diff --git a/.gitignore b/.gitignore
index de42cf5..5827863 100644
--- a/.gitignore
+++ b/.gitignore
@@ -113,3 +113,4 @@ sssd-1.2.91.tar.gz
 /sssd-2.10.0~beta1.tar.gz
 /sssd-2.10.0-beta1.tar.gz
 /sssd-2.10.0-beta2.tar.gz
+/sssd-2.10.0.tar.gz
diff --git a/0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch b/0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
new file mode 100644
index 0000000..eb1a5ba
--- /dev/null
+++ b/0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
@@ -0,0 +1,230 @@
+From d523261c312c1ccab0253ddf14b54daba44ed268 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 13 Sep 2024 15:45:59 +0200
+Subject: [PATCH] ldap: add 'exop_force' value for ldap_pwmodify_mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case the LDAP server allows to run the extended operation to change a
+password even if an authenticated bind fails due to missing grace logins
+the new option 'exop_force' can be used to run the extended operation to
+change the password anyways.
+
+:config: Added `exop_force` value for configuration option
+ `ldap_pwmodify_mode`. This can be used to force a password change even
+ if no grace logins are left. Depending on the configuration of the
+ LDAP server it might be expected that the password change will fail.
+
+Reviewed-by: Justin Stephenson
+Reviewed-by: Pavel Březina
+(cherry picked from commit 7184541976608d357a5da48d09a7fa08862477d8)
+---
+ src/man/sssd-ldap.5.xml | 11 +++++++++
+ src/providers/ipa/ipa_auth.c | 3 ++-
+ src/providers/ldap/ldap_auth.c | 5 +++-
+ src/providers/ldap/ldap_options.c | 2 ++
+ src/providers/ldap/sdap.h | 5 ++--
+ src/providers/ldap/sdap_async.h | 3 ++-
+ src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++-----
+ 7 files changed, 45 insertions(+), 11 deletions(-)
+
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index a6f9b1c97..d50aa65b2 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -234,6 +234,17 @@
+ userPassword (not recommended).
+
+
++
++
++ exop_force - Try Password Modify
++ Extended Operation (RFC 3062) even if
++ there are no grace logins left.
++ Depending on the type and configuration
++ of the LDAP server the password change
++ might fail because an authenticated bind
++ is not possible.
++
++
+
+
+
+diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
+index e238d0623..db1cd6ad3 100644
+--- a/src/providers/ipa/ipa_auth.c
++++ b/src/providers/ipa/ipa_auth.c
+@@ -397,7 +397,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
+ SDAP_USE_PPOLICY);
+
+ subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
+- state->pd->authtok, timeout, use_ppolicy);
++ state->pd->authtok, timeout, use_ppolicy,
++ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
+ if (subreq == NULL) {
+ goto done;
+ }
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index 9ccbdabdb..370cdf171 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -914,7 +914,8 @@ static void auth_do_bind(struct tevent_req *req)
+ subreq = sdap_auth_send(state, state->ev, state->sh,
+ NULL, NULL, state->dn,
+ state->authtok,
+- timeout, use_ppolicy);
++ timeout, use_ppolicy,
++ state->ctx->opts->pwmodify_mode);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+@@ -1208,6 +1209,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,
+
+ switch (opts->pwmodify_mode) {
+ case SDAP_PWMODIFY_EXOP:
++ case SDAP_PWMODIFY_EXOP_FORCE:
+ use_ppolicy = dp_opt_get_bool(opts->basic, SDAP_USE_PPOLICY);
+ subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
+ password, new_password,
+@@ -1252,6 +1254,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)
+
+ switch (state->mode) {
+ case SDAP_PWMODIFY_EXOP:
++ case SDAP_PWMODIFY_EXOP_FORCE:
+ ret = sdap_exop_modify_passwd_recv(subreq, state,
+ &state->user_error_message);
+ break;
+diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
+index 277bcb529..72a95300d 100644
+--- a/src/providers/ldap/ldap_options.c
++++ b/src/providers/ldap/ldap_options.c
+@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
+ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
+ } else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
+ opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
++ } else if (strcasecmp(pwmodify, "exop_force") == 0) {
++ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
+ ret = EINVAL;
+diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
+index d66ca156a..35a4d5e1c 100644
+--- a/src/providers/ldap/sdap.h
++++ b/src/providers/ldap/sdap.h
+@@ -550,8 +550,9 @@ struct sdap_options {
+
+ /* password modify mode */
+ enum pwmodify_mode {
+- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
+- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */
++ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
++ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */
++ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
+ } pwmodify_mode;
+
+ /* The search bases for the domain or its subdomain */
+diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
+index a78a1157c..700cd6f9c 100644
+--- a/src/providers/ldap/sdap_async.h
++++ b/src/providers/ldap/sdap_async.h
+@@ -147,7 +147,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
+ const char *user_dn,
+ struct sss_auth_token *authtok,
+ int simple_bind_timeout,
+- bool use_ppolicy);
++ bool use_ppolicy,
++ enum pwmodify_mode pwmodify_mode);
+
+ errno_t sdap_auth_recv(struct tevent_req *req,
+ TALLOC_CTX *memctx,
+diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
+index a6d4ee443..67c09835b 100644
+--- a/src/providers/ldap/sdap_async_connection.c
++++ b/src/providers/ldap/sdap_async_connection.c
+@@ -646,6 +646,7 @@ struct simple_bind_state {
+ struct tevent_context *ev;
+ struct sdap_handle *sh;
+ const char *user_dn;
++ enum pwmodify_mode pwmodify_mode;
+
+ struct sdap_op *op;
+
+@@ -663,7 +664,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
+ int timeout,
+ const char *user_dn,
+ struct berval *pw,
+- bool use_ppolicy)
++ bool use_ppolicy,
++ enum pwmodify_mode pwmodify_mode)
+ {
+ struct tevent_req *req;
+ struct simple_bind_state *state;
+@@ -686,6 +688,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
+ state->ev = ev;
+ state->sh = sh;
+ state->user_dn = user_dn;
++ state->pwmodify_mode = pwmodify_mode;
+
+ if (use_ppolicy) {
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+@@ -872,7 +875,12 @@ static void simple_bind_done(struct sdap_op *op,
+ * Grace Authentications". */
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password expired, grace logins exhausted.\n");
+- ret = ERR_AUTH_FAILED;
++ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
++ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
++ ret = ERR_PASSWORD_EXPIRED;
++ } else {
++ ret = ERR_AUTH_FAILED;
++ }
+ }
+ } else if (strcmp(response_controls[c]->ldctl_oid,
+ LDAP_CONTROL_PWEXPIRED) == 0) {
+@@ -885,7 +893,12 @@ static void simple_bind_done(struct sdap_op *op,
+ if (result == LDAP_INVALID_CREDENTIALS) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password expired, grace logins exhausted.\n");
+- ret = ERR_AUTH_FAILED;
++ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
++ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
++ ret = ERR_PASSWORD_EXPIRED;
++ } else {
++ ret = ERR_AUTH_FAILED;
++ }
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password expired, user must set a new password.\n");
+@@ -1365,7 +1378,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
+ const char *user_dn,
+ struct sss_auth_token *authtok,
+ int simple_bind_timeout,
+- bool use_ppolicy)
++ bool use_ppolicy,
++ enum pwmodify_mode pwmodify_mode)
+ {
+ struct tevent_req *req, *subreq;
+ struct sdap_auth_state *state;
+@@ -1404,7 +1418,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
+ pw.bv_len = pwlen;
+
+ state->is_sasl = false;
+- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, use_ppolicy);
++ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, use_ppolicy, pwmodify_mode);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return tevent_req_post(req, ev);
+@@ -1981,7 +1995,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
+ dp_opt_get_int(state->opts->basic,
+ SDAP_OPT_TIMEOUT),
+ dp_opt_get_bool(state->opts->basic,
+- SDAP_USE_PPOLICY));
++ SDAP_USE_PPOLICY),
++ state->opts->pwmodify_mode);
+ talloc_free(authtok);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+--
+2.46.1
+
diff --git a/sources b/sources
index e93ed16..6073d96 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-2.10.0-beta2.tar.gz) = 0de63006d6c9d1658edcdb76c6eca2b2a7858a0805ff3a81c96959e599dc55c09098c34b3a3e38730fbb59edd7e7d7d12eb17ede06411c8131e9dce938e0e810
+SHA512 (sssd-2.10.0.tar.gz) = d237ff135fb21bcd1040787d6dfe8fa383290fbae1f15c6917284beb38dd95ecf6418335302e26be40c65e44e8b44135499eec0b98119ea53a38098ac0bc1e2c
diff --git a/sssd.spec b/sssd.spec
index 863fa2d..6535f39 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -59,20 +59,16 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 Name: sssd
-Version: 2.10.0~beta2
-# Using '.el10' directly is a work around RHEL-38900
-Release: 3%{?dist}
+Version: 2.10.0
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
-Source0: https://github.com/SSSD/sssd/releases/download/2.10.0-beta2/sssd-2.10.0-beta2.tar.gz
+Source0: https://github.com/SSSD/sssd/releases/download/2.10.0/sssd-2.10.0.tar.gz
 Source1: sssd.sysusers
 ### Patches ###
-Patch0001: 0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch
-Patch0002: 0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
-Patch0003: 0003-SYSDB-remove-index-on-dataExpireTimestamp.patch
-Patch0004: 0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch
+Patch0001: 0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
 ### Dependencies ###
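Review bot: In the two simple_bind_done hunks the exop_force branch reports ERR_PASSWORD_EXPIRED for a bind the server rejected with LDAP_INVALID_CREDENTIALS, so on that path the supplied password was never confirmed by a successful bind and the caller presumably goes on to the Password Modify exop on the strength of that result alone; nothing at the branch records that the server's handling of the exop (and of its old-password field, if one is sent) is what is relied on instead. A comment at the first new `if`, such as `/* Bind was rejected; with exop_force the caller still attempts the exop and the server decides whether it is allowed. */`, would make that contract explicit for the next reader. The same five-line if/else is pasted into both the grace-logins path and the PWEXPIRED path; a small static helper, sketched below, keeps the two from drifting apart. simple_bind_done starts and ends outside this hunk.
```c
/* Error to report when a simple bind fails because the password has
 * expired and no grace logins are left: exop_force lets the caller go on
 * to the Password Modify exop, every other mode is a plain auth failure. */
static errno_t grace_exhausted_error(enum pwmodify_mode mode)
{
    if (mode == SDAP_PWMODIFY_EXOP_FORCE) {
        DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
        return ERR_PASSWORD_EXPIRED;
    }
    return ERR_AUTH_FAILED;
}

/* … unchanged: simple_bind_done up to the grace-logins check … */
            ret = grace_exhausted_error(state->pwmodify_mode);
/* … unchanged: PWEXPIRED branch, where the same call replaces its if/else … */
```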
@@ -197,9 +193,7 @@ License: GPL-3.0-or-later # libsss_simpleifp is removed Obsoletes: libsss_simpleifp < 2.9.2 Obsoletes: libsss_simpleifp-debuginfo < 2.9.2 -%if %{use_sssd_user} Obsoletes: sssd-polkit-rules < 2.10.0 -%endif # Requires # due to ABI changes in 1.1.30/1.2.0 Requires: libldb >= %{ldb_version} @@ -463,7 +457,7 @@ the information from the SSSD to be transmitted over the system bus. %package winbind-idmap Summary: SSSD's idmap_sss Backend for Winbind -License: GPL-3.0-or-later AND LGPL-3.0-or-later +License: GPL-3.0-or-later and LGPL-3.0-or-later Requires: libsss_nss_idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} Conflicts: sssd-common < %{version}-%{release} @@ -538,7 +532,7 @@ enable authentication with passkey token. %endif %prep -%autosetup -n sssd-2.10.0-beta2 -p1 +%autosetup -n sssd-2.10.0 -p1 %build @@ -568,9 +562,6 @@ autoreconf -ivf %if %{build_subid} --with-subid \ %endif -%if ! %{use_sssd_user} - --disable-polkit-rules-path \ -%endif %if %{build_passkey} --with-passkey \ %endif @@ -1040,11 +1031,12 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf %if %{use_sssd_user} %pre common +! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true %if %{use_sysusers} %sysusers_create_compat %{SOURCE1} %else getent group sssd >/dev/null || groupadd -r sssd -getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd +getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologin -c "User for sssd" sssd %endif %endif 
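Review bot: The new `%pre common` line `! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true` runs on every install and upgrade and discards the usermod result, so an existing account whose home directory could not be moved looks exactly like one that was. The negated first command also reads awkwardly; `if getent passwd sssd >/dev/null; then usermod sssd -d /run/sssd || echo "warning: could not move home directory of user sssd" >&2; fi` says the same thing and leaves a trace in the transaction output. On hosts with `%{use_sysusers}` set, a fresh install creates the account from `%{SOURCE1}` (sssd.sysusers), which this commit does not touch; it is worth confirming that file declares the same /run/sssd home, since the usermod fix-up only ever applies to accounts that already exist. The `-d /run/sssd` change in the useradd fallback is consistent with that intent.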
@@ -1065,6 +1057,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true +%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true %preun common %systemd_preun sssd.service @@ -1119,13 +1112,18 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %preun client if [ $1 -eq 0 ] ; then - /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so + /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so || true fi %posttrans common %systemd_postun_with_restart sssd.service %changelog +* Tue Oct 15 2024 Alexey Tikhonov - 2.10.0-1 +- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0 +- Resolves: RHEL-56701 - sss_ssh_knownhosts is breaking ansible-pull +- Resolves: RHEL-55993 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not + * Thu Aug 22 2024 Alexey Tikhonov - 2.10.0~beta2-3 - Resolves: RHEL-50243 - Please install sssd-polkit-rules by default
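Review bot: `%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true` follows the three context lines above it, and like them it lets chown dereference any symbolic link the glob expands to, so the owner of the link's target rather than the link would change; once this scriptlet has run, the cache entries are owned by %{sssd_user}, so on later upgrades the glob may expand to entries that account created. Adding `-h` (`%__chown -fh %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true`) keeps the operation on the cache entries themselves, and the same hardening applies to the *.log and *.ldb lines. Whether %{gpocachepath} holds subdirectories is not visible here; if it does, their contents keep the old ownership without `-R`, unlike the conf.d line. The scriptlet this line belongs to starts outside the hunk.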