diff --git a/.gitignore b/.gitignore index b237fea..e8ef24e 100644 --- a/.gitignore +++ b/.gitignore @@ -106,3 +106,4 @@ sssd-1.2.91.tar.gz /sssd-2.9.3.tar.gz /sssd-2.9.4.tar.gz /sssd-2.9.5.tar.gz +/sssd-2.9.6.tar.gz diff --git a/0001-spec-change-passkey_child-owner.patch b/0001-spec-change-passkey_child-owner.patch deleted file mode 100644 index dac8b4b..0000000 --- a/0001-spec-change-passkey_child-owner.patch +++ /dev/null @@ -1,34 +0,0 @@ -From ee8de7e404ba65062e0b373f2badc0475835bbde Mon Sep 17 00:00:00 2001 -From: Iker Pedrosa -Date: Tue, 11 Jun 2024 15:57:23 +0200 -Subject: [PATCH] spec: change passkey_child owner - -passkey_child owner was incorrectly set to $sssd_user:$sssd_user, when -it should be root:root. Correcting it. - -Fixes: 30daa0ccdae5 ("spec: update to include passkey") - -Signed-off-by: Iker Pedrosa - -Reviewed-by: Alexey Tikhonov -(cherry picked from commit bb72b53d3a222f016d882853a619bd74c237edf9) ---- - contrib/sssd.spec.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 03171a872..3735d4f06 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -998,7 +998,7 @@ done - - %if %{build_passkey} - %files passkey --%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child -+%{_libexecdir}/%{servicename}/passkey_child - %{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so - %{_datadir}/sssd/krb5-snippets/sssd_enable_passkey - %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey --- -2.44.0 - diff --git a/0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch b/0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch deleted file mode 100644 index 503738e..0000000 --- a/0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch +++ /dev/null @@ -1,58 +0,0 @@ -From d234cf5d6e793daf2c96856887acb641c4dff407 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 14 Jun 2024 16:10:34 +0200 -Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -SSSD does not handle the root user (UID==0) and treats all accounts with -UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as -well and as a result for those accounts in MPG domains the check for a -collisions of the primary GID should be skipped. The current code might -e.g. cause issues during GPO evaluation when adding a host account into -the cache which does not have any UID or GID set in AD and SSSD is -configured to read UID and GID from AD. - -Resolves: https://github.com/SSSD/sssd/issues/7451 - -Reviewed-by: Alejandro López -Reviewed-by: Tomáš Halman -(cherry picked from commit 986bb726202e69b05f861c14c3a220379baf9bd1) ---- - src/db/sysdb_ops.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 0f62e3b1a..76f4580aa 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain, - goto done; - } - -- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); -- if (ret != ENOENT) { -- if (ret == EOK) { -- DEBUG(SSSDBG_OP_FAILURE, -- "Group with GID [%"SPRIgid"] already exists in an " -- "MPG domain\n", gid); -- ret = EEXIST; -+ if (uid != 0) { /* uid == 0 means non-POSIX object */ -+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); -+ if (ret != ENOENT) { -+ if (ret == EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Group with GID [%"SPRIgid"] already exists in an " -+ "MPG domain\n", uid); -+ ret = EEXIST; -+ } -+ goto done; - } -- goto done; - } - } - --- -2.44.0 - diff --git a/0003-ad-use-right-memory-context-in-GPO-code.patch b/0003-ad-use-right-memory-context-in-GPO-code.patch deleted file mode 100644 index 29401e6..0000000 --- a/0003-ad-use-right-memory-context-in-GPO-code.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 723a30b45ba4cbd9a4913fd37d68e392dcfc16ba Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 7 Jun 2024 18:04:00 +0200 -Subject: [PATCH] ad: use right memory context in GPO code -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The original primary SID is allocated on a temporary context and must be -move to be longer living one to still be available when the SID is -evaluated later in the code. - -Resolves: https://github.com/SSSD/sssd/issues/7411 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman -(cherry picked from commit b25e510ad60f6ce0b57063cce648c3aa48b21241) ---- - src/providers/ad/ad_gpo.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index b879b0a08..ed664ec83 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -711,7 +711,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx, - } - group_sids[i++] = talloc_strdup(group_sids, AD_AUTHENTICATED_USERS_SID); - if (orig_gid_sid != NULL) { -- group_sids[i++] = orig_gid_sid; -+ group_sids[i++] = talloc_steal(group_sids, orig_gid_sid); - } - group_sids[i] = NULL; - --- -2.44.0 - diff --git a/0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch b/0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch deleted file mode 100644 index 60f5383..0000000 --- a/0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch +++ /dev/null @@ -1,208 +0,0 @@ -From 09b23e78806d8930c3f1b9e411dc8cf464c18998 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Jul 2024 13:08:02 +0200 -Subject: [PATCH 4/5] TS_CACHE: never try to upgrade timestamps cache -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It's easier and more consistent to recreate it instead. - -This is a natural extension of 3b67fc6488ac10ca13561d9032f59951f82203e6 - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit fc2a26c306e51b66680aef85aa0d2c41d8049a7f) ---- - src/db/sysdb_init.c | 103 +---------------------------------------- - src/db/sysdb_upgrade.c | 45 ------------------ - 2 files changed, 1 insertion(+), 147 