From c5a7c647e4e6725fa85421f57ea3667f7656c5a6 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Wed, 20 May 2026 04:54:02 -0400
Subject: [PATCH] import CS sssd-2.9.8-4.el9
---
 .gitignore | 2 +-
 .sssd.metadata | 2 +-
 ...0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch | 42 -------
 ...-not-require-GID-for-non-POSIX-group.patch | 81 ++++++++++++++
 ...x-use-after-free-in-kcm_read_options.patch | 16 +++
 ...ne-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch | 104 ------------------
 SOURCES/0003-add-missing-include.patch | 28 +++++
 ...os-localauth-an2ln-plugin-for-AD-IPA.patch | 39 -------
 SPECS/sssd.spec | 34 ++++--
 9 files changed, 153 insertions(+), 195 deletions(-)
 delete mode 100644 SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
 create mode 100644 SOURCES/0001-do-not-require-GID-for-non-POSIX-group.patch
 create mode 100644 SOURCES/0002-fix-use-after-free-in-kcm_read_options.patch
 delete mode 100644 SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
 create mode 100644 SOURCES/0003-add-missing-include.patch
 delete mode 100644 SOURCES/0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch
diff --git a/.gitignore b/.gitignore
index 45802ae..7d1d85e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.9.7.tar.gz
+SOURCES/sssd-2.9.8.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 5305089..b881c79 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-b8c9deadb0f0a9b0afdea1dcfc3f0f955f8a7f64 SOURCES/sssd-2.9.7.tar.gz
+e75ee2920ca2856f0dedb51681cbed340f916db3 SOURCES/sssd-2.9.8.tar.gz
diff --git a/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch b/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
deleted file mode 100644
index e23008a..0000000
--- a/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 18 Jun 2025 14:30:57 +0200
-Subject: [PATCH 3/4] authtok: add IS_PW_OR_ST_AUTHTOK()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch adds a helper macro to determine if an authtok struct is of
-type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
-useful if a password is expected but an authentication token forwarded
-by an different PAM module, which is most probably a password, can be
-used as well.
-
-Resolves: https://github.com/SSSD/sssd/issues/7968
-
-Reviewed-by: Pavel Březina
-Reviewed-by: Shridhar Gadekar
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
----
- src/util/authtok.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/util/authtok.h b/src/util/authtok.h
-index b58e9dbbd..acabb7078 100644
---- a/src/util/authtok.h
-+++ b/src/util/authtok.h
-@@ -28,6 +28,10 @@
- sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
- || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
-
-+#define IS_PW_OR_ST_AUTHTOK(tok) ( \
-+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
-+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
-+
-
- /* Use sss_authtok_* accessor functions instead of struct sss_auth_token
- */
---
-2.50.0
-
diff --git a/SOURCES/0001-do-not-require-GID-for-non-POSIX-group.patch b/SOURCES/0001-do-not-require-GID-for-non-POSIX-group.patch
new file mode 100644
index 0000000..bb5601b
--- /dev/null
+++ b/SOURCES/0001-do-not-require-GID-for-non-POSIX-group.patch
@@ -0,0 +1,81 @@
+Based on 57918755aa87a943ff451bfde6794da513e71d8d commit
+From: Sumit Bose
+Date: Mon, 9 Feb 2026 14:10:29 +0100
+Subject: [PATCH] sdap: do not require GID for non-POSIX group
+
+diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
+index 6d0c7e49907..9e0eaf8a4d6 100644
+--- a/src/providers/ldap/sdap_async_groups.c
++++ b/src/providers/ldap/sdap_async_groups.c
+@@ -620,15 +620,17 @@ static int sdap_save_group(TALLOC_CTX *memctx,
+ goto done;
+ }
+
+- ret = sysdb_attrs_get_uint32_t(attrs,
+- opts->group_map[SDAP_AT_GROUP_GID].sys_name,
+- &gid);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "no gid provided for [%s] in domain [%s].\n",
+- group_name, dom->name);
+- ret = EINVAL;
+- goto done;
++ if (posix_group) {
++ ret = sysdb_attrs_get_uint32_t(attrs,
++ opts->group_map[SDAP_AT_GROUP_GID].sys_name,
++ &gid);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "no gid provided for [%s] in domain [%s].\n",
++ group_name, dom->name);
++ ret = EINVAL;
++ goto done;
++ }
+ }
+ }
+ }
+diff --git a/src/tests/tests/system/tests/test_identity.py b/src/tests/tests/system/tests/test_identity.py
+index 3e38637b0a5..68894958fe7 100644
+--- a/src/tests/tests/system/tests/test_identity.py
++++ b/src/tests/tests/system/tests/test_identity.py
+@@ -718,3 +718,40 @@ def test_identity__filter_groups_by_name_and_lookup_by_gid(client: Client, ldap:
+
+ result = client.tools.getent.group(20001)
+ assert result is None, "Filtered group was found"
++
++
++@pytest.mark.importance("critical")
++@pytest.mark.topology(KnownTopologyGroup.AnyAD)
++def test_identity__nested_non_posix_group(client: Client, provider: GenericADProvider):
++ """
++ :title: Lookup indirect group-members of a nested non-POSIX group
++ :setup:
++ 1. Add a new POSIX user and two new groups, one POSIX the other non-POSIX
++ 2. Add the user to the non-POSIX group and the non-POSIX group to the POSIX group
++ 3. Set 'ldap_id_mapping = false' to allow non-POSIX groups, because
++ with POSIX id-mapping enabled all groups will get POSIX ID and hence
++ there are no non-POSIX groups, and start SSSD
++ :steps:
++ 1. Lookup the POSIX group with getent
++ :expectedresults:
++ 1. Group is present and the new user is a member
++ :customerscenario: False
++ """
++ user = provider.user("nesteduser").add(
++ uid=10001, gid=20001, password="Secret123", gecos="User for tests", shell="/bin/bash"
++ )
++ nested_group = provider.group("nested_nonposix_group").add().add_member(user)
++ base_group = provider.group("posix_group").add(gid=30001).add_member(nested_group)
++
++ client.sssd.domain["ldap_id_mapping"] = "false"
++ client.sssd.start()
++
++ result = client.tools.getent.group(base_group.name)
++ assert result is not None, f"Group '{base_group.name}' not found!"
++ assert (
++ len(result.members) == 1
++ ), f"Group '{base_group.name}' has unexpected number of members [{len(result.members)}]!"
++ assert f"{user.name}" in result.members, f"Member '{user.name}' of group '{base_group.name}' not found!"
++
++ result = client.tools.getent.group(nested_group.name)
++ assert result is None, f"Non-POSIX Group '{nested_group.name}' was found with 'getent group'!"
diff --git a/SOURCES/0002-fix-use-after-free-in-kcm_read_options.patch b/SOURCES/0002-fix-use-after-free-in-kcm_read_options.patch
new file mode 100644
index 0000000..ba11482
--- /dev/null
+++ b/SOURCES/0002-fix-use-after-free-in-kcm_read_options.patch
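Review bot: The new `if (posix_group)` guard in sdap_save_group leaves `gid` untouched for non-POSIX groups, and the hunk shows neither where `gid` is initialised nor where `posix_group` is computed, so it is worth confirming in the surrounding function (which starts and ends outside the hunk) that `gid` begins at 0 and that the later store path does not persist a leftover value as a real GID for a non-POSIX group. The patch header reads `Based on 57918755aa87a943ff451bfde6794da513e71d8d commit` with no `(cherry picked from commit …)` trailer and no statement of what was adapted for 2.9.8, which makes the backport hard to audit against upstream; a trailer such as `(cherry picked from commit 57918755aa87a943ff451bfde6794da513e71d8d)` plus one sentence naming any local adaptation (or stating there is none) would close that gap. The same provenance gap applies to 0002-fix-use-after-free-in-kcm_read_options.patch, whose header is `Based on commit c5a2b48f13af893ae6c7c9fe63e41f64eb77cade`.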
@@ -0,0 +1,16 @@
+KCM: fix use-after-free in `kcm_read_options()`
+Based on commit c5a2b48f13af893ae6c7c9fe63e41f64eb77cade
+
+diff --git a/src/responder/kcm/kcm_renew.c b/src/responder/kcm/kcm_renew.c
+index 39e9470fa22..32eccf4b48a 100644
+--- a/src/responder/kcm/kcm_renew.c
++++ b/src/responder/kcm/kcm_renew.c
+@@ -228,7 +228,7 @@ static errno_t kcm_read_options(TALLOC_CTX *mem_ctx,
+ *_validate = validate;
+ *_canonicalize = canonicalize;
+ *_timeout = timeout;
+- *_renew_intv = renew_intv;
++ *_renew_intv = talloc_steal(mem_ctx, renew_intv);
+
+ ret = EOK;
+
diff --git a/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch b/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
deleted file mode 100644
index 98e3788..0000000
--- a/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
+++ /dev/null
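Review bot: `*_renew_intv = talloc_steal(mem_ctx, renew_intv);` hands ownership of `renew_intv` to the caller's context, but the patch description says only "fix use-after-free" and the hunk does not show which temporary context `renew_intv` was allocated on or why that context was freed before the caller read the pointer; a sentence in the patch header naming that context would let a later maintainer judge whether other pointers handed out by this function need the same treatment. The three assignments above it (`validate`, `canonicalize`, `timeout`) look like by-value scalars and so presumably need no stealing, but that is inferred from their names only. kcm_read_options begins and ends outside the hunk.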
@@ -1,104 +0,0 @@
-From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 10 Jun 2025 14:22:19 +0200
-Subject: [PATCH 4/4] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
-handle credentials forwarded by other PAM modules. Before it was
-unconditionally assumed that it is a password and hence
-SSS_AUTHTOK_TYPE_PASSWORD was used.
-
-When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
-already handled but currently offline use-cases fail because here only
-SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
-SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
-credentials as well.
-
-Resolves: https://github.com/SSSD/sssd/issues/7968
-
-Reviewed-by: Pavel Březina
-Reviewed-by: Shridhar Gadekar
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
----
- src/providers/krb5/krb5_auth.c | 11 +++++++----
- src/providers/krb5/krb5_child.c | 4 ++++
- .../krb5/krb5_delayed_online_authentication.c | 2 +-
- src/responder/pam/pamsrv_cmd.c | 1 +
- 4 files changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
-index 07e4d807f..fb2f58869 100644
---- a/src/providers/krb5/krb5_auth.c
-+++ b/src/providers/krb5/krb5_auth.c
-@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
- domain->cache_credentials_min_ff_length);
- ret = EINVAL;
- }
-- } else if (sss_authtok_get_type(pd->authtok) ==
-- SSS_AUTHTOK_TYPE_PASSWORD) {
-+ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
-+ /* At this point we can be sure that
-+ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
-+ * krb5_auth_store_creds() is not called if 2FA/otp was used,
-+ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
-+ */
- ret = sss_authtok_get_password(pd->authtok, &password, NULL);
- } else {
- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
-@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
- if (kr->is_offline) {
- if (dp_opt_get_bool(kr->krb5_ctx->opts,
- KRB5_STORE_PASSWORD_IF_OFFLINE)
-- && sss_authtok_get_type(pd->authtok)
-- == SSS_AUTHTOK_TYPE_PASSWORD) {
-+ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
- krb5_auth_cache_creds(state->kr->krb5_ctx,
- state->domain,
- state->be_ctx->cdb,
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index 5830305a0..21ec38627 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
- if (kerr != 0) {
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-
-+ if (kerr == EAGAIN) {
-+ kerr = KRB5_KDC_UNREACH;
-+ }
-+
- /* Special case for IPA password migration */
- if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
- && kerr == KRB5_PREAUTH_FAILED
-diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
-index f88d8ab9b..1fac986a6 100644
---- a/src/providers/krb5/krb5_delayed_online_authentication.c
-+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
-@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
- return EINVAL;
- }
-
-- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-+ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Invalid authtok for user [%s].\n", pd->user);
- return EINVAL;
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index d4cb421f4..c6a436069 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
-
- switch (sss_authtok_get_type(authtok)) {
- case SSS_AUTHTOK_TYPE_PASSWORD:
-+ case SSS_AUTHTOK_TYPE_PAM_STACKED:
- ret = sss_authtok_get_password(authtok, password, NULL);
- break;
- case SSS_AUTHTOK_TYPE_2FA:
---
-2.50.0
-
diff --git a/SOURCES/0003-add-missing-include.patch b/SOURCES/0003-add-missing-include.patch
new file mode 100644
index 0000000..5e83949
--- /dev/null
+++ b/SOURCES/0003-add-missing-include.patch
@@ -0,0 +1,28 @@
+commit ca662958218f4484a89be94015066ff6a14875a8
+Author: Alexey Tikhonov
+Date: Wed Apr 15 09:42:34 2026 +0200
+
+ Add missing include
+
+ Original patch f3af8c89af656767333410b0e94da9288dd8ade8 didn't include
+ "config.h" that provides `HAVE_PTHREAD_EXT`
+ It works in some branches accidentally because of transitive include
+ via "sss_cli.h" but that's fragile (and in some branches "sss_cli.h"
+ doesn't include "config.h")
+
+ Reviewed-by: Tomáš Halman
+ (cherry picked from commit a809b9236250e6f20e9a9ff1452708cd288b705f)
+
+diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
+index f5986767f..45e2ce460 100644
+--- a/src/sss_client/autofs/sss_autofs.c
++++ b/src/sss_client/autofs/sss_autofs.c
+@@ -18,6 +18,8 @@
+ along with this program. If not, see .
+ */
+
++#include "config.h"
++
+ #include
+ #include
+ #include
diff --git a/SOURCES/0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch b/SOURCES/0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch
deleted file mode 100644
index 60d3d0d..0000000
--- a/SOURCES/0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch
+++ /dev/null
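Review bot: `#include "config.h"` is added only to src/sss_client/autofs/sss_autofs.c, while the description says the original change f3af8c89af656767333410b0e94da9288dd8ade8 relied on a transitive include of config.h through sss_cli.h for `HAVE_PTHREAD_EXT`; if that original change touched other sss_client sources that test the same macro, they carry the same fragility and would need the same include, which cannot be confirmed from this hunk. The three system `#include` lines below the insertion have lost their header names in this rendering, so the placement of config.h relative to them cannot be checked here either.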
@@ -1,39 +0,0 @@
-commit 9939c39d1949fad48af2f0b43c788bad0809e310
-Author: Sumit Bose
-Date: Fri Oct 10 12:57:40 2025 +0200
-
- krb5: disable Kerberos localauth an2ln plugin for AD/IPA
-
- If a client is joined to AD or IPA SSSD's localauth plugin can handle
- the mapping of Kerberos principals to local accounts. In case it cannot
- map the Kerberos principals libkrb5 is currently configured to fall back
- to the default localauth plugins 'default', 'rule', 'names',
- 'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
- All plugins except 'an2ln' require some explicit configuration by either
- the administrator or the local user. To avoid some unexpected mapping is
- done by the 'an2ln' plugin this patch disables it in the configuration
- snippets for SSSD's localauth plugin.
-
- Resolves: https://github.com/SSSD/sssd/issues/8021
-
- :relnote: After startup SSSD already creates a Kerberos configuration
- snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
- if the AD or IPA providers are used. This enables SSSD's localauth plugin.
- Starting with this release the an2ln plugin is disabled in the
- configuration snippet as well. If this file or its content are included in
- the Kerberos configuration it will fix CVE-2025-11561.
-
- Reviewed-by: Alexey Tikhonov
- Reviewed-by: Pavel Březina
-
-diff -up sssd-2.9.7/src/util/domain_info_utils.c.orig sssd-2.9.7/src/util/domain_info_utils.c
---- sssd-2.9.7/src/util/domain_info_utils.c.orig 2025-05-20 16:51:32.000000000 +0200
-+++ sssd-2.9.7/src/util/domain_info_utils.c 2025-10-20 10:55:54.008139333 +0200
-@@ -751,6 +751,7 @@ done:
- #define LOCALAUTH_PLUGIN_CONFIG \
- "[plugins]\n" \
- " localauth = {\n" \
-+" disable = an2ln\n" \
- " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
- " }\n"
-
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index ac31953..8f00a3e 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -26,17 +26,17 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version})
 Name: sssd
-Version: 2.9.7
-Release: 4%{?dist}.1
+Version: 2.9.8
+Release: 4%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-Patch0001: 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
-Patch0002: 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
-Patch0003: 0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch
+Patch1: 0001-do-not-require-GID-for-non-POSIX-group.patch
+Patch2: 0002-fix-use-after-free-in-kcm_read_options.patch
+Patch3: 0003-add-missing-include.patch
 ### Dependencies ###
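Review bot: The patch tags change from `Patch0001:`/`Patch0002:`/`Patch0003:` to `Patch1:`/`Patch2:`/`Patch3:`; that is harmless if %prep applies them with %autosetup or %autopatch, but %prep lies outside the hunk, so any explicit numbered `%patch` references there would now refer to tags that no longer exist and should be checked. Dropping 0003-disable-Kerberos-localauth-an2ln-plugin-for-AD-IPA.patch removes the downstream CVE-2025-11561 fix from SOURCES; the 2.9.8-1 changelog entry lists RHEL-120297 for that CVE, so the rebased tarball presumably carries the `disable = an2ln` line in LOCALAUTH_PLUGIN_CONFIG, but that is worth verifying in the 2.9.8 source rather than assumed, since losing it would silently reopen the issue.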
@@ -1086,9 +1086,27 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
-* Fri Oct 17 2025 Tomas Halman - 2.9.8-4
+- Resolves: RHEL-154804 Crash in 'sss_client/autofs/sss_autofs.c'
+
+* Mon Apr 13 2026 Tomas Halman - 2.9.8-3
+- Resolves: RHEL-167758 - sssd-kcm fails to start if krb5_renew_interval is specified
+
+* Thu Apr 2 2026 Tomas Halman - 2.9.8-2
+- Resolves: RHEL-150277 - Failed to resolve indirect group-members of nested non-POSIX group
+
+* Thu Jan 22 2026 Tomas Halman - 2.9.8-1
+- Resolves: RHEL-143692 - SSSD Rebase for RHEL 9.8
+- Resolves: RHEL-133967 - Remove SSSD option ipa_enable_dns_sites
+- Resolves: RHEL-133469 - 'sssd_nss' hangs when looking up an object by ID that has expired cache entry and filtered out by name
+- Resolves: RHEL-133006 - SSSD: change a default value of 'session_provider' sssd.conf option to 'none'
+- Resolves: RHEL-132984 - sssd_be: segfault at 8 ip 00007f6fd25b2b90 sp 00007ffc02dfbae0 error 4 in libsss_ipa.so
+- Resolves: RHEL-132506 - RFE: package LDAP provider support for subid ranges
+- Resolves: RHEL-120297 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux
+- Resolves: RHEL-87530 - AD user in external group is not cleared when expiring the cache
+
+* Tue Sep 23 2025 Pavel Filipenský - 2.9.7-5
+- Related: RHEL-114548 - Rebase Samba to the latest 4.23.x release
 * Thu Aug 14 2025 Alexey Tikhonov - 2.9.7-4
 - Related: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]