Merge branch 'c8' into a8
This commit is contained in:
commit
e945aa7449
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/sssd-2.8.2.tar.gz
|
SOURCES/sssd-2.9.1.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
|
5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz
|
||||||
|
@ -1,158 +0,0 @@
|
|||||||
From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 8 Dec 2022 15:14:05 +0100
|
|
||||||
Subject: [PATCH] ldap: update shadow last change in sysdb as well
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Otherwise pam can use the changed information whe id chaching is
|
|
||||||
enabled, so next authentication that fits into the id timeout
|
|
||||||
(5 seconds by default) will still sees the password as expired.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/6477
|
|
||||||
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
|
|
||||||
---
|
|
||||||
src/db/sysdb.h | 4 ++++
|
|
||||||
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
|
|
||||||
src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
|
|
||||||
3 files changed, 52 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
|
||||||
index 7c666f5c4..06b44f5ba 100644
|
|
||||||
--- a/src/db/sysdb.h
|
|
||||||
+++ b/src/db/sysdb.h
|
|
||||||
@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
|
|
||||||
struct sysdb_attrs *attrs,
|
|
||||||
int mod_op);
|
|
||||||
|
|
||||||
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
|
|
||||||
+ const char *name,
|
|
||||||
+ const char *attrname);
|
|
||||||
+
|
|
||||||
/* Replace group attrs */
|
|
||||||
int sysdb_set_group_attr(struct sss_domain_info *domain,
|
|
||||||
const char *name,
|
|
||||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
||||||
index 0d6f2d5cd..ed0df9872 100644
|
|
||||||
--- a/src/db/sysdb_ops.c
|
|
||||||
+++ b/src/db/sysdb_ops.c
|
|
||||||
@@ -1485,6 +1485,38 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
|
|
||||||
+ const char *name,
|
|
||||||
+ const char *attrname)
|
|
||||||
+{
|
|
||||||
+ struct sysdb_attrs *attrs;
|
|
||||||
+ char *value;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ attrs = sysdb_new_attrs(NULL);
|
|
||||||
+ if (attrs == NULL) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* The attribute contains number of days since the epoch */
|
|
||||||
+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
|
|
||||||
+ if (value == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_attrs_add_string(attrs, attrname, value);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(attrs);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* =Replace-Attributes-On-Group=========================================== */
|
|
||||||
|
|
||||||
int sysdb_set_group_attr(struct sss_domain_info *domain,
|
|
||||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
|
||||||
index 6404a9d3a..96b9d6df4 100644
|
|
||||||
--- a/src/providers/ldap/ldap_auth.c
|
|
||||||
+++ b/src/providers/ldap/ldap_auth.c
|
|
||||||
@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
|
|
||||||
struct pam_data *pd;
|
|
||||||
struct sdap_handle *sh;
|
|
||||||
char *dn;
|
|
||||||
+ enum pwexpire pw_expire_type;
|
|
||||||
};
|
|
||||||
|
|
||||||
static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
|
|
||||||
@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
|
||||||
{
|
|
||||||
struct sdap_pam_chpass_handler_state *state;
|
|
||||||
struct tevent_req *req;
|
|
||||||
- enum pwexpire pw_expire_type;
|
|
||||||
void *pw_expire_data;
|
|
||||||
size_t msg_len;
|
|
||||||
uint8_t *msg;
|
|
||||||
@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
|
||||||
state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
|
|
||||||
|
|
||||||
ret = auth_recv(subreq, state, &state->sh, &state->dn,
|
|
||||||
- &pw_expire_type, &pw_expire_data);
|
|
||||||
+ &state->pw_expire_type, &pw_expire_data);
|
|
||||||
talloc_free(subreq);
|
|
||||||
|
|
||||||
if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
|
|
||||||
@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ret == EOK) {
|
|
||||||
- switch (pw_expire_type) {
|
|
||||||
+ switch (state->pw_expire_type) {