deletions(-) - -diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c -index 38a9cd64a..a1d02d49c 100644 ---- a/src/db/sysdb_init.c -+++ b/src/db/sysdb_init.c -@@ -376,57 +376,6 @@ static errno_t sysdb_cache_create_empty(struct ldb_context *ldb, - return EOK; - } - --static errno_t sysdb_ts_cache_upgrade(TALLOC_CTX *mem_ctx, -- struct sysdb_ctx *sysdb, -- struct ldb_context *ldb, -- struct sss_domain_info *domain, -- const char *cur_version, -- const char **_new_version) --{ -- errno_t ret; -- TALLOC_CTX *tmp_ctx; -- const char *version; -- struct ldb_context *save_ldb; -- -- tmp_ctx = talloc_new(NULL); -- if (tmp_ctx == NULL) { -- return ENOMEM; -- } -- -- /* The upgrade process depends on having ldb around, yet the upgrade -- * function shouldn't set the ldb pointer, only the connect function -- * should after it's successful. To avoid hard refactoring, save the -- * ldb pointer here and restore in the 'done' handler -- */ -- save_ldb = sysdb->ldb; -- sysdb->ldb = ldb; -- -- version = talloc_strdup(tmp_ctx, cur_version); -- if (version == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- DEBUG(SSSDBG_CONF_SETTINGS, -- "Upgrading timstamp cache of DB [%s] from version: %s\n", -- domain->name, version); -- -- if (strcmp(version, SYSDB_TS_VERSION_0_1) == 0) { -- ret = sysdb_ts_upgrade_01(sysdb, &version); -- if (ret != EOK) { -- goto done; -- } -- } -- -- ret = EOK; -- --done: -- sysdb->ldb = save_ldb; -- *_new_version = version; -- talloc_free(tmp_ctx); -- return ret; --} -- - static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, - struct sysdb_ctx *sysdb, - struct sysdb_dom_upgrade_ctx *upgrade_ctx, -@@ -884,56 +833,6 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb, - } - - ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version); -- switch (ret) { -- case ERR_SYSDB_VERSION_TOO_OLD: -- if (upgrade_ctx == NULL) { -- DEBUG(SSSDBG_FATAL_FAILURE, -- "DB version too old [%s], expected [%s] for domain %s!\n", -- version, SYSDB_VERSION, domain->name); -- break; -- } -- -- ret = sysdb_ts_cache_upgrade(tmp_ctx, sysdb, ldb, domain, version, -- &version); -- if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not upgrade the timestamp ldb file (%d) (%s)\n", -- ret, sss_strerror(ret)); -- break; -- } -- -- /* The version should now match SYSDB_VERSION. -- * If not, it means we didn't match any of the -- * known older versions. The DB might be -- * corrupt or generated by a newer version of -- * SSSD. -- */ -- ret = sysdb_version_check(SYSDB_TS_VERSION, version); -- if (ret == EOK) { -- /* The cache has been upgraded. -- * We need to reopen the LDB to ensure that -- * any changes made above take effect. -- */ -- ret = sysdb_ldb_reconnect(tmp_ctx, -- sysdb->ldb_ts_file, -- LDB_FLG_NOSYNC, -- &ldb); -- if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not reopen the timestamp ldb file (%d) (%s)\n", -- ret, sss_strerror(ret)); -- } -- } -- break; -- case ERR_SYSDB_VERSION_TOO_NEW: -- DEBUG(SSSDBG_MINOR_FAILURE, -- "DB version too new [%s], expected [%s] for domain %s!\n", -- version, SYSDB_TS_VERSION, domain->name); -- break; -- default: -- break; -- } -- - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "The timestamps cache could not be opened. " -@@ -953,7 +852,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb, - ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not delete the timestamp ldb file (%d) (%s)\n", -+ "sysdb_ts_cache_connect() failed after cache deletion [%d]: %s\n", - ret, sss_strerror(ret)); - } - } -diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c -index 328bd2962..37c0007cb 100644 ---- a/src/db/sysdb_upgrade.c -+++ b/src/db/sysdb_upgrade.c -@@ -2774,51 +2774,6 @@ done: - return ret; - } - --int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver) --{ -- struct upgrade_ctx *ctx; -- errno_t ret; -- struct ldb_message *msg = NULL; -- -- ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_TS_VERSION_0_2, &ctx); -- if (ret) { -- return ret; -- } -- -- /* Remove @IDXONE from index */ -- talloc_free(msg); -- msg = ldb_msg_new(ctx); -- if (msg == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST"); -- if (msg->dn == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = ldb_msg_add_empty(msg, "@IDXONE", LDB_FLAG_MOD_DELETE, NULL); -- if (ret != LDB_SUCCESS) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = ldb_modify(sysdb->ldb, msg); -- if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -- goto done; -- } -- -- /* conversion done, update version number */ -- ret = update_version(ctx); -- --done: -- ret = finish_upgrade(ret, &ctx, ver); -- return ret; --} -- - /* - * Example template for future upgrades. - * Copy and change version numbers as appropriate. --- -2.45.2 - diff --git a/0005-SYSDB-remove-index-on-dataExpireTimestamp.patch b/0005-SYSDB-remove-index-on-dataExpireTimestamp.patch deleted file mode 100644 index ee1a718..0000000 --- a/0005-SYSDB-remove-index-on-dataExpireTimestamp.