import sssd-2.8.2-1.el8

CentOS Sources 2022-12-24 06:09:22 +00:00 committed by Stepan Oksanichenko
parent d4a7de2177
commit c9667aa30b
4 changed files with 172 additions and 4 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/sssd-2.8.1.tar.gz
SOURCES/sssd-2.8.2.tar.gz


@ -1 +1 @@
946608bad3cd09782912f6f6d68ba3bf21828a70 SOURCES/sssd-2.8.1.tar.gz
4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz


@ -0,0 +1,158 @@
From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 8 Dec 2022 15:14:05 +0100
Subject: [PATCH] ldap: update shadow last change in sysdb as well
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise pam can use the changed information whe id chaching is
enabled, so next authentication that fits into the id timeout
(5 seconds by default) will still sees the password as expired.
Resolves: https://github.com/SSSD/sssd/issues/6477
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
---
src/db/sysdb.h | 4 ++++
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
3 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7c666f5c4..06b44f5ba 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
struct sysdb_attrs *attrs,
int mod_op);
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
+ const char *name,
+ const char *attrname);
+
/* Replace group attrs */
int sysdb_set_group_attr(struct sss_domain_info *domain,
const char *name,
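Review bot: The new `sysdb_update_user_shadow_last_change()` prototype is added without a comment, although the neighbouring declaration carries one (`/* Replace group attrs */`), and its definition in the src/db/sysdb_ops.c hunk has none either. The signature alone does not tell a caller that the stored value is generated from the local clock rather than read back from the directory, or that any existing value is replaced. I would add above the prototype: `/* Replace attrname on the cached user with today's date, in days since the epoch, taken from the local clock */`. The declaration of `sysdb_set_group_attr()` that follows continues past the end of this hunk.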
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0d6f2d5cd..ed0df9872 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1485,6 +1485,38 @@ done:
return ret;
}
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
+ const char *name,
+ const char *attrname)
+{
+ struct sysdb_attrs *attrs;
+ char *value;
+ errno_t ret;
+
+ attrs = sysdb_new_attrs(NULL);
+ if (attrs == NULL) {
+ return ENOMEM;
+ }
+
+ /* The attribute contains number of days since the epoch */
+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
+ if (value == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, attrname, value);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
+
+done:
+ talloc_free(attrs);
+ return ret;
+}
+
/* =Replace-Attributes-On-Group=========================================== */
int sysdb_set_group_attr(struct sss_domain_info *domain,
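Review bot: The result of `time(NULL)` in `sysdb_update_user_shadow_last_change()` is divided and stored without a check, so a failing call returning `(time_t)-1` would be written to the cache as "0". If the shadow expiry check treats a last-change day of 0 as "password must be changed" (the shadow(5) convention; the check itself is not visible here), a forced-change state would be cached right after a successful change. A guard before the `talloc_asprintf()` call would cover it: `time_t now = time(NULL);` followed by `if (now == (time_t)-1) { ret = EINVAL; goto done; }`. The function also uses `name` and `attrname` unchecked; whether every caller guarantees non-NULL values cannot be seen from this hunk.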
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 6404a9d3a..96b9d6df4 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
struct pam_data *pd;
struct sdap_handle *sh;
char *dn;
+ enum pwexpire pw_expire_type;
};
static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
{
struct sdap_pam_chpass_handler_state *state;
struct tevent_req *req;
- enum pwexpire pw_expire_type;
void *pw_expire_data;
size_t msg_len;
uint8_t *msg;
@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
ret = auth_recv(subreq, state, &state->sh, &state->dn,
- &pw_expire_type, &pw_expire_data);
+ &state->pw_expire_type, &pw_expire_data);
talloc_free(subreq);
if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
}
if (ret == EOK) {
- switch (pw_expire_type) {
+ switch (state->pw_expire_type) {
case PWEXPIRE_SHADOW:
ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
break;
@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
- "Unknown password expiration type %d.\n", pw_expire_type);
+ "Unknown password expiration type %d.\n",
+ state->pw_expire_type);
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
case ERR_PASSWORD_EXPIRED:
DEBUG(SSSDBG_TRACE_LIBS,
"user [%s] successfully authenticated.\n", state->dn);
- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
+ ret = sdap_pam_chpass_handler_change_step(state, req,
+ state->pw_expire_type);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sdap_pam_chpass_handler_change_step() failed.\n");
@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
switch (ret) {
case EOK:
+ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
+ if (ret != EOK) {
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ }
+
state->pd->pam_status = PAM_SUCCESS;
break;
case ERR_CHPASS_DENIED:
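Review bot: In the `case EOK:` branch, a failure of `sysdb_update_user_shadow_last_change()` turns an already successful password change into `PAM_SYSTEM_ERR`, and does so without a log line. Reaching this branch means the change request returned EOK, so presumably the directory has already accepted the new password; the user is then told the change failed, and nothing in the debug log explains why. At minimum the failure should be logged before `goto done`, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Failed to update shadow last change in cache [%d]\n", ret);`. It is also worth deciding whether a cache write error should be fatal here or only logged, leaving `pam_status` as `PAM_SUCCESS`. `sdap_pam_chpass_handler_chpass_done()` starts and ends outside this hunk, so what the `done:` path does with `ret` is not visible.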
--
2.37.3


@ -18,7 +18,7 @@
%global enable_systemtap_opt --enable-systemtap
Name: sssd
Version: 2.8.1
Version: 2.8.2
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
@ -27,7 +27,7 @@ URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
#Patch0001:
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
### Downstream Patches ###
@ -105,6 +105,7 @@ BuildRequires: jansson-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: softhsm >= 2.1.0
BuildRequires: bc
BuildRequires: openssl
BuildRequires: openssh
BuildRequires: libnl3-devel
@ -1209,6 +1210,15 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Mon Dec 19 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization
- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list
- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required)
* Tue Nov 22 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
- Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr