rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-70189 - Rebase SSSD for RHEL 9.6

Browse Source 
Resolves: RHEL-67670 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-9]
Resolves: RHEL-68369 - sssd backend process segfaults when krb5.conf is invalid
Resolves: RHEL-66266 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-9]
This commit is contained in:
Alexey Tikhonov 2024-12-05 19:41:16 +01:00
parent 9ec53af8f4
commit cdca4870e1
14 changed files with 11 additions and 1278 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -106,3 +106,4 @@ sssd-1.2.91.tar.gz
/sssd-2.9.3.tar.gz /sssd-2.9.3.tar.gz
/sssd-2.9.4.tar.gz /sssd-2.9.4.tar.gz
/sssd-2.9.5.tar.gz /sssd-2.9.5.tar.gz
/sssd-2.9.6.tar.gz

34
0001-spec-change-passkey_child-owner.patch
View File

@ -1,34 +0,0 @@
From ee8de7e404ba65062e0b373f2badc0475835bbde Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 11 Jun 2024 15:57:23 +0200
Subject: [PATCH] spec: change passkey_child owner
passkey_child owner was incorrectly set to $sssd_user:$sssd_user, when
it should be root:root. Correcting it.
Fixes: 30daa0ccdae5 ("spec: update to include passkey")
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit bb72b53d3a222f016d882853a619bd74c237edf9)
---
contrib/sssd.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 03171a872..3735d4f06 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -998,7 +998,7 @@ done
%if %{build_passkey}
%files passkey
-%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child
+%{_libexecdir}/%{servicename}/passkey_child
%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
--
2.44.0

58
0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
View File

@ -1,58 +0,0 @@
From d234cf5d6e793daf2c96856887acb641c4dff407 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 14 Jun 2024 16:10:34 +0200
Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SSSD does not handle the root user (UID==0) and treats all accounts with
UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
well and as a result for those accounts in MPG domains the check for a
collisions of the primary GID should be skipped. The current code might
e.g. cause issues during GPO evaluation when adding a host account into
the cache which does not have any UID or GID set in AD and SSSD is
configured to read UID and GID from AD.
Resolves: https://github.com/SSSD/sssd/issues/7451
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 986bb726202e69b05f861c14c3a220379baf9bd1)
---
src/db/sysdb_ops.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0f62e3b1a..76f4580aa 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
goto done;
}
- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
- if (ret != ENOENT) {
- if (ret == EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Group with GID [%"SPRIgid"] already exists in an "
- "MPG domain\n", gid);
- ret = EEXIST;
+ if (uid != 0) { /* uid == 0 means non-POSIX object */
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group with GID [%"SPRIgid"] already exists in an "
+ "MPG domain\n", uid);
+ ret = EEXIST;
+ }
+ goto done;
}
- goto done;
}
}
--
2.44.0

37
0003-ad-use-right-memory-context-in-GPO-code.patch
View File

@ -1,37 +0,0 @@
From 723a30b45ba4cbd9a4913fd37d68e392dcfc16ba Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Jun 2024 18:04:00 +0200
Subject: [PATCH] ad: use right memory context in GPO code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The original primary SID is allocated on a temporary context and must be
move to be longer living one to still be available when the SID is
evaluated later in the code.
Resolves: https://github.com/SSSD/sssd/issues/7411
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit b25e510ad60f6ce0b57063cce648c3aa48b21241)
---
src/providers/ad/ad_gpo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index b879b0a08..ed664ec83 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -711,7 +711,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
}
group_sids[i++] = talloc_strdup(group_sids, AD_AUTHENTICATED_USERS_SID);
if (orig_gid_sid != NULL) {
- group_sids[i++] = orig_gid_sid;
+ group_sids[i++] = talloc_steal(group_sids, orig_gid_sid);
}
group_sids[i] = NULL;
--
2.44.0