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 13e3d0390b9aaf72a855b857857c3cdd6eb6252a Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 21 Jun 2024 19:09:29 +0200 -Subject: [PATCH 5/5] SYSDB: remove index on `dataExpireTimestamp` -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This index was only used in cleanup tasks that don't run often. -On the other hand, this index is huge and degrades performance of libldb -in general. - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit f0d45464cee1d2a6a2719dbffe5bbf6189d0554a) ---- - src/db/sysdb_init.c | 8 ++++++++ - src/db/sysdb_private.h | 9 +++++---- - src/db/sysdb_upgrade.c | 27 +++++++++++++++++++++++++++ - 3 files changed, 40 insertions(+), 4 deletions(-) - -diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c -index a1d02d49c..68b9744dd 100644 ---- a/src/db/sysdb_init.c -+++ b/src/db/sysdb_init.c -@@ -559,6 +559,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, - } - } - -+ if (strcmp(version, SYSDB_VERSION_0_24) == 0) { -+ ret = sysdb_upgrade_24(sysdb, &version); -+ if (ret != EOK) { -+ goto done; -+ } -+ } -+ - ret = EOK; - done: - sysdb->ldb = save_ldb; -@@ -765,6 +772,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb, - ret = sysdb_domain_cache_upgrade(tmp_ctx, sysdb, upgrade_ctx, - ldb, domain, version, &version); - if (ret != EOK) { -+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_domain_cache_upgrade() failed\n"); - goto done; - } - -diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h -index 63f7b5601..b814f97a5 100644 ---- a/src/db/sysdb_private.h -+++ b/src/db/sysdb_private.h -@@ -23,6 +23,7 @@ - #ifndef __INT_SYS_DB_H__ - #define __INT_SYS_DB_H__ - -+#define SYSDB_VERSION_0_25 "0.25" - #define SYSDB_VERSION_0_24 "0.24" - #define SYSDB_VERSION_0_23 "0.23" - #define SYSDB_VERSION_0_22 "0.22" -@@ -48,7 +49,7 @@ - #define SYSDB_VERSION_0_2 "0.2" - #define SYSDB_VERSION_0_1 "0.1" - --#define SYSDB_VERSION SYSDB_VERSION_0_24 -+#define SYSDB_VERSION SYSDB_VERSION_0_25 - - #define SYSDB_BASE_LDIF \ - "dn: @ATTRIBUTES\n" \ -@@ -72,7 +73,6 @@ - "@IDXATTR: uidNumber\n" \ - "@IDXATTR: gidNumber\n" \ - "@IDXATTR: lastUpdate\n" \ -- "@IDXATTR: dataExpireTimestamp\n" \ - "@IDXATTR: originalDN\n" \ - "@IDXATTR: nameAlias\n" \ - "@IDXATTR: servicePort\n" \ -@@ -104,10 +104,11 @@ - "\n" - - /* The timestamp cache has its own versioning */ -+#define SYSDB_TS_VERSION_0_3 "0.3" - #define SYSDB_TS_VERSION_0_2 "0.2" - #define SYSDB_TS_VERSION_0_1 "0.1" - --#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_2 -+#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_3 - - #define SYSDB_TS_BASE_LDIF \ - "dn: @ATTRIBUTES\n" \ -@@ -115,7 +116,6 @@ - "\n" \ - "dn: @INDEXLIST\n" \ - "@IDXATTR: lastUpdate\n" \ -- "@IDXATTR: dataExpireTimestamp\n" \ - "\n" \ - "dn: cn=sysdb\n" \ - "cn: sysdb\n" \ -@@ -194,6 +194,7 @@ int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver); -+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver); - - int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver); - -diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c -index 37c0007cb..b010488ca 100644 ---- a/src/db/sysdb_upgrade.c -+++ b/src/db/sysdb_upgrade.c -@@ -2774,6 +2774,33 @@ done: - return ret; - } - -+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver) -+{ -+ struct upgrade_ctx *ctx; -+ errno_t ret; -+ -+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_25, &ctx); -+ if (ret) { -+ return ret; -+ } -+ -+ ret = sysdb_ldb_mod_index(sysdb, SYSDB_IDX_DELETE, sysdb->ldb, "dataExpireTimestamp"); -+ if (ret == ENOENT) { /*nothing to delete */ -+ ret = EOK; -+ } -+ if (ret != EOK) { -+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_ldb_mod_index() failed [%d]: %s\n", -+ ret, sss_strerror(ret)); -+ goto done; -+ } -+ -+ ret = update_version(ctx); -+ -+done: -+ ret = finish_upgrade(ret, &ctx, ver); -+ return ret; -+} -+ - /* - * Example template for future upgrades. - * Copy and change version numbers as appropriate. --- -2.45.2 - diff --git a/0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch b/0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch deleted file mode 100644 index 43f9e2d..0000000 --- a/0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 39cbb8df402f59b4df2442eb291600773e7062cc Mon Sep 17 00:00:00 2001 -From: Petr Mikhalicin -Date: Fri, 10 Nov 2023 15:24:48 +0600 -Subject: [PATCH 6/8] pam_sss: fix passthrow of old authtok from another pam - modules at PAM_PRELIM_CHECK - -pam_sss ignored old authtoks passed from another pam modules - -Resolves: https://github.com/SSSD/sssd/issues/7007 -Resolves: https://github.com/SSSD/sssd/issues/5418 - -Reviewed-by: Iker Pedrosa -Reviewed-by: Sumit Bose -(cherry picked from commit ae6b9163be0a5a8846e8dbf2e0da2c29221781b9) - -Reviewed-by: Sumit Bose ---- - src/sss_client/pam_sss.c | 75 ++++++++++++++++++++++++---------------- - 1 file changed, 45 insertions(+), 30 deletions(-) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 41a528dda..5171e58ec 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -2728,42 +2728,57 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - exp_data = NULL; - } - -- /* we query for the old password during PAM_PRELIM_CHECK to make -- * pam_sss work e.g. with pam_cracklib */ - if (pam_flags & PAM_PRELIM_CHECK) { -- if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) { -- if (flags & PAM_CLI_FLAGS_USE_2FA -- || (pi->otp_vendor != NULL && pi->otp_token_id != NULL -- && pi->otp_challenge != NULL)) { -- if (pi->password_prompting) { -- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -- _("Second Factor (optional): ")); -- } else { -- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -- _("Second Factor: ")); -- } -+ if (getuid() == 0 && !exp_data ) -+ return PAM_SUCCESS; -+ -+ if (flags & PAM_CLI_FLAGS_USE_2FA -+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL -+ && pi->otp_challenge != NULL)) { -+ if (pi->password_prompting) { -+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -+ _("Second Factor (optional): ")); - } else { -- ret = prompt_password(pamh, pi, _("Current Password: ")); -+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -+ _("Second Factor: ")); - } -- if (ret != PAM_SUCCESS) { -- D(("failed to get credentials from user")); -- return ret; -+ } else if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS) -+ && check_authtok_data(pamh, pi) != 0) { -+ if (pi->pamstack_oldauthtok == NULL) { -+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY; -+ pi->pam_authtok = NULL; -+ pi->pam_authtok_size = 0; -+ } else { -+ pi->pam_authtok = strdup(pi->pamstack_oldauthtok); -+ if (pi->pam_authtok == NULL) { -+ D(("strdup failed")); -+ return PAM_BUF_ERR; -+ } -+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD; -+ pi->pam_authtok_size = strlen(pi->pam_authtok); - } -+ ret = PAM_SUCCESS; -+ } else { -+ ret = prompt_password(pamh, pi, _("Current Password: ")); -+ } -+ if (ret != PAM_SUCCESS) { -+ D(("failed to get credentials from user")); -+ return ret; -+ } - -- ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok); -- if (ret != PAM_SUCCESS) { -- D(("Failed to set PAM_OLDAUTHTOK [%s], " -- "oldauthtok may not be available", -- pam_strerror(pamh,ret))); -- return ret; -- } -+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok); -+ if (ret != PAM_SUCCESS) { -+ D(("Failed to set PAM_OLDAUTHTOK [%s], " -+ "oldauthtok may not be available", -+ pam_strerror(pamh,ret))); -+ return ret; -+ } - -- if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) { -- ret = keep_authtok_data(pamh, pi); -- if (ret != 0) { -- D(("Failed to store authtok data to pam handle. Password " -- "change might fail.")); -- } -+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) { -+ ret = keep_authtok_data(pamh, pi); -+ if (ret != 0) { -+ D(("Failed to store authtok data to pam handle. Password " -+ "change might fail.")); - } - } - --- -2.45.2 - diff --git a/0007-krb5_child-do-not-try-passwords-with-OTP.patch b/0007-krb5_child-do-not-try-passwords-with-OTP.patch deleted file mode 100644 index 27c987f..0000000 --- a/0007-krb5_child-do-not-try-passwords-with-OTP.patch +++ /dev/null @@ -1,178 +0,0 @@ -From ef375cdd67b51d8fb63cae4d3cd40f3a5c2bc173 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 1 Jul 2024 20:40:30 +0200 -Subject: [PATCH 7/8] krb5_child: do not try passwords with OTP -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -During two-factor authentication (OTP) krb5_child should use use the -dedicated OTP auth types SSS_AUTHTOK_TYPE_2FA and -SSS_AUTHTOK_TYPE_2FA_SINGLE exclusively and should not try password or -other types. - -The special handling needed of ssh under certain conditions are -documented in the code and the man page. - -Resolves: https://github.com/SSSD/sssd/issues/7456 - -Reviewed-by: Justin Stephenson -Reviewed-by: Tomáš Halman -(cherry picked from commit af799964e5fa1264467b49988021c054586eff27) - -Reviewed-by: Sumit Bose ---- - src/man/sssd.conf.5.xml | 11 +++++++++ - src/providers/krb5/krb5_child.c | 11 +-------- - src/sss_client/pam_sss.c | 44 ++++++++++++++++++++++++--------- - 3 files changed, 44 insertions(+), 22 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index fb86a4e41..8ac1a4418 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -4559,6 +4559,17 @@ ldap_user_extra_attrs = phone:telephoneNumber - to log in either only with the password or with both factors - two-step prompting has to be used. - -+ -+ Some clients, such as SSH with -+ 'PasswordAuthentication yes', generate their own prompts -+ and do not use prompts provided by SSSD or other PAM -+ modules. Additionally, for SSH with -+ PasswordAuthentication, if two-factor authentication is -+ available, SSSD expects that the -+ credentials entered by the user at the SSH password prompt -+ will always be the two factors in a single string, even if -+ two-factor authentication is optional. -+ - - - -diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c -index 494711de9..cb9a9ce73 100644 ---- a/src/providers/krb5/krb5_child.c -+++ b/src/providers/krb5/krb5_child.c -@@ -536,15 +536,6 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx, - size_t fa2_len; - - switch (sss_authtok_get_type(auth_tok)) { -- case SSS_AUTHTOK_TYPE_PASSWORD: -- ret = sss_authtok_get_password(auth_tok, &pwd, &len); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n"); -- return ret; -- } -- -- return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin); -- break; - case SSS_AUTHTOK_TYPE_2FA_SINGLE: - ret = sss_authtok_get_2fa_single(auth_tok, &pwd, &len); - if (ret != EOK) { -@@ -569,7 +560,7 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx, - "Unsupported authtok type %d\n", sss_authtok_get_type(auth_tok)); - } - -- return EINVAL; -+ return EAGAIN; - } - - static krb5_error_code answer_otp(krb5_context ctx, -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 5171e58ec..d43bd0f55 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -1656,6 +1656,7 @@ static int prompt_password(pam_handle_t *pamh, struct pam_items *pi, - } - - static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi, -+ bool second_factor_optional, - const char *prompt_fa1, const char *prompt_fa2) - { - int ret; -@@ -1706,13 +1707,30 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi, - goto done; - } - -- if (resp[1].resp == NULL || *(resp[1].resp) == '\0' -- || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0 -- && strcmp(resp[0].resp, resp[1].resp) == 0)) { -+ if (resp[1].resp == NULL || *(resp[1].resp) == '\0') { - /* Missing second factor, assume first factor contains combined 2FA -- * credentials. -- * Special handling for SSH with password authentication. Combined -- * 2FA credentials are used but SSH puts them in both responses. */ -+ * credentials if the second factor is not optional. If it is optional -+ * then it is assumed that the first factor contain the password. */ -+ pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE); -+ if (pi->pam_authtok == NULL) { -+ D(("strndup failed.")); -+ ret = PAM_BUF_ERR; -+ goto done; -+ } -+ pi->pam_authtok_size = strlen(pi->pam_authtok) + 1; -+ pi->pam_authtok_type = second_factor_optional -+ ? SSS_AUTHTOK_TYPE_PASSWORD -+ : SSS_AUTHTOK_TYPE_2FA_SINGLE; -+ } else if (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0 -+ && strcmp(resp[0].resp, resp[1].resp) == 0) { -+ /* Special handling for SSH with password authentication (ssh's -+ * 'PasswordAuthentication' option. In this mode the ssh client -+ * directly prompts the user for a password and the prompts we are -+ * sending are ignored. Since we send two prompts ssh * will create two -+ * response as well with the same content. We assume that the combined -+ * 2FA credentials are used even if the second factor is optional -+ * because there is no indication about the intention of the user. As a -+ * result we prefer the more secure variant. */ - - pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE); - if (pi->pam_authtok == NULL) { -@@ -1721,7 +1739,7 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi, - goto done; - } - pi->pam_authtok_size = strlen(pi->pam_authtok) + 1; -- pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD; -+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA_SINGLE; - } else { - - ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0, -@@ -2487,7 +2505,7 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi) - ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c])); - break; - case PC_TYPE_2FA: -- ret = prompt_2fa(pamh, pi, pc_get_2fa_1st_prompt(pi->pc[c]), -+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]), - pc_get_2fa_2nd_prompt(pi->pc[c])); - break; - case PC_TYPE_2FA_SINGLE: -@@ -2564,10 +2582,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, - || (pi->otp_vendor != NULL && pi->otp_token_id != NULL - && pi->otp_challenge != NULL)) { - if (pi->password_prompting) { -- ret = prompt_2fa(pamh, pi, _("First Factor: "), -+ ret = prompt_2fa(pamh, pi, true, _("First Factor: "), - _("Second Factor (optional): ")); - } else { -- ret = prompt_2fa(pamh, pi, _("First Factor: "), -+ ret = prompt_2fa(pamh, pi, false, _("First Factor: "), - _("Second Factor: ")); - } - } else if (pi->passkey_prompt_pin) { -@@ -2736,10 +2754,12 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - || (pi->otp_vendor != NULL && pi->otp_token_id != NULL - && pi->otp_challenge != NULL)) { - if (pi->password_prompting) { -- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -+ ret = prompt_2fa(pamh, pi, true, -+ _("First Factor (Current Password): "), - _("Second Factor (optional): ")); - } else { -- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -+ ret = prompt_2fa(pamh, pi, false, -+ _("First Factor (Current Password): "), - _("Second Factor: ")); - } - } else if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS) --- -2.45.2 - diff --git a/0008-pam_sss-add-missing-optional-2nd-factor-handling.patch b/0008-pam_sss-add-missing-optional-2nd-factor-handling.patch deleted file mode 100644 index 62c1ec4..0000000 --- a/0008-pam_sss-add-missing-optional-2nd-factor-handling.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 7e76396a891b4c704f1db8c71a217f869bef0ec3 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 12 Jul 2024 13:46:00 +0200 -Subject: [PATCH 8/8] pam_sss: add missing optional 2nd factor handling -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is a follow up to pull-request #7462 and adds the proper handling of -an optional second factor in case the prompting is configured. - -Resolves: https://github.com/SSSD/sssd/issues/7456 - -Reviewed-by: Justin Stephenson -Reviewed-by: Tomáš Halman -(cherry picked from commit 077d2993a1b306e7cfe61618cbd5d03c602572f8) - -Reviewed-by: Sumit Bose ---- - src/sss_client/pam_sss.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index d43bd0f55..d1101e16c 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -2505,8 +2505,13 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi) - ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c])); - break; - case PC_TYPE_2FA: -- ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]), -- pc_get_2fa_2nd_prompt(pi->pc[c])); -+ if (pi->password_prompting) { -+ ret = prompt_2fa(pamh, pi, true, pc_get_2fa_1st_prompt(pi->pc[c]), -+ pc_get_2fa_2nd_prompt(pi->pc[c])); -+ } else { -+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]), -+ pc_get_2fa_2nd_prompt(pi->pc[c])); -+ } - break; - case PC_TYPE_2FA_SINGLE: - ret = prompt_2fa_single(pamh, pi, --- -2.45.2 - diff --git a/0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch b/0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch deleted file mode 100644 index e069a48..0000000 --- a/0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch +++ /dev/null @@ -1,58 +0,0 @@ -From b4c496856d466ff00d06cd5177cb216110f5e3b3 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 18 Sep 2024 15:18:14 +0200 -Subject: [PATCH] pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never - to 'false'. - -The krb5 backend will only returns that Smartcard authentication is -available if a Smartcard is present. That means if the user -authenticates with a different method and a Smartcard is not present at -this time 'sc_allow' will be 'false' and might overwrite a 'true' value -written during a previous authentication attempt where a Smartcard