From a994a882f192ccb5e2def8ed8f4f11eadfb1a8aa Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Mon, 15 May 2023 17:25:02 +0200 Subject: [PATCH] Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # --- .gitignore | 1 + ...ack-not-executed-on-link-or-relative.patch | 248 ++++++++++++++++++ ...-shadow-last-change-in-sysdb-as-well.patch | 158 ----------- ...rror-codes-returned-by-common-read-w.patch | 58 ---- ...ll-returns-POLLNVAL-then-socket-is-a.patch | 63 ----- sources | 2 +- sssd.spec | 23 +- 7 files changed, 265 insertions(+), 288 deletions(-) create mode 100644 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch delete mode 100644 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch delete mode 100644 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch delete mode 100644 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch diff --git a/.gitignore b/.gitignore index 8002017..91ca869 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /sssd-2.7.3.tar.gz /sssd-2.8.1.tar.gz /sssd-2.8.2.tar.gz +/sssd-2.9.0.tar.gz diff --git a/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch new file mode 100644 index 0000000..21a27c7 --- /dev/null +++ b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch 
@@ -0,0 +1,248 @@ +From eb43c2400a34a4ab77be4f75ba7536baecda3bef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= +Date: Wed, 10 May 2023 17:29:07 +0200 +Subject: [PATCH] FILE WATCH: Callback not executed on link or relative path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When the watched file was a symbolic link or was a relative path, +the calback was not executed because the filename comparison +was wrongly considering the files to be different. + +The solution is to normalize the filenames before comparing them. +This cannot be easily done at setup because the file could not +exist at that moment. + +The test was adapted to check this situation. + +Resolves: https://github.com/SSSD/sssd/issues/6718 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3) +--- + src/tests/file_watch-tests.c | 83 ++++++++++++++++++++++++++---------- + src/util/file_watch.c | 26 +++++++++-- + 2 files changed, 83 insertions(+), 26 deletions(-) + +diff --git a/src/tests/file_watch-tests.c b/src/tests/file_watch-tests.c +index 3ca5b44f9..3e1aea6ce 100644 +--- a/src/tests/file_watch-tests.c ++++ b/src/tests/file_watch-tests.c +@@ -36,11 +36,19 @@ + #include "util/file_watch.h" + #include "tests/common.h" + +-#define FW_DIR TEST_DIR "/file-watch" +-#define WATCHED_FILE_INOTIFY FW_DIR "/watched_file_inotify" +-#define WATCHED_FILE_POLL FW_DIR "/watched_file_poll" +-#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/watched_file_inotify.exists" +-#define WATCHED_EXISTING_FILE_POLL FW_DIR "/watched_file_poll.exists" ++#define FW_NAME "/file-watch-test-dir" ++#define FILE_INOTIFY_NAME "watched_file_inotify" ++#define FILE_POLL_NAME "watched_file_poll" ++#define FW_DIR TEST_DIR FW_NAME ++#define EXISTING_FILE_INOTIFY_NAME FILE_INOTIFY_NAME ".exists" ++#define EXISTING_FILE_POLL_NAME FILE_POLL_NAME ".exists" ++#define WATCHED_FILE_INOTIFY FW_DIR "/.." 
FW_NAME "/" FILE_INOTIFY_NAME ++#define WATCHED_FILE_POLL FW_DIR "/.." FW_NAME "/" FILE_POLL_NAME ++#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" EXISTING_FILE_INOTIFY_NAME ++#define WATCHED_EXISTING_FILE_POLL FW_DIR "/.." FW_NAME "/" EXISTING_FILE_POLL_NAME ++#define WATCHED_EXISTING_LINK_INOTIFY FW_DIR "/" EXISTING_FILE_INOTIFY_NAME ".link" ++#define WATCHED_EXISTING_LINK_POLL FW_DIR "/" EXISTING_FILE_POLL_NAME ".link" ++#define UNWATCHED_FILE FW_DIR "/unwatched_file" + + + static TALLOC_CTX *test_mem_ctx; +@@ -50,34 +58,51 @@ struct fn_arg { + int counter; + }; + +-static void setup_file_watch(void) ++static void remove_files(void) + { +- test_mem_ctx = talloc_new(NULL); +- mkdir(FW_DIR, 0700); + unlink(WATCHED_FILE_INOTIFY); + unlink(WATCHED_FILE_POLL); ++ unlink(WATCHED_EXISTING_LINK_INOTIFY); ++ unlink(WATCHED_EXISTING_LINK_POLL); + unlink(WATCHED_EXISTING_FILE_INOTIFY); + unlink(WATCHED_EXISTING_FILE_POLL); ++ unlink(UNWATCHED_FILE); + } + ++static void setup_file_watch(void) ++{ ++ DEBUG(SSSDBG_TRACE_ALL, "==========================================\n"); ++ test_mem_ctx = talloc_new(NULL); ++ mkdir(FW_DIR, 0700); ++ remove_files(); ++} + + static void teardown_file_watch(void) + { +- unlink(WATCHED_FILE_INOTIFY); +- unlink(WATCHED_FILE_POLL); +- unlink(WATCHED_EXISTING_FILE_INOTIFY); +- unlink(WATCHED_EXISTING_FILE_POLL); + talloc_free(test_mem_ctx); ++ remove_files(); ++ rmdir(FW_DIR); + } + + + static void callback(const char *filename, void *arg) + { +- DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n"); ++ static char received[PATH_MAX + 1]; ++ static char expected[PATH_MAX + 1]; ++ char *res; + struct fn_arg *data = (struct fn_arg *) arg; + ++ DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n"); ++ + ck_assert_msg(data != NULL, "Callback received NULL argument"); +- ck_assert_msg(strcmp(filename, data->filename) == 0, ++ ++ res = realpath(data->filename, expected); ++ ck_assert_msg(res != NULL, "Failed to normalize the expected filename"); ++ ++ 
res = realpath(filename, received); ++ ck_assert_msg(res != NULL, "Failed to normalize the received filename"); ++ ++ ck_assert_msg(strcmp(expected, received) == 0, + "Wrong filename in the callback."); + data->counter++; + } +@@ -88,7 +113,7 @@ static void modify_file(const char *filename) + int fd; + int res; + +- DEBUG(SSSDBG_TRACE_FUNC, "File modified\n"); ++ DEBUG(SSSDBG_TRACE_FUNC, "Modifying file %s\n", filename); + fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR); + ck_assert_msg(fd != -1, "Failed to open the file."); + +@@ -119,11 +144,14 @@ static void test_file_watch_no_file(bool use_inotify) + arg.filename = filename; + arg.counter = 0; + ++ DEBUG(SSSDBG_TRACE_ALL, "Watching file %s\n", filename); + ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg); + ck_assert_msg(ctx != NULL, "Failed to watch a file."); + ck_assert_msg(arg.counter == 0, "Unexpected callback invocation."); + +- // At this point the file doesn't exist, we will create it. ++ // At this point the file doesn't exist. 
We create the watched and an ++ // unwatched file ++ modify_file(UNWATCHED_FILE); + modify_file(filename); + if (use_inotify) { + res = tevent_loop_once(ev); +@@ -152,26 +180,35 @@ static void test_file_watch_with_file(bool use_inotify) + { + struct file_watch_ctx *ctx; + struct tevent_context *ev; ++ const char *filepath; + const char *filename; ++ const char *linkpath; + struct fn_arg arg; + int res; + + if (use_inotify) { +- filename = WATCHED_EXISTING_FILE_INOTIFY; ++ filename = EXISTING_FILE_INOTIFY_NAME; ++ filepath = WATCHED_EXISTING_FILE_INOTIFY; ++ linkpath = WATCHED_EXISTING_LINK_INOTIFY; + } else { +- filename = WATCHED_EXISTING_FILE_POLL; ++ filename = EXISTING_FILE_POLL_NAME; ++ filepath = WATCHED_EXISTING_FILE_POLL; ++ linkpath = WATCHED_EXISTING_LINK_POLL; + } +- modify_file(filename); ++ modify_file(filepath); ++ res = symlink(filename, linkpath); ++ ck_assert_msg(res == 0, "Failed create the symbolic link"); + + ev = tevent_context_init(test_mem_ctx); + ck_assert_msg(ev != NULL, "Failed to create the tevent context."); + +- arg.filename = filename; ++ arg.filename = linkpath; + arg.counter = 0; + + // File already exists +- ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg); +- ck_assert_msg(ctx != NULL, "Failed to watch a file."); ++ DEBUG(SSSDBG_TRACE_ALL, "Watching link %s\n", linkpath); ++ ctx = fw_watch_file(test_mem_ctx, ev, linkpath, use_inotify, callback, &arg); ++ ck_assert_msg(ctx != NULL, "Failed to watch a link."); + ck_assert_msg(arg.counter >= 1, "Callback not invoked at start up."); + ck_assert_msg(arg.counter <= 1, "Callback invoked too many times at start up."); + +@@ -179,7 +216,7 @@ static void test_file_watch_with_file(bool use_inotify) + if (!use_inotify) { + sleep(2); // Detection by polling is based on the file's modification time. 
+ } +- modify_file(filename); ++ modify_file(filepath); + if (use_inotify) { + res = tevent_loop_once(ev); + ck_assert_msg(res == 0, "tevent_loop_once() failed."); +diff --git a/src/util/file_watch.c b/src/util/file_watch.c +index b994e4116..d19fdccd6 100644 +--- a/src/util/file_watch.c ++++ b/src/util/file_watch.c +@@ -121,7 +121,10 @@ static int watched_file_inotify_cb(const char *filename, + uint32_t flags, + void *pvt) + { ++ static char received[PATH_MAX + 1]; ++ static char expected[PATH_MAX + 1]; + struct file_watch_ctx *fw_ctx; ++ char *res; + + DEBUG(SSSDBG_TRACE_LIBS, + "Received inotify notification for %s\n", filename); +@@ -131,15 +134,32 @@ static int watched_file_inotify_cb(const char *filename, + return EINVAL; + } + +- if (strcmp(fw_ctx->filename, filename) == 0) { +- if (access(fw_ctx->filename, F_OK) == 0) { +- fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg); ++ res = realpath(fw_ctx->filename, expected); ++ if (res == NULL) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ "Normalization failed for expected %s. Skipping the callback.\n", ++ fw_ctx->filename); ++ goto done; ++ } ++ ++ res = realpath(filename, received); ++ if (res == NULL) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ "Normalization failed for received %s. Skipping the callback.\n", ++ filename); ++ goto done; ++ } ++ ++ if (strcmp(expected, received) == 0) { ++ if (access(received, F_OK) == 0) { ++ fw_ctx->cb(received, fw_ctx->cb_arg); + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "File %s is missing. Skipping the callback.\n", filename); + } + } + ++done: + return EOK; + } + +-- +2.38.1 + diff --git a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch deleted file mode 100644 index 60feece..0000000 --- a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch +++ /dev/null 
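Review bot: In `watched_file_inotify_cb` the callback is now handed `received`, a `static char[PATH_MAX + 1]` that is overwritten by the next notification and holds the canonicalized path, whereas before it received `fw_ctx->filename`, which is owned by the watch context and is the path the caller registered. Any existing callback that keeps the pointer or compares it against its configured path (as the old test did with `strcmp`) would now see a transient buffer or a non-matching string; the fact that this patch had to change the test to `realpath()` both sides suggests that hazard is real for other callers too. I would keep the caller-visible contract and only use the normalized strings for the comparison: `if (access(fw_ctx->filename, F_OK) == 0) {` followed by `fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg);`. If passing the resolved path is intentional, the `fw_watch_file` documentation should state that the argument is a transient buffer the callback must copy if it needs it, and that a watched symbolic link is re-resolved with `realpath()` on every event.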
@@ -1,158 +0,0 @@ -From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Thu, 8 Dec 2022 15:14:05 +0100 -Subject: [PATCH] ldap: update shadow last change in sysdb as well -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Otherwise pam can use the changed information whe id chaching is -enabled, so next authentication that fits into the id timeout -(5 seconds by default) will still sees the password as expired. - -Resolves: https://github.com/SSSD/sssd/issues/6477 - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886) ---- - src/db/sysdb.h | 4 ++++ - src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ - src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++----- - 3 files changed, 52 insertions(+), 5 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 7c666f5c4..06b44f5ba 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain, - struct sysdb_attrs *attrs, - int mod_op); - -+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, -+ const char *name, -+ const char *attrname); -+ - /* Replace group attrs */ - int sysdb_set_group_attr(struct sss_domain_info *domain, - const char *name, -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 0d6f2d5cd..ed0df9872 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -1485,6 +1485,38 @@ done: - return ret; - } - -+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, -+ const char *name, -+ const char *attrname) -+{ -+ struct sysdb_attrs *attrs; -+ char *value; -+ errno_t ret; -+ -+ attrs = sysdb_new_attrs(NULL); -+ if (attrs == NULL) { -+ return ENOMEM; -+ } -+ -+ /* The attribute contains number of days since the epoch */ -+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400); -+ if 
(value == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = sysdb_attrs_add_string(attrs, attrname, value); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); -+ -+done: -+ talloc_free(attrs); -+ return ret; -+} -+ - /* =Replace-Attributes-On-Group=========================================== */ - - int sysdb_set_group_attr(struct sss_domain_info *domain, -diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c -index 6404a9d3a..96b9d6df4 100644 ---- a/src/providers/ldap/ldap_auth.c -+++ b/src/providers/ldap/ldap_auth.c -@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state { - struct pam_data *pd; - struct sdap_handle *sh; - char *dn; -+ enum pwexpire pw_expire_type; - }; - - static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); -@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - { - struct sdap_pam_chpass_handler_state *state; - struct tevent_req *req; -- enum pwexpire pw_expire_type; - void *pw_expire_data; - size_t msg_len; - uint8_t *msg; -@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); - - ret = auth_recv(subreq, state, &state->sh, &state->dn, -- &pw_expire_type, &pw_expire_data); -+ &state->pw_expire_type, &pw_expire_data); - talloc_free(subreq); - - if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && -@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - } - - if (ret == EOK) { -- switch (pw_expire_type) { -+ switch (state->pw_expire_type) { - case PWEXPIRE_SHADOW: - ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); - break; -@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - break; - default: - DEBUG(SSSDBG_CRIT_FAILURE, -- "Unknown password expiration type %d.\n", pw_expire_type); -+ 
"Unknown password expiration type %d.\n", -+ state->pw_expire_type); - state->pd->pam_status = PAM_SYSTEM_ERR; - goto done; - } -@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - case ERR_PASSWORD_EXPIRED: - DEBUG(SSSDBG_TRACE_LIBS, - "user [%s] successfully authenticated.\n", state->dn); -- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type); -+ ret = sdap_pam_chpass_handler_change_step(state, req, -+ state->pw_expire_type); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sdap_pam_chpass_handler_change_step() failed.\n"); -@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) - - switch (ret) { - case EOK: -+ if (state->pw_expire_type == PWEXPIRE_SHADOW) { -+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain, -+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE); -+ if (ret != EOK) { -+ state->pd->pam_status = PAM_SYSTEM_ERR; -+ goto done; -+ } -+ } -+ - state->pd->pam_status = PAM_SUCCESS; - break; - case ERR_CHPASS_DENIED: --- -2.37.3 - diff --git a/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch b/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch deleted file mode 100644 index fdc756a..0000000 --- a/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 3 Feb 2023 11:35:42 +0100 -Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common - read/write/check helpers. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)` -error condition is detected, regular `POLLIN/POLLOUT` won't be set. -Error code set by error condition should have a priority. This enables -users of this helper to retry attempt (as designed). - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd) ---- - src/sss_client/common.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 2c888faa9..27e09f6f3 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, - case 1: - if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & POLLOUT)) { -+ } else if (!(pfd.revents & POLLOUT)) { - *errnop = EBUSY; - } - break; -@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, - } - if (pfd.revents & (POLLERR | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & POLLIN)) { -+ } else if (!(pfd.revents & POLLIN)) { - *errnop = EBUSY; - } - break; -@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop, - case 1: - if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & (POLLIN | POLLOUT))) { -+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) { - *errnop = EBUSY; - } - break; --- -2.37.3 - 
diff --git a/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch b/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch deleted file mode 100644 index d7c875f..0000000 --- a/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 8 Feb 2023 17:48:52 +0100 -Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is - alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise - there is a risk to close "foreign" socket opened in another thread. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3) ---- - src/sss_client/common.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 27e09f6f3..c8ade645b 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, - *errnop = ETIME; - break; - case 1: -- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { -+ if (pfd.revents & (POLLERR | POLLHUP)) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & POLLOUT)) { - *errnop = EBUSY; -@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, - if (pfd.revents & (POLLHUP)) { - pollhup = true; - } -- if (pfd.revents & (POLLERR | POLLNVAL)) { -+ if (pfd.revents & POLLERR) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & POLLIN)) { - *errnop = EBUSY; -@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop, - *errnop = ETIME; - break; - case 1: -- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { -+ if (pfd.revents & (POLLERR | POLLHUP)) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid 
request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & (POLLIN | POLLOUT))) { - *errnop = EBUSY; --- -2.37.3 - diff --git a/sources b/sources index 49e768c..230117e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55 +SHA512 (sssd-2.9.0.tar.gz) = cf65572cfa6468c4b3edc3a33a48ab6d58979917901662eb8b2d8fc5931494be81da13295246500a3a315b71d0395594c9a565014e5875f3cdde50da096f253d diff --git a/sssd.spec b/sssd.spec index c395105..d7a98ea 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,8 +18,8 @@ %global enable_systemtap_opt --enable-systemtap Name: sssd -Version: 2.8.2 -Release: 2%{?dist} +Version: 2.9.0 +Release: 1%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -27,10 +27,7 @@ URL: https://github.com/SSSD/sssd Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch -Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch -Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch -Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch +Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch ### Downstream Patches ### @@ -214,7 +211,6 @@ Summary: Userspace tools for use with the SSSD Group: Applications/System License: GPLv3+ Requires: sssd-common = %{version}-%{release} -Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} 
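Review bot: The `### Patches ###` hunk removes the `Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch` reference, but the diffstat only deletes the 0001, 0002 and 0003 patch files, so the 0004 file appears to stay in the repository unapplied (unless it was never committed, which I cannot tell from here). If that fix is part of 2.9.0 upstream, delete the stale file in this commit as was done for the other three so the tree does not suggest a pending patch; if it is not, it has to be re-listed as `Patch0002:`. A short note in the changelog entry that the four dropped downstream patches are contained in the 2.9.0 rebase would also make the removal verifiable later.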
@@ -594,6 +590,8 @@ autoreconf -ivf --with-initscript=systemd \ --with-syslog=journald \ --with-subid \ + --with-files-provider \ + --with-libsifp \ --enable-sss-default-nss-plugin \ --without-python2-bindings \ --with-sssd-user=sssd \ @@ -910,7 +908,7 @@ done %{_mandir}/man5/sssd-ifp.5* %{_unitdir}/sssd-ifp.service # InfoPipe DBus plumbing -%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service %files -n libsss_simpleifp @@ -1213,6 +1211,15 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon May 15 2023 Alexey Tikhonov - 2.9.0-1 +- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 +- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) +- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket +- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 +- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name +- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") +- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # + * Mon Feb 13 2023 Alexey Tikhonov - 2.8.2-2 - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
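Review bot: The two new configure flags `--with-files-provider` and `--with-libsifp` are added without a comment saying why they are now passed explicitly; the rebase having to add them suggests upstream 2.9.0 no longer builds these components by default, which usually means they are on a deprecation path. A one-line spec comment above them, such as `# files provider and libsss_simpleifp are off by default in 2.9; kept for RHEL 8 compatibility`, would tell the next maintainer that this is deliberate and when the flags can be dropped. The related `-Requires: libsss_simpleifp` removal from sssd-tools earlier in the spec would benefit from the same justification.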