diff --git a/.gitignore b/.gitignore index b427e49..8002017 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ /sssd-2.7.2.tar.gz /sssd-2.7.3.tar.gz /sssd-2.8.1.tar.gz +/sssd-2.8.2.tar.gz diff --git a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch new file mode 100644 index 0000000..60feece --- /dev/null +++ b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch @@ -0,0 +1,158 @@ +From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 8 Dec 2022 15:14:05 +0100 +Subject: [PATCH] ldap: update shadow last change in sysdb as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise pam can use the changed information whe id chaching is +enabled, so next authentication that fits into the id timeout +(5 seconds by default) will still sees the password as expired. + +Resolves: https://github.com/SSSD/sssd/issues/6477 + +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman +(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886) +--- + src/db/sysdb.h | 4 ++++ + src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ + src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++----- + 3 files changed, 52 insertions(+), 5 deletions(-) + +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index 7c666f5c4..06b44f5ba 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain, + struct sysdb_attrs *attrs, + int mod_op); + ++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, ++ const char *name, ++ const char *attrname); ++ + /* Replace group attrs */ + int sysdb_set_group_attr(struct sss_domain_info *domain, + const char *name, +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 0d6f2d5cd..ed0df9872 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -1485,6 +1485,38 @@ done: + return ret; + } + ++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, ++ const char *name, ++ const char *attrname) ++{ ++ struct sysdb_attrs *attrs; ++ char *value; ++ errno_t ret; ++ ++ attrs = sysdb_new_attrs(NULL); ++ if (attrs == NULL) { ++ return ENOMEM; ++ } ++ ++ /* The attribute contains number of days since the epoch */ ++ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400); ++ if (value == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = sysdb_attrs_add_string(attrs, attrname, value); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); ++ ++done: ++ talloc_free(attrs); ++ return ret; ++} ++ + /* =Replace-Attributes-On-Group=========================================== */ + + int sysdb_set_group_attr(struct sss_domain_info *domain, +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 6404a9d3a..96b9d6df4 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state { + struct pam_data *pd; + struct sdap_handle *sh; + char *dn; ++ enum pwexpire pw_expire_type; + }; + + static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); +@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + { + struct sdap_pam_chpass_handler_state *state; + struct tevent_req *req; +- enum pwexpire pw_expire_type; + void *pw_expire_data; + size_t msg_len; + uint8_t *msg; +@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); + + ret = auth_recv(subreq, state, &state->sh, &state->dn, +- &pw_expire_type, &pw_expire_data); ++ &state->pw_expire_type, &pw_expire_data); + talloc_free(subreq); + + if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && +@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + } + + if (ret == EOK) { +- switch (pw_expire_type) { ++ switch (state->pw_expire_type) { + case PWEXPIRE_SHADOW: + ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); + break; +@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, +- "Unknown password expiration type %d.\n", pw_expire_type); ++ "Unknown password expiration type %d.\n", ++ state->pw_expire_type); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } +@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + case ERR_PASSWORD_EXPIRED: + DEBUG(SSSDBG_TRACE_LIBS, + "user [%s] successfully authenticated.\n", state->dn); +- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type); ++ ret = sdap_pam_chpass_handler_change_step(state, req, ++ state->pw_expire_type); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_pam_chpass_handler_change_step() failed.\n"); +@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) + + switch (ret) { + case EOK: ++ if (state->pw_expire_type == PWEXPIRE_SHADOW) { ++ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain, ++ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE); ++ if (ret != EOK) { ++ state->pd->pam_status = PAM_SYSTEM_ERR; ++ goto done; ++ } ++ } ++ + state->pd->pam_status = PAM_SUCCESS; + break; + case ERR_CHPASS_DENIED: +-- +2.37.3 + diff --git a/sources b/sources index 5693232..49e768c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.8.1.tar.gz) = 419798fa3e7ab0ad407d9f53ead183e6c4ffb534c93ed20a944a2eea6760bffaa2336373a8d52bd43f8e7c100e52fccecc9d0859bde04f8ce4e7406102024c0e +SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55 diff --git a/sssd.spec b/sssd.spec index d0be7c3..d91753f 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,7 +18,7 @@ %global enable_systemtap_opt --enable-systemtap Name: sssd -Version: 2.8.1 +Version: 2.8.2 Release: 1%{?dist} Group: Applications/System Summary: System Security Services Daemon @@ -27,7 +27,7 @@ URL: https://github.com/SSSD/sssd Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -#Patch0001: +Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch ### Downstream Patches ### @@ -105,6 +105,7 @@ BuildRequires: jansson-devel BuildRequires: libcurl-devel BuildRequires: libjose-devel BuildRequires: softhsm >= 2.1.0 +BuildRequires: bc BuildRequires: openssl BuildRequires: openssh BuildRequires: libnl3-devel @@ -1209,6 +1210,15 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Dec 19 2022 Alexey Tikhonov - 2.8.2-1 +- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 +- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level. +- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization +- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list +- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged +- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around +- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required) + * Tue Nov 22 2022 Alexey Tikhonov - 2.8.1-1 - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8 - Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr