Rebase to sssd-2.9.9

Resolves: RHEL-173741 - SSSD Rebase for RHEL 9.9
Resolves: RHEL-173740 - CVE-2026-6245 sssd: out-of-bounds read in the sssd
Resolves: RHEL-150439 - Poor performance of `BE_REQ_INITGROUPS` handling by 'sssd_be' (LDAP RFC2307, no nested groups)
Resolves: RHEL-143416 - Performance impact with enumerate in SSSD > 2.7.3
Resolves: RHEL-152067 - [RFE] SSSD PAM: Support Microsoft AD PKINIT authentication indicator (ms-pkca) for pam_gssapi_indicators_map
Resolves: RHEL-173742 - Man page update: man sssd_krb5_localauth_plugin – Missing disable = an2ln
Resolves: RHEL-173743 - Concurrent child processes trigger unnecessarily backtrace
Resolves: RHEL-173744 - Detect foreign security principals in AD group members and silently ignore them
Resolves: RHEL-156519 - GDM Support for IdM IdP feature and MFA [SSSD]
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

.gitignore

@@ -109,3 +109,4 @@ sssd-1.2.91.tar.gz
 /sssd-2.9.6.tar.gz
 /sssd-2.9.7.tar.gz
 /sssd-2.9.8.tar.gz
+/sssd-2.9.9.tar.gz

0001-do-not-require-GID-for-non-POSIX-group.patch

@@ -1,81 +0,0 @@
-Based on 57918755aa87a943ff451bfde6794da513e71d8d commit
-From: Sumit Bose <sbose@redhat.com>
-Date: Mon, 9 Feb 2026 14:10:29 +0100
-Subject: [PATCH] sdap: do not require GID for non-POSIX group
-
-diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
-index 6d0c7e49907..9e0eaf8a4d6 100644
---- a/src/providers/ldap/sdap_async_groups.c
-+++ b/src/providers/ldap/sdap_async_groups.c
-@@ -620,15 +620,17 @@ static int sdap_save_group(TALLOC_CTX *memctx,
-                 goto done;
-             }
- 
--            ret = sysdb_attrs_get_uint32_t(attrs,
--                                           opts->group_map[SDAP_AT_GROUP_GID].sys_name,
--                                           &gid);
--            if (ret != EOK) {
--                DEBUG(SSSDBG_CRIT_FAILURE,
--                      "no gid provided for [%s] in domain [%s].\n",
--                          group_name, dom->name);
--                ret = EINVAL;
--                goto done;
-+            if (posix_group) {
-+                ret = sysdb_attrs_get_uint32_t(attrs,
-+                                               opts->group_map[SDAP_AT_GROUP_GID].sys_name,
-+                                               &gid);
-+                if (ret != EOK) {
-+                    DEBUG(SSSDBG_CRIT_FAILURE,
-+                          "no gid provided for [%s] in domain [%s].\n",
-+                              group_name, dom->name);
-+                    ret = EINVAL;
-+                    goto done;
-+                }
-             }
-         }
-     }
-diff --git a/src/tests/tests/system/tests/test_identity.py b/src/tests/tests/system/tests/test_identity.py
-index 3e38637b0a5..68894958fe7 100644
---- a/src/tests/tests/system/tests/test_identity.py
-+++ b/src/tests/tests/system/tests/test_identity.py
-@@ -718,3 +718,40 @@ def test_identity__filter_groups_by_name_and_lookup_by_gid(client: Client, ldap:
- 
-     result = client.tools.getent.group(20001)
-     assert result is None, "Filtered group was found"
-+
-+
-+@pytest.mark.importance("critical")
-+@pytest.mark.topology(KnownTopologyGroup.AnyAD)
-+def test_identity__nested_non_posix_group(client: Client, provider: GenericADProvider):
-+    """
-+    :title: Lookup indirect group-members of a nested non-POSIX group
-+    :setup:
-+        1. Add a new POSIX user and two new groups, one POSIX the other non-POSIX
-+        2. Add the user to the non-POSIX group and the non-POSIX group to the POSIX group
-+        3. Set 'ldap_id_mapping = false' to allow non-POSIX groups, because
-+           with POSIX id-mapping enabled all groups will get POSIX ID and hence
-+           there are no non-POSIX groups, and start SSSD
-+    :steps:
-+        1. Lookup the POSIX group with getent
-+    :expectedresults:
-+        1. Group is present and the new user is a member
-+    :customerscenario: False
-+    """
-+    user = provider.user("nesteduser").add(
-+        uid=10001, gid=20001, password="Secret123", gecos="User for tests", shell="/bin/bash"
-+    )
-+    nested_group = provider.group("nested_nonposix_group").add().add_member(user)
-+    base_group = provider.group("posix_group").add(gid=30001).add_member(nested_group)
-+
-+    client.sssd.domain["ldap_id_mapping"] = "false"
-+    client.sssd.start()
-+
-+    result = client.tools.getent.group(base_group.name)
-+    assert result is not None, f"Group '{base_group.name}' not found!"
-+    assert (
-+        len(result.members) == 1
-+    ), f"Group '{base_group.name}' has unexpected number of members [{len(result.members)}]!"
-+    assert f"{user.name}" in result.members, f"Member '{user.name}' of group '{base_group.name}' not found!"
-+
-+    result = client.tools.getent.group(nested_group.name)
-+    assert result is None, f"Non-POSIX Group '{nested_group.name}' was found with 'getent group'!"

0002-fix-use-after-free-in-kcm_read_options.patch

@@ -1,16 +0,0 @@
-KCM: fix use-after-free in `kcm_read_options()`
-Based on commit c5a2b48f13af893ae6c7c9fe63e41f64eb77cade
-
-diff --git a/src/responder/kcm/kcm_renew.c b/src/responder/kcm/kcm_renew.c
-index 39e9470fa22..32eccf4b48a 100644
---- a/src/responder/kcm/kcm_renew.c
-+++ b/src/responder/kcm/kcm_renew.c
-@@ -228,7 +228,7 @@ static errno_t kcm_read_options(TALLOC_CTX *mem_ctx,
-     *_validate = validate;
-     *_canonicalize = canonicalize;
-     *_timeout = timeout;
--    *_renew_intv = renew_intv;
-+    *_renew_intv = talloc_steal(mem_ctx, renew_intv);
- 
-     ret = EOK;
- 

0002-sysdb-enumpwent-replacement.patch

@@ -0,0 +1,13 @@
+diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
+index 556d56d50..610bd6c91 100644
+--- a/src/providers/files/files_ops.c
++++ b/src/providers/files/files_ops.c
+@@ -492,7 +492,7 @@ static const char **get_cached_user_names(TALLOC_CTX *mem_ctx,
+     const char **user_names = NULL;
+     unsigned c = 0;
+ 
+-    ret = sysdb_enumpwent(mem_ctx, dom, &res);
++    ret = sysdb_enumpwent_filter(mem_ctx, dom, NULL, NULL, NULL, &res);
+     if (ret != EOK) {
+         goto done;
+     }

0003-add-missing-include.patch

@@ -1,28 +0,0 @@
-commit ca662958218f4484a89be94015066ff6a14875a8
-Author: Alexey Tikhonov <atikhono@redhat.com>
-Date:   Wed Apr 15 09:42:34 2026 +0200
-
-    Add missing include
-    
-    Original patch f3af8c89af656767333410b0e94da9288dd8ade8 didn't include
-    "config.h" that provides `HAVE_PTHREAD_EXT`
-    It works in some branches accidentally because of transitive include
-    via "sss_cli.h" but that's fragile (and in some branches "sss_cli.h"
-    doesn't include "config.h")
-    
-    Reviewed-by: Tomáš Halman <thalman@redhat.com>
-    (cherry picked from commit a809b9236250e6f20e9a9ff1452708cd288b705f)
-
-diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
-index f5986767f..45e2ce460 100644
---- a/src/sss_client/autofs/sss_autofs.c
-+++ b/src/sss_client/autofs/sss_autofs.c
-@@ -18,6 +18,8 @@
-     along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
- 
-+#include "config.h"
-+
- #include <errno.h>
- #include <stdlib.h>
- #include <stdatomic.h>

sources

@@ -1 +1 @@
-SHA512 (sssd-2.9.8.tar.gz) = 9b10cb5e343d32402a437dab3304c16596e9eb7b51a452ca3e2b3fea4aa8dc879abe06a57ccc716bece8024847211abf5affa83e1d2ca2cac101132133a6619a
+SHA512 (sssd-2.9.9.tar.gz) = 218d2f60bfa64d496c26df9d02ee950ed27aff46651ea2c85f123ae7f642f1e9c93f4133a4ab8606066cdb6390799f7643806ba4ac27322aea7838ebf2793545

sssd.spec

@@ -26,17 +26,16 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version})
 
 Name: sssd
-Version: 2.9.8
-Release: 4%{?dist}
+Version: 2.9.9
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 
 ### Patches ###
-Patch1: 0001-do-not-require-GID-for-non-POSIX-group.patch
-Patch2: 0002-fix-use-after-free-in-kcm_read_options.patch
-Patch3: 0003-add-missing-include.patch
+Patch1: 0001-passwordless-gdm.patch
+Patch2: 0002-sysdb-enumpwent-replacement.patch
 
 ### Dependencies ###
 
@@ -1086,6 +1085,17 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Wed May  6 2026 Iker Pedrosa <ipedrosa@redhat.com> - 2.9.9-1
+- Resolves: RHEL-173741 - SSSD Rebase for RHEL 9.9
+- Resolves: RHEL-173740 - CVE-2026-6245 sssd: out-of-bounds read in the sssd
+- Resolves: RHEL-150439 - Poor performance of `BE_REQ_INITGROUPS` handling by 'sssd_be' (LDAP RFC2307, no nested groups)
+- Resolves: RHEL-143416 - Performance impact with enumerate in SSSD > 2.7.3
+- Resolves: RHEL-152067 - [RFE] SSSD PAM: Support Microsoft AD PKINIT authentication indicator (ms-pkca) for pam_gssapi_indicators_map
+- Resolves: RHEL-173742 - Man page update: man sssd_krb5_localauth_plugin – Missing disable = an2ln
+- Resolves: RHEL-173743 - Concurrent child processes trigger unnecessarily backtrace
+- Resolves: RHEL-173744 - Detect foreign security principals in AD group members and silently ignore them
+- Resolves: RHEL-156519 - GDM Support for IdM IdP feature and MFA [SSSD]
+
 * Wed Apr 15 2026 Tomas Halman <thalman@redhat.com> - 2.9.8-4
 - Resolves: RHEL-154804 Crash in 'sss_client/autofs/sss_autofs.c'