Merge branch 'c9' into a9
This commit is contained in:
commit
8a58df9b66
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/sssd-2.8.2.tar.gz
|
||||
SOURCES/sssd-2.9.1.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
|
||||
5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz
|
||||
|
||||
@ -1,158 +0,0 @@
|
||||
From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 8 Dec 2022 15:14:05 +0100
|
||||
Subject: [PATCH] ldap: update shadow last change in sysdb as well
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Otherwise pam can use the changed information whe id chaching is
|
||||
enabled, so next authentication that fits into the id timeout
|
||||
(5 seconds by default) will still sees the password as expired.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6477
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
|
||||
---
|
||||
src/db/sysdb.h | 4 ++++
|
||||
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
|
||||
src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
|
||||
3 files changed, 52 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index 7c666f5c4..06b44f5ba 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
|
||||
struct sysdb_attrs *attrs,
|
||||
int mod_op);
|
||||
|
||||
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
|
||||
+ const char *name,
|
||||
+ const char *attrname);
|
||||
+
|
||||
/* Replace group attrs */
|
||||
int sysdb_set_group_attr(struct sss_domain_info *domain,
|
||||
const char *name,
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 0d6f2d5cd..ed0df9872 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -1485,6 +1485,38 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
|
||||
+ const char *name,
|
||||
+ const char *attrname)
|
||||
+{
|
||||
+ struct sysdb_attrs *attrs;
|
||||
+ char *value;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ attrs = sysdb_new_attrs(NULL);
|
||||
+ if (attrs == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ /* The attribute contains number of days since the epoch */
|
||||
+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
|
||||
+ if (value == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_attrs_add_string(attrs, attrname, value);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(attrs);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/* =Replace-Attributes-On-Group=========================================== */
|
||||
|
||||
int sysdb_set_group_attr(struct sss_domain_info *domain,
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index 6404a9d3a..96b9d6df4 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
|
||||
struct pam_data *pd;
|
||||
struct sdap_handle *sh;
|
||||
char *dn;
|
||||
+ enum pwexpire pw_expire_type;
|
||||
};
|
||||
|
||||
static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
|
||||
@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
{
|
||||
struct sdap_pam_chpass_handler_state *state;
|
||||
struct tevent_req *req;
|
||||
- enum pwexpire pw_expire_type;
|
||||
void *pw_expire_data;
|
||||
size_t msg_len;
|
||||
uint8_t *msg;
|
||||
@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
|
||||
|
||||
ret = auth_recv(subreq, state, &state->sh, &state->dn,
|
||||
- &pw_expire_type, &pw_expire_data);
|
||||
+ &state->pw_expire_type, &pw_expire_data);
|
||||
talloc_free(subreq);
|
||||
|
||||
if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
|
||||
@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
}
|
||||
|
||||
if (ret == EOK) {
|
||||
- switch (pw_expire_type) {
|
||||
+ switch (state->pw_expire_type) {
|
||||
case PWEXPIRE_SHADOW:
|
||||
ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
|
||||
break;
|
||||
@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
break;
|
||||
default:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Unknown password expiration type %d.\n", pw_expire_type);
|
||||
+ "Unknown password expiration type %d.\n",
|
||||
+ state->pw_expire_type);
|
||||
state->pd->pam_status = PAM_SYSTEM_ERR;
|
||||
goto done;
|
||||
}
|
||||
@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
case ERR_PASSWORD_EXPIRED:
|
||||
DEBUG(SSSDBG_TRACE_LIBS,
|
||||
"user [%s] successfully authenticated.\n", state->dn);
|
||||
- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
|
||||
+ ret = sdap_pam_chpass_handler_change_step(state, req,
|
||||
+ state->pw_expire_type);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"sdap_pam_chpass_handler_change_step() failed.\n");
|
||||
@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
|
||||
|
||||
switch (ret) {
|
||||
case EOK:
|
||||
+ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
|
||||
+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
|
||||
+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
|
||||
+ if (ret != EOK) {
|
||||
+ state->pd->pam_status = PAM_SYSTEM_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
state->pd->pam_status = PAM_SUCCESS;
|
||||
break;
|
||||
case ERR_CHPASS_DENIED:
|
||||
--
|
||||
2.37.3
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
From 897ccf40b2e7ab30c3b8a3fb42584d1d5b8c4bb3 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 13 Jan 2023 18:58:05 +0100
|
||||
Subject: [PATCH] MAN: mention `attributes` in 'see also'
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit b631c3174a3f8f5c169e9507969015dd79fdfd80)
|
||||
---
|
||||
src/man/include/seealso.xml | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
|
||||
index 9999496fa..7f0bbe9df 100644
|
||||
--- a/src/man/include/seealso.xml
|
||||
+++ b/src/man/include/seealso.xml
|
||||
@@ -10,6 +10,9 @@
|
||||
<citerefentry>
|
||||
<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
|
||||
</citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sssd-ldap-attributes</refentrytitle><manvolnum>5</manvolnum>
|
||||
+ </citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
|
||||
</citerefentry>,
|
||||
--
|
||||
2.37.3
|
||||
|
||||
@ -1,90 +0,0 @@
|
||||
From 45a5630e0cfe95ab90bf4a7dd1b32f418c4c759e Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 23 Dec 2022 16:36:58 +0100
|
||||
Subject: [PATCH] SSS_CLIENT: delete key in lib destructor
|
||||
|
||||
pthread_key_delete() disables thread at-exit destructors.
