From 6fc2203a2ef90c39b5c3e36e9b27801e2015bcda Mon Sep 17 00:00:00 2001 
From: eabdullin
Date: Thu, 15 May 2025 15:44:21 +0000
Subject: [PATCH] import CS sssd-2.10.2-3.el10.2

---
 .gitignore | 2 +-
 .sssd.metadata | 1 -
 0001-KCM-fix-memory-leak.patch | 113 +
 0002-KCM-another-memory-leak-fixed.patch | 58 +
 ...group-members-if-ignore_group_member.patch | 440 ++++
 ...sssd-adding-mail-as-case-insensitive.patch | 144 --
 ..._bases-option-to-groups_by_user_send.patch | 154 --
 ...context-as-new-member-of-struct-sdap.patch | 194 --
 ...with-multiple-certs-and-missing-logi.patch | 233 --
 ...e-hash-to-store-intermediate-results.patch | 218 --
 ...fresh-root-domain-when-read-directly.patch | 81 -
 ...-add-failover_primary_timeout-option.patch | 306 ---
 ...ion-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch | 35 -
 ...-TESTS-Also-test-default_dyndns_opts.patch | 69 -
 ...ovide-user_map-when-looking-up-group.patch | 310 ---
 ...ser_map-when-looking-of-host-groups-.patch | 80 -
 ...l-to-add-non-posix-user-to-MPG-domai.patch | 61 -
 ...p_force-value-for-ldap_pwmodify_mode.patch | 230 --
 ...-level-in-case-a-responder-asks-for-.patch | 54 -
 ...sure-invalid-krb5-context-is-not-use.patch | 55 -
 sources | 1 +
 SPECS/sssd.spec => sssd.spec | 1910 +++++++----------
 sssd.sysusers | 1 +
 23 files changed, 1434 insertions(+), 3316 deletions(-)
 delete mode 100644 .sssd.metadata
 create mode 100644 0001-KCM-fix-memory-leak.patch
 create mode 100644 0002-KCM-another-memory-leak-fixed.patch
 create mode 100644 0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
 delete mode 100644 SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
 delete mode 100644 SOURCES/0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
 delete mode 100644 SOURCES/0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
 delete mode 100644 SOURCES/0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
 delete mode 100644 SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch
 delete mode 100644 SOURCES/0006-ad-refresh-root-domain-when-read-directly.patch
 delete mode 100644 SOURCES/0007-failover-add-failover_primary_timeout-option.patch
 delete mode 100644 SOURCES/0008-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
 delete mode 100644 SOURCES/0009-TESTS-Also-test-default_dyndns_opts.patch
 delete mode 100644 SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
 delete mode 100644 SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
 delete mode 100644 SOURCES/0012-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
 delete mode 100644 SOURCES/0013-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
 delete mode 100644 SOURCES/0014-DEBUG-reduce-log-level-in-case-a-responder-asks-for-.patch
 delete mode 100644 SOURCES/0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
 create mode 100644 sources
 rename SPECS/sssd.spec => sssd.spec (62%)
 create mode 100644 sssd.sysusers

diff --git a/.gitignore b/.gitignore
index d510690..ae5e98e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.9.4.tar.gz
+sssd-2.10.2.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
deleted file mode 100644
index eaa72f2..0000000
--- a/.sssd.metadata
+++ /dev/null
@@ -1 +0,0 @@
-574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz
diff --git a/0001-KCM-fix-memory-leak.patch b/0001-KCM-fix-memory-leak.patch
new file mode 100644
index 0000000..e62c69b
--- /dev/null
+++ b/0001-KCM-fix-memory-leak.patch
@@ -0,0 +1,113 @@ +From 50f703f25914254d2a545f52f504dfa5a6f65546 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 4 Feb 2025 18:59:36 +0100 +Subject: [PATCH] KCM: fix memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The copy of 'secret' argument - `secret_val.data` - was left hanging +on `sss_sec_ctx`, effectively resulting in a memory leak. +But this copy isn't actually required as this data isn't modified in +below operations. +Skipping alloc+memcpy+erase is also beneficial performance wise. + +:fixes:'sssd_kcm' memory leak was fixed. + +Reviewed-by: Alejandro López +Reviewed-by: Justin Stephenson +(cherry picked from commit 7f1b7c9689827df92e8b2166423d4e80688dbacb) +--- + src/responder/kcm/secrets/secrets.c | 34 ++++++++++------------------- + 1 file changed, 12 insertions(+), 22 deletions(-) + +diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c +index 625a09f39..fe7410cb3 100644 +--- a/src/responder/kcm/secrets/secrets.c ++++ b/src/responder/kcm/secrets/secrets.c +@@ -979,7 +979,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + size_t secret_len) + { + struct ldb_message *msg; +- struct ldb_val secret_val = { .data = NULL }; ++ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; + bool erase_msg = false; + int ret; + +@@ -1029,13 +1029,11 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- secret_val.length = secret_len; +- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); +- if (!secret_val.data) { +- ret = ENOMEM; +- goto done; +- } +- ++ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data ++ * but rather copies a pointer under the hood. ++ * This is fine since no operations modifying this data are performed ++ * below and 'msg' is freed before function returns. 
++ */ + ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -1069,9 +1067,6 @@ errno_t sss_sec_put(struct sss_sec_req *req, + + ret = EOK; + done: +- if (secret_val.data != NULL) { +- sss_erase_mem_securely(secret_val.data, secret_val.length); +- } + if (erase_msg) { + db_result_erase_message_securely(msg, SEC_ATTR_SECRET); + } +@@ -1084,7 +1079,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + size_t secret_len) + { + struct ldb_message *msg; +- struct ldb_val secret_val = { .data = NULL }; ++ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; + bool erase_msg = false; + int ret; + +@@ -1134,13 +1129,6 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- secret_val.length = secret_len; +- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); +- if (!secret_val.data) { +- ret = ENOMEM; +- goto done; +- } +- + /* FIXME - should we have a lastUpdate timestamp? */ + ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { +@@ -1150,6 +1138,11 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + ++ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data ++ * but rather copies a pointer under the hood. ++ * This is fine since no operations modifying this data are performed ++ * below and 'msg' is freed before function returns. ++ */ + ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, +@@ -1174,9 +1167,6 @@ errno_t sss_sec_update(struct sss_sec_req *req, + + ret = EOK; + done: +- if (secret_val.data != NULL) { +- sss_erase_mem_securely(secret_val.data, secret_val.length); +- } + if (erase_msg) { + db_result_erase_message_securely(msg, SEC_ATTR_SECRET); + } +-- +2.47.0 + 
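Review bot: With the `talloc_memdup()` copy gone, `secret_val.data` in both `sss_sec_put()` and `sss_sec_update()` now aliases the caller's `secret` buffer, and the `erase_msg` path at `done:` still calls `db_result_erase_message_securely(msg, SEC_ATTR_SECRET)`, which presumably wipes the value bytes in place — so whenever `erase_msg` is true this zeroes the caller-owned buffer instead of a private copy. The hunk does not show where `erase_msg` is set, so this is a new side effect to confirm against the KCM callers: harmless if every caller discards `secret` afterwards, a silent data clobber if any reuses it. Either way the borrow should be part of the contract; I would put `/* 'secret' is not copied: the ldb message aliases it for the lifetime of this call and it may be wiped in place on exit. */` in the header comment of both functions. Both function bodies start and end outside the hunk.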
diff --git a/0002-KCM-another-memory-leak-fixed.patch b/0002-KCM-another-memory-leak-fixed.patch new file mode 100644 index 0000000..0fb27bc --- /dev/null +++ b/0002-KCM-another-memory-leak-fixed.patch @@ -0,0 +1,58 @@ +From 9e72bc242b600158d7920b2b98644efa42fd1ffa Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 12 Feb 2025 11:30:22 +0100 +Subject: [PATCH] KCM: another memory leak fixed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +``` +... + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0 + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90 + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520 +... +``` + +Reviewed-by: Alejandro López +--- + src/responder/kcm/kcmsrv_ccache.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index f614156cc..bf8daffd0 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -407,7 +407,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { +- goto done; ++ goto fail; + } + + for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) { +@@ -420,7 +420,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + cred_list[i] = kcm_cred_to_krb5(krb_context, cred); + if (cred_list[i] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n"); +- goto done; ++ goto fail; + } + } + +@@ -429,8 +429,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + + talloc_steal(mem_ctx, cred_list); + ++ talloc_free(tmp_ctx); + return cred_list; +-done: ++ ++fail: + talloc_free(tmp_ctx); + return NULL; + #endif +-- +2.47.0 + 
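Review bot: The failure path in `kcm_cc_unmarshal()` (`goto fail` after a failed `kcm_cred_to_krb5()`) still frees only `tmp_ctx`; if `kcm_cred_to_krb5()` allocates each `krb5_creds` with the krb5 allocator rather than as a talloc child of `cred_list` — the hunk does not show which — the already-converted `cred_list[0..i-1]` entries leak on that path, the same class of bug this patch is fixing. Worth checking the allocator and, if they are krb5-allocated, releasing the converted entries under `fail:` before `talloc_free(tmp_ctx)` with a loop calling `krb5_free_creds(krb_context, cred_list[j])`. The rest of `kcm_cc_unmarshal()`, including where `cred_list` is allocated, lies outside the hunk.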
diff --git a/0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch b/0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
new file mode 100644
index 0000000..6f5c7f7
--- /dev/null
+++ b/0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
@@ -0,0 +1,440 @@ +From 281d9c3ed66ee28a9572433a629eb0d72525ca46 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 14 Feb 2025 21:15:16 +0100 +Subject: [PATCH] SYSDB: don't add group members if 'ignore_group_members == + true' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: https://github.com/SSSD/sssd/issues/7793 + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +--- + src/db/sysdb.h | 51 ++++++--- + src/db/sysdb_search.c | 6 +- + src/db/sysdb_views.c | 10 +- + src/tests/cmocka/test_responder_cache_req.c | 112 +++++++------------- + src/tests/cmocka/test_sysdb_ts_cache.c | 6 +- + src/tools/sss_override.c | 2 +- + 6 files changed, 90 insertions(+), 97 deletions(-) + +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index 1b827caf9..319b88e25 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -277,19 +277,44 @@ + SYSDB_ORIG_DN, \ + NULL} + +-#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \ +- SYSDB_MEMBERUID, \ +- SYSDB_MEMBER, \ +- SYSDB_GHOST, \ +- SYSDB_DEFAULT_ATTRS, \ +- SYSDB_SID_STR, \ +- SYSDB_OVERRIDE_DN, \ +- SYSDB_OVERRIDE_OBJECT_DN, \ +- SYSDB_DEFAULT_OVERRIDE_NAME, \ +- SYSDB_UUID, \ +- ORIGINALAD_PREFIX SYSDB_NAME, \ +- ORIGINALAD_PREFIX SYSDB_GIDNUM, \ +- NULL} ++/* Strictly speaking it should return 'const char * const *' but ++ * that gets really unreadable. 
++ */ ++__attribute__((always_inline)) ++static inline const char **SYSDB_GRSRC_ATTRS(const struct sss_domain_info *domain) ++{ ++ static const char * __SYSDB_GRSRC_ATTRS_NO_MEMBERS[] = { ++ SYSDB_NAME, SYSDB_GIDNUM, ++ SYSDB_DEFAULT_ATTRS, ++ SYSDB_SID_STR, ++ SYSDB_OVERRIDE_DN, ++ SYSDB_OVERRIDE_OBJECT_DN, ++ SYSDB_DEFAULT_OVERRIDE_NAME, ++ SYSDB_UUID, ++ NULL ++ }; ++ static const char * __SYSDB_GRSRC_ATTRS_WITH_MEMBERS[] = { ++ SYSDB_NAME, SYSDB_GIDNUM, ++ SYSDB_MEMBERUID, ++ SYSDB_MEMBER, ++ SYSDB_GHOST, ++ SYSDB_DEFAULT_ATTRS, ++ SYSDB_SID_STR, ++ SYSDB_OVERRIDE_DN, ++ SYSDB_OVERRIDE_OBJECT_DN, ++ SYSDB_DEFAULT_OVERRIDE_NAME, ++ SYSDB_UUID, ++ ORIGINALAD_PREFIX SYSDB_NAME, ++ ORIGINALAD_PREFIX SYSDB_GIDNUM, ++ NULL ++ }; ++ ++ if (domain && domain->ignore_group_members) { ++ return __SYSDB_GRSRC_ATTRS_NO_MEMBERS; ++ } else { ++ return __SYSDB_GRSRC_ATTRS_WITH_MEMBERS; ++ } ++} + + #define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \ + SYSDB_NETGROUP_MEMBER, \ +diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c +index e4c53b853..7f34ddbcb 100644 +--- a/src/db/sysdb_search.c ++++ b/src/db/sysdb_search.c +@@ -1176,7 +1176,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, + struct ldb_result **_res) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + const char *fmt_filter; + char *sanitized_name; + struct ldb_dn *base_dn; +@@ -1378,7 +1378,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx, + struct ldb_dn *base_dn; + struct ldb_result *res = NULL; + int ret; +- static const char *default_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **default_attrs = SYSDB_GRSRC_ATTRS(domain); + const char **attrs = NULL; + + tmp_ctx = talloc_new(NULL); +@@ -1484,7 +1484,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx, + struct ldb_result **_res) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + const char 
*filter = NULL; + const char *ts_filter = NULL; + const char *base_filter; +diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c +index 19c10977b..71f627974 100644 +--- a/src/db/sysdb_views.c ++++ b/src/db/sysdb_views.c +@@ -1237,7 +1237,7 @@ errno_t sysdb_search_group_override_by_name(TALLOC_CTX *mem_ctx, + struct ldb_result **override_obj, + struct ldb_result **orig_obj) + { +- const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + + return sysdb_search_override_by_name(mem_ctx, domain, name, + SYSDB_GROUP_NAME_OVERRIDE_FILTER, +@@ -1253,7 +1253,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx, + { + TALLOC_CTX *tmp_ctx; + static const char *user_attrs[] = SYSDB_PW_ATTRS; +- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); + const char **attrs; + struct ldb_dn *base_dn; + struct ldb_result *override_res; +@@ -1417,7 +1417,7 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain, + struct ldb_message *override; + uint64_t uid; + static const char *user_attrs[] = SYSDB_PW_ATTRS; +- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); /* members don't matter */ + const char **attrs; + struct attr_map { + const char *attr; +@@ -1551,6 +1551,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain, + char *val; + struct sss_domain_info *orig_dom; + ++ if (domain->ignore_group_members) { ++ return EOK; ++ } ++ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); +diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c +index 32718c1f1..fcc7eca35 100644 +--- a/src/tests/cmocka/test_responder_cache_req.c ++++ b/src/tests/cmocka/test_responder_cache_req.c +@@ -3267,10 +3267,8 @@ void test_object_by_sid_user_multiple_domains_notfound(void **state) + + void 
test_object_by_sid_group_cache_valid(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. */ + prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL)); +@@ -3283,10 +3281,8 @@ void test_object_by_sid_group_cache_valid(void **state) + + void test_object_by_sid_group_cache_expired(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. */ + prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL)); +@@ -3305,10 +3301,8 @@ void test_object_by_sid_group_cache_expired(void **state) + + void test_object_by_sid_group_cache_midpoint(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. 
*/ + prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26); +@@ -3326,12 +3320,10 @@ void test_object_by_sid_group_cache_midpoint(void **state) + + void test_object_by_sid_group_ncache(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + errno_t ret; + +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +- + /* Setup user. */ + ret = sss_ncache_set_sid(test_ctx->ncache, false, test_ctx->tctx->dom, groups[0].sid); + assert_int_equal(ret, EOK); +@@ -3344,10 +3336,8 @@ void test_object_by_sid_group_ncache(void **state) + + void test_object_by_sid_group_missing_found(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. */ + will_return(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3365,10 +3355,8 @@ void test_object_by_sid_group_missing_found(void **state) + + void test_object_by_sid_group_missing_notfound(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. 
*/ + will_return(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3382,17 +3370,13 @@ void test_object_by_sid_group_missing_notfound(void **state) + + void test_object_by_sid_group_multiple_domains_found(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- struct sss_domain_info *domain = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +- +- /* Setup user. */ +- domain = find_domain_by_name(test_ctx->tctx->dom, +- "responder_cache_req_test_d", true); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom, ++ "responder_cache_req_test_d", true); + assert_non_null(domain); ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + ++ /* Setup user. */ + prepare_group(domain, &groups[0], 1000, time(NULL)); + + /* Mock values. */ +@@ -3408,10 +3392,8 @@ void test_object_by_sid_group_multiple_domains_found(void **state) + + void test_object_by_sid_group_multiple_domains_notfound(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. 
*/ + will_return_always(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3590,10 +3572,8 @@ void test_object_by_id_user_multiple_domains_notfound(void **state) + + void test_object_by_id_group_cache_valid(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. */ + prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL)); +@@ -3605,10 +3585,8 @@ void test_object_by_id_group_cache_valid(void **state) + + void test_object_by_id_group_cache_expired(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. */ + prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL)); +@@ -3626,10 +3604,8 @@ void test_object_by_id_group_cache_expired(void **state) + + void test_object_by_id_group_cache_midpoint(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. 
*/ + prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26); +@@ -3646,12 +3622,10 @@ void test_object_by_id_group_cache_midpoint(void **state) + + void test_object_by_id_group_ncache(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + errno_t ret; + +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +- + /* Setup group. We explicitly add the UID into BOTH UID and GID + * namespaces, because otherwise the cache_req plugin would + * search the Data Provider anyway, because it can't be sure +@@ -3678,10 +3652,8 @@ void test_object_by_id_group_ncache(void **state) + + void test_object_by_id_group_missing_found(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. */ + will_return(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3698,10 +3670,8 @@ void test_object_by_id_group_missing_found(void **state) + + void test_object_by_id_group_missing_notfound(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. 
*/ + will_return(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3714,17 +3684,13 @@ void test_object_by_id_group_missing_notfound(void **state) + + void test_object_by_id_group_multiple_domains_found(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- struct sss_domain_info *domain = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +- +- /* Setup user. */ +- domain = find_domain_by_name(test_ctx->tctx->dom, +- "responder_cache_req_test_d", true); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom, ++ "responder_cache_req_test_d", true); + assert_non_null(domain); ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + ++ /* Setup user. */ + prepare_group(domain, &groups[0], 1000, time(NULL)); + + /* Mock values. */ +@@ -3740,10 +3706,8 @@ void test_object_by_id_group_multiple_domains_found(void **state) + + void test_object_by_id_group_multiple_domains_notfound(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. 
*/ + will_return_always(__wrap_sss_dp_get_account_send, test_ctx); +diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c +index 24b26d950..f349b7061 100644 +--- a/src/tests/cmocka/test_sysdb_ts_cache.c ++++ b/src/tests/cmocka/test_sysdb_ts_cache.c +@@ -694,7 +694,7 @@ static void test_sysdb_getgr_merges(void **state) + struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_ts_test_ctx); + struct sysdb_attrs *group_attrs = NULL; +- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + char *filter = NULL; + struct ldb_result *res = NULL; + size_t msgs_count; +@@ -783,7 +783,7 @@ static void test_merge_ldb_results(void **state) + int ret; + struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_ts_test_ctx); +- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + char *filter; + struct ldb_result *res; + struct ldb_result *res1; +@@ -856,7 +856,7 @@ static void test_group_bysid(void **state) + int ret; + struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_ts_test_ctx); +- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + struct sysdb_attrs *group_attrs = NULL; + struct ldb_result *res; + struct ldb_message *msg = NULL; +diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c +index e4bad848e..1968dde3a 100644 +--- a/src/tools/sss_override.c ++++ b/src/tools/sss_override.c +@@ -1218,7 +1218,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx, + size_t count; + size_t i; + errno_t ret; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + const char *fqname; + char *name; + +-- +2.47.0 + 
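Review bot: The two tables inside the new `SYSDB_GRSRC_ATTRS()` in src/db/sysdb.h are named `__SYSDB_GRSRC_ATTRS_NO_MEMBERS` and `__SYSDB_GRSRC_ATTRS_WITH_MEMBERS`; identifiers beginning with two underscores are reserved for the implementation in C, so rename them to e.g. `grsrc_attrs_no_members` / `grsrc_attrs_with_members`. A second concern is the return type: the old macro gave each caller its own array, whereas the inline function hands every caller a `const char **` into one shared `static const char *[]`, so any write through it (the comment already concedes the type should be `const char * const *`) would corrupt the attribute list process-wide; `sysdb_getgrgid_attrs()` merges `default_attrs` with extra attributes in code outside the hunk and is the first place to check. If fixing the callers to `const char * const *` is too much churn for a backport, at least add `/* Returns shared static storage: callers must never write through the returned pointer. */` above the function. `__attribute__((always_inline))` is GCC/Clang-specific and adds nothing over `static inline` for a body this small; drop it unless there is a measured reason to keep it.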
diff --git a/SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch b/SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
deleted file mode 100644
index 1e12d0b..0000000
--- a/SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From dd0f63246aa75d5f53b44cbc185e88833e79976e Mon Sep 17 00:00:00 2001 -From: Andre Boscatto -Date: Wed, 7 Feb 2024 12:28:28 +0100 -Subject: [PATCH] sssd: adding mail as case insensitive -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: https://github.com/SSSD/sssd/issues/7173 - -Reviewed-by: Iker Pedrosa -Reviewed-by: Tomáš Halman -(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51) ---- - src/db/sysdb_init.c | 7 ++++++ - src/db/sysdb_private.h | 5 +++- - src/db/sysdb_upgrade.c | 56 ++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 67 insertions(+), 1 deletion(-) - -diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c -index c2ea6c369..38a9cd64a 100644 ---- a/src/db/sysdb_init.c -+++ b/src/db/sysdb_init.c -@@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, - } - } - -+ if (strcmp(version, SYSDB_VERSION_0_23) == 0) { -+ ret = sysdb_upgrade_23(sysdb, &version); -+ if (ret != EOK) { -+ goto done; -+ } -+ } -+ - ret = EOK; - done: - sysdb->ldb = save_ldb; -diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h -index 1f55007bc..63f7b5601 100644 ---- a/src/db/sysdb_private.h -+++ b/src/db/sysdb_private.h -@@ -23,6 +23,7 @@ - #ifndef __INT_SYS_DB_H__ - #define __INT_SYS_DB_H__ - -+#define SYSDB_VERSION_0_24 "0.24" - #define SYSDB_VERSION_0_23 "0.23" - #define SYSDB_VERSION_0_22 "0.22" - #define SYSDB_VERSION_0_21 "0.21" -@@ -47,7 +48,7 @@ - #define SYSDB_VERSION_0_2 "0.2" - #define SYSDB_VERSION_0_1 "0.1" - --#define SYSDB_VERSION SYSDB_VERSION_0_23 -+#define SYSDB_VERSION SYSDB_VERSION_0_24 - - #define SYSDB_BASE_LDIF \ - "dn: @ATTRIBUTES\n" \ -@@ -60,6 +61,7 @@ - "objectclass: CASE_INSENSITIVE\n" \ - "ipHostNumber: CASE_INSENSITIVE\n" \ - "ipNetworkNumber: CASE_INSENSITIVE\n" \ -+ "mail: CASE_INSENSITIVE\n" \ - "\n" \ - "dn: @INDEXLIST\n" \ - "@IDXATTR: cn\n" \ -@@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx 
*sysdb, const char **ver); - int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver); -+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver); - - int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver); - -diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c -index 346a1cb0b..56083e6be 100644 ---- a/src/db/sysdb_upgrade.c -+++ b/src/db/sysdb_upgrade.c -@@ -2718,6 +2718,62 @@ done: - return ret; - } - -+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver) -+{ -+ TALLOC_CTX *tmp_ctx; -+ int ret; -+ struct ldb_message *msg; -+ struct upgrade_ctx *ctx; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (!tmp_ctx) { -+ return ENOMEM; -+ } -+ -+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx); -+ if (ret) { -+ return ret; -+ } -+ -+ /* Add new indexes */ -+ msg = ldb_msg_new(tmp_ctx); -+ if (!msg) { -+ ret = ENOMEM; -+ goto done; -+ } -+ msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES"); -+ if (!msg->dn) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ /* Case insensitive search for mail */ -+ ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL); -+ if (ret != LDB_SUCCESS) { -+ ret = ENOMEM; -+ goto done; -+ } -+ ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE"); -+ if (ret != LDB_SUCCESS) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = ldb_modify(sysdb->ldb, msg); -+ if (ret != LDB_SUCCESS) { -+ ret = sysdb_error_to_errno(ret); -+ goto done; -+ } -+ -+ /* conversion done, update version number */ -+ ret = update_version(ctx); -+ -+done: -+ ret = finish_upgrade(ret, &ctx, ver); -+ talloc_free(tmp_ctx); -+ return ret; -+} -+ - int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver) - { - struct upgrade_ctx *ctx; --- -2.41.0 - 
diff --git a/SOURCES/0002-sdap-add-search_bases-option-to-groups_by_user_send.patch b/SOURCES/0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
deleted file mode 100644
index e7f048f..0000000
--- a/SOURCES/0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
+++ /dev/null
@@ -1,154 +0,0 @@ -From a7621a5b464af7a3c8409dcbde038b35fee2c895 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 23 Jan 2024 13:47:53 +0100 -Subject: [PATCH 2/3] sdap: add search_bases option to groups_by_user_send() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -AD handles users and computer objects very similar and so does SSSD's -GPO code when lookup up the host's group-memberships. But users and -computers might be stored in different sub-tree of the AD LDAP tree and -if a dedicated user search base is given with the ldap_user_search_base -option in sssd.conf the host object might be in a different sub-tree. To -make sure the host can still be found this patch uses the base DN of -the LDAP tree when searching for hosts in the GPO code. - -Resolves: https://github.com/SSSD/sssd/issues/5708 - -Reviewed-by: Alejandro López -Reviewed-by: Tomáš Halman -(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196) ---- - src/providers/ad/ad_gpo.c | 10 ++++++++++ - src/providers/ldap/ldap_common.h | 1 + - src/providers/ldap/ldap_id.c | 6 +++++- - src/providers/ldap/sdap_async.h | 1 + - src/providers/ldap/sdap_async_initgroups.c | 4 +++- - 5 files changed, 20 insertions(+), 2 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 94959c36b..b0ee3e616 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -2091,6 +2091,7 @@ ad_gpo_connect_done(struct tevent_req *subreq) - char *server_uri; - LDAPURLDesc *lud; - struct sdap_domain *sdom; -+ struct sdap_search_base **search_bases; - - req = tevent_req_callback_data(subreq, struct tevent_req); - state = tevent_req_data(req, struct ad_gpo_access_state); -@@ -2184,9 +2185,18 @@ ad_gpo_connect_done(struct tevent_req *subreq) - goto done; - } - -+ ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx, -+ "AD_HOSTS", NULL, &search_bases); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Failed 
to create dedicated search base for host lookups, " -+ "trying with user search base."); -+ } -+ - subreq = groups_by_user_send(state, state->ev, - state->access_ctx->ad_id_ctx->sdap_id_ctx, - sdom, state->conn, -+ search_bases, - state->host_fqdn, - BE_FILTER_NAME, - NULL, -diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h -index 7159d6356..2c984ef50 100644 ---- a/src/providers/ldap/ldap_common.h -+++ b/src/providers/ldap/ldap_common.h -@@ -304,6 +304,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, - struct sdap_id_ctx *ctx, - struct sdap_domain *sdom, - struct sdap_id_conn_ctx *conn, -+ struct sdap_search_base **search_bases, - const char *filter_value, - int filter_type, - const char *extra_value, -diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c -index da54816bd..b3ea2333f 100644 ---- a/src/providers/ldap/ldap_id.c -+++ b/src/providers/ldap/ldap_id.c -@@ -1139,6 +1139,7 @@ struct groups_by_user_state { - struct sdap_id_op *op; - struct sysdb_ctx *sysdb; - struct sss_domain_info *domain; -+ struct sdap_search_base **search_bases; - - const char *filter_value; - int filter_type; -@@ -1160,6 +1161,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, - struct sdap_id_ctx *ctx, - struct sdap_domain *sdom, - struct sdap_id_conn_ctx *conn, -+ struct sdap_search_base **search_bases, - const char *filter_value, - int filter_type, - const char *extra_value, -@@ -1192,6 +1194,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, - state->extra_value = extra_value; - state->domain = sdom->dom; - state->sysdb = sdom->dom->sysdb; -+ state->search_bases = search_bases; - - if (state->domain->type == DOM_TYPE_APPLICATION || set_non_posix) { - state->non_posix = true; -@@ -1254,6 +1257,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq) - sdap_id_op_handle(state->op), - state->ctx, - state->conn, -+ state->search_bases, - state->filter_value, - state->filter_type, - 
state->extra_value, -@@ -1449,7 +1453,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx, - } - - subreq = groups_by_user_send(state, be_ctx->ev, id_ctx, -- sdom, conn, -+ sdom, conn, NULL, - ar->filter_value, - ar->filter_type, - ar->extra_value, -diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h -index 5458d21f1..89245f41f 100644 ---- a/src/providers/ldap/sdap_async.h -+++ b/src/providers/ldap/sdap_async.h -@@ -158,6 +158,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - struct sdap_handle *sh, - struct sdap_id_ctx *id_ctx, - struct sdap_id_conn_ctx *conn, -+ struct sdap_search_base **search_bases, - const char *name, - int filter_type, - const char *extra_value, -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index 97be594a3..fb3d8fe24 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -2732,6 +2732,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - struct sdap_handle *sh, - struct sdap_id_ctx *id_ctx, - struct sdap_id_conn_ctx *conn, -+ struct sdap_search_base **search_bases, - const char *filter_value, - int filter_type, - const char *extra_value, -@@ -2764,7 +2765,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - state->orig_user = NULL; - state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); - state->user_base_iter = 0; -- state->user_search_bases = sdom->user_search_bases; -+ state->user_search_bases = (search_bases == NULL) ? sdom->user_search_bases -+ : search_bases; - if (!state->user_search_bases) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Initgroups lookup request without a user search base\n"); --- -2.41.0 - diff --git a/SOURCES/0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch b/SOURCES/0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch deleted file mode 100644 index a7ff19e..0000000 
--- a/SOURCES/0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch +++ /dev/null 
@@ -1,194 +0,0 @@ -From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 24 Jan 2024 14:21:12 +0100 -Subject: [PATCH 3/3] sdap: add naming_context as new member of struct - sdap_domain -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The naming_context could be a more reliable source than basedn for the -actual base DN because basedn is set very early from the domain name -given in sssd.conf. Although it is recommended to use the fully -qualified DNS domain name here it is not required. As a result basedn -might not reflect the actual based DN of the LDAP server. Also pure LDAP -server (i.e. not AD or FreeIPA) might use different schemes to set the -base DN which will not be based on the DNS domain of the LDAP server. - -Resolves: https://github.com/SSSD/sssd/issues/5708 - -Reviewed-by: Alejandro López -Reviewed-by: Tomáš Halman -(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e) ---- - src/providers/ad/ad_gpo.c | 6 ++++-- - src/providers/ldap/sdap.c | 36 +++++++++++++----------------------- - src/providers/ldap/sdap.h | 11 +++++++++++ - 3 files changed, 28 insertions(+), 25 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index b0ee3e616..3d1ad39c7 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq) - goto done; - } - -- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx, -- "AD_HOSTS", NULL, &search_bases); -+ ret = common_parse_search_base(state, -+ sdom->naming_context == NULL ? 
sdom->basedn -+ : sdom->naming_context, -+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Failed to create dedicated search base for host lookups, " -diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c -index f5637c5fb..956eba93a 100644 ---- a/src/providers/ldap/sdap.c -+++ b/src/providers/ldap/sdap.c -@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - struct sdap_domain *sdom) - { - int ret; -- char *naming_context = NULL; - -- if (!sdom->search_bases -- || !sdom->user_search_bases -- || !sdom->group_search_bases -- || !sdom->netgroup_search_bases -- || !sdom->host_search_bases -- || !sdom->sudo_search_bases -- || !sdom->iphost_search_bases -- || !sdom->ipnetwork_search_bases -- || !sdom->autofs_search_bases) { -- naming_context = get_naming_context(opts->basic, rootdse); -- if (naming_context == NULL) { -+ if (!sdom->naming_context) { -+ sdom->naming_context = get_naming_context(sdom, rootdse); -+ if (sdom->naming_context == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n"); - - /* This has to be non-fatal, since some servers offer -@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - -@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->user_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_USER_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - -@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->group_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_GROUP_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto 
done; - } - -@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->netgroup_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_NETGROUP_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - -@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->host_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_HOST_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - -@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->sudo_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_SUDO_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - -@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->service_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_SERVICE_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - -@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->autofs_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_AUTOFS_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - -@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->iphost_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_IPHOST_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - -@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - if (!sdom->ipnetwork_search_bases) { - ret = sdap_set_search_base(opts, sdom, - SDAP_IPNETWORK_SEARCH_BASE, -- naming_context); -+ sdom->naming_context); - if (ret != EOK) goto done; - } - - ret = 
EOK; - - done: -- talloc_free(naming_context); - return ret; - } - -diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index 161bc5c26..103d50ed4 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -454,6 +454,17 @@ struct sdap_domain { - - char *basedn; - -+ /* The naming_context could be a more reliable source than basedn for the -+ * actual base DN because basedn is set very early from the domain name -+ * given in sssd.conf. Although it is recommended to use the fully -+ * qualified DNS domain name here it is not required. As a result basedn -+ * might not reflect the actual based DN of the LDAP server. Also pure -+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set -+ * the base DN which will not be based on the DNS domain of the LDAP -+ * server. naming_context might be NULL even after connection to an LDAP -+ * server. */ -+ char *naming_context; -+ - struct sdap_search_base **search_bases; - struct sdap_search_base **user_search_bases; - struct sdap_search_base **group_search_bases; --- -2.41.0 - diff --git a/SOURCES/0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch b/SOURCES/0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch deleted file mode 100644 index 7ba9ba5..0000000 --- a/SOURCES/0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch +++ /dev/null 
@@ -1,233 +0,0 @@ -From 50077c3255177fe1b01837fbe31a7f8fd47dee74 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 18 Jan 2024 13:08:17 +0100 -Subject: [PATCH] pam: fix SC auth with multiple certs and missing login name - -While introducing the local_auth_policy option a quite specific use-case -was not covered correctly. If there are multiple matching certificates -on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard -mode was used for login, i.e. there is no user name given and the user -has to be derived from the certificate used for login, authentication -failed. The main reason for the failure is that in this case the -Smartcard interaction and the user mapping has to be done first to -determine the user before local_auth_policy is evaluated. As a result -when checking if the authentication can be finished the request was in -an unexpected state because the indicator for local Smartcard -authentication was not enabled. - -Resolves: https://github.com/SSSD/sssd/issues/7109 - -Reviewed-by: Justin Stephenson -Reviewed-by: Scott Poore -(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3) ---- - src/responder/pam/pamsrv.h | 10 ++++ - src/responder/pam/pamsrv_cmd.c | 17 +++++-- - src/tests/intg/Makefile.am | 2 + - src/tests/intg/test_pam_responder.py | 74 +++++++++++++++++++++++++++- - 4 files changed, 96 insertions(+), 7 deletions(-) - -diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h -index 7013a8edd..618836189 100644 ---- a/src/responder/pam/pamsrv.h -+++ b/src/responder/pam/pamsrv.h -@@ -93,7 +93,17 @@ struct pam_auth_req { - struct ldb_message *user_obj; - struct cert_auth_info *cert_list; - struct cert_auth_info *current_cert; -+ /* Switched to 'true' if the backend indicates that it cannot handle -+ * Smartcard authentication, but Smartcard authentication is -+ * possible and local Smartcard authentication is allowed. 
*/ - bool cert_auth_local; -+ /* Switched to 'true' if authentication (not pre-authentication) was -+ * started without a login name and the name had to be lookup up with the -+ * certificate used for authentication. Since reading the certificate from -+ * the Smartcard already involves the PIN validation in this case there -+ * would be no need for an additional Smartcard interaction if only local -+ * Smartcard authentication is possible. */ -+ bool initial_cert_auth_successful; - - bool passkey_data_exists; - uint32_t client_id_num; -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index c23ea7ba4..a7c181733 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -2200,8 +2200,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) - ret = ENOENT; - goto done; - } -- -- if (cert_count > 1) { -+ /* Multiple certificates are only expected during pre-auth */ -+ if (cert_count > 1 && preq->pd->cmd == SSS_PAM_PREAUTH) { - for (preq->current_cert = preq->cert_list; - preq->current_cert != NULL; - preq->current_cert = sss_cai_get_next(preq->current_cert)) { -@@ -2285,7 +2285,9 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) - } - - /* If logon_name was not given during authentication add a -- * SSS_PAM_CERT_INFO message to send the name to the caller. */ -+ * SSS_PAM_CERT_INFO message to send the name to the caller. -+ * Additionally initial_cert_auth_successful is set to -+ * indicate that the user is already authenticated. 
*/ - if (preq->pd->cmd == SSS_PAM_AUTHENTICATE - && preq->pd->logon_name == NULL) { - ret = add_pam_cert_response(preq->pd, -@@ -2297,6 +2299,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) - preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL; - goto done; - } -+ -+ preq->initial_cert_auth_successful = true; - } - - /* cert_user will be returned to the PAM client as user name, so -@@ -2851,12 +2855,15 @@ static void pam_dom_forwarder(struct pam_auth_req *preq) - if (found) { - if (local_policy != NULL && strcasecmp(local_policy, "only") == 0) { - talloc_free(tmp_ctx); -- DEBUG(SSSDBG_IMPORTANT_INFO, "Local auth only set, skipping online auth\n"); -+ DEBUG(SSSDBG_IMPORTANT_INFO, -+ "Local auth only set and matching certificate was found, " -+ "skipping online auth\n"); - if (preq->pd->cmd == SSS_PAM_PREAUTH) { - preq->pd->pam_status = PAM_SUCCESS; - } else if (preq->pd->cmd == SSS_PAM_AUTHENTICATE - && IS_SC_AUTHTOK(preq->pd->authtok) -- && preq->cert_auth_local) { -+ && (preq->cert_auth_local -+ || preq->initial_cert_auth_successful)) { - preq->pd->pam_status = PAM_SUCCESS; - preq->callback = pam_reply; - } -diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am -index 3866d3ca6..0cfd268dc 100644 ---- a/src/tests/intg/Makefile.am -+++ b/src/tests/intg/Makefile.am -@@ -199,6 +199,7 @@ clean-local: - - PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem" - SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf" -+SOFTHSM2_TWO_CONF="$(abs_builddir)/../test_CA/softhsm2_two.conf" - - intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains sss_netgroup_thread_test - pipepath="$(DESTDIR)$(pipepath)"; \ -@@ -233,6 +234,7 @@ intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service - PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \ - ABS_SRCDIR=$(abs_srcdir) \ - SOFTHSM2_CONF=$(SOFTHSM2_CONF) \ -+ 
SOFTHSM2_TWO_CONF=$(SOFTHSM2_TWO_CONF) \ - KCM_RENEW=$(KCM_RENEW) \ - FILES_PROVIDER=$(FILES_PROVIDER) \ - DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \ -diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py -index 1fc3937e6..0fbf8065e 100644 ---- a/src/tests/intg/test_pam_responder.py -+++ b/src/tests/intg/test_pam_responder.py -@@ -168,7 +168,7 @@ def format_pam_cert_auth_conf(config, provider): - {provider.p} - - [certmap/auth_only/user1] -- matchrule = .*CN=SSSD test cert 0001.* -+ matchrule = .*CN=SSSD test cert 000[12].* - """).format(**locals()) - - -@@ -201,7 +201,7 @@ def format_pam_cert_auth_conf_name_format(config, provider): - {provider.p} - - [certmap/auth_only/user1] -- matchrule = .*CN=SSSD test cert 0001.* -+ matchrule = .*CN=SSSD test cert 000[12].* - """).format(**locals()) - - -@@ -380,6 +380,28 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup): - return None - - -+@pytest.fixture -+def simple_pam_cert_auth_two_certs(request, passwd_ops_setup): -+ """Setup SSSD with pam_cert_auth=True""" -+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] -+ -+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF'] -+ softhsm2_two_conf = os.environ['SOFTHSM2_TWO_CONF'] -+ os.environ['SOFTHSM2_CONF'] = softhsm2_two_conf -+ -+ conf = format_pam_cert_auth_conf(config, provider_switch(request.param)) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ -+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf -+ -+ passwd_ops_setup.useradd(**USER1) -+ passwd_ops_setup.useradd(**USER2) -+ sync_files_provider(USER2['name']) -+ -+ return None -+ -+ - @pytest.fixture - def simple_pam_cert_auth_name_format(request, passwd_ops_setup): - """Setup SSSD with pam_cert_auth=True and full_name_format""" -@@ -522,6 +544,54 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl): - assert err.find("pam_authenticate for user [user1]: Success") != -1 - - -+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', 
provider_list(), indirect=True) -+def test_sc_auth_two(simple_pam_cert_auth_two_certs, env_for_sssctl): -+ -+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", -+ "--action=auth", "--service=pam_sss_service"], -+ universal_newlines=True, -+ env=env_for_sssctl, stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ try: -+ out, err = sssctl.communicate(input="2\n123456") -+ except Exception: -+ sssctl.kill() -+ out, err = sssctl.communicate() -+ -+ sssctl.stdin.close() -+ sssctl.stdout.close() -+ -+ if sssctl.wait() != 0: -+ raise Exception("sssctl failed") -+ -+ assert err.find("pam_authenticate for user [user1]: Success") != -1 -+ -+ -+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True) -+def test_sc_auth_two_missing_name(simple_pam_cert_auth_two_certs, env_for_sssctl): -+ -+ sssctl = subprocess.Popen(["sssctl", "user-checks", "", -+ "--action=auth", "--service=pam_sss_allow_missing_name"], -+ universal_newlines=True, -+ env=env_for_sssctl, stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ try: -+ out, err = sssctl.communicate(input="2\n123456") -+ except Exception: -+ sssctl.kill() -+ out, err = sssctl.communicate() -+ -+ sssctl.stdin.close() -+ sssctl.stdout.close() -+ -+ if sssctl.wait() != 0: -+ raise Exception("sssctl failed") -+ -+ assert err.find("pam_authenticate for user [user1]: Success") != -1 -+ -+ - @pytest.mark.parametrize('simple_pam_cert_auth', ['proxy_password'], indirect=True) - def test_sc_proxy_password_fallback(simple_pam_cert_auth, env_for_sssctl): - """ --- -2.41.0 - diff --git a/SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch b/SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch deleted file mode 100644 index 5bb0332..0000000 --- a/SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch +++ /dev/null 
@@ -1,218 +0,0 @@ -From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 8 Nov 2023 14:50:24 +0100 -Subject: [PATCH] ad-gpo: use hash to store intermediate results -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently after the evaluation of a single GPO file the intermediate -results are stored in the cache and this cache entry is updated until -all applicable GPO files are evaluated. Finally the data in the cache is -used to make the decision of access is granted or rejected. - -If there are two or more access-control request running in parallel one -request might overwrite the cache object with intermediate data while -another request reads the cached data for the access decision and as a -result will do this decision based on intermediate data. - -To avoid this the intermediate results are not stored in the cache -anymore but in hash tables which are specific to the request. Only the -final result is written to the cache to have it available for offline -authentication. 
- -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman -(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a) ---- - src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++----- - 1 file changed, 102 insertions(+), 14 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 3d1ad39c7..b879b0a08 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, - return ret; - } - -+static errno_t -+add_result_to_hash(hash_table_t *hash, const char *key, char *value) -+{ -+ int hret; -+ hash_key_t k; -+ hash_value_t v; -+ -+ if (hash == NULL || key == NULL || value == NULL) { -+ return EINVAL; -+ } -+ -+ k.type = HASH_KEY_CONST_STRING; -+ k.c_str = key; -+ -+ v.type = HASH_VALUE_PTR; -+ v.ptr = value; -+ -+ hret = hash_enter(hash, &k, &v); -+ if (hret != HASH_SUCCESS) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n", -+ key, value, hash_error_string(hret)); -+ return EIO; -+ } -+ -+ return EOK; -+} -+ - /* - * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename, - * and stores the allow_key and deny_key of all of the gpo_map_types present -@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, - */ - static errno_t - ad_gpo_store_policy_settings(struct sss_domain_info *domain, -+ hash_table_t *allow_maps, hash_table_t *deny_maps, - const char *filename) - { - struct ini_cfgfile *file_ctx = NULL; -@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - goto done; - } else if (ret != ENOENT) { - const char *value = allow_value ? 
allow_value : empty_val; -- ret = sysdb_gpo_store_gpo_result_setting(domain, -- allow_key, -- value); -+ ret = add_result_to_hash(allow_maps, allow_key, -+ talloc_strdup(allow_maps, value)); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sysdb_gpo_store_gpo_result_setting failed for key:" -- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value, -- ret, sss_strerror(ret)); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " -+ "value: [%s] to allow maps " -+ "[%d][%s].\n", -+ allow_key, value, ret, -+ sss_strerror(ret)); - goto done; - } - } -@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - goto done; - } else if (ret != ENOENT) { - const char *value = deny_value ? deny_value : empty_val; -- ret = sysdb_gpo_store_gpo_result_setting(domain, -- deny_key, -- value); -+ ret = add_result_to_hash(deny_maps, deny_key, -+ talloc_strdup(deny_maps, value)); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sysdb_gpo_store_gpo_result_setting failed for key:" -- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value, -- ret, sss_strerror(ret)); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " -+ "value: [%s] to deny maps " -+ "[%d][%s].\n", -+ deny_key, value, ret, -+ sss_strerror(ret)); - goto done; - } - } -@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state { - int num_cse_filtered_gpos; - int cse_gpo_index; - const char *ad_domain; -+ hash_table_t *allow_maps; -+ hash_table_t *deny_maps; - }; - - static void ad_gpo_connect_done(struct tevent_req *subreq); -@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, - goto immediately; - } - -+ ret = sss_hash_create(state, 0, &state->allow_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps " -+ "hash table [%d]: %s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } -+ -+ ret = sss_hash_create(state, 0, &state->deny_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps " -+ "hash table [%d]: 
%s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } - - subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); - if (subreq == NULL) { -@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req) - return EAGAIN; - } - -+static errno_t -+store_hash_maps_in_cache(struct sss_domain_info *domain, -+ hash_table_t *allow_maps, hash_table_t *deny_maps) -+{ -+ int ret; -+ struct hash_iter_context_t *iter; -+ hash_entry_t *entry; -+ size_t c; -+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL}; -+ -+ -+ for (c = 0; hash_list[c] != NULL; c++) { -+ iter = new_hash_iter_context(hash_list[c]); -+ if (iter == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n"); -+ return EINVAL; -+ } -+ -+ while ((entry = iter->next(iter)) != NULL) { -+ ret = sysdb_gpo_store_gpo_result_setting(domain, -+ entry->key.c_str, -+ entry->value.ptr); -+ if (ret != EOK) { -+ free(iter); -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_gpo_store_gpo_result_setting failed for key:" -+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str, -+ (char *) entry->value.ptr, ret, sss_strerror(ret)); -+ return ret; -+ } -+ } -+ talloc_free(iter); -+ } -+ -+ return EOK; -+} -+ - /* - * This cse-specific function (GP_EXT_GUID_SECURITY) increments the - * cse_gpo_index until the policy settings for all applicable GPOs have been -@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) - * (as part of the GPO Result object in the sysdb cache). 
- */ - ret = ad_gpo_store_policy_settings(state->host_domain, -+ state->allow_maps, state->deny_maps, - cse_filtered_gpo->policy_filename); - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq) - - if (ret == EOK) { - /* ret is EOK only after all GPO policy files have been downloaded */ -+ ret = store_hash_maps_in_cache(state->host_domain, -+ state->allow_maps, state->deny_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps " -+ "[%d][%s].\n", ret, sss_strerror(ret)); -+ goto done; -+ } - ret = ad_gpo_perform_hbac_processing(state, - state->gpo_mode, - state->gpo_map_type, --- -2.44.0 - diff --git a/SOURCES/0006-ad-refresh-root-domain-when-read-directly.patch b/SOURCES/0006-ad-refresh-root-domain-when-read-directly.patch deleted file mode 100644 index 7652bcf..0000000 --- a/SOURCES/0006-ad-refresh-root-domain-when-read-directly.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From db27a51f274640e1aa2f13476c80955a3ec9e91c Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 1 Mar 2024 10:50:07 +0100 -Subject: [PATCH] ad: refresh root domain when read directly -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the domain object of the forest root domain cannot be found in the -LDAP tree of the local AD domain SSSD tries to read the request data -from an LDAP server of the forest root domain directly. After reading -this data the information is stored in the cache but currently the -information about the domain store in memory is not updated with the -additional data. As a result e.g. the domain SID is missing in this data -and only becomes available after a restart where it is read from the -cache. - -With this patch an unconditional refresh is triggered at the end of the -fallback code path. - -Resolves: https://github.com/SSSD/sssd/issues/7250 - -Reviewed-by: Dan Lavu -Reviewed-by: Tomáš Halman -(cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53) ---- - src/providers/ad/ad_subdomains.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index a8d1892cc..d8f3738ce 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state { - static void ad_get_root_domain_done(struct tevent_req *subreq); - static void ad_check_root_domain_done(struct tevent_req *subreq); - static errno_t --ad_get_root_domain_refresh(struct ad_get_root_domain_state *state); -+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh); - - struct tevent_req * - ad_check_domain_send(TALLOC_CTX *mem_ctx, -@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) - return; - } - -- ret = ad_get_root_domain_refresh(state); -+ ret = ad_get_root_domain_refresh(state, 
false); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n"); - } -@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq) - - state->reply_count = 1; - -- ret = ad_get_root_domain_refresh(state); -+ ret = ad_get_root_domain_refresh(state, true); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n"); - } -@@ -1697,7 +1697,7 @@ done: - } - - static errno_t --ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) -+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh) - { - struct sss_domain_info *root_domain; - bool has_changes; -@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) - goto done; - } - -- if (has_changes) { -+ if (has_changes || refresh) { - ret = ad_subdom_reinit(state->sd_ctx); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n"); --- -2.45.0 - diff --git a/SOURCES/0007-failover-add-failover_primary_timeout-option.patch b/SOURCES/0007-failover-add-failover_primary_timeout-option.patch deleted file mode 100644 index c24ca1c..0000000 --- a/SOURCES/0007-failover-add-failover_primary_timeout-option.patch +++ /dev/null 
@@ -1,306 +0,0 @@ -From 14f32f681a25aac185d72bc6d22a9e3b59dd265a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Tue, 30 Apr 2024 12:28:53 +0200 -Subject: [PATCH] failover: add failover_primary_timeout option - -This was previously hardcoded to 31 seconds (hardcoded retry_timout + -1). This may be too short period under some circumstances. - -When we retry primary server we drop connection to the backup server and -if the primary server is not yet available (and there are many -unavailable primary servers) we may go through a long timeout cycle -every half minute. - -This patch makes the value configurable. - -:config: Added `failover_primary_timout` configuration option. This - can be used to configure how often SSSD tries to reconnect to a - primary server after a successful connection to a backup server. - This was previously hardcoded to 31 seconds which is kept as - the default value. - -Resolves: https://github.com/SSSD/sssd/issues/7375 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Iker Pedrosa -(cherry picked from commit e9738e36937e78f80bb2772c48cffbddf39bd5fe) ---- - src/config/SSSDConfig/sssdoptions.py | 2 + - src/config/SSSDConfigTest.py | 2 + - src/config/cfg_rules.ini | 1 + - src/config/etc/sssd.api.conf | 1 + - src/man/sssd.conf.5.xml | 19 ++++++++ - src/providers/data_provider.h | 1 + - src/providers/data_provider_fo.c | 14 +++++- - src/providers/fail_over.c | 10 +++++ - src/providers/fail_over.h | 3 ++ - src/tests/system/tests/test_failover.py | 59 +++++++++++++++++++++++++ - 10 files changed, 110 insertions(+), 2 deletions(-) - create mode 100644 src/tests/system/tests/test_failover.py - -diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py -index 0d75e6d82..95b39aa59 100644 ---- a/src/config/SSSDConfig/sssdoptions.py -+++ b/src/config/SSSDConfig/sssdoptions.py -@@ -186,6 +186,8 @@ class SSSDOptions(object): - 'dns_resolver_op_timeout': _('How long should keep trying to resolve single DNS 
query (seconds)'), - 'dns_resolver_timeout': _('How long to wait for replies from DNS when resolving servers (seconds)'), - 'dns_discovery_domain': _('The domain part of service discovery DNS query'), -+ 'failover_primary_timeout': _('How often SSSD tries to reconnect to the primary server after a successful ' -+ 'connection to the backup server.'), - 'override_gid': _('Override GID value from the identity provider with this value'), - 'case_sensitive': _('Treat usernames as case sensitive'), - 'entry_cache_user_timeout': _('Entry cache timeout length (seconds)'), -diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py -index b160be2b1..f333c35eb 100755 ---- a/src/config/SSSDConfigTest.py -+++ b/src/config/SSSDConfigTest.py -@@ -579,6 +579,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): - 'dns_resolver_op_timeout', - 'dns_resolver_timeout', - 'dns_discovery_domain', -+ 'failover_primary_timeout', - 'dyndns_update', - 'dyndns_ttl', - 'dyndns_iface', -@@ -939,6 +940,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): - 'dns_resolver_op_timeout', - 'dns_resolver_timeout', - 'dns_discovery_domain', -+ 'failover_primary_timeout', - 'dyndns_update', - 'dyndns_ttl', - 'dyndns_iface', -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 92e87fb18..4c2ea0b87 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -405,6 +405,7 @@ option = dns_resolver_op_timeout - option = dns_resolver_timeout - option = dns_resolver_use_search_list - option = dns_discovery_domain -+option = failover_primary_timeout - option = override_gid - option = case_sensitive - option = override_homedir -diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf -index 5ae6aab19..31787c23c 100644 ---- a/src/config/etc/sssd.api.conf -+++ b/src/config/etc/sssd.api.conf -@@ -172,6 +172,7 @@ dns_resolver_server_timeout = int, None, false - dns_resolver_op_timeout = int, None, false - dns_resolver_timeout = int, None, false 
- dns_discovery_domain = str, None, false -+failover_primary_timeout = int, None, false - override_gid = int, None, false - case_sensitive = str, None, false - override_homedir = str, None, false -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 339f21e25..fbb82e357 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -3773,6 +3773,25 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - - - -+ -+ failover_primary_timeout (integer) -+ -+ -+ When no primary server is currently available, -+ SSSD fail overs to a backup server. This option -+ defines the amount of time (in seconds) to -+ wait before SSSD tries to reconnect to a primary -+ server again. -+ -+ -+ Note: The minimum value is 31. -+ -+ -+ Default: 31 -+ -+ -+ -+ - - override_gid (integer) - -diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h -index 36a82b84d..def35e491 100644 ---- a/src/providers/data_provider.h -+++ b/src/providers/data_provider.h -@@ -267,6 +267,7 @@ enum dp_res_opts { - DP_RES_OPT_RESOLVER_SERVER_TIMEOUT, - DP_RES_OPT_RESOLVER_USE_SEARCH_LIST, - DP_RES_OPT_DNS_DOMAIN, -+ DP_RES_OPT_FAILOVER_PRIMARY_TIMEOUT, - - DP_RES_OPTS /* attrs counter */ - }; -diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c -index b0aed54e9..c23f92e35 100644 ---- a/src/providers/data_provider_fo.c -+++ b/src/providers/data_provider_fo.c -@@ -48,10 +48,20 @@ static int be_fo_get_options(struct be_ctx *ctx, - DP_RES_OPT_RESOLVER_TIMEOUT); - opts->use_search_list = dp_opt_get_bool(ctx->be_res->opts, - DP_RES_OPT_RESOLVER_USE_SEARCH_LIST); -+ opts->primary_timeout = dp_opt_get_int(ctx->be_res->opts, -+ DP_RES_OPT_FAILOVER_PRIMARY_TIMEOUT); -+ - opts->retry_timeout = 30; - opts->srv_retry_neg_timeout = 15; - opts->family_order = ctx->be_res->family_order; - -+ if (opts->primary_timeout <= opts->retry_timeout) { -+ opts->primary_timeout = opts->retry_timeout + 1; -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "Warning: 
failover_primary_timeout is too low, using %lu " -+ "seconds instead\n", opts->primary_timeout); -+ } -+ - return EOK; - } - -@@ -551,7 +561,7 @@ static void be_resolve_server_done(struct tevent_req *subreq) - struct tevent_req); - struct be_resolve_server_state *state = tevent_req_data(req, - struct be_resolve_server_state); -- time_t timeout = fo_get_service_retry_timeout(state->svc->fo_service) + 1; -+ time_t timeout = fo_get_primary_retry_timeout(state->svc->fo_service); - int ret; - - ret = be_resolve_server_process(subreq, state, &new_subreq); -@@ -564,7 +574,6 @@ static void be_resolve_server_done(struct tevent_req *subreq) - } - - if (!fo_is_server_primary(state->srv)) { -- /* FIXME: make the timeout configurable */ - ret = be_primary_server_timeout_activate(state->ctx, state->ev, - state->ctx, state->svc, - timeout); -@@ -871,6 +880,7 @@ static struct dp_option dp_res_default_opts[] = { - { "dns_resolver_server_timeout", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, - { "dns_resolver_use_search_list", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - { "dns_discovery_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, -+ { "failover_primary_timeout", DP_OPT_NUMBER, { .number = 31 }, NULL_NUMBER }, - DP_OPTION_TERMINATOR - }; - -diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c -index 7cb642448..7f94407c5 100644 ---- a/src/providers/fail_over.c -+++ b/src/providers/fail_over.c -@@ -158,6 +158,7 @@ fo_context_init(TALLOC_CTX *mem_ctx, struct fo_options *opts) - - ctx->opts->srv_retry_neg_timeout = opts->srv_retry_neg_timeout; - ctx->opts->retry_timeout = opts->retry_timeout; -+ ctx->opts->primary_timeout = opts->primary_timeout; - ctx->opts->family_order = opts->family_order; - ctx->opts->service_resolv_timeout = opts->service_resolv_timeout; - ctx->opts->use_search_list = opts->use_search_list; -@@ -1740,6 +1741,15 @@ time_t fo_get_service_retry_timeout(struct fo_service *svc) - return svc->ctx->opts->retry_timeout; - } - -+time_t 
fo_get_primary_retry_timeout(struct fo_service *svc) -+{ -+ if (svc == NULL || svc->ctx == NULL || svc->ctx->opts == NULL) { -+ return 0; -+ } -+ -+ return svc->ctx->opts->primary_timeout; -+} -+ - bool fo_get_use_search_list(struct fo_server *server) - { - if ( -diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h -index 36021ad6f..924a09970 100644 ---- a/src/providers/fail_over.h -+++ b/src/providers/fail_over.h -@@ -83,6 +83,7 @@ struct fo_server; - struct fo_options { - time_t srv_retry_neg_timeout; - time_t retry_timeout; -+ time_t primary_timeout; - int service_resolv_timeout; - bool use_search_list; - enum restrict_family family_order; -@@ -211,6 +212,8 @@ int fo_is_srv_lookup(struct fo_server *s); - - time_t fo_get_service_retry_timeout(struct fo_service *svc); - -+time_t fo_get_primary_retry_timeout(struct fo_service *svc); -+ - bool fo_get_use_search_list(struct fo_server *server); - - void fo_reset_services(struct fo_ctx *fo_ctx); -diff --git a/src/tests/system/tests/test_failover.py b/src/tests/system/tests/test_failover.py -new file mode 100644 -index 000000000..565cec9bc ---- /dev/null -+++ b/src/tests/system/tests/test_failover.py -@@ -0,0 +1,59 @@ -+""" -+SSSD Failover tests. -+ -+:requirement: Failover -+""" -+ -+from __future__ import annotations -+ -+import pytest -+from sssd_test_framework.roles.client import Client -+from sssd_test_framework.roles.ldap import LDAP -+from sssd_test_framework.topology import KnownTopology -+ -+ -+@pytest.mark.parametrize("value, expected", [(None, 31), (15, 31), (60, 60)]) -+@pytest.mark.importance("low") -+@pytest.mark.ticket(gh=7375, jira="RHEL-17659") -+@pytest.mark.topology(KnownTopology.LDAP) -+def test_failover__retry_primary(client: Client, ldap: LDAP, value: int | None, expected: int): -+ """ -+ :title: Primary server reactivation timeout is respected -+ :setup: -+ 1. Create LDAP user "user-1" -+ 2. Set failover_primary_timeout to @value -+ 3. 
Set ldap_uri to invalid, not working server -+ 4. Set ldap_backup_uri to working server -+ 5. Start SSSD -+ :steps: -+ 1. Lookup user-1 -+ 2. Check that SSSD is connected to backup server -+ 3. Find "Primary server reactivation timeout set to @expected seconds" in domain logs -+ :expectedresults: -+ 1. SSSD failover to backup server -+ 2. SSSD is indeed connected to the backup server -+ 3. String is found -+ :customerscenario: True -+ """ -+ ldap.user("user-1").add() -+ -+ if value is not None: -+ client.sssd.domain["failover_primary_timeout"] = str(value) -+ -+ client.sssd.enable_responder("ifp") -+ client.sssd.domain["ldap_uri"] = "ldap://ldap.invalid" -+ client.sssd.domain["ldap_backup_uri"] = f"ldap://{ldap.host.hostname}" -+ client.sssd.start() -+ -+ # Lookup user to make sure SSSD did correctly failover to backup server -+ result = client.tools.id("user-1") -+ assert result is not None -+ -+ # Check that SSSD is indeed connected to backup server -+ assert client.sssd.default_domain is not None -+ status = client.sssctl.domain_status(client.sssd.default_domain, active=True) -+ assert ldap.host.hostname in status.stdout -+ -+ # Check that primary server reactivation timeout was correctly created -+ log = client.fs.read(client.sssd.logs.domain()) -+ assert f"Primary server reactivation timeout set to {expected} seconds" in log --- -2.46.0 - diff --git a/SOURCES/0008-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch b/SOURCES/0008-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch deleted file mode 100644 index 2375fc1..0000000 --- a/SOURCES/0008-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 5fc4540e97625a23f2573b0804a1509cf46931c9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
-Date: Thu, 14 Nov 2024 17:27:49 +0100
-Subject: [PATCH 08/15] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
-
-The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
-https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
-but the corresponding option is missing in
-https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200
-
-This error was introduced by
-https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5
-
-Reviewed-by: Alexey Tikhonov
-Reviewed-by: Sumit Bose
-(cherry picked from commit 9ee10f98e0070774e0e7f0794bc296ef06a671e4)
---
- src/providers/be_dyndns.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
-index 2c655ef1e..5d0f51119 100644
---- a/src/providers/be_dyndns.c
-+++ b/src/providers/be_dyndns.c
-@@ -1201,6 +1201,7 @@ static struct dp_option default_dyndns_opts[] = {
- { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
-+ { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
- { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER },
- { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
---
-2.46.1
-
diff --git a/SOURCES/0009-TESTS-Also-test-default_dyndns_opts.patch b/SOURCES/0009-TESTS-Also-test-default_dyndns_opts.patch
deleted file mode 100644
index 2f7cb8f..0000000
--- a/SOURCES/0009-TESTS-Also-test-default_dyndns_opts.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From b34aa979919ec6f3d73e3229c5ad3ab88bc5028a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
-Date: Thu, 14 Nov 2024 18:46:44 +0100
-Subject: [PATCH 09/15] TESTS: Also test default_dyndns_opts
-
-Compare this structure to ipa_dyndns_opts, which is already compared
-to ad_dyndns_opts.
-
-Reviewed-by: Alexey Tikhonov
-Reviewed-by: Sumit Bose
-(cherry picked from commit 2c72834e657197012b3a32207ffe307e8ba5f9e2)
---
- src/providers/be_dyndns.c | 2 +-
- src/providers/be_dyndns.h | 1 +
- src/tests/ipa_ldap_opt-tests.c | 6 ++++++
- 3 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
-index 5d0f51119..e6fa7dfd6 100644
---- a/src/providers/be_dyndns.c
-+++ b/src/providers/be_dyndns.c
-@@ -1197,7 +1197,7 @@ be_nsupdate_check(void)
- return ret;
- }
-
--static struct dp_option default_dyndns_opts[] = {
-+struct dp_option default_dyndns_opts[] = {
- { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
-diff --git a/src/providers/be_dyndns.h b/src/providers/be_dyndns.h
-index 2185fee95..719c13942 100644
---- a/src/providers/be_dyndns.h
-+++ b/src/providers/be_dyndns.h
-@@ -63,6 +63,7 @@ enum dp_dyndns_opts {
-
- DP_OPT_DYNDNS /* attrs counter */
- };
-+extern struct dp_option default_dyndns_opts[DP_OPT_DYNDNS + 1];
-
- #define DYNDNS_REMOVE_A 0x1
- #define DYNDNS_REMOVE_AAAA 0x2
-diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
-index a1a0e9cc6..da990acaf 100644
---- a/src/tests/ipa_ldap_opt-tests.c
-+++ b/src/tests/ipa_ldap_opt-tests.c
-@@ -103,6 +103,10 @@ START_TEST(test_compare_opts)
- ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
- ad_dyndns_opts);
- ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
-+
-+ ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
-+ default_dyndns_opts);
-+ ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
- }
- END_TEST
-
-@@ -200,6 +204,8 @@ START_TEST(test_dp_opt_sentinel)
-
- fail_unless_dp_opt_is_terminator(&default_krb5_opts[KRB5_OPTS]);
-
-+ fail_unless_dp_opt_is_terminator(&default_dyndns_opts[DP_OPT_DYNDNS]);
-+
- fail_unless_dp_opt_is_terminator(&ad_basic_opts[AD_OPTS_BASIC]);
- fail_unless_dp_opt_is_terminator(&ad_def_ldap_opts[SDAP_OPTS_BASIC]);
- fail_unless_dp_opt_is_terminator(&ad_def_krb5_opts[KRB5_OPTS]);
---
-2.46.1
-
diff --git a/SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch b/SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
deleted file mode 100644
index c304253..0000000
--- a/SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
+++ /dev/null
@@ -1,310 +0,0 @@
-From ebbde00722489c51cfcc70aa6550ed6ea4b97ff8 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 6 Sep 2024 14:27:19 +0200
-Subject: [PATCH 10/15] sdap: allow to provide user_map when looking up group
- memberships
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-To allow to lookup group memberships of other objects similar to user
-objects but with different attribute mappings, e.g. host objects in AD,
-a new option to provide an alternative attribute map is added.
-
-Resolves: https://github.com/SSSD/sssd/issues/7590
-
-Reviewed-by: Justin Stephenson
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 69f63f1fa64bd9cc7c2ee1f8e8d736727b13b3be)
-(cherry picked from commit 321ca19ae09609ac4195f323b696bdcd7ee573e4)
-
-Reviewed-by: Justin Stephenson
---
- src/providers/ad/ad_gpo.c | 2 +-
- src/providers/ldap/ldap_common.h | 2 +
- src/providers/ldap/ldap_id.c | 9 ++++
- src/providers/ldap/sdap_async.h | 2 +
- src/providers/ldap/sdap_async_initgroups.c | 51 ++++++++++++++--------
- 5 files changed, 48 insertions(+), 18 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index b879b0a08..69dd54f5b 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -2244,7 +2244,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
- search_bases,
- state->host_fqdn,
- BE_FILTER_NAME,
-- NULL,
-+ NULL, NULL, 0,
- true,
- true);
- tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
-diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
-index 2c984ef50..61a35553b 100644
---- a/src/providers/ldap/ldap_common.h
-+++ b/src/providers/ldap/ldap_common.h
-@@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
- const char *filter_value,
- int filter_type,
- const char *extra_value,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- bool noexist_delete,
- bool set_non_posix);
-
-diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
-index b3ea2333f..0596ad4cf 100644
---- a/src/providers/ldap/ldap_id.c
-+++ b/src/providers/ldap/ldap_id.c
-@@ -1144,6 +1144,8 @@ struct groups_by_user_state {
- const char *filter_value;
- int filter_type;
- const char *extra_value;
-+ struct sdap_attr_map *user_map;
-+ size_t user_map_cnt;
- const char **attrs;
- bool non_posix;
-
-@@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
- const char *filter_value,
- int filter_type,
- const char *extra_value,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- bool noexist_delete,
- bool set_non_posix)
- {
-@@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
- state->filter_value = filter_value;
- state->filter_type = filter_type;
- state->extra_value = extra_value;
-+ state->user_map = user_map;
-+ state->user_map_cnt = user_map_cnt;
- state->domain = sdom->dom;
- state->sysdb = sdom->dom->sysdb;
- state->search_bases = search_bases;
-@@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
- state->sdom,
- sdap_id_op_handle(state->op),
- state->ctx,
-+ state->user_map,
-+ state->user_map_cnt,
- state->conn,
- state->search_bases,
- state->filter_value,
-@@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
- ar->filter_value,
- ar->filter_type,
- ar->extra_value,
-+ NULL, 0,
- noexist_delete, false);
- break;
-
-diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
-index 89245f41f..a45e057d0 100644
---- a/src/providers/ldap/sdap_async.h
-+++ b/src/providers/ldap/sdap_async.h
-@@ -157,6 +157,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- struct sdap_domain *sdom,
- struct sdap_handle *sh,
- struct sdap_id_ctx *id_ctx,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- struct sdap_id_conn_ctx *conn,
- struct sdap_search_base **search_bases,
- const char *name,
-diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
-index fb3d8fe24..8ce1f6cd4 100644
---- a/src/providers/ldap/sdap_async_initgroups.c
-+++ b/src/providers/ldap/sdap_async_initgroups.c
-@@ -785,6 +785,8 @@ struct sdap_initgr_nested_state {
- struct tevent_context *ev;
- struct sysdb_ctx *sysdb;
- struct sdap_options *opts;
-+ struct sdap_attr_map *user_map;
-+ size_t user_map_cnt;
- struct sss_domain_info *dom;
- struct sdap_handle *sh;
-
-@@ -812,6 +814,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req);
- static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
- struct tevent_context *ev,
- struct sdap_options *opts,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- struct sysdb_ctx *sysdb,
- struct sss_domain_info *dom,
- struct sdap_handle *sh,
-@@ -828,6 +832,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
-
- state->ev = ev;
- state->opts = opts;
-+ state->user_map = user_map;
-+ state->user_map_cnt = user_map_cnt;
- state->sysdb = sysdb;
- state->dom = dom;
- state->sh = sh;
-@@ -968,7 +974,7 @@ static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req)
-
- subreq = sdap_deref_search_send(state, state->ev, state->opts,
- state->sh, state->orig_dn,
-- state->opts->user_map[SDAP_AT_USER_MEMBEROF].name,
-+ state->user_map[SDAP_AT_USER_MEMBEROF].name,
- sdap_attrs, num_maps, maps, timeout);
- if (!subreq) {
- ret = EIO;
-@@ -2697,6 +2703,8 @@ struct sdap_get_initgr_state {
- struct tevent_context *ev;
- struct sysdb_ctx *sysdb;
- struct sdap_options *opts;
-+ struct sdap_attr_map *user_map;
-+ size_t user_map_cnt;
- struct sss_domain_info *dom;
- struct sdap_domain *sdom;
- struct sdap_handle *sh;
-@@ -2731,6 +2739,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- struct sdap_domain *sdom,
- struct sdap_handle *sh,
- struct sdap_id_ctx *id_ctx,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- struct sdap_id_conn_ctx *conn,
- struct sdap_search_base **search_bases,
- const char *filter_value,
-@@ -2754,6 +2764,12 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-
- state->ev = ev;
- state->opts = id_ctx->opts;
-+ state->user_map = user_map;
-+ state->user_map_cnt = user_map_cnt;
-+ if (state->user_map == NULL) {
-+ state->user_map = id_ctx->opts->user_map;
-+ state->user_map_cnt = id_ctx->opts->user_map_cnt;
-+ }
- state->dom = sdom->dom;
- state->sysdb = sdom->dom->sysdb;
- state->sdom = sdom;
-@@ -2785,7 +2801,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-
- switch (filter_type) {
- case BE_FILTER_SECID:
-- search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
-+ search_attr = state->user_map[SDAP_AT_USER_OBJECTSID].name;
-
- ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
- if (ret != EOK) {
-@@ -2794,7 +2810,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- }
- break;
- case BE_FILTER_UUID:
-- search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name;
-+ search_attr = state->user_map[SDAP_AT_USER_UUID].name;
-
- ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
- if (ret != EOK) {
-@@ -2812,23 +2828,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- }
-
- ep_filter = get_enterprise_principal_string_filter(state,
-- state->opts->user_map[SDAP_AT_USER_PRINC].name,
-+ state->user_map[SDAP_AT_USER_PRINC].name,
- clean_name, state->opts->basic);
- state->user_base_filter =
- talloc_asprintf(state,
- "(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
-- state->opts->user_map[SDAP_AT_USER_PRINC].name,
-+ state->user_map[SDAP_AT_USER_PRINC].name,
- clean_name,
-- state->opts->user_map[SDAP_AT_USER_EMAIL].name,
-+ state->user_map[SDAP_AT_USER_EMAIL].name,
- clean_name,
- ep_filter == NULL ? "" : ep_filter,
-- state->opts->user_map[SDAP_OC_USER].name);
-+ state->user_map[SDAP_OC_USER].name);
- if (state->user_base_filter == NULL) {
- talloc_zfree(req);
- return NULL;
- }
- } else {
-- search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
-+ search_attr = state->user_map[SDAP_AT_USER_NAME].name;
-
- ret = sss_parse_internal_fqname(state, filter_value,
- &state->shortname, NULL);
-@@ -2860,7 +2876,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- state->user_base_filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
- search_attr, clean_name,
-- state->opts->user_map[SDAP_OC_USER].name);
-+ state->user_map[SDAP_OC_USER].name);
- if (!state->user_base_filter) {
- talloc_zfree(req);
- return NULL;
-@@ -2877,14 +2893,14 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- */
- state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
- "(%s=*))",
-- id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
-+ state->user_map[SDAP_AT_USER_OBJECTSID].name);
- } else {
- /* When not ID-mapping or looking up app users, make sure there
- * is a non-NULL UID */
- state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
- "(&(%s=*)(!(%s=0))))",
-- id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
-- id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
-+ state->user_map[SDAP_AT_USER_UID].name,
-+ state->user_map[SDAP_AT_USER_UID].name);
- }
- if (!state->user_base_filter) {
- talloc_zfree(req);
-@@ -2892,8 +2908,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- }
-
- ret = build_attrs_from_map(state,
-- state->opts->user_map,
-- state->opts->user_map_cnt,
-+ state->user_map,
-+ state->user_map_cnt,
- NULL, &state->user_attrs, NULL);
- if (ret) {
- talloc_zfree(req);
-@@ -2990,7 +3006,7 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
- state->user_search_bases[state->user_base_iter]->basedn,
- state->user_search_bases[state->user_base_iter]->scope,
- state->filter, state->user_attrs,
-- state->opts->user_map, state->opts->user_map_cnt,
-+ state->user_map, state->user_map_cnt,
- state->timeout,
- false);
- if (!subreq) {
-@@ -3179,6 +3195,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
-
- case SDAP_SCHEMA_IPA_V1:
- subreq = sdap_initgr_nested_send(state, state->ev, state->opts,
-+ state->user_map, state->user_map_cnt,
- state->sysdb, state->dom, state->sh,
- state->orig_user, state->grp_attrs);
- if (!subreq) {
-@@ -3377,7 +3394,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
- */
- ret = sdap_attrs_get_sid_str(
- tmp_ctx, opts->idmap_ctx, state->orig_user,
-- opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
-+ state->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
- &sid_str);
- if (ret != EOK) goto done;
-
-@@ -3392,7 +3409,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
-
- ret = sysdb_attrs_get_uint32_t(
- state->orig_user,
-- opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
-+ state->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
- &primary_gid);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
---
-2.46.1
-
diff --git a/SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch b/SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
deleted file mode 100644
index 20605e3..0000000
--- a/SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9ff2e55000d146381db5f66575e40ada5ecaf0cf Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 6 Sep 2024 14:37:05 +0200
-Subject: [PATCH 11/15] ad: use default user_map when looking of host groups
- for GPO
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use the default AD user attribute map to lookup the group membership of
-the AD host object. This should help to avoid issues if user attributes
-are overwritten in the user attribute map.
-
-Resolves: https://github.com/SSSD/sssd/issues/7590
-
-Reviewed-by: Justin Stephenson
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
-(cherry picked from commit 2c233636c093708d5cdd7ddb69af9b0ecde633bd)
-
-Reviewed-by: Justin Stephenson
---
- src/providers/ad/ad_access.h | 1 +
- src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
-index 34d5597da..c54b53eed 100644
---- a/src/providers/ad/ad_access.h
-+++ b/src/providers/ad/ad_access.h
-@@ -49,6 +49,7 @@ struct ad_access_ctx {
- } gpo_map_type;
- hash_table_t *gpo_map_options_table;
- enum gpo_map_type gpo_default_right;
-+ struct sdap_attr_map *host_attr_map;
- };
-
- struct tevent_req *
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index 69dd54f5b..4e2f06b0d 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -45,6 +45,7 @@
- #include "providers/ad/ad_common.h"
- #include "providers/ad/ad_domain_info.h"
- #include "providers/ad/ad_gpo.h"
-+#include "providers/ad/ad_opts.h"
- #include "providers/ldap/sdap_access.h"
- #include "providers/ldap/sdap_async.h"
- #include "providers/ldap/sdap.h"
-@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
- "trying with user search base.");
- }
-
-+ if (state->access_ctx->host_attr_map == NULL) {
-+ ret = sdap_copy_map(state->access_ctx,
-+ ad_2008r2_user_map, SDAP_OPTS_USER,
-+ &state->access_ctx->host_attr_map);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
-+ goto done;
-+ }
-+ }
-+
- subreq = groups_by_user_send(state, state->ev,
- state->access_ctx->ad_id_ctx->sdap_id_ctx,
- sdom, state->conn,
- search_bases,
- state->host_fqdn,
- BE_FILTER_NAME,
-- NULL, NULL, 0,
-+ NULL,
-+ state->access_ctx->host_attr_map,
-+ SDAP_OPTS_USER,
- true,
- true);
- tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
---
-2.46.1
-
diff --git a/SOURCES/0012-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch b/SOURCES/0012-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
deleted file mode 100644
index 2e8a31c..0000000
--- a/SOURCES/0012-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
+++ /dev/null
@@ -1,61 +0,0 @@ -From 0e86f1a53b893a296488d96a432b98458403bcb9 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 14 Jun 2024 16:10:34 +0200 -Subject: [PATCH 12/15] sysdb: do not fail to add non-posix user to MPG domain -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -SSSD does not handle the root user (UID==0) and treats all accounts with -UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as -well and as a result for those accounts in MPG domains the check for a -collisions of the primary GID should be skipped. The current code might -e.g. cause issues during GPO evaluation when adding a host account into -the cache which does not have any UID or GID set in AD and SSSD is -configured to read UID and GID from AD. - -Resolves: https://github.com/SSSD/sssd/issues/7451 - -Reviewed-by: Alejandro López -Reviewed-by: Tomáš Halman -(cherry picked from commit 986bb726202e69b05f861c14c3a220379baf9bd1) -(cherry picked from commit d234cf5d6e793daf2c96856887acb641c4dff407) - -Reviewed-by: Justin Stephenson ---- - src/db/sysdb_ops.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 3331d4687..fa2d81217 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain, - goto done; - } - -- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); -- if (ret != ENOENT) { -- if (ret == EOK) { -- DEBUG(SSSDBG_OP_FAILURE, -- "Group with GID [%"SPRIgid"] already exists in an " -- "MPG domain\n", gid); -- ret = EEXIST; -+ if (uid != 0) { /* uid == 0 means non-POSIX object */ -+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); -+ if (ret != ENOENT) { -+ if (ret == EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Group with GID [%"SPRIgid"] already exists in an " -+ "MPG domain\n", uid); -+ ret = EEXIST; -+ } -+ goto done; - } -- goto done; - } - 
} - --- -2.46.1 - diff --git a/SOURCES/0013-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch b/SOURCES/0013-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch deleted file mode 100644 index 67159db..0000000 --- a/SOURCES/0013-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch +++ /dev/null 
@@ -1,230 +0,0 @@ -From acd5da528789734411b12fa8b19007b00eea9f2c Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 13 Sep 2024 15:45:59 +0200 -Subject: [PATCH 13/15] ldap: add 'exop_force' value for ldap_pwmodify_mode - -In case the LDAP server allows to run the extended operation to change a -password even if an authenticated bind fails due to missing grace logins -the new option 'exop_force' can be used to run the extended operation to -change the password anyways. - -:config: Added `exop_force` value for configuration option - `ldap_pwmodify_mode`. This can be used to force a password change even - if no grace logins are left. Depending on the configuration of the - LDAP server it might be expected that the password change will fail. - -(cherry picked from commit 72a7fd0ded236a16b00bb4e26221f7e23b702a53) - -Reviewed-by: Justin Stephenson -(cherry picked from commit e3a3f44c4cdcb936b59941636ff576de613366d1) - -Reviewed-by: Justin Stephenson ---- - src/man/sssd-ldap.5.xml | 11 +++++++++ - src/providers/ipa/ipa_auth.c | 3 ++- - src/providers/ldap/ldap_auth.c | 5 +++- - src/providers/ldap/ldap_options.c | 2 ++ - src/providers/ldap/sdap.h | 5 ++-- - src/providers/ldap/sdap_async.h | 3 ++- - src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++----- - 7 files changed, 45 insertions(+), 11 deletions(-) - -diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml -index 0a814ec35..a9994aade 100644 ---- a/src/man/sssd-ldap.5.xml -+++ b/src/man/sssd-ldap.5.xml -@@ -234,6 +234,17 @@ - userPassword (not recommended). - - -+ -+ -+ exop_force - Try Password Modify -+ Extended Operation (RFC 3062) even if -+ there are no grace logins left. -+ Depending on the type and configuration -+ of the LDAP server the password change -+ might fail because an authenticated bind -+ is not possible. 
-+ -+ - - - -diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c -index 1d61a1052..b2e5b6f35 100644 ---- a/src/providers/ipa/ipa_auth.c -+++ b/src/providers/ipa/ipa_auth.c -@@ -381,7 +381,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq) - SDAP_OPT_TIMEOUT); - - subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn, -- state->pd->authtok, timeout); -+ state->pd->authtok, timeout, -+ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode); - if (subreq == NULL) { - goto done; - } -diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c -index 8ec4d3af5..023ed2277 100644 ---- a/src/providers/ldap/ldap_auth.c -+++ b/src/providers/ldap/ldap_auth.c -@@ -896,7 +896,8 @@ static void auth_do_bind(struct tevent_req *req) - NULL, NULL, state->dn, - state->authtok, - dp_opt_get_int(state->ctx->opts->basic, -- SDAP_OPT_TIMEOUT)); -+ SDAP_OPT_TIMEOUT), -+ state->ctx->opts->pwmodify_mode); - if (!subreq) { - tevent_req_error(req, ENOMEM); - return; -@@ -1186,6 +1187,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx, - - switch (opts->pwmodify_mode) { - case SDAP_PWMODIFY_EXOP: -+ case SDAP_PWMODIFY_EXOP_FORCE: - subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn, - password, new_password, - timeout); -@@ -1229,6 +1231,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq) - - switch (state->mode) { - case SDAP_PWMODIFY_EXOP: -+ case SDAP_PWMODIFY_EXOP_FORCE: - ret = sdap_exop_modify_passwd_recv(subreq, state, - &state->user_error_message); - break; -diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c -index 277bcb529..72a95300d 100644 ---- a/src/providers/ldap/ldap_options.c -+++ b/src/providers/ldap/ldap_options.c -@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx, - opts->pwmodify_mode = SDAP_PWMODIFY_EXOP; - } else if (strcasecmp(pwmodify, "ldap_modify") == 0) { - opts->pwmodify_mode = SDAP_PWMODIFY_LDAP; -+ } else if 
(strcasecmp(pwmodify, "exop_force") == 0) { -+ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE; - } else { - DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify); - ret = EINVAL; -diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index 103d50ed4..cc34c8198 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -546,8 +546,9 @@ struct sdap_options { - - /* password modify mode */ - enum pwmodify_mode { -- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */ -- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */ -+ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */ -+ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */ -+ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */ - } pwmodify_mode; - - /* The search bases for the domain or its subdomain */ -diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h -index a45e057d0..80b403bc3 100644 ---- a/src/providers/ldap/sdap_async.h -+++ b/src/providers/ldap/sdap_async.h -@@ -146,7 +146,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, - const char *sasl_user, - const char *user_dn, - struct sss_auth_token *authtok, -- int simple_bind_timeout); -+ int simple_bind_timeout, -+ enum pwmodify_mode pwmodify_mode); - - errno_t sdap_auth_recv(struct tevent_req *req, - TALLOC_CTX *memctx, -diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c -index e8638725c..992a5798c 100644 ---- a/src/providers/ldap/sdap_async_connection.c -+++ b/src/providers/ldap/sdap_async_connection.c -@@ -643,6 +643,7 @@ struct simple_bind_state { - struct tevent_context *ev; - struct sdap_handle *sh; - const char *user_dn; -+ enum pwmodify_mode pwmodify_mode; - - struct sdap_op *op; - -@@ -659,7 +660,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, - struct sdap_handle *sh, - int timeout, - const char *user_dn, -- struct berval *pw) -+ struct berval *pw, -+ 
enum pwmodify_mode pwmodify_mode) - { - struct tevent_req *req; - struct simple_bind_state *state; -@@ -682,6 +684,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, - state->ev = ev; - state->sh = sh; - state->user_dn = user_dn; -+ state->pwmodify_mode = pwmodify_mode; - - ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, - 0, NULL, 0, &ctrls[0]); -@@ -866,7 +869,12 @@ static void simple_bind_done(struct sdap_op *op, - * Grace Authentications". */ - DEBUG(SSSDBG_TRACE_LIBS, - "Password expired, grace logins exhausted.\n"); -- ret = ERR_AUTH_FAILED; -+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) { -+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n"); -+ ret = ERR_PASSWORD_EXPIRED; -+ } else { -+ ret = ERR_AUTH_FAILED; -+ } - } - } else if (strcmp(response_controls[c]->ldctl_oid, - LDAP_CONTROL_PWEXPIRED) == 0) { -@@ -879,7 +887,12 @@ static void simple_bind_done(struct sdap_op *op, - if (result == LDAP_INVALID_CREDENTIALS) { - DEBUG(SSSDBG_TRACE_LIBS, - "Password expired, grace logins exhausted.\n"); -- ret = ERR_AUTH_FAILED; -+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) { -+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n"); -+ ret = ERR_PASSWORD_EXPIRED; -+ } else { -+ ret = ERR_AUTH_FAILED; -+ } - } else { - DEBUG(SSSDBG_TRACE_LIBS, - "Password expired, user must set a new password.\n"); -@@ -1358,7 +1371,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, - const char *sasl_user, - const char *user_dn, - struct sss_auth_token *authtok, -- int simple_bind_timeout) -+ int simple_bind_timeout, -+ enum pwmodify_mode pwmodify_mode) - { - struct tevent_req *req, *subreq; - struct sdap_auth_state *state; -@@ -1397,7 +1411,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, - pw.bv_len = pwlen; - - state->is_sasl = false; -- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw); -+ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, pwmodify_mode); 
- if (!subreq) { - tevent_req_error(req, ENOMEM); - return tevent_req_post(req, ev); -@@ -1972,7 +1986,8 @@ static void sdap_cli_auth_step(struct tevent_req *req) - SDAP_SASL_AUTHID), - user_dn, authtok, - dp_opt_get_int(state->opts->basic, -- SDAP_OPT_TIMEOUT)); -+ SDAP_OPT_TIMEOUT), -+ state->opts->pwmodify_mode); - talloc_free(authtok); - if (!subreq) { - tevent_req_error(req, ENOMEM); --- -2.46.1 - diff --git a/SOURCES/0014-DEBUG-reduce-log-level-in-case-a-responder-asks-for-.patch b/SOURCES/0014-DEBUG-reduce-log-level-in-case-a-responder-asks-for-.patch deleted file mode 100644 index 9b4dd50..0000000 --- a/SOURCES/0014-DEBUG-reduce-log-level-in-case-a-responder-asks-for-.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From aa81ab093966c1717ebfafbeef9f9f78944b9c23 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 15 Apr 2024 16:29:33 +0200 -Subject: [PATCH 14/15] DEBUG: reduce log level in case a responder asks for - unknown domain -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Addition to 718fed9c53807b8502d6547bc0253b979d35e677 - -Reviewed-by: Alejandro López -Reviewed-by: Iker Pedrosa -(cherry picked from commit ab2671c00866d917f3e737a007ae64753f8440aa) -(cherry picked from commit 8dcf23f215fe2a7fadf13598ce7f04523caa5eb0) - -Reviewed-by: Justin Stephenson ---- - src/responder/common/cache_req/plugins/cache_req_common.c | 5 ++++- - src/sbus/router/sbus_router_handler.c | 2 ++ - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c -index 7eb09215a..00b9383ee 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_common.c -+++ b/src/responder/common/cache_req/plugins/cache_req_common.c -@@ -129,7 +129,10 @@ cache_req_common_process_dp_reply(struct cache_req *cr, - bool bret; - - if (ret != EOK) { -- CACHE_REQ_DEBUG(SSSDBG_IMPORTANT_INFO, cr, -+ int msg_level = SSSDBG_IMPORTANT_INFO; -+ /* ERR_DOMAIN_NOT_FOUND: 'ad_enabled_domains' option can exclude domain */ -+ if (ret == ERR_DOMAIN_NOT_FOUND) msg_level = SSSDBG_CONF_SETTINGS; -+ CACHE_REQ_DEBUG(msg_level, cr, - "Could not get account info [%d]: %s\n", - ret, sss_strerror(ret)); - CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, -diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c -index 7b6c2441f..732716046 100644 ---- a/src/sbus/router/sbus_router_handler.c -+++ b/src/sbus/router/sbus_router_handler.c -@@ -150,6 +150,8 @@ static void sbus_issue_request_done(struct tevent_req *subreq) - } else { - int msg_level = SSSDBG_OP_FAILURE; - if (ret == ERR_MISSING_DP_TARGET) msg_level = 
SSSDBG_FUNC_DATA; -+ /* ERR_DOMAIN_NOT_FOUND: 'ad_enabled_domains' option can exclude domain */ -+ if (ret == ERR_DOMAIN_NOT_FOUND) msg_level = SSSDBG_CONF_SETTINGS; - DEBUG(msg_level, "%s.%s: Error [%d]: %s\n", - meta.interface, meta.member, ret, sss_strerror(ret)); - } --- -2.46.1 - diff --git a/SOURCES/0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch b/SOURCES/0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch deleted file mode 100644 index 779ffd8..0000000 --- a/SOURCES/0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 3e7e0cc7038c89132c9f4b8a48b6b1e0c0febff4 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 21 Nov 2024 09:16:09 +0100 -Subject: [PATCH 15/15] ldap_child: make sure invalid krb5 context is not used -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: https://github.com/SSSD/sssd/issues/7715 - -Reviewed-by: Alejandro López -Reviewed-by: Alexey Tikhonov -(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744) ---- - src/util/sss_krb5.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c -index 3f57e5b26..f44df2b5f 100644 ---- a/src/util/sss_krb5.c -+++ b/src/util/sss_krb5.c -@@ -83,6 +83,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name) - return keytab_name; - } - -+ if (ctx == NULL) { -+ return "-unknown-"; -+ } -+ - if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) { - return "-default keytab-"; - } -@@ -1355,8 +1359,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context) - { - krb5_error_code kerr; - const char *msg; -+ krb5_context ctx; - -- kerr = krb5_init_context(context); -+ kerr = krb5_init_context(&ctx); - if (kerr != 0) { - /* It is safe to call (sss_)krb5_get_error_message() with NULL as first - * argument. */ -@@ -1365,6 +1370,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context) - "Failed to init Kerberos context [%s]\n", msg); - sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg); - sss_krb5_free_error_message(NULL, msg); -+ } else { -+ *context = ctx; - } - - return kerr; --- -2.46.1 - diff --git a/sources b/sources new file mode 100644 index 0000000..5dd7b85 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (sssd-2.10.2.tar.gz) = 14ad222802e5426b0959ee32602e04ce24b3eb8d3bdd5e188cf29e3c7d32e0631b41c386fdbd129acf281317538460015d35410a688ea48dd546f9ae28522eac 
diff --git a/SPECS/sssd.spec b/sssd.spec similarity index 62% rename from SPECS/sssd.spec rename to sssd.spec index 36d493d..c56e263 100644 --- a/SPECS/sssd.spec +++ b/sssd.spec 
@@ -1,59 +1,85 @@ +# SSSD SPEC file for Fedora 34+ and RHEL-9+ + +# define SSSD user +%if 0%{?fedora} >= 41 || 0%{?rhel} +%global use_sssd_user 1 +%global sssd_user sssd +%else +%global use_sssd_user 0 +%global sssd_user root +%endif + +# sysusers depends on presence of sssd user +%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10 +%global use_sysusers 1 +%else +%global use_sysusers 0 +%endif + +%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 +%global build_subid 1 +%else +%global build_subid 0 +%endif + +%if 0%{?fedora} >= 34 +%global build_kcm_renewals 1 +%global krb5_version 1.19.1 +%elif 0%{?rhel} >= 8 +%global build_kcm_renewals 1 +%global krb5_version 1.18.2 +%else +%global build_kcm_renewals 0 +%endif + +%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9 +%global build_passkey 1 +%else +%global build_passkey 0 +%endif + +%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10 +%global build_ssh_known_hosts_proxy 0 +%else +%global build_ssh_known_hosts_proxy 1 +%endif + # we don't want to provide private python extension libs %define __provides_exclude_from %{python3_sitearch}/.*\.so$ -# SSSD fails to build with -Wl,-z,defs -%undefine _strict_symbol_defs_build - %define _hardened_build 1 -%global install_pcscd_polkit_rule 1 - -%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) - # Determine the location of the LDB modules directory %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb) %global ldb_version 1.2.0 -%global enable_systemtap 1 -%global enable_systemtap_opt --enable-systemtap +%global samba_package_version %(rpm -q samba-devel --queryformat %{version}) Name: sssd -Version: 2.9.4 -Release: 5%{?dist}.1 -Group: Applications/System +Version: 2.10.2 +Release: 3%{?dist}.2 Summary: System Security Services Daemon -License: GPLv3+ -URL: https://github.com/SSSD/sssd -Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz +License: GPL-3.0-or-later +URL: https://github.com/SSSD/sssd/ +Source0: 
https://github.com/SSSD/sssd/releases/download/2.10.2/sssd-2.10.2.tar.gz +Source1: sssd.sysusers ### Patches ### -Patch0001: 0001-sssd-adding-mail-as-case-insensitive.patch -Patch0002: 0002-sdap-add-search_bases-option-to-groups_by_user_send.patch -Patch0003: 0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch -Patch0004: 0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch -Patch0005: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch -Patch0006: 0006-ad-refresh-root-domain-when-read-directly.patch -Patch0007: 0007-failover-add-failover_primary_timeout-option.patch -Patch0008: 0008-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch -Patch0009: 0009-TESTS-Also-test-default_dyndns_opts.patch -Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch -Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch -Patch0012: 0012-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch -Patch0013: 0013-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch -Patch0014: 0014-DEBUG-reduce-log-level-in-case-a-responder-asks-for-.patch -Patch0015: 0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch - -### Downstream Patches ### +Patch0001: 0001-KCM-fix-memory-leak.patch +Patch0002: 0002-KCM-another-memory-leak-fixed.patch +Patch0003: 0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch ### Dependencies ### -Requires: sssd-common = %{version}-%{release} -Requires: sssd-ldap = %{version}-%{release} -Requires: sssd-krb5 = %{version}-%{release} -Requires: sssd-ipa = %{version}-%{release} Requires: sssd-ad = %{version}-%{release} -Recommends: sssd-proxy = %{version}-%{release} -Requires: python3-sssdconfig = %{version}-%{release} +Requires: sssd-common = %{version}-%{release} +Requires: sssd-ipa = %{version}-%{release} +Requires: sssd-krb5 = %{version}-%{release} +Requires: sssd-ldap = %{version}-%{release} +Requires: sssd-proxy = %{version}-%{release} +Suggests: logrotate +Suggests: 
procps-ng +Suggests: python3-sssdconfig = %{version}-%{release} Suggests: sssd-dbus = %{version}-%{release} %global servicename sssd 
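Review bot: `Source0` now spells the release out twice, `Source0: https://github.com/SSSD/sssd/releases/download/2.10.2/sssd-2.10.2.tar.gz`, where the line it replaces derived both from `%{version}`; the next rebase then has to be edited in three places (`Version`, `Source0` and the `sources` file) and a mismatch only surfaces as a failing `%prep`. Keeping `Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz` ties the tarball name to the single `Version` field, which this hunk bumps to `2.10.2`. The new `use_sssd_user` / `use_sysusers` gates and the added `Source1: sssd.sysusers` read consistently with each other; `Source1` is listed unconditionally even though it is presumably only installed under `%{use_sysusers}`, which is harmless but worth a one-line comment next to it.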
@@ -69,111 +95,120 @@ Suggests: sssd-dbus = %{version}-%{release} ### Build Dependencies ### -BuildRequires: make BuildRequires: autoconf BuildRequires: automake -BuildRequires: libtool -BuildRequires: m4 -BuildRequires: gcc -BuildRequires: popt-devel -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -BuildRequires: libtdb-devel -BuildRequires: libldb-devel >= %{ldb_version} -BuildRequires: libdhash-devel >= 0.4.2 -BuildRequires: libcollection-devel -BuildRequires: libini_config-devel >= 1.1 -BuildRequires: dbus-devel -BuildRequires: dbus-libs -BuildRequires: openldap-devel -BuildRequires: pam-devel -BuildRequires: nss-devel -BuildRequires: nspr-devel -BuildRequires: pcre2-devel -BuildRequires: libxslt -BuildRequires: libxml2 -BuildRequires: docbook-style-xsl -BuildRequires: krb5-devel -BuildRequires: krb5-libs >= 1.18.2-11 -BuildRequires: c-ares-devel -BuildRequires: python3-devel -BuildRequires: check-devel -BuildRequires: doxygen -BuildRequires: libselinux-devel -BuildRequires: libsemanage-devel BuildRequires: bind-utils -BuildRequires: keyutils-libs-devel -BuildRequires: gettext-devel -BuildRequires: pkgconfig -BuildRequires: diffstat +BuildRequires: c-ares-devel +BuildRequires: check-devel +BuildRequires: cifs-utils-devel +BuildRequires: dbus-devel +BuildRequires: docbook-style-xsl +BuildRequires: doxygen BuildRequires: findutils -BuildRequires: selinux-policy-targeted -BuildRequires: libcmocka-devel >= 1.0.0 -BuildRequires: uid_wrapper -BuildRequires: nss_wrapper -BuildRequires: pam_wrapper -BuildRequires: p11-kit-devel -BuildRequires: openssl-devel +BuildRequires: gcc +BuildRequires: gdm-pam-extensions-devel +BuildRequires: gettext-devel +# required for p11_child smartcard tests BuildRequires: gnutls-utils BuildRequires: jansson-devel +BuildRequires: libcap-devel BuildRequires: libcurl-devel BuildRequires: libjose-devel +BuildRequires: keyutils-libs-devel +BuildRequires: krb5-devel +BuildRequires: libcmocka-devel >= 1.0.0 +BuildRequires: 
libdhash-devel >= 0.4.2 +%if %{build_passkey} +BuildRequires: libfido2-devel +%endif +BuildRequires: libini_config-devel >= 1.3 +BuildRequires: libldb-devel >= %{ldb_version} +BuildRequires: libnfsidmap-devel +BuildRequires: libnl3-devel +BuildRequires: libselinux-devel +BuildRequires: libsemanage-devel +BuildRequires: libsmbclient-devel +BuildRequires: libtalloc-devel +BuildRequires: libtdb-devel +BuildRequires: libtevent-devel +BuildRequires: libtool +BuildRequires: libunistring +BuildRequires: libunistring-devel +BuildRequires: libuuid-devel +BuildRequires: libxml2 +BuildRequires: libxslt +BuildRequires: m4 +BuildRequires: make +BuildRequires: nss_wrapper +BuildRequires: openldap-devel +# required for p11_child smartcard tests +BuildRequires: openssh +BuildRequires: openssl >= 1.0.1 +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: p11-kit-devel +BuildRequires: pam_wrapper +BuildRequires: pam-devel +BuildRequires: pcre2-devel +BuildRequires: pkgconfig +BuildRequires: popt-devel +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: samba-devel +# required for idmap_sss.so +BuildRequires: samba-winbind +BuildRequires: selinux-policy-targeted +# required for p11_child smartcard tests BuildRequires: softhsm >= 2.1.0 BuildRequires: bc -BuildRequires: openssl -BuildRequires: openssh -BuildRequires: libnl3-devel BuildRequires: systemd-devel -BuildRequires: systemd -BuildRequires: cifs-utils-devel -BuildRequires: libnfsidmap-devel -BuildRequires: samba-devel -BuildRequires: libsmbclient-devel -BuildRequires: samba-winbind BuildRequires: systemtap-sdt-devel -BuildRequires: libuuid-devel -BuildRequires: gdm-pam-extensions-devel -BuildRequires: libunistring-devel -BuildRequires: shadow-utils-subid-devel +BuildRequires: systemtap-sdt-dtrace +BuildRequires: uid_wrapper BuildRequires: po4a +BuildRequires: valgrind-devel +%if %{build_subid} +BuildRequires: shadow-utils-subid-devel +%endif +%if %{build_kcm_renewals} +BuildRequires: krb5-libs >= 
%{krb5_version} +%endif +%if %{use_sysusers} || %{build_passkey} +BuildRequires: systemd-rpm-macros +%{?sysusers_requires_compat} +%endif %description Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward -the system and a plug-gable back-end system to connect to multiple different +the system and a pluggable back end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. -The sssd sub-package is a meta-package that contains the daemon as well as all +The sssd subpackage is a meta-package that contains the daemon as well as all the existing back ends. %package common Summary: Common files for the SSSD -Group: Applications/System -License: GPLv3+ -# Conflicts -Conflicts: selinux-policy < 3.10.0-46 -Conflicts: sssd < 1.10.0-8%{?dist}.beta2 -# sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5 -Obsoletes: sssd-libwbclient < 2.5.0 -Obsoletes: sssd-libwbclient-debuginfo < 2.5.0 +License: GPL-3.0-or-later +# libsss_simpleifp is removed +Obsoletes: libsss_simpleifp < 2.9.2 +Obsoletes: libsss_simpleifp-debuginfo < 2.9.2 +Obsoletes: sssd-polkit-rules < 2.10.0 # Requires -# Explicitly require RHEL-8.0 versions of the Samba libraries -# in order to prevent untested combinations of a new SSSD and -# older libraries. See e.g. 
rhbz#1593756 -Requires: libtalloc >= 2.1.14-1 -Requires: libtevent >= 0.9.37-1 -Requires: libldb >= 1.4.2-1 -Requires: libtdb >= 1.3.16-1 # due to ABI changes in 1.1.30/1.2.0 Requires: libldb >= %{ldb_version} +Requires: libtevent >= 0.11.0 Requires: sssd-client%{?_isa} = %{version}-%{release} -Recommends: libsss_sudo = %{version}-%{release} -Recommends: libsss_autofs%{?_isa} = %{version}-%{release} -Recommends: sssd-nfs-idmap = %{version}-%{release} +Requires: (libsss_sudo = %{version}-%{release} if sudo) +Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs) +Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap) Requires: libsss_idmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release} +Requires(post): coreutils +Requires(postun): coreutils +%if %{use_sssd_user} Requires(pre): shadow-utils +%endif %{?systemd_requires} ### Provides ### @@ -183,16 +218,13 @@ Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1 %description common Common files for the SSSD. The common package includes all the files needed to run a particular back end, however, the back ends are packaged in separate -sub-packages such as sssd-ldap. +subpackages such as sssd-ldap. %package client Summary: SSSD Client libraries for NSS and PAM -Group: Applications/System -License: LGPLv3+ +License: LGPL-3.0-or-later Requires: libsss_nss_idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig Requires(post): /usr/sbin/alternatives Requires(preun): /usr/sbin/alternatives @@ -202,10 +234,7 @@ service. %package -n libsss_sudo Summary: A library to allow communication between SUDO and SSSD -Group: Development/Libraries -License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig +License: LGPL-3.0-or-later Conflicts: sssd-common < %{version}-%{release} %description -n libsss_sudo 
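Review bot: `Requires: libtevent >= 0.11.0` is added to `sssd-common`, but the `BuildRequires: libtevent-devel` line in the same hunk carries no floor, so a build against an older tevent-devel would still produce a package declaring a runtime floor it was not compiled against. The ldb pair in this hunk already follows the better pattern — `%global ldb_version 1.2.0` used by both `BuildRequires: libldb-devel >= %{ldb_version}` and `Requires: libldb >= %{ldb_version}` — so mirroring it with `%global tevent_version 0.11.0`, `BuildRequires: libtevent-devel >= %{tevent_version}` and `Requires: libtevent >= %{tevent_version}` keeps the two in step. The `%if %{use_sssd_user}` guard around `Requires(pre): shadow-utils` matches the `sssd_user` definition from the first hunk; the same `Requires(pre)` is dropped from the krb5-common, ipa and proxy subpackages in later hunks, which is consistent with only `sssd-common` creating the user, though that `%pre` is outside this chunk and I could not confirm it.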
@@ -213,8 +242,7 @@ A utility library to allow communication between SUDO and SSSD %package -n libsss_autofs Summary: A library to allow communication between Autofs and SSSD -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later Conflicts: sssd-common < %{version}-%{release} %description -n libsss_autofs @@ -222,8 +250,7 @@ A utility library to allow communication between Autofs and SSSD %package tools Summary: Userspace tools for use with the SSSD -Group: Applications/System -License: GPLv3+ +License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} @@ -231,7 +258,7 @@ Requires: python3-sssdconfig = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release} # for logger=journald support with sss_analyze Requires: python3-systemd -Recommends: sssd-dbus +Requires: sssd-dbus %description tools Provides several administrative tools: @@ -242,8 +269,7 @@ Provides several administrative tools: %package -n python3-sssdconfig Summary: SSSD and IPA configuration file manipulation classes and functions -Group: Applications/System -License: GPLv3+ +License: GPL-3.0-or-later BuildArch: noarch %{?python_provide:%python_provide python3-sssdconfig} @@ -252,8 +278,7 @@ Provides python3 files for manipulation SSSD and IPA configuration files. %package -n python3-sss Summary: Python3 bindings for sssd -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later Requires: sssd-common = %{version}-%{release} %{?python_provide:%python_provide python3-sss} @@ -264,8 +289,7 @@ Provides python3 bindings: %package -n python3-sss-murmur Summary: Python3 bindings for murmur hash function -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later %{?python_provide:%python_provide python3-sss-murmur} %description -n python3-sss-murmur 
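Review bot: In the `%package tools` hunk (`@@ -231,7 +258,7 @@`) `Recommends: sssd-dbus` becomes `Requires: sssd-dbus` with no comment, while the neighbouring dependencies in the same stanza each explain themselves (`# required by sss_obfuscate`, `# for logger=journald support with sss_analyze`). Turning a weak dependency into a hard one means `sssd-dbus` is now pulled in even on hosts installed with weak deps disabled, so the reason deserves a line, e.g. `# sssctl drives the InfoPipe (sssd-dbus) responder` — presumably that is the motivation, but the spec does not show it and it is worth confirming before wording the comment. The rest of the hunks on this line are SPDX license-tag and `Group:` clean-ups and need no change.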
@@ -273,9 +297,7 @@ Provides python3 module for calculating the murmur hash version 3 %package ldap Summary: The LDAP back end of the SSSD -Group: Applications/System -License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 +License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} @@ -287,12 +309,9 @@ from and authenticate against an LDAP server. %package krb5-common Summary: SSSD helpers needed for Kerberos and GSSAPI authentication -Group: Applications/System -License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 +License: GPL-3.0-or-later Requires: cyrus-sasl-gssapi%{?_isa} Requires: sssd-common = %{version}-%{release} -Requires(pre): shadow-utils %description krb5-common Provides helper processes that the LDAP and Kerberos back ends can use for @@ -300,9 +319,7 @@ Kerberos user or host authentication. %package krb5 Summary: The Kerberos authentication back end for the SSSD -Group: Applications/System -License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 +License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} @@ -312,8 +329,7 @@ against a Kerberos server. %package common-pac Summary: Common files needed for supporting PAC processing -Group: Applications/System -License: GPLv3+ +License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} @@ -323,9 +339,7 @@ for handling Kerberos PACs. %package ipa Summary: The IPA back end of the SSSD -Group: Applications/System -License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 +License: GPL-3.0-or-later Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} 
@@ -334,7 +348,6 @@ Requires: libsss_certmap = %{version}-%{release} Recommends: bind-utils Requires: sssd-common-pac = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} -Requires(pre): shadow-utils %description ipa Provides the IPA back end that the SSSD can utilize to fetch identity data @@ -342,9 +355,7 @@ from and authenticate against an IPA server. %package ad Summary: The AD back end of the SSSD -Group: Applications/System -License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 +License: GPL-3.0-or-later Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} @@ -361,12 +372,9 @@ identity data from and authenticate against an Active Directory server. %package proxy Summary: The proxy back end of the SSSD -Group: Applications/System -License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 +License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release} -Requires(pre): shadow-utils %description proxy Provides the proxy back end which can be used to wrap an existing NSS and/or @@ -374,18 +382,14 @@ PAM modules to leverage SSSD caching. %package -n libsss_idmap Summary: FreeIPA Idmap library -Group: Development/Libraries -License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig +License: LGPL-3.0-or-later %description -n libsss_idmap Utility library to convert SIDs to Unix uids and gids %package -n libsss_idmap-devel Summary: FreeIPA Idmap library -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later Requires: libsss_idmap = %{version}-%{release} %description -n libsss_idmap-devel 
@@ -393,18 +397,14 @@ Utility library to SIDs to Unix uids and gids %package -n libipa_hbac Summary: FreeIPA HBAC Evaluator library -Group: Development/Libraries -License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig +License: LGPL-3.0-or-later %description -n libipa_hbac Utility library to validate FreeIPA HBAC rules for authorization requests %package -n libipa_hbac-devel Summary: FreeIPA HBAC Evaluator library -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later Requires: libipa_hbac = %{version}-%{release} %description -n libipa_hbac-devel @@ -412,8 +412,7 @@ Utility library to validate FreeIPA HBAC rules for authorization requests %package -n python3-libipa_hbac Summary: Python3 bindings for the FreeIPA HBAC Evaluator library -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later Requires: libipa_hbac = %{version}-%{release} %{?python_provide:%python_provide python3-libipa_hbac} @@ -423,18 +422,14 @@ used by Python applications. %package -n libsss_nss_idmap Summary: Library for SID and certificate based lookups -Group: Development/Libraries -License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig +License: LGPL-3.0-or-later %description -n libsss_nss_idmap Utility library for SID and certificate based lookups %package -n libsss_nss_idmap-devel Summary: Library for SID and certificate based lookups -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later Requires: libsss_nss_idmap = %{version}-%{release} %description -n libsss_nss_idmap-devel @@ -442,8 +437,7 @@ Utility library for SID and certificate based lookups %package -n python3-libsss_nss_idmap Summary: Python3 bindings for libsss_nss_idmap -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later Requires: libsss_nss_idmap = %{version}-%{release} %{?python_provide:%python_provide python3-libsss_nss_idmap} 
@@ -453,8 +447,7 @@ be used by Python applications. %package dbus Summary: The D-Bus responder of the SSSD -Group: Applications/System -License: GPLv3+ +License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} %{?systemd_requires} @@ -462,47 +455,12 @@ Requires: sssd-common = %{version}-%{release} Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows the information from the SSSD to be transmitted over the system bus. -%if (0%{?install_pcscd_polkit_rule} == 1) -%package polkit-rules -Summary: Rules for polkit integration for SSSD -Group: Applications/System -License: GPLv3+ -Requires: polkit >= 0.106 -Requires: sssd-common = %{version}-%{release} - -%description polkit-rules -Provides rules for polkit integration with SSSD. This is required -for smartcard support. -%endif - -%package -n libsss_simpleifp -Summary: The SSSD D-Bus responder helper library -Group: Development/Libraries -License: GPLv3+ -Requires: sssd-dbus = %{version}-%{release} -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig - -%description -n libsss_simpleifp -Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. - -%package -n libsss_simpleifp-devel -Summary: The SSSD D-Bus responder helper library -Group: Development/Libraries -License: GPLv3+ -Requires: dbus-devel -Requires: libsss_simpleifp = %{version}-%{release} - -%description -n libsss_simpleifp-devel -Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. - %package winbind-idmap Summary: SSSD's idmap_sss Backend for Winbind -Group: Applications/System -License: GPLv3+ and LGPLv3+ -Conflicts: sssd-common < %{version}-%{release} +License: GPL-3.0-or-later AND LGPL-3.0-or-later Requires: libsss_nss_idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Conflicts: sssd-common < %{version}-%{release} %description winbind-idmap The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs 
@@ -510,8 +468,7 @@ and SIDs. %package nfs-idmap Summary: SSSD plug-in for NFSv4 rpc.idmapd -Group: Applications/System -License: GPLv3+ +License: GPL-3.0-or-later Conflicts: sssd-common < %{version}-%{release} %description nfs-idmap @@ -521,10 +478,7 @@ UIDs/GIDs to names and vice versa. It can be also used for mapping principal %package -n libsss_certmap Summary: SSSD Certificate Mapping Library -Group: Development/Libraries -License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig +License: LGPL-3.0-or-later Conflicts: sssd-common < %{version}-%{release} %description -n libsss_certmap @@ -532,8 +486,7 @@ Library to map certificates to users based on rules %package -n libsss_certmap-devel Summary: SSSD Certificate Mapping Library -Group: Development/Libraries -License: LGPLv3+ +License: LGPL-3.0-or-later Requires: libsss_certmap = %{version}-%{release} %description -n libsss_certmap-devel @@ -541,10 +494,12 @@ Library to map certificates to users based on rules %package kcm Summary: An implementation of a Kerberos KCM server -Group: Applications/System -License: GPLv3+ +License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} -Requires: krb5-libs >= 1.18.2-11 +%if %{build_kcm_renewals} +Requires: krb5-libs >= %{krb5_version} +Requires: sssd-krb5-common = %{version}-%{release} +%endif %{?systemd_requires} %description kcm @@ -553,7 +508,7 @@ use the KCM: Kerberos credentials cache. %package idp Summary: Kerberos plugins and OIDC helper for external identity providers. -License: GPLv3+ +License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} %description idp 
@@ -561,75 +516,73 @@ This package provides Kerberos plugins that are required to enable authentication against external identity providers. Additionally a helper program to handle the OAuth 2.0 Device Authorization Grant is provided. +%if %{build_passkey} +%package passkey +Summary: SSSD helpers and plugins needed for authentication with passkey token +License: GPL-3.0-or-later +Requires: sssd-common = %{version}-%{release} +Requires: libfido2 +%if "%{sssd_user}" != "root" +Requires: acl +%endif + +%description passkey +This package provides helper processes and Kerberos plugins that are required to +enable authentication with passkey token. +%endif + %prep -# Update timestamps on the files touched by a patch, to avoid non-equal -# .pyc/.pyo files across the multilib peers within a build, where "Level" -# is the patch prefix option (e.g. -p1) -# Taken from specfile for python-simplejson -UpdateTimestamps() { - Level=$1 - PatchFile=$2 - - # Locate the affected files: - for f in $(diffstat $Level -l $PatchFile); do - # Set the files to have the same timestamp as that of the patch: - touch -r $PatchFile $f - done -} - -%setup -q - -for p in %patches ; do - %__patch -p1 -i $p - UpdateTimestamps -p1 $p -done +%autosetup -n sssd-2.10.2 -p1 %build + autoreconf -ivf %configure \ - --with-test-dir=/dev/shm \ + --runstatedir=%{_rundir} \ + --disable-rpath \ + --disable-static \ + --enable-gss-spnego-for-zero-maxssf \ + --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ + --enable-nsslibdir=%{_libdir} \ + --enable-pammoddir=%{_libdir}/security \ + --enable-sss-default-nss-plugin \ + --enable-systemtap \ --with-db-path=%{dbpath} \ + --with-gpo-cache-path=%{gpocachepath} \ + --with-init-dir=%{_initrddir} \ + --with-initscript=systemd \ + --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ --with-mcache-path=%{mcpath} \ --with-pipe-path=%{pipepath} \ --with-pubconf-path=%{pubconfpath} \ - --with-gpo-cache-path=%{gpocachepath} \ - --with-init-dir=%{_initrddir} \ - 
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ - --enable-nsslibdir=%{_libdir} \ - --enable-pammoddir=%{_libdir}/security \ - --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ - --disable-static \ - --with-crypto=libcrypto \ - --disable-rpath \ - --with-initscript=systemd \ + --with-sssd-user=%{sssd_user} \ --with-syslog=journald \ + --with-test-dir=/dev/shm \ +%if %{build_subid} --with-subid \ - --with-files-provider \ - --with-libsifp \ - --enable-sss-default-nss-plugin \ - --without-python2-bindings \ - --with-sssd-user=sssd \ - %{?with_cifs_utils_plugin_option} \ - %{?enable_systemtap_opt} \ +%endif +%if %{build_passkey} + --with-passkey \ +%endif +%if %{build_ssh_known_hosts_proxy} + --with-ssh-known-hosts-proxy \ +%endif + %{nil} +%make_build all docs runstatedir=%{_rundir} -make %{?_smp_mflags} all docs -make -C po ja.gmo -make -C po fr.gmo -make -C po zh_CN.po +%py3_shebang_fix src/tools/analyzer/sss_analyze +sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate %check export CK_TIMEOUT_MULTIPLIER=10 -make %{?_smp_mflags} check VERBOSE=yes +%make_build check VERBOSE=yes unset CK_TIMEOUT_MULTIPLIER %install -%py3_shebang_fix src/tools/analyzer/sss_analyze -sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate - -make install DESTDIR=$RPM_BUILD_ROOT +%make_install # Prepare language files /usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd 
@@ -651,6 +604,15 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp +# Enable krb5 passkey plugins by default (when sssd-passkey package is installed) +%if %{build_passkey} +cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \ + $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey +%if "%{sssd_user}" != "root" +install -D -p -m 0644 contrib/90-sssd-token-access.rules %{buildroot}%{_udevrulesdir}/90-sssd-token-access.rules +%endif +%endif + # krb5 configuration snippet cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir @@ -659,6 +621,9 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ # Otherwise this directory could not be owned by sssd-client mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils +# tmpfiles.d config +install -D -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf + # Remove .la files created by libtool find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; @@ -667,7 +632,7 @@ rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name} # Older versions of rpmbuild can only handle one -f option # So we need to append to the sssd*.lang file -for file in `ls $RPM_BUILD_ROOT/%{python3_sitelib}/*.egg-info 2> /dev/null` +for file in `find $RPM_BUILD_ROOT/%{python3_sitelib} -maxdepth 1 -name "*.egg-info" 2> /dev/null` do echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang done @@ -753,12 +718,14 @@ do cat $subpackage.lang done +%if %{use_sysusers} +install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf +%endif + %files -%defattr(-,root,root,-) %license COPYING %files common -f sssd.lang -%defattr(-,root,root,-) %license COPYING %doc src/examples/sssd-example.conf %{_sbindir}/sssd 
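Review bot: The new install lines mix the two buildroot spellings — `cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey ...` is followed by `install -D -p -m 0644 contrib/90-sssd-token-access.rules %{buildroot}%{_udevrulesdir}/90-sssd-token-access.rules`, and the tmpfiles.d line in the `@@ -659,6 +621,9 @@` hunk uses `%{buildroot}` as well, while the rest of %install uses `$RPM_BUILD_ROOT`. The two expand to the same path, but anyone auditing what is written under the buildroot now has to grep for both. Pick one form for the whole section, e.g. `install -D -p -m 0644 contrib/90-sssd-token-access.rules $RPM_BUILD_ROOT%{_udevrulesdir}/90-sssd-token-access.rules`. The %install section continues outside this hunk.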
@@ -770,17 +737,18 @@ done %{_unitdir}/sssd-pac.socket %{_unitdir}/sssd-pac.service %{_unitdir}/sssd-pam.socket -%{_unitdir}/sssd-pam-priv.socket %{_unitdir}/sssd-pam.service %{_unitdir}/sssd-ssh.socket %{_unitdir}/sssd-ssh.service %{_unitdir}/sssd-sudo.socket %{_unitdir}/sssd-sudo.service +%{_tmpfilesdir}/%{name}.conf + %dir %{_libexecdir}/%{servicename} %{_libexecdir}/%{servicename}/sssd_be %{_libexecdir}/%{servicename}/sssd_nss -%{_libexecdir}/%{servicename}/sssd_pam +%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/sssd_pam %{_libexecdir}/%{servicename}/sssd_autofs %{_libexecdir}/%{servicename}/sssd_ssh %{_libexecdir}/%{servicename}/sssd_sudo @@ -788,8 +756,6 @@ done %{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders %dir %{_libdir}/%{name} -# The files provider is intentionally packaged in -common -%{_libdir}/%{name}/libsss_files.so %{_libdir}/%{name}/libsss_simple.so #Internal shared libraries @@ -800,7 +766,6 @@ done %{_libdir}/%{name}/libsss_krb5_common.so %{_libdir}/%{name}/libsss_ldap_common.so %{_libdir}/%{name}/libsss_util.so -%{_libdir}/%{name}/libsss_semanage.so %{_libdir}/%{name}/libifp_iface.so %{_libdir}/%{name}/libifp_iface_sync.so %{_libdir}/%{name}/libsss_iface.so 
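Review bot: `sssd_pam` now carries `%caps(cap_dac_read_search=p)` instead of running as root, and nothing in the spec records which files the responder needs to read past DAC for; the same gap applies to `ldap_child`/`krb5_child` in the `@@ -861,28 +827,26 @@` hunk and to `selinux_child` in the `@@ -891,33 +855,28 @@` hunk. `=p` places the capability only in the permitted set, so each binary has to raise it into its effective set itself — if it does not, the grant is inert, and if it does, CAP_DAC_READ_SEARCH is a blanket read/search bypass rather than a per-path grant, so a bug in that process becomes an arbitrary-file-read as `%{sssd_user}`. A one-line comment above each `%caps` line, e.g. `# permitted-only; raised by the binary for <files it must read — confirm>`, would let the next rebase check that the set is still minimal. `krb5_child` additionally gets `cap_setuid,cap_setgid`, which is close to what the removed setuid bit granted for identity switching and deserves its own justification.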
@@ -810,42 +775,43 @@ done %{ldb_modulesdir}/memberof.so %{_bindir}/sss_ssh_authorizedkeys +%{_bindir}/sss_ssh_knownhosts %{_bindir}/sss_ssh_knownhostsproxy %{_sbindir}/sss_cache %{_libexecdir}/%{servicename}/sss_signal -%dir %{sssdstatedir} +%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir} %dir %{_localstatedir}/cache/krb5rcache -%attr(700,sssd,sssd) %dir %{dbpath} -%attr(775,sssd,sssd) %dir %{mcpath} -%attr(700,root,root) %dir %{secdbpath} -%attr(751,root,root) %dir %{deskprofilepath} -%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd -%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group -%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups -%attr(755,sssd,sssd) %dir %{pipepath} -%attr(750,sssd,root) %dir %{pipepath}/private -%attr(755,sssd,sssd) %dir %{pubconfpath} -%attr(755,sssd,sssd) %dir %{gpocachepath} -%attr(750,sssd,sssd) %dir %{_var}/log/%{name} -%attr(700,sssd,sssd) %dir %{_sysconfdir}/sssd -%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d -%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki -%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath} +%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{secdbpath} +%attr(771,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath} +%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private +%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name} +%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd +%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d +%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd/pki +%ghost %attr(0640,root,%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %dir %{_sysconfdir}/logrotate.d 
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd %dir %{_sysconfdir}/rwtab.d %config(noreplace) %{_sysconfdir}/rwtab.d/sssd %dir %{_datadir}/sssd +%attr(775,%{sssd_user},%{sssd_user}) %dir %{_rundir}/sssd %config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils %dir %{_libdir}/%{name}/conf %{_libdir}/%{name}/conf/sssd.conf %{_datadir}/sssd/cfg_rules.ini %{_mandir}/man1/sss_ssh_authorizedkeys.1* +%{_mandir}/man1/sss_ssh_knownhosts.1* +%if %{build_ssh_known_hosts_proxy} %{_mandir}/man1/sss_ssh_knownhostsproxy.1* +%endif %{_mandir}/man5/sssd.conf.5* -%{_mandir}/man5/sssd-files.5* %{_mandir}/man5/sssd-simple.5* %{_mandir}/man5/sssd-sudo.5* %{_mandir}/man5/sssd-session-recording.5* @@ -861,28 +827,26 @@ done %{_datadir}/systemtap/tapset/sssd.stp %{_datadir}/systemtap/tapset/sssd_functions.stp %{_mandir}/man5/sssd-systemtap.5* - -%if (0%{?install_pcscd_polkit_rule} == 1) -%files polkit-rules +%if %{use_sysusers} +%{_sysusersdir}/sssd.conf +%endif +%if %{use_sssd_user} %{_datadir}/polkit-1/rules.d/* %endif %files ldap -f sssd_ldap.lang -%defattr(-,root,root,-) %license COPYING %{_libdir}/%{name}/libsss_ldap.so %{_mandir}/man5/sssd-ldap.5* %{_mandir}/man5/sssd-ldap-attributes.5* %files krb5-common -%defattr(-,root,root,-) %license COPYING -%attr(755,sssd,sssd) %dir %{pubconfpath}/krb5.include.d -%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child -%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child +%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d +%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/ldap_child +%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search,cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/krb5_child %files krb5 -f sssd_krb5.lang -%defattr(-,root,root,-) %license COPYING %{_libdir}/%{name}/libsss_krb5.so %{_mandir}/man5/sssd-krb5.5* 
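Review bot: The directory and config modes in the `@@ -810,42 +775,43 @@` hunk are widened from owner-only to group access in one step — `%{_sysconfdir}/sssd` goes from `700,sssd,sssd` to `750,root,%{sssd_user}`, the ghosted `sssd.conf` from `0600,root,root` to `0640,root,%{sssd_user}`, `%{dbpath}` from 700 to 770 and `%{secdbpath}` from `700,root,root` to `770,%{sssd_user},%{sssd_user}` — with no comment on why. sssd.conf commonly carries bind credentials (`ldap_default_authtok`) and `secdbpath` appears to be the secrets store, so after this change anything running as the sssd group, including a compromised unprivileged helper, can read them; that is presumably the accepted price of dropping root. The spec should say so where the attrs are declared, e.g. `# group-accessible so the daemon can run as %{sssd_user}; sssd.conf and the secrets db are readable by that group, not only root`. Note also that `%ghost` means rpm will not touch an existing sssd.conf on upgrade, so the relaxation relies on the `%post common` chmod in the `@@ -1107,41 +1045,18 @@` hunk.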
@@ -891,33 +855,28 @@ done %{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir %files common-pac -%defattr(-,root,root,-) %license COPYING %{_libexecdir}/%{servicename}/sssd_pac %files ipa -f sssd_ipa.lang -%defattr(-,root,root,-) %license COPYING -%attr(700,sssd,sssd) %dir %{keytabdir} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir} %{_libdir}/%{name}/libsss_ipa.so -%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child +%attr(0750,root,%{sssd_user}) %caps(cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/selinux_child %{_mandir}/man5/sssd-ipa.5* %files ad -f sssd_ad.lang -%defattr(-,root,root,-) %license COPYING %{_libdir}/%{name}/libsss_ad.so %{_libexecdir}/%{servicename}/gpo_child %{_mandir}/man5/sssd-ad.5* %files proxy -%defattr(-,root,root,-) %license COPYING -%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/proxy_child +%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child %{_libdir}/%{name}/libsss_proxy.so %files dbus -f sssd_dbus.lang -%defattr(-,root,root,-) %license COPYING %{_libexecdir}/%{servicename}/sssd_ifp %{_mandir}/man5/sssd-ifp.5* @@ -926,23 +885,12 @@ done %{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service -%files -n libsss_simpleifp -%defattr(-,root,root,-) -%{_libdir}/libsss_simpleifp.so.* - -%files -n libsss_simpleifp-devel -%defattr(-,root,root,-) -%doc sss_simpleifp_doc/html -%{_includedir}/sss_sifp.h -%{_includedir}/sss_sifp_dbus.h -%{_libdir}/libsss_simpleifp.so -%{_libdir}/pkgconfig/sss_simpleifp.pc - %files client -f sssd_client.lang -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libnss_sss.so.2 +%if %{build_subid} %{_libdir}/libsubid_sss.so +%endif %{_libdir}/security/pam_sss.so %{_libdir}/security/pam_sss_gss.so %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so 
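Review bot: `proxy_child` drops its setuid bit (`4750,root,sssd` → `0750,root,%{sssd_user}`) but, unlike `selinux_child` a few lines up, gets no `%caps` replacement, so it now runs with only the sssd user's privileges. If the proxied PAM stack needs root for anything (pam_unix reading /etc/shadow is the usual case), that now has to come from the stack's own setuid helpers rather than from proxy_child, and the hunk gives no hint whether that was verified. A short comment on the line, `# no caps: privileged PAM modules must bring their own helpers (e.g. unix_chkpwd) — confirm`, would record the assumption. The `%files proxy` section ends inside the hunk, so no other entries are affected.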
@@ -960,18 +908,15 @@ done %{_mandir}/man8/sssd_krb5_localauth_plugin.8* %files -n libsss_sudo -%defattr(-,root,root,-) %license src/sss_client/COPYING %{_libdir}/libsss_sudo.so* %files -n libsss_autofs -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %dir %{_libdir}/%{name}/modules %{_libdir}/%{name}/modules/libsss_autofs.so %files tools -f sssd_tools.lang -%defattr(-,root,root,-) %license COPYING %{_sbindir}/sss_obfuscate %{_sbindir}/sss_override @@ -987,7 +932,6 @@ done %{_mandir}/man8/sssctl.8* %files -n python3-sssdconfig -f python3_sssdconfig.lang -%defattr(-,root,root,-) %dir %{python3_sitelib}/SSSDConfig %{python3_sitelib}/SSSDConfig/*.py* %dir %{python3_sitelib}/SSSDConfig/__pycache__ 
@@ -997,55 +941,45 @@ done %{_datadir}/sssd/sssd.api.d %files -n python3-sss -%defattr(-,root,root,-) %{python3_sitearch}/pysss.so %files -n python3-sss-murmur -%defattr(-,root,root,-) %{python3_sitearch}/pysss_murmur.so %files -n libsss_idmap -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libsss_idmap.so.* %files -n libsss_idmap-devel -%defattr(-,root,root,-) %doc idmap_doc/html %{_includedir}/sss_idmap.h %{_libdir}/libsss_idmap.so %{_libdir}/pkgconfig/sss_idmap.pc %files -n libipa_hbac -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libipa_hbac.so.* %files -n libipa_hbac-devel -%defattr(-,root,root,-) %doc hbac_doc/html %{_includedir}/ipa_hbac.h %{_libdir}/libipa_hbac.so %{_libdir}/pkgconfig/ipa_hbac.pc %files -n libsss_nss_idmap -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libsss_nss_idmap.so.* %files -n libsss_nss_idmap-devel -%defattr(-,root,root,-) %doc nss_idmap_doc/html %{_includedir}/sss_nss_idmap.h %{_libdir}/libsss_nss_idmap.so %{_libdir}/pkgconfig/sss_nss_idmap.pc %files -n python3-libsss_nss_idmap -%defattr(-,root,root,-) %{python3_sitearch}/pysss_nss_idmap.so %files -n python3-libipa_hbac -%defattr(-,root,root,-) %{python3_sitearch}/pyhbac.so %files winbind-idmap -f sssd_winbind_idmap.lang @@ -1058,13 +992,11 @@ done %{_libdir}/libnfsidmap/sss.so %files -n libsss_certmap -f libsss_certmap.lang -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libsss_certmap.so.* %{_mandir}/man5/sss-certmap.5* %files -n libsss_certmap-devel -%defattr(-,root,root,-) %doc certmap_doc/html %{_includedir}/sss_certmap.h %{_libdir}/libsss_certmap.so 
@@ -1085,21 +1017,27 @@ done %{_datadir}/sssd/krb5-snippets/sssd_enable_idp %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp -%pre ipa -getent group sssd >/dev/null || groupadd -r sssd -getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd - -%pre krb5-common -getent group sssd >/dev/null || groupadd -r sssd -getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd +%if %{build_passkey} +%files passkey +%{_libexecdir}/%{servicename}/passkey_child +%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so +%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey +%if "%{sssd_user}" != "root" +%{_udevrulesdir}/90-sssd-token-access.rules +%endif +%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey +%endif +%if %{use_sssd_user} %pre common +! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true +%if %{use_sysusers} +%sysusers_create_compat %{SOURCE1} +%else getent group sssd >/dev/null || groupadd -r sssd -getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd - -%pre proxy -getent group sssd >/dev/null || groupadd -r sssd -getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd +getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologin -c "User for sssd" sssd +%endif +%endif %post common %systemd_post sssd.service 
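Review bot: The new first line of `%pre common`, `! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true`, reads as a double negative and runs `usermod` on every install and upgrade where any `sssd` account exists, including one an administrator created by hand with a different home directory. The plain form is easier to audit: `if getent passwd sssd >/dev/null; then usermod -d /run/sssd sssd >/dev/null || :; fi`. This line is also the only place that migrates the home directory from the `-d /` the removed `useradd` lines used to `/run/sssd`; a comment such as `# earlier spec versions created sssd with home=/; move it to the runtime dir` would explain why the usermod precedes `%sysusers_create_compat`. Whether `%{SOURCE1}` declares the same home directory cannot be seen from this hunk.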
@@ -1107,41 +1045,18 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %systemd_post sssd-nss.socket %systemd_post sssd-pac.socket %systemd_post sssd-pam.socket -%systemd_post sssd-pam-priv.socket %systemd_post sssd-ssh.socket %systemd_post sssd-sudo.socket - -function mod_nss() { - if [ -f "$1" ] ; then - # Change order 'sss <-> files' if default pattern is found - match_pattern="^[[:blank:]]*(passwd|group):(.*)sss[[:blank:]]+files(.*)" - if grep -E -r -q -s "$match_pattern" "$1"; then - sed -i.save_by_rpm -E -e " - s/$match_pattern/\1:\2files sss\3/ - " "$1" &>/dev/null || : - # Remove obsolete comment - sed -i -E -e '/# .sssd. performs its own .files.-based caching, so it should generally/d' "$1" &>/dev/null || : - sed -i -E -e '/# come before .files.\./d' "$1" &>/dev/null || : - fi - fi -} - -if grep -E -r -q -s "[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/ || - grep -E -i -r -q -s "[[:blank:]]*enable_files_domain[[:blank:]]*=[[:blank:]]*true" /etc/sssd ; then - # "files provider" configured explicitly, leave nsswitch.conf intact - : -else - NSSFILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)" - if [ "$NSSFILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then - mod_nss "/etc/authselect/user-nsswitch.conf" - authselect apply-changes &> /dev/null || : - else - mod_nss "$NSSFILE" - # also apply the same changes to user-nsswitch.conf to affect - # possible future authselect configuration - mod_nss "/etc/authselect/user-nsswitch.conf" - fi -fi +%__rm -f %{mcpath}/passwd +%__rm -f %{mcpath}/group +%__rm -f %{mcpath}/initgroups +%__rm -f %{mcpath}/sid +%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true +%__chmod -f -R g+r %{_sysconfdir}/sssd || true +%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true +%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true +%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true +%__chown -f -R 
%{sssd_user}:%{sssd_user} %{gpocachepath} || true %preun common %systemd_preun sssd.service @@ -1149,24 +1064,28 @@ fi %systemd_preun sssd-nss.socket %systemd_preun sssd-pac.socket %systemd_preun sssd-pam.socket -%systemd_preun sssd-pam-priv.socket %systemd_preun sssd-ssh.socket %systemd_preun sssd-sudo.socket %postun common +%__rm -f %{mcpath}/passwd +%__rm -f %{mcpath}/group +%__rm -f %{mcpath}/initgroups +%__rm -f %{mcpath}/sid %systemd_postun_with_restart sssd-autofs.socket -%systemd_postun_with_restart sssd-autofs.service %systemd_postun_with_restart sssd-nss.socket -%systemd_postun_with_restart sssd-nss.service %systemd_postun_with_restart sssd-pac.socket -%systemd_postun_with_restart sssd-pac.service %systemd_postun_with_restart sssd-pam.socket -%systemd_postun_with_restart sssd-pam-priv.socket -%systemd_postun_with_restart sssd-pam.service %systemd_postun_with_restart sssd-ssh.socket -%systemd_postun_with_restart sssd-ssh.service %systemd_postun_with_restart sssd-sudo.socket -%systemd_postun_with_restart sssd-sudo.service + +# Services have RefuseManualStart=true, therefore we can't request restart. +%systemd_postun sssd-autofs.service +%systemd_postun sssd-nss.service +%systemd_postun sssd-pac.service +%systemd_postun sssd-pam.service +%systemd_postun sssd-ssh.service +%systemd_postun sssd-sudo.service %post dbus %systemd_post sssd-ifp.service 
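Review bot: `%post common` now recursively re-applies ownership and mode on every install and upgrade — `%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true` and `%__chmod -f -R g+r %{_sysconfdir}/sssd || true` — which also silently undoes any tightening an administrator made (for instance a conf.d snippet holding a bind password kept at 0600), since `-f` and `|| true` suppress every failure. That is presumably deliberate, to migrate root-only layouts to the unprivileged `%{sssd_user}`, but the intent is not written down; a comment like `# one-way migration to the unprivileged sssd user: older installs kept /etc/sssd, the caches and the secrets db root-only` above the first chown would make it explicit. The `%{dbpath}/*` and `%{secdbpath}/*.ldb` globs only touch the top level, unlike the `-R` used for `%{gpocachepath}`, so if nested files ever exist there they keep their old owner — worth confirming that is intended.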
@@ -1188,746 +1107,556 @@ fi %systemd_postun_with_restart sssd-kcm.service %post client -/sbin/ldconfig /usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20 %preun client if [ $1 -eq 0 ] ; then - /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so + /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so || true fi -%postun client -p /sbin/ldconfig - -%post -n libsss_sudo -p /sbin/ldconfig - -%postun -n libsss_sudo -p /sbin/ldconfig - -%post -n libipa_hbac -p /sbin/ldconfig - -%postun -n libipa_hbac -p /sbin/ldconfig - -%post -n libsss_idmap -p /sbin/ldconfig - -%postun -n libsss_idmap -p /sbin/ldconfig - -%post -n libsss_nss_idmap -p /sbin/ldconfig - -%postun -n libsss_nss_idmap -p /sbin/ldconfig - -%post -n libsss_simpleifp -p /sbin/ldconfig - -%postun -n libsss_simpleifp -p /sbin/ldconfig - -%post -n libsss_certmap -p /sbin/ldconfig - -%postun -n libsss_certmap -p /sbin/ldconfig - %posttrans common %systemd_postun_with_restart sssd.service %changelog -* Fri Nov 22 2024 Alexey Tikhonov - 2.9.4-5.1 -- Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z] -- Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z] -- Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z] -- Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z] -- Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z] -- Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z] - -* Mon Sep 09 2024 Anuar Beisembayev - 2.9.4-5 -- Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements - -* Fri May 17 2024 Arun Bansal - 2.9.4-4 -- Resolves: RHEL-33957 - ad: refresh root 
domain when read directly - -* Thu Apr 18 2024 Alexey Tikhonov - 2.9.4-3 -- Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently - -* Mon Feb 12 2024 Alexey Tikhonov - 2.9.4-2 -- Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8] -- Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8] -- Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8] - -* Sat Jan 13 2024 Alexey Tikhonov - 2.9.4-1 -- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 -- Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache -- Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP' -- Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') -- Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest -- Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf -- Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8] -- Resolves: RHEL-10721 - very bad performance when requesting service tickets -- Resolves: RHEL-19011 - Invalid handling groups from child domain -- Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8] - -* Mon Nov 13 2023 Alexey Tikhonov - 2.9.3-2 -- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 - -* Mon Nov 13 2023 Alexey Tikhonov - 2.9.3-1 -- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 -- Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication -- Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user - -* Mon Sep 11 2023 Alexey Tikhonov - 2.9.2-1 -- 
Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10 -- Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code -- Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7) - -* Mon Jul 10 2023 Alexey Tikhonov - 2.9.1-2 -- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system - -* Fri Jun 23 2023 Alexey Tikhonov - 2.9.1-1 -- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 -- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy -- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files -- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' -- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure -- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] -- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization -- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working -- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides -- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' - -* Tue May 30 2023 Alexey Tikhonov - 2.9.0-4 -- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release - Rebuild against rebased Samba libs - -* Thu May 25 2023 Alexey Tikhonov - 2.9.0-3 -- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 - -* Mon May 15 2023 Alexey Tikhonov - 2.9.0-1 -- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 -- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain 
(ldap_sasl_interactive_bind_s failed) -- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket -- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 -- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name -- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") -- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # - -* Mon Feb 13 2023 Alexey Tikhonov - 2.8.2-2 -- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy" - -* Mon Dec 19 2022 Alexey Tikhonov - 2.8.2-1 -- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 -- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. -- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization -- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list -- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged -- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around -- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) - -* Tue Nov 22 2022 Alexey Tikhonov - 2.8.1-1 -- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 -- Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr -- Resolves: rhbz#2144579 - sssd timezone issues sudonotafter -- Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file -- Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) -- Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth 
client secret failed - -* Mon Oct 31 2022 Alexey Tikhonov - 2.7.3-5 -- Related: rhbz#2132051 - Rebase Samba to the the latest 4.17.x release - Rebuild against Samba rebase. - -* Fri Aug 26 2022 Alexey Tikhonov - 2.7.3-4 -- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 - -* Tue Aug 23 2022 Alexey Tikhonov - 2.7.3-3 -- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 -- Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured -- Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend - -* Wed Aug 10 2022 Alexey Tikhonov - 2.7.3-2 -- Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases -- Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs -- Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL - -* Wed Jul 13 2022 Alexey Tikhonov - 2.7.3-1 -- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 -- Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization - -* Mon Jun 20 2022 Alexey Tikhonov - 2.7.2-1 -- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 -- Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets -- Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file -- Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 -- Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf -- Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP -- Resolves: rhbz#2098615 - Regression "Missing internal domain data." 
when setting ad_domain to incorrect
-- Resolves: rhbz#2098617 - Harden kerberos ticket validation
-- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
-
-* Wed May 18 2022 Alexey Tikhonov - 2.7.0-2
-- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
-- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
-- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
-- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
-- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname()
-- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd
-- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
-- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send
-- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker
-- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
-- Resolves: rhbz#2087745 - 2FA prompting setting ineffective
-- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language
-
-* Mon Jan 17 2022 Alexey Tikhonov - 2.6.2-3
-- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
-- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
-- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
-- Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
-- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
-
-* Tue Jan 04 2022 Alexey Tikhonov - 2.6.2-2
-- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)
-
-* Mon Dec 27 2021 Alexey Tikhonov - 2.6.2-1
-- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
-- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
-- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
-- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
-- Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
-- Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
-- Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
-- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
-- Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
-- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
-- Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
-- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
-
-* Fri Nov 26 2021 Alexey Tikhonov - 2.6.1-2
-- Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
-
-* Mon Nov 15 2021 Alexey Tikhonov - 2.6.1-1
-- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
-- Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
-- Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator
-- Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed
-- Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb
-- Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces)
-- Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
-- Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD
-- Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline
-- Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True'
-- Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s
-- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
-- Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication.
-- Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA
-- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
-- Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing
-
-* Mon Aug 02 2021 Alexey Tikhonov - 2.5.2-2
-- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
-- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization
-
-* Mon Jul 12 2021 Alexey Tikhonov - 2.5.2-1
-- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
-- Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU
-- Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber`
-- Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling
-- Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address
-- Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group
-- Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade
-
-* Mon Jun 21 2021 Alexey Tikhonov - 2.5.1-2
-- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken
-- Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument
-- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)
-
-* Tue Jun 08 2021 Alexey Tikhonov - 2.5.1-1
-- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
-- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
-- Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory
-- Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file
-- Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout
-- Resolves: rhbz#1940509 - [RFE]
Health and Support Analyzer: Link frontend to backend requests
-- Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust
-- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
-- Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found
-- Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group
-- Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable
-- Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory.
-- Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf
-
-* Mon May 10 2021 Alexey Tikhonov - 2.5.0-1
-- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
-- Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11
-- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
-- Resolves: rhbz#1945888 - Inconsistant debug level for connection logging
-- Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets
-- Resolves: rhbz#1949149 - [RFE] Poor man's backtrace
-- Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR
-- Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail.
-- Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs
-- Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path
-- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm
-- Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries
-- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
-- Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries
-- Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries
-- Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains.
-- Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable
-- Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used
-- Resolves: rhbz#1703436 - sssd not thread-safe in innetgr()
-- Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen
-- Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page
-- Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page
-- Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp
-- Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3)
-- Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7
-- Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login
-- Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive
-
-* Fri Feb 12 2021 Alexey Tikhonov - 2.4.0-8
-- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss
--
Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0.
-- Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch)
-
-* Tue Jan 26 2021 Alexey Tikhonov - 2.4.0-7
-- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules
-- Resolves: rhbz#1918433 - sssd unable to lookup certmap rules
-- Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11
-
-* Mon Jan 18 2021 Alexey Tikhonov - 2.4.0-6
-- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched
-- Resolves: rhbz#1915395 - Memory leak in the simple access provider
-- Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup
-- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches)
-
-* Mon Dec 28 2020 Alexey Tikhonov - 2.4.0-5
-- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value
-- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches)
-- Resolves: rhbz#1893159 - Default debug level should report all errors / failures
-- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication
-
-* Mon Dec 21 2020 Alexey Tikhonov - 2.4.0-4
-- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process
-- Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8]
-- Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently
-
-* Mon Dec 07 2020 Alexey Tikhonov - 2.4.0-3
-- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr()
-- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process
-- Resolves: rhbz#1894540 - sssd component
logging is now too generic in syslog/journal
-- Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior
-
-* Thu Nov 12 2020 Alexey Tikhonov - 2.4.0-2
-- This is to bump version to allow rebuild against rebased libldb.
-
-* Fri Oct 23 2020 Alexey Tikhonov - 2.4.0-1
-- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4
-- Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI
-- Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search()
-- Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording
-- Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x
-- Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD.
-- Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process
-- Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL
-- Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase)
-- Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page
-- Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals"
-- Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains
-- Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file
-- Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes
-- Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level
-- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff
-- Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command
-- Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate
-
-* Mon Sep 14 2020
Alexey Tikhonov - 2.3.0-9
-- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied
-
-* Fri Aug 21 2020 Alexey Tikhonov - 2.3.0-8
-- Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working
-- Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema
-- Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf
-- Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1
-
-* Fri Aug 07 2020 Alexey Tikhonov - 2.3.0-7
-- Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.
-- Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter
-
-* Fri Jul 24 2020 Alexey Tikhonov - 2.3.0-6
-- Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization
-
-* Mon Jul 20 2020 Alexey Tikhonov - 2.3.0-5
-- Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache
-- Fixed "requires/provides" rpmdiff warning
-
-* Thu Jul 02 2020 Alexey Tikhonov - 2.3.0-4
-- Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication
-- Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider
-- Resolves: rhbz#1803134 - Improve "unlock" time when user session already active
-
-* Fri Jun 26 2020 Alexey Tikhonov - 2.3.0-3
-- Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package
-- Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP
-- Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache
--
Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for - inotify events, and no updates are triggered -- Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" - on GDM login with smart-card -- Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat -- Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. -- Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management -- Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest - if LDAP entries do not contain AD forest root information -- Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories - in SSSD-AD direct integration. -- Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card -- Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False -- Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma - -* Thu Jun 11 2020 Alexey Tikhonov - 2.3.0-2 -- Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. 
- -* Mon Jun 08 2020 Alexey Tikhonov - 2.3.0-1 -- Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 -- Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure -- Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working - -* Mon Mar 16 2020 Alexey Tikhonov - 2.2.3-19 -- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard - certificate EKU and perform an action based - on value when generating SSH key from a certificate - (additional patch) - -* Fri Mar 13 2020 Alexey Tikhonov - 2.2.3-19 -- Resolves: rhbz#1810634 - id command taking 1+ minute for returning user - information - -* Fri Feb 28 2020 Michal Židek - 2.2.3-18 -- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard - certificate EKU and perform an action based - on value when generating SSH key from a certificate - -* Mon Feb 24 2020 Alexey Tikhonov - 2.2.3-17 -- Resolves: rhbz#1718193 - p11_child should have an option to skip - C_WaitForSlotEvent if the PKCS#11 module - does not implement it properly - -* Mon Feb 17 2020 Alexey Tikhonov - 2.2.3-16 -- Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is - omitted and auth_provider is krb5 - -* Wed Feb 12 2020 Michal Židek - 2.2.3-15 -- Resolves: rhbz#1754996 - [sssd] Tier 0 Localization - -* Tue Jan 28 2020 Michal Židek - 2.2.3-14 -- Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be - specified up to the seconds - -* Tue Jan 28 2020 Michal Židek - 2.2.3-13 -- Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools - -* Tue Jan 28 2020 Michal Židek - 2.2.3-12 -* Resolves: rhbz#1794016 - sssd_be frequent crash - -* Tue Jan 14 2020 Michal Židek - 2.2.3-11 -* Resolves: rhbz#1762415 - Force LDAPS over 636 with AD Access Provider - -* Tue Jan 14 2020 Michal Židek - 2.2.3-10 -* Resolves: rhbz#1583592 - [RFE] Add configurable randomness to SSSD ldap - connection timeout - -* Tue Jan 14 2020 Michal 
Židek - 2.2.3-9 -* Resolves: rhbz#1783190 - [abrt] [faf] sssd: - raise(): /usr/libexec/sssd/sssd_autofs killed by 6 - - -* Thu Dec 19 2019 Michal Židek - 2.2.3-8 -* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect - -* Thu Dec 19 2019 Michal Židek - 2.2.3-7 -* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect - -* Sun Dec 15 2019 Michal Židek - 2.2.3-6 -* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized - -* Sun Dec 15 2019 Michal Židek - 2.2.3-5 -* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character - for match rules sss-certmap - -* Thu Dec 12 2019 Michal Židek - 2.2.3-4 -* Resolves: rhbz#1781728 - sssctl config-check command does not give proper - error messages with line numbers - -* Mon Dec 2 2019 Michal Židek - 2.2.3-3 -* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release - Increasing version number to pick latest libldb - -* Sat Nov 30 2019 Michal Židek - 2.2.3-2 -* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release - PART2: Fix gating issue. - -* Sat Nov 30 2019 Michal Židek - 2.2.3-1 -* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release - -* Thu Nov 21 2019 Michal Židek - 2.2.2-1 -* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release - -* Wed Sep 4 2019 Michal Židek - 2.2.0-19 -- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid - new ones (kcm) +* Mon Apr 7 2025 Alexey Tikhonov - 2.10.2-3.2 +- Resolves: RHEL-79158 - Disk cache failure with large db sizes -* Sun Sep 1 2019 Michal Židek - 2.2.0-18 -- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 -- Also sync. 
kcm multihost tests with master +* Wed Apr 2 2025 Alexey Tikhonov - 2.10.2-3.1 +- Resolves: RHEL-79158 - Disk cache failure with large db sizes -* Sun Sep 1 2019 Michal Židek - 2.2.0-17 -- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome - keyring -- Also apply a patch to fix gating tests issue +* Wed Feb 12 2025 Alexey Tikhonov - 2.10.2-3 +- Resolves: RHEL-78061 - 'sssd_kcm' leaks memory -* Sun Aug 18 2019 Michal Židek - 2.2.0-16 -- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get - the IP address of the machine updated in IPA upon - sssd.service startup +* Mon Feb 10 2025 Alexey Tikhonov - 2.10.2-2 +- Resolves: RHEL-78061 - 'sssd_kcm' leaks memory -* Sun Aug 18 2019 Michal Židek - 2.2.0-15 -- Resolves: rhbz#1736265 - Smart Card auth of local user: endless - loop if wrong PIN was provided +* Wed Jan 29 2025 Alexey Tikhonov - 2.10.2-1 +- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0 -* Sun Aug 18 2019 Michal Židek - 2.2.0-14 -- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" - should not cause files domain entries to be - qualified, this can break sudo access +* Wed Dec 18 2024 Alexey Tikhonov - 2.10.1-3 +- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0 -* Sun Aug 18 2019 Michal Židek - 2.2.0-13 -- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the - systemd-user service in the account phase in RHEL-8 +* Wed Dec 18 2024 Alexey Tikhonov - 2.10.1-2 +- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0 -* Sun Aug 18 2019 Michal Židek - 2.2.0-12 -- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets +* Tue Dec 10 2024 Alexey Tikhonov - 2.10.1-1 +- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0 +- Resolves: RHEL-4984 - Mismatch between input and parsed domain name when default_domain_suffix is set. 
+- Resolves: RHEL-65848 - sssd password authentication broken in sssd-2.10.0~beta2-2 and later +- Resolves: RHEL-67669 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option +- Resolves: RHEL-68421 - sssd ldap_child process segfaults when krb5.conf is invalid [rhel-10] +- Resolves: RHEL-66935 - Avoid log flooding in case an app keeps making invalid `getservbyport(0, ...)` request +- Resolves: RHEL-65736 - ipa: sudo commands doesn't check threshold correctly +- Resolves: RHEL-68319 - Please deprecate/remove ad_allow_remote_domain_local_groups -* Fri Aug 9 2019 Michal Židek - 2.2.0-11 -- Resolves: rhbz#1733372 - permission denied on logs when running sssd as - non-root user +* Mon Oct 21 2024 Alexey Tikhonov - 2.10.0-3 +- Related: RHEL-59777 - Rebase Samba to the latest 4.21.x release -* Fri Aug 9 2019 Michal Židek - 2.2.0-10 -- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing - the trailing colon +* Tue Oct 15 2024 Alexey Tikhonov - 2.10.0-2 +- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0 -* Fri Aug 9 2019 Michal Židek - 2.2.0-9 -- Resolves: rhbz#1382750 - Conflicting default timeout values +* Tue Oct 15 2024 Alexey Tikhonov - 2.10.0-1 +- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0 +- Resolves: RHEL-56701 - sss_ssh_knownhosts is breaking ansible-pull +- Resolves: RHEL-55993 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not -* Fri Aug 2 2019 Michal Židek - 2.2.0-8 -- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder - repository - - This just required a raise in release number - and changelog for the record. 
+* Thu Aug 22 2024 Alexey Tikhonov - 2.10.0~beta2-3 +- Resolves: RHEL-50243 - Please install sssd-polkit-rules by default -* Fri Aug 2 2019 Michal Židek - 2.2.0-7 -- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is - not FIPS140 compliant +* Fri Aug 2 2024 Alexey Tikhonov - 2.10.0~beta2-2 +- Resolves: RHEL-51891 - [RHEL-10]logrotate.service fails to start because /var/log/sssd has insecure permission +- Resolves: RHEL-52400 - SYSDB: remove index on dataExpireTimestamp [rhel-10] +- Resolves: RHEL-50243 - Please install sssd-polkit-rules by default -* Fri Aug 2 2019 Michal Židek - 2.2.0-6 -- Resolves: rhbz#1726945 - negative cache does not use values from - 'filter_users' config option for known domains +* Wed Jun 26 2024 Alexey Tikhonov - 2.10.0~beta2-1 +- Resolves: RHEL-40253 - Rebase SSSD for RHEL 10-beta +- Resolves: RHEL-43259 - sudo does not work any more with krb ticket -* Thu Jul 25 2019 Jakub Hrozek - 2.2.0-5 -- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo +* Mon Jun 24 2024 Troy Dawson - 2.10.0~beta1-2 +- Bump release for June 2024 mass rebuild -* Thu Jul 25 2019 Jakub Hrozek - 2.2.0-4 -- Resolves: rhbz#1283798 - sssd failover does not work on connecting to - non-responsive ldaps:// server +* Thu Jun 6 2024 Alexey Tikhonov - 2.10.0~beta1-1 +- Resolves: RHEL-40253 - Rebase SSSD for RHEL 10-beta +- Resolves: RHEL-29303 - Issue discovered by static analyzer. 
+- Resolves: RHEL-11181 - sssd[4022110]: gencache_init: Failed to create directory: //.cache/samba - Permission denied
+- Resolves: RHEL-4986 - [RFE] sssd use systemd-sysusers
+- Resolves: RHEL-4974 - sssd status shows error "krb5_kt_start_seq_get failed: Permission denied" when running as unprivileged user 'sssd'
-* Wed Jul 3 2019 Jakub Hrozek - 2.2.0-3
-- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with
+* Thu Feb 22 2024 Troy Dawson - 2.9.4-6
+- Bump release to rebuild on correct samba
+
+* Fri Feb 16 2024 Stephen Gallagher - 2.9.4-5
+- Resolves: RHEL-25985 - FTBFS due to OpenSSL 3.2
+
+* Fri Feb 02 2024 Stephen Gallagher - 2.9.4-5
+- Restore i686 on Fedora ELN
+
+* Wed Jan 31 2024 Guenther Deschner - 2.9.4-4
+- Fix the build with Samba 4.20
+
+* Thu Jan 18 2024 Alexey Tikhonov - 2.9.4-3
+- Disable enumeration support for IPA and AD providers.
+ Deprecation was announced in F39 release notes:
+ https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/sysadmin/Security/#_support_for_the_enumeration_feature_has_been_deprecated_for_ad_and_ipa_backends
+ This is a backport of upstream patch:
+ https://github.com/SSSD/sssd/commit/9240bca7dcc28371ae5dce31c01e85d28409cd04
+
+* Mon Jan 15 2024 Colin Walters - 2.9.4-2
+- Scope ExcludeArch: ix86 to RHEL10+
+
+* Fri Jan 12 2024 Pavel Březina - 2.9.4-1
+- Rebase to SSSD 2.9.4
+- Files provider suport remove (rhbz#2253183)
+- i686 support removed (rhbz#2069738)
+
+* Wed Nov 15 2023 Pavel Březina - 2.9.3-1
+- Rebase to SSSD 2.9.3
+
+* Thu Nov 09 2023 Pavel Březina - 2.9.2-3
+- Fix "Obsoletes libsss_simpleifp"
+
+* Tue Oct 03 2023 Iker Pedrosa - 2.9.2-2
+- Fixes for passkey authentication
+
+* Thu Sep 07 2023 Pavel Březina - 2.9.2-1
+- Rebase to SSSD 2.9.2
+
+* Tue Aug 15 2023 Alexey Tikhonov - 2.9.1-4
+- Resolves sss_certmap_test fail
+
+* Sat Jul 22 2023 Fedora Release Engineering - 2.9.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jun 26 2023 Python Maint -
2.9.1-2
+- Rebuilt for Python 3.12
+
+* Mon Jun 26 2023 Pavel Březina - 2.9.1-1
+- Rebase to SSSD 2.9.1
+
+* Tue Jun 13 2023 Python Maint - 2.9.0-2
+- Rebuilt for Python 3.12
+
+* Fri May 5 2023 Pavel Březina - 2.9.0-1
+- Rebase to SSSD 2.9.0
+- SPDX migration
+
+* Thu Jan 26 2023 Stephen Gallagher - 2.8.2-4
+- Rebuild against libunistring 1.1
+
+* Sat Jan 21 2023 Fedora Release Engineering - 2.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jan 20 2023 Alexey Tikhonov - 2.8.2-2
+- Rebuild against Samba 4.18rc1
+
+* Fri Dec 9 2022 Pavel Březina - 2.8.2-1
+- Rebase to SSSD 2.8.2
+
+* Fri Nov 4 2022 Pavel Březina - 2.8.1-1
+- Rebase to SSSD 2.8.1
+
+* Mon Oct 24 2022 Pavel Březina - 2.8.0-2
+- Fix regression, syslog is no longer spammed when no SSSD domain is configured (#2133437)
+
+* Fri Oct 7 2022 Pavel Březina - 2.8.0-1
+- Rebase to SSSD 2.8.0
+
+* Fri Aug 26 2022 Pavel Březina - 2.7.4-1
+- Rebase to SSSD 2.7.4
+
+* Tue Aug 09 2022 Adam Williamson - 2.7.3-3
+- Rebuild against new libndr
+
+* Sat Jul 23 2022 Fedora Release Engineering - 2.7.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jul 4 2022 Pavel Březina - 2.7.3-1
+- Rebase to SSSD 2.7.3
+
+* Wed Jun 15 2022 Python Maint - 2.7.1-3
+- Rebuilt for Python 3.11
+
+* Thu Jun 9 2022 Pavel Březina - 2.7.1-2
+- Fix regression in IPA provider (#2094685)
+
+* Thu Jun 2 2022 Pavel Březina - 2.7.1-1
+- Rebase to SSSD 2.7.1
+
+* Thu Apr 14 2022 Pavel Březina - 2.7.0-1
+- Rebase to SSSD 2.7.0
+
+* Tue Jan 25 2022 Pavel Březina - 2.6.3-1
+- Rebase to SSSD 2.6.3
+
+* Sat Jan 22 2022 Fedora Release Engineering - 2.6.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Jan 04 2022 Iker Pedrosa - 2.6.2-2
+- Fix IPA reply socket of selinux_child
+
+* Thu Dec 23 2021 Iker Pedrosa - 2.6.2-1
+- Rebase to SSSD 2.6.2
+
+* Tue Nov 09 2021 Pavel Březina - 2.6.1-1
+- Rebase to SSSD 2.6.1
+
+* Mon Nov 01 2021 Pavel Březina - 2.6.0-2
+-
Add additional patches on top of 2.6.0 +- Fix KCM upgrade from older releases +- Enable subid ranges + +* Thu Oct 14 2021 Pavel Březina - 2.6.0-1 +- Rebase to SSSD 2.6.0 + +* Tue Sep 21 2021 Iker Pedrosa - 2.5.2-7 +- Solve compilation problem with autoconf + +* Tue Sep 14 2021 Sahana Prasad - 2.5.2-6 +- Rebuilt with OpenSSL 3.0.0 + +* Mon Aug 16 2021 Pavel Březina - 2.5.2-5 +- Fix CVE-2021-3621 + +* Mon Aug 09 2021 Pavel Březina - 2.5.2-4 +- Disable running files provider by default +- Support subid ranges managed by FreeIPA + +* Fri Jul 23 2021 Fedora Release Engineering - 2.5.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jul 16 2021 Alexander Bokovoy - 2.5.2-2 +- Rebuild against Samba 4.15.0 RC1 + +* Tue Jul 13 2021 Pavel Březina - 2.5.2-1 +- Rebase to SSSD 2.5.2 + +* Thu Jun 24 2021 Pavel Březina - 2.5.1-2 +- Multiple small fixes to reduce size of log files with debug_backtrace on +- Fix a corner case bug in KCM renewals that makes user lookup in the daemon fail + +* Tue Jun 08 2021 Pavel Březina - 2.5.1-1 +- Rebase to SSSD 2.5.1 + +* Fri Jun 04 2021 Python Maint +- Rebuilt for Python 3.10 + +* Wed May 19 2021 Pavel Březina - 2.5.0-2 +- Fix regression in sssd-kcm when upgrading from 2.4.0 directly to 2.5.0 +- Return correct error code for unknown/unsupported operations in sssd-kcm + +* Mon May 10 2021 Pavel Březina - 2.5.0-1 +- Rebase to SSSD 2.5.0 + +* Thu Apr 8 2021 Iker Pedrosa - 2.4.2-5 +- Change configure to avoid errors with new autoconf version (rhbz#1943130) + +* Wed Mar 31 2021 Pavel Březina - 2.4.2-4 +- Add CAP_DAC_OVERRIDE to ifp service file if required by build configuration + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2.4.2-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. 
+ +* Fri Feb 19 2021 Pavel Březina - 2.4.2-2 +- Remove setuid from child binaries and relax requirement on python3-sssdconfig + +* Fri Feb 19 2021 Pavel Březina - 2.4.2-1 +- Rebase to SSSD 2.4.2 + +* Fri Feb 5 2021 Pavel Březina - 2.4.1-1 +- Rebase to SSSD 2.4.1 + +* Wed Jan 27 2021 Fedora Release Engineering - 2.4.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Dec 11 2020 Pavel Březina - 2.4.0-6 +- Improve sssd-kcm performance, fix upgrade with existing credentials (rhbz#1645624) + +* Mon Dec 7 2020 Pavel Březina - 2.4.0-5 +- Improve sssd-kcm performance (rhbz#1645624) + +* Mon Nov 30 2020 Stephen Gallagher - 2.4.0-4 +- Rebuild for Fedora ELN + +* Tue Nov 3 2020 Petr Lautrbach - 2.4.0-3 +- Rebuild with libsemanage.so.2 + +* Mon Oct 12 2020 Pavel Březina - 2.4.0-2 +- Remove old patches + +* Mon Oct 12 2020 Pavel Březina - 2.4.0-1 +- Rebase to SSSD 2.4.0 + +* Tue Jul 28 2020 Pavel Březina - 2.3.1-4 +- Actually include 2.3.1 source + +* Tue Jul 28 2020 Pavel Březina - 2.3.1-3 +- Fix test compilation with check-0.15 + +* Mon Jul 27 2020 Pavel Březina - 2.3.1-2 +- Use correct run dir (RHBZ#1557622) + +* Fri Jul 24 2020 Pavel Březina - 2.3.1-1 +- Rebase to SSSD 2.3.1 + +* Fri Jul 24 2020 Merlin Mathesius - 2.3.0-5 +- Minor ELN conditional fix + +* Tue Jul 14 2020 Tom Stellard - 2.3.0-4 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Wed Jul 1 2020 Jeff Law +- Disable LTO + +* Fri Jun 19 2020 Peter Jones +- Fix github url typo + +* Tue May 26 2020 Miro Hrončok - 2.3.0-2 +- Rebuilt for Python 3.9 + +* Wed May 20 2020 Pavel Březina - 2.3.0-1 +- Rebase to SSSD 2.3.0 + +* Fri Feb 28 2020 Michal Židek - 2.2.3-14 +- Resolves: rhbz#1800567 - sssd fail to build in Fedora rawhide + +* Wed Feb 26 2020 Michal Židek - 2.2.3-13 +- Resolves: upstream#4159 - p11_child should have an option to skip + C_WaitForSlotEvent if the PKCS#11 module does not + implement it properly + +* Wed Feb 26 2020 Michal Židek - 
2.2.3-12 +- Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in + `sss_ptr_hash_delete_cb()` + +* Wed Feb 26 2020 Michal Židek - 2.2.3-11 +- Resolves: upstream#4118 - sssd requires timed sudoers ldap entries to be + specified up to the seconds + +* Wed Feb 26 2020 Michal Židek - 2.2.3-11 +- Add sssd-dbus package as a dependency of sssd-tools + +* Wed Feb 26 2020 Michal Židek - 2.2.3-10 +- Resolves: upstream#4142 - sssd_be frequent crash + +* Wed Feb 26 2020 Michal Židek - 2.2.3-9 +- Resolves: upstream#4131 Force LDAPS over 636 with AD Provider + +* Wed Feb 26 2020 Michal Židek - 2.2.3-8 +- Resolves: upstream#3630 - Randomize ldap_connection_expire_timeout either + by default or w/ a configure option + +* Wed Feb 26 2020 Michal Židek - 2.2.3-7 +- Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in + `sss_ptr_hash_delete_cb()` +* Wed Feb 26 2020 Michal Židek - 2.2.3-6 +- Resolves: upstream#4088 - server/be: SIGTERM handling is incorrect + +* Wed Feb 26 2020 Michal Židek - 2.2.3-5 +- Resolves: upstream##4089 Watchdog implementation or usage is incorrect + +* Wed Feb 26 2020 Michal Židek - 2.2.3-4 +- Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized + +* Wed Feb 26 2020 Michal Židek - 2.2.3-3 +- Resolves: upstream#4127 - [Doc]Provide explanation on escape character for + match rules sss-certmap + +* Wed Feb 26 2020 Michal Židek - 2.2.3-2 +- Resolves: upstream#4129 - sssctl config-check command does not give proper + error messages with line numbers + +* Wed Feb 26 2020 Michal Židek - 2.2.3-1 +- Update to latest released upstream version +- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_3.htm + +* Fri Jan 31 2020 Fedora Release Engineering - 2.2.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 24 2020 Stephen Gallagher - 2.2.2-5 +- Fix build against samba-4.12.0rc1 + +* Fri Jan 24 2020 Mohan Boddu - 2.2.2-4 +- Rebuild for samba-4.12.0rc1 + +* Tue Oct 22 2019 
Adam Williamson - 2.2.2-3 +- Resolves: rhbz#1755643 - Upgrade to sssd 2.2.2-1.fc30 breaks setting + up FreeIPA replica in containers + +* Tue Oct 22 2019 Adam Williamson - 2.2.2-2 +- Resolves: rhbz#1757224 - Tickets act like they're expiring prematurely + when using KCM cache + +* Wed Sep 11 2019 Michal Židek - 2.2.2-1 +- Update to latest released upstream version +- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_2.html +- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_1.html + +* Mon Aug 26 2019 Stephen Gallagher - 2.2.0-6 +- Rebuilding for libldb 2.0.5 + +* Mon Aug 19 2019 Miro Hrončok - 2.2.0-5 +- Rebuilt for Python 3.8 + +* Sat Jul 27 2019 Fedora Release Engineering - 2.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jul 5 2019 Jakub Hrozek - 2.2.0-3 +- Resolves: rhbz#1721636 - sssd-kcm calls sssd-genconf which triggers + nscd warning + +* Fri Jul 5 2019 Jakub Hrozek - 2.2.0-2 +- Resolves: rhbz#1724717 - sssd-proxy crashes resolving groups with no members -* Wed Jul 3 2019 Jakub Hrozek - 2.2.0-2 -- Resolves: rhbz#1673443 - sssd man pages: The default value of - "ldap_user_home_directory" is not mentioned - with AD server configuration +* Mon Jun 17 2019 Michal Židek - 2.2.0-1 +- Update to latest released upstream version +- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_0.html -* Fri Jun 14 2019 Michal Židek - 2.2.0-1 -- Resolves: rhbz#1687281 - Rebase sssd in RHEL-8.1 to the latest upstream release +* Wed Mar 27 2019 Michal Židek - 2.1.0-2 +- Resolves: upstream#3867 - [RFE] Need an option in SSSD so that it will skip + GPOs that have groupPolicyContainers unreadable + by SSSD. 
+- CVE-2018-16838 -* Wed Jun 12 2019 Michal Židek - 2.1.0-1 -- Resolves: rhbz#1687281 - Rebase sssd in RHEL-8.1 to the latest upstream release +* Wed Mar 27 2019 Michal Židek - 2.1.0-1 +- Update to latest released upstream version +- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_1_0.html -* Thu May 30 2019 Michal Židek - 2.0.0-45 -- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is - done here in order to unblock gating changes before rebase. -- Related: rhbz#1682305 +* Wed Feb 13 2019 Sinny Kumari - 2.0.0-9 +- Resolves: rhbz#1667444 - sssd: make python3-sssdconfig as suggest -* Sun Feb 10 2019 Jakub Hrozek - 2.0.0-43 -- Resolves: rhbz#1672780 - gdm login not prompting for username when smart - card maps to multiple users +* Wed Feb 13 2019 Adam Williamson - 2.0.0-8 +- Resolves: rhbz#1676946 - startup fail with status NOTIMPLEMENTED -* Fri Feb 08 2019 Michal Židek - 2.0.0-42 -- Resolves: rhbz#1645291 - Perform some basic ccache initialization as part - of gen_new to avoid a subsequent switch call - failure +* Sun Feb 03 2019 Fedora Release Engineering - 2.0.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild -* Thu Feb 07 2019 Michal Židek - 2.0.0-41 --Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong - subdomain service name being used +* Wed Dec 12 2018 Adam Williamson - 2.0.0-6 +- Resolves: rhbz#1654537 - sbus: use 120 second default timeout +- Backport two other patches from master to fix build with recent krb5 -* Thu Feb 07 2019 Michal Židek - 2.0.0-40 --Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. 
- UnknownProperty: Unknown property +* Wed Nov 07 2018 Michal Židek - 2.0.0-5 +- Resolves: rhbz#1629737 - sssd: Remove python2 (sub)packages from Fedora 30+ -* Thu Feb 07 2019 Michal Židek - 2.0.0-39 -- Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than - 1.x, this can result in time outs +* Wed Aug 29 2018 Michal Židek - 2.0.0-4 +- Resolves: upstream#3821 - crash related to sbus_router_destructor() +- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref +- Resolves: upstream#3819 - sssd only sets the SELinux login context if it + differs from the default +- Resolves: upstream#3807 - The sbus codegen script relies on "python" which + might not be available on all distributions +- Resolves: upstream#3820 - sudo: search with lower cased name for case + insensitive domains +- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from + an allow-any default to a deny-any default when it + can't find any GPOs to apply to a user login. 
+- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort + startup +- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 + also for local account authentication +- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup +- Resolves: upstream#3826 - Remove references of sss_user/group/add/del + commands in man pages since local provider is + deprecated +- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not + started due to a misconfiguration +- Resolves: upstream#3830 - Printing incorrect information about domain with + sssctl utility +- Resolves: upstream#3489 - p11_child should work wit openssl1.0+ +- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary + changes in nsswitch.conf +- Resovles: upstream#3650 - RFE: Require smartcard authentication +- Resolves: upstream#3334 - sssctl config-check does not check any special + characters in domain name of domain section +- Resolves: upstream#3849 - Files: The files provider always enumerates + which causes duplicate when running getent passwd +- Related: upstream#3855 - session not recording for local user when groups + defined +- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb +- Related: upstream#3493 - Remove the pysss.local interface -* Mon Jan 14 2019 Michal Židek - 2.0.0-38 -- Resolves: rhbz#1578014 - sssd does not work under non-root user -- Note: Actually the patches were in the 2.0.0-37, this one just adds this - changelog because it was missing. 
+* Wed Aug 29 2018 Michal Židek - 2.0.0-3 +- Resolves: rhbz#1622760 - Console login as FreeIPA domain user fails in + current Fedora Rawhide / 29 -* Fri Jan 11 2019 Michal Židek - 2.0.0-36 -- Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss - suggests using * for backend sss +* Wed Aug 29 2018 Michal Židek - 2.0.0-2 +- Fix linking issues -* Fri Jan 11 2019 Michal Židek - 2.0.0-35 -- Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist +* Tue Aug 14 2018 Michal Židek - 2.0.0-1 +- New upstream release 2.0.0 -* Thu Jan 10 2019 Michal Židek - 2.0.0-34 -- Resolves: rhbz#1622008 - Error message when IPA server uninstall calls - kdestroy caused by KCM returning a wrong error - code during the delete operation +* Sat Jul 14 2018 Fedora Release Engineering - 1.16.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild -* Wed Jan 09 2019 Michal Židek - 2.0.0-33 -- Resolves: rhbz#1646113 - Missing concise documentation about valid options - for sssd-files-provider +* Mon Jul 02 2018 Miro Hrončok - 1.16.2-5 +- Rebuilt for Python 3.7 -* Mon Dec 17 2018 Michal Židek - 2.0.0-32 -- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc - and libtevent to avoid an issue in GPO processing +* Mon Jun 25 2018 Fabiano Fidêncio - 1.16.2-4 +- Related: upstream#941 - return multiple server addresses to the Kerberos + locator plugin +- Related: upstream#3652 - kdcinfo doesn't get populated for other domains +- Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD + closes its end of the pipe before reading all the + SSH keys +- Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully +- Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes + stored in AD GC also for regular AD DC queries +- Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being + able to consume an @-sign in the user/group name. 
+- Resolves: upstream#3766 - CVE-2018-10852: information leak from the sssd-sudo + responder -* Sun Dec 16 2018 Michal Židek - 2.0.0-31 -- Resolves: 1658813 - PKINIT with KCM does not work +* Thu Jun 21 2018 Fabiano Fidêncio - 1.16.2-3 +- Resolves: rhbz#1591804 - something keeps /lib/libnss_systemd.so.2 open on + minimal appliance image, breaking composes -* Sun Dec 16 2018 Michal Židek - 2.0.0-30 -- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to - retrieve AD users through IPA Trust +* Tue Jun 19 2018 Miro Hrončok - 1.16.2-2 +- Rebuilt for Python 3.7 -* Sun Dec 16 2018 Michal Židek - 2.0.0-29 -- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): - /usr/libexec/sssd/proxy_child killed by 6 +* Mon Jun 11 2018 Fabiano Fidêncio - 1.16.2-1 +- New upstream release 1.16.2 +- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html -* Sun Dec 16 2018 Michal Židek - 2.0.0-28 -- Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for emtpy home directories +* Thu May 24 2018 Fabiano Fidêncio - 1.16.1-9 +- Related: upstream#3742 - Change of: User may not run sudo --> a password is + required -* Tue Dec 11 2018 Michal Židek - 2.0.0-27 -- Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work - if ID provider is authenticated with GSSAPI +* Thu May 17 2018 Fabiano Fidêncio - 1.16.1-8 +- Revert 589d1a48 as the builders are back to f27 -* Tue Dec 11 2018 Michal Židek - 2.0.0-26 -- Resolves: rhbz#1657980 - sssd_nss memory leak +* Wed May 16 2018 Fabiano Fidêncio - 1.16.1-7 +- Related: upstream#3436 - Certificates used in unit tests have limited + lifetime +- Add: "ExcludeArch: armv7hl" -* Tue Dec 11 2018 Michal Židek - 2.0.0-25 -- Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly - for D-bus, resulting in a crash +* Mon May 14 2018 Fabiano Fidêncio - 1.16.1-6 +- Related: upstream#3436 - Add openssl, openssh and nss-tools as BuildRequires -* Tue Dec 04 2018 Michal Židek - 2.0.0-24 -- Resolves: 
rhbz#1646168 - sssctl access-report always prints an error message -- Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the - configuration without having to restart the whole - sssd -- Resolves: rhbz#1640576 - sssctl reports incorrect information about local - user's cache entry expiration time -- Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user -- Resolves: rhbz#1639411 - sssd support for for smartcards using ECC keys +* Mon May 14 2018 Fabiano Fidêncio - 1.16.1-5 +- Related: upstream#3436 - Certificates used in unit tests have limited + lifetime +- Resolves: upstream#3725 - sssd not honoring dyndns_server if the DNS update + process is terminated with a signal +- Resolves: upstream#3726 - SSSD with ID provider 'ad' should give a warning + in case the ldap schema is manually changed to + something different than 'ad'. +- Related: upstream#2653 - Group renaming issue when "id_provider = ldap" is + set. +- Resolves: upstream#3719 - The SSSD IPA provider allocates information about + external groups on a long lived memory context, + causing memory growth of the sssd_be process +- Resolves: upstream#3728 - Request by ID outside the min_id/max_id limit of a + first domain does not reach the second domain +- Resolves: upstream#3731 - nss_clear_netgroup_hash_table(): only remove + entries from the hash table, do not free them +- Resolves: upstream#3595 - ID override GID from Default Trust View is not + properly resolved in case domain resolution order + is set -* Thu Oct 25 2018 Jakub Hrozek - 2.0.0-23 -- Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui - with smart card - -* Wed Oct 24 2018 Jakub Hrozek - 2.0.0-22 -- Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA - -* Tue Oct 16 2018 Jakub Hrozek - 2.0.0-21 -- Related: rhbz#1638150 - session not recording for local user when groups defined -- Also add silence a Coverity warning, which is related to 
rhbz#1637131 - -* Mon Oct 15 2018 Jakub Hrozek - 2.0.0-20 -- Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules - -* Mon Oct 15 2018 Jakub Hrozek - 2.0.0-19 -- Add OSCP checks for p11_child -- Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local - users - -* Mon Oct 15 2018 Jakub Hrozek - 2.0.0-18 -- Related: rhbz#1638006 - Files: The files provider always enumerates - which causes duplicate when running getent passwd - -* Thu Oct 11 2018 Jakub Hrozek - 2.0.0-17 -- Related: rhbz#1637131 - pam_unix unable to match fully qualified username - provided by sssd during smartcard auth using gdm - -* Thu Oct 11 2018 Jakub Hrozek - 2.0.0-16 -- Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a - PKCS#11 URI - -* Thu Oct 11 2018 Jakub Hrozek - 2.0.0-15 -- Related: rhbz#1611011 - Support for "require smartcard for login option" - -* Thu Oct 11 2018 Jakub Hrozek - 2.0.0-14 -- Related: rhbz#1635595 - Cant login with smartcard with multiple certs - -* Thu Oct 11 2018 Jakub Hrozek - 2.0.0-13 -- Backport more sbus2 fixes -- Related: rhbz#1623878 - crash related to sbus_router_destructor() - -* Wed Oct 10 2018 Jakub Hrozek - 2.0.0-12 -- Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD - -* Wed Oct 3 2018 Jakub Hrozek - 2.0.0-11 -- Resolves: rhbz#1628122 - Printing incorrect information about domain - with sssctl utility - -* Wed Oct 3 2018 Jakub Hrozek - 2.0.0-10 -- Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not - started due to a misconfiguration - -* Wed Oct 3 2018 Jakub Hrozek - 2.0.0-9 -- Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del - commands in man pages since local provider - is deprecated - -* Wed Oct 3 2018 Jakub Hrozek - 2.0.0-8 -- Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): - /usr/libexec/sssd/sssd_be killed by 11 crash - func _dbus_list_unlink - -* Wed Oct 3 2018 Jakub Hrozek - 2.0.0-7 -- Resolves: rhbz#1628503 - sssd only sets 
the SELinux login context if it - differs from the default - -* Wed Sep 26 2018 Jakub Hrozek - 2.0.0-6 -- Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup - -* Tue Sep 25 2018 Jakub Hrozek - 2.0.0-5 -- Resolves: rhbz#1615590 - Do not rely on "python" for el8 - -* Tue Sep 25 2018 Jakub Hrozek - 2.0.0-4 -- Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local - users - -* Tue Sep 11 2018 Jakub Hrozek - 2.0.0-3 -- Resolves: rhbz#1623878 - crash related to sbus_router_destructor() - -* Thu Aug 30 2018 Jakub Hrozek - 2.0.0-2 -- Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication - fails with the KCM ccache - -* Mon Aug 13 2018 Fabiano Fidêncio - 2.0.0-1 -- Resolves: rhbz#1615460 - Rebase SSSD to the latest released version - -* Tue Jul 03 2018 Tomas Orsava - 1.16.2-2 -- Switch hardcoded python3 shebangs into the %%{__python3} macro - -* Thu Jun 14 2018 Fabiano Fidêncio - 1.16.2-1 -- Update to 1.16.2 release -- Cleanup unused global definitions -- Remove python2 references from the spec file -- Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x +* Sat May 05 2018 Fabiano Fidêncio - 1.16.1-4 +- Resolves: rhbz#1574778 - sssd fails to download known_hosts from freeipa * Fri Apr 27 2018 Fabiano Fidêncio - 1.16.1-3 - Resolves: upstream#3684 - A group is not updated if its member is removed @@ -1957,6 +1686,7 @@ fi - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal] +- Add gcc to build dependencies * Fri Mar 30 2018 Fabiano Fidêncio - 1.16.1-2 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain diff --git a/sssd.sysusers b/sssd.sysusers new file mode 100644 index 0000000..ee8a05d --- /dev/null +++ b/sssd.sysusers @@ -0,0 +1 @@ +u sssd - "User for sssd" /run/sssd/ /sbin/nologin
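Review bot: The home directory `/run/sssd/` in the new `u sssd - "User for sssd" /run/sssd/ /sbin/nologin` line is on a volatile tmpfs, and systemd-sysusers only records the path in the account entry; it does not create the directory. Unless a tmpfiles.d fragment (not part of this chunk) creates `/run/sssd` owned by `sssd` at boot, the first `$HOME`-relative write after a reboot can still fail, which would look like the `gencache_init: Failed to create directory` symptom this changelog cites as resolved. Worth confirming the spec ships a matching tmpfiles entry, or pointing the home at a persistent directory the package already owns. The `-` UID field means the system UID is allocated dynamically rather than pinned, so ownership of files left by a previous install should be checked by whatever scriptlet creates the user; that scriptlet is outside this chunk.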