import sssd-2.6.2-3.el8

2022-03-14 02:53:45 +00:00 · 2022-03-14 02:53:45 +00:00 · 920798981e
commit 920798981e
parent 49efc2ca42
7 changed files with 1508 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/sssd-2.6.1.tar.gz
+SOURCES/sssd-2.6.2.tar.gz
--- a/.sssd.metadata
+++ b/.sssd.metadata
@ -1 +1 @@
-7bf04ef18d0997727eb011e3eab6199771f0920f SOURCES/sssd-2.6.1.tar.gz
+c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
--- a/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
+++ b/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
@ -0,0 +1,33 @@
+From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jan 2022 10:11:49 +0100
+Subject: [PATCH] ipa: fix reply socket of selinux_child
+
+Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
+the reply socket of selinux_child from stdout to stderr while switching
+from exec_child to exec_child_ex. This patch returns the original
+behavior.
+
+Resolves: https://github.com/SSSD/sssd/issues/5939
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/providers/ipa/ipa_selinux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index 6f885c0fd..2e0593dd7 100644
+--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
+@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
+     if (pid == 0) { /* child */
+         exec_child_ex(state, pipefd_to_child, pipefd_from_child,
+                       SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
+-                      false, STDIN_FILENO, STDERR_FILENO);
+                      false, STDIN_FILENO, STDOUT_FILENO);
+         DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
+               ret, sss_strerror(ret));
+         return ret;
+-- 
+2.26.3
+
--- a/SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch
+++ b/SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch
@ -0,0 +1,42 @@
+From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 16 Dec 2021 11:14:18 +0100
+Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the forest root is not part of the return trusted domain objects
+from the local domain controller we generate an object for further
+processing. During this processing it is expected that the 'cn'
+attribute is set and contains the name of the forest root. So far this
+attribute was missing and it is now added by this patch.
+
+Resolves: https://github.com/SSSD/sssd/issues/5926
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ad/ad_subdomains.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 0353de76f..0c3f8ac31 100644
+--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
+@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
+         goto done;
+     }
+ 
+    ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
+                                 state->forest);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
+        goto done;
+    }
+
+     err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
+                                    &id_val.data, &id_val.length);
+     if (err != IDMAP_SUCCESS) {
+-- 
+2.26.3
+
--- a/SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
+++ b/SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
@ -0,0 +1,140 @@
+From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Thu, 13 Jan 2022 11:28:30 +0100
+Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AD and IPA providers use a common fo_server object for LDAP and
+Kerberos, which is created with the LDAP data. This means that due to
+the changes introduced in
+https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
+the port in use for the Kerberos requests would be the one specified for
+LDAP, usually the default one (389).
+
+In order to avoid that, AD and IPA providers shouldn't change the
+Kerberos port with the one provided for LDAP.
+
+:fixes: A critical regression that prevented authentication of users via
+AD and IPA providers was fixed. LDAP port was reused for Kerberos
+communication and this provider would send incomprehensible information
+to this port.
+
+Resolves: https://github.com/SSSD/sssd/issues/5947
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ad/ad_common.c     |  1 +
+ src/providers/ipa/ipa_common.c   |  1 +
+ src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
+ src/providers/krb5/krb5_common.h |  1 +
+ 4 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index e263444c5..1ca5f8e3a 100644
+--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
+@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
+     if (service->krb5_service->write_kdcinfo) {
+         ret = write_krb5info_file_from_fo_server(service->krb5_service,
+                                                  server,
+                                                 true,
+                                                  SSS_KRB5KDC_FO_SRV,
+                                                  ad_krb5info_file_filter);
+         if (ret != EOK) {
+diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
+index 1509cb1ce..e6c1f9aa4 100644
+--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
+@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
+     if (service->krb5_service->write_kdcinfo) {
+         ret = write_krb5info_file_from_fo_server(service->krb5_service,
+                                                  server,
+                                                 true,
+                                                  SSS_KRB5KDC_FO_SRV,
+                                                  NULL);
+         if (ret != EOK) {
+diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
+index 719ce6a12..5ffa20809 100644
+--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
+@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
+ 
+ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+                                            struct fo_server *server,
+                                           bool force_default_port,
+                                            const char *service,
+                                            bool (*filter)(struct fo_server *))
+ {
+@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+     if (filter == NULL || filter(server) == false) {
+         address = fo_server_address_or_name(tmp_ctx, server);
+         if (address) {
+-            port = fo_get_server_port(server);
+-            if (port != 0) {
+-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+-                if (address == NULL) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+-                    talloc_free(tmp_ctx);
+-                    return ENOMEM;
+            if (!force_default_port) {
+                port = fo_get_server_port(server);
+                if (port != 0) {
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+                    if (address == NULL) {
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+                        talloc_free(tmp_ctx);
+                        return ENOMEM;
+                    }
+                 }
+             }
+ 
+@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+                 continue;
+             }
+ 
+-            port = fo_get_server_port(item);
+-            if (port != 0) {
+-                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+-                if (address == NULL) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+-                    talloc_free(tmp_ctx);
+-                    return ENOMEM;
+            if (!force_default_port) {
+                port = fo_get_server_port(item);
+                if (port != 0) {
+                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+                    if (address == NULL) {
+                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+                        talloc_free(tmp_ctx);
+                        return ENOMEM;
+                    }
+                 }
+             }
+ 
+@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
+     if (krb5_service->write_kdcinfo) {
+         ret = write_krb5info_file_from_fo_server(krb5_service,
+                                                  server,
+                                                 false,
+                                                  krb5_service->name,
+                                                  NULL);
+         if (ret != EOK) {
+diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
+index 151f446d1..2fd39a751 100644
+--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
+@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
+ 
+ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
+                                            struct fo_server *server,
+                                           bool force_default_port,
+                                            const char *service,
+                                            bool (*filter)(struct fo_server *));
+ 
+-- 
+2.26.3
+
--- a/SOURCES/0004-po-update-translations.patch
+++ b/SOURCES/0004-po-update-translations.patch
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@ -18,8 +18,8 @@
 %global enable_systemtap_opt --enable-systemtap

