import CS sssd-2.9.8-1.el9

This commit is contained in:
AlmaLinux RelEng Bot 2026-03-30 11:06:30 -04:00
parent fd6b23abaf
commit 7f70201784
5 changed files with 17 additions and 152 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/sssd-2.9.7.tar.gz
SOURCES/sssd-2.9.8.tar.gz


@ -1 +1 @@
b8c9deadb0f0a9b0afdea1dcfc3f0f955f8a7f64 SOURCES/sssd-2.9.7.tar.gz
e75ee2920ca2856f0dedb51681cbed340f916db3 SOURCES/sssd-2.9.8.tar.gz

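--- a/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
+++ b/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
@@ -1,42 +0,0 @@
-From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 18 Jun 2025 14:30:57 +0200
-Subject: [PATCH 3/4] authtok: add IS_PW_OR_ST_AUTHTOK()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-This patch adds a helper macro to determine if an authtok struct is of
-type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
-useful if a password is expected but an authentication token forwarded
-by an different PAM module, which is most probably a password, can be
-used as well.
-Resolves: https://github.com/SSSD/sssd/issues/7968
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
----
-src/util/authtok.h | 4 ++++
-1 file changed, 4 insertions(+)
-diff --git a/src/util/authtok.h b/src/util/authtok.h
-index b58e9dbbd..acabb7078 100644
---- a/src/util/authtok.h
-+++ b/src/util/authtok.h
-@@ -28,6 +28,10 @@
-sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
-|| sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
-+#define IS_PW_OR_ST_AUTHTOK(tok) ( \
-+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
-+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
-+
-/* Use sss_authtok_* accessor functions instead of struct sss_auth_token
-*/
---
-2.50.0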

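--- a/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
+++ b/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
@@ -1,104 +0,0 @@
-From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 10 Jun 2025 14:22:19 +0200
-Subject: [PATCH 4/4] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
-handle credentials forwarded by other PAM modules. Before it was
-unconditionally assumed that it is a password and hence
-SSS_AUTHTOK_TYPE_PASSWORD was used.
-When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
-already handled but currently offline use-cases fail because here only
-SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
-SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
-credentials as well.
-Resolves: https://github.com/SSSD/sssd/issues/7968
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
----
-src/providers/krb5/krb5_auth.c | 11 +++++++----
-src/providers/krb5/krb5_child.c | 4 ++++
-.../krb5/krb5_delayed_online_authentication.c | 2 +-
-src/responder/pam/pamsrv_cmd.c | 1 +
-4 files changed, 13 insertions(+), 5 deletions(-)
-diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
-index 07e4d807f..fb2f58869 100644
---- a/src/providers/krb5/krb5_auth.c
-+++ b/src/providers/krb5/krb5_auth.c
-@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
-domain->cache_credentials_min_ff_length);
-ret = EINVAL;
-}
-- } else if (sss_authtok_get_type(pd->authtok) ==
-- SSS_AUTHTOK_TYPE_PASSWORD) {
-+ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
-+ /* At this point we can be sure that
-+ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
-+ * krb5_auth_store_creds() is not called if 2FA/otp was used,
-+ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
-+ */
-ret = sss_authtok_get_password(pd->authtok, &password, NULL);
-} else {
-DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
-@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
-if (kr->is_offline) {
-if (dp_opt_get_bool(kr->krb5_ctx->opts,
-KRB5_STORE_PASSWORD_IF_OFFLINE)
-- && sss_authtok_get_type(pd->authtok)
-- == SSS_AUTHTOK_TYPE_PASSWORD) {
-+ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
-krb5_auth_cache_creds(state->kr->krb5_ctx,
-state->domain,
-state->be_ctx->cdb,
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index 5830305a0..21ec38627 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
-if (kerr != 0) {
-KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-+ if (kerr == EAGAIN) {
-+ kerr = KRB5_KDC_UNREACH;
-+ }
-+
-/* Special case for IPA password migration */
-if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
-&& kerr == KRB5_PREAUTH_FAILED
-diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
-index f88d8ab9b..1fac986a6 100644
---- a/src/providers/krb5/krb5_delayed_online_authentication.c
-+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
-@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
-return EINVAL;
-}
-- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-+ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
-DEBUG(SSSDBG_CRIT_FAILURE,
-"Invalid authtok for user [%s].\n", pd->user);
-return EINVAL;
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index d4cb421f4..c6a436069 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
-switch (sss_authtok_get_type(authtok)) {
-case SSS_AUTHTOK_TYPE_PASSWORD:
-+ case SSS_AUTHTOK_TYPE_PAM_STACKED:
-ret = sss_authtok_get_password(authtok, password, NULL);
-break;
-case SSS_AUTHTOK_TYPE_2FA:
---
-2.50.0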


@ -26,16 +26,14 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
Version: 2.9.7
Release: 4%{?dist}
Version: 2.9.8
Release: 1%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
Patch0002: 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
### Dependencies ###
@ -1085,6 +1083,19 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Thu Jan 22 2026 Tomas Halman <thalman@redhat.com> - 2.9.8-1
- Resolves: RHEL-143692 - SSSD Rebase for RHEL 9.8
- Resolves: RHEL-133967 - Remove SSSD option ipa_enable_dns_sites
- Resolves: RHEL-133469 - 'sssd_nss' hangs when looking up an object by ID that has expired cache entry and filtered out by name
- Resolves: RHEL-133006 - SSSD: change a default value of 'session_provider' sssd.conf option to 'none'
- Resolves: RHEL-132984 - sssd_be: segfault at 8 ip 00007f6fd25b2b90 sp 00007ffc02dfbae0 error 4 in libsss_ipa.so
- Resolves: RHEL-132506 - RFE: package LDAP provider support for subid ranges
- Resolves: RHEL-120297 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux
- Resolves: RHEL-87530 - AD user in external group is not cleared when expiring the cache
* Tue Sep 23 2025 Pavel Filipenský <pfilipen@redhat.com> - 2.9.7-5
- Related: RHEL-114548 - Rebase Samba to the latest 4.23.x release
* Thu Aug 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-4
- Related: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]
Patch used to fix this ticket causes a regression (RHEL-106987) and is being reverted.