- Apply 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls

0006-sbus-arm-watchdog-for-sbus_connect_init_send
 0007-sysdb-fix-string-comparison-when-checking-for-overrides patches

SOURCES/0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch

@@ -0,0 +1,106 @@
+From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 9 Jun 2023 12:31:39 +0200
+Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Those two new calls can be used if there are requests stuck by e.g.
+waiting on replies where there is no other way to handle the timeout and
+get the system back into a stable state. They should be only used as a
+last resort.
+
+Resolves: https://github.com/SSSD/sssd/issues/6803
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 75f2b35ad3b9256de905d05c5108400d35688554)
+---
+ src/util/util.h          | 12 ++++++++++++
+ src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
+ 2 files changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/util.h b/src/util/util.h
+index a8356e0cd..9dbcf3301 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -756,6 +756,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
+ void teardown_watchdog(void);
+ int get_watchdog_ticks(void);
+ 
++/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
++ * the watchdog reset, respectively. This means that after arm_watchdog() is
++ * called the watchdog will not be resetted anymore and it will kill the
++ * process if disarm_watchdog() wasn't called before.
++ * Those calls should only be used when there is no other way to handle
++ * waiting request and recover into a stable state.
++ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
++ * not be called a second time in a different request because then
++ * disarm_watchdog() will disable the watchdog coverage for both. */
++void arm_watchdog(void);
++void disarm_watchdog(void);
++
+ /* from files.c */
+ int sss_remove_tree(const char *root);
+ int sss_remove_subtree(const char *root);
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index b1534e499..abafd94b9 100644
+--- a/src/util/util_watchdog.c
++++ b/src/util/util_watchdog.c
+@@ -40,6 +40,7 @@ struct watchdog_ctx {
+     time_t timestamp;
+     struct tevent_fd *tfd;
+     int pipefd[2];
++    bool armed; /* if 'true' ticks counter will not be reset */
+ } watchdog_ctx;
+ 
+ static void watchdog_detect_timeshift(void)
+@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
+                                    struct timeval current_time,
+                                    void *private_data)
+ {
+-    /* first thing reset the watchdog ticks */
+-    watchdog_reset();
++    if (!watchdog_ctx.armed) {
++        /* first thing reset the watchdog ticks */
++        watchdog_reset();
++    } else {
++        DEBUG(SSSDBG_IMPORTANT_INFO,
++              "Watchdog armed, process might be terminated soon.\n");
++    }
+ 
+     /* then set a new watchodg event */
+     watchdog_ctx.te = tevent_add_timer(ev, ev,
+@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
+     watchdog_ctx.ev = ev;
+     watchdog_ctx.input_interval = interval;
+     watchdog_ctx.timestamp = time(NULL);
++    watchdog_ctx.armed = false;
+ 
+     ret = pipe(watchdog_ctx.pipefd);
+     if (ret == -1) {
+@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
+ {
+     return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
+ }
++
++void arm_watchdog(void)
++{
++    if (watchdog_ctx.armed) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "arm_watchdog() is called although the watchdog is already armed. "
++              "This indicates a programming error and should be avoided because "
++              "it will most probably not work as expected.\n");
++    }
++
++    watchdog_ctx.armed = true;
++}
++
++void disarm_watchdog(void)
++{
++    watchdog_ctx.armed = false;
++}
+-- 
+2.38.1
+

SOURCES/0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch

@@ -0,0 +1,53 @@
+From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 9 Jun 2023 13:01:47 +0200
+Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There seem to be conditions where the reply in the
+sbus_call_DBus_Hello_send() request gets lost and the backend cannot
+properly initialize its sbus/DBus server. Since the backend cannot be
+connected by the frontends in this state the best way to recover would
+be a restart. Since the event-loop is active in this state, e.g. waiting
+for the reply, the watchdog will not consider the process as hung and
+will not restart the process.
+
+To make the watchdog handle this case arm_watchdog() and
+disarm_watchdog() are called before and after the request, respectively.
+
+Resolves: https://github.com/SSSD/sssd/issues/6803
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
+---
+ src/sbus/connection/sbus_connection_connect.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
+index 45a0fa491..edc090e15 100644
+--- a/src/sbus/connection/sbus_connection_connect.c
++++ b/src/sbus/connection/sbus_connection_connect.c
+@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
+ 
+     tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
+ 
++    arm_watchdog();
++
+     return req;
+ }
+ 
+@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
+     uint32_t res;
+     errno_t ret;
+ 
++    disarm_watchdog();
++
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+ 
+     ret = sbus_call_DBus_RequestName_recv(subreq, &res);
+-- 
+2.38.1
+

SOURCES/0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch

@@ -0,0 +1,36 @@
+From 01d02794e02f051ea9a78cd63b30384de3e7c9b0 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 10 May 2023 10:27:08 +0200
+Subject: [PATCH] sysdb: fix string comparison when checking for overrides
+
+When checking if the input group-name is the original name from AD or an
+overwritten one the comparison is currently done case sensitive. Since
+AD handles names case-insensitive and hence SSSD should do this as well
+this comparison might cause issues.
+
+The patch replace the case sensitive comparison with a comparison with
+respects the case_sensitive of the domain the object is coming from.
+
+Resolves: https://github.com/SSSD/sssd/issues/6720
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ src/db/sysdb_search.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index 7efd570e78..e4c53b8535 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
+                     res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
+ 
+             if (originalad_sanitized_name != NULL
+-                    && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
++                    && !sss_string_equal(domain->case_sensitive,
++                                         originalad_sanitized_name,
++                                         sanitized_name)) {
+                 fmt_filter = SYSDB_GRNAM_FILTER;
+                 base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+                 res = NULL;

SPECS/sssd.spec

@@ -19,7 +19,7 @@
 
 Name: sssd
 Version: 2.8.2
-Release: 2%{?dist}
+Release: 3%{?dist}.alma
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -32,6 +32,13 @@ Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
 Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
 Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
 
+# Patches were taken from:
+# https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/26c81cdfa6fdda4aab69e0184839be0fb74ef73d
+Patch0005: 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
+Patch0006: 0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch
+# https://github.com/SSSD/sssd/commit/01d02794e02f051ea9a78cd63b30384de3e7c9b0
+Patch0007: 0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch
+
 ### Downstream Patches ###
 
 ### Dependencies ###
@@ -1213,6 +1220,11 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Tue Aug 08 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.8.2-3.alma
+- Apply 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls
+ 0006-sbus-arm-watchdog-for-sbus_connect_init_send
+ 0007-sysdb-fix-string-comparison-when-checking-for-overrides patches
+
 * Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
 - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"