|
|
||||||
case PWEXPIRE_SHADOW:
|
|
||||||
ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
|
|
||||||
break;
|
|
||||||
@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Unknown password expiration type %d.\n", pw_expire_type);
|
|
||||||
+ "Unknown password expiration type %d.\n",
|
|
||||||
+ state->pw_expire_type);
|
|
||||||
state->pd->pam_status = PAM_SYSTEM_ERR;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
|
||||||
case ERR_PASSWORD_EXPIRED:
|
|
||||||
DEBUG(SSSDBG_TRACE_LIBS,
|
|
||||||
"user [%s] successfully authenticated.\n", state->dn);
|
|
||||||
- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
|
|
||||||
+ ret = sdap_pam_chpass_handler_change_step(state, req,
|
|
||||||
+ state->pw_expire_type);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"sdap_pam_chpass_handler_change_step() failed.\n");
|
|
||||||
@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
|
|
||||||
|
|
||||||
switch (ret) {
|
|
||||||
case EOK:
|
|
||||||
+ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
|
|
||||||
+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
|
|
||||||
+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ state->pd->pam_status = PAM_SYSTEM_ERR;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
state->pd->pam_status = PAM_SUCCESS;
|
|
||||||
break;
|
|
||||||
case ERR_CHPASS_DENIED:
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001
|
From f16e570838d1c6cd30b5883f364b0f437c314b1f Mon Sep 17 00:00:00 2001
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
Date: Fri, 9 Jun 2023 12:31:39 +0200
|
Date: Fri, 9 Jun 2023 12:31:39 +0200
|
||||||
Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
|
Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls
|
||||||
@ -22,10 +22,10 @@ Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|||||||
2 files changed, 38 insertions(+), 2 deletions(-)
|
2 files changed, 38 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/util/util.h b/src/util/util.h
|
diff --git a/src/util/util.h b/src/util/util.h
|
||||||
index a8356e0cd..9dbcf3301 100644
|
index 11dc40d57..02fd53237 100644
|
||||||
--- a/src/util/util.h
|
--- a/src/util/util.h
|
||||||
+++ b/src/util/util.h
|
+++ b/src/util/util.h
|
||||||
@@ -756,6 +756,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
|
@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
|
||||||
void teardown_watchdog(void);
|
void teardown_watchdog(void);
|
||||||
int get_watchdog_ticks(void);
|
int get_watchdog_ticks(void);
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Fri, 3 Feb 2023 11:35:42 +0100
|
|
||||||
Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
|
|
||||||
read/write/check helpers.
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
|
|
||||||
error condition is detected, regular `POLLIN/POLLOUT` won't be set.
|
|
||||||
Error code set by error condition should have a priority. This enables
|
|
||||||
users of this helper to retry attempt (as designed).
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
|
|
||||||
---
|
|
||||||
src/sss_client/common.c | 9 +++------
|
|
||||||
1 file changed, 3 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
|
||||||
index 2c888faa9..27e09f6f3 100644
|
|
||||||
--- a/src/sss_client/common.c
|
|
||||||
+++ b/src/sss_client/common.c
|
|
||||||
@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
|
|
||||||
case 1:
|
|
||||||
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
|
||||||
*errnop = EPIPE;
|
|
||||||
- }
|
|
||||||
- if (!(pfd.revents & POLLOUT)) {
|
|
||||||
+ } else if (!(pfd.revents & POLLOUT)) {
|
|
||||||
*errnop = EBUSY;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
|
|
||||||
}
|
|
||||||
if (pfd.revents & (POLLERR | POLLNVAL)) {
|
|
||||||
*errnop = EPIPE;
|
|
||||||
- }
|
|
||||||
- if (!(pfd.revents & POLLIN)) {
|
|
||||||
+ } else if (!(pfd.revents & POLLIN)) {
|
|
||||||
*errnop = EBUSY;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
|
|
||||||
case 1:
|
|
||||||
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
|
||||||
*errnop = EPIPE;
|
|
||||||
- }
|
|
||||||
- if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
|
||||||
+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
|
||||||
*errnop = EBUSY;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001
|
From 27987c791bc452f53696a3a33f0d607ab040e78d Mon Sep 17 00:00:00 2001
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
Date: Fri, 9 Jun 2023 13:01:47 +0200
|
Date: Fri, 9 Jun 2023 13:01:47 +0200
|
||||||
Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
|
Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send()
|
||||||
@ -23,9 +23,22 @@ Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
|
(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)
|
||||||
---
|
---
|
||||||
|
Makefile.am | 1 -
|
||||||
src/sbus/connection/sbus_connection_connect.c | 4 ++++
|
src/sbus/connection/sbus_connection_connect.c | 4 ++++
|
||||||
1 file changed, 4 insertions(+)
|
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index e780e8a14..23c63ec1e 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -4672,7 +4672,6 @@ krb5_child_LDADD = \
|
||||||
|
$(CLIENT_LIBS) \
|
||||||
|
$(SYSTEMD_LOGIN_LIBS) \
|
||||||
|
$(JANSSON_LIBS) \
|
||||||
|
- libsss_sbus.la \
|
||||||
|
$(NULL)
|
||||||
|
|
||||||
|
ldap_child_SOURCES = \
|
||||||
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
|
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
|
||||||
index 45a0fa491..edc090e15 100644
|
index 45a0fa491..edc090e15 100644
|
||||||
--- a/src/sbus/connection/sbus_connection_connect.c
|
--- a/src/sbus/connection/sbus_connection_connect.c
|
@ -1,63 +0,0 @@
|
|||||||
From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Wed, 8 Feb 2023 17:48:52 +0100
|
|
||||||
Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
|
|
||||||
alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
|
|
||||||
there is a risk to close "foreign" socket opened in another thread.
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
|
|
||||||
---
|
|
||||||
src/sss_client/common.c | 18 +++++++++++++++---
|
|
||||||
1 file changed, 15 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
|
||||||
index 27e09f6f3..c8ade645b 100644
|
|
||||||
--- a/src/sss_client/common.c
|
|
||||||
+++ b/src/sss_client/common.c
|
|
||||||
@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
|
|
||||||
*errnop = ETIME;
|
|
||||||
break;
|
|
||||||
case 1:
|
|
||||||
- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
|
||||||
+ if (pfd.revents & (POLLERR | POLLHUP)) {
|
|
||||||
+ *errnop = EPIPE;
|
|
||||||
+ } else if (pfd.revents & POLLNVAL) {
|
|
||||||
+ /* Invalid request: fd is not opened */
|
|
||||||
+ sss_cli_sd = -1;
|
|
||||||
*errnop = EPIPE;
|
|
||||||
} else if (!(pfd.revents & POLLOUT)) {
|
|
||||||
*errnop = EBUSY;
|
|
||||||
@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
|
|
||||||
if (pfd.revents & (POLLHUP)) {
|
|
||||||
pollhup = true;
|
|
||||||
}
|
|
||||||
- if (pfd.revents & (POLLERR | POLLNVAL)) {
|
|
||||||
+ if (pfd.revents & POLLERR) {
|
|
||||||
+ *errnop = EPIPE;
|
|
||||||
+ } else if (pfd.revents & POLLNVAL) {
|
|
||||||
+ /* Invalid request: fd is not opened */
|
|
||||||
+ sss_cli_sd = -1;
|
|
||||||
*errnop = EPIPE;
|
|
||||||
} else if (!(pfd.revents & POLLIN)) {
|
|
||||||
*errnop = EBUSY;
|
|
||||||
@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
|
|
||||||
*errnop = ETIME;
|
|
||||||
break;
|
|
||||||
case 1:
|
|
||||||
- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
|
||||||
+ if (pfd.revents & (POLLERR | POLLHUP)) {
|
|
||||||
+ *errnop = EPIPE;
|
|
||||||
+ } else if (pfd.revents & POLLNVAL) {
|
|
||||||
+ /* Invalid request: fd is not opened */
|
|
||||||
+ sss_cli_sd = -1;
|
|
||||||
*errnop = EPIPE;
|
|
||||||
} else if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
|
||||||
*errnop = EBUSY;
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
@ -1,53 +0,0 @@
|
|||||||
From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Wed, 8 Feb 2023 18:58:37 +0100
|
|
||||||
Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
|
|
||||||
mutex. Otherwise a thread calling pam_end() can close socket mid pam
|
|
||||||
transaction in another thread.
