From 742312a8a9010fd38004d9755ee2127a180e2601 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 8 Nov 2023 11:28:21 +0300 Subject: [PATCH] - Apply 0003-mc-recover-from-invalid-memory-cache-size.patch - Apply 0004-sss_iface-do-not-add-cli_id-to-chain-key.patch - Apply 0005-Accept-krb5-1.21-for-building-the-PAC-plugin.patch - Apply 0006-MC-a-couple-of-additions-to-recover-from-invalid-memory.patch --- ...cover-from-invalid-memory-cache-size.patch | 220 ++++++++++ ...iface-do-not-add-cli_id-to-chain-key.patch | 400 ++++++++++++++++++ ...rb5-1.21-for-building-the-PAC-plugin.patch | 28 ++ ...tions-to-recover-from-invalid-memory.patch | 332 +++++++++++++++ SPECS/sssd.spec | 22 +- 5 files changed, 996 insertions(+), 6 deletions(-) create mode 100644 SOURCES/0003-mc-recover-from-invalid-memory-cache-size.patch create mode 100644 SOURCES/0004-sss_iface-do-not-add-cli_id-to-chain-key.patch create mode 100644 SOURCES/0005-Accept-krb5-1.21-for-building-the-PAC-plugin.patch create mode 100644 SOURCES/0006-MC-a-couple-of-additions-to-recover-from-invalid-memory.patch diff --git a/SOURCES/0003-mc-recover-from-invalid-memory-cache-size.patch b/SOURCES/0003-mc-recover-from-invalid-memory-cache-size.patch new file mode 100644 index 0000000..583435c --- /dev/null +++ b/SOURCES/0003-mc-recover-from-invalid-memory-cache-size.patch @@ -0,0 +1,220 @@ +From 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 4 Aug 2023 12:19:49 +0200 +Subject: [PATCH] mc: recover from invalid memory cache size + +If we access the mmap file outside its boundaries a SIGBUS is raised. +We can now safely recover if the file has unexpected size. + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Sumit Bose +--- + src/responder/nss/nsssrv_mmap_cache.c | 86 +++++++++++++++++---- + src/sss_client/nss_mc_common.c | 42 +++++++--- + src/tests/system/tests/test_memory_cache.py | 36 ++++++++- + 3 files changed, 135 insertions(+), 29 deletions(-) + +diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c +index 12c2996596..bd814f3bc7 100644 +--- a/src/responder/nss/nsssrv_mmap_cache.c ++++ b/src/responder/nss/nsssrv_mmap_cache.c +@@ -722,6 +722,57 @@ static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc, + return EOK; + } + ++static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc) ++{ ++ struct sss_mc_ctx *mcc = *_mcc; ++ struct stat fdstat; ++ bool reinit = false; ++ errno_t ret; ++ ++ /* No mcc initialized? Memory cache may be disabled. */ ++ if (mcc == NULL || mcc->fd < 0) { ++ ret = EINVAL; ++ reinit = false; ++ goto done; ++ } ++ ++ if (fstat(mcc->fd, &fdstat) == -1) { ++ ret = errno; ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unable to stat memory cache [file=%s, fd=%d] [%d]: %s\n", ++ mcc->file, mcc->fd, ret, sss_strerror(ret)); ++ reinit = true; ++ goto done; ++ } ++ ++ if (fdstat.st_nlink == 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Memory cache file was removed\n"); ++ ret = ENOENT; ++ reinit = true; ++ goto done; ++ } ++ ++ if (fdstat.st_size != mcc->mmap_size) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Memory cache is corrupted, invalid size [file=%s, fd=%d, " ++ "expected_size=%zu, real_size=%zu]\n", ++ mcc->file, mcc->fd, mcc->mmap_size, fdstat.st_size); ++ ret = EINVAL; ++ reinit = true; ++ goto done; ++ } ++ ++ ret = EOK; ++ reinit = false; ++ ++done: ++ if (reinit) { ++ return sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, -1, -1, _mcc); ++ } ++ ++ return ret; ++} ++ + /*************************************************************************** + * passwd map + ***************************************************************************/ +@@ -744,9 +795,9 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + ret = snprintf(uidstr, 11, "%ld", (long)uid); +@@ -815,9 +866,9 @@ errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid) + char *uidstr; + errno_t ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + uidstr = talloc_asprintf(NULL, "%ld", (long)uid); +@@ -886,9 +937,9 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + