import CS sssd-2.9.8-4.el9

This commit is contained in:
AlmaLinux RelEng Bot 2026-05-20 04:54:02 -04:00
parent df83f33538
commit c5a7c647e4
9 changed files with 153 additions and 195 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/sssd-2.9.7.tar.gz
SOURCES/sssd-2.9.8.tar.gz


@ -1 +1 @@
b8c9deadb0f0a9b0afdea1dcfc3f0f955f8a7f64 SOURCES/sssd-2.9.7.tar.gz
e75ee2920ca2856f0dedb51681cbed340f916db3 SOURCES/sssd-2.9.8.tar.gz


@ -1,42 +0,0 @@
From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Jun 2025 14:30:57 +0200
Subject: [PATCH 3/4] authtok: add IS_PW_OR_ST_AUTHTOK()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds a helper macro to determine if an authtok struct is of
type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
useful if a password is expected but an authentication token forwarded
by an different PAM module, which is most probably a password, can be
used as well.
Resolves: https://github.com/SSSD/sssd/issues/7968
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
---
src/util/authtok.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/util/authtok.h b/src/util/authtok.h
index b58e9dbbd..acabb7078 100644
--- a/src/util/authtok.h
+++ b/src/util/authtok.h
@@ -28,6 +28,10 @@
sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
|| sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+#define IS_PW_OR_ST_AUTHTOK(tok) ( \
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
+
/* Use sss_authtok_* accessor functions instead of struct sss_auth_token
*/
--
2.50.0


@ -0,0 +1,81 @@
Based on 57918755aa87a943ff451bfde6794da513e71d8d commit
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Feb 2026 14:10:29 +0100
Subject: [PATCH] sdap: do not require GID for non-POSIX group
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 6d0c7e49907..9e0eaf8a4d6 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -620,15 +620,17 @@ static int sdap_save_group(TALLOC_CTX *memctx,
goto done;
}
- ret = sysdb_attrs_get_uint32_t(attrs,
- opts->group_map[SDAP_AT_GROUP_GID].sys_name,
- &gid);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "no gid provided for [%s] in domain [%s].\n",
- group_name, dom->name);
- ret = EINVAL;
- goto done;
+ if (posix_group) {
+ ret = sysdb_attrs_get_uint32_t(attrs,
+ opts->group_map[SDAP_AT_GROUP_GID].sys_name,
+ &gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "no gid provided for [%s] in domain [%s].\n",
+ group_name, dom->name);
+ ret = EINVAL;
+ goto done;
+ }
}
}
}
diff --git a/src/tests/tests/system/tests/test_identity.py b/src/tests/tests/system/tests/test_identity.py
index 3e38637b0a5..68894958fe7 100644
--- a/src/tests/tests/system/tests/test_identity.py
+++ b/src/tests/tests/system/tests/test_identity.py
@@ -718,3 +718,40 @@ def test_identity__filter_groups_by_name_and_lookup_by_gid(client: Client, ldap:
result = client.tools.getent.group(20001)
assert result is None, "Filtered group was found"
+
+
+@pytest.mark.importance("critical")
+@pytest.mark.topology(KnownTopologyGroup.AnyAD)
+def test_identity__nested_non_posix_group(client: Client, provider: GenericADProvider):
+ """
+ :title: Lookup indirect group-members of a nested non-POSIX group
+ :setup:
+ 1. Add a new POSIX user and two new groups, one POSIX the other non-POSIX
+ 2. Add the user to the non-POSIX group and the non-POSIX group to the POSIX group
+ 3. Set 'ldap_id_mapping = false' to allow non-POSIX groups, because
+ with POSIX id-mapping enabled all groups will get POSIX ID and hence
+ there are no non-POSIX groups, and start SSSD
+ :steps:
+ 1. Lookup the POSIX group with getent
+ :expectedresults:
+ 1. Group is present and the new user is a member
+ :customerscenario: False
+ """
+ user = provider.user("nesteduser").add(
+ uid=10001, gid=20001, password="Secret123", gecos="User for tests", shell="/bin/bash"
+ )
+ nested_group = provider.group("nested_nonposix_group").add().add_member(user)
+ base_group = provider.group("posix_group").add(gid=30001).add_member(nested_group)
+
+ client.sssd.domain["ldap_id_mapping"] = "false"
+ client.sssd.start()
+
+ result = client.tools.getent.group(base_group.name)
+ assert result is not None, f"Group '{base_group.name}' not found!"
+ assert (
+ len(result.members) == 1
+ ), f"Group '{base_group.name}' has unexpected number of members [{len(result.members)}]!"
+ assert f"{user.name}" in result.members, f"Member '{user.name}' of group '{base_group.name}' not found!"
+
+ result = client.tools.getent.group(nested_group.name)
+ assert result is None, f"Non-POSIX Group '{nested_group.name}' was found with 'getent group'!"
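Review bot: When `posix_group` is false the new `if (posix_group)` branch skips the GID lookup, so `gid` keeps whatever value it held on entry; that initialization is not visible in the hunk, and sdap_save_group() starts and ends outside it, so confirm `gid` is zeroed (or otherwise marked absent) before it reaches the later sysdb store, since a stale value could hand a non-POSIX group a real GID. A short comment above the branch would make the intent explicit: `/* non-POSIX groups carry no GID; only POSIX groups must provide one */`. The accompanying test in test_identity.py exercises the nested-group lookup and the absence of the non-POSIX group from `getent group`, but presumably not a non-POSIX entry that still carries a gidNumber attribute, which is the case the guard's skipped lookup leaves unchecked.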


@ -0,0 +1,16 @@
KCM: fix use-after-free in `kcm_read_options()`
Based on commit c5a2b48f13af893ae6c7c9fe63e41f64eb77cade
diff --git a/src/responder/kcm/kcm_renew.c b/src/responder/kcm/kcm_renew.c
index 39e9470fa22..32eccf4b48a 100644
--- a/src/responder/kcm/kcm_renew.c
+++ b/src/responder/kcm/kcm_renew.c
@@ -228,7 +228,7 @@ static errno_t kcm_read_options(TALLOC_CTX *mem_ctx,
*_validate = validate;
*_canonicalize = canonicalize;
*_timeout = timeout;
- *_renew_intv = renew_intv;
+ *_renew_intv = talloc_steal(mem_ctx, renew_intv);
ret = EOK;
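Review bot: `*_renew_intv = talloc_steal(mem_ctx, renew_intv);` changes the ownership contract of kcm_read_options() — the returned string now lives on `mem_ctx` rather than on the context renew_intv was allocated from — but nothing in the hunk records this for callers, and the function's signature and the allocation site are both outside the hunk. Suggest documenting it on the out-parameter: `/* _renew_intv: allocated on mem_ctx; released together with it by the caller */`. The original owner is presumably a temporary context freed before return (hence the use-after-free); worth confirming that context is still freed on the EOK path so the steal does not trade the dangling pointer for a leak of the remaining allocations.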


@ -1,104 +0,0 @@
From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 10 Jun 2025 14:22:19 +0200
Subject: [PATCH 4/4] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
handle credentials forwarded by other PAM modules. Before it was
unconditionally assumed that it is a password and hence
SSS_AUTHTOK_TYPE_PASSWORD was used.
When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
already handled but currently offline use-cases fail because here only
SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
credentials as well.
Resolves: https://github.com/SSSD/sssd/issues/7968
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
---
src/providers/krb5/krb5_auth.c | 11 +++++++----
src/providers/krb5/krb5_child.c | 4 ++++
.../krb5/krb5_delayed_online_authentication.c | 2 +-
src/responder/pam/pamsrv_cmd.c | 1 +
4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 07e4d807f..fb2f58869 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
domain->cache_credentials_min_ff_length);
ret = EINVAL;
}
- } else if (sss_authtok_get_type(pd->authtok) ==
- SSS_AUTHTOK_TYPE_PASSWORD) {
+ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
+ /* At this point we can be sure that
+ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
+ * krb5_auth_store_creds() is not called if 2FA/otp was used,
+ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
+ */
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
} else {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
if (kr->is_offline) {
if (dp_opt_get_bool(kr->krb5_ctx->opts,
KRB5_STORE_PASSWORD_IF_OFFLINE)
- && sss_authtok_get_type(pd->authtok)
- == SSS_AUTHTOK_TYPE_PASSWORD) {
+ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
krb5_auth_cache_creds(state->kr->krb5_ctx,
state->domain,
state->be_ctx->cdb,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 5830305a0..21ec38627 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ if (kerr == EAGAIN) {
+ kerr = KRB5_KDC_UNREACH;
+ }
+
/* Special case for IPA password migration */
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
&& kerr == KRB5_PREAUTH_FAILED
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index f88d8ab9b..1fac986a6 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
return EINVAL;
}
- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid authtok for user [%s].\n", pd->user);
return EINVAL;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index d4cb421f4..c6a436069 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
switch (sss_authtok_get_type(authtok)) {
case SSS_AUTHTOK_TYPE_PASSWORD:
+ case SSS_AUTHTOK_TYPE_PAM_STACKED:
ret = sss_authtok_get_password(authtok, password, NULL);
break;
case SSS_AUTHTOK_TYPE_2FA:
--
2.50.0


@ -0,0 +1,28 @@
commit ca662958218f4484a89be94015066ff6a14875a8
Author: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed Apr 15 09:42:34 2026 +0200
Add missing include
Original patch f3af8c89af656767333410b0e94da9288dd8ade8 didn't include
"config.h" that provides `HAVE_PTHREAD_EXT`
It works in some branches accidentally because of transitive include
via "sss_cli.h" but that's fragile (and in some branches "sss_cli.h"
doesn't include "config.h")
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit a809b9236250e6f20e9a9ff1452708cd288b705f)
diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
index f5986767f..45e2ce460 100644
--- a/src/sss_client/autofs/sss_autofs.c
+++ b/src/sss_client/autofs/sss_autofs.c
@@ -18,6 +18,8 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "config.h"
+
#include <errno.h>
#include <stdlib.h>
#include <stdatomic.h>


@ -1,39 +0,0 @@
commit 9939c39d1949fad48af2f0b43c788bad0809e310
Author: Sumit Bose <sbose@redhat.com>
Date: Fri Oct 10 12:57:40 2025 +0200
krb5: disable Kerberos localauth an2ln plugin for AD/IPA
If a client is joined to AD or IPA SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping is
done by the 'an2ln' plugin this patch disables it in the configuration
snippets for SSSD's localauth plugin.
Resolves: https://github.com/SSSD/sssd/issues/8021
:relnote: After startup SSSD already creates a Kerberos configuration
snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
if the AD or IPA providers are used. This enables SSSD's localauth plugin.
Starting with this release the an2ln plugin is disabled in the
configuration snippet as well. If this file or its content are included in
the Kerberos configuration it will fix CVE-2025-11561.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
diff -up sssd-2.9.7/src/util/domain_info_utils.c.orig sssd-2.9.7/src/util/domain_info_utils.c
--- sssd-2.9.7/src/util/domain_info_utils.c.orig 2025-05-20 16:51:32.000000000 +0200
+++ sssd-2.9.7/src/util/domain_info_utils.c 2025-10-20 10:55:54.008139333 +0200
@@ -751,6 +751,7 @@ done:
#define LOCALAUTH_PLUGIN_CONFIG \
"[plugins]\n" \
" localauth = {\n" \
+" disable = an2ln\n" \
" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
" }\n"


@ -26,17 +26,17 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
Version: 2.9.7
Release: 4%{?dist}.1
Version: 2.9.8
Release: 4%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
Patch0002: 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
Patch0003: 0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch
Patch1: 0001-do-not-require-GID-for-non-POSIX-group.patch
Patch2: 0002-fix-use-after-free-in-kcm_read_options.patch
Patch3: 0003-add-missing-include.patch
### Dependencies ###
@ -1086,9 +1086,27 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Fri Oct 17 2025 Tomas Halman <thalman@redhat.com - 2.9.7.4.1
- Resolves: RHEL-120298 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation
on AD-joined Linux systems
* Wed Apr 15 2026 Tomas Halman <thalman@redhat.com> - 2.9.8-4
- Resolves: RHEL-154804 Crash in 'sss_client/autofs/sss_autofs.c'
* Mon Apr 13 2026 Tomas Halman <thalman@redhat.com> - 2.9.8-3
- Resolves: RHEL-167758 - sssd-kcm fails to start if krb5_renew_interval is specified
* Thu Apr 2 2026 Tomas Halman <thalman@redhat.com> - 2.9.8-2
- Resolves: RHEL-150277 - Failed to resolve indirect group-members of nested non-POSIX group
* Thu Jan 22 2026 Tomas Halman <thalman@redhat.com> - 2.9.8-1
- Resolves: RHEL-143692 - SSSD Rebase for RHEL 9.8
- Resolves: RHEL-133967 - Remove SSSD option ipa_enable_dns_sites
- Resolves: RHEL-133469 - 'sssd_nss' hangs when looking up an object by ID that has expired cache entry and filtered out by name
- Resolves: RHEL-133006 - SSSD: change a default value of 'session_provider' sssd.conf option to 'none'
- Resolves: RHEL-132984 - sssd_be: segfault at 8 ip 00007f6fd25b2b90 sp 00007ffc02dfbae0 error 4 in libsss_ipa.so
- Resolves: RHEL-132506 - RFE: package LDAP provider support for subid ranges
- Resolves: RHEL-120297 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux
- Resolves: RHEL-87530 - AD user in external group is not cleared when expiring the cache
* Tue Sep 23 2025 Pavel Filipenský <pfilipen@redhat.com> - 2.9.7-5
- Related: RHEL-114548 - Rebase Samba to the latest 4.23.x release
* Thu Aug 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-4
- Related: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]
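Review bot: The rebase drops `Patch0003: 0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch` — the CVE-2025-11561 fix — together with the two PAM_STACKED patches, relying on the 2.9.8 tarball carrying them upstream; the 2.9.8-1 changelog entry lists RHEL-120297 / CVE-2025-11561 as resolved, which supports that, but the spec itself gives no guard against the fix silently regressing. Consider a `%check` step, or at least a review-time verification, that the built localauth configuration snippet still contains `disable = an2ln`, since losing it reopens the privilege-escalation issue. The changelog hunk appears to end at the 2.9.7-4 entry, but if the section continues past this page the comparison above is incomplete.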