208
0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
View File

@ -1,208 +0,0 @@
From 09b23e78806d8930c3f1b9e411dc8cf464c18998 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 16 Jul 2024 13:08:02 +0200
Subject: [PATCH 4/5] TS_CACHE: never try to upgrade timestamps cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It's easier and more consistent to recreate it instead.
This is a natural extension of 3b67fc6488ac10ca13561d9032f59951f82203e6
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit fc2a26c306e51b66680aef85aa0d2c41d8049a7f)
---
src/db/sysdb_init.c | 103 +----------------------------------------
src/db/sysdb_upgrade.c | 45 ------------------
2 files changed, 1 insertion(+), 147 deletions(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index 38a9cd64a..a1d02d49c 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -376,57 +376,6 @@ static errno_t sysdb_cache_create_empty(struct ldb_context *ldb,
return EOK;
}
-static errno_t sysdb_ts_cache_upgrade(TALLOC_CTX *mem_ctx,
- struct sysdb_ctx *sysdb,
- struct ldb_context *ldb,
- struct sss_domain_info *domain,
- const char *cur_version,
- const char **_new_version)
-{
- errno_t ret;
- TALLOC_CTX *tmp_ctx;
- const char *version;
- struct ldb_context *save_ldb;
-
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- return ENOMEM;
- }
-
- /* The upgrade process depends on having ldb around, yet the upgrade
- * function shouldn't set the ldb pointer, only the connect function
- * should after it's successful. To avoid hard refactoring, save the
- * ldb pointer here and restore in the 'done' handler
- */
- save_ldb = sysdb->ldb;
- sysdb->ldb = ldb;
-
- version = talloc_strdup(tmp_ctx, cur_version);
- if (version == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_CONF_SETTINGS,
- "Upgrading timstamp cache of DB [%s] from version: %s\n",
- domain->name, version);
-
- if (strcmp(version, SYSDB_TS_VERSION_0_1) == 0) {
- ret = sysdb_ts_upgrade_01(sysdb, &version);
- if (ret != EOK) {
- goto done;
- }
- }
-
- ret = EOK;
-
-done:
- sysdb->ldb = save_ldb;
- *_new_version = version;
- talloc_free(tmp_ctx);
- return ret;
-}
-
static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sysdb_dom_upgrade_ctx *upgrade_ctx,
@@ -884,56 +833,6 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
}
ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
- switch (ret) {
- case ERR_SYSDB_VERSION_TOO_OLD:
- if (upgrade_ctx == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "DB version too old [%s], expected [%s] for domain %s!\n",
- version, SYSDB_VERSION, domain->name);
- break;
- }
-
- ret = sysdb_ts_cache_upgrade(tmp_ctx, sysdb, ldb, domain, version,
- &version);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not upgrade the timestamp ldb file (%d) (%s)\n",
- ret, sss_strerror(ret));
- break;
- }
-
- /* The version should now match SYSDB_VERSION.
- * If not, it means we didn't match any of the
- * known older versions. The DB might be
- * corrupt or generated by a newer version of
- * SSSD.
- */
- ret = sysdb_version_check(SYSDB_TS_VERSION, version);
- if (ret == EOK) {
- /* The cache has been upgraded.
- * We need to reopen the LDB to ensure that
- * any changes made above take effect.
- */
- ret = sysdb_ldb_reconnect(tmp_ctx,
- sysdb->ldb_ts_file,
- LDB_FLG_NOSYNC,
- &ldb);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not reopen the timestamp ldb file (%d) (%s)\n",
- ret, sss_strerror(ret));
- }
- }
- break;
- case ERR_SYSDB_VERSION_TOO_NEW:
- DEBUG(SSSDBG_MINOR_FAILURE,
- "DB version too new [%s], expected [%s] for domain %s!\n",
- version, SYSDB_TS_VERSION, domain->name);
- break;
- default:
- break;
- }
-
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
"The timestamps cache could not be opened. "
@@ -953,7 +852,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not delete the timestamp ldb file (%d) (%s)\n",
+ "sysdb_ts_cache_connect() failed after cache deletion [%d]: %s\n",
ret, sss_strerror(ret));
}
}
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
index 328bd2962..37c0007cb 100644
--- a/src/db/sysdb_upgrade.c
+++ b/src/db/sysdb_upgrade.c
@@ -2774,51 +2774,6 @@ done:
return ret;
}
-int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
-{
- struct upgrade_ctx *ctx;
- errno_t ret;
- struct ldb_message *msg = NULL;
-
- ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_TS_VERSION_0_2, &ctx);
- if (ret) {
- return ret;
- }
-
- /* Remove @IDXONE from index */
- talloc_free(msg);
- msg = ldb_msg_new(ctx);
- if (msg == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST");
- if (msg->dn == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = ldb_msg_add_empty(msg, "@IDXONE", LDB_FLAG_MOD_DELETE, NULL);
- if (ret != LDB_SUCCESS) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = ldb_modify(sysdb->ldb, msg);
- if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
- goto done;
- }
-
- /* conversion done, update version number */
- ret = update_version(ctx);
-
-done:
- ret = finish_upgrade(ret, &ctx, ver);
- return ret;
-}
-
/*
* Example template for future upgrades.
* Copy and change version numbers as appropriate.
--
2.45.2

