diff --git a/SOURCES/0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch b/SOURCES/0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
new file mode 100644
index 0000000..da5505b
--- /dev/null
+++ b/SOURCES/0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
@@ -0,0 +1,175 @@
+From 51e92297157562511baf8902777f02a4aa2e70e6 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 15 Mar 2022 11:36:45 +0100
+Subject: [PATCH] ad: use right sdap_domain in ad_domain_info_send
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally ad_domain_info_send() was only called when there was only a
+single domain available and hence only a single sdap_domain struct with
+the search bases in the sdap_domain list. Since ad_domain_info_send() is
+now called at other times as well the right sdap_domain struct must be
+selected so that the right search bases are used.
+
+Resolves: https://github.com/SSSD/sssd/issues/6063
+
+Reviewed-by: Iker Pedrosa
+Reviewed-by: Pavel Březina
+---
+ src/providers/ad/ad_domain_info.c | 10 +++++-
+ src/providers/ldap/ldap_common.h | 3 ++
+ src/providers/ldap/sdap_domain.c | 21 ++++++++++++
+ src/tests/cmocka/test_search_bases.c | 48 +++++++++++++++++++++++++++-
+ 4 files changed, 80 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
+index 52b2e2442..f3a82a198 100644
+--- a/src/providers/ad/ad_domain_info.c
++++ b/src/providers/ad/ad_domain_info.c
+@@ -181,6 +181,7 @@ struct ad_domain_info_state {
+ struct sdap_id_op *id_op;
+ struct sdap_id_ctx *id_ctx;
+ struct sdap_options *opts;
++ struct sdap_domain *sdom;
+ 
+ const char *dom_name;
+ int base_iter;
+@@ -215,6 +216,13 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
+ state->id_ctx = conn->id_ctx;
+ state->opts = conn->id_ctx->opts;
+ state->dom_name = dom_name;
++ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
++ if (state->sdom == NULL || state->sdom->search_bases == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
++ ret = EINVAL;
++ goto immediate;
++ }
++
+ 
+ ret = ad_domain_info_next(req);
+ if (ret != EOK && ret != EAGAIN) {
+@@ -243,7 +251,7 @@ ad_domain_info_next(struct tevent_req *req)
+ struct ad_domain_info_state *state =
+ tevent_req_data(req, struct ad_domain_info_state);
+ 
+- base = state->opts->sdom->search_bases[state->base_iter];
++ base = state->sdom->search_bases[state->base_iter];
+ if (base == NULL) {
+ return EOK;
+ }
+diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
+index c78338b5d..426ee68df 100644
+--- a/src/providers/ldap/ldap_common.h
++++ b/src/providers/ldap/ldap_common.h
+@@ -391,6 +391,9 @@ sdap_domain_remove(struct sdap_options *opts,
+ struct sdap_domain *sdap_domain_get(struct sdap_options *opts,
+ struct sss_domain_info *dom);
+ 
++struct sdap_domain *sdap_domain_get_by_name(struct sdap_options *opts,
++ const char *dom_name);
++
+ struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts,
+ const char *dn);
+ 
+diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
+index fa6e9340d..1785dd20d 100644
+--- a/src/providers/ldap/sdap_domain.c
++++ b/src/providers/ldap/sdap_domain.c
+@@ -44,6 +44,27 @@ sdap_domain_get(struct sdap_options *opts,
+ return sditer;
+ }
+ 
++struct sdap_domain *
++sdap_domain_get_by_name(struct sdap_options *opts,
++ const char *dom_name)
++{
++ struct sdap_domain *sditer = NULL;
++
++ if (dom_name == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "Missing domain name.\n");
++ return NULL;
++ }
++
++ DLIST_FOR_EACH(sditer, opts->sdom) {
++ if (sditer->dom->name != NULL
++ && strcasecmp(sditer->dom->name, dom_name) == 0) {
++ break;
++ }
++ }
++
++ return sditer;
++}
++
+ struct sdap_domain *
+ sdap_domain_get_by_dn(struct sdap_options *opts,
+ const char *dn)
+diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c
+index 109fa04bf..3276cf118 100644
+--- a/src/tests/cmocka/test_search_bases.c
++++ b/src/tests/cmocka/test_search_bases.c
+@@ -176,6 +176,51 @@ void test_get_by_dn_fail(void **state)
+ do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS);
+ }
+ 
++void test_sdap_domain_get_by_name(void **state)
++{
++ struct sdap_options *opts;
++ struct sss_domain_info dom1 = { 0 };
++ dom1.name = discard_const("dom1");
++ struct sss_domain_info dom2 = { 0 };
++ dom2.name = discard_const("dom2");
++ struct sss_domain_info dom3 = { 0 };
++ dom3.name = discard_const("dom3");
++ int ret;
++ struct sdap_domain *sdom;
++
++ opts = talloc_zero(NULL, struct sdap_options);
++ assert_non_null(opts);
++
++ ret = sdap_domain_add(opts, &dom1, NULL);
++ assert_int_equal(ret, EOK);
++
++ ret = sdap_domain_add(opts, &dom2, NULL);
++ assert_int_equal(ret, EOK);
++
++ ret = sdap_domain_add(opts, &dom3, NULL);
++ assert_int_equal(ret, EOK);
++
++ sdom = sdap_domain_get_by_name(opts, NULL);
++ assert_null(sdom);
++
++ sdom = sdap_domain_get_by_name(opts, "abc");
++ assert_null(sdom);
++
++ sdom = sdap_domain_get_by_name(opts, "dom1");
++ assert_non_null(sdom);
++ assert_ptr_equal(sdom->dom, &dom1);
++
++ sdom = sdap_domain_get_by_name(opts, "dom2");
++ assert_non_null(sdom);
++ assert_ptr_equal(sdom->dom, &dom2);
++
++ sdom = sdap_domain_get_by_name(opts, "dom3");
++ assert_non_null(sdom);
++ assert_ptr_equal(sdom->dom, &dom3);
++
++ talloc_free(opts);
++}
++
+ int main(void)
+ {
+ const struct CMUnitTest tests[] = {
+@@ -183,7 +228,8 @@ int main(void)
+ cmocka_unit_test(test_search_bases_success),
+ cmocka_unit_test(test_get_by_dn_fail),
+ cmocka_unit_test(test_get_by_dn),
+- cmocka_unit_test(test_get_by_dn2)
++ cmocka_unit_test(test_get_by_dn2),
++ cmocka_unit_test(test_sdap_domain_get_by_name)
+ };
+ 
+ return cmocka_run_group_tests(tests, NULL, NULL);
+--
+2.34.3
+
diff --git a/SOURCES/0008-ad-add-fallback-in-ad_domain_info_send.patch b/SOURCES/0008-ad-add-fallback-in-ad_domain_info_send.patch
new file mode 100644
index 0000000..093fea8
--- /dev/null
+++ b/SOURCES/0008-ad-add-fallback-in-ad_domain_info_send.patch
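Review bot: The new public prototype of sdap_domain_get_by_name() added to ldap_common.h carries no contract comment, although the implementation in sdap_domain.c matches with strcasecmp() (case-insensitive) and returns NULL both when dom_name is NULL and when no entry matches, so a caller cannot distinguish the two cases. A comment above the prototype such as `/* Find the sdap_domain whose dom->name equals dom_name (case-insensitive). Returns NULL when dom_name is NULL or no entry matches. */` would document that. In the DLIST_FOR_EACH loop `sditer->dom->name` is dereferenced after checking only `name`; if sdap_domain_add() can ever store an entry whose dom is NULL (not visible here), the condition should start with `sditer->dom != NULL &&`. The ad_domain_info_send() hunk's enclosing function and its `immediate` label lie outside this hunk, so whether EINVAL is propagated through tevent_req_error() there cannot be confirmed from this patch.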
@@ -0,0 +1,58 @@
+From 80ffa314c669feaaffe487d8ea5004c149d948c8 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 23 May 2022 09:05:43 +0200
+Subject: [PATCH] ad: add fallback in ad_domain_info_send()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed
+ad_domain_info_send() to handle multiple domains by searching for the
+matching sdap_domain data. Unfortunately it assumed that the configured
+name and the DNS domain name are always matching. This is true for all
+sub-domains discovered at runtime by DNS lookups but might not be true
+for the domain configured in sssd.conf. Since the configured domain is
+the first in the list of sdap_domain data it will be used as a fallback
+in case no data could be found by name.
+
+Resolves: https://github.com/SSSD/sssd/issues/6170
+
+Reviewed-by: Iker Pedrosa
+Reviewed-by: Pavel Březina
+(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e)
+---
+ src/providers/ad/ad_domain_info.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
+index f3a82a198..9583c74b9 100644
+--- a/src/providers/ad/ad_domain_info.c
++++ b/src/providers/ad/ad_domain_info.c
+@@ -217,8 +217,23 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
+ state->opts = conn->id_ctx->opts;
+ state->dom_name = dom_name;
+ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
++ /* The first domain in the list is the domain configured in sssd.conf and
++ * here it might be possible that the domain name from the config file and
++ * the DNS domain name do not match. All other sub-domains are discovered
++ * at runtime with the help of DNS lookups so it is expected that the
++ * names matches. Hence it makes sense to fall back to the first entry in
++ * the list if no matching domain was found since it is most probably
++ * related to the configured domain. */
++ if (state->sdom == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "No internal domain data found for [%s], "
++ "falling back to first domain.\n",
++ state->dom_name);
++ state->sdom = state->opts->sdom;
++ }
+ if (state->sdom == NULL || state->sdom->search_bases == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Missing internal domain data for domain [%s].\n",
++ state->dom_name);
+ ret = EINVAL;
+ goto immediate;
+ }
+--
+2.34.3
+
diff --git a/SOURCES/0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch b/SOURCES/0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch
new file mode 100644
index 0000000..b757a37
--- /dev/null
+++ b/SOURCES/0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch
@@ -0,0 +1,34 @@
+From 0eae7db9e06645ef88d0cf15672770776293edb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 23 May 2022 11:05:01 +0200
+Subject: [PATCH] pam_sss_gss: KRB5CCNAME may be NULL
+
+Resolves: https://github.com/SSSD/sssd/issues/6180
+
+:fixes: A regression in pam_sss_gss module causing a failure if
+ KRB5CCNAME environment variable was not set was fixed.
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Sumit Bose
+(cherry picked from commit 9aad30711a5928f0e8a3627305b6449291de507f)
+---
+ src/sss_client/pam_sss_gss.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
+index 51047efc3..77a58e4cf 100644
+--- a/src/sss_client/pam_sss_gss.c
++++ b/src/sss_client/pam_sss_gss.c
+@@ -492,7 +492,8 @@ static errno_t sss_cli_getenv(const char *variable_name, char **_value)
+ {
+ char *value = getenv(variable_name);
+ if (value == NULL) {
+- return ENOENT;
++ *_value = NULL;
++ return EOK;
+ }
+ 
+ *_value = strdup(value);
+--
+2.34.3
+
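Review bot: The fallback `state->sdom = state->opts->sdom;` in ad_domain_info_send() applies to every name that sdap_domain_get_by_name() fails to find, not only to the configured domain whose sssd.conf name differs from its DNS name, so a lookup for an unknown or mistyped sub-domain name is now served with the first domain's search bases instead of failing. If that is the intended behaviour the new comment should state it, e.g. by appending `Note that any unknown name is therefore answered with the configured domain's search bases.`; otherwise the fallback would need an additional condition that only the caller side (outside this hunk) can supply. The fallback is logged at SSSDBG_OP_FAILURE although, for a configured domain whose name legitimately differs from DNS, this path is taken on every call, so a lower level such as SSSDBG_MINOR_FAILURE would avoid a permanent stream of failure messages for a supported setup. The `immediate` label and the remainder of the function are outside the hunk.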
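Review bot: sss_cli_getenv() now returns EOK with `*_value` set to NULL when the variable is unset, which changes the contract for every caller that previously treated ENOENT as "not set" and could assume a non-NULL pointer on EOK; those callers are outside this hunk and must dereference `*_value` only after a NULL check. Nothing in the function documents this, so a comment above the signature such as `/* Copy the value of variable_name into *_value (caller frees). Sets *_value to NULL and returns EOK when the variable is not set. */` would make the new contract visible. The `strdup()` result on the last context line is not checked within the visible lines; if the lines that follow do not handle a NULL return, `if (*_value == NULL) return ENOMEM;` should be added after it. The function body continues past the end of the hunk.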
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 7f71424..185c9d7 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -19,7 +19,7 @@ Name: sssd
 Version: 2.6.2
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -33,6 +33,9 @@ Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
 Patch0004: 0004-po-update-translations.patch
 Patch0005: 0005-Revert-usertools-force-local-user-for-sssd-process-u.patch
 Patch0006: 0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch
+Patch0007: 0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
+Patch0008: 0008-ad-add-fallback-in-ad_domain_info_send.patch
+Patch0009: 0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch
 ### Downstream Patches ###
@@ -1159,6 +1162,10 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Thu Jun 2 2022 Alexey Tikhonov - 2.6.2-4.1
+- Resolves: rhbz#2072958 - Use right sdap_domain in ad_domain_info_send [rhel-8.6.0.z]
+- Resolves: rhbz#2089244 - pam_sss_gss ceased to work after upgrade to 8.6 [rhel-8.6.0.z]
+
 * Thu Apr 21 2022 Alexey Tikhonov - 2.6.2-4
 - Resolves: rhbz#2074648 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop [rhel-8.6.0.z]