diff --git a/.gitignore b/.gitignore
index 10e88cc..28058ba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -92,3 +92,4 @@ sssd-1.2.91.tar.gz
 /sssd-2.4.1.tar.gz
 /sssd-2.4.2.tar.gz
 /sssd-2.5.0.tar.gz
+/sssd-2.5.1.tar.gz
diff --git a/0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch b/0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch
deleted file mode 100644
index 7dc4f76..0000000
--- a/0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 9b017dbc80cf09b3a2d7e09f771faf70d4538b4f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Thu, 13 May 2021 12:18:24 +0200
-Subject: [PATCH 1/5] KCM: return KRB5_FCC_INTERNAL for unknown or not
- implemented operation
-
-sssd-kcm should follow Heimdal's return codes. Heimdal returns `KRB5_FCC_INTERNAL`
-for cases where operation code is not known or not implemented. See:
-
-* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1785
-* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1792
-
-We returned different codes before this patch which makes Kerberos to differentiate
-between Heimdal and sssd implementation. This leads to errors like:
-
-* https://github.com/krb5/krb5/pull/1178#issuecomment-838289703
-
-Resolves: https://github.com/SSSD/sssd/issues/5628
-
-Reviewed-by: Justin Stephenson
----
- src/responder/kcm/kcmsrv_cmd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
-index 6b11b184124c7cb17be2c7858afda3d56a4dcea6..3ad17ef431bb3d42b39f56d04c97acfc25f06d2f 100644
---- a/src/responder/kcm/kcmsrv_cmd.c
-+++ b/src/responder/kcm/kcmsrv_cmd.c
-@@ -197,7 +197,7 @@ static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf,
- if (op_io->op == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Did not find a KCM operation handler for the requested opcode\n");
-- return ERR_KCM_MALFORMED_IN_PKT;
-+ return ERR_KCM_OP_NOT_IMPLEMENTED;
- }
-
- /* The operation only receives the payload, not the opcode or the protocol info */
-@@ -643,7 +643,7 @@ krb5_error_code sss2krb5_error(errno_t err)
- case EACCES:
- return KRB5_FCC_PERM;
- case ERR_KCM_OP_NOT_IMPLEMENTED:
-- return KRB5_CC_NOSUPP;
-+ return KRB5_FCC_INTERNAL;
- case ERR_WRONG_NAME_FORMAT:
- return KRB5_CC_BADNAME;
- case ERR_NO_MATCHING_CREDS:
---
-2.30.2
-
diff --git a/0002-SECRETS-Resolve-mkey-path-correctly.patch b/0002-SECRETS-Resolve-mkey-path-correctly.patch
deleted file mode 100644
index 1e7f330..0000000
--- a/0002-SECRETS-Resolve-mkey-path-correctly.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From dbde4e692e34d3ff8233ac17a5eae5a062637e48 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson
-Date: Wed, 19 May 2021 10:54:52 -0400
-Subject: [PATCH 2/5] SECRETS: Resolve mkey path correctly
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use the correct master key path for the secrets database,
-fixing an issue on upgrade.
-
-Reviewed-by: Pavel Březina
-Reviewed-by: Sumit Bose
----
- src/tests/cmocka/test_kcm_renewals.c | 3 ++-
- src/util/secrets/secrets.c | 10 ++++++----
- src/util/secrets/secrets.h | 1 +
- 3 files changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/src/tests/cmocka/test_kcm_renewals.c b/src/tests/cmocka/test_kcm_renewals.c
-index f508bab005ff916a8f2a453670c137a56ac9ba46..53ce558be22cffb486d593bbc8c021b91e8fb2fa 100644
---- a/src/tests/cmocka/test_kcm_renewals.c
-+++ b/src/tests/cmocka/test_kcm_renewals.c
-@@ -37,6 +37,7 @@
- #define TESTS_PATH "tp_" BASE_FILE_STEM
- #define TEST_CONF_DB "test_kcm_renewals_conf.ldb"
- #define TEST_DB_FULL_PATH TESTS_PATH "/secrets.ldb"
-+#define TEST_MKEY_FULL_PATH TESTS_PATH "/.secrets.mkey"
-
- errno_t kcm_renew_all_tgts(TALLOC_CTX *mem_ctx,
- struct kcm_renew_tgt_ctx *renew_tgt_ctx,
-@@ -199,7 +200,7 @@ static void test_kcm_renewals_tgt(void **state)
- open(TEST_DB_FULL_PATH, O_CREAT|O_EXCL|O_WRONLY, 0600);
-
- ret = sss_sec_init_with_path(test_ctx->ccdb, NULL, TEST_DB_FULL_PATH,
-- &secdb->sctx);
-+ TEST_MKEY_FULL_PATH, &secdb->sctx);
-
- /* Create renew ctx */
- renew_tgt_ctx = talloc_zero(test_ctx, struct kcm_renew_tgt_ctx);
-diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
-index 42df14aa9c6265cbd723f826ce47f35529c4be10..2801eb24263ef8116a7afc294ee91a863295f5be 100644
---- a/src/util/secrets/secrets.c
-+++ b/src/util/secrets/secrets.c
-@@ -634,13 +634,13 @@ static int generate_master_key(const char *filename, size_t size)
- }
-
- static errno_t lcl_read_mkey(TALLOC_CTX *mem_ctx,
-- const char *dbpath,
-+ const char *mkeypath,
- struct sss_sec_data *master_key)
- {
- int mfd;
- ssize_t size;
- errno_t ret;
-- const char *mkey = dbpath;
-+ const char *mkey = mkeypath;
-
- master_key->data = talloc_size(mem_ctx, MKEY_SIZE);
- if (master_key->data == NULL) {
-@@ -703,6 +703,7 @@ static int set_quotas(struct sss_sec_ctx *sec_ctx,
- errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
- struct sss_sec_hive_config **config_list,
- const char *dbpath,
-+ const char *mkeypath,
- struct sss_sec_ctx **_sec_ctx)
- {
- struct sss_sec_ctx *sec_ctx;
-@@ -746,7 +747,7 @@ errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- ret = lcl_read_mkey(sec_ctx, dbpath, &sec_ctx->master_key);
-+ ret = lcl_read_mkey(sec_ctx, mkeypath, &sec_ctx->master_key);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot get the master key\n");
- goto done;
-@@ -764,9 +765,10 @@ errno_t sss_sec_init(TALLOC_CTX *mem_ctx,
- struct sss_sec_ctx **_sec_ctx)
- {
- const char *dbpath = SECRETS_DB_PATH"/secrets.ldb";
-+ const char *mkeypath = SECRETS_DB_PATH"/.secrets.mkey";
- errno_t ret;
-
-- ret = sss_sec_init_with_path(mem_ctx, config_list, dbpath, _sec_ctx);
-+ ret = sss_sec_init_with_path(mem_ctx, config_list, dbpath, mkeypath, _sec_ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize secdb [%d]: %s\n",
- ret, sss_strerror(ret));
-diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h
-index a15b99ffec6d1810e0c0cf815ed48d118ba2a08c..958f0824b5c89d8cafc249c7ac123ed999931347 100644
---- a/src/util/secrets/secrets.h
-+++ b/src/util/secrets/secrets.h
-@@ -83,6 +83,7 @@ errno_t sss_sec_init(TALLOC_CTX *mem_ctx,
- errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
- struct sss_sec_hive_config **config_list,
- const char *dbpath,
-+ const char *mkeypath,
- struct sss_sec_ctx **_sec_ctx);
-
- errno_t sss_sec_new_req(TALLOC_CTX *mem_ctx,
---
-2.30.2
-
diff --git a/0003-UTIL-SECRETS-mistype-fix.patch b/0003-UTIL-SECRETS-mistype-fix.patch
deleted file mode 100644
index bd4a187..0000000
--- a/0003-UTIL-SECRETS-mistype-fix.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 9777427facccbbe45c855b0319258335dffb986a Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Tue, 18 May 2021 12:04:01 +0200
-Subject: [PATCH 3/5] UTIL/SECRETS: mistype fix
-
-Wrong variable was tested after mem allocation.
-
-Also fixes following covscan issues:
-```
-Error: DEADCODE (CWE-561):
-sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
-sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL".
-sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true.
-sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;".
- # 1009| uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
- # 1010| if (uuid_list == NULL) {
- # 1011|-> ret = ENOMEM;
- # 1012| goto done;
- # 1013| }
-```
-
-Reviewed-by: Justin Stephenson
----
- src/util/secrets/secrets.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
-index 2801eb24263ef8116a7afc294ee91a863295f5be..6e99e291dd355cc69b0d872f53624ca3446e18ad 100644
---- a/src/util/secrets/secrets.c
-+++ b/src/util/secrets/secrets.c
-@@ -1002,14 +1002,14 @@ errno_t sss_sec_list_cc_uuids(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
-+ uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
- if (uuid_list == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
-- uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
-- if (uuid_list == NULL) {
-+ uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
-+ if (uid_list == NULL) {
- ret = ENOMEM;
- goto done;
- }
---
-2.30.2
-
diff --git a/sources b/sources
index 1911b5e..44c7e0f 100644
--- a/sources
+++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.5.0.tar.gz) = 80b5e81cedacdf0bbe724af20d69b918bb6cc353976c6c65421afcd5809d1723f523bc3c1be294b9e01cfda9617c2df5c6ceb007837f195eb1abc2abdab9858c +SHA512 (sssd-2.5.1.tar.gz) = 7441df3b5f1cc1eadb0c6853b048d780ecb36761876aaeb26b9a2d87729211d3ceeae01085dc3ec4fd1c5328f951c8abe854b1d01d91fae25466f930fe16e44a diff --git a/sssd.spec b/sssd.spec index b30fd2f..5041204 100644 --- a/sssd.spec +++ b/sssd.spec @@ -26,19 +26,15 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.5.0 -Release: 3%{?dist} +Version: 2.5.1 +Release: 1%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ -Source0: https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz +Source0: https://github.com/SSSD/sssd/releases/download/2.5.1/sssd-2.5.1.tar.gz ### Patches ### -Patch0001: 0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch -Patch0002: 0002-SECRETS-Resolve-mkey-path-correctly.patch -Patch0003: 0003-UTIL-SECRETS-mistype-fix.patch - ### Dependencies ### Requires: sssd-ad = %{version}-%{release} @@ -1002,6 +998,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Tue Jun 08 2021 Pavel Březina - 2.5.1-1 +- Rebase to SSSD 2.5.1 + * Fri Jun 04 2021 Python Maint - Rebuilt for Python 3.10