147
0005-SYSDB-remove-index-on-dataExpireTimestamp.patch
View File

@ -1,147 +0,0 @@
From 13e3d0390b9aaf72a855b857857c3cdd6eb6252a Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 21 Jun 2024 19:09:29 +0200
Subject: [PATCH 5/5] SYSDB: remove index on `dataExpireTimestamp`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This index was only used in cleanup tasks that don't run often.
On the other hand, this index is huge and degrades performance of libldb
in general.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit f0d45464cee1d2a6a2719dbffe5bbf6189d0554a)
---
src/db/sysdb_init.c | 8 ++++++++
src/db/sysdb_private.h | 9 +++++----
src/db/sysdb_upgrade.c | 27 +++++++++++++++++++++++++++
3 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index a1d02d49c..68b9744dd 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -559,6 +559,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
}
}
+ if (strcmp(version, SYSDB_VERSION_0_24) == 0) {
+ ret = sysdb_upgrade_24(sysdb, &version);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
ret = EOK;
done:
sysdb->ldb = save_ldb;
@@ -765,6 +772,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
ret = sysdb_domain_cache_upgrade(tmp_ctx, sysdb, upgrade_ctx,
ldb, domain, version, &version);
if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_domain_cache_upgrade() failed\n");
goto done;
}
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
index 63f7b5601..b814f97a5 100644
--- a/src/db/sysdb_private.h
+++ b/src/db/sysdb_private.h
@@ -23,6 +23,7 @@
#ifndef __INT_SYS_DB_H__
#define __INT_SYS_DB_H__
+#define SYSDB_VERSION_0_25 "0.25"
#define SYSDB_VERSION_0_24 "0.24"
#define SYSDB_VERSION_0_23 "0.23"
#define SYSDB_VERSION_0_22 "0.22"
@@ -48,7 +49,7 @@
#define SYSDB_VERSION_0_2 "0.2"
#define SYSDB_VERSION_0_1 "0.1"
-#define SYSDB_VERSION SYSDB_VERSION_0_24
+#define SYSDB_VERSION SYSDB_VERSION_0_25
#define SYSDB_BASE_LDIF \
"dn: @ATTRIBUTES\n" \
@@ -72,7 +73,6 @@
"@IDXATTR: uidNumber\n" \
"@IDXATTR: gidNumber\n" \
"@IDXATTR: lastUpdate\n" \
- "@IDXATTR: dataExpireTimestamp\n" \
"@IDXATTR: originalDN\n" \
"@IDXATTR: nameAlias\n" \
"@IDXATTR: servicePort\n" \
@@ -104,10 +104,11 @@
"\n"
/* The timestamp cache has its own versioning */
+#define SYSDB_TS_VERSION_0_3 "0.3"
#define SYSDB_TS_VERSION_0_2 "0.2"
#define SYSDB_TS_VERSION_0_1 "0.1"
-#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_2
+#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_3
#define SYSDB_TS_BASE_LDIF \
"dn: @ATTRIBUTES\n" \
@@ -115,7 +116,6 @@
"\n" \
"dn: @INDEXLIST\n" \
"@IDXATTR: lastUpdate\n" \
- "@IDXATTR: dataExpireTimestamp\n" \
"\n" \
"dn: cn=sysdb\n" \
"cn: sysdb\n" \
@@ -194,6 +194,7 @@ int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
index 37c0007cb..b010488ca 100644
--- a/src/db/sysdb_upgrade.c
+++ b/src/db/sysdb_upgrade.c
@@ -2774,6 +2774,33 @@ done:
return ret;
}
+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver)
+{
+ struct upgrade_ctx *ctx;
+ errno_t ret;
+
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_25, &ctx);
+ if (ret) {
+ return ret;
+ }
+
+ ret = sysdb_ldb_mod_index(sysdb, SYSDB_IDX_DELETE, sysdb->ldb, "dataExpireTimestamp");
+ if (ret == ENOENT) { /*nothing to delete */
+ ret = EOK;
+ }
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_ldb_mod_index() failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = update_version(ctx);
+
+done:
+ ret = finish_upgrade(ret, &ctx, ver);
+ return ret;
+}
+
/*
* Example template for future upgrades.
* Copy and change version numbers as appropriate.
--
2.45.2

115
0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
View File

@ -1,115 +0,0 @@
From 39cbb8df402f59b4df2442eb291600773e7062cc Mon Sep 17 00:00:00 2001
From: Petr Mikhalicin <pmikhalicin@rutoken.ru>
Date: Fri, 10 Nov 2023 15:24:48 +0600
Subject: [PATCH 6/8] pam_sss: fix passthrow of old authtok from another pam
modules at PAM_PRELIM_CHECK
pam_sss ignored old authtoks passed from another pam modules
Resolves: https://github.com/SSSD/sssd/issues/7007
Resolves: https://github.com/SSSD/sssd/issues/5418
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ae6b9163be0a5a8846e8dbf2e0da2c29221781b9)
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/sss_client/pam_sss.c | 75 ++++++++++++++++++++++++----------------
1 file changed, 45 insertions(+), 30 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 41a528dda..5171e58ec 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2728,42 +2728,57 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
exp_data = NULL;
}
- /* we query for the old password during PAM_PRELIM_CHECK to make
- * pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
- if (flags & PAM_CLI_FLAGS_USE_2FA
- || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
- && pi->otp_challenge != NULL)) {
- if (pi->password_prompting) {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
- _("Second Factor (optional): "));
- } else {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
- _("Second Factor: "));
- }
+ if (getuid() == 0 && !exp_data )
+ return PAM_SUCCESS;
+
+ if (flags & PAM_CLI_FLAGS_USE_2FA
+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+ && pi->otp_challenge != NULL)) {
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ _("Second Factor (optional): "));
} else {
- ret = prompt_password(pamh, pi, _("Current Password: "));
+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ _("Second Factor: "));
}
- if (ret != PAM_SUCCESS) {
- D(("failed to get credentials from user"));
- return ret;
+ } else if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
+ && check_authtok_data(pamh, pi) != 0) {
+ if (pi->pamstack_oldauthtok == NULL) {
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi->pam_authtok = NULL;
+ pi->pam_authtok_size = 0;
+ } else {
+ pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
+ if (pi->pam_authtok == NULL) {
+ D(("strdup failed"));
+ return PAM_BUF_ERR;
+ }
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok_size = strlen(pi->pam_authtok);
}
+ ret = PAM_SUCCESS;
+ } else {
+ ret = prompt_password(pamh, pi, _("Current Password: "));
+ }
+ if (ret != PAM_SUCCESS) {
+ D(("failed to get credentials from user"));
+ return ret;
+ }
- ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok);
- if (ret != PAM_SUCCESS) {
- D(("Failed to set PAM_OLDAUTHTOK [%s], "
- "oldauthtok may not be available",
- pam_strerror(pamh,ret)));
- return ret;
- }
+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to set PAM_OLDAUTHTOK [%s], "
+ "oldauthtok may not be available",
+ pam_strerror(pamh,ret)));
+ return ret;
+ }
- if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) {
- ret = keep_authtok_data(pamh, pi);
- if (ret != 0) {
- D(("Failed to store authtok data to pam handle. Password "
- "change might fail."));
- }
+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) {
+ ret = keep_authtok_data(pamh, pi);
+ if (ret != 0) {
+ D(("Failed to store authtok data to pam handle. Password "
+ "change might fail."));
}
}
--
2.45.2

178
0007-krb5_child-do-not-try-passwords-with-OTP.patch
View File

@ -1,178 +0,0 @@
From ef375cdd67b51d8fb63cae4d3cd40f3a5c2bc173 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 1 Jul 2024 20:40:30 +0200
Subject: [PATCH 7/8] krb5_child: do not try passwords with OTP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During two-factor authentication (OTP) krb5_child should use use the
dedicated OTP auth types SSS_AUTHTOK_TYPE_2FA and
SSS_AUTHTOK_TYPE_2FA_SINGLE exclusively and should not try password or
other types.
The special handling needed of ssh under certain conditions are
documented in the code and the man page.
Resolves: https://github.com/SSSD/sssd/issues/7456
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit af799964e5fa1264467b49988021c054586eff27)
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/man/sssd.conf.5.xml | 11 +++++++++
src/providers/krb5/krb5_child.c | 11 +--------
src/sss_client/pam_sss.c | 44 ++++++++++++++++++++++++---------
3 files changed, 44 insertions(+), 22 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index fb86a4e41..8ac1a4418 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -4559,6 +4559,17 @@ ldap_user_extra_attrs = phone:telephoneNumber
to log in either only with the password or with both factors
two-step prompting has to be used.
</para>
+ <para>
+ Some clients, such as SSH with
+ 'PasswordAuthentication yes', generate their own prompts
+ and do not use prompts provided by SSSD or other PAM
+ modules. Additionally, for SSH with
+ PasswordAuthentication, if two-factor authentication is
+ available, SSSD expects that the
+ credentials entered by the user at the SSH password prompt
+ will always be the two factors in a single string, even if
+ two-factor authentication is optional.
+ </para>
</listitem>
</varlistentry>
</variablelist>
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 494711de9..cb9a9ce73 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -536,15 +536,6 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
size_t fa2_len;
switch (sss_authtok_get_type(auth_tok)) {
- case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_get_password(auth_tok, &pwd, &len);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n");
- return ret;
- }
-
- return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin);
- break;
case SSS_AUTHTOK_TYPE_2FA_SINGLE:
ret = sss_authtok_get_2fa_single(auth_tok, &pwd, &len);
if (ret != EOK) {
@@ -569,7 +560,7 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
"Unsupported authtok type %d\n", sss_authtok_get_type(auth_tok));
}
- return EINVAL;
+ return EAGAIN;
}
static krb5_error_code answer_otp(krb5_context ctx,
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 5171e58ec..d43bd0f55 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1656,6 +1656,7 @@ static int prompt_password(pam_handle_t *pamh, struct pam_items *pi,
}
static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
+ bool second_factor_optional,
const char *prompt_fa1, const char *prompt_fa2)
{
int ret;
@@ -1706,13 +1707,30 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
goto done;
}
- if (resp[1].resp == NULL || *(resp[1].resp) == '\0'
- || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0
- && strcmp(resp[0].resp, resp[1].resp) == 0)) {
+ if (resp[1].resp == NULL || *(resp[1].resp) == '\0') {
/* Missing second factor, assume first factor contains combined 2FA
- * credentials.
- * Special handling for SSH with password authentication. Combined
- * 2FA credentials are used but SSH puts them in both responses. */
+ * credentials if the second factor is not optional. If it is optional
+ * then it is assumed that the first factor contain the password. */
+ pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
+ if (pi->pam_authtok == NULL) {
+ D(("strndup failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+ pi->pam_authtok_size = strlen(pi->pam_authtok) + 1;
+ pi->pam_authtok_type = second_factor_optional
+ ? SSS_AUTHTOK_TYPE_PASSWORD
+ : SSS_AUTHTOK_TYPE_2FA_SINGLE;
+ } else if (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0
+ && strcmp(resp[0].resp, resp[1].resp) == 0) {
+ /* Special handling for SSH with password authentication (ssh's
+ * 'PasswordAuthentication' option. In this mode the ssh client
+ * directly prompts the user for a password and the prompts we are
+ * sending are ignored. Since we send two prompts ssh * will create two
+ * response as well with the same content. We assume that the combined
+ * 2FA credentials are used even if the second factor is optional
+ * because there is no indication about the intention of the user. As a
+ * result we prefer the more secure variant. */
pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
if (pi->pam_authtok == NULL) {
@@ -1721,7 +1739,7 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
goto done;
}
pi->pam_authtok_size = strlen(pi->pam_authtok) + 1;
- pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA_SINGLE;
} else {
ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0,
@@ -2487,7 +2505,7 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi)
ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c]));
break;
case PC_TYPE_2FA:
- ret = prompt_2fa(pamh, pi, pc_get_2fa_1st_prompt(pi->pc[c]),
+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
pc_get_2fa_2nd_prompt(pi->pc[c]));
break;
case PC_TYPE_2FA_SINGLE:
@@ -2564,10 +2582,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
- ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ ret = prompt_2fa(pamh, pi, true, _("First Factor: "),
_("Second Factor (optional): "));
} else {
- ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ ret = prompt_2fa(pamh, pi, false, _("First Factor: "),
_("Second Factor: "));
}
} else if (pi->passkey_prompt_pin) {
@@ -2736,10 +2754,12 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ ret = prompt_2fa(pamh, pi, true,
+ _("First Factor (Current Password): "),
_("Second Factor (optional): "));
} else {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ ret = prompt_2fa(pamh, pi, false,
+ _("First Factor (Current Password): "),
_("Second Factor: "));
}
} else if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
--
2.45.2

45
0008-pam_sss-add-missing-optional-2nd-factor-handling.patch
View File

@ -1,45 +0,0 @@
From 7e76396a891b4c704f1db8c71a217f869bef0ec3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 12 Jul 2024 13:46:00 +0200
Subject: [PATCH 8/8] pam_sss: add missing optional 2nd factor handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a follow up to pull-request #7462 and adds the proper handling of
an optional second factor in case the prompting is configured.
Resolves: https://github.com/SSSD/sssd/issues/7456
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 077d2993a1b306e7cfe61618cbd5d03c602572f8)
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/sss_client/pam_sss.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d43bd0f55..d1101e16c 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2505,8 +2505,13 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi)
ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c]));
break;
case PC_TYPE_2FA:
- ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
- pc_get_2fa_2nd_prompt(pi->pc[c]));
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, true, pc_get_2fa_1st_prompt(pi->pc[c]),
+ pc_get_2fa_2nd_prompt(pi->pc[c]));
+ } else {
+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
+ pc_get_2fa_2nd_prompt(pi->pc[c]));
+ }
break;
case PC_TYPE_2FA_SINGLE:
ret = prompt_2fa_single(pamh, pi,
--
2.45.2

58
0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch
View File

@ -1,58 +0,0 @@
From b4c496856d466ff00d06cd5177cb216110f5e3b3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Sep 2024 15:18:14 +0200
Subject: [PATCH] pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never
to 'false'.
The krb5 backend will only returns that Smartcard authentication is
available if a Smartcard is present. That means if the user
authenticates with a different method and a Smartcard is not present at
this time 'sc_allow' will be 'false' and might overwrite a 'true' value
written during a previous authentication attempt where a Smartcard was
present. To avoid this we only write 'true' values. Since the default if
SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false' local Smartcard
authentication (offline) will still only be enabled if online Smartcard
authentication was detected.
Resolves: https://github.com/SSSD/sssd/issues/7532
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 67ba42c48abb9270982836310488e35d9fc1d451)
---
src/responder/pam/pamsrv_cmd.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1394147a0..941446d94 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -554,9 +554,22 @@ static errno_t set_local_auth_type(struct pam_auth_req *preq,
goto fail;
}
- ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow);
- if (ret != EOK) {
- goto fail;
+ if (sc_allow) {
+ /* Only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to
+ * 'false'. The krb5 backend will only returns that Smartcard
+ * authentication is available if a Smartcard is present. That means
+ * if the user authenticates with a different method and a Smartcard
+ * is not present at this time 'sc_allow' will be 'false' and might
+ * overwrite a 'true' value written during a previous authentication
+ * attempt where a Smartcard was present. To avoid this we only write
+ * 'true' values. Since the default if SYSDB_LOCAL_SMARTCARD_AUTH is
+ * missing is 'false' local Smartcard authentication (offline) will
+ * still only be enabled if online Smartcard authentication was
+ * detected. */
+ ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow);
+ if (ret != EOK) {
+ goto fail;
+ }
}
ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_PASSKEY_AUTH, passkey_allow);
--
2.45.0

