rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'c8' into a8

Browse Source
This commit is contained in:
eabdullin 2023-11-15 11:37:51 +03:00
commit e945aa7449
10 changed files with 57 additions and 387 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.8.2.tar.gz
SOURCES/sssd-2.9.1.tar.gz

2
.sssd.metadata
View File

@ -1 +1 @@
4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz

158
SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
View File

@ -1,158 +0,0 @@
From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 8 Dec 2022 15:14:05 +0100
Subject: [PATCH] ldap: update shadow last change in sysdb as well
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise pam can use the changed information whe id chaching is
enabled, so next authentication that fits into the id timeout
(5 seconds by default) will still sees the password as expired.
Resolves: https://github.com/SSSD/sssd/issues/6477
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
---
src/db/sysdb.h | 4 ++++
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
3 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7c666f5c4..06b44f5ba 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
struct sysdb_attrs *attrs,
int mod_op);
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
+ const char *name,
+ const char *attrname);
+
/* Replace group attrs */
int sysdb_set_group_attr(struct sss_domain_info *domain,
const char *name,
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0d6f2d5cd..ed0df9872 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1485,6 +1485,38 @@ done:
return ret;
}
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
+ const char *name,
+ const char *attrname)
+{
+ struct sysdb_attrs *attrs;
+ char *value;
+ errno_t ret;
+
+ attrs = sysdb_new_attrs(NULL);
+ if (attrs == NULL) {
+ return ENOMEM;
+ }
+
+ /* The attribute contains number of days since the epoch */
+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
+ if (value == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, attrname, value);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
+
+done:
+ talloc_free(attrs);
+ return ret;
+}
+
/* =Replace-Attributes-On-Group=========================================== */
int sysdb_set_group_attr(struct sss_domain_info *domain,
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 6404a9d3a..96b9d6df4 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
struct pam_data *pd;
struct sdap_handle *sh;
char *dn;
+ enum pwexpire pw_expire_type;
};
static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
{
struct sdap_pam_chpass_handler_state *state;
struct tevent_req *req;
- enum pwexpire pw_expire_type;
void *pw_expire_data;
size_t msg_len;
uint8_t *msg;
@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
ret = auth_recv(subreq, state, &state->sh, &state->dn,
- &pw_expire_type, &pw_expire_data);
+ &state->pw_expire_type, &pw_expire_data);
talloc_free(subreq);
if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
}
if (ret == EOK) {
- switch (pw_expire_type) {
+ switch (state->pw_expire_type) {
case PWEXPIRE_SHADOW:
ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
break;
@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
- "Unknown password expiration type %d.\n", pw_expire_type);
+ "Unknown password expiration type %d.\n",
+ state->pw_expire_type);
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
case ERR_PASSWORD_EXPIRED:
DEBUG(SSSDBG_TRACE_LIBS,
"user [%s] successfully authenticated.\n", state->dn);
- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
+ ret = sdap_pam_chpass_handler_change_step(state, req,
+ state->pw_expire_type);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sdap_pam_chpass_handler_change_step() failed.\n");
@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
switch (ret) {
case EOK:
+ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
+ if (ret != EOK) {
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ }
+
state->pd->pam_status = PAM_SUCCESS;
break;
case ERR_CHPASS_DENIED:
--
2.37.3

6
SOURCES/0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch → SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
View File

@ -1,4 +1,4 @@
From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001
From f16e570838d1c6cd30b5883f364b0f437c314b1f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 12:31:39 +0200
Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
@ -22,10 +22,10 @@ Reviewed-by: Pavel Březina <pbrezina@redhat.com>
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/util/util.h b/src/util/util.h
index a8356e0cd..9dbcf3301 100644
index 11dc40d57..02fd53237 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -756,6 +756,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
void teardown_watchdog(void);
int get_watchdog_ticks(void);

58
SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
View File

@ -1,58 +0,0 @@
From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 3 Feb 2023 11:35:42 +0100
Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
read/write/check helpers.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
error condition is detected, regular `POLLIN/POLLOUT` won't be set.
Error code set by error condition should have a priority. This enables
users of this helper to retry attempt (as designed).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
---
src/sss_client/common.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 2c888faa9..27e09f6f3 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
case 1:
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
*errnop = EPIPE;
- }
- if (!(pfd.revents & POLLOUT)) {
+ } else if (!(pfd.revents & POLLOUT)) {
*errnop = EBUSY;
}
break;
@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
}
if (pfd.revents & (POLLERR | POLLNVAL)) {
*errnop = EPIPE;
- }
- if (!(pfd.revents & POLLIN)) {
+ } else if (!(pfd.revents & POLLIN)) {
*errnop = EBUSY;
}
break;
@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
case 1:
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
*errnop = EPIPE;
- }
- if (!(pfd.revents & (POLLIN | POLLOUT))) {
+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
*errnop = EBUSY;
}
break;
--
2.37.3

17
SOURCES/0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch → SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch
View File

@ -1,4 +1,4 @@
From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001
From 27987c791bc452f53696a3a33f0d607ab040e78d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 13:01:47 +0200
Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
@ -23,9 +23,22 @@ Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
---
Makefile.am | 1 -
src/sbus/connection/sbus_connection_connect.c | 4 ++++
1 file changed, 4 insertions(+)
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index e780e8a14..23c63ec1e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4672,7 +4672,6 @@ krb5_child_LDADD = \
$(CLIENT_LIBS) \
$(SYSTEMD_LOGIN_LIBS) \
$(JANSSON_LIBS) \
- libsss_sbus.la \
$(NULL)
ldap_child_SOURCES = \
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
index 45a0fa491..edc090e15 100644
--- a/src/sbus/connection/sbus_connection_connect.c