 Name: sssd
-Version: 2.6.1
-Release: 2%{?dist}
+Version: 2.6.2
+Release: 3%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -27,7 +27,10 @@ URL: https://github.com/SSSD/sssd
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz

 ### Patches ###
-#Patch0001:
+Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
+Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
+Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
+Patch0004: 0004-po-update-translations.patch

 ### Downstream Patches ###

@ -80,6 +83,7 @@ BuildRequires: libxslt
 BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
 BuildRequires: krb5-devel
+BuildRequires: krb5-libs >= 1.18.2-11
 BuildRequires: c-ares-devel
 BuildRequires: python3-devel
 BuildRequires: check-devel
@ -211,8 +215,8 @@ Requires: libsss_simpleifp = %{version}-%{release}
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
+# for logger=journald support with sss_analyze
 Requires: python3-systemd
-Requires: python3-click
 Recommends: sssd-dbus

 %description tools
@ -525,6 +529,7 @@ Summary: An implementation of a Kerberos KCM server
 Group:  Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
+Requires: krb5-libs >= 1.18.2-11
 %{?systemd_requires}

 %description kcm
@ -595,7 +600,7 @@ unset CK_TIMEOUT_MULTIPLIER

 %install

-%py3_shebang_fix src/tools/analyzer/sss_analyze.py
+%py3_shebang_fix src/tools/analyzer/sss_analyze
 sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate

 make install DESTDIR=$RPM_BUILD_ROOT
@ -616,6 +621,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache

+# krb5 configuration snippet
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
+
 # Create directory for cifs-idmap alternative
 # Otherwise this directory could not be owned by sssd-client
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
@ -847,6 +856,9 @@ done
 %license COPYING
 %{_libdir}/%{name}/libsss_krb5.so
 %{_mandir}/man5/sssd-krb5.5*
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
+%dir %{_datadir}/sssd/krb5-snippets
+%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir

 %files common-pac
 %defattr(-,root,root,-)
@ -935,6 +947,7 @@ done
 %{_sbindir}/sss_debuglevel
 %{_sbindir}/sss_seed
 %{_sbindir}/sssctl
+%{_libexecdir}/%{servicename}/sss_analyze
 %{python3_sitelib}/sssd/
 %{_mandir}/man8/sss_obfuscate.8*
 %{_mandir}/man8/sss_override.8*
@ -1144,6 +1157,30 @@ fi
 %systemd_postun_with_restart sssd.service

 %changelog
+* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
+- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
+- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
+- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
+- Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
+- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
+
+* Tue Jan 04 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
+- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)
+
+* Mon Dec 27 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
+- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
+- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
+- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
+- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
+- Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
+- Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
+- Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
+- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
+- Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
+- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
+- Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
+- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
+
 * Fri Nov 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-2
 - Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release