Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9

Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
Alexey Tikhonov 2023-05-15 17:25:02 +02:00
parent 5cc012ea39
commit a994a882f1
7 changed files with 265 additions and 288 deletions

.gitignore vendored

@ -4,3 +4,4 @@
/sssd-2.7.3.tar.gz
/sssd-2.8.1.tar.gz
/sssd-2.8.2.tar.gz
/sssd-2.9.0.tar.gz


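--- a/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
+++ b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
@@ -0,0 +1,248 @@
+From eb43c2400a34a4ab77be4f75ba7536baecda3bef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
+Date: Wed, 10 May 2023 17:29:07 +0200
+Subject: [PATCH] FILE WATCH: Callback not executed on link or relative path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+When the watched file was a symbolic link or was a relative path,
+the calback was not executed because the filename comparison
+was wrongly considering the files to be different.
+The solution is to normalize the filenames before comparing them.
+This cannot be easily done at setup because the file could not
+exist at that moment.
+The test was adapted to check this situation.
+Resolves: https://github.com/SSSD/sssd/issues/6718
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3)
+---
+src/tests/file_watch-tests.c | 83 ++++++++++++++++++++++++++----------
+src/util/file_watch.c | 26 +++++++++--
+2 files changed, 83 insertions(+), 26 deletions(-)
+diff --git a/src/tests/file_watch-tests.c b/src/tests/file_watch-tests.c
+index 3ca5b44f9..3e1aea6ce 100644
+--- a/src/tests/file_watch-tests.c
++++ b/src/tests/file_watch-tests.c
+@@ -36,11 +36,19 @@
+#include "util/file_watch.h"
+#include "tests/common.h"
+-#define FW_DIR TEST_DIR "/file-watch"
+-#define WATCHED_FILE_INOTIFY FW_DIR "/watched_file_inotify"
+-#define WATCHED_FILE_POLL FW_DIR "/watched_file_poll"
+-#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/watched_file_inotify.exists"
+-#define WATCHED_EXISTING_FILE_POLL FW_DIR "/watched_file_poll.exists"
++#define FW_NAME "/file-watch-test-dir"
++#define FILE_INOTIFY_NAME "watched_file_inotify"
++#define FILE_POLL_NAME "watched_file_poll"
++#define FW_DIR TEST_DIR FW_NAME
++#define EXISTING_FILE_INOTIFY_NAME FILE_INOTIFY_NAME ".exists"
++#define EXISTING_FILE_POLL_NAME FILE_POLL_NAME ".exists"
++#define WATCHED_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" FILE_INOTIFY_NAME
++#define WATCHED_FILE_POLL FW_DIR "/.." FW_NAME "/" FILE_POLL_NAME
++#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" EXISTING_FILE_INOTIFY_NAME
++#define WATCHED_EXISTING_FILE_POLL FW_DIR "/.." FW_NAME "/" EXISTING_FILE_POLL_NAME
++#define WATCHED_EXISTING_LINK_INOTIFY FW_DIR "/" EXISTING_FILE_INOTIFY_NAME ".link"
++#define WATCHED_EXISTING_LINK_POLL FW_DIR "/" EXISTING_FILE_POLL_NAME ".link"
++#define UNWATCHED_FILE FW_DIR "/unwatched_file"
+static TALLOC_CTX *test_mem_ctx;
+@@ -50,34 +58,51 @@ struct fn_arg {
+int counter;
+};
+-static void setup_file_watch(void)
++static void remove_files(void)
+{
+- test_mem_ctx = talloc_new(NULL);
+- mkdir(FW_DIR, 0700);
+unlink(WATCHED_FILE_INOTIFY);
+unlink(WATCHED_FILE_POLL);
++ unlink(WATCHED_EXISTING_LINK_INOTIFY);
++ unlink(WATCHED_EXISTING_LINK_POLL);
+unlink(WATCHED_EXISTING_FILE_INOTIFY);
+unlink(WATCHED_EXISTING_FILE_POLL);
++ unlink(UNWATCHED_FILE);
+}
++static void setup_file_watch(void)
++{
++ DEBUG(SSSDBG_TRACE_ALL, "==========================================\n");
++ test_mem_ctx = talloc_new(NULL);
++ mkdir(FW_DIR, 0700);
++ remove_files();
++}
+static void teardown_file_watch(void)
+{
+- unlink(WATCHED_FILE_INOTIFY);
+- unlink(WATCHED_FILE_POLL);
+- unlink(WATCHED_EXISTING_FILE_INOTIFY);
+- unlink(WATCHED_EXISTING_FILE_POLL);
+talloc_free(test_mem_ctx);
++ remove_files();
++ rmdir(FW_DIR);
+}
+static void callback(const char *filename, void *arg)
+{
+- DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
++ static char received[PATH_MAX + 1];
++ static char expected[PATH_MAX + 1];
++ char *res;
+struct fn_arg *data = (struct fn_arg *) arg;
++ DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
++
+ck_assert_msg(data != NULL, "Callback received NULL argument");
+- ck_assert_msg(strcmp(filename, data->filename) == 0,
++
++ res = realpath(data->filename, expected);
++ ck_assert_msg(res != NULL, "Failed to normalize the expected filename");
++
++ res = realpath(filename, received);
++ ck_assert_msg(res != NULL, "Failed to normalize the received filename");
++
++ ck_assert_msg(strcmp(expected, received) == 0,
+"Wrong filename in the callback.");
+data->counter++;
+}
+@@ -88,7 +113,7 @@ static void modify_file(const char *filename)
+int fd;
+int res;
+- DEBUG(SSSDBG_TRACE_FUNC, "File modified\n");
++ DEBUG(SSSDBG_TRACE_FUNC, "Modifying file %s\n", filename);
+fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
+ck_assert_msg(fd != -1, "Failed to open the file.");
+@@ -119,11 +144,14 @@ static void test_file_watch_no_file(bool use_inotify)
+arg.filename = filename;
+arg.counter = 0;
++ DEBUG(SSSDBG_TRACE_ALL, "Watching file %s\n", filename);
+ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
+ck_assert_msg(ctx != NULL, "Failed to watch a file.");
+ck_assert_msg(arg.counter == 0, "Unexpected callback invocation.");
+- // At this point the file doesn't exist, we will create it.
++ // At this point the file doesn't exist. We create the watched and an
++ // unwatched file
++ modify_file(UNWATCHED_FILE);
+modify_file(filename);
+if (use_inotify) {
+res = tevent_loop_once(ev);
+@@ -152,26 +180,35 @@ static void test_file_watch_with_file(bool use_inotify)
+{
+struct file_watch_ctx *ctx;
+struct tevent_context *ev;
++ const char *filepath;
+const char *filename;
++ const char *linkpath;
+struct fn_arg arg;
+int res;
+if (use_inotify) {
+- filename = WATCHED_EXISTING_FILE_INOTIFY;
++ filename = EXISTING_FILE_INOTIFY_NAME;
++ filepath = WATCHED_EXISTING_FILE_INOTIFY;
++ linkpath = WATCHED_EXISTING_LINK_INOTIFY;
+} else {
+- filename = WATCHED_EXISTING_FILE_POLL;
++ filename = EXISTING_FILE_POLL_NAME;
++ filepath = WATCHED_EXISTING_FILE_POLL;
++ linkpath = WATCHED_EXISTING_LINK_POLL;
+}
+- modify_file(filename);
++ modify_file(filepath);
++ res = symlink(filename, linkpath);
++ ck_assert_msg(res == 0, "Failed create the symbolic link");
+ev = tevent_context_init(test_mem_ctx);
+ck_assert_msg(ev != NULL, "Failed to create the tevent context.");
+- arg.filename = filename;
++ arg.filename = linkpath;
+arg.counter = 0;
+// File already exists
+- ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
+- ck_assert_msg(ctx != NULL, "Failed to watch a file.");
++ DEBUG(SSSDBG_TRACE_ALL, "Watching link %s\n", linkpath);
++ ctx = fw_watch_file(test_mem_ctx, ev, linkpath, use_inotify, callback, &arg);
++ ck_assert_msg(ctx != NULL, "Failed to watch a link.");
+ck_assert_msg(arg.counter >= 1, "Callback not invoked at start up.");
+ck_assert_msg(arg.counter <= 1, "Callback invoked too many times at start up.");
+@@ -179,7 +216,7 @@ static void test_file_watch_with_file(bool use_inotify)
+if (!use_inotify) {
+sleep(2); // Detection by polling is based on the file's modification time.
+}
+- modify_file(filename);
++ modify_file(filepath);
+if (use_inotify) {
+res = tevent_loop_once(ev);
+ck_assert_msg(res == 0, "tevent_loop_once() failed.");
+diff --git a/src/util/file_watch.c b/src/util/file_watch.c
+index b994e4116..d19fdccd6 100644
+--- a/src/util/file_watch.c
++++ b/src/util/file_watch.c
+@@ -121,7 +121,10 @@ static int watched_file_inotify_cb(const char *filename,
+uint32_t flags,
+void *pvt)
+{
++ static char received[PATH_MAX + 1];
++ static char expected[PATH_MAX + 1];
+struct file_watch_ctx *fw_ctx;
++ char *res;
+DEBUG(SSSDBG_TRACE_LIBS,
+"Received inotify notification for %s\n", filename);
+@@ -131,15 +134,32 @@ static int watched_file_inotify_cb(const char *filename,
+return EINVAL;
+}
+- if (strcmp(fw_ctx->filename, filename) == 0) {
+- if (access(fw_ctx->filename, F_OK) == 0) {
+- fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg);
++ res = realpath(fw_ctx->filename, expected);
++ if (res == NULL) {
++ DEBUG(SSSDBG_TRACE_LIBS,
++ "Normalization failed for expected %s. Skipping the callback.\n",
++ fw_ctx->filename);
++ goto done;
++ }
++
++ res = realpath(filename, received);
++ if (res == NULL) {
++ DEBUG(SSSDBG_TRACE_LIBS,
++ "Normalization failed for received %s. Skipping the callback.\n",
++ filename);
++ goto done;
++ }
++
++ if (strcmp(expected, received) == 0) {
++ if (access(received, F_OK) == 0) {
++ fw_ctx->cb(received, fw_ctx->cb_arg);
+} else {
+DEBUG(SSSDBG_TRACE_LIBS,
+"File %s is missing. Skipping the callback.\n", filename);
+}
+}
++done:
+return EOK;
+}
+--
+2.38.1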
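Review bot: The callback now receives the canonical path (`fw_ctx->cb(received, fw_ctx->cb_arg)` in the src/util/file_watch.c hunk) where it previously received `fw_ctx->filename` exactly as registered, and nothing documents that contract change; a consumer that compares the argument with the path it passed to fw_watch_file(), as the old test did, would now mismatch for a link or a relative path. The fw_watch_file() comment in util/file_watch.h should state it, e.g. `/* The callback is invoked with the realpath()-resolved form of the file, which may differ from the path registered here. */`. The following `access(received, F_OK)` is now almost always redundant, since realpath(filename) only succeeds when the file exists, so the "File %s is missing" branch only covers a window between the two calls; a one-line comment saying so would spare a reader searching for the case it handles. The two static PATH_MAX buffers also make watched_file_inotify_cb non-reentrant, which looks acceptable under a single tevent loop but deserves a comment. watched_file_inotify_cb begins outside this hunk, in the preceding one.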


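--- a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+++ b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
@@ -1,158 +0,0 @@
-From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 8 Dec 2022 15:14:05 +0100
-Subject: [PATCH] ldap: update shadow last change in sysdb as well
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Otherwise pam can use the changed information whe id chaching is
-enabled, so next authentication that fits into the id timeout
-(5 seconds by default) will still sees the password as expired.
-Resolves: https://github.com/SSSD/sssd/issues/6477
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
----
-src/db/sysdb.h | 4 ++++
-src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
-src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
-3 files changed, 52 insertions(+), 5 deletions(-)
-diff --git a/src/db/sysdb.h b/src/db/sysdb.h
-index 7c666f5c4..06b44f5ba 100644
---- a/src/db/sysdb.h
-+++ b/src/db/sysdb.h
-@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
-struct sysdb_attrs *attrs,
-int mod_op);
-+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
-+ const char *name,
-+ const char *attrname);
-+
-/* Replace group attrs */
-int sysdb_set_group_attr(struct sss_domain_info *domain,
-const char *name,
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 0d6f2d5cd..ed0df9872 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -1485,6 +1485,38 @@ done:
-return ret;
-}
-+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
-+ const char *name,
-+ const char *attrname)
-+{
-+ struct sysdb_attrs *attrs;
-+ char *value;
-+ errno_t ret;
-+
-+ attrs = sysdb_new_attrs(NULL);
-+ if (attrs == NULL) {
-+ return ENOMEM;
-+ }
-+
-+ /* The attribute contains number of days since the epoch */
-+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
-+ if (value == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ ret = sysdb_attrs_add_string(attrs, attrname, value);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
-+
-+done:
-+ talloc_free(attrs);
-+ return ret;
-+}
-+
-/* =Replace-Attributes-On-Group=========================================== */
-int sysdb_set_group_attr(struct sss_domain_info *domain,
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index 6404a9d3a..96b9d6df4 100644
---- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
-struct pam_data *pd;
-struct sdap_handle *sh;
-char *dn;
-+ enum pwexpire pw_expire_type;
-};
-static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
-@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-{
-struct sdap_pam_chpass_handler_state *state;
-struct tevent_req *req;
-- enum pwexpire pw_expire_type;
-void *pw_expire_data;
-size_t msg_len;
-uint8_t *msg;
-@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
-ret = auth_recv(subreq, state, &state->sh, &state->dn,
-- &pw_expire_type, &pw_expire_data);
-+ &state->pw_expire_type, &pw_expire_data);
-talloc_free(subreq);
-if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
-@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-}
-if (ret == EOK) {
-- switch (pw_expire_type) {
-+ switch (state->pw_expire_type) {
-case PWEXPIRE_SHADOW:
-ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
-break;
-@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-break;
-default:
-DEBUG(SSSDBG_CRIT_FAILURE,
-- "Unknown password expiration type %d.\n", pw_expire_type);
-+ "Unknown password expiration type %d.\n",
-+ state->pw_expire_type);
-state->pd->pam_status = PAM_SYSTEM_ERR;
-goto done;
-}
-@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-case ERR_PASSWORD_EXPIRED:
-DEBUG(SSSDBG_TRACE_LIBS,
-"user [%s] successfully authenticated.\n", state->dn);
-- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
-+ ret = sdap_pam_chpass_handler_change_step(state, req,
-+ state->pw_expire_type);
-if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE,
-"sdap_pam_chpass_handler_change_step() failed.\n");
-@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
-switch (ret) {
-case EOK:
-+ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
-+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
-+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
-+ if (ret != EOK) {
-+ state->pd->pam_status = PAM_SYSTEM_ERR;
-+ goto done;
-+ }
-+ }
-+
-state->pd->pam_status = PAM_SUCCESS;
-break;
-case ERR_CHPASS_DENIED:
---
-2.37.3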


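--- a/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
+++ b/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
@@ -1,58 +0,0 @@
-From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 3 Feb 2023 11:35:42 +0100
-Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
-read/write/check helpers.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
-error condition is detected, regular `POLLIN/POLLOUT` won't be set.
-Error code set by error condition should have a priority. This enables
-users of this helper to retry attempt (as designed).
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
----
-src/sss_client/common.c | 9 +++------
-1 file changed, 3 insertions(+), 6 deletions(-)
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 2c888faa9..27e09f6f3 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
-case 1:
-if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-*errnop = EPIPE;
-- }
-- if (!(pfd.revents & POLLOUT)) {
-+ } else if (!(pfd.revents & POLLOUT)) {
-*errnop = EBUSY;
-}
-break;
-@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
-}
-if (pfd.revents & (POLLERR | POLLNVAL)) {
-*errnop = EPIPE;
-- }
-- if (!(pfd.revents & POLLIN)) {
-+ } else if (!(pfd.revents & POLLIN)) {
-*errnop = EBUSY;
-}
-break;
-@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
-case 1:
-if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-*errnop = EPIPE;
-- }
-- if (!(pfd.revents & (POLLIN | POLLOUT))) {
-+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
-*errnop = EBUSY;
-}
-break;
---
-2.37.3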


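--- a/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
+++ b/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
@@ -1,63 +0,0 @@
-From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 8 Feb 2023 17:48:52 +0100
-Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
-alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
-there is a risk to close "foreign" socket opened in another thread.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
----
-src/sss_client/common.c | 18 +++++++++++++++---
-1 file changed, 15 insertions(+), 3 deletions(-)
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 27e09f6f3..c8ade645b 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
-*errnop = ETIME;
-break;
-case 1:
-- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-+ if (pfd.revents & (POLLERR | POLLHUP)) {
-+ *errnop = EPIPE;
-+ } else if (pfd.revents & POLLNVAL) {
-+ /* Invalid request: fd is not opened */
-+ sss_cli_sd = -1;
-*errnop = EPIPE;
-} else if (!(pfd.revents & POLLOUT)) {
-*errnop = EBUSY;
-@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
-if (pfd.revents & (POLLHUP)) {
-pollhup = true;
-}
-- if (pfd.revents & (POLLERR | POLLNVAL)) {
-+ if (pfd.revents & POLLERR) {
-+ *errnop = EPIPE;
-+ } else if (pfd.revents & POLLNVAL) {
-+ /* Invalid request: fd is not opened */
-+ sss_cli_sd = -1;
-*errnop = EPIPE;
-} else if (!(pfd.revents & POLLIN)) {
-*errnop = EBUSY;
-@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
-*errnop = ETIME;
-break;
-case 1:
-- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-+ if (pfd.revents & (POLLERR | POLLHUP)) {
-+ *errnop = EPIPE;
-+ } else if (pfd.revents & POLLNVAL) {
-+ /* Invalid request: fd is not opened */
-+ sss_cli_sd = -1;
-*errnop = EPIPE;
-} else if (!(pfd.revents & (POLLIN | POLLOUT))) {
-*errnop = EBUSY;
---
-2.37.3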


@ -1 +1 @@
SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55
SHA512 (sssd-2.9.0.tar.gz) = cf65572cfa6468c4b3edc3a33a48ab6d58979917901662eb8b2d8fc5931494be81da13295246500a3a315b71d0395594c9a565014e5875f3cdde50da096f253d


@ -18,8 +18,8 @@
%global enable_systemtap_opt --enable-systemtap
Name: sssd
Version: 2.8.2
Release: 2%{?dist}
Version: 2.9.0
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -27,10 +27,7 @@ URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
### Downstream Patches ###
@ -214,7 +211,6 @@ Summary: Userspace tools for use with the SSSD
Group: Applications/System
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: libsss_simpleifp = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
@ -594,6 +590,8 @@ autoreconf -ivf
--with-initscript=systemd \
--with-syslog=journald \
--with-subid \
--with-files-provider \
--with-libsifp \
--enable-sss-default-nss-plugin \
--without-python2-bindings \
--with-sssd-user=sssd \
@ -910,7 +908,7 @@ done
%{_mandir}/man5/sssd-ifp.5*
%{_unitdir}/sssd-ifp.service
# InfoPipe DBus plumbing
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
%files -n libsss_simpleifp
@ -1213,6 +1211,15 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"