|
||||
Otherwise an attempt to execute already unloaded `sss_at_thread_exit()`
|
||||
would trigger segfault.
|
||||
|
||||
This doesn't solve an issue with leaking on `dlclose()` FDs initialized in
|
||||
multiple threads, but better than crash.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6505
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 08ccd23fb2c831d6ea918a59b777a0073d414858)
|
||||
---
|
||||
src/sss_client/common.c | 24 +++++++++++++++++++-----
|
||||
1 file changed, 19 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index d762dff49..2c888faa9 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -27,6 +27,7 @@
|
||||
#include <nss.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <errno.h>
|
||||
+#include <stdatomic.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
@@ -63,7 +64,8 @@
|
||||
|
||||
#ifdef HAVE_PTHREAD_EXT
|
||||
static pthread_key_t sss_sd_key;
|
||||
-static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
|
||||
+static pthread_once_t sss_sd_key_init = PTHREAD_ONCE_INIT;
|
||||
+static atomic_bool sss_sd_key_initialized = false;
|
||||
static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
|
||||
static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
|
||||
#else
|
||||
@@ -71,9 +73,6 @@ static int sss_cli_sd = -1; /* the sss client socket descriptor */
|
||||
static struct stat sss_cli_sb; /* the sss client stat buffer */
|
||||
#endif
|
||||
|
||||
-#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
|
||||
-__attribute__((destructor))
|
||||
-#endif
|
||||
void sss_cli_close_socket(void)
|
||||
{
|
||||
if (sss_cli_sd != -1) {
|
||||
@@ -91,9 +90,24 @@ static void sss_at_thread_exit(void *v)
|
||||
static void init_sd_key(void)
|
||||
{
|
||||
pthread_key_create(&sss_sd_key, sss_at_thread_exit);
|
||||
+ sss_sd_key_initialized = true;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
|
||||
+__attribute__((destructor)) void sss_at_lib_unload(void)
|
||||
+{
|
||||
+#ifdef HAVE_PTHREAD_EXT
|
||||
+ if (sss_sd_key_initialized) {
|
||||
+ sss_sd_key_initialized = false;
|
||||
+ pthread_key_delete(sss_sd_key);
|
||||
+ }
|
||||
+#endif
|
||||
+ sss_cli_close_socket();
|
||||
}
|
||||
#endif
|
||||
|
||||
+
|
||||
/* Requests:
|
||||
*
|
||||
* byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
|
||||
@@ -572,7 +586,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
|
||||
}
|
||||
|
||||
#ifdef HAVE_PTHREAD_EXT
|
||||
- pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
|
||||
+ pthread_once(&sss_sd_key_init, init_sd_key); /* once for all threads */
|
||||
|
||||
/* It actually doesn't matter what value to set for a key.
|
||||
* The only important thing: key must be non-NULL to ensure
|
||||
--
|
||||
2.37.3
|
||||
|
||||
@ -1,36 +0,0 @@
|
||||
From 01d02794e02f051ea9a78cd63b30384de3e7c9b0 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 10 May 2023 10:27:08 +0200
|
||||
Subject: [PATCH] sysdb: fix string comparison when checking for overrides
|
||||
|
||||
When checking if the input group-name is the original name from AD or an
|
||||
overwritten one the comparison is currently done case sensitive. Since
|
||||
AD handles names case-insensitive and hence SSSD should do this as well
|
||||
this comparison might cause issues.
