From 74225ac32871fc361b14108c48dd34b4ab6446bd Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 24 Jul 2024 13:41:24 +0300
Subject: [PATCH] - ad: refresh root domain when read directly
---
 ...fresh-root-domain-when-read-directly.patch | 77 +++++++++++++++++++
 SPECS/sssd.spec | 9 ++-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0016-ad-refresh-root-domain-when-read-directly.patch
diff --git a/SOURCES/0016-ad-refresh-root-domain-when-read-directly.patch b/SOURCES/0016-ad-refresh-root-domain-when-read-directly.patch
new file mode 100644
index 0000000..c7d7005
--- /dev/null
+++ b/SOURCES/0016-ad-refresh-root-domain-when-read-directly.patch
@@ -0,0 +1,77 @@
+From 0de6c33047ac7a2b5316ec5ec936d6b675671c53 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 1 Mar 2024 10:50:07 +0100
+Subject: [PATCH] ad: refresh root domain when read directly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the domain object of the forest root domain cannot be found in the
+LDAP tree of the local AD domain SSSD tries to read the request data
+from an LDAP server of the forest root domain directly. After reading
+this data the information is stored in the cache but currently the
+information about the domain store in memory is not updated with the
+additional data. As a result e.g. the domain SID is missing in this data
+and only becomes available after a restart where it is read from the
+cache.
+
+With this patch an unconditional refresh is triggered at the end of the
+fallback code path.
+
+Resolves: https://github.com/SSSD/sssd/issues/7250
+
+Reviewed-by: Dan Lavu
+Reviewed-by: Tomáš Halman
+---
+ src/providers/ad/ad_subdomains.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index a8d1892cc6..d8f3738ce9 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state {
+ static void ad_get_root_domain_done(struct tevent_req *subreq);
+ static void ad_check_root_domain_done(struct tevent_req *subreq);
+ static errno_t
+-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
+ 
+ struct tevent_req *
+ ad_check_domain_send(TALLOC_CTX *mem_ctx,
+@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
+ return;
+ }
+ 
+- ret = ad_get_root_domain_refresh(state);
++ ret = ad_get_root_domain_refresh(state, false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
+ }
+@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
+ 
+ state->reply_count = 1;
+ 
+- ret = ad_get_root_domain_refresh(state);
++ ret = ad_get_root_domain_refresh(state, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
+ }
+@@ -1697,7 +1697,7 @@ done:
+ }
+ 
+ static errno_t
+-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
+ {
+ struct sss_domain_info *root_domain;
+ bool has_changes;
+@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+ goto done;
+ }
+ 
+- if (has_changes) {
++ if (has_changes || refresh) {
+ ret = ad_subdom_reinit(state->sd_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index bc684b2..1cc544e 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -27,7 +27,7 @@
 
 Name: sssd
 Version: 2.9.4
-Release: 6%{?dist}
+Release: 6%{?dist}.1.alma.1
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
@@ -50,6 +50,10 @@
 Patch0013: 0013-pam-fix-storing-auth-types-for-offline-auth.patch
 Patch0014: 0014-ad-gpo-use-hash-to-store-intermediate-results.patch
 Patch0015: 0015-tests-Drop-extensions-from-openssl-command-if-there-.patch
+# Patches were taken from:
+# https://github.com/SSSD/sssd/commit/0de6c33047ac7a2b5316ec5ec936d6b675671c53
+Patch0016: 0016-ad-refresh-root-domain-when-read-directly.patch
+
 ### Dependencies ###
 Requires: sssd-ad = %{version}-%{release}
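Review bot: The new `bool refresh` parameter of `ad_get_root_domain_refresh()` is undocumented at both the prototype (the 1395 hunk) and the definition (the 1697 hunk), and nothing at the `if (has_changes || refresh)` site in the 1713 hunk says why an unconditional reinit is wanted there. I would add at the definition: `/* refresh: run ad_subdom_reinit() even when no change was detected; the direct-read fallback in ad_check_root_domain_done() passes true because the data it just stored in the cache is not yet reflected in the in-memory domain. */`, which also makes the `false`/`true` arguments at the two call sites self-explanatory. `has_changes` is computed above the 1713 hunk, and all three enclosing functions start and end outside the visible hunks, so whether the fallback path can reach the reinit with only partially populated state is something to confirm against the full functions rather than from this patch alone.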
@@ -1098,6 +1102,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Wed Jul 24 2024 Eduard Abdullin - 2.9.4-6.el9_4.1.alma.1
+- ad: refresh root domain when read directly
+
 * Thu Apr 18 2024 Alexey Tikhonov - 2.9.4-6
 - Resolves: RHEL-27209 - Race condition during authorization leads to GPO policies functioning inconsistently [rhel-9.4.0]