From 98cad07f1e1e1819badd3cfbc9bbcccb15ca0ee4 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Tue, 10 Dec 2024 17:58:00 +0100 Subject: [PATCH] Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0 Resolves: RHEL-4984 - Mismatch between input and parsed domain name when default_domain_suffix is set. Resolves: RHEL-65848 - sssd password authentication broken in sssd-2.10.0~beta2-2 and later Resolves: RHEL-67669 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option Resolves: RHEL-68421 - sssd ldap_child process segfaults when krb5.conf is invalid [rhel-10] Resolves: RHEL-66935 - Avoid log flooding in case an app keeps making invalid `getservbyport(0, ...)` request Resolves: RHEL-65736 - ipa: sudo commands doesn't check threshold correctly Resolves: RHEL-68319 - Please deprecate/remove ad_allow_remote_domain_local_groups --- .gitignore | 1 + ...logrotate-to-work-with-non-root-grou.patch | 68 ------ ...p_force-value-for-ldap_pwmodify_mode.patch | 230 ------------------ ...ever-try-to-upgrade-timestamps-cache.patch | 207 ---------------- ...-remove-index-on-dataExpireTimestamp.patch | 146 ----------- ...e-sssd-polkit-rules-into-sssd-common.patch | 70 ------ sources | 2 +- sssd.spec | 43 ++-- 8 files changed, 27 insertions(+), 740 deletions(-) delete mode 100644 0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch delete mode 100644 0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch delete mode 100644 0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch delete mode 100644 0003-SYSDB-remove-index-on-dataExpireTimestamp.patch delete mode 100644 0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch diff --git a/.gitignore b/.gitignore index 5827863..41eb90d 100644 --- a/.gitignore +++ b/.gitignore @@ -114,3 +114,4 @@ sssd-1.2.91.tar.gz /sssd-2.10.0-beta1.tar.gz /sssd-2.10.0-beta2.tar.gz /sssd-2.10.0.tar.gz +/sssd-2.10.1.tar.gz 
diff --git a/0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch b/0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch deleted file mode 100644 index a401bc9..0000000 --- a/0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From e4ae4d6129e85fe99bbb82438ed90352400ecdf3 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 26 Jul 2024 15:55:01 +0200 -Subject: [PATCH] BUILD: configure logrotate to work with non-root-group - writable folder -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Otherwise logrotate complains: -``` -error: skipping "/var/log/sssd/sssd_kcm.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. -``` - -See https://bugzilla.redhat.com/show_bug.cgi?id=2299733 for details - -Reviewed-by: Jakub Vávra -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina ---- - Makefile.am | 1 + - configure.ac | 1 + - src/examples/{logrotate => logrotate.in} | 1 + - 3 files changed, 3 insertions(+) - rename src/examples/{logrotate => logrotate.in} (90%) - -diff --git a/Makefile.am b/Makefile.am -index f4cadee6f..82e0c5882 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -5706,6 +5706,7 @@ endif - rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket - rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service - rm -f $(builddir)/src/tools/wrappers/sss_debuglevel -+ rm -Rf $(builddir)/src/examples - rm -Rf $(builddir)/contrib - - CLEANFILES += *.X */*.X */*/*.X -diff --git a/configure.ac b/configure.ac -index 105d77a4d..380c16ba8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -563,6 +563,7 @@ AC_DEFINE_UNQUOTED([ABS_SRC_DIR], ["$my_srcdir"], [Absolute path to the source d - AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config - contrib/sssd-pcsc.rules contrib/90-sssd-token-access.rules - contrib/sssd-tmpfiles.conf -+ src/examples/logrotate - src/sysv/sssd src/sysv/gentoo/sssd src/sysv/gentoo/sssd-kcm - po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile - src/tests/intg/Makefile src/tests/test_CA/Makefile -diff --git 
a/src/examples/logrotate b/src/examples/logrotate.in -similarity index 90% -rename from src/examples/logrotate -rename to src/examples/logrotate.in -index 6e769451c..0421946a2 100644 ---- a/src/examples/logrotate -+++ b/src/examples/logrotate.in -@@ -6,6 +6,7 @@ - rotate 2 - compress - delaycompress -+ su @SSSD_USER@ @SSSD_USER@ - postrotate - /bin/kill -HUP `cat /var/run/sssd.pid 2>/dev/null` 2> /dev/null || true - /bin/pkill -HUP sssd_kcm 2> /dev/null || true --- -2.45.2 - diff --git a/0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch b/0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch deleted file mode 100644 index eb1a5ba..0000000 --- a/0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch +++ /dev/null 
@@ -1,230 +0,0 @@ -From d523261c312c1ccab0253ddf14b54daba44ed268 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 13 Sep 2024 15:45:59 +0200 -Subject: [PATCH] ldap: add 'exop_force' value for ldap_pwmodify_mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case the LDAP server allows to run the extended operation to change a -password even if an authenticated bind fails due to missing grace logins -the new option 'exop_force' can be used to run the extended operation to -change the password anyways. - -:config: Added `exop_force` value for configuration option - `ldap_pwmodify_mode`. This can be used to force a password change even - if no grace logins are left. Depending on the configuration of the - LDAP server it might be expected that the password change will fail. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -(cherry picked from commit 7184541976608d357a5da48d09a7fa08862477d8) ---- - src/man/sssd-ldap.5.xml | 11 +++++++++ - src/providers/ipa/ipa_auth.c | 3 ++- - src/providers/ldap/ldap_auth.c | 5 +++- - src/providers/ldap/ldap_options.c | 2 ++ - src/providers/ldap/sdap.h | 5 ++-- - src/providers/ldap/sdap_async.h | 3 ++- - src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++----- - 7 files changed, 45 insertions(+), 11 deletions(-) - -diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml -index a6f9b1c97..d50aa65b2 100644 ---- a/src/man/sssd-ldap.5.xml -+++ b/src/man/sssd-ldap.5.xml -@@ -234,6 +234,17 @@ - userPassword (not recommended). - - -+ -+ -+ exop_force - Try Password Modify -+ Extended Operation (RFC 3062) even if -+ there are no grace logins left. -+ Depending on the type and configuration -+ of the LDAP server the password change -+ might fail because an authenticated bind -+ is not possible. 
-+ -+ - - - -diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c -index e238d0623..db1cd6ad3 100644 ---- a/src/providers/ipa/ipa_auth.c -+++ b/src/providers/ipa/ipa_auth.c -@@ -397,7 +397,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq) - SDAP_USE_PPOLICY); - - subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn, -- state->pd->authtok, timeout, use_ppolicy); -+ state->pd->authtok, timeout, use_ppolicy, -+ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode); - if (subreq == NULL) { - goto done; - } -diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c -index 9ccbdabdb..370cdf171 100644 ---- a/src/providers/ldap/ldap_auth.c -+++ b/src/providers/ldap/ldap_auth.c -@@ -914,7 +914,8 @@ static void auth_do_bind(struct tevent_req *req) - subreq = sdap_auth_send(state, state->ev, state->sh, - NULL, NULL, state->dn, - state->authtok, -- timeout, use_ppolicy); -+ timeout, use_ppolicy, -+ state->ctx->opts->pwmodify_mode); - if (!subreq) { - tevent_req_error(req, ENOMEM); - return; -@@ -1208,6 +1209,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx, - - switch (opts->pwmodify_mode) { - case SDAP_PWMODIFY_EXOP: -+ case SDAP_PWMODIFY_EXOP_FORCE: - use_ppolicy = dp_opt_get_bool(opts->basic, SDAP_USE_PPOLICY); - subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn, - password, new_password, -@@ -1252,6 +1254,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq) - - switch (state->mode) { - case SDAP_PWMODIFY_EXOP: -+ case SDAP_PWMODIFY_EXOP_FORCE: - ret = sdap_exop_modify_passwd_recv(subreq, state, - &state->user_error_message); - break; -diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c -index 277bcb529..72a95300d 100644 ---- a/src/providers/ldap/ldap_options.c -+++ b/src/providers/ldap/ldap_options.c -@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx, - opts->pwmodify_mode = SDAP_PWMODIFY_EXOP; - } else if 
(strcasecmp(pwmodify, "ldap_modify") == 0) { - opts->pwmodify_mode = SDAP_PWMODIFY_LDAP; -+ } else if (strcasecmp(pwmodify, "exop_force") == 0) { -+ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE; - } else { - DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify); - ret = EINVAL; -diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index d66ca156a..35a4d5e1c 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -550,8 +550,9 @@ struct sdap_options { - - /* password modify mode */ - enum pwmodify_mode { -- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */ -- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */ -+ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */ -+ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */ -+ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */ - } pwmodify_mode; - - /* The search bases for the domain or its subdomain */ -diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h -index a78a1157c..700cd6f9c 100644 ---- a/src/providers/ldap/sdap_async.h -+++ b/src/providers/ldap/sdap_async.h -@@ -147,7 +147,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, - const char *user_dn, - struct sss_auth_token *authtok, - int simple_bind_timeout, -- bool use_ppolicy); -+ bool use_ppolicy, -+ enum pwmodify_mode pwmodify_mode); - - errno_t sdap_auth_recv(struct tevent_req *req, - TALLOC_CTX *memctx, -diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c -index a6d4ee443..67c09835b 100644 ---- a/src/providers/ldap/sdap_async_connection.c -+++ b/src/providers/ldap/sdap_async_connection.c -@@ -646,6 +646,7 @@ struct simple_bind_state { - struct tevent_context *ev; - struct sdap_handle *sh; - const char *user_dn; -+ enum pwmodify_mode pwmodify_mode; - - struct sdap_op *op; - -@@ -663,7 +664,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, - int timeout, - const 
char *user_dn, - struct berval *pw, -- bool use_ppolicy) -+ bool use_ppolicy, -+ enum pwmodify_mode pwmodify_mode) - { - struct tevent_req *req; - struct simple_bind_state *state; -@@ -686,6 +688,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, - state->ev = ev; - state->sh = sh; - state->user_dn = user_dn; -+ state->pwmodify_mode = pwmodify_mode; - - if (use_ppolicy) { - ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, -@@ -872,7 +875,12 @@ static void simple_bind_done(struct sdap_op *op, - * Grace Authentications". */ - DEBUG(SSSDBG_TRACE_LIBS, - "Password expired, grace logins exhausted.\n"); -- ret = ERR_AUTH_FAILED; -+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) { -+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n"); -+ ret = ERR_PASSWORD_EXPIRED; -+ } else { -+ ret = ERR_AUTH_FAILED; -+ } - } - } else if (strcmp(response_controls[c]->ldctl_oid, - LDAP_CONTROL_PWEXPIRED) == 0) { -@@ -885,7 +893,12 @@ static void simple_bind_done(struct sdap_op *op, - if (result == LDAP_INVALID_CREDENTIALS) { - DEBUG(SSSDBG_TRACE_LIBS, - "Password expired, grace logins exhausted.\n"); -- ret = ERR_AUTH_FAILED; -+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) { -+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n"); -+ ret = ERR_PASSWORD_EXPIRED; -+ } else { -+ ret = ERR_AUTH_FAILED; -+ } - } else { - DEBUG(SSSDBG_TRACE_LIBS, - "Password expired, user must set a new password.\n"); -@@ -1365,7 +1378,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, - const char *user_dn, - struct sss_auth_token *authtok, - int simple_bind_timeout, -- bool use_ppolicy) -+ bool use_ppolicy, -+ enum pwmodify_mode pwmodify_mode) - { - struct tevent_req *req, *subreq; - struct sdap_auth_state *state; -@@ -1404,7 +1418,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, - pw.bv_len = pwlen; - - state->is_sasl = false; -- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, use_ppolicy); -+ subreq = 
simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, use_ppolicy, pwmodify_mode); - if (!subreq) { - tevent_req_error(req, ENOMEM); - return tevent_req_post(req, ev); -@@ -1981,7 +1995,8 @@ static void sdap_cli_auth_step(struct tevent_req *req) - dp_opt_get_int(state->opts->basic, - SDAP_OPT_TIMEOUT), - dp_opt_get_bool(state->opts->basic, -- SDAP_USE_PPOLICY)); -+ SDAP_USE_PPOLICY), -+ state->opts->pwmodify_mode); - talloc_free(authtok); - if (!subreq) { - tevent_req_error(req, ENOMEM); --- -2.46.1 - diff --git a/0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch b/0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch deleted file mode 100644 index 6910e76..0000000 --- a/0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch +++ /dev/null 
@@ -1,207 +0,0 @@ -From fc2a26c306e51b66680aef85aa0d2c41d8049a7f Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Jul 2024 13:08:02 +0200 -Subject: [PATCH 2/3] TS_CACHE: never try to upgrade timestamps cache -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It's easier and more consistent to recreate it instead. - -This is a natural extension of 3b67fc6488ac10ca13561d9032f59951f82203e6 - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman ---- - src/db/sysdb_init.c | 103 +---------------------------------------- - src/db/sysdb_upgrade.c | 45 ------------------ - 2 files changed, 1 insertion(+), 147 deletions(-) - -diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c -index 85db5f9e1..ecf16fd11 100644 ---- a/src/db/sysdb_init.c -+++ b/src/db/sysdb_init.c -@@ -348,57 +348,6 @@ static errno_t sysdb_cache_create_empty(struct ldb_context *ldb, - return EOK; - } - --static errno_t sysdb_ts_cache_upgrade(TALLOC_CTX *mem_ctx, -- struct sysdb_ctx *sysdb, -- struct ldb_context *ldb, -- struct sss_domain_info *domain, -- const char *cur_version, -- const char **_new_version) --{ -- errno_t ret; -- TALLOC_CTX *tmp_ctx; -- const char *version; -- struct ldb_context *save_ldb; -- -- tmp_ctx = talloc_new(NULL); -- if (tmp_ctx == NULL) { -- return ENOMEM; -- } -- -- /* The upgrade process depends on having ldb around, yet the upgrade -- * function shouldn't set the ldb pointer, only the connect function -- * should after it's successful. 
To avoid hard refactoring, save the -- * ldb pointer here and restore in the 'done' handler -- */ -- save_ldb = sysdb->ldb; -- sysdb->ldb = ldb; -- -- version = talloc_strdup(tmp_ctx, cur_version); -- if (version == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- DEBUG(SSSDBG_CONF_SETTINGS, -- "Upgrading timstamp cache of DB [%s] from version: %s\n", -- domain->name, version); -- -- if (strcmp(version, SYSDB_TS_VERSION_0_1) == 0) { -- ret = sysdb_ts_upgrade_01(sysdb, &version); -- if (ret != EOK) { -- goto done; -- } -- } -- -- ret = EOK; -- --done: -- sysdb->ldb = save_ldb; -- *_new_version = version; -- talloc_free(tmp_ctx); -- return ret; --} -- - static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, - struct sysdb_ctx *sysdb, - struct sysdb_dom_upgrade_ctx *upgrade_ctx, -@@ -856,56 +805,6 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb, - } - - ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version); -- switch (ret) { -- case ERR_SYSDB_VERSION_TOO_OLD: -- if (upgrade_ctx == NULL) { -- DEBUG(SSSDBG_FATAL_FAILURE, -- "DB version too old [%s], expected [%s] for domain %s!\n", -- version, SYSDB_VERSION, domain->name); -- break; -- } -- -- ret = sysdb_ts_cache_upgrade(tmp_ctx, sysdb, ldb, domain, version, -- &version); -- if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not upgrade the timestamp ldb file (%d) (%s)\n", -- ret, sss_strerror(ret)); -- break; -- } -- -- /* The version should now match SYSDB_VERSION. -- * If not, it means we didn't match any of the -- * known older versions. The DB might be -- * corrupt or generated by a newer version of -- * SSSD. -- */ -- ret = sysdb_version_check(SYSDB_TS_VERSION, version); -- if (ret == EOK) { -- /* The cache has been upgraded. -- * We need to reopen the LDB to ensure that -- * any changes made above take effect. 
-- */ -- ret = sysdb_ldb_reconnect(tmp_ctx, -- sysdb->ldb_ts_file, -- LDB_FLG_NOSYNC, -- &ldb); -- if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not reopen the timestamp ldb file (%d) (%s)\n", -- ret, sss_strerror(ret)); -- } -- } -- break; -- case ERR_SYSDB_VERSION_TOO_NEW: -- DEBUG(SSSDBG_MINOR_FAILURE, -- "DB version too new [%s], expected [%s] for domain %s!\n", -- version, SYSDB_TS_VERSION, domain->name); -- break; -- default: -- break; -- } -- - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "The timestamps cache could not be opened. " -@@ -925,7 +824,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb, - ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not delete the timestamp ldb file (%d) (%s)\n", -+ "sysdb_ts_cache_connect() failed after cache deletion [%d]: %s\n", - ret, sss_strerror(ret)); - } - } -diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c -index 8fb17c6bb..05142d972 100644 ---- a/src/db/sysdb_upgrade.c -+++ b/src/db/sysdb_upgrade.c -@@ -2820,51 +2820,6 @@ done: - return ret; - } - --int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver) --{ -- struct upgrade_ctx *ctx; -- errno_t ret; -- struct ldb_message *msg = NULL; -- -- ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_TS_VERSION_0_2, &ctx); -- if (ret) { -- return ret; -- } -- -- /* Remove @IDXONE from index */ -- talloc_free(msg); -- msg = ldb_msg_new(ctx); -- if (msg == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST"); -- if (msg->dn == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = ldb_msg_add_empty(msg, "@IDXONE", LDB_FLAG_MOD_DELETE, NULL); -- if (ret != LDB_SUCCESS) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = ldb_modify(sysdb->ldb, msg); -- if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -- goto done; -- } -- -- /* conversion done, update version number */ -- ret = 
update_version(ctx); -- --done: -- ret = finish_upgrade(ret, &ctx, ver); -- return ret; --} -- - /* - * Example template for future upgrades. - * Copy and change version numbers as appropriate. --- -2.45.2 - diff --git a/0003-SYSDB-remove-index-on-dataExpireTimestamp.patch b/0003-SYSDB-remove-index-on-dataExpireTimestamp.patch deleted file mode 100644 index 2cd2730..0000000 --- a/0003-SYSDB-remove-index-on-dataExpireTimestamp.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -From f0d45464cee1d2a6a2719dbffe5bbf6189d0554a Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 21 Jun 2024 19:09:29 +0200 -Subject: [PATCH 3/3] SYSDB: remove index on `dataExpireTimestamp` -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This index was only used in cleanup tasks that don't run often. -On the other hand, this index is huge and degrades performance of libldb -in general. - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman ---- - src/db/sysdb_init.c | 8 ++++++++ - src/db/sysdb_private.h | 9 +++++---- - src/db/sysdb_upgrade.c | 27 +++++++++++++++++++++++++++ - 3 files changed, 40 insertions(+), 4 deletions(-) - -diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c -index ecf16fd11..507a97f63 100644 ---- a/src/db/sysdb_init.c -+++ b/src/db/sysdb_init.c -@@ -531,6 +531,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, - } - } - -+ if (strcmp(version, SYSDB_VERSION_0_24) == 0) { -+ ret = sysdb_upgrade_24(sysdb, &version); -+ if (ret != EOK) { -+ goto done; -+ } -+ } -+ - ret = EOK; - done: - sysdb->ldb = save_ldb; -@@ -737,6 +744,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb, - ret = sysdb_domain_cache_upgrade(tmp_ctx, sysdb, upgrade_ctx, - ldb, domain, version, &version); - if (ret != EOK) { -+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_domain_cache_upgrade() failed\n"); - goto done; - } - -diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h -index 2d7d6f62d..32d3f1c7e 100644 ---- a/src/db/sysdb_private.h -+++ b/src/db/sysdb_private.h -@@ -23,6 +23,7 @@ - #ifndef __INT_SYS_DB_H__ - #define __INT_SYS_DB_H__ - -+#define SYSDB_VERSION_0_25 "0.25" - #define SYSDB_VERSION_0_24 "0.24" - #define SYSDB_VERSION_0_23 "0.23" - #define SYSDB_VERSION_0_22 "0.22" -@@ -48,7 +49,7 @@ - #define SYSDB_VERSION_0_2 "0.2" - #define SYSDB_VERSION_0_1 "0.1" - --#define SYSDB_VERSION SYSDB_VERSION_0_24 -+#define SYSDB_VERSION 
SYSDB_VERSION_0_25 - - #define SYSDB_BASE_LDIF \ - "dn: @ATTRIBUTES\n" \ -@@ -73,7 +74,6 @@ - "@IDXATTR: uidNumber\n" \ - "@IDXATTR: gidNumber\n" \ - "@IDXATTR: lastUpdate\n" \ -- "@IDXATTR: dataExpireTimestamp\n" \ - "@IDXATTR: originalDN\n" \ - "@IDXATTR: nameAlias\n" \ - "@IDXATTR: servicePort\n" \ -@@ -106,10 +106,11 @@ - "\n" - - /* The timestamp cache has its own versioning */ -+#define SYSDB_TS_VERSION_0_3 "0.3" - #define SYSDB_TS_VERSION_0_2 "0.2" - #define SYSDB_TS_VERSION_0_1 "0.1" - --#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_2 -+#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_3 - - #define SYSDB_TS_BASE_LDIF \ - "dn: @ATTRIBUTES\n" \ -@@ -117,7 +118,6 @@ - "\n" \ - "dn: @INDEXLIST\n" \ - "@IDXATTR: lastUpdate\n" \ -- "@IDXATTR: dataExpireTimestamp\n" \ - "\n" \ - "dn: cn=sysdb\n" \ - "cn: sysdb\n" \ -@@ -196,6 +196,7 @@ int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver); -+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver); - - int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver); - -diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c -index 05142d972..c0c8e13ee 100644 ---- a/src/db/sysdb_upgrade.c -+++ b/src/db/sysdb_upgrade.c -@@ -2820,6 +2820,33 @@ done: - return ret; - } - -+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver) -+{ -+ struct upgrade_ctx *ctx; -+ errno_t ret; -+ -+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_25, &ctx); -+ if (ret) { -+ return ret; -+ } -+ -+ ret = sysdb_ldb_mod_index(sysdb, SYSDB_IDX_DELETE, sysdb->ldb, "dataExpireTimestamp"); -+ if (ret == ENOENT) { /*nothing to delete */ -+ ret = EOK; -+ } -+ if (ret != EOK) { -+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_ldb_mod_index() failed [%d]: %s\n", -+ ret, sss_strerror(ret)); -+ goto done; -+ } -+ -+ ret = 
update_version(ctx); -+ -+done: -+ ret = finish_upgrade(ret, &ctx, ver); -+ return ret; -+} -+ - /* - * Example template for future upgrades. - * Copy and change version numbers as appropriate. --- -2.45.2 - diff --git a/0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch b/0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch deleted file mode 100644 index c17c30b..0000000 --- a/0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From a7d0bbeb5a8a41e80fec91d7d38b5dcb35eebe8f Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 23 Jul 2024 18:07:09 +0200 -Subject: [PATCH] SPEC: merge 'sssd-polkit-rules' into 'sssd-common' -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -'p11_child' runs under non-privileged user and thus requires -polkit-rules by default. - -Reviewed-by: Scott Poore -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman ---- - contrib/sssd.spec.in | 20 ++++---------------- - 1 file changed, 4 insertions(+), 16 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index c65be0d27..4edabce56 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -210,6 +210,9 @@ License: GPL-3.0-or-later - Obsoletes: libsss_simpleifp < 2.9.0 - Obsoletes: libsss_simpleifp-debuginfo < 2.9.0 - %endif -+%if %{use_sssd_user} -+Obsoletes: sssd-polkit-rules < 2.10.0 -+%endif - # Requires - # due to ABI changes in 1.1.30/1.2.0 - Requires: libldb >= %{ldb_version} -@@ -470,19 +473,6 @@ Requires: sssd-common = %{version}-%{release} - Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows - the information from the SSSD to be transmitted over the system bus. - --%if %{use_sssd_user} --%package polkit-rules --Summary: Rules for polkit integration for SSSD --Group: Applications/System --License: GPL-3.0-or-later --Requires: polkit >= 0.106 --Requires: sssd-common = %{version}-%{release} -- --%description polkit-rules --Provides rules for polkit integration with SSSD. This is required --for smartcard support. 
--%endif -- - %if 0%{?rhel} == 9 - %package -n libsss_simpleifp - Summary: The SSSD D-Bus responder helper library -@@ -885,13 +875,11 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf - %if %{use_sysusers} - %{_sysusersdir}/sssd.conf - %endif -- -- - %if %{use_sssd_user} --%files polkit-rules - %{_datadir}/polkit-1/rules.d/* - %endif - -+ - %files ldap -f sssd_ldap.lang - %license COPYING - %{_libdir}/%{name}/libsss_ldap.so --- -2.45.2 - diff --git a/sources b/sources index 6073d96..5af48d6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.10.0.tar.gz) = d237ff135fb21bcd1040787d6dfe8fa383290fbae1f15c6917284beb38dd95ecf6418335302e26be40c65e44e8b44135499eec0b98119ea53a38098ac0bc1e2c +SHA512 (sssd-2.10.1.tar.gz) = 001ff9cd60aa510ead11e418a1b96714136cc270b29551027cb12c340744890b358da5900a10863d4df649ad073f14f6f26c28e3f973b1cd5c2ab61f2a2a045b diff --git a/sssd.spec b/sssd.spec index 8e0680d..0ab3c62 100644 --- a/sssd.spec +++ b/sssd.spec @@ -16,9 +16,6 @@ %global use_sysusers 0 %endif -# Capabilities of privileged child helpers (required even if SSSD runs under root) -%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep - %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 %global build_subid 1 %else @@ -59,16 +56,16 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.10.0 -Release: 3%{?dist} +Version: 2.10.1 +Release: 1%{?dist} Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ -Source0: https://github.com/SSSD/sssd/releases/download/2.10.0/sssd-2.10.0.tar.gz +Source0: https://github.com/SSSD/sssd/releases/download/2.10.1/sssd-2.10.1.tar.gz Source1: sssd.sysusers ### Patches ### -Patch0001: 0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch +# Patch0001: ### Dependencies ### 
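Review bot: Dropping the `%global child_capabilities` definition in the `@@ -16,9 +16,6 @@` hunk leaves any `%caps(%{child_capabilities})` that this patch does not rewrite pointing at an undefined macro, which rpm will not expand into a valid capability string. The visible hunks replace the three uses (ldap_child, krb5_child, selinux_child), but the rest of the spec is outside this diff, so a `grep child_capabilities sssd.spec` on the patched file should come back empty before this is built. The `# Patch0001:` placeholder in the `@@ -59,16 +56,16 @@` hunk would read clearer as `# no downstream patches on top of 2.10.1` so a later reader does not take it for a commented-out patch that still needs applying.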
@@ -142,10 +139,10 @@ BuildRequires: m4
 BuildRequires: make
 BuildRequires: nss_wrapper
 BuildRequires: openldap-devel
-BuildRequires: openssh
 # required for p11_child smartcard tests
-BuildRequires: openssl
-BuildRequires: openssl-devel
+BuildRequires: openssh
+BuildRequires: openssl >= 1.0.1
+BuildRequires: openssl-devel >= 1.0.1
 BuildRequires: p11-kit-devel
 BuildRequires: pam_wrapper
 BuildRequires: pam-devel
@@ -163,6 +160,7 @@ BuildRequires: softhsm >= 2.1.0
 BuildRequires: bc
 BuildRequires: systemd-devel
 BuildRequires: systemtap-sdt-devel
+BuildRequires: systemtap-sdt-dtrace
 BuildRequires: uid_wrapper
 BuildRequires: po4a
 BuildRequires: valgrind-devel
@@ -532,7 +530,7 @@ enable authentication with passkey token.
 %endif
 
 %prep
-%autosetup -n sssd-2.10.0 -p1
+%autosetup -n sssd-2.10.1 -p1
 
 %build
 
@@ -766,7 +764,6 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %{_libdir}/%{name}/libsss_krb5_common.so
 %{_libdir}/%{name}/libsss_ldap_common.so
 %{_libdir}/%{name}/libsss_util.so
-%{_libdir}/%{name}/libsss_semanage.so
 %{_libdir}/%{name}/libifp_iface.so
 %{_libdir}/%{name}/libifp_iface_sync.so
 %{_libdir}/%{name}/libsss_iface.so
@@ -844,8 +841,8 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %files krb5-common
 %license COPYING
 %attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/ldap_child
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/krb5_child
+%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/ldap_child
+%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search,cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %license COPYING
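Review bot: The new `%caps(...)` strings in the `@@ -844,8 +841,8 @@` hunk (and `cap_setuid,cap_setgid=p` for selinux_child in the following `@@ -863,7 +860,7 @@` hunk) place the capabilities in the permitted set only (`=p`), where the removed `child_capabilities` global ended in `=ep`; that is a real tightening, but it only works if each helper raises the capability into its effective set itself, which the spec cannot show — presumably the 2.10.1 helpers do, so confirm against the binaries before release. `cap_dac_read_search` bypasses every file-read and directory-search permission check on the host, so the reason each helper holds it deserves a one-line comment above these entries, naming the file the helper needs it for (the keytab, presumably) and stating that the caps are permitted-only and raised by the helper. Without that, the next person tidying the spec has no way to tell `cap_dac_read_search=p` from a leftover of the old `=ep` line.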
@@ -863,7 +860,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %license COPYING
 %attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
 %{_libdir}/%{name}/libsss_ipa.so
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/selinux_child
+%attr(0750,root,%{sssd_user}) %caps(cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
@@ -1052,12 +1049,12 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
 %__rm -f %{mcpath}/group
 %__rm -f %{mcpath}/initgroups
 %__rm -f %{mcpath}/sid
+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
+%__chmod -f -R g+r %{_sysconfdir}/sssd || true
 %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
 %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
 %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
-%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
+%__chown -f -R %{sssd_user}:%{sssd_user} %{gpocachepath} || true
 
 %preun common
 %systemd_preun sssd.service
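Review bot: `%__chmod -f -R g+r %{_sysconfdir}/sssd || true` in the `@@ -1052,12 +1049,12 @@` hunk grants group read on every file under /etc/sssd but not group search on its directories, so if any directory there (conf.d, for instance) is not already group-executable through its `%attr` entry, the sssd user still cannot open the files inside it; `%__chmod -f -R g+rX %{_sysconfdir}/sssd || true` adds the search bit on directories only, without making regular files executable. The recursive `chown root:%{sssd_user}` together with `g+r` also widens access to every admin-placed file under /etc/sssd, where the removed lines only touched sssd.conf and conf.d — probably intended because only the sssd user is in that group, but that intent belongs in a comment on the line, e.g. `# whole /etc/sssd tree must be readable by the sssd user (secrets stay 0640 root:sssd)`. With `|| true` on both lines a failure here is silent, so the scriptlet cannot tell the admin when sssd.conf ends up unreadable by the service.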
@@ -1119,6 +1116,16 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Tue Dec 10 2024 Alexey Tikhonov - 2.10.1-1
+- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0
+- Resolves: RHEL-4984 - Mismatch between input and parsed domain name when default_domain_suffix is set.
+- Resolves: RHEL-65848 - sssd password authentication broken in sssd-2.10.0~beta2-2 and later
+- Resolves: RHEL-67669 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option
+- Resolves: RHEL-68421 - sssd ldap_child process segfaults when krb5.conf is invalid [rhel-10]
+- Resolves: RHEL-66935 - Avoid log flooding in case an app keeps making invalid `getservbyport(0, ...)` request
+- Resolves: RHEL-65736 - ipa: sudo commands doesn't check threshold correctly
+- Resolves: RHEL-68319 - Please deprecate/remove ad_allow_remote_domain_local_groups
+
 * Mon Oct 21 2024 Alexey Tikhonov - 2.10.0-3
 - Related: RHEL-59777 - Rebase Samba to the latest 4.21.x release