307
0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
View File

@ -1,307 +0,0 @@
From 321ca19ae09609ac4195f323b696bdcd7ee573e4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Sep 2024 14:27:19 +0200
Subject: [PATCH 10/11] sdap: allow to provide user_map when looking up group
memberships
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To allow to lookup group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 69f63f1fa64bd9cc7c2ee1f8e8d736727b13b3be)
---
src/providers/ad/ad_gpo.c | 2 +-
src/providers/ldap/ldap_common.h | 2 +
src/providers/ldap/ldap_id.c | 9 ++++
src/providers/ldap/sdap_async.h | 2 +
src/providers/ldap/sdap_async_initgroups.c | 51 ++++++++++++++--------
5 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index ed664ec83..fa68d814f 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2244,7 +2244,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
search_bases,
state->host_fqdn,
BE_FILTER_NAME,
- NULL,
+ NULL, NULL, 0,
true,
true);
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 2c984ef50..61a35553b 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
const char *filter_value,
int filter_type,
const char *extra_value,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
bool noexist_delete,
bool set_non_posix);
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index b3ea2333f..0596ad4cf 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1144,6 +1144,8 @@ struct groups_by_user_state {
const char *filter_value;
int filter_type;
const char *extra_value;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
const char **attrs;
bool non_posix;
@@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
const char *filter_value,
int filter_type,
const char *extra_value,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
bool noexist_delete,
bool set_non_posix)
{
@@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
state->filter_value = filter_value;
state->filter_type = filter_type;
state->extra_value = extra_value;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
state->domain = sdom->dom;
state->sysdb = sdom->dom->sysdb;
state->search_bases = search_bases;
@@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
state->sdom,
sdap_id_op_handle(state->op),
state->ctx,
+ state->user_map,
+ state->user_map_cnt,
state->conn,
state->search_bases,
state->filter_value,
@@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
ar->filter_value,
ar->filter_type,
ar->extra_value,
+ NULL, 0,
noexist_delete, false);
break;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 89245f41f..a45e057d0 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -157,6 +157,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_domain *sdom,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sdap_id_conn_ctx *conn,
struct sdap_search_base **search_bases,
const char *name,
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index fb3d8fe24..8ce1f6cd4 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -785,6 +785,8 @@ struct sdap_initgr_nested_state {
struct tevent_context *ev;
struct sysdb_ctx *sysdb;
struct sdap_options *opts;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
struct sss_domain_info *dom;
struct sdap_handle *sh;
@@ -812,6 +814,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req);
static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_options *opts,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sysdb_ctx *sysdb,
struct sss_domain_info *dom,
struct sdap_handle *sh,
@@ -828,6 +832,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
state->ev = ev;
state->opts = opts;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
state->sysdb = sysdb;
state->dom = dom;
state->sh = sh;
@@ -968,7 +974,7 @@ static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req)
subreq = sdap_deref_search_send(state, state->ev, state->opts,
state->sh, state->orig_dn,
- state->opts->user_map[SDAP_AT_USER_MEMBEROF].name,
+ state->user_map[SDAP_AT_USER_MEMBEROF].name,
sdap_attrs, num_maps, maps, timeout);
if (!subreq) {
ret = EIO;
@@ -2697,6 +2703,8 @@ struct sdap_get_initgr_state {
struct tevent_context *ev;
struct sysdb_ctx *sysdb;
struct sdap_options *opts;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
struct sss_domain_info *dom;
struct sdap_domain *sdom;
struct sdap_handle *sh;
@@ -2731,6 +2739,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_domain *sdom,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sdap_id_conn_ctx *conn,
struct sdap_search_base **search_bases,
const char *filter_value,
@@ -2754,6 +2764,12 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->ev = ev;
state->opts = id_ctx->opts;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
+ if (state->user_map == NULL) {
+ state->user_map = id_ctx->opts->user_map;
+ state->user_map_cnt = id_ctx->opts->user_map_cnt;
+ }
state->dom = sdom->dom;
state->sysdb = sdom->dom->sysdb;
state->sdom = sdom;
@@ -2785,7 +2801,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
switch (filter_type) {
case BE_FILTER_SECID:
- search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+ search_attr = state->user_map[SDAP_AT_USER_OBJECTSID].name;
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
if (ret != EOK) {
@@ -2794,7 +2810,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
break;
case BE_FILTER_UUID:
- search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name;
+ search_attr = state->user_map[SDAP_AT_USER_UUID].name;
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
if (ret != EOK) {
@@ -2812,23 +2828,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ep_filter = get_enterprise_principal_string_filter(state,
- state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ state->user_map[SDAP_AT_USER_PRINC].name,
clean_name, state->opts->basic);
state->user_base_filter =
talloc_asprintf(state,
"(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
- state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ state->user_map[SDAP_AT_USER_PRINC].name,
clean_name,
- state->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ state->user_map[SDAP_AT_USER_EMAIL].name,
clean_name,
ep_filter == NULL ? "" : ep_filter,
- state->opts->user_map[SDAP_OC_USER].name);
+ state->user_map[SDAP_OC_USER].name);
if (state->user_base_filter == NULL) {
talloc_zfree(req);
return NULL;
}
} else {
- search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
+ search_attr = state->user_map[SDAP_AT_USER_NAME].name;
ret = sss_parse_internal_fqname(state, filter_value,
&state->shortname, NULL);
@@ -2860,7 +2876,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->user_base_filter =
talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
search_attr, clean_name,
- state->opts->user_map[SDAP_OC_USER].name);
+ state->user_map[SDAP_OC_USER].name);
if (!state->user_base_filter) {
talloc_zfree(req);
return NULL;
@@ -2877,14 +2893,14 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
*/
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
"(%s=*))",
- id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ state->user_map[SDAP_AT_USER_OBJECTSID].name);
} else {
/* When not ID-mapping or looking up app users, make sure there
* is a non-NULL UID */
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
"(&(%s=*)(!(%s=0))))",
- id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
- id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ state->user_map[SDAP_AT_USER_UID].name,
+ state->user_map[SDAP_AT_USER_UID].name);
}
if (!state->user_base_filter) {
talloc_zfree(req);
@@ -2892,8 +2908,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ret = build_attrs_from_map(state,
- state->opts->user_map,
- state->opts->user_map_cnt,
+ state->user_map,
+ state->user_map_cnt,
NULL, &state->user_attrs, NULL);
if (ret) {
talloc_zfree(req);
@@ -2990,7 +3006,7 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
state->user_search_bases[state->user_base_iter]->basedn,
state->user_search_bases[state->user_base_iter]->scope,
state->filter, state->user_attrs,
- state->opts->user_map, state->opts->user_map_cnt,
+ state->user_map, state->user_map_cnt,
state->timeout,
false);
if (!subreq) {
@@ -3179,6 +3195,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
case SDAP_SCHEMA_IPA_V1:
subreq = sdap_initgr_nested_send(state, state->ev, state->opts,
+ state->user_map, state->user_map_cnt,
state->sysdb, state->dom, state->sh,
state->orig_user, state->grp_attrs);
if (!subreq) {
@@ -3377,7 +3394,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
*/
ret = sdap_attrs_get_sid_str(
tmp_ctx, opts->idmap_ctx, state->orig_user,
- opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
+ state->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
&sid_str);
if (ret != EOK) goto done;
@@ -3392,7 +3409,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
ret = sysdb_attrs_get_uint32_t(
state->orig_user,
- opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
+ state->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
&primary_gid);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
--
2.45.0

