Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z]

Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z]
Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z]
Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z]
Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z]
Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z]
This commit is contained in:
Alexey Tikhonov 2024-11-22 15:13:17 +01:00
parent 20b14c938d
commit e0d298f0ae
9 changed files with 911 additions and 1 deletions

View File

@ -0,0 +1,35 @@
From 5fc4540e97625a23f2573b0804a1509cf46931c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Thu, 14 Nov 2024 17:27:49 +0100
Subject: [PATCH 08/15] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
but the corresponding option is missing in
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200
This error was introduced by
https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 9ee10f98e0070774e0e7f0794bc296ef06a671e4)
---
src/providers/be_dyndns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
index 2c655ef1e..5d0f51119 100644
--- a/src/providers/be_dyndns.c
+++ b/src/providers/be_dyndns.c
@@ -1201,6 +1201,7 @@ static struct dp_option default_dyndns_opts[] = {
{ "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
+ { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
{ "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER },
{ "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
--
2.46.1

View File

@ -0,0 +1,69 @@
From b34aa979919ec6f3d73e3229c5ad3ab88bc5028a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Thu, 14 Nov 2024 18:46:44 +0100
Subject: [PATCH 09/15] TESTS: Also test default_dyndns_opts
Compare this structure to ipa_dyndns_opts, which is already compared
to ad_dyndns_opts.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 2c72834e657197012b3a32207ffe307e8ba5f9e2)
---
src/providers/be_dyndns.c | 2 +-
src/providers/be_dyndns.h | 1 +
src/tests/ipa_ldap_opt-tests.c | 6 ++++++
3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
index 5d0f51119..e6fa7dfd6 100644
--- a/src/providers/be_dyndns.c
+++ b/src/providers/be_dyndns.c
@@ -1197,7 +1197,7 @@ be_nsupdate_check(void)
return ret;
}
-static struct dp_option default_dyndns_opts[] = {
+struct dp_option default_dyndns_opts[] = {
{ "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
diff --git a/src/providers/be_dyndns.h b/src/providers/be_dyndns.h
index 2185fee95..719c13942 100644
--- a/src/providers/be_dyndns.h
+++ b/src/providers/be_dyndns.h
@@ -63,6 +63,7 @@ enum dp_dyndns_opts {
DP_OPT_DYNDNS /* attrs counter */
};
+extern struct dp_option default_dyndns_opts[DP_OPT_DYNDNS + 1];
#define DYNDNS_REMOVE_A 0x1
#define DYNDNS_REMOVE_AAAA 0x2
diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
index a1a0e9cc6..da990acaf 100644
--- a/src/tests/ipa_ldap_opt-tests.c
+++ b/src/tests/ipa_ldap_opt-tests.c
@@ -103,6 +103,10 @@ START_TEST(test_compare_opts)
ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
ad_dyndns_opts);
ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
+
+ ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
+ default_dyndns_opts);
+ ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
}
END_TEST
@@ -200,6 +204,8 @@ START_TEST(test_dp_opt_sentinel)
fail_unless_dp_opt_is_terminator(&default_krb5_opts[KRB5_OPTS]);
+ fail_unless_dp_opt_is_terminator(&default_dyndns_opts[DP_OPT_DYNDNS]);
+
fail_unless_dp_opt_is_terminator(&ad_basic_opts[AD_OPTS_BASIC]);
fail_unless_dp_opt_is_terminator(&ad_def_ldap_opts[SDAP_OPTS_BASIC]);
fail_unless_dp_opt_is_terminator(&ad_def_krb5_opts[KRB5_OPTS]);
--
2.46.1

View File

@ -0,0 +1,310 @@
From ebbde00722489c51cfcc70aa6550ed6ea4b97ff8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Sep 2024 14:27:19 +0200
Subject: [PATCH 10/15] sdap: allow to provide user_map when looking up group
memberships
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To allow to lookup group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 69f63f1fa64bd9cc7c2ee1f8e8d736727b13b3be)
(cherry picked from commit 321ca19ae09609ac4195f323b696bdcd7ee573e4)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/providers/ad/ad_gpo.c | 2 +-
src/providers/ldap/ldap_common.h | 2 +
src/providers/ldap/ldap_id.c | 9 ++++
src/providers/ldap/sdap_async.h | 2 +
src/providers/ldap/sdap_async_initgroups.c | 51 ++++++++++++++--------
5 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index b879b0a08..69dd54f5b 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2244,7 +2244,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
search_bases,
state->host_fqdn,
BE_FILTER_NAME,
- NULL,
+ NULL, NULL, 0,
true,
true);
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 2c984ef50..61a35553b 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
const char *filter_value,
int filter_type,
const char *extra_value,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
bool noexist_delete,
bool set_non_posix);
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index b3ea2333f..0596ad4cf 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1144,6 +1144,8 @@ struct groups_by_user_state {
const char *filter_value;
int filter_type;
const char *extra_value;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
const char **attrs;
bool non_posix;
@@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
const char *filter_value,
int filter_type,
const char *extra_value,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
bool noexist_delete,
bool set_non_posix)
{
@@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
state->filter_value = filter_value;
state->filter_type = filter_type;
state->extra_value = extra_value;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
state->domain = sdom->dom;
state->sysdb = sdom->dom->sysdb;
state->search_bases = search_bases;
@@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
state->sdom,
sdap_id_op_handle(state->op),
state->ctx,
+ state->user_map,
+ state->user_map_cnt,
state->conn,
state->search_bases,
state->filter_value,
@@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
ar->filter_value,
ar->filter_type,
ar->extra_value,
+ NULL, 0,
noexist_delete, false);
break;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 89245f41f..a45e057d0 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -157,6 +157,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_domain *sdom,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sdap_id_conn_ctx *conn,
struct sdap_search_base **search_bases,
const char *name,
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index fb3d8fe24..8ce1f6cd4 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -785,6 +785,8 @@ struct sdap_initgr_nested_state {
struct tevent_context *ev;
struct sysdb_ctx *sysdb;
struct sdap_options *opts;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
struct sss_domain_info *dom;
struct sdap_handle *sh;
@@ -812,6 +814,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req);
static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_options *opts,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sysdb_ctx *sysdb,
struct sss_domain_info *dom,
struct sdap_handle *sh,
@@ -828,6 +832,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
state->ev = ev;
state->opts = opts;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
state->sysdb = sysdb;
state->dom = dom;
state->sh = sh;
@@ -968,7 +974,7 @@ static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req)
subreq = sdap_deref_search_send(state, state->ev, state->opts,
state->sh, state->orig_dn,
- state->opts->user_map[SDAP_AT_USER_MEMBEROF].name,
+ state->user_map[SDAP_AT_USER_MEMBEROF].name,
sdap_attrs, num_maps, maps, timeout);
if (!subreq) {
ret = EIO;
@@ -2697,6 +2703,8 @@ struct sdap_get_initgr_state {
struct tevent_context *ev;
struct sysdb_ctx *sysdb;
struct sdap_options *opts;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
struct sss_domain_info *dom;
struct sdap_domain *sdom;
struct sdap_handle *sh;
@@ -2731,6 +2739,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_domain *sdom,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sdap_id_conn_ctx *conn,
struct sdap_search_base **search_bases,
const char *filter_value,
@@ -2754,6 +2764,12 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->ev = ev;
state->opts = id_ctx->opts;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
+ if (state->user_map == NULL) {
+ state->user_map = id_ctx->opts->user_map;
+ state->user_map_cnt = id_ctx->opts->user_map_cnt;
+ }
state->dom = sdom->dom;
state->sysdb = sdom->dom->sysdb;
state->sdom = sdom;
@@ -2785,7 +2801,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
switch (filter_type) {
case BE_FILTER_SECID:
- search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+ search_attr = state->user_map[SDAP_AT_USER_OBJECTSID].name;
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
if (ret != EOK) {
@@ -2794,7 +2810,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
break;
case BE_FILTER_UUID:
- search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name;
+ search_attr = state->user_map[SDAP_AT_USER_UUID].name;
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
if (ret != EOK) {
@@ -2812,23 +2828,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ep_filter = get_enterprise_principal_string_filter(state,
- state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ state->user_map[SDAP_AT_USER_PRINC].name,
clean_name, state->opts->basic);
state->user_base_filter =
talloc_asprintf(state,
"(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
- state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ state->user_map[SDAP_AT_USER_PRINC].name,
clean_name,
- state->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ state->user_map[SDAP_AT_USER_EMAIL].name,
clean_name,
ep_filter == NULL ? "" : ep_filter,
- state->opts->user_map[SDAP_OC_USER].name);
+ state->user_map[SDAP_OC_USER].name);
if (state->user_base_filter == NULL) {
talloc_zfree(req);
return NULL;
}
} else {
- search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
+ search_attr = state->user_map[SDAP_AT_USER_NAME].name;
ret = sss_parse_internal_fqname(state, filter_value,
&state->shortname, NULL);
@@ -2860,7 +2876,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->user_base_filter =
talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
search_attr, clean_name,
- state->opts->user_map[SDAP_OC_USER].name);
+ state->user_map[SDAP_OC_USER].name);
if (!state->user_base_filter) {
talloc_zfree(req);
return NULL;
@@ -2877,14 +2893,14 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
*/
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
"(%s=*))",
- id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ state->user_map[SDAP_AT_USER_OBJECTSID].name);
} else {
/* When not ID-mapping or looking up app users, make sure there
* is a non-NULL UID */
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
"(&(%s=*)(!(%s=0))))",
- id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
- id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ state->user_map[SDAP_AT_USER_UID].name,
+ state->user_map[SDAP_AT_USER_UID].name);
}
if (!state->user_base_filter) {
talloc_zfree(req);
@@ -2892,8 +2908,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ret = build_attrs_from_map(state,
- state->opts->user_map,
- state->opts->user_map_cnt,
+ state->user_map,
+ state->user_map_cnt,
NULL, &state->user_attrs, NULL);
if (ret) {
talloc_zfree(req);
@@ -2990,7 +3006,7 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
state->user_search_bases[state->user_base_iter]->basedn,
state->user_search_bases[state->user_base_iter]->scope,
state->filter, state->user_attrs,
- state->opts->user_map, state->opts->user_map_cnt,
+ state->user_map, state->user_map_cnt,
state->timeout,
false);
if (!subreq) {
@@ -3179,6 +3195,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
case SDAP_SCHEMA_IPA_V1:
subreq = sdap_initgr_nested_send(state, state->ev, state->opts,
+ state->user_map, state->user_map_cnt,
state->sysdb, state->dom, state->sh,
state->orig_user, state->grp_attrs);
if (!subreq) {
@@ -3377,7 +3394,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
*/
ret = sdap_attrs_get_sid_str(
tmp_ctx, opts->idmap_ctx, state->orig_user,
- opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
+ state->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
&sid_str);
if (ret != EOK) goto done;
@@ -3392,7 +3409,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
ret = sysdb_attrs_get_uint32_t(
state->orig_user,
- opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
+ state->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
&primary_gid);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
--
2.46.1

View File

@ -0,0 +1,80 @@
From 9ff2e55000d146381db5f66575e40ada5ecaf0cf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Sep 2024 14:37:05 +0200
Subject: [PATCH 11/15] ad: use default user_map when looking of host groups
for GPO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the default AD user attribute map to lookup the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
(cherry picked from commit 2c233636c093708d5cdd7ddb69af9b0ecde633bd)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/providers/ad/ad_access.h | 1 +
src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
index 34d5597da..c54b53eed 100644
--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -49,6 +49,7 @@ struct ad_access_ctx {
} gpo_map_type;
hash_table_t *gpo_map_options_table;
enum gpo_map_type gpo_default_right;
+ struct sdap_attr_map *host_attr_map;
};
struct tevent_req *
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 69dd54f5b..4e2f06b0d 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -45,6 +45,7 @@
#include "providers/ad/ad_common.h"
#include "providers/ad/ad_domain_info.h"
#include "providers/ad/ad_gpo.h"
+#include "providers/ad/ad_opts.h"
#include "providers/ldap/sdap_access.h"
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap.h"
@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
"trying with user search base.");
}
+ if (state->access_ctx->host_attr_map == NULL) {
+ ret = sdap_copy_map(state->access_ctx,
+ ad_2008r2_user_map, SDAP_OPTS_USER,
+ &state->access_ctx->host_attr_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
+ goto done;
+ }
+ }
+
subreq = groups_by_user_send(state, state->ev,
state->access_ctx->ad_id_ctx->sdap_id_ctx,
sdom, state->conn,
search_bases,
state->host_fqdn,
BE_FILTER_NAME,
- NULL, NULL, 0,
+ NULL,
+ state->access_ctx->host_attr_map,
+ SDAP_OPTS_USER,
true,
true);
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
--
2.46.1