ret = snprintf(gidstr, 11, "%ld", (long)gid); +@@ -953,9 +1004,9 @@ errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid) + char *gidstr; + errno_t ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + gidstr = talloc_asprintf(NULL, "%ld", (long)gid); +@@ -1018,9 +1069,9 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + /* array of gids + name + unique_name */ +@@ -1087,8 +1138,9 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc, + size_t rec_len; + int ret; + +- if (mcc == NULL) { +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + ret = snprintf(idkey, sizeof(idkey), "%d-%ld", +diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c +index 3128861bf3..e227c0bae3 100644 +--- a/src/sss_client/nss_mc_common.c ++++ b/src/sss_client/nss_mc_common.c +@@ -69,13 +69,43 @@ static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx) + #endif + } + ++static errno_t sss_nss_mc_validate(struct sss_cli_mc_ctx *ctx) ++{ ++ struct stat fdstat; ++ ++ /* No mc ctx initialized?*/ ++ if (ctx == NULL || ctx->fd < 0) { ++ return EINVAL; ++ } ++ ++ if (fstat(ctx->fd, &fdstat) == -1) { ++ return errno; ++ } ++ ++ /* Memcache was removed. */ ++ if (fdstat.st_nlink == 0) { ++ return ENOENT; ++ } ++ ++ /* Invalid size. */ ++ if (fdstat.st_size != ctx->mmap_size) { ++ return ERANGE; ++ } ++ ++ return EOK; ++} ++ + errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) + { + struct sss_mc_header h; + bool copy_ok; + int count; + int ret; +- struct stat fdstat; ++ ++ ret = sss_nss_mc_validate(ctx); ++ if (ret != EOK) { ++ return ret; ++ } + + /* retry barrier protected reading max 5 times then give up */ + for (count = 5; count > 0; count--) { +@@ -115,16 +145,6 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) + } + } + +- ret = fstat(ctx->fd, &fdstat); +- if (ret == -1) { +- return EIO; +- } +- +- if (fdstat.st_nlink == 0) { +- /* memory cache was removed; we need to reinitialize it. */ +- return EINVAL; +- } +- + return 0; + } diff --git a/SOURCES/0004-sss_iface-do-not-add-cli_id-to-chain-key.patch b/SOURCES/0004-sss_iface-do-not-add-cli_id-to-chain-key.patch new file mode 100644 index 0000000..3ef59b1 --- /dev/null +++ b/SOURCES/0004-sss_iface-do-not-add-cli_id-to-chain-key.patch @@ -0,0 +1,400 @@ +From 1e5dfc187c7659cca567d2f7d5592e72794ef13c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 4 Sep 2023 14:12:58 +0200 +Subject: [PATCH] sss_iface: do not add cli_id to chain key + +Otherwise we only chain identical requests from the same client +which effectively renders chaining not functional. + +Resolves: https://github.com/SSSD/sssd/issues/6911 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Justin Stephenson +--- + src/sss_iface/sbus_sss_client_async.c | 12 +++---- + src/sss_iface/sbus_sss_interface.h | 24 ++++++------- + src/sss_iface/sbus_sss_keygens.c | 50 +++++++++++++-------------- + src/sss_iface/sbus_sss_keygens.h | 10 +++--- + src/sss_iface/sss_iface.xml | 12 +++---- + 5 files changed, 54 insertions(+), 54 deletions(-) + +diff --git a/src/sss_iface/sbus_sss_client_async.c b/src/sss_iface/sbus_sss_client_async.c +index 042d1b7b34..5ca925283a 100644 +--- a/src/sss_iface/sbus_sss_client_async.c ++++ b/src/sss_iface/sbus_sss_client_async.c +@@ -1861,7 +1861,7 @@ sbus_call_dp_autofs_Enumerate_send + const char * arg_mapname, + uint32_t arg_cli_id) + { +- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2, ++ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1, + busname, object_path, "sssd.DataProvider.Autofs", "Enumerate", arg_dp_flags, arg_mapname, arg_cli_id); + } + +@@ -1883,7 +1883,7 @@ sbus_call_dp_autofs_GetEntry_send + const char * arg_entryname, + uint32_t arg_cli_id) + { +- return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2_3, ++ return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2, + busname, object_path, "sssd.DataProvider.Autofs", "GetEntry", arg_dp_flags, arg_mapname, arg_entryname, arg_cli_id); + } + +@@ -1904,7 +1904,7 @@ sbus_call_dp_autofs_GetMap_send + const