diff --git a/.gitignore b/.gitignore
index a743af2..4714c8c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.8.2.tar.gz
+SOURCES/sssd-2.9.1.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 6575e58..9b2fbfd 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
+5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz
diff --git a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
deleted file mode 100644
index 60feece..0000000
--- a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+++ /dev/null
@@ -1,158 +0,0 @@ -From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Thu, 8 Dec 2022 15:14:05 +0100 -Subject: [PATCH] ldap: update shadow last change in sysdb as well -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Otherwise pam can use the changed information whe id chaching is -enabled, so next authentication that fits into the id timeout -(5 seconds by default) will still sees the password as expired. - -Resolves: https://github.com/SSSD/sssd/issues/6477 - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886) ---- - src/db/sysdb.h | 4 ++++ - src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ - src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++----- - 3 files changed, 52 insertions(+), 5 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 7c666f5c4..06b44f5ba 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain, - struct sysdb_attrs *attrs, - int mod_op); - -+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, -+ const char *name, -+ const char *attrname); -+ - /* Replace group attrs */ - int sysdb_set_group_attr(struct sss_domain_info *domain, - const char *name, -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 0d6f2d5cd..ed0df9872 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -1485,6 +1485,38 @@ done: - return ret; - } - -+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, -+ const char *name, -+ const char *attrname) -+{ -+ struct sysdb_attrs *attrs; -+ char *value; -+ errno_t ret; -+ -+ attrs = sysdb_new_attrs(NULL); -+ if (attrs == NULL) { -+ return ENOMEM; -+ } -+ -+ /* The attribute contains number of days since the epoch */ -+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400); -+ if 
(value == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = sysdb_attrs_add_string(attrs, attrname, value); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); -+ -+done: -+ talloc_free(attrs); -+ return ret; -+} -+ - /* =Replace-Attributes-On-Group=========================================== */ - - int sysdb_set_group_attr(struct sss_domain_info *domain, -diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c -index 6404a9d3a..96b9d6df4 100644 ---- a/src/providers/ldap/ldap_auth.c -+++ b/src/providers/ldap/ldap_auth.c -@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state { - struct pam_data *pd; - struct sdap_handle *sh; - char *dn; -+ enum pwexpire pw_expire_type; - }; - - static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); -@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - { - struct sdap_pam_chpass_handler_state *state; - struct tevent_req *req; -- enum pwexpire pw_expire_type; - void *pw_expire_data; - size_t msg_len; - uint8_t *msg; -@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); - - ret = auth_recv(subreq, state, &state->sh, &state->dn, -- &pw_expire_type, &pw_expire_data); -+ &state->pw_expire_type, &pw_expire_data); - talloc_free(subreq); - - if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && -@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - } - - if (ret == EOK) { -- switch (pw_expire_type) { -+ switch (state->pw_expire_type) { - case PWEXPIRE_SHADOW: - ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); - break; -@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - break; - default: - DEBUG(SSSDBG_CRIT_FAILURE, -- "Unknown password expiration type %d.\n", pw_expire_type); -+ 
"Unknown password expiration type %d.\n", -+ state->pw_expire_type); - state->pd->pam_status = PAM_SYSTEM_ERR; - goto done; - } -@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - case ERR_PASSWORD_EXPIRED: - DEBUG(SSSDBG_TRACE_LIBS, - "user [%s] successfully authenticated.\n", state->dn); -- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type); -+ ret = sdap_pam_chpass_handler_change_step(state, req, -+ state->pw_expire_type); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sdap_pam_chpass_handler_change_step() failed.\n"); -@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) - - switch (ret) { - case EOK: -+ if (state->pw_expire_type == PWEXPIRE_SHADOW) { -+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain, -+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE); -+ if (ret != EOK) { -+ state->pd->pam_status = PAM_SYSTEM_ERR; -+ goto done; -+ } -+ } -+ - state->pd->pam_status = PAM_SUCCESS; - break; - case ERR_CHPASS_DENIED: --- -2.37.3 - diff --git a/SOURCES/0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch b/SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch similarity index 95% rename from SOURCES/0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch rename to SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch index 6a77149..436992c 100644 --- a/SOURCES/0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch +++ b/SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch @@ -1,4 +1,4 @@ -From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001 +From f16e570838d1c6cd30b5883f364b0f437c314b1f Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 9 Jun 2023 12:31:39 +0200 Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls @@ -22,10 +22,10 @@ Reviewed-by: Pavel Březina 2 files changed, 38 insertions(+), 2 deletions(-) 
diff --git a/src/util/util.h b/src/util/util.h -index a8356e0cd..9dbcf3301 100644 +index 11dc40d57..02fd53237 100644 --- a/src/util/util.h +++ b/src/util/util.h -@@ -756,6 +756,18 @@ int setup_watchdog(struct tevent_context *ev, int interval); +@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval); void teardown_watchdog(void); int get_watchdog_ticks(void); diff --git a/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch b/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch deleted file mode 100644 index fdc756a..0000000 --- a/SOURCES/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 3 Feb 2023 11:35:42 +0100 -Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common - read/write/check helpers. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)` -error condition is detected, regular `POLLIN/POLLOUT` won't be set. -Error code set by error condition should have a priority. This enables -users of this helper to retry attempt (as designed). - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd) ---- - src/sss_client/common.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 2c888faa9..27e09f6f3 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, - case 1: - if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & POLLOUT)) { -+ } else if (!(pfd.revents & POLLOUT)) { - *errnop = EBUSY; - } - break; -@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, - } - if (pfd.revents & (POLLERR | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & POLLIN)) { -+ } else if (!(pfd.revents & POLLIN)) { - *errnop = EBUSY; - } - break; -@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop, - case 1: - if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & (POLLIN | POLLOUT))) { -+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) { - *errnop = EBUSY; - } - break; --- -2.37.3 - 
diff --git a/SOURCES/0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch b/SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch similarity index 79% rename from SOURCES/0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch rename to SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch index 99e7c04..655cf29 100644 --- a/SOURCES/0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch +++ b/SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch @@ -1,4 +1,4 @@ -From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001 +From 27987c791bc452f53696a3a33f0d607ab040e78d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 9 Jun 2023 13:01:47 +0200 Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send() @@ -23,9 +23,22 @@ Reviewed-by: Alexey Tikhonov Reviewed-by: Pavel Březina (cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af) --- + Makefile.am | 1 - src/sbus/connection/sbus_connection_connect.c | 4 ++++ - 1 file changed, 4 insertions(+) + 2 files changed, 4 insertions(+), 1 deletion(-) +diff --git a/Makefile.am b/Makefile.am +index e780e8a14..23c63ec1e 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -4672,7 +4672,6 @@ krb5_child_LDADD = \ + $(CLIENT_LIBS) \ + $(SYSTEMD_LOGIN_LIBS) \ + $(JANSSON_LIBS) \ +- libsss_sbus.la \ + $(NULL) + + ldap_child_SOURCES = \ diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c index 45a0fa491..edc090e15 100644 --- a/src/sbus/connection/sbus_connection_connect.c diff --git a/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch b/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch deleted file mode 100644 index d7c875f..0000000 --- a/SOURCES/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 8 Feb 2023 17:48:52 +0100 -Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is - alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise - there is a risk to close "foreign" socket opened in another thread. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3) ---- - src/sss_client/common.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 27e09f6f3..c8ade645b 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, - *errnop = ETIME; - break; - case 1: -- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { -+ if (pfd.revents & (POLLERR | POLLHUP)) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & POLLOUT)) { - *errnop = EBUSY; -@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, - if (pfd.revents & (POLLHUP)) { - pollhup = true; - } -- if (pfd.revents & (POLLERR | POLLNVAL)) { -+ if (pfd.revents & POLLERR) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & POLLIN)) { - *errnop = EBUSY; -@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop, - *errnop = ETIME; - break; - case 1: -- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { -+ if (pfd.revents & (POLLERR | POLLHUP)) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid 
request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & (POLLIN | POLLOUT))) { - *errnop = EBUSY; --- -2.37.3 - diff --git a/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch b/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch deleted file mode 100644 index dee9c9d..0000000 --- a/SOURCES/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 8 Feb 2023 18:58:37 +0100 -Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with - mutex. Otherwise a thread calling pam_end() can close socket mid pam - transaction in another thread. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug only manifested on platforms where "lockfree client" -feature wasn't built. - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082) ---- - src/sss_client/pam_sss.c | 3 +++ - src/sss_client/pam_sss_gss.c | 2 ++ - 2 files changed, 5 insertions(+) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index afbdef59a..39ad17188 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err) - #endif /* PAM_DATA_REPLACE */ - - D(("Closing the fd")); -+ -+ sss_pam_lock(); - sss_cli_close_socket(); -+ sss_pam_unlock(); - } - - struct cert_auth_info { -diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c -index 1109ec570..dd578ae5d 100644 ---- a/src/sss_client/pam_sss_gss.c -+++ b/src/sss_client/pam_sss_gss.c -@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, - } - - done: -+ sss_pam_lock(); - sss_cli_close_socket(); -+ sss_pam_unlock(); - free(username); - free(domain); - free(target); --- -2.37.3 - 
diff --git a/SOURCES/0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch b/SOURCES/0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch deleted file mode 100644 index 970be5f..0000000 --- a/SOURCES/0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 01d02794e02f051ea9a78cd63b30384de3e7c9b0 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 10 May 2023 10:27:08 +0200 -Subject: [PATCH] sysdb: fix string comparison when checking for overrides - -When checking if the input group-name is the original name from AD or an -overwritten one the comparison is currently done case sensitive. Since -AD handles names case-insensitive and hence SSSD should do this as well -this comparison might cause issues. - -The patch replace the case sensitive comparison with a comparison with -respects the case_sensitive of the domain the object is coming from. - -Resolves: https://github.com/SSSD/sssd/issues/6720 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Iker Pedrosa ---- - src/db/sysdb_search.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index 7efd570e78..e4c53b8535 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, - res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL); - - if (originalad_sanitized_name != NULL -- && strcmp(originalad_sanitized_name, sanitized_name) != 0) { -+ && !sss_string_equal(domain->case_sensitive, -+ originalad_sanitized_name, -+ sanitized_name)) { - fmt_filter = SYSDB_GRNAM_FILTER; - base_dn = sysdb_group_base_dn(tmp_ctx, domain); - res = NULL; diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 4346121..2b57d58 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec 
@@ -18,8 +18,8 @@ %global enable_systemtap_opt --enable-systemtap Name: sssd -Version: 2.8.2 -Release: 3%{?dist}.alma +Version: 2.9.1 +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -27,10 +27,8 @@ URL: https://github.com/SSSD/sssd Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch -Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch -Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch -Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch +Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch +Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch # Patches were taken from: # https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/26c81cdfa6fdda4aab69e0184839be0fb74ef73d @@ -221,7 +219,6 @@ Summary: Userspace tools for use with the SSSD Group: Applications/System License: GPLv3+ Requires: sssd-common = %{version}-%{release} -Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} @@ -601,6 +598,8 @@ autoreconf -ivf --with-initscript=systemd \ --with-syslog=journald \ --with-subid \ + --with-files-provider \ + --with-libsifp \ --enable-sss-default-nss-plugin \ --without-python2-bindings \ --with-sssd-user=sssd \ @@ -917,7 +916,7 @@ done %{_mandir}/man5/sssd-ifp.5* %{_unitdir}/sssd-ifp.service # InfoPipe DBus plumbing -%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service %files -n libsss_simpleifp 
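Review bot: The `### Patches ###` hunk (-27,10) removes the Patch0001–Patch0004 backports, and the same commit deletes the 0007 patch file, but nothing on the page shows that these fixes are contained in the 2.9.1 tarball. The four removed entries carry a `(cherry picked from commit …)` trailer that can be checked against the upstream tag. 0007-sysdb-fix-string-comparison-when-checking-for-overrides.patch has no such trailer, so its presence in 2.9.1 should be confirmed by hand; otherwise the case-sensitive override comparison it fixed comes back. The context comment `# Patches were taken from:` is kept and the hunk ends right after it, so if any `Patch0005`–`Patch0007` entries follow outside the hunk they would now point at renamed or deleted files and should be dropped.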
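Review bot: `--with-files-provider` and `--with-libsifp` are added to the configure call (hunk -601,6) with no comment saying why. The earlier hunk at -221,7 removes `Requires: libsss_simpleifp` from the tools subpackage, while the `%files -n libsss_simpleifp` section is still present. Presumably this release no longer builds either component by default and the flags keep them for compatibility. If so, record it in the spec, e.g. `# files provider and libsss_simpleifp are deprecated upstream; built here only for compatibility`, placed above the configure invocation, which starts outside this hunk. Each opt-in component is extra code shipped with an authentication daemon, so the reason for keeping it belongs next to the flag.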
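Review bot: In hunk -917,7 neither the old nor the new %files entry for `org.freedesktop.sssd.infopipe.conf` is marked `%config`, so when the file moves from `%{_sysconfdir}/dbus-1/system.d` to `%{_datadir}/dbus-1/system.d` rpm would normally remove the copy under /etc on upgrade, even if it was edited locally. The file appears to be the bus policy for the InfoPipe service, so a site that tightened it would silently fall back to the packaged policy. A changelog line such as `- InfoPipe D-Bus policy is now installed under %{_datadir}/dbus-1/system.d; keep local overrides in /etc/dbus-1/system.d` would make the move visible. The %files section continues outside the hunk.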
@@ -1220,10 +1219,36 @@ fi %systemd_postun_with_restart sssd.service %changelog -* Tue Aug 08 2023 Eduard Abdullin - 2.8.2-3.alma -- Apply 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls - 0006-sbus-arm-watchdog-for-sbus_connect_init_send - 0007-sysdb-fix-string-comparison-when-checking-for-overrides patches +* Mon Jul 10 2023 Alexey Tikhonov - 2.9.1-2 +- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system + +* Fri Jun 23 2023 Alexey Tikhonov - 2.9.1-1 +- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 +- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy +- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files +- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' +- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure +- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] +- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization +- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working +- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides +- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' + +* Tue May 30 2023 Alexey Tikhonov - 2.9.0-4 +- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release + Rebuild against rebased Samba libs + +* Thu May 25 2023 Alexey Tikhonov - 2.9.0-3 +- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 + +* Mon May 15 2023 Alexey Tikhonov - 2.9.0-1 +- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 +- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot 
speak to forest root domain (ldap_sasl_interactive_bind_s failed) +- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket +- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 +- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name +- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") +- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # * Mon Feb 13 2023 Alexey Tikhonov - 2.8.2-2 - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"