Auto sync2gitlab import of sssd-2.8.2-1.el8.src.rpm

.gitignore

@@ -3,3 +3,4 @@
 /sssd-2.7.2.tar.gz
 /sssd-2.7.3.tar.gz
 /sssd-2.8.1.tar.gz
+/sssd-2.8.2.tar.gz

0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch

@@ -0,0 +1,158 @@
+From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 8 Dec 2022 15:14:05 +0100
+Subject: [PATCH] ldap: update shadow last change in sysdb as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise pam can use the changed information whe id chaching is
+enabled, so next authentication that fits into the id timeout
+(5 seconds by default) will still sees the password as expired.
+
+Resolves: https://github.com/SSSD/sssd/issues/6477
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
+---
+ src/db/sysdb.h                 |  4 ++++
+ src/db/sysdb_ops.c             | 32 ++++++++++++++++++++++++++++++++
+ src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
+ 3 files changed, 52 insertions(+), 5 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 7c666f5c4..06b44f5ba 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
+                         struct sysdb_attrs *attrs,
+                         int mod_op);
+ 
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++                                             const char *name,
++                                             const char *attrname);
++
+ /* Replace group attrs */
+ int sysdb_set_group_attr(struct sss_domain_info *domain,
+                          const char *name,
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 0d6f2d5cd..ed0df9872 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -1485,6 +1485,38 @@ done:
+     return ret;
+ }
+ 
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++                                             const char *name,
++                                             const char *attrname)
++{
++    struct sysdb_attrs *attrs;
++    char *value;
++    errno_t ret;
++
++    attrs = sysdb_new_attrs(NULL);
++    if (attrs == NULL) {
++        return ENOMEM;
++    }
++
++    /* The attribute contains number of days since the epoch */
++    value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
++    if (value == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = sysdb_attrs_add_string(attrs, attrname, value);
++    if (ret != EOK) {
++        goto done;
++    }
++
++    ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
++
++done:
++    talloc_free(attrs);
++    return ret;
++}
++
+ /* =Replace-Attributes-On-Group=========================================== */
+ 
+ int sysdb_set_group_attr(struct sss_domain_info *domain,
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index 6404a9d3a..96b9d6df4 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
+     struct pam_data *pd;
+     struct sdap_handle *sh;
+     char *dn;
++    enum pwexpire pw_expire_type;
+ };
+ 
+ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
+@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ {
+     struct sdap_pam_chpass_handler_state *state;
+     struct tevent_req *req;
+-    enum pwexpire pw_expire_type;
+     void *pw_expire_data;
+     size_t msg_len;
+     uint8_t *msg;
+@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+     state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
+ 
+     ret = auth_recv(subreq, state, &state->sh, &state->dn,
+-                    &pw_expire_type, &pw_expire_data);
++                    &state->pw_expire_type, &pw_expire_data);
+     talloc_free(subreq);
+ 
+     if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
+@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+     }
+ 
+     if (ret == EOK) {
+-        switch (pw_expire_type) {
++        switch (state->pw_expire_type) {
+         case PWEXPIRE_SHADOW:
+             ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
+             break;
+@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+             break;
+         default:
+             DEBUG(SSSDBG_CRIT_FAILURE,
+-                  "Unknown password expiration type %d.\n", pw_expire_type);
++                  "Unknown password expiration type %d.\n",
++                  state->pw_expire_type);
+             state->pd->pam_status = PAM_SYSTEM_ERR;
+             goto done;
+         }
+@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+         case ERR_PASSWORD_EXPIRED:
+             DEBUG(SSSDBG_TRACE_LIBS,
+                   "user [%s] successfully authenticated.\n", state->dn);
+-            ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
++            ret = sdap_pam_chpass_handler_change_step(state, req,
++                                                      state->pw_expire_type);
+             if (ret != EOK) {
+                 DEBUG(SSSDBG_OP_FAILURE,
+                       "sdap_pam_chpass_handler_change_step() failed.\n");
+@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
+ 
+     switch (ret) {
+     case EOK:
++        if (state->pw_expire_type == PWEXPIRE_SHADOW) {
++            ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
++                    state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
++            if (ret != EOK) {
++                state->pd->pam_status = PAM_SYSTEM_ERR;
++                goto done;
++            }
++        }
++
+         state->pd->pam_status = PAM_SUCCESS;
+         break;
+     case ERR_CHPASS_DENIED:
+-- 
+2.37.3
+

sources

@@ -1 +1 @@
-SHA512 (sssd-2.8.1.tar.gz) = 419798fa3e7ab0ad407d9f53ead183e6c4ffb534c93ed20a944a2eea6760bffaa2336373a8d52bd43f8e7c100e52fccecc9d0859bde04f8ce4e7406102024c0e
+SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55

sssd.spec

@@ -18,7 +18,7 @@
 %global enable_systemtap_opt --enable-systemtap
 
 Name: sssd
-Version: 2.8.1
+Version: 2.8.2
 Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
@@ -27,7 +27,7 @@ URL: https://github.com/SSSD/sssd
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 
 ### Patches ###
-#Patch0001:
+Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
 
 ### Downstream Patches ###
 
@@ -105,6 +105,7 @@ BuildRequires: jansson-devel
 BuildRequires: libcurl-devel
 BuildRequires: libjose-devel
 BuildRequires: softhsm >= 2.1.0
+BuildRequires: bc
 BuildRequires: openssl
 BuildRequires: openssh
 BuildRequires: libnl3-devel
@@ -1209,6 +1210,15 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Mon Dec 19 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
+- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
+- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
+- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization
+- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list
+- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
+- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
+- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required)
+
 * Tue Nov 22 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
 - Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
 - Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr