diff --git a/.gitignore b/.gitignore
index 916c992..0794181 100644
--- a/.gitignore
+++ b/.gitignore
@@ -118,3 +118,4 @@ sssd-1.2.91.tar.gz
 /sssd-2.10.2.tar.gz
 /sssd-2.11.0.tar.gz
 /sssd-2.11.1.tar.gz
+/sssd-2.12.0.tar.gz
diff --git a/0001-Revert-ipa-improve-handling-of-external-group-member.patch b/0001-Revert-ipa-improve-handling-of-external-group-member.patch
deleted file mode 100644
index c2360c1..0000000
--- a/0001-Revert-ipa-improve-handling-of-external-group-member.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-From 98a91d170f7a6074ed1bd3b8ed9161c4a11b4074 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Thu, 14 Aug 2025 16:21:00 +0200
-Subject: [PATCH] Revert "ipa: improve handling of external group memberships"
-
-This reverts commit 63a6f51069a86765417f044a62705fe20572e0da.
----
- src/providers/ipa/ipa_subdomains_ext_groups.c | 152 +++---------------
- 1 file changed, 22 insertions(+), 130 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
-index f86130d89..ba3fb3953 100644
---- a/src/providers/ipa/ipa_subdomains_ext_groups.c
-+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
-@@ -312,19 +312,11 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
- bool *missing_groups)
- {
- size_t c;
-- size_t d = 0;
- struct sysdb_attrs *user_attrs;
- size_t msgs_count;
- struct ldb_message **msgs;
- TALLOC_CTX *tmp_ctx;
- int ret;
-- const struct ldb_val *val;
-- char *user_name;
-- char **sysdb_ipa_group_memberships;
-- char **add_groups;
-- char **del_groups;
-- errno_t sret;
-- bool in_transaction = false;
-
- *missing_groups = false;
-
-@@ -334,96 +326,18 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
- return ENOMEM;
- }
-
-- val = ldb_dn_get_rdn_val(user_dn);
-- if (val == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "user_dn has no RDN.\n");
-- ret = EINVAL;
-- goto done;
-- }
-- user_name = talloc_strndup(tmp_ctx, (char *) val->data, val->length);
-- if (user_name == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user name.\n");
-- ret = ENOMEM;
-- goto done;
-- }
--
-- ret = sysdb_transaction_start(user_dom->sysdb);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to start update transaction\n");
-- goto done;
-- }
--
-- in_transaction = true;
--
-- ret = sysdb_get_direct_parents_ex(tmp_ctx, user_dom, group_dom,
-- SYSDB_MEMBER_USER, user_name,
-- SYSDB_ORIG_DN,
-- &sysdb_ipa_group_memberships);
-- if (ret != EOK) {
--
DEBUG(SSSDBG_OP_FAILURE, "Failed to get current IPA group memberships "
-- "of user [%s].\n", user_name);
-- goto done;
-- }
--
-- ret = diff_string_lists(tmp_ctx, groups, sysdb_ipa_group_memberships,
-- &add_groups, &del_groups, NULL);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Failed to get difference in group lists.\n");
-- goto done;
-- }
--
-- user_attrs = sysdb_new_attrs(tmp_ctx);
-- if (user_attrs == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
-- ret = ENOMEM;
-- goto done;
-- }
--
-- /* Add all new IPA groups to SYSDB_ORIG_MEMBEROF because they are most
-- * probably removed by the previous user update and mark all new groups as
-- * processed. */
- for (c = 0; groups[c] != NULL; c++) {
-- ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
-- groups[c]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
-- goto done;
-+ if (groups[c][0] == '\0') {
-+ continue;
- }
-
-- groups[c][0] = '\0';
-- }
--
-- if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
-- DEBUG(SSSDBG_TRACE_ALL, "New IPA groups [%zu].\n", c);
--
-- for (c = 0; sysdb_ipa_group_memberships[c] != NULL; c++);
-- DEBUG(SSSDBG_TRACE_ALL, "Cached IPA groups [%zu].\n", c);
--
-- for (c = 0; add_groups[c] != NULL; c++);
-- DEBUG(SSSDBG_TRACE_ALL, "Groups to add [%zu].\n", c);
--
-- for (c = 0; del_groups[c] != NULL; c++);
-- DEBUG(SSSDBG_TRACE_ALL, "Groups to delete [%zu].\n", c);
-- }
--
-- /* TODO: there is a similar functionality (adding and removing group
-- * memberships in sysdb_update_members_ex(), but the missing group feature
-- * is missing. It might be worth to evaluate if either the missing group
-- * feature can be added there or if group which are missing in the cache
-- * can bew handled differently here.
*/
--
-- for (c = 0; add_groups[c] != NULL; c++) {
--
-- ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, add_groups[c],
-+ ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, groups[c],
- NULL, &msgs_count, &msgs);
- if (ret != EOK) {
- if (ret == ENOENT) {
- DEBUG(SSSDBG_TRACE_ALL, "Group [%s] not in the cache.\n",
-- add_groups[c]);
-+ groups[c]);
- *missing_groups = true;
-- talloc_free(groups[d]);
-- /* add missing group back to the list */
-- groups[d++] = talloc_steal(groups, add_groups[c]);
- continue;
- } else {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
-@@ -431,6 +345,9 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
- }
- }
-
-+/* TODO? Do we have to remove members as well? I think not because the AD
-+ * query before removes all memberships. */
-+
- ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
- LDB_FLAG_MOD_ADD);
- if (ret != EOK && ret != EEXIST) {
-@@ -438,58 +355,33 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
- goto done;
- }
-
-- }
-- talloc_free(groups[d]);
-- groups[d] = NULL;
-+ user_attrs = sysdb_new_attrs(tmp_ctx);
-+ if (user_attrs == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-
-- for (c = 0; del_groups[c] != NULL; c++) {
-- ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, del_groups[c],
-- NULL, &msgs_count, &msgs);
-+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
-+ groups[c]);
- if (ret != EOK) {
-- if (ret == ENOENT) {
-- DEBUG(SSSDBG_TRACE_ALL,
-- "Group [%s] not in the cache, skipping.\n",
-- del_groups[c]);
-- continue;
-- } else {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
-- goto done;
-- }
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
-+ goto done;
- }
-
-- ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
-- LDB_FLAG_MOD_DELETE);
-+ ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
-+
LDB_FLAG_MOD_ADD);
- if (ret != EOK && ret != EEXIST) {
-- DEBUG(SSSDBG_OP_FAILURE,
-- "sysdb_mod_group_member failed to delete member.\n");
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
- goto done;
- }
-- }
-
-- /* Update SYSDB_ORIG_MEMBEROF with the IPA groups. */
-- ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
-- LDB_FLAG_MOD_ADD);
-- if (ret != EOK && ret != EEXIST) {
-- DEBUG(SSSDBG_OP_FAILURE, "Failed to add original IPA group DNs, ignored.\n");
-- }
--
-- ret = sysdb_transaction_commit(user_dom->sysdb);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
-- goto done;
-+ /* mark group as already processed */
-+ groups[c][0] = '\0';
- }
-
-- in_transaction = false;
--
- ret = EOK;
- done:
-- if (in_transaction) {
-- sret = sysdb_transaction_cancel(user_dom->sysdb);
-- if (sret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
-- }
-- }
--
- talloc_free(tmp_ctx);
-
- return ret;
---
-2.50.0
-
diff --git a/sources b/sources
index f12bd80..e4fb5a4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-2.11.1.tar.gz) = e65897bcb9ddd64f6c01787ad7b7eab3c9916e10f9ead02a6e92de503a4ea71c091e998ccf0344576b520bea75abfe5fd2880e8401237a26274d764d291f6fa4
+SHA512 (sssd-2.12.0.tar.gz) = 3bd90a88a43019b00d3f0a674ef4d2473bf6895e749a54bec8ac1661e7d289083e0cbd64846dacc8bdd4b2447f171dddb2d0ba108962dbd862bce86c2247b038
diff --git a/sssd.spec b/sssd.spec
index 6c61dac..b429aa3 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -7,7 +7,6 @@
 %global build_kcm_renewals 1
 %global krb5_version 1.18.2
 %global build_passkey 1
-%global build_idp 0
 %global build_ssh_known_hosts_proxy 0
 # we don't want to provide private python extension libs
@@ -17,21 +16,19 @@
 # Determine the location of the LDB modules directory
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
-%global ldb_version 1.2.0
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version})
 Name: sssd
-Version: 2.11.1
-Release: 3%{?dist}
+Version: 2.12.0
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
-Source0: https://github.com/SSSD/sssd/releases/download/2.11.1/sssd-2.11.1.tar.gz
+Source0: https://github.com/SSSD/sssd/releases/download/2.12.0/sssd-2.12.0.tar.gz
 Source1: sssd.sysusers
 ### Patches ###
-Patch0001: 0001-Revert-ipa-improve-handling-of-external-group-member.patch
 ### Dependencies ###
@@ -86,7 +83,7 @@ BuildRequires: libdhash-devel >= 0.4.2
 BuildRequires: libfido2-devel
 %endif
 BuildRequires: libini_config-devel >= 1.3
-BuildRequires: libldb-devel >= %{ldb_version}
+BuildRequires: libldb-devel
 BuildRequires: libnfsidmap-devel
 BuildRequires: libnl3-devel
 BuildRequires: libselinux-devel
@@ -162,7 +159,7 @@ Obsoletes: libsss_simpleifp-debuginfo < 2.9.2
 Obsoletes: sssd-polkit-rules < 2.10.0
 # Requires
 # due to ABI changes in 1.1.30/1.2.0
-Requires: libldb >= %{ldb_version}
+Requires: libldb >= %{samba_package_version}
 Requires: libtevent >= 0.11.0
 Requires: sssd-client%{?_isa} = %{version}-%{release}
 Requires: (libsss_sudo = %{version}-%{release} if sudo)
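Review bot: The new `Requires: libldb >= %{samba_package_version}` in the `@@ -162,7 +159,7 @@` hunk ties the runtime floor to whatever `rpm -q samba-devel --queryformat %{version}` prints when the spec is parsed (the `@@ -17,21 +16,19 @@` hunk), so a parse in an environment without samba-devel would most likely expand to an error string rather than a version and produce an unsatisfiable dependency; if libldb now ships from the samba source as the change implies, it is worth guarding that shell expansion or deriving the floor from the built package instead. The comment left in place above it, `# due to ABI changes in 1.1.30/1.2.0`, still describes the standalone ldb versioning that the removed `%global ldb_version 1.2.0` tracked and no longer explains a comparison against a samba version; suggest `# libldb follows the samba release now; require at least the version built against`. The `BuildRequires: libldb-devel` in the `@@ -86,7 +83,7 @@` hunk lost its minimum entirely, so the build-time floor is implied only by the samba-devel that happens to be installed, which a one-line comment there should state.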
@@ -473,14 +470,17 @@ An implementation of a Kerberos KCM server. Use this package if you want to
 use the KCM: Kerberos credentials cache.
 %package idp
-Summary: Kerberos plugins and OIDC helper for external identity providers.
+Summary: The IdP back end of the SSSD, Kerberos plugins and OIDC helper
 License: GPL-3.0-or-later
 Requires: sssd-common = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 %description idp
-This package provides Kerberos plugins that are required to enable
-authentication against external identity providers. Additionally a helper
-program to handle the OAuth 2.0 Device Authorization Grant is provided.
+Provides the Identity Provider (IdP) back end that the SSSD can utilize to fetch
+identity data from and authenticate against an IdP like Keycloak or Entra ID
+server. Additionally this package provides Kerberos plugins that are required to
+enable authentication against external identity providers, if the KDC supports
+it, and a helper program to handle the OAuth 2.0 Device Authorization Grant.
 %if %{build_passkey}
 %package passkey
@@ -498,7 +498,7 @@ enable authentication with passkey token.
 %endif
 %prep
-%autosetup -n sssd-2.11.1 -p1
+%autosetup -n %{name}-%{version_no_tilde} -p1
 %build
@@ -533,9 +533,6 @@ autoreconf -ivf
 %endif
 %if %{build_ssh_known_hosts_proxy}
 --with-ssh-known-hosts-proxy \
-%endif
-%if ! %{build_idp} --with-id-provider-idp=no
 %endif
 %{nil}
@@ -981,10 +978,8 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %{_mandir}/man8/sssd-kcm.8*
 %files idp
-%if %{build_idp}
 %{_libdir}/%{name}/libsss_idp.so
 %{_mandir}/man5/sssd-idp.5*
-%endif
 %{_libexecdir}/%{servicename}/oidc_child
 %{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
 %{_datadir}/sssd/krb5-snippets/sssd_enable_idp
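Review bot: The added `Requires: libsss_idmap = %{version}-%{release}` in the `@@ -473,14 +470,17 @@` hunk is a dependency on a shared-library subpackage, so it should carry the arch qualifier this spec already uses for `sssd-client%{?_isa}`: `Requires: libsss_idmap%{?_isa} = %{version}-%{release}`; without it a multilib system can satisfy the requirement with the other architecture's package while `libsss_idp.so` still fails to load. The `%files idp` hunk at `@@ -981,10 +978,8 @@` now ships `libsss_idp.so` and its man page unconditionally, while the configure hunk only drops `--with-id-provider-idp=no` and does not add an explicit enable, so the build relies on the upstream default turning the IdP provider on; if that is the 2.12.0 default, a one-line comment above `%files idp` saying so would spare the next reader the check.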
@@ -1092,6 +1087,25 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Thu Jan 15 2026 Sumit Bose - 2.12.0-1
+- Resolves: RHEL-139110 - Rebase SSSD for RHEL 10.2
+- Resolves: RHEL-132552 - sssd_be: segfault at 8 ip 00007f6fd25b2b90 sp 00007ffc02dfbae0 error 4 in libsss_ipa.so[7f6fd25ae000+4d000]
+- Resolves: RHEL-132505 - RFE: package LDAP provider support for subid ranges
+- Resolves: RHEL-130571 - SSSD: change a default value of 'session_provider' sssd.conf option to 'none'
+- Resolves: RHEL-129636 - sssd service fails to start after updating to 2.9.6-4 or 2.9.7-4
+- Resolves: RHEL-128594 - 'sssd_nss' hangs when looking up an object by ID that has expired cache entry and filtered out by name
+- Resolves: RHEL-127792 - Remove SSSD option ipa_enable_dns_sites
+- Resolves: RHEL-120501 - Crash in 'sss_client/autofs/sss_autofs.c'
+- Resolves: RHEL-120287 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-10.2]
+- Resolves: RHEL-114468 - Spam in 'sssd_kcm.log' during normal operations
+- Resolves: RHEL-113111 - Including innapropriate IPv6 addresses in dyndns_update
+- Resolves: RHEL-104221 - The SSSD cache is filled with groups having GID=0, causing the cache index to grow excessively large. This, in turn, leads to timeouts
+- Resolves: RHEL-94545 - When the user name of an AD user in an IPA-AD trust environment overwritten, the user private group, the users primary group, cannot be lookup up by the overwritten name.
+- Resolves: RHEL-77184 - AD user in external group is not cleared when expiring the cache
+- Resolves: RHEL-72935 - sss_override does not work on AD UPN
+- Resolves: RHEL-11913 - GDM Support for IdM IdP feature and MFA [SSSD]
+- Resolves: RHEL-4990 - [RFE] SSSD support for Azure AD / Microsoft Entra ID (or general direct support of OIDC authentication)
+
 * Mon Sep 22 2025 Pavel Filipenský - 2.11.1-3
 - Related: RHEL-114545 - Rebase Samba to the latest 4.23.x release