63
SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
View File

@ -1,63 +0,0 @@
From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 8 Feb 2023 17:48:52 +0100
Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
there is a risk to close "foreign" socket opened in another thread.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
---
src/sss_client/common.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 27e09f6f3..c8ade645b 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
*errnop = ETIME;
break;
case 1:
- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+ if (pfd.revents & (POLLERR | POLLHUP)) {
+ *errnop = EPIPE;
+ } else if (pfd.revents & POLLNVAL) {
+ /* Invalid request: fd is not opened */
+ sss_cli_sd = -1;
*errnop = EPIPE;
} else if (!(pfd.revents & POLLOUT)) {
*errnop = EBUSY;
@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
if (pfd.revents & (POLLHUP)) {
pollhup = true;
}
- if (pfd.revents & (POLLERR | POLLNVAL)) {
+ if (pfd.revents & POLLERR) {
+ *errnop = EPIPE;
+ } else if (pfd.revents & POLLNVAL) {
+ /* Invalid request: fd is not opened */
+ sss_cli_sd = -1;
*errnop = EPIPE;
} else if (!(pfd.revents & POLLIN)) {
*errnop = EBUSY;
@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
*errnop = ETIME;
break;
case 1:
- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
+ if (pfd.revents & (POLLERR | POLLHUP)) {
+ *errnop = EPIPE;
+ } else if (pfd.revents & POLLNVAL) {
+ /* Invalid request: fd is not opened */
+ sss_cli_sd = -1;
*errnop = EPIPE;
} else if (!(pfd.revents & (POLLIN | POLLOUT))) {
*errnop = EBUSY;
--
2.37.3

53
SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
View File

@ -1,53 +0,0 @@
From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 8 Feb 2023 18:58:37 +0100
Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
mutex. Otherwise a thread calling pam_end() can close socket mid pam
transaction in another thread.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug only manifested on platforms where "lockfree client"
feature wasn't built.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
---
src/sss_client/pam_sss.c | 3 +++
src/sss_client/pam_sss_gss.c | 2 ++
2 files changed, 5 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index afbdef59a..39ad17188 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
#endif /* PAM_DATA_REPLACE */
D(("Closing the fd"));
+
+ sss_pam_lock();
sss_cli_close_socket();
+ sss_pam_unlock();
}
struct cert_auth_info {
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
index 1109ec570..dd578ae5d 100644
--- a/src/sss_client/pam_sss_gss.c
+++ b/src/sss_client/pam_sss_gss.c
@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
}
done:
+ sss_pam_lock();
sss_cli_close_socket();
+ sss_pam_unlock();
free(username);
free(domain);
free(target);
--
2.37.3

36
SOURCES/0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch
View File

@ -1,36 +0,0 @@
From 01d02794e02f051ea9a78cd63b30384de3e7c9b0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 May 2023 10:27:08 +0200
Subject: [PATCH] sysdb: fix string comparison when checking for overrides
When checking if the input group-name is the original name from AD or an
overwritten one the comparison is currently done case sensitive. Since
AD handles names case-insensitive and hence SSSD should do this as well
this comparison might cause issues.
The patch replace the case sensitive comparison with a comparison with
respects the case_sensitive of the domain the object is coming from.
Resolves: https://github.com/SSSD/sssd/issues/6720
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
---
src/db/sysdb_search.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 7efd570e78..e4c53b8535 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
if (originalad_sanitized_name != NULL
- && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
+ && !sss_string_equal(domain->case_sensitive,
+ originalad_sanitized_name,
+ sanitized_name)) {
fmt_filter = SYSDB_GRNAM_FILTER;
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
res = NULL;

49
SPECS/sssd.spec
View File

@ -18,8 +18,8 @@
%global enable_systemtap_opt --enable-systemtap
Name: sssd
Version: 2.8.2
Release: 3%{?dist}.alma
Version: 2.9.1
Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -27,10 +27,8 @@ URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch
# Patches were taken from:
# https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/26c81cdfa6fdda4aab69e0184839be0fb74ef73d
@ -221,7 +219,6 @@ Summary: Userspace tools for use with the SSSD
Group: Applications/System
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: libsss_simpleifp = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
@ -601,6 +598,8 @@ autoreconf -ivf
--with-initscript=systemd \
--with-syslog=journald \
--with-subid \
--with-files-provider \
--with-libsifp \
--enable-sss-default-nss-plugin \
--without-python2-bindings \
--with-sssd-user=sssd \
@ -917,7 +916,7 @@ done
%{_mandir}/man5/sssd-ifp.5*
%{_unitdir}/sssd-ifp.service
# InfoPipe DBus plumbing
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
%files -n libsss_simpleifp
@ -1220,10 +1219,36 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Tue Aug 08 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.8.2-3.alma
- Apply 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls
0006-sbus-arm-watchdog-for-sbus_connect_init_send
0007-sysdb-fix-string-comparison-when-checking-for-overrides patches
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
Rebuild against rebased Samba libs
* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"