import CS sssd-2.9.1-2.el8

2023-11-15 08:26:28 +00:00 · 2023-11-15 08:26:28 +00:00 · 9a403b1a7e
parent 87cae3c020
commit 9a403b1a7e
9 changed files with 211 additions and 341 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/sssd-2.8.2.tar.gz
+SOURCES/sssd-2.9.1.tar.gz
--- a/.sssd.metadata
+++ b/.sssd.metadata
@ -1 +1 @@
-4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
+5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz
--- a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+++ b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
@ -1,158 +0,0 @@
-From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 8 Dec 2022 15:14:05 +0100
-Subject: [PATCH] ldap: update shadow last change in sysdb as well
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Otherwise pam can use the changed information whe id chaching is
-enabled, so next authentication that fits into the id timeout
-(5 seconds by default) will still sees the password as expired.
-
-Resolves: https://github.com/SSSD/sssd/issues/6477
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
---
- src/db/sysdb.h                 |  4 ++++
- src/db/sysdb_ops.c             | 32 ++++++++++++++++++++++++++++++++
- src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
- 3 files changed, 52 insertions(+), 5 deletions(-)
-
-diff --git a/src/db/sysdb.h b/src/db/sysdb.h
-index 7c666f5c4..06b44f5ba 100644
--- a/src/db/sysdb.h
-+++ b/src/db/sysdb.h
-@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
-                         struct sysdb_attrs *attrs,
-                         int mod_op);
- 
-+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
-+                                             const char *name,
-+                                             const char *attrname);
-+
- /* Replace group attrs */
- int sysdb_set_group_attr(struct sss_domain_info *domain,
-                          const char *name,
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 0d6f2d5cd..ed0df9872 100644
--- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -1485,6 +1485,38 @@ done:
-     return ret;
- }
- 
-+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
-+                                             const char *name,
-+                                             const char *attrname)
-+{
-+    struct sysdb_attrs *attrs;
-+    char *value;
-+    errno_t ret;
-+
-+    attrs = sysdb_new_attrs(NULL);
-+    if (attrs == NULL) {
-+        return ENOMEM;
-+    }
-+
-+    /* The attribute contains number of days since the epoch */
-+    value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
-+    if (value == NULL) {
-+        ret = ENOMEM;
-+        goto done;
-+    }
-+
-+    ret = sysdb_attrs_add_string(attrs, attrname, value);
-+    if (ret != EOK) {
-+        goto done;
-+    }
-+
-+    ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
-+
-+done:
-+    talloc_free(attrs);
-+    return ret;
-+}
-+
- /* =Replace-Attributes-On-Group=========================================== */
- 
- int sysdb_set_group_attr(struct sss_domain_info *domain,
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index 6404a9d3a..96b9d6df4 100644
--- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
-     struct pam_data *pd;
-     struct sdap_handle *sh;
-     char *dn;
-+    enum pwexpire pw_expire_type;
- };
- 
- static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
-@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
- {
-     struct sdap_pam_chpass_handler_state *state;
-     struct tevent_req *req;
-    enum pwexpire pw_expire_type;
-     void *pw_expire_data;
-     size_t msg_len;
-     uint8_t *msg;
-@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-     state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
- 
-     ret = auth_recv(subreq, state, &state->sh, &state->dn,
-                    &pw_expire_type, &pw_expire_data);
-+                    &state->pw_expire_type, &pw_expire_data);
-     talloc_free(subreq);
- 
-     if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
-@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-     }
- 
-     if (ret == EOK) {
-        switch (pw_expire_type) {
-+        switch (state->pw_expire_type) {
-         case PWEXPIRE_SHADOW:
-             ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
-             break;
-@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-             break;
-         default:
-             DEBUG(SSSDBG_CRIT_FAILURE,
-                  "Unknown password expiration type %d.\n", pw_expire_type);
-+                  "Unknown password expiration type %d.\n",
-+                  state->pw_expire_type);
-             state->pd->pam_status = PAM_SYSTEM_ERR;
-             goto done;
-         }
-@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-         case ERR_PASSWORD_EXPIRED:
-             DEBUG(SSSDBG_TRACE_LIBS,
-                   "user [%s] successfully authenticated.\n", state->dn);
-            ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
-+            ret = sdap_pam_chpass_handler_change_step(state, req,
-+                                                      state->pw_expire_type);
-             if (ret != EOK) {
-                 DEBUG(SSSDBG_OP_FAILURE,
-                       "sdap_pam_chpass_handler_change_step() failed.\n");
-@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
- 
-     switch (ret) {
-     case EOK:
-+        if (state->pw_expire_type == PWEXPIRE_SHADOW) {
-+            ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
-+                    state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
-+            if (ret != EOK) {
-+                state->pd->pam_status = PAM_SYSTEM_ERR;
-+                goto done;
-+            }
-+        }
-+
-         state->pd->pam_status = PAM_SUCCESS;
-         break;
-     case ERR_CHPASS_DENIED:
-- 
-2.37.3
-
--- a/SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
+++ b/SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
@ -0,0 +1,106 @@
+From f16e570838d1c6cd30b5883f364b0f437c314b1f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 9 Jun 2023 12:31:39 +0200
+Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Those two new calls can be used if there are requests stuck by e.g.
+waiting on replies where there is no other way to handle the timeout and
+get the system back into a stable state. They should be only used as a
+last resort.
+
+Resolves: https://github.com/SSSD/sssd/issues/6803
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 75f2b35ad3b9256de905d05c5108400d35688554)
+---
+ src/util/util.h          | 12 ++++++++++++
+ src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
+ 2 files changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/util.h b/src/util/util.h
+index 11dc40d57..02fd53237 100644
+--- a/src/util/util.h
+++ b/src/util/util.h
+@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
+ void teardown_watchdog(void);
+ int get_watchdog_ticks(void);
+ 
+/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
+ * the watchdog reset, respectively. This means that after arm_watchdog() is
+ * called the watchdog will not be resetted anymore and it will kill the
+ * process if disarm_watchdog() wasn't called before.
+ * Those calls should only be used when there is no other way to handle
+ * waiting request and recover into a stable state.
+ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
+ * not be called a second time in a different request because then
+ * disarm_watchdog() will disable the watchdog coverage for both. */
+void arm_watchdog(void);
+void disarm_watchdog(void);
+
+ /* from files.c */
+ int sss_remove_tree(const char *root);
+ int sss_remove_subtree(const char *root);
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index b1534e499..abafd94b9 100644
+--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
+@@ -40,6 +40,7 @@ struct watchdog_ctx {
+     time_t timestamp;
+     struct tevent_fd *tfd;
+     int pipefd[2];
+    bool armed; /* if 'true' ticks counter will not be reset */
+ } watchdog_ctx;
+ 
+ static void watchdog_detect_timeshift(void)
+@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
+                                    struct timeval current_time,
+                                    void *private_data)
+ {
+-    /* first thing reset the watchdog ticks */
+-    watchdog_reset();
+    if (!watchdog_ctx.armed) {
+        /* first thing reset the watchdog ticks */
+        watchdog_reset();
+    } else {
+        DEBUG(SSSDBG_IMPORTANT_INFO,
+              "Watchdog armed, process might be terminated soon.\n");
+    }
+ 
+     /* then set a new watchodg event */
+     watchdog_ctx.te = tevent_add_timer(ev, ev,
+@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
+     watchdog_ctx.ev = ev;
+     watchdog_ctx.input_interval = interval;
+     watchdog_ctx.timestamp = time(NULL);
+    watchdog_ctx.armed = false;
+ 
+     ret = pipe(watchdog_ctx.pipefd);
+     if (ret == -1) {
+@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
+ {
+     return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
+ }
+
+void arm_watchdog(void)
+{
+    if (watchdog_ctx.armed) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "arm_watchdog() is called although the watchdog is already armed. "
+              "This indicates a programming error and should be avoided because "
+              "it will most probably not work as expected.\n");
+    }
+
+    watchdog_ctx.armed = true;
+}
+
+void disarm_watchdog(void)
+{
+    watchdog_ctx.armed = false;
+}
+-- 
+2.38.1
+
--- a/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
+++ b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
@ -1,58 +0,0 @@
-From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 3 Feb 2023 11:35:42 +0100
-Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
- read/write/check helpers.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
-error condition is detected, regular `POLLIN/POLLOUT` won't be set.
-Error code set by error condition should have a priority. This enables
-users of this helper to retry attempt (as designed).
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
---
- src/sss_client/common.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 2c888faa9..27e09f6f3 100644
--- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
-         case 1:
-             if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-                 *errnop = EPIPE;
-            }
-            if (!(pfd.revents & POLLOUT)) {
-+            } else if (!(pfd.revents & POLLOUT)) {
-                 *errnop = EBUSY;
-             }
-             break;
-@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
-             }
-             if (pfd.revents & (POLLERR | POLLNVAL)) {
-                 *errnop = EPIPE;
-            }
-            if (!(pfd.revents & POLLIN)) {
-+            } else if (!(pfd.revents & POLLIN)) {
-                 *errnop = EBUSY;
-             }
-             break;
-@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
-         case 1:
-             if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-                 *errnop = EPIPE;
-            }
-            if (!(pfd.revents & (POLLIN | POLLOUT))) {
-+            } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
-                 *errnop = EBUSY;
-             }
-             break;
-- 
-2.37.3
-
--- a/SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch
+++ b/SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch
@ -0,0 +1,66 @@
+From 27987c791bc452f53696a3a33f0d607ab040e78d Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 9 Jun 2023 13:01:47 +0200
+Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There seem to be conditions where the reply in the
+sbus_call_DBus_Hello_send() request gets lost and the backend cannot
+properly initialize its sbus/DBus server. Since the backend cannot be
+connected by the frontends in this state the best way to recover would
+be a restart. Since the event-loop is active in this state, e.g. waiting
+for the reply, the watchdog will not consider the process as hung and
+will not restart the process.
+
+To make the watchdog handle this case arm_watchdog() and
+disarm_watchdog() are called before and after the request, respectively.
+
+Resolves: https://github.com/SSSD/sssd/issues/6803
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
+---
+ Makefile.am                                   | 1 -
+ src/sbus/connection/sbus_connection_connect.c | 4 ++++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index e780e8a14..23c63ec1e 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -4672,7 +4672,6 @@ krb5_child_LDADD = \
+     $(CLIENT_LIBS) \
+     $(SYSTEMD_LOGIN_LIBS) \
+     $(JANSSON_LIBS) \
+-    libsss_sbus.la \
+     $(NULL)
+ 
+ ldap_child_SOURCES = \
+diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
+index 45a0fa491..edc090e15 100644
+--- a/src/sbus/connection/sbus_connection_connect.c
+++ b/src/sbus/connection/sbus_connection_connect.c
+@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
+ 
+     tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
+ 
+    arm_watchdog();
+
+     return req;
+ }
+ 
+@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
+     uint32_t res;
+     errno_t ret;
+ 
+    disarm_watchdog();
+
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+ 
+     ret = sbus_call_DBus_RequestName_recv(subreq, &res);
+-- 
+2.38.1
+
--- a/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
+++ b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
@ -1,63 +0,0 @@
-From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 8 Feb 2023 17:48:52 +0100
-Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
- alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
- there is a risk to close "foreign" socket opened in another thread.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
---
- src/sss_client/common.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 27e09f6f3..c8ade645b 100644
--- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
-             *errnop = ETIME;
-             break;
-         case 1:
-            if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-+            if (pfd.revents & (POLLERR | POLLHUP)) {
-+                *errnop = EPIPE;
-+            } else if (pfd.revents & POLLNVAL) {
-+                /* Invalid request: fd is not opened */
-+                sss_cli_sd = -1;
-                 *errnop = EPIPE;
-             } else if (!(pfd.revents & POLLOUT)) {
-                 *errnop = EBUSY;
-@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
-             if (pfd.revents & (POLLHUP)) {
-                 pollhup = true;
-             }
-            if (pfd.revents & (POLLERR | POLLNVAL)) {
-+            if (pfd.revents & POLLERR) {
-+                *errnop = EPIPE;
-+            } else if (pfd.revents & POLLNVAL) {
-+                /* Invalid request: fd is not opened */
-+                sss_cli_sd = -1;
-                 *errnop = EPIPE;
-             } else if (!(pfd.revents & POLLIN)) {
-                 *errnop = EBUSY;
-@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
-             *errnop = ETIME;
-             break;
-         case 1:
-            if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-+            if (pfd.revents & (POLLERR | POLLHUP)) {
-+                *errnop = EPIPE;
-+            } else if (pfd.revents & POLLNVAL) {
-+                /* Invalid request: fd is not opened */
-+                sss_cli_sd = -1;
-                 *errnop = EPIPE;
-             } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
-                 *errnop = EBUSY;
-- 
-2.37.3
-
--- a/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
+++ b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
@ -1,53 +0,0 @@
-From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 8 Feb 2023 18:58:37 +0100
-Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
- mutex. Otherwise a thread calling pam_end() can close socket mid pam
- transaction in another thread.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Bug only manifested on platforms where "lockfree client"
-feature wasn't built.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
---
- src/sss_client/pam_sss.c     | 3 +++
- src/sss_client/pam_sss_gss.c | 2 ++
- 2 files changed, 5 insertions(+)
-
-diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
-index afbdef59a..39ad17188 100644
--- a/src/sss_client/pam_sss.c
-+++ b/src/sss_client/pam_sss.c
-@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
- #endif /* PAM_DATA_REPLACE */
- 
-     D(("Closing the fd"));
-+
-+    sss_pam_lock();
-     sss_cli_close_socket();
-+    sss_pam_unlock();
- }
- 
- struct cert_auth_info {
-diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
-index 1109ec570..dd578ae5d 100644
--- a/src/sss_client/pam_sss_gss.c
-+++ b/src/sss_client/pam_sss_gss.c
-@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
-     }
- 
- done:
-+    sss_pam_lock();
-     sss_cli_close_socket();
-+    sss_pam_unlock();
-     free(username);
-     free(domain);
-     free(target);
-- 
-2.37.3
-
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@ -18,7 +18,7 @@
 %global enable_systemtap_opt --enable-systemtap

