diff --git a/SOURCES/0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch b/SOURCES/0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch new file mode 100644 index 0000000..7a364d4 --- /dev/null +++ b/SOURCES/0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch @@ -0,0 +1,230 @@ +From acd5da528789734411b12fa8b19007b00eea9f2c Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 13 Sep 2024 15:45:59 +0200 +Subject: [PATCH 6/9] ldap: add 'exop_force' value for ldap_pwmodify_mode + +In case the LDAP server allows to run the extended operation to change a +password even if an authenticated bind fails due to missing grace logins +the new option 'exop_force' can be used to run the extended operation to +change the password anyways. + +:config: Added `exop_force` value for configuration option + `ldap_pwmodify_mode`. This can be used to force a password change even + if no grace logins are left. Depending on the configuration of the + LDAP server it might be expected that the password change will fail. + +(cherry picked from commit 72a7fd0ded236a16b00bb4e26221f7e23b702a53) + +Reviewed-by: Justin Stephenson +(cherry picked from commit e3a3f44c4cdcb936b59941636ff576de613366d1) + +Reviewed-by: Justin Stephenson +--- + src/man/sssd-ldap.5.xml | 11 +++++++++ + src/providers/ipa/ipa_auth.c | 3 ++- + src/providers/ldap/ldap_auth.c | 5 +++- + src/providers/ldap/ldap_options.c | 2 ++ + src/providers/ldap/sdap.h | 5 ++-- + src/providers/ldap/sdap_async.h | 3 ++- + src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++----- + 7 files changed, 45 insertions(+), 11 deletions(-) + +diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml +index 0a814ec35..a9994aade 100644 +--- a/src/man/sssd-ldap.5.xml ++++ b/src/man/sssd-ldap.5.xml +@@ -234,6 +234,17 @@ + userPassword (not recommended). + + ++ ++ ++ exop_force - Try Password Modify ++ Extended Operation (RFC 3062) even if ++ there are no grace logins left. ++ Depending on the type and configuration ++ of the LDAP server the password change ++ might fail because an authenticated bind ++ is not possible. ++ ++ + + + +diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c +index 1d61a1052..b2e5b6f35 100644 +--- a/src/providers/ipa/ipa_auth.c ++++ b/src/providers/ipa/ipa_auth.c +@@ -381,7 +381,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq) + SDAP_OPT_TIMEOUT); + + subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn, +- state->pd->authtok, timeout); ++ state->pd->authtok, timeout, ++ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode); + if (subreq == NULL) { + goto done; + } +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 8ec4d3af5..023ed2277 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -896,7 +896,8 @@ static void auth_do_bind(struct tevent_req *req) + NULL, NULL, state->dn, + state->authtok, + dp_opt_get_int(state->ctx->opts->basic, +- SDAP_OPT_TIMEOUT)); ++ SDAP_OPT_TIMEOUT), ++ state->ctx->opts->pwmodify_mode); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; +@@ -1186,6 +1187,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx, + + switch (opts->pwmodify_mode) { + case SDAP_PWMODIFY_EXOP: ++ case SDAP_PWMODIFY_EXOP_FORCE: + subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn, + password, new_password, + timeout); +@@ -1229,6 +1231,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq) + + switch (state->mode) { + case SDAP_PWMODIFY_EXOP: ++ case SDAP_PWMODIFY_EXOP_FORCE: + ret = sdap_exop_modify_passwd_recv(subreq, state, + &state->user_error_message); + break; +diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c +index 277bcb529..72a95300d 100644 +--- a/src/providers/ldap/ldap_options.c ++++ b/src/providers/ldap/ldap_options.c +@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx, + opts->pwmodify_mode = SDAP_PWMODIFY_EXOP; + } else if (strcasecmp(pwmodify, "ldap_modify") == 0) { + opts->pwmodify_mode = SDAP_PWMODIFY_LDAP; ++ } else if (strcasecmp(pwmodify, "exop_force") == 0) { ++ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE; + } else { + DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify); + ret = EINVAL; +diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h +index 103d50ed4..cc34c8198 100644 +--- a/src/providers/ldap/sdap.h ++++ b/src/providers/ldap/sdap.h +@@ -546,8 +546,9 @@ struct sdap_options { + + /* password modify mode */ + enum pwmodify_mode { +- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */ +- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */ ++ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */ ++ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */ ++ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */ + } pwmodify_mode; + + /* The search bases for the domain or its subdomain */ +diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h +index a45e057d0..80b403bc3 100644 +--- a/src/providers/ldap/sdap_async.h ++++ b/src/providers/ldap/sdap_async.h +@@ -146,7 +146,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, + const char *sasl_user, + const char *user_dn, + struct sss_auth_token *authtok, +- int simple_bind_timeout); ++ int simple_bind_timeout, ++ enum pwmodify_mode pwmodify_mode); + + errno_t sdap_auth_recv(struct tevent_req *req, + TALLOC_CTX *memctx, +diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c +index e8638725c..992a5798c 100644 +--- a/src/providers/ldap/sdap_async_connection.c ++++ b/src/providers/ldap/sdap_async_connection.c +@@ -643,6 +643,7 @@ struct simple_bind_state { + struct tevent_context *ev; + struct sdap_handle *sh; + const char *user_dn; ++ enum pwmodify_mode pwmodify_mode; + + struct sdap_op *op; + +@@ -659,7 +660,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, + struct sdap_handle *sh, + int timeout, + const char *user_dn, +- struct berval *pw) ++ struct berval *pw, ++ enum pwmodify_mode pwmodify_mode) + { + struct tevent_req *req; + struct simple_bind_state *state; +@@ -682,6 +684,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, + state->ev = ev; + state->sh = sh; + state->user_dn = user_dn; ++ state->pwmodify_mode = pwmodify_mode; + + ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, + 0, NULL, 0, &ctrls[0]); +@@ -866,7 +869,12 @@ static void simple_bind_done(struct sdap_op *op, + * Grace Authentications". */ + DEBUG(SSSDBG_TRACE_LIBS, + "Password expired, grace logins exhausted.\n"); +- ret = ERR_AUTH_FAILED; ++ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) { ++ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n"); ++ ret = ERR_PASSWORD_EXPIRED; ++ } else { ++ ret = ERR_AUTH_FAILED; ++ } + } + } else if (strcmp(response_controls[c]->ldctl_oid, + LDAP_CONTROL_PWEXPIRED) == 0) { +@@ -879,7 +887,12 @@ static void simple_bind_done(struct sdap_op *op, + if (result == LDAP_INVALID_CREDENTIALS) { + DEBUG(SSSDBG_TRACE_LIBS, + "Password expired, grace logins exhausted.\n"); +- ret = ERR_AUTH_FAILED; ++ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) { ++ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n"); ++ ret = ERR_PASSWORD_EXPIRED; ++ } else { ++ ret = ERR_AUTH_FAILED; ++ } + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "Password expired, user must set a new password.\n"); +@@ -1358,7 +1371,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, + const char *sasl_user, + const char *user_dn, + struct sss_auth_token *authtok, +- int simple_bind_timeout) ++ int simple_bind_timeout, ++ enum pwmodify_mode pwmodify_mode) + { + struct tevent_req *req, *subreq; + struct sdap_auth_state *state; +@@ -1397,7 +1411,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, + pw.bv_len = pwlen; + + state->is_sasl = false; +- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw); ++ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, pwmodify_mode); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return tevent_req_post(req, ev); +@@ -1972,7 +1986,8 @@ static void sdap_cli_auth_step(struct tevent_req *req) + SDAP_SASL_AUTHID), + user_dn, authtok, + dp_opt_get_int(state->opts->basic, +- SDAP_OPT_TIMEOUT)); ++ SDAP_OPT_TIMEOUT), ++ state->opts->pwmodify_mode); + talloc_free(authtok); + if (!subreq) { + tevent_req_error(req, ENOMEM); +-- +2.43.5 + diff --git a/SOURCES/0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch b/SOURCES/0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch new file mode 100644 index 0000000..0f8542e --- /dev/null +++ b/SOURCES/0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch @@ -0,0 +1,35 @@ +From 5fc4540e97625a23f2573b0804a1509cf46931c9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= +Date: Thu, 14 Nov 2024 17:27:49 +0100 +Subject: [PATCH 1/9] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET + +The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in +https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55 +but the corresponding option is missing in +https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200 + +This error was introduced by +https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Sumit Bose +(cherry picked from commit 9ee10f98e0070774e0e7f0794bc296ef06a671e4) +--- + src/providers/be_dyndns.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c +index 2c655ef1e..5d0f51119 100644 +--- a/src/providers/be_dyndns.c ++++ b/src/providers/be_dyndns.c +@@ -1201,6 +1201,7 @@ static struct dp_option default_dyndns_opts[] = { + { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, ++ { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, + { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER }, + { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE }, +-- +2.43.5 + diff --git a/SOURCES/0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch b/SOURCES/0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch new file mode 100644 index 0000000..955722e --- /dev/null +++ b/SOURCES/0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch @@ -0,0 +1,55 @@ +From 3e7e0cc7038c89132c9f4b8a48b6b1e0c0febff4 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 21 Nov 2024 09:16:09 +0100 +Subject: [PATCH 8/9] ldap_child: make sure invalid krb5 context is not used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: https://github.com/SSSD/sssd/issues/7715 + +Reviewed-by: Alejandro López +Reviewed-by: Alexey Tikhonov +(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744) +--- + src/util/sss_krb5.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c +index 3f57e5b26..f44df2b5f 100644 +--- a/src/util/sss_krb5.c ++++ b/src/util/sss_krb5.c +@@ -83,6 +83,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name) + return keytab_name; + } + ++ if (ctx == NULL) { ++ return "-unknown-"; ++ } ++ + if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) { + return "-default keytab-"; + } +@@ -1355,8 +1359,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context) + { + krb5_error_code kerr; + const char *msg; ++ krb5_context ctx; + +- kerr = krb5_init_context(context); ++ kerr = krb5_init_context(&ctx); + if (kerr != 0) { + /* It is safe to call (sss_)krb5_get_error_message() with NULL as first + * argument. */ +@@ -1365,6 +1370,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context) + "Failed to init Kerberos context [%s]\n", msg); + sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg); + sss_krb5_free_error_message(NULL, msg); ++ } else { ++ *context = ctx; + } + + return kerr; +-- +2.43.5 + diff --git a/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch b/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch new file mode 100644 index 0000000..fbf8d90 --- /dev/null +++ b/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch @@ -0,0 +1,26 @@ +From: Alex Burmashev +Date: Tue, 04 May 2021 13:31:41 +0100 +Subject: [PATCH] restore default debug level for sss_cache + +We want only fatal failures to be logged, otherwise in some conditions log is. +flooded with unneeded "errors" + +Resolves: https://github.com/SSSD/sssd/issues/5488 + +Orabug: 32810448 +Signed-off-by: Alex Burmashev + +Patch migrated from ol8 to ol9 without any modification +Signed-off-by: Darren Archibald +diff -ruN sssd-2.4.0.orig/src/tools/sss_cache.c sssd-2.4.0/src/tools/sss_cache.c +--- sssd-2.4.0.orig/src/tools/sss_cache.c 2021-06-29 12:48:07.035970021 -0700 ++++ sssd-2.4.0/src/tools/sss_cache.c 2021-06-29 13:11:23.126918933 -0700 +@@ -709,7 +709,7 @@ + struct cache_tool_ctx *ctx = NULL; + int idb = INVALIDATE_NONE; + struct input_values values = { 0 }; +- int debug = SSSDBG_TOOLS_DEFAULT; ++ int debug = SSSDBG_FATAL_FAILURE; + errno_t ret = EOK; + + poptContext pc = NULL; diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 0686bc1..a7e659c 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -27,7 +27,7 @@ Name: sssd Version: 2.9.5 -Release: 4%{?dist}.1 +Release: 4.0.1%{?dist}.4 Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ @@ -45,6 +45,10 @@ Patch0008: 0008-pam_sss-add-missing-optional-2nd-factor-handling.patch Patch0009: 0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch +Patch0012: 0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch +Patch0013: 0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch +Patch0014: 0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch +Patch2002: 2002-orabug32810448-restore-default-debug-sss_cache.patch ### Dependencies ### @@ -1094,6 +1098,14 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Dec 23 2024 Kevin Lyons - 2.9.5-4.0.1.4 +- Restore default debug level for sss_cache [Orabug: 32810448] + +* Mon Dec 23 2024 Kevin Lyons - 2.9.5-4.4 +- Resolves: RHEL-67670 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-9] +- Resolves: RHEL-68369 - sssd backend process segfaults when krb5.conf is invalid +- Resolves: RHEL-66266 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-9] + * Tue Sep 24 2024 Alexey Tikhonov - 2.9.5-4.1 - Resolves: RHEL-59876 - EL9/CentOS Stream 9 lost offline smart card authentication - Resolves: RHEL-50912 - possible regression of rhbz#2196521 @@ -1171,7 +1183,6 @@ fi - Resolves: rhbz#2234829 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working) - Resolves: rhbz#2236119 - dbus and crond getting terminated with SIGBUS in sss_client code - * Mon Jul 10 2023 Alexey Tikhonov - 2.9.1-2 - Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system