|
||||
|
||||
The patch replace the case sensitive comparison with a comparison with
|
||||
respects the case_sensitive of the domain the object is coming from.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6720
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
---
|
||||
src/db/sysdb_search.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
|
||||
index 7efd570e78..e4c53b8535 100644
|
||||
--- a/src/db/sysdb_search.c
|
||||
+++ b/src/db/sysdb_search.c
|
||||
@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
|
||||
res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
|
||||
|
||||
if (originalad_sanitized_name != NULL
|
||||
- && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
|
||||
+ && !sss_string_equal(domain->case_sensitive,
|
||||
+ originalad_sanitized_name,
|
||||
+ sanitized_name)) {
|
||||
fmt_filter = SYSDB_GRNAM_FILTER;
|
||||
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
|
||||
res = NULL;
|
||||
@ -26,17 +26,16 @@
|
||||
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
|
||||
|
||||
Name: sssd
|
||||
Version: 2.8.2
|
||||
Release: 3%{?dist}.alma
|
||||
Version: 2.9.1
|
||||
Release: 2%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://github.com/SSSD/sssd/
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
|
||||
Patch0002: 0002-MAN-mention-attributes-in-see-also.patch
|
||||
Patch0003: 0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
|
||||
Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
|
||||
Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch
|
||||
|
||||
# Patches were taken from:
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/26c81cdfa6fdda4aab69e0184839be0fb74ef73d
|
||||
@ -529,8 +528,9 @@ autoreconf -ivf
|
||||
--with-syslog=journald \
|
||||
--with-test-dir=/dev/shm \
|
||||
--with-subid \
|
||||
--with-files-provider \
|
||||
--with-libsifp \
|
||||
%if 0%{?fedora}
|
||||
--enable-files-domain \
|
||||
--disable-polkit-rules-path \
|
||||
%endif
|
||||
%{nil}
|
||||
@ -836,7 +836,7 @@ done
|
||||
%{_mandir}/man5/sssd-ifp.5*
|
||||
%{_unitdir}/sssd-ifp.service
|
||||
# InfoPipe DBus plumbing
|
||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
|
||||
|
||||
%files -n libsss_simpleifp
|
||||
@ -1068,10 +1068,38 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Thu Aug 03 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.8.2-3.alma
|
||||
- Apply 0004-watchdog-add-arm_watchdog-and-disarm_watchdog-calls
|
||||
0005-sbus-arm-watchdog-for-sbus_connect_init_send
|
||||
0006-sysdb-fix-string-comparison-when-checking-for-overrides patches
|
||||
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
|
||||
- Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system
|
||||
|
||||
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
|
||||
- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3
|
||||
- Resolves: rhbz#2196816 - [RHEL9] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
|
||||
- Resolves: rhbz#2162552 - sssd client caches old data after removing netgroup member on IDM
|
||||
- Resolves: rhbz#2189542 - [sssd] RHEL 9.3 Tier 0 Localization
|
||||
- Resolves: rhbz#2133854 - [RHEL9] In some cases when `sdap_add_incomplete_groups()` is called with `ignore_group_members = true`, groups should be treated as complete
|
||||
- Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
|
||||
|
||||
* Tue Jun 6 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-5
|
||||
- Related: rhbz#2190415 - Rebase Samba to the latest 4.18.x release
|
||||
Rebuild against rebased Samba libs.
|
||||
|
||||
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
|
||||
- Related: rhbz#2190415 - Rebase Samba to the latest 4.18.x release
|
||||
Rebuild against rebased Samba libs.
|
||||
|
||||
* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
|
||||
- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3
|
||||
|
||||
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
|
||||
- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3
|
||||
- Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
|
||||
- Resolves: rhbz#1913839 - filter_groups doesn't filter GID from 'id' output: AD + 'ldap_id_mapping = True' corner case
|
||||
- Resolves: rhbz#2100789 - [Improvement] sssctl config-check command does not show an error when we don't have id_provider in the domain section
|
||||
- Resolves: rhbz#2152177 - [RFE] Add support for ldapi:// URLs
|
||||
- Resolves: rhbz#2164852 - man page entry should make clear that a nested group needs a name
|
||||
- Resolves: rhbz#2166627 - Improvement: sss_client: add 'getsidbyusername()' and 'getsidbygroupname()' and corresponding python bindings
|
||||
- Resolves: rhbz#2166943 - kinit switches KCM away from the newly issued ticket
|
||||
- Resolves: rhbz#2167728 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
|
||||
|
||||
* Mon Jan 16 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
|
||||
- Resolves: rhbz#2160001 - Reference to 'sssd-ldap-attributes' man page is missing in 'sssd-ldap', etc man pages
|
||||
|
||||
Loading…
Reference in New Issue
Block a user