char * arg_mapname, + uint32_t arg_cli_id) + { +- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2, ++ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1, + busname, object_path, "sssd.DataProvider.Autofs", "GetMap", arg_dp_flags, arg_mapname, arg_cli_id); + } + +@@ -2142,7 +2142,7 @@ sbus_call_dp_dp_getAccountDomain_send + const char * arg_filter, + uint32_t arg_cli_id) + { +- return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2_3, ++ return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2, + busname, object_path, "sssd.dataprovider", "getAccountDomain", arg_dp_flags, arg_entry_type, arg_filter, arg_cli_id); + } + +@@ -2170,7 +2170,7 @@ sbus_call_dp_dp_getAccountInfo_send + const char * arg_extra, + uint32_t arg_cli_id) + { +- return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4_5, ++ return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4, + busname, object_path, "sssd.dataprovider", "getAccountInfo", arg_dp_flags, arg_entry_type, arg_filter, arg_domain, arg_extra, arg_cli_id); + } + +@@ -2267,7 +2267,7 @@ sbus_call_dp_dp_resolverHandler_send + const char * arg_filter_value, + uint32_t arg_cli_id) + { +- return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3_4, ++ return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3, + busname, object_path, "sssd.dataprovider", "resolverHandler", arg_dp_flags, arg_entry_type, arg_filter_type, arg_filter_value, arg_cli_id); + } + +diff --git a/src/sss_iface/sbus_sss_interface.h b/src/sss_iface/sbus_sss_interface.h +index fc86c71d90..5b4d1c362a 100644 +--- a/src/sss_iface/sbus_sss_interface.h ++++ b/src/sss_iface/sbus_sss_interface.h +@@ -166,7 +166,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \ + NULL, \ + _sbus_sss_invoke_in_usu_out__send, \ +- _sbus_sss_key_usu_0_1_2, \ ++ _sbus_sss_key_usu_0_1, \ + (handler), (data)); \ + }) + +@@ -177,7 +177,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \ + NULL, \ + _sbus_sss_invoke_in_usu_out__send, \ +- _sbus_sss_key_usu_0_1_2, \ ++ _sbus_sss_key_usu_0_1, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -188,7 +188,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \ + NULL, \ + _sbus_sss_invoke_in_ussu_out__send, \ +- _sbus_sss_key_ussu_0_1_2_3, \ ++ _sbus_sss_key_ussu_0_1_2, \ + (handler), (data)); \ + }) + +@@ -199,7 +199,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \ + NULL, \ + _sbus_sss_invoke_in_ussu_out__send, \ +- _sbus_sss_key_ussu_0_1_2_3, \ ++ _sbus_sss_key_ussu_0_1_2, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -210,7 +210,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \ + NULL, \ + _sbus_sss_invoke_in_usu_out__send, \ +- _sbus_sss_key_usu_0_1_2, \ ++ _sbus_sss_key_usu_0_1, \ + (handler), (data)); \ + }) + +@@ -221,7 +221,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \ + NULL, \ + _sbus_sss_invoke_in_usu_out__send, \ +- _sbus_sss_key_usu_0_1_2, \ ++ _sbus_sss_key_usu_0_1, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -522,7 +522,7 @@ + &_sbus_sss_args_sssd_dataprovider_getAccountDomain, \ + NULL, \ + _sbus_sss_invoke_in_uusu_out_qus_send, \ +- _sbus_sss_key_uusu_0_1_2_3, \ ++ _sbus_sss_key_uusu_0_1_2, \ + (handler), (data)); \ + }) + +@@ -533,7 +533,7 @@ + &_sbus_sss_args_sssd_dataprovider_getAccountDomain, \ + NULL, \ + _sbus_sss_invoke_in_uusu_out_qus_send, \ +- _sbus_sss_key_uusu_0_1_2_3, \ ++ _sbus_sss_key_uusu_0_1_2, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -544,7 +544,7 @@ + &_sbus_sss_args_sssd_dataprovider_getAccountInfo, \ + NULL, \ + _sbus_sss_invoke_in_uusssu_out_qus_send, \ +- _sbus_sss_key_uusssu_0_1_2_3_4_5, \ ++ _sbus_sss_key_uusssu_0_1_2_3_4, \ + (handler), (data)); \ + }) + +@@ -555,7 +555,7 @@ + &_sbus_sss_args_sssd_dataprovider_getAccountInfo, \ + NULL, \ + _sbus_sss_invoke_in_uusssu_out_qus_send, \ +- _sbus_sss_key_uusssu_0_1_2_3_4_5, \ ++ _sbus_sss_key_uusssu_0_1_2_3_4, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -632,7 +632,7 @@ + &_sbus_sss_args_sssd_dataprovider_resolverHandler, \ + NULL, \ + _sbus_sss_invoke_in_uuusu_out_qus_send, \ +- _sbus_sss_key_uuusu_0_1_2_3_4, \ ++ _sbus_sss_key_uuusu_0_1_2_3, \ + (handler), (data)); \ + }) + +@@ -643,7 +643,7 @@ + &_sbus_sss_args_sssd_dataprovider_resolverHandler, \ + NULL, \ + _sbus_sss_invoke_in_uuusu_out_qus_send, \ +- _sbus_sss_key_uuusu_0_1_2_3_4, \ ++ _sbus_sss_key_uuusu_0_1_2_3, \ + (handler_send), (handler_recv), (data)); \ + }) + +diff --git a/src/sss_iface/sbus_sss_keygens.c b/src/sss_iface/sbus_sss_keygens.c +index 1bffc1360f..0bded60f83 100644 +--- a/src/sss_iface/sbus_sss_keygens.c ++++ b/src/sss_iface/sbus_sss_keygens.c +@@ -90,86 +90,86 @@ _sbus_sss_key_ussu_0_1 + } + + const char * +-_sbus_sss_key_ussu_0_1_2_3 ++_sbus_sss_key_ussu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_ussu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); ++ sbus_req->path, args->arg0, args->arg1, args->arg2); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); ++ sbus_req->path, args->arg0, args->arg1, args->arg2); + } + + const char * +-_sbus_sss_key_usu_0_1_2 ++_sbus_sss_key_usu_0_1 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_usu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2); ++ sbus_req->path, args->arg0, args->arg1); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2); ++ sbus_req->path, args->arg0, args->arg1); + } + + const char * +-_sbus_sss_key_uusssu_0_1_2_3_4_5 ++_sbus_sss_key_uusssu_0_1_2_3_4 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusssu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5); ++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5); ++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4); + } + + const char * +-_sbus_sss_key_uusu_0_1_2_3 ++_sbus_sss_key_uusu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); ++ sbus_req->path, args->arg0, args->arg1, args->arg2); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); ++ sbus_req->path, args->arg0, args->arg1, args->arg2); + } + + const char * +-_sbus_sss_key_uuusu_0_1_2_3_4 ++_sbus_sss_key_uuusu_0_1_2_3 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uuusu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4); ++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4); ++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); + } +diff --git a/src/sss_iface/sbus_sss_keygens.h b/src/sss_iface/sbus_sss_keygens.h +index 8f09b46de5..7e42c2c53f 100644 +--- a/src/sss_iface/sbus_sss_keygens.h ++++ b/src/sss_iface/sbus_sss_keygens.h +@@ -49,31 +49,31 @@ _sbus_sss_key_ussu_0_1 + struct _sbus_sss_invoker_args_ussu *args); + + const char * +-_sbus_sss_key_ussu_0_1_2_3 ++_sbus_sss_key_ussu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_ussu *args); + + const char * +-_sbus_sss_key_usu_0_1_2 ++_sbus_sss_key_usu_0_1 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_usu *args); + + const char * +-_sbus_sss_key_uusssu_0_1_2_3_4_5 ++_sbus_sss_key_uusssu_0_1_2_3_4 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusssu *args); + + const char * +-_sbus_sss_key_uusu_0_1_2_3 ++_sbus_sss_key_uusu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusu *args); + + const char * +-_sbus_sss_key_uuusu_0_1_2_3_4 ++_sbus_sss_key_uuusu_0_1_2_3 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uuusu *args); +diff --git a/src/sss_iface/sss_iface.xml b/src/sss_iface/sss_iface.xml +index 6709c4e48a..82c65aa0b8 100644 +--- a/src/sss_iface/sss_iface.xml ++++ b/src/sss_iface/sss_iface.xml +@@ -91,18 +91,18 @@ + + + +- ++ + + + + + +- ++ + + + + +- ++ + + + +@@ -133,7 +133,7 @@ + + + +- ++ + + + +@@ -150,7 +150,7 @@ + + + +- ++ + + + +@@ -159,7 +159,7 @@ + + + +- ++ + + + diff --git a/SOURCES/0005-Accept-krb5-1.21-for-building-the-PAC-plugin.patch b/SOURCES/0005-Accept-krb5-1.21-for-building-the-PAC-plugin.patch new file mode 100644 index 0000000..01aef9b --- /dev/null +++ b/SOURCES/0005-Accept-krb5-1.21-for-building-the-PAC-plugin.patch @@ -0,0 +1,28 @@ +From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Thu, 15 Jun 2023 12:05:03 +0200 +Subject: [PATCH] BUILD: Accept krb5 1.21 for building the PAC plugin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +--- + src/external/pac_responder.m4 | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4 +index 3cbe3c9cfb..90727185b5 100644 +--- a/src/external/pac_responder.m4 ++++ b/src/external/pac_responder.m4 +@@ -22,7 +22,8 @@ then + Kerberos\ 5\ release\ 1.17* | \ + Kerberos\ 5\ release\ 1.18* | \ + Kerberos\ 5\ release\ 1.19* | \ +- Kerberos\ 5\ release\ 1.20*) ++ Kerberos\ 5\ release\ 1.20* | \ ++ Kerberos\ 5\ release\ 1.21*) + krb5_version_ok=yes + AC_MSG_RESULT([yes]) + ;; diff --git a/SOURCES/0006-MC-a-couple-of-additions-to-recover-from-invalid-memory.patch b/SOURCES/0006-MC-a-couple-of-additions-to-recover-from-invalid-memory.patch new file mode 100644 index 0000000..cd79366 --- /dev/null +++ b/SOURCES/0006-MC-a-couple-of-additions-to-recover-from-invalid-memory.patch @@ -0,0 +1,332 @@ +From 88d8afbb115f18007dcc11f7ebac1b238c3ebd98 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 25 Sep 2023 12:36:09 +0200 +Subject: [PATCH] MC: a couple of additions to 'recover from invalid memory + cache size' patch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Additions to 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 : + + - handle all invalidations consistently + - supply a valid pointer to `sss_mmap_cache_validate_or_reinit()`, + not a pointer to a local var + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +--- + src/responder/nss/nss_get_object.c | 10 ++--- + src/responder/nss/nss_iface.c | 8 ++-- + src/responder/nss/nsssrv_mmap_cache.c | 64 ++++++++++++++++++--------- + src/responder/nss/nsssrv_mmap_cache.h | 10 ++--- + 4 files changed, 56 insertions(+), 36 deletions(-) + +diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c +index 5d62dd0985..29f9cb59b5 100644 +--- a/src/responder/nss/nss_get_object.c ++++ b/src/responder/nss/nss_get_object.c +@@ -34,13 +34,13 @@ memcache_delete_entry_by_name(struct sss_nss_ctx *nss_ctx, + + switch (type) { + case SSS_MC_PASSWD: +- ret = sss_mmap_cache_pw_invalidate(nss_ctx->pwd_mc_ctx, name); ++ ret = sss_mmap_cache_pw_invalidate(&nss_ctx->pwd_mc_ctx, name); + break; + case SSS_MC_GROUP: +- ret = sss_mmap_cache_gr_invalidate(nss_ctx->grp_mc_ctx, name); ++ ret = sss_mmap_cache_gr_invalidate(&nss_ctx->grp_mc_ctx, name); + break; + case SSS_MC_INITGROUPS: +- ret = sss_mmap_cache_initgr_invalidate(nss_ctx->initgr_mc_ctx, name); ++ ret = sss_mmap_cache_initgr_invalidate(&nss_ctx->initgr_mc_ctx, name); + break; + default: + return EINVAL; +@@ -66,10 +66,10 @@ memcache_delete_entry_by_id(struct sss_nss_ctx *nss_ctx, + + switch (type) { + case SSS_MC_PASSWD: +- ret = sss_mmap_cache_pw_invalidate_uid(nss_ctx->pwd_mc_ctx, (uid_t)id); ++ ret = sss_mmap_cache_pw_invalidate_uid(&nss_ctx->pwd_mc_ctx, (uid_t)id); + break; + case SSS_MC_GROUP: +- ret = sss_mmap_cache_gr_invalidate_gid(nss_ctx->grp_mc_ctx, (gid_t)id); ++ ret = sss_mmap_cache_gr_invalidate_gid(&nss_ctx->grp_mc_ctx, (gid_t)id); + break; + default: + return EINVAL; +diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c +index 07e91aa811..db743f8b7e 100644 +--- a/src/responder/nss/nss_iface.c ++++ b/src/responder/nss/nss_iface.c +@@ -78,7 +78,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx, + + if (ret == ENOENT || res->count == 0) { + /* The user is gone. Invalidate the mc record */ +- ret = sss_mmap_cache_pw_invalidate(nctx->pwd_mc_ctx, delete_name); ++ ret = sss_mmap_cache_pw_invalidate(&nctx->pwd_mc_ctx, delete_name); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal failure in memory cache code: %d [%s]\n", +@@ -125,7 +125,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx, + for (i = 0; i < gnum; i++) { + id = groups[i]; + +- ret = sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, id); ++ ret = sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, id); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal failure in memory cache code: %d [%s]\n", +@@ -134,7 +134,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx, + } + + to_sized_string(delete_name, fq_name); +- ret = sss_mmap_cache_initgr_invalidate(nctx->initgr_mc_ctx, ++ ret = sss_mmap_cache_initgr_invalidate(&nctx->initgr_mc_ctx, + delete_name); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, +@@ -208,7 +208,7 @@ sss_nss_memorycache_invalidate_group_by_id(TALLOC_CTX *mem_ctx, + DEBUG(SSSDBG_TRACE_LIBS, + "Invalidating group %u from memory cache\n", gid); + +- sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid); ++ sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, gid); + + return EOK; + } +diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c +index 90d12299a4..06f3d7a694 100644 +--- a/src/responder/nss/nsssrv_mmap_cache.c ++++ b/src/responder/nss/nsssrv_mmap_cache.c +@@ -701,16 +701,22 @@ static inline void sss_mmap_chain_in_rec(struct sss_mc_ctx *mcc, + * generic invalidation + ***************************************************************************/ + +-static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc, ++static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc); ++ ++static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *key) + { ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; ++ int ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); ++ if (ret != EOK) { ++ return ret; + } + ++ mcc = *_mcc; ++ + rec = sss_mc_find_record(mcc, key); + if (rec == NULL) { + /* nothing to invalidate */ +@@ -785,7 +791,7 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + const struct sized_string *homedir, + const struct sized_string *shell) + { +- struct sss_mc_ctx *mcc = *_mcc; ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; + struct sss_mc_pwd_data *data; + struct sized_string uidkey; +@@ -795,11 +801,13 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + ret = snprintf(uidstr, 11, "%ld", (long)uid); + if (ret > 10) { + return EINVAL; +@@ -851,14 +859,15 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + return EOK; + } + +-errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name) + { +- return sss_mmap_cache_invalidate(mcc, name); ++ return sss_mmap_cache_invalidate(_mcc, name); + } + +-errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid) ++errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx **_mcc, uid_t uid) + { ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec = NULL; + struct sss_mc_pwd_data *data; + uint32_t hash; +@@ -866,11 +875,13 @@ errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid) + char *uidstr; + errno_t ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + uidstr = talloc_asprintf(NULL, "%ld", (long)uid); + if (!uidstr) { + return ENOMEM; +@@ -927,7 +938,7 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + gid_t gid, size_t memnum, + const char *membuf, size_t memsize) + { +- struct sss_mc_ctx *mcc = *_mcc; ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; + struct sss_mc_grp_data *data; + struct sized_string gidkey; +@@ -937,11 +948,13 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + ret = snprintf(gidstr, 11, "%ld", (long)gid); + if (ret > 10) { + return EINVAL; +@@ -989,14 +1002,15 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + return EOK; + } + +-errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name) + { +- return sss_mmap_cache_invalidate(mcc, name); ++ return sss_mmap_cache_invalidate(_mcc, name); + } + +-errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid) ++errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx **_mcc, gid_t gid) + { ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec = NULL; + struct sss_mc_grp_data *data; + uint32_t hash; +@@ -1004,11 +1018,13 @@ errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid) + char *gidstr; + errno_t ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + gidstr = talloc_asprintf(NULL, "%ld", (long)gid); + if (!gidstr) { + return ENOMEM; +@@ -1061,7 +1077,7 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + uint32_t num_groups, + const uint8_t *gids_buf) + { +- struct sss_mc_ctx *mcc = *_mcc; ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; + struct sss_mc_initgr_data *data; + size_t data_len; +@@ -1069,11 +1085,13 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + /* array of gids + name + unique_name */ + data_len = num_groups * sizeof(uint32_t) + name->len + unique_name->len; + rec_len = sizeof(struct sss_mc_rec) + sizeof(struct sss_mc_initgr_data) +@@ -1119,10 +1137,10 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + return EOK; + } + +-errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name) + { +- return sss_mmap_cache_invalidate(mcc, name); ++ return sss_mmap_cache_invalidate(_mcc, name); + } + + errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc, +@@ -1131,18 +1149,20 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc, + uint32_t type, + bool explicit_lookup) + { +- struct sss_mc_ctx *mcc = *_mcc; ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; + struct sss_mc_sid_data *data; + char idkey[16]; + size_t rec_len; + int ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + ret = snprintf(idkey, sizeof(idkey), "%d-%ld", + (type == SSS_ID_TYPE_GID) ? SSS_ID_TYPE_GID : SSS_ID_TYPE_UID, + (long)id); +diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h +index 686b8e1b21..28ee5adb64 100644 +--- a/src/responder/nss/nsssrv_mmap_cache.h ++++ b/src/responder/nss/nsssrv_mmap_cache.h +@@ -63,17 +63,17 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc, + uint32_t type, /* enum sss_id_type*/ + bool explicit_lookup); /* false ~ by_id(), true ~ by_uid/gid() */ + +-errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name); + +-errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid); ++errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx **_mcc, uid_t uid); + +-errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name); + +-errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid); ++errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx **_mcc, gid_t gid); + +-errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name); + + errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx, diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index e2de904..0771514 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -27,7 +27,7 @@ Name: sssd Version: 2.9.1 -Release: 2%{?dist} +Release: 4%{?dist}.alma.1 Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ @@ -38,11 +38,15 @@ Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch # Patches were taken from: -# https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/26c81cdfa6fdda4aab69e0184839be0fb74ef73d -Patch0004: 0004-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch -Patch0005: 0005-sbus-arm-watchdog-for-sbus_connect_init_send.patch -# https://github.com/SSSD/sssd/commit/01d02794e02f051ea9a78cd63b30384de3e7c9b0 -Patch0006: 0006-sysdb-fix-string-comparison-when-checking-for-overrides.patch +# https://github.com/SSSD/sssd/commit/641e5f73d3bd5b3d32cafd551013d3bfd2a52732 +Patch0003: 0003-mc-recover-from-invalid-memory-cache-size.patch +# https://github.com/SSSD/sssd/commit/1e5dfc187c7659cca567d2f7d5592e72794ef13c +Patch0004: 0004-sss_iface-do-not-add-cli_id-to-chain-key.patch +# https://github.com/SSSD/sssd/commit/74d0f4538deb766592079b1abca0d949d6dea105 +Patch0005: 0005-Accept-krb5-1.21-for-building-the-PAC-plugin.patch +# https://github.com/SSSD/sssd/commit/88d8afbb115f18007dcc11f7ebac1b238c3ebd98 +Patch0006: 0006-MC-a-couple-of-additions-to-recover-from-invalid-memory.patch + ### Dependencies ### Requires: sssd-ad = %{version}-%{release} @@ -1068,6 +1072,12 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Wed Nov 08 2023 Eduard Abdullin - 2.9.1-4.alma.1 +- Apply 0003-mc-recover-from-invalid-memory-cache-size.patch +- Apply 0004-sss_iface-do-not-add-cli_id-to-chain-key.patch +- Apply 0005-Accept-krb5-1.21-for-building-the-PAC-plugin.patch +- Apply 0006-MC-a-couple-of-additions-to-recover-from-invalid-memory.patch + * Mon Jul 10 2023 Alexey Tikhonov - 2.9.1-2 - Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system