77
0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
View File

@ -1,77 +0,0 @@
From 2c233636c093708d5cdd7ddb69af9b0ecde633bd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Sep 2024 14:37:05 +0200
Subject: [PATCH 11/11] ad: use default user_map when looking of host groups
for GPO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the default AD user attribute map to lookup the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
---
src/providers/ad/ad_access.h | 1 +
src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
index 34d5597da..c54b53eed 100644
--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -49,6 +49,7 @@ struct ad_access_ctx {
} gpo_map_type;
hash_table_t *gpo_map_options_table;
enum gpo_map_type gpo_default_right;
+ struct sdap_attr_map *host_attr_map;
};
struct tevent_req *
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index fa68d814f..6b154f71d 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -45,6 +45,7 @@
#include "providers/ad/ad_common.h"
#include "providers/ad/ad_domain_info.h"
#include "providers/ad/ad_gpo.h"
+#include "providers/ad/ad_opts.h"
#include "providers/ldap/sdap_access.h"
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap.h"
@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
"trying with user search base.");
}
+ if (state->access_ctx->host_attr_map == NULL) {
+ ret = sdap_copy_map(state->access_ctx,
+ ad_2008r2_user_map, SDAP_OPTS_USER,
+ &state->access_ctx->host_attr_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
+ goto done;
+ }
+ }
+
subreq = groups_by_user_send(state, state->ev,
state->access_ctx->ad_id_ctx->sdap_id_ctx,
sdom, state->conn,
search_bases,
state->host_fqdn,
BE_FILTER_NAME,
- NULL, NULL, 0,
+ NULL,
+ state->access_ctx->host_attr_map,
+ SDAP_OPTS_USER,
true,
true);
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
--
2.45.0

2
sources
View File

@ -1 +1 @@
SHA512 (sssd-2.9.5.tar.gz) = d219f12ffc75af233f0e4ffc62c0442acc6da3cd94ed4eab7102a78821af5257c8e4ba0d06b2c99c08e06502f8d0d0bcc80540d63823dbe0f52eb0432ae7e14d SHA512 (sssd-2.9.6.tar.gz) = d9a35fc12022f0a2aa73be373b396411fc69b2fe5489ab93d17813a4c75b3ec30e598d5748ab202f7588039b465e11d616ce546cd5fe5439fa8edd9ac8cda69a

22
sssd.spec
View File

@ -26,25 +26,15 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
Name: sssd Name: sssd
Version: 2.9.5 Version: 2.9.6
Release: 5%{?dist} Release: 1%{?dist}
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
URL: https://github.com/SSSD/sssd/ URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ### ### Patches ###
Patch0001: 0001-spec-change-passkey_child-owner.patch # Patch0001:
Patch0002: 0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
Patch0003: 0003-ad-use-right-memory-context-in-GPO-code.patch
Patch0004: 0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
Patch0005: 0005-SYSDB-remove-index-on-dataExpireTimestamp.patch
Patch0006: 0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
Patch0007: 0007-krb5_child-do-not-try-passwords-with-OTP.patch
Patch0008: 0008-pam_sss-add-missing-optional-2nd-factor-handling.patch
Patch0009: 0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch
Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
### Dependencies ### ### Dependencies ###
@ -1094,6 +1084,12 @@ fi
%systemd_postun_with_restart sssd.service %systemd_postun_with_restart sssd.service
%changelog %changelog
* Thu Dec 5 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-1
- Resolves: RHEL-70189 - Rebase SSSD for RHEL 9.6
- Resolves: RHEL-67670 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-9]
- Resolves: RHEL-68369 - sssd backend process segfaults when krb5.conf is invalid
- Resolves: RHEL-66266 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-9]
* Mon Oct 21 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-5 * Mon Oct 21 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-5
- Related: RHEL-59788 - Rebase Samba to the latest 4.21.x release - Related: RHEL-59788 - Rebase Samba to the latest 4.21.x release