View File

@ -0,0 +1,61 @@
From 0e86f1a53b893a296488d96a432b98458403bcb9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 14 Jun 2024 16:10:34 +0200
Subject: [PATCH 12/15] sysdb: do not fail to add non-posix user to MPG domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SSSD does not handle the root user (UID==0) and treats all accounts with
UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
well and as a result for those accounts in MPG domains the check for a
collisions of the primary GID should be skipped. The current code might
e.g. cause issues during GPO evaluation when adding a host account into
the cache which does not have any UID or GID set in AD and SSSD is
configured to read UID and GID from AD.
Resolves: https://github.com/SSSD/sssd/issues/7451
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 986bb726202e69b05f861c14c3a220379baf9bd1)
(cherry picked from commit d234cf5d6e793daf2c96856887acb641c4dff407)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/db/sysdb_ops.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 3331d4687..fa2d81217 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
goto done;
}
- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
- if (ret != ENOENT) {
- if (ret == EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Group with GID [%"SPRIgid"] already exists in an "
- "MPG domain\n", gid);
- ret = EEXIST;
+ if (uid != 0) { /* uid == 0 means non-POSIX object */
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group with GID [%"SPRIgid"] already exists in an "
+ "MPG domain\n", uid);
+ ret = EEXIST;
+ }
+ goto done;
}
- goto done;
}
}
--
2.46.1

View File

@ -0,0 +1,230 @@
From acd5da528789734411b12fa8b19007b00eea9f2c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 13 Sep 2024 15:45:59 +0200
Subject: [PATCH 13/15] ldap: add 'exop_force' value for ldap_pwmodify_mode
In case the LDAP server allows to run the extended operation to change a
password even if an authenticated bind fails due to missing grace logins
the new option 'exop_force' can be used to run the extended operation to
change the password anyways.
:config: Added `exop_force` value for configuration option
`ldap_pwmodify_mode`. This can be used to force a password change even
if no grace logins are left. Depending on the configuration of the
LDAP server it might be expected that the password change will fail.
(cherry picked from commit 72a7fd0ded236a16b00bb4e26221f7e23b702a53)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit e3a3f44c4cdcb936b59941636ff576de613366d1)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/man/sssd-ldap.5.xml | 11 +++++++++
src/providers/ipa/ipa_auth.c | 3 ++-
src/providers/ldap/ldap_auth.c | 5 +++-
src/providers/ldap/ldap_options.c | 2 ++
src/providers/ldap/sdap.h | 5 ++--
src/providers/ldap/sdap_async.h | 3 ++-
src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++-----
7 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 0a814ec35..a9994aade 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -234,6 +234,17 @@
userPassword (not recommended).
</para>
</listitem>
+ <listitem>
+ <para>
+ exop_force - Try Password Modify
+ Extended Operation (RFC 3062) even if
+ there are no grace logins left.
+ Depending on the type and configuration
+ of the LDAP server the password change
+ might fail because an authenticated bind
+ is not possible.
+ </para>
+ </listitem>
</itemizedlist>
</para>
<para>
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 1d61a1052..b2e5b6f35 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -381,7 +381,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
SDAP_OPT_TIMEOUT);
subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
- state->pd->authtok, timeout);
+ state->pd->authtok, timeout,
+ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
if (subreq == NULL) {
goto done;
}
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 8ec4d3af5..023ed2277 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -896,7 +896,8 @@ static void auth_do_bind(struct tevent_req *req)
NULL, NULL, state->dn,
state->authtok,
dp_opt_get_int(state->ctx->opts->basic,
- SDAP_OPT_TIMEOUT));
+ SDAP_OPT_TIMEOUT),
+ state->ctx->opts->pwmodify_mode);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -1186,6 +1187,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,
switch (opts->pwmodify_mode) {
case SDAP_PWMODIFY_EXOP:
+ case SDAP_PWMODIFY_EXOP_FORCE:
subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
password, new_password,
timeout);
@@ -1229,6 +1231,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)
switch (state->mode) {
case SDAP_PWMODIFY_EXOP:
+ case SDAP_PWMODIFY_EXOP_FORCE:
ret = sdap_exop_modify_passwd_recv(subreq, state,
&state->user_error_message);
break;
diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
index 277bcb529..72a95300d 100644
--- a/src/providers/ldap/ldap_options.c
+++ b/src/providers/ldap/ldap_options.c
@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
} else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
+ } else if (strcasecmp(pwmodify, "exop_force") == 0) {
+ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
} else {
DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
ret = EINVAL;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 103d50ed4..cc34c8198 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -546,8 +546,9 @@ struct sdap_options {
/* password modify mode */
enum pwmodify_mode {
- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */
+ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
+ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */
+ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
} pwmodify_mode;
/* The search bases for the domain or its subdomain */
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index a45e057d0..80b403bc3 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -146,7 +146,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
const char *sasl_user,
const char *user_dn,
struct sss_auth_token *authtok,
- int simple_bind_timeout);
+ int simple_bind_timeout,
+ enum pwmodify_mode pwmodify_mode);
errno_t sdap_auth_recv(struct tevent_req *req,
TALLOC_CTX *memctx,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index e8638725c..992a5798c 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -643,6 +643,7 @@ struct simple_bind_state {
struct tevent_context *ev;
struct sdap_handle *sh;
const char *user_dn;
+ enum pwmodify_mode pwmodify_mode;
struct sdap_op *op;
@@ -659,7 +660,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
int timeout,
const char *user_dn,
- struct berval *pw)
+ struct berval *pw,
+ enum pwmodify_mode pwmodify_mode)
{
struct tevent_req *req;
struct simple_bind_state *state;
@@ -682,6 +684,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
state->ev = ev;
state->sh = sh;
state->user_dn = user_dn;
+ state->pwmodify_mode = pwmodify_mode;
ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
0, NULL, 0, &ctrls[0]);
@@ -866,7 +869,12 @@ static void simple_bind_done(struct sdap_op *op,
* Grace Authentications". */
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, grace logins exhausted.\n");
- ret = ERR_AUTH_FAILED;
+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
+ ret = ERR_PASSWORD_EXPIRED;
+ } else {
+ ret = ERR_AUTH_FAILED;
+ }
}
} else if (strcmp(response_controls[c]->ldctl_oid,
LDAP_CONTROL_PWEXPIRED) == 0) {
@@ -879,7 +887,12 @@ static void simple_bind_done(struct sdap_op *op,
if (result == LDAP_INVALID_CREDENTIALS) {
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, grace logins exhausted.\n");
- ret = ERR_AUTH_FAILED;
+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
+ ret = ERR_PASSWORD_EXPIRED;
+ } else {
+ ret = ERR_AUTH_FAILED;
+ }
} else {
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, user must set a new password.\n");
@@ -1358,7 +1371,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
const char *sasl_user,
const char *user_dn,
struct sss_auth_token *authtok,
- int simple_bind_timeout)
+ int simple_bind_timeout,
+ enum pwmodify_mode pwmodify_mode)
{
struct tevent_req *req, *subreq;
struct sdap_auth_state *state;
@@ -1397,7 +1411,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
pw.bv_len = pwlen;
state->is_sasl = false;
- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw);
+ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, pwmodify_mode);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return tevent_req_post(req, ev);
@@ -1972,7 +1986,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
SDAP_SASL_AUTHID),
user_dn, authtok,
dp_opt_get_int(state->opts->basic,
- SDAP_OPT_TIMEOUT));
+ SDAP_OPT_TIMEOUT),
+ state->opts->pwmodify_mode);
talloc_free(authtok);
if (!subreq) {
tevent_req_error(req, ENOMEM);
--
2.46.1

View File

@ -0,0 +1,54 @@
From aa81ab093966c1717ebfafbeef9f9f78944b9c23 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 15 Apr 2024 16:29:33 +0200
Subject: [PATCH 14/15] DEBUG: reduce log level in case a responder asks for
unknown domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Addition to 718fed9c53807b8502d6547bc0253b979d35e677
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
(cherry picked from commit ab2671c00866d917f3e737a007ae64753f8440aa)
(cherry picked from commit 8dcf23f215fe2a7fadf13598ce7f04523caa5eb0)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/responder/common/cache_req/plugins/cache_req_common.c | 5 ++++-
src/sbus/router/sbus_router_handler.c | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
index 7eb09215a..00b9383ee 100644
--- a/src/responder/common/cache_req/plugins/cache_req_common.c
+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
@@ -129,7 +129,10 @@ cache_req_common_process_dp_reply(struct cache_req *cr,
bool bret;
if (ret != EOK) {
- CACHE_REQ_DEBUG(SSSDBG_IMPORTANT_INFO, cr,
+ int msg_level = SSSDBG_IMPORTANT_INFO;
+ /* ERR_DOMAIN_NOT_FOUND: 'ad_enabled_domains' option can exclude domain */
+ if (ret == ERR_DOMAIN_NOT_FOUND) msg_level = SSSDBG_CONF_SETTINGS;
+ CACHE_REQ_DEBUG(msg_level, cr,
"Could not get account info [%d]: %s\n",
ret, sss_strerror(ret));
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c
index 7b6c2441f..732716046 100644
--- a/src/sbus/router/sbus_router_handler.c
+++ b/src/sbus/router/sbus_router_handler.c
@@ -150,6 +150,8 @@ static void sbus_issue_request_done(struct tevent_req *subreq)
} else {
int msg_level = SSSDBG_OP_FAILURE;
if (ret == ERR_MISSING_DP_TARGET) msg_level = SSSDBG_FUNC_DATA;
+ /* ERR_DOMAIN_NOT_FOUND: 'ad_enabled_domains' option can exclude domain */
+ if (ret == ERR_DOMAIN_NOT_FOUND) msg_level = SSSDBG_CONF_SETTINGS;
DEBUG(msg_level, "%s.%s: Error [%d]: %s\n",
meta.interface, meta.member, ret, sss_strerror(ret));
}
--
2.46.1

View File

@ -0,0 +1,55 @@
From 3e7e0cc7038c89132c9f4b8a48b6b1e0c0febff4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 21 Nov 2024 09:16:09 +0100
Subject: [PATCH 15/15] ldap_child: make sure invalid krb5 context is not used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7715
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744)
---
src/util/sss_krb5.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 3f57e5b26..f44df2b5f 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -83,6 +83,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name)
return keytab_name;
}
+ if (ctx == NULL) {
+ return "-unknown-";
+ }
+
if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) {
return "-default keytab-";
}
@@ -1355,8 +1359,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
{
krb5_error_code kerr;
const char *msg;
+ krb5_context ctx;
- kerr = krb5_init_context(context);
+ kerr = krb5_init_context(&ctx);
if (kerr != 0) {
/* It is safe to call (sss_)krb5_get_error_message() with NULL as first
* argument. */
@@ -1365,6 +1370,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
"Failed to init Kerberos context [%s]\n", msg);
sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg);
sss_krb5_free_error_message(NULL, msg);
+ } else {
+ *context = ctx;
}
return kerr;
--
2.46.1

View File

@ -19,7 +19,7 @@
Name: sssd
Version: 2.9.4
Release: 5%{?dist}
Release: 5%{?dist}.1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -34,6 +34,14 @@ Patch0004: 0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
Patch0005: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch
Patch0006: 0006-ad-refresh-root-domain-when-read-directly.patch
Patch0007: 0007-failover-add-failover_primary_timeout-option.patch
Patch0008: 0008-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
Patch0009: 0009-TESTS-Also-test-default_dyndns_opts.patch
Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
Patch0012: 0012-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
Patch0013: 0013-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
Patch0014: 0014-DEBUG-reduce-log-level-in-case-a-responder-asks-for-.patch
Patch0015: 0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
### Downstream Patches ###
@ -1218,6 +1226,14 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Fri Nov 22 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-5.1
- Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z]
- Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z]
- Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z]
- Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z]
- Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z]
- Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z]
* Mon Sep 09 2024 Anuar Beisembayev <abeisemb@redhat.com> - 2.9.4-5
- Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements