Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
Resolves: rhbz#2072640 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop Resolves: rhbz#2070189 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. Resolves: rhbz#2070138 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options) Resolves: rhbz#2065693 - [RHEL9] Ship new sub-package called sssd-idp into sssd Resolves: rhbz#2065098 - Use right sdap_domain in ad_domain_info_send Resolves: rhbz#2062716 - [Improvement] Add user and group version of sss_nss_getorigbyname() Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol Resolves: rhbz#2056482 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 Resolves: rhbz#1937895 - SSSD update prompts for smartcard pin twice - After update to 7.9 Resolves: rhbz#1925559 - [RFE] Implement time logging for the LDAP queries and warning of high queries time Resolves: rhbz#1915564 - sssd does not enforce smartcard auth for kde screen locker Resolves: rhbz#1859751 - [RFE] Allow SSSD to use anonymous pkinit for FAST Resolves: rhbz#1749279 - 2FA prompting setting ineffective Resolves: rhbz#1661055 - sssd fails GPO-based access if AD have setup with Japanese language Resolves: rhbz#1245367 - [RFE] Implement memory cache for SID requests to improve performance
This commit is contained in:
parent
4cdadec076
commit
c745d2f717
1
.gitignore
vendored
1
.gitignore
vendored
@ -95,3 +95,4 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-2.5.2.tar.gz
|
||||
/sssd-2.6.1.tar.gz
|
||||
/sssd-2.6.2.tar.gz
|
||||
/sssd-2.7.0.tar.gz
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 4 Jan 2022 10:11:49 +0100
|
||||
Subject: [PATCH] ipa: fix reply socket of selinux_child
|
||||
|
||||
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
|
||||
the reply socket of selinux_child from stdout to stderr while switching
|
||||
from exec_child to exec_child_ex. This patch returns the original
|
||||
behavior.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5939
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_selinux.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
|
||||
index 6f885c0fd..2e0593dd7 100644
|
||||
--- a/src/providers/ipa/ipa_selinux.c
|
||||
+++ b/src/providers/ipa/ipa_selinux.c
|
||||
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
|
||||
if (pid == 0) { /* child */
|
||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
|
||||
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
|
||||
- false, STDIN_FILENO, STDERR_FILENO);
|
||||
+ false, STDIN_FILENO, STDOUT_FILENO);
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
--
|
||||
2.26.3
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,42 +0,0 @@
|
||||
From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 16 Dec 2021 11:14:18 +0100
|
||||
Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the forest root is not part of the return trusted domain objects
|
||||
from the local domain controller we generate an object for further
|
||||
processing. During this processing it is expected that the 'cn'
|
||||
attribute is set and contains the name of the forest root. So far this
|
||||
attribute was missing and it is now added by this patch.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5926
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 0353de76f..0c3f8ac31 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
|
||||
+ state->forest);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
|
||||
&id_val.data, &id_val.length);
|
||||
if (err != IDMAP_SUCCESS) {
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,140 +0,0 @@
|
||||
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Thu, 13 Jan 2022 11:28:30 +0100
|
||||
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD and IPA providers use a common fo_server object for LDAP and
|
||||
Kerberos, which is created with the LDAP data. This means that due to
|
||||
the changes introduced in
|
||||
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
|
||||
the port in use for the Kerberos requests would be the one specified for
|
||||
LDAP, usually the default one (389).
|
||||
|
||||
In order to avoid that, AD and IPA providers shouldn't change the
|
||||
Kerberos port with the one provided for LDAP.
|
||||
|
||||
:fixes: A critical regression that prevented authentication of users via
|
||||
AD and IPA providers was fixed. LDAP port was reused for Kerberos
|
||||
communication and this provider would send incomprehensible information
|
||||
to this port.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5947
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_common.c | 1 +
|
||||
src/providers/ipa/ipa_common.c | 1 +
|
||||
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
|
||||
src/providers/krb5/krb5_common.h | 1 +
|
||||
4 files changed, 23 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index e263444c5..1ca5f8e3a 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
ad_krb5info_file_filter);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
|
||||
index 1509cb1ce..e6c1f9aa4 100644
|
||||
--- a/src/providers/ipa/ipa_common.c
|
||||
+++ b/src/providers/ipa/ipa_common.c
|
||||
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
||||
index 719ce6a12..5ffa20809 100644
|
||||
--- a/src/providers/krb5/krb5_common.c
|
||||
+++ b/src/providers/krb5/krb5_common.c
|
||||
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *))
|
||||
{
|
||||
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
if (filter == NULL || filter(server) == false) {
|
||||
address = fo_server_address_or_name(tmp_ctx, server);
|
||||
if (address) {
|
||||
- port = fo_get_server_port(server);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(server);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
continue;
|
||||
}
|
||||
|
||||
- port = fo_get_server_port(item);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(item);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(krb5_service,
|
||||
server,
|
||||
+ false,
|
||||
krb5_service->name,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
||||
index 151f446d1..2fd39a751 100644
|
||||
--- a/src/providers/krb5/krb5_common.h
|
||||
+++ b/src/providers/krb5/krb5_common.h
|
||||
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *));
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (sssd-2.6.2.tar.gz) = 56a10d96be828790b3278fd2f2476f0f1d97cf0ce6a7d6bad6e8797ed3863098889c3b12b4ebf63883a44886a548c4ee082d3dd8d373553b38dd39e29bc7339d
|
||||
SHA512 (sssd-2.7.0.tar.gz) = 578ee5b5a0160fce2ea9269d6082a6517ee63cd9ea8ea8a202f1a5d7783ae0f02d18a8a32a48dc8773e1a9d28093c9256d8d26d42a2facf20b57cadf419a854c
|
||||
|
51
sssd.spec
51
sssd.spec
@ -26,18 +26,15 @@
|
||||
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
|
||||
|
||||
Name: sssd
|
||||
Version: 2.6.2
|
||||
Release: 2%{?dist}
|
||||
Version: 2.7.0
|
||||
Release: 1%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://github.com/SSSD/sssd/
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
|
||||
Patch0002: 0002-po-update-translations.patch
|
||||
Patch0003: 0003-ad-add-required-cn-attribute-to-subdomain-object.patch
|
||||
Patch0004: 0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
|
||||
#Patch0001:
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
@ -79,6 +76,9 @@ BuildRequires: gdm-pam-extensions-devel
|
||||
BuildRequires: gettext-devel
|
||||
# required for p11_child smartcard tests
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: libjose-devel
|
||||
BuildRequires: keyutils-libs-devel
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: krb5-libs >= 1.18.2-11
|
||||
@ -292,6 +292,7 @@ License: GPLv3+
|
||||
Requires: samba-client-libs >= %{samba_package_version}
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-krb5-common = %{version}-%{release}
|
||||
Requires: sssd-idp = %{version}-%{release}
|
||||
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Recommends: bind-utils
|
||||
@ -481,6 +482,16 @@ Requires: krb5-libs >= 1.18.2-11
|
||||
An implementation of a Kerberos KCM server. Use this package if you want to
|
||||
use the KCM: Kerberos credentials cache.
|
||||
|
||||
%package idp
|
||||
Summary: Kerberos plugins and OIDC helper for external identity providers.
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
%description idp
|
||||
This package provides Kerberos plugins that are required to enable
|
||||
authentication against external identity providers. Additionally a helper
|
||||
program to handle the OAuth 2.0 Device Authorization Grant is provided.
|
||||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
|
||||
@ -551,6 +562,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||
|
||||
# Enable krb5 idp plugins by default (when sssd-idp package is installed)
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||
|
||||
# krb5 configuration snippet
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
@ -949,6 +964,12 @@ done
|
||||
%{_unitdir}/sssd-kcm.service
|
||||
%{_mandir}/man8/sssd-kcm.8*
|
||||
|
||||
%files idp
|
||||
%{_libexecdir}/%{servicename}/oidc_child
|
||||
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
|
||||
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||
|
||||
%if 0%{?rhel}
|
||||
%pre common
|
||||
getent group sssd >/dev/null || groupadd -r sssd
|
||||
@ -1038,6 +1059,24 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Wed Apr 20 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-1
|
||||
- Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
|
||||
- Resolves: rhbz#2072640 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
|
||||
- Resolves: rhbz#2070189 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
|
||||
- Resolves: rhbz#2070138 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
|
||||
- Resolves: rhbz#2065693 - [RHEL9] Ship new sub-package called sssd-idp into sssd
|
||||
- Resolves: rhbz#2065098 - Use right sdap_domain in ad_domain_info_send
|
||||
- Resolves: rhbz#2062716 - [Improvement] Add user and group version of sss_nss_getorigbyname()
|
||||
- Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol
|
||||
- Resolves: rhbz#2056482 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
|
||||
- Resolves: rhbz#1937895 - SSSD update prompts for smartcard pin twice - After update to 7.9
|
||||
- Resolves: rhbz#1925559 - [RFE] Implement time logging for the LDAP queries and warning of high queries time
|
||||
- Resolves: rhbz#1915564 - sssd does not enforce smartcard auth for kde screen locker
|
||||
- Resolves: rhbz#1859751 - [RFE] Allow SSSD to use anonymous pkinit for FAST
|
||||
- Resolves: rhbz#1749279 - 2FA prompting setting ineffective
|
||||
- Resolves: rhbz#1661055 - sssd fails GPO-based access if AD have setup with Japanese language
|
||||
- Resolves: rhbz#1245367 - [RFE] Implement memory cache for SID requests to improve performance
|
||||
|
||||
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
|
||||
- Resolves: rhbz#2035244 - AD Domain in the AD Forest Missing after sssd latest update
|
||||
- Resolves: rhbz#2041560 - sssd does not use kerberos port that is set.
|
||||
|
Loading…
Reference in New Issue
Block a user