 Name: sssd
-Version: 2.8.2
+Version: 2.9.1
 Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
@ -27,10 +27,8 @@ URL: https://github.com/SSSD/sssd
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz

 ### Patches ###
-Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
-Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
-Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
-Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
+Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
+Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch

 ### Downstream Patches ###

@ -214,7 +212,6 @@ Summary: Userspace tools for use with the SSSD
 Group: Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
-Requires: libsss_simpleifp = %{version}-%{release}
 # required by sss_obfuscate
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
@ -594,6 +591,8 @@ autoreconf -ivf
    --with-initscript=systemd \
    --with-syslog=journald \
    --with-subid \
+    --with-files-provider \
+    --with-libsifp \
    --enable-sss-default-nss-plugin \
    --without-python2-bindings \
    --with-sssd-user=sssd \
@ -910,7 +909,7 @@ done
 %{_mandir}/man5/sssd-ifp.5*
 %{_unitdir}/sssd-ifp.service
 # InfoPipe DBus plumbing
-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service

 %files -n libsss_simpleifp
@ -1213,6 +1212,37 @@ fi
 %systemd_postun_with_restart sssd.service

 %changelog
+* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
+- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
+
+* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
+- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
+- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
+- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
+- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
+- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
+- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
+- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
+- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
+- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
+- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
+
+* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
+- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
+  Rebuild against rebased Samba libs
+
+* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
+- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
+
+* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
+- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
+- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
+- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
+- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
+- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
+- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
+- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
+
 * Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
 - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"