was -present. To avoid this we only write 'true' values. Since the default if -SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false' local Smartcard -authentication (offline) will still only be enabled if online Smartcard -authentication was detected. - -Resolves: https://github.com/SSSD/sssd/issues/7532 - -Reviewed-by: Iker Pedrosa -Reviewed-by: Justin Stephenson -(cherry picked from commit 67ba42c48abb9270982836310488e35d9fc1d451) ---- - src/responder/pam/pamsrv_cmd.c | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index 1394147a0..941446d94 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -554,9 +554,22 @@ static errno_t set_local_auth_type(struct pam_auth_req *preq, - goto fail; - } - -- ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow); -- if (ret != EOK) { -- goto fail; -+ if (sc_allow) { -+ /* Only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to -+ * 'false'. The krb5 backend will only returns that Smartcard -+ * authentication is available if a Smartcard is present. That means -+ * if the user authenticates with a different method and a Smartcard -+ * is not present at this time 'sc_allow' will be 'false' and might -+ * overwrite a 'true' value written during a previous authentication -+ * attempt where a Smartcard was present. To avoid this we only write -+ * 'true' values. Since the default if SYSDB_LOCAL_SMARTCARD_AUTH is -+ * missing is 'false' local Smartcard authentication (offline) will -+ * still only be enabled if online Smartcard authentication was -+ * detected. */ -+ ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow); -+ if (ret != EOK) { -+ goto fail; -+ } - } - - ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_PASSKEY_AUTH, passkey_allow); --- -2.45.0 - diff --git a/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch b/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch deleted file mode 100644 index 1286417..0000000 --- a/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch +++ /dev/null @@ -1,307 +0,0 @@ -From 321ca19ae09609ac4195f323b696bdcd7ee573e4 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 6 Sep 2024 14:27:19 +0200 -Subject: [PATCH 10/11] sdap: allow to provide user_map when looking up group - memberships -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -To allow to lookup group memberships of other objects similar to user -objects but with different attribute mappings, e.g. host objects in AD, -a new option to provide an alternative attribute map is added. - -Resolves: https://github.com/SSSD/sssd/issues/7590 - -Reviewed-by: Justin Stephenson -Reviewed-by: Tomáš Halman -(cherry picked from commit 69f63f1fa64bd9cc7c2ee1f8e8d736727b13b3be) ---- - src/providers/ad/ad_gpo.c | 2 +- - src/providers/ldap/ldap_common.h | 2 + - src/providers/ldap/ldap_id.c | 9 ++++ - src/providers/ldap/sdap_async.h | 2 + - src/providers/ldap/sdap_async_initgroups.c | 51 ++++++++++++++-------- - 5 files changed, 48 insertions(+), 18 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index ed664ec83..fa68d814f 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -2244,7 +2244,7 @@ ad_gpo_connect_done(struct tevent_req *subreq) - search_bases, - state->host_fqdn, - BE_FILTER_NAME, -- NULL, -+ NULL, NULL, 0, - true, - true); - tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req); -diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h -index 2c984ef50..61a35553b 100644 ---- a/src/providers/ldap/ldap_common.h -+++ b/src/providers/ldap/ldap_common.h -@@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, - const char *filter_value, - int filter_type, - const char *extra_value, -+ struct sdap_attr_map *user_map, -+ size_t user_map_cnt, - bool noexist_delete, - bool set_non_posix); - -diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c -index b3ea2333f..0596ad4cf 100644 ---- a/src/providers/ldap/ldap_id.c -+++ b/src/providers/ldap/ldap_id.c -@@ -1144,6 +1144,8 @@ struct groups_by_user_state { - const char *filter_value; - int filter_type; - const char *extra_value; -+ struct sdap_attr_map *user_map; -+ size_t user_map_cnt; - const char **attrs; - bool non_posix; - -@@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, - const char *filter_value, - int filter_type, - const char *extra_value, -+ struct sdap_attr_map *user_map, -+ size_t user_map_cnt, - bool noexist_delete, - bool set_non_posix) - { -@@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, - state->filter_value = filter_value; - state->filter_type = filter_type; - state->extra_value = extra_value; -+ state->user_map = user_map; -+ state->user_map_cnt = user_map_cnt; - state->domain = sdom->dom; - state->sysdb = sdom->dom->sysdb; - state->search_bases = search_bases; -@@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq) - state->sdom, - sdap_id_op_handle(state->op), - state->ctx, -+ state->user_map, -+ state->user_map_cnt, - state->conn, - state->search_bases, - state->filter_value, -@@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx, - ar->filter_value, - ar->filter_type, - ar->extra_value, -+ NULL, 0, - noexist_delete, false); - break; - -diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h -index 89245f41f..a45e057d0 100644 ---- a/src/providers/ldap/sdap_async.h -+++ b/src/providers/ldap/sdap_async.h -@@ -157,6 +157,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - struct sdap_domain *sdom, - struct sdap_handle *sh, - struct sdap_id_ctx *id_ctx, -+ struct sdap_attr_map *user_map, -+ size_t user_map_cnt, - struct sdap_id_conn_ctx *conn, - struct sdap_search_base **search_bases, - const char *name, -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index fb3d8fe24..8ce1f6cd4 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -785,6 +785,8 @@ struct sdap_initgr_nested_state { - struct tevent_context *ev; - struct sysdb_ctx *sysdb; - struct sdap_options *opts; -+ struct sdap_attr_map *user_map; -+ size_t user_map_cnt; - struct sss_domain_info *dom; - struct sdap_handle *sh; - -@@ -812,6 +814,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req); - static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx, - struct tevent_context *ev, - struct sdap_options *opts, -+ struct sdap_attr_map *user_map, -+ size_t user_map_cnt, - struct sysdb_ctx *sysdb, - struct sss_domain_info *dom, - struct sdap_handle *sh, -@@ -828,6 +832,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx, - - state->ev = ev; - state->opts = opts; -+ state->user_map = user_map; -+ state->user_map_cnt = user_map_cnt; - state->sysdb = sysdb; - state->dom = dom; - state->sh = sh; -@@ -968,7 +974,7 @@ static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req) - - subreq = sdap_deref_search_send(state, state->ev, state->opts, - state->sh, state->orig_dn, -- state->opts->user_map[SDAP_AT_USER_MEMBEROF].name, -+ state->user_map[SDAP_AT_USER_MEMBEROF].name, - sdap_attrs, num_maps, maps, timeout); - if (!subreq) { - ret = EIO; -@@ -2697,6 +2703,8 @@ struct sdap_get_initgr_state { - struct tevent_context *ev; - struct sysdb_ctx *sysdb; - struct sdap_options *opts; -+ struct sdap_attr_map *user_map; -+ size_t user_map_cnt; - struct sss_domain_info *dom; - struct sdap_domain *sdom; - struct sdap_handle *sh; -@@ -2731,6 +2739,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - struct sdap_domain *sdom, - struct sdap_handle *sh, - struct sdap_id_ctx *id_ctx, -+ struct sdap_attr_map *user_map, -+ size_t user_map_cnt, - struct sdap_id_conn_ctx *conn, - struct sdap_search_base **search_bases, - const char *filter_value, -@@ -2754,6 +2764,12 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - - state->ev = ev; - state->opts = id_ctx->opts; -+ state->user_map = user_map; -+ state->user_map_cnt = user_map_cnt; -+ if (state->user_map == NULL) { -+ state->user_map = id_ctx->opts->user_map; -+ state->user_map_cnt = id_ctx->opts->user_map_cnt; -+ } - state->dom = sdom->dom; - state->sysdb = sdom->dom->sysdb; - state->sdom = sdom; -@@ -2785,7 +2801,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - - switch (filter_type) { - case BE_FILTER_SECID: -- search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name; -+ search_attr = state->user_map[SDAP_AT_USER_OBJECTSID].name; - - ret = sss_filter_sanitize(state, state->filter_value, &clean_name); - if (ret != EOK) { -@@ -2794,7 +2810,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - } - break; - case BE_FILTER_UUID: -- search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name; -+ search_attr = state->user_map[SDAP_AT_USER_UUID].name; - - ret = sss_filter_sanitize(state, state->filter_value, &clean_name); - if (ret != EOK) { -@@ -2812,23 +2828,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - } - - ep_filter = get_enterprise_principal_string_filter(state, -- state->opts->user_map[SDAP_AT_USER_PRINC].name, -+ state->user_map[SDAP_AT_USER_PRINC].name, - clean_name, state->opts->basic); - state->user_base_filter = - talloc_asprintf(state, - "(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)", -- state->opts->user_map[SDAP_AT_USER_PRINC].name, -+ state->user_map[SDAP_AT_USER_PRINC].name, - clean_name, -- state->opts->user_map[SDAP_AT_USER_EMAIL].name, -+ state->user_map[SDAP_AT_USER_EMAIL].name, - clean_name, - ep_filter == NULL ? "" : ep_filter, -- state->opts->user_map[SDAP_OC_USER].name); -+ state->user_map[SDAP_OC_USER].name); - if (state->user_base_filter == NULL) { - talloc_zfree(req); - return NULL; - } - } else { -- search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name; -+ search_attr = state->user_map[SDAP_AT_USER_NAME].name; - - ret = sss_parse_internal_fqname(state, filter_value, - &state->shortname, NULL); -@@ -2860,7 +2876,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - state->user_base_filter = - talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)", - search_attr, clean_name, -- state->opts->user_map[SDAP_OC_USER].name); -+ state->user_map[SDAP_OC_USER].name); - if (!state->user_base_filter) { - talloc_zfree(req); - return NULL; -@@ -2877,14 +2893,14 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - */ - state->user_base_filter = talloc_asprintf_append(state->user_base_filter, - "(%s=*))", -- id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name); -+ state->user_map[SDAP_AT_USER_OBJECTSID].name); - } else { - /* When not ID-mapping or looking up app users, make sure there - * is a non-NULL UID */ - state->user_base_filter = talloc_asprintf_append(state->user_base_filter, - "(&(%s=*)(!(%s=0))))", -- id_ctx->opts->user_map[SDAP_AT_USER_UID].name, -- id_ctx->opts->user_map[SDAP_AT_USER_UID].name); -+ state->user_map[SDAP_AT_USER_UID].name, -+ state->user_map[SDAP_AT_USER_UID].name); - } - if (!state->user_base_filter) { - talloc_zfree(req); -@@ -2892,8 +2908,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - } - - ret = build_attrs_from_map(state, -- state->opts->user_map, -- state->opts->user_map_cnt, -+ state->user_map, -+ state->user_map_cnt, - NULL, &state->user_attrs, NULL); - if (ret) { - talloc_zfree(req); -@@ -2990,7 +3006,7 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req) - state->user_search_bases[state->user_base_iter]->basedn, - state->user_search_bases[state->user_base_iter]->scope, - state->filter, state->user_attrs, -- state->opts->user_map, state->opts->user_map_cnt, -+ state->user_map, state->user_map_cnt, - state->timeout, - false); - if (!subreq) { -@@ -3179,6 +3195,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) - - case SDAP_SCHEMA_IPA_V1: - subreq = sdap_initgr_nested_send(state, state->ev, state->opts, -+ state->user_map, state->user_map_cnt, - state->sysdb, state->dom, state->sh, - state->orig_user, state->grp_attrs); - if (!subreq) { -@@ -3377,7 +3394,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) - */ - ret = sdap_attrs_get_sid_str( - tmp_ctx, opts->idmap_ctx, state->orig_user, -- opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name, -+ state->user_map[SDAP_AT_USER_OBJECTSID].sys_name, - &sid_str); - if (ret != EOK) goto done; - -@@ -3392,7 +3409,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) - - ret = sysdb_attrs_get_uint32_t( - state->orig_user, -- opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name, -+ state->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name, - &primary_gid); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, --- -2.45.0 - diff --git a/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch b/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch deleted file mode 100644 index 6318be3..0000000 --- a/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 2c233636c093708d5cdd7ddb69af9b0ecde633bd Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 6 Sep 2024 14:37:05 +0200 -Subject: [PATCH 11/11] ad: use default user_map when looking of host groups - for GPO -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Use the default AD user attribute map to lookup the group membership of -the AD host object. This should help to avoid issues if user attributes -are overwritten in the user attribute map. - -Resolves: https://github.com/SSSD/sssd/issues/7590 - -Reviewed-by: Justin Stephenson -Reviewed-by: Tomáš Halman -(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7) ---- - src/providers/ad/ad_access.h | 1 + - src/providers/ad/ad_gpo.c | 15 ++++++++++++++- - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h -index 34d5597da..c54b53eed 100644 ---- a/src/providers/ad/ad_access.h -+++ b/src/providers/ad/ad_access.h -@@ -49,6 +49,7 @@ struct ad_access_ctx { - } gpo_map_type; - hash_table_t *gpo_map_options_table; - enum gpo_map_type gpo_default_right; -+ struct sdap_attr_map *host_attr_map; - }; - - struct tevent_req * -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index fa68d814f..6b154f71d 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -45,6 +45,7 @@ - #include "providers/ad/ad_common.h" - #include "providers/ad/ad_domain_info.h" - #include "providers/ad/ad_gpo.h" -+#include "providers/ad/ad_opts.h" - #include "providers/ldap/sdap_access.h" - #include "providers/ldap/sdap_async.h" - #include "providers/ldap/sdap.h" -@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq) - "trying with user search base."); - } - -+ if (state->access_ctx->host_attr_map == NULL) { -+ ret = sdap_copy_map(state->access_ctx, -+ ad_2008r2_user_map, SDAP_OPTS_USER, -+ &state->access_ctx->host_attr_map); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n"); -+ goto done; -+ } -+ } -+ - subreq = groups_by_user_send(state, state->ev, - state->access_ctx->ad_id_ctx->sdap_id_ctx, - sdom, state->conn, - search_bases, - state->host_fqdn, - BE_FILTER_NAME, -- NULL, NULL, 0, -+ NULL, -+ state->access_ctx->host_attr_map, -+ SDAP_OPTS_USER, - true, - true); - tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req); --- -2.45.0 - diff --git a/sources b/sources index 7c1bdc9..6bfa171 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.9.5.tar.gz) = d219f12ffc75af233f0e4ffc62c0442acc6da3cd94ed4eab7102a78821af5257c8e4ba0d06b2c99c08e06502f8d0d0bcc80540d63823dbe0f52eb0432ae7e14d +SHA512 (sssd-2.9.6.tar.gz) = d9a35fc12022f0a2aa73be373b396411fc69b2fe5489ab93d17813a4c75b3ec30e598d5748ab202f7588039b465e11d616ce546cd5fe5439fa8edd9ac8cda69a diff --git a/sssd.spec b/sssd.spec index 080d33c..036ff4f 100644 --- a/sssd.spec +++ b/sssd.spec @@ -26,25 +26,15 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.9.5 -Release: 5%{?dist} +Version: 2.9.6 +Release: 1%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-spec-change-passkey_child-owner.patch -Patch0002: 0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch -Patch0003: 0003-ad-use-right-memory-context-in-GPO-code.patch -Patch0004: 0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch -Patch0005: 0005-SYSDB-remove-index-on-dataExpireTimestamp.patch -Patch0006: 0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch -Patch0007: 0007-krb5_child-do-not-try-passwords-with-OTP.patch -Patch0008: 0008-pam_sss-add-missing-optional-2nd-factor-handling.patch -Patch0009: 0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch -Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch -Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch +# Patch0001: ### Dependencies ### @@ -1094,6 +1084,12 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Thu Dec 5 2024 Alexey Tikhonov - 2.9.6-1 +- Resolves: RHEL-70189 - Rebase SSSD for RHEL 9.6 +- Resolves: RHEL-67670 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-9] +- Resolves: RHEL-68369 - sssd backend process segfaults when krb5.conf is invalid +- Resolves: RHEL-66266 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-9] + * Mon Oct 21 2024 Alexey Tikhonov - 2.9.5-5 - Related: RHEL-59788 - Rebase Samba to the latest 4.21.x release