Rebase SSSD for RHEL 10.2

Resolves: RHEL-139110 - Rebase SSSD for RHEL 10.2
Resolves: RHEL-132552 - sssd_be: segfault at 8 ip 00007f6fd25b2b90 sp 00007ffc02dfbae0 error 4 in libsss_ipa.so[7f6fd25ae000+4d000]
Resolves: RHEL-132505 - RFE: package LDAP provider support for subid ranges
Resolves: RHEL-130571 - SSSD: change a default value of 'session_provider' sssd.conf option to 'none'
Resolves: RHEL-129636 - sssd service fails to start after updating to 2.9.6-4 or 2.9.7-4
Resolves: RHEL-128594 - 'sssd_nss' hangs when looking up an object by ID that has an expired cache entry and is filtered out by name
Resolves: RHEL-127792 - Remove SSSD option ipa_enable_dns_sites
Resolves: RHEL-120501 - Crash in 'sss_client/autofs/sss_autofs.c'
Resolves: RHEL-120287 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-10.2]
Resolves: RHEL-114468 - Spam in 'sssd_kcm.log' during normal operations
Resolves: RHEL-113111 - Including inappropriate IPv6 addresses in dyndns_update
Resolves: RHEL-104221 - The SSSD cache is filled with groups having GID=0, causing the cache index to grow excessively large. This, in turn, leads to timeouts
Resolves: RHEL-94545 - When the user name of an AD user in an IPA-AD trust environment is overwritten, the user private group, the user's primary group, cannot be looked up by the overwritten name.
Resolves: RHEL-77184 - AD user in external group is not cleared when expiring the cache
Resolves: RHEL-72935 - sss_override does not work on AD UPN
Resolves: RHEL-11913 - GDM Support for IdM IdP feature and MFA [SSSD]
Resolves: RHEL-4990 - [RFE] SSSD support for Azure AD / Microsoft Entra ID (or general direct support of OIDC authentication)
Sumit Bose 2026-01-15 15:49:44 +01:00
parent 574d180216
commit 5c9eab4125
4 changed files with 34 additions and 241 deletions

.gitignore

@ -118,3 +118,4 @@ sssd-1.2.91.tar.gz
/sssd-2.10.2.tar.gz
/sssd-2.11.0.tar.gz
/sssd-2.11.1.tar.gz
/sssd-2.12.0.tar.gz

0001-Revert-ipa-improve-handling-of-external-group-member.patch (deleted)

@ -1,222 +0,0 @@
From 98a91d170f7a6074ed1bd3b8ed9161c4a11b4074 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 14 Aug 2025 16:21:00 +0200
Subject: [PATCH] Revert "ipa: improve handling of external group memberships"
This reverts commit 63a6f51069a86765417f044a62705fe20572e0da.
---
src/providers/ipa/ipa_subdomains_ext_groups.c | 152 +++---------------
1 file changed, 22 insertions(+), 130 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index f86130d89..ba3fb3953 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -312,19 +312,11 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
bool *missing_groups)
{
size_t c;
- size_t d = 0;
struct sysdb_attrs *user_attrs;
size_t msgs_count;
struct ldb_message **msgs;
TALLOC_CTX *tmp_ctx;
int ret;
- const struct ldb_val *val;
- char *user_name;
- char **sysdb_ipa_group_memberships;
- char **add_groups;
- char **del_groups;
- errno_t sret;
- bool in_transaction = false;
*missing_groups = false;
@@ -334,96 +326,18 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
return ENOMEM;
}
- val = ldb_dn_get_rdn_val(user_dn);
- if (val == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "user_dn has no RDN.\n");
- ret = EINVAL;
- goto done;
- }
- user_name = talloc_strndup(tmp_ctx, (char *) val->data, val->length);
- if (user_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user name.\n");
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_transaction_start(user_dom->sysdb);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to start update transaction\n");
- goto done;
- }
-
- in_transaction = true;
-
- ret = sysdb_get_direct_parents_ex(tmp_ctx, user_dom, group_dom,
- SYSDB_MEMBER_USER, user_name,
- SYSDB_ORIG_DN,
- &sysdb_ipa_group_memberships);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to get current IPA group memberships "
- "of user [%s].\n", user_name);
- goto done;
- }
-
- ret = diff_string_lists(tmp_ctx, groups, sysdb_ipa_group_memberships,
- &add_groups, &del_groups, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to get difference in group lists.\n");
- goto done;
- }
-
- user_attrs = sysdb_new_attrs(tmp_ctx);
- if (user_attrs == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
- ret = ENOMEM;
- goto done;
- }
-
- /* Add all new IPA groups to SYSDB_ORIG_MEMBEROF because they are most
- * probably removed by the previous user update and mark all new groups as
- * processed. */
for (c = 0; groups[c] != NULL; c++) {
- ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
- groups[c]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
- goto done;
+ if (groups[c][0] == '\0') {
+ continue;
}
- groups[c][0] = '\0';
- }
-
- if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
- DEBUG(SSSDBG_TRACE_ALL, "New IPA groups [%zu].\n", c);
-
- for (c = 0; sysdb_ipa_group_memberships[c] != NULL; c++);
- DEBUG(SSSDBG_TRACE_ALL, "Cached IPA groups [%zu].\n", c);
-
- for (c = 0; add_groups[c] != NULL; c++);
- DEBUG(SSSDBG_TRACE_ALL, "Groups to add [%zu].\n", c);
-
- for (c = 0; del_groups[c] != NULL; c++);
- DEBUG(SSSDBG_TRACE_ALL, "Groups to delete [%zu].\n", c);
- }
-
- /* TODO: there is a similar functionality (adding and removing group
- * memberships in sysdb_update_members_ex(), but the missing group feature
- * is missing. It might be worth to evaluate if either the missing group
- * feature can be added there or if group which are missing in the cache
- * can bew handled differently here. */
-
- for (c = 0; add_groups[c] != NULL; c++) {
-
- ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, add_groups[c],
+ ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, groups[c],
NULL, &msgs_count, &msgs);
if (ret != EOK) {
if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "Group [%s] not in the cache.\n",
- add_groups[c]);
+ groups[c]);
*missing_groups = true;
- talloc_free(groups[d]);
- /* add missing group back to the list */
- groups[d++] = talloc_steal(groups, add_groups[c]);
continue;
} else {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
@@ -431,6 +345,9 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
}
}
+/* TODO? Do we have to remove members as well? I think not because the AD
+ * query before removes all memberships. */
+
ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
LDB_FLAG_MOD_ADD);
if (ret != EOK && ret != EEXIST) {
@@ -438,58 +355,33 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
goto done;
}
- }
- talloc_free(groups[d]);
- groups[d] = NULL;
+ user_attrs = sysdb_new_attrs(tmp_ctx);
+ if (user_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
- for (c = 0; del_groups[c] != NULL; c++) {
- ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, del_groups[c],
- NULL, &msgs_count, &msgs);
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+ groups[c]);
if (ret != EOK) {
- if (ret == ENOENT) {
- DEBUG(SSSDBG_TRACE_ALL,
- "Group [%s] not in the cache, skipping.\n",
- del_groups[c]);
- continue;
- } else {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
- goto done;
- }
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
+ goto done;
}
- ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
- LDB_FLAG_MOD_DELETE);
+ ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
+ LDB_FLAG_MOD_ADD);
if (ret != EOK && ret != EEXIST) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sysdb_mod_group_member failed to delete member.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
goto done;
}
- }
- /* Update SYSDB_ORIG_MEMBEROF with the IPA groups. */
- ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
- LDB_FLAG_MOD_ADD);
- if (ret != EOK && ret != EEXIST) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to add original IPA group DNs, ignored.\n");
- }
-
- ret = sysdb_transaction_commit(user_dom->sysdb);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
- goto done;
+ /* mark group as already processed */
+ groups[c][0] = '\0';
}
- in_transaction = false;
-
ret = EOK;
done:
- if (in_transaction) {
- sret = sysdb_transaction_cancel(user_dom->sysdb);
- if (sret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
- }
- }
-
talloc_free(tmp_ctx);
return ret;
--
2.50.0
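Review bot: dropping 0001-Revert-ipa-improve-handling-of-external-group-member.patch puts the reverted upstream change (63a6f51069a86765417f044a62705fe20572e0da, "ipa: improve handling of external group memberships") back into the build, but neither the patch nor the commit message says why it had been reverted for 2.11.1 or which 2.12.0 change makes carrying the revert unnecessary. The Resolves list contains two IPA-side items that plausibly belong here (RHEL-132552, a segfault in libsss_ipa.so, and RHEL-77184, an AD user in an external group not being cleared on cache expiry); the changelog entry should name which of them, or which upstream commit, supersedes the revert, so that the next rebase does not silently reintroduce whatever the revert was carried for.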

sources

@ -1 +1 @@
SHA512 (sssd-2.11.1.tar.gz) = e65897bcb9ddd64f6c01787ad7b7eab3c9916e10f9ead02a6e92de503a4ea71c091e998ccf0344576b520bea75abfe5fd2880e8401237a26274d764d291f6fa4
SHA512 (sssd-2.12.0.tar.gz) = 3bd90a88a43019b00d3f0a674ef4d2473bf6895e749a54bec8ac1661e7d289083e0cbd64846dacc8bdd4b2447f171dddb2d0ba108962dbd862bce86c2247b038
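Review bot: the new SHA512 line is the only thing that pins the contents of sssd-2.12.0.tar.gz, and nothing on this page records how it was obtained. Before merging, recompute it from a tarball fetched from the Source0 URL given in the spec (https://github.com/SSSD/sssd/releases/download/2.12.0/sssd-2.12.0.tar.gz) and check the upstream detached signature for that release, so the hash is verified against upstream rather than copied from wherever the tarball was first downloaded.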

sssd.spec

@ -7,7 +7,6 @@
%global build_kcm_renewals 1
%global krb5_version 1.18.2
%global build_passkey 1
%global build_idp 0
%global build_ssh_known_hosts_proxy 0
# we don't want to provide private python extension libs
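Review bot: removing %global build_idp is only safe if no %{build_idp} reference survives elsewhere in the spec; the hunks below cover the %configure block and %files idp, but any remaining %if %{build_idp} would fail to parse once the macro is undefined. Please grep the whole spec for build_idp before merging.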
@ -17,21 +16,19 @@
# Determine the location of the LDB modules directory
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.2.0
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
Version: 2.11.1
Release: 3%{?dist}
Version: 2.12.0
Release: 1%{?dist}
Summary: System Security Services Daemon
License: GPL-3.0-or-later
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/2.11.1/sssd-2.11.1.tar.gz
Source0: https://github.com/SSSD/sssd/releases/download/2.12.0/sssd-2.12.0.tar.gz
Source1: sssd.sysusers
### Patches ###
Patch0001: 0001-Revert-ipa-improve-handling-of-external-group-member.patch
### Dependencies ###
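Review bot: %global samba_package_version %(rpm -q samba-devel --queryformat %{version}) runs a shell command every time the spec is parsed, not only in the build root. Where samba-devel is not installed (SRPM creation, or anyone running rpmspec on the file), rpm -q prints "package samba-devel is not installed" and that text is what the Requires: libldb >= %{samba_package_version} line further down expands to. Either derive the value at build time from the buildroot, or keep a literal minimum version the way %global ldb_version did. Two smaller points: the macro only works because %{version} is still undefined at this position, so the literal text reaches rpm -q as its query format; it sits above Version: now, but moving it below that tag would silently change the expansion. And Source0 still hardcodes 2.12.0 while %prep switches to %{name}-%{version_no_tilde}; using %{version} in the URL keeps the two in step.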
@ -86,7 +83,7 @@ BuildRequires: libdhash-devel >= 0.4.2
BuildRequires: libfido2-devel
%endif
BuildRequires: libini_config-devel >= 1.3
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libldb-devel
BuildRequires: libnfsidmap-devel
BuildRequires: libnl3-devel
BuildRequires: libselinux-devel
@ -162,7 +159,7 @@ Obsoletes: libsss_simpleifp-debuginfo < 2.9.2
Obsoletes: sssd-polkit-rules < 2.10.0
# Requires
# due to ABI changes in 1.1.30/1.2.0
Requires: libldb >= %{ldb_version}
Requires: libldb >= %{samba_package_version}
Requires: libtevent >= 0.11.0
Requires: sssd-client%{?_isa} = %{version}-%{release}
Requires: (libsss_sudo = %{version}-%{release} if sudo)
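Review bot: the context line "# due to ABI changes in 1.1.30/1.2.0" was written for the libldb >= %{ldb_version} bound that this hunk removes; with the requirement now tied to the installed samba-devel version, the comment is stale. Replace it with one sentence saying why libldb is expected to carry the Samba package version in this release stream (the 2.11.1-3 changelog entry "Rebase Samba to the latest 4.23.x release" is the nearest hint on this page), otherwise the next reader will try to restore the old bound.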
@ -473,14 +470,17 @@ An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache.
%package idp
Summary: Kerberos plugins and OIDC helper for external identity providers.
Summary: The IdP back end of the SSSD, Kerberos plugins and OIDC helper
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
%description idp
This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided.
Provides the Identity Provider (IdP) back end that the SSSD can utilize to fetch
identity data from and authenticate against an IdP like Keycloak or Entra ID
server. Additionally this package provides Kerberos plugins that are required to
enable authentication against external identity providers, if the KDC supports
it, and a helper program to handle the OAuth 2.0 Device Authorization Grant.
%if %{build_passkey}
%package passkey
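Review bot: wording in the new %description idp: "an IdP like Keycloak or Entra ID server" mixes a product name with a generic noun; suggest "an identity provider such as Keycloak or Microsoft Entra ID". Also, now that this subpackage always ships a shared object (libsss_idp.so in %files idp), its Requires on sssd-common and libsss_idmap should carry %{?_isa} the way Requires: sssd-client%{?_isa} does above, so a multilib install cannot satisfy the dependency with the wrong architecture.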
@ -498,7 +498,7 @@ enable authentication with passkey token.
%endif
%prep
%autosetup -n sssd-2.11.1 -p1
%autosetup -n %{name}-%{version_no_tilde} -p1
%build
@ -533,9 +533,6 @@ autoreconf -ivf
%endif
%if %{build_ssh_known_hosts_proxy}
--with-ssh-known-hosts-proxy \
%endif
%if ! %{build_idp}
--with-id-provider-idp=no
%endif
%{nil}
@ -981,10 +978,8 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%{_mandir}/man8/sssd-kcm.8*
%files idp
%if %{build_idp}
%{_libdir}/%{name}/libsss_idp.so
%{_mandir}/man5/sssd-idp.5*
%endif
%{_libexecdir}/%{servicename}/oidc_child
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
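Review bot: with the %if gone, every build of this spec must produce libsss_idp.so and sssd-idp.5, yet the %configure hunk above only stops passing --with-id-provider-idp=no and leaves the decision to configure's default. Pass the positive form of that option explicitly so that a configure-time autodetect failure surfaces as a configure error rather than as a missing file at %files.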
@ -1092,6 +1087,25 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Thu Jan 15 2026 Sumit Bose <sbose@redhat.com> - 2.12.0-1
- Resolves: RHEL-139110 - Rebase SSSD for RHEL 10.2
- Resolves: RHEL-132552 - sssd_be: segfault at 8 ip 00007f6fd25b2b90 sp 00007ffc02dfbae0 error 4 in libsss_ipa.so[7f6fd25ae000+4d000]
- Resolves: RHEL-132505 - RFE: package LDAP provider support for subid ranges
- Resolves: RHEL-130571 - SSSD: change a default value of 'session_provider' sssd.conf option to 'none'
- Resolves: RHEL-129636 - sssd service fails to start after updating to 2.9.6-4 or 2.9.7-4
- Resolves: RHEL-128594 - 'sssd_nss' hangs when looking up an object by ID that has expired cache entry and filtered out by name
- Resolves: RHEL-127792 - Remove SSSD option ipa_enable_dns_sites
- Resolves: RHEL-120501 - Crash in 'sss_client/autofs/sss_autofs.c'
- Resolves: RHEL-120287 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-10.2]
- Resolves: RHEL-114468 - Spam in 'sssd_kcm.log' during normal operations
- Resolves: RHEL-113111 - Including innapropriate IPv6 addresses in dyndns_update
- Resolves: RHEL-104221 - The SSSD cache is filled with groups having GID=0, causing the cache index to grow excessively large. This, in turn, leads to timeouts
- Resolves: RHEL-94545 - When the user name of an AD user in an IPA-AD trust environment overwritten, the user private group, the users primary group, cannot be lookup up by the overwritten name.
- Resolves: RHEL-77184 - AD user in external group is not cleared when expiring the cache
- Resolves: RHEL-72935 - sss_override does not work on AD UPN
- Resolves: RHEL-11913 - GDM Support for IdM IdP feature and MFA [SSSD]
- Resolves: RHEL-4990 - [RFE] SSSD support for Azure AD / Microsoft Entra ID (or general direct support of OIDC authentication)
* Mon Sep 22 2025 Pavel Filipenský <pfilipen@redhat.com> - 2.11.1-3
- Related: RHEL-114545 - Rebase Samba to the latest 4.23.x release
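Review bot: the changelog lists CVE-2025-11561 as resolved by the rebase, but neither the entry nor the commit message identifies the upstream commit or release that carries the fix; for a CVE, add that reference so the fix can be confirmed in the 2.12.0 tarball rather than inferred from the version bump. The same applies to RHEL-129636 (service fails to start after updating to 2.9.6-4 or 2.9.7-4), where a one-line note on what in 2.12.0 addresses it would help the reviewer.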