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Bug only manifested on platforms where "lockfree client"
|
|
||||||
feature wasn't built.
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
|
|
||||||
---
|
|
||||||
src/sss_client/pam_sss.c | 3 +++
|
|
||||||
src/sss_client/pam_sss_gss.c | 2 ++
|
|
||||||
2 files changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
||||||
index afbdef59a..39ad17188 100644
|
|
||||||
--- a/src/sss_client/pam_sss.c
|
|
||||||
+++ b/src/sss_client/pam_sss.c
|
|
||||||
@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
|
|
||||||
#endif /* PAM_DATA_REPLACE */
|
|
||||||
|
|
||||||
D(("Closing the fd"));
|
|
||||||
+
|
|
||||||
+ sss_pam_lock();
|
|
||||||
sss_cli_close_socket();
|
|
||||||
+ sss_pam_unlock();
|
|
||||||
}
|
|
||||||
|
|
||||||
struct cert_auth_info {
|
|
||||||
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
|
|
||||||
index 1109ec570..dd578ae5d 100644
|
|
||||||
--- a/src/sss_client/pam_sss_gss.c
|
|
||||||
+++ b/src/sss_client/pam_sss_gss.c
|
|
||||||
@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
|
|
||||||
}
|
|
||||||
|
|
||||||
done:
|
|
||||||
+ sss_pam_lock();
|
|
||||||
sss_cli_close_socket();
|
|
||||||
+ sss_pam_unlock();
|
|
||||||
free(username);
|
|
||||||
free(domain);
|
|
||||||
free(target);
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 01d02794e02f051ea9a78cd63b30384de3e7c9b0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 10 May 2023 10:27:08 +0200
|
|
||||||
Subject: [PATCH] sysdb: fix string comparison when checking for overrides
|
|
||||||
|
|
||||||
When checking if the input group-name is the original name from AD or an
|
|
||||||
overwritten one the comparison is currently done case sensitive. Since
|
|
||||||
AD handles names case-insensitive and hence SSSD should do this as well
|
|
||||||
this comparison might cause issues.
|
|
||||||
|
|
||||||
The patch replace the case sensitive comparison with a comparison with
|
|
||||||
respects the case_sensitive of the domain the object is coming from.
|
|
||||||
|
|
||||||
Resolves: https://github.com/SSSD/sssd/issues/6720
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb_search.c | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
|
|
||||||
index 7efd570e78..e4c53b8535 100644
|
|
||||||
--- a/src/db/sysdb_search.c
|
|
||||||
+++ b/src/db/sysdb_search.c
|
|
||||||
@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
|
|
||||||
res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
|
|
||||||
|
|
||||||
if (originalad_sanitized_name != NULL
|
|
||||||
- && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
|
|
||||||
+ && !sss_string_equal(domain->case_sensitive,
|
|
||||||
+ originalad_sanitized_name,
|
|
||||||
+ sanitized_name)) {
|
|
||||||
fmt_filter = SYSDB_GRNAM_FILTER;
|
|
||||||
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
|
|
||||||
res = NULL;
|
|
@ -18,8 +18,8 @@
|
|||||||
%global enable_systemtap_opt --enable-systemtap
|
%global enable_systemtap_opt --enable-systemtap
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.8.2
|
Version: 2.9.1
|
||||||
Release: 3%{?dist}.alma
|
Release: 2%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -27,10 +27,8 @@ URL: https://github.com/SSSD/sssd
|
|||||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
|
Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
|
||||||
Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
|
Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch
|
||||||
Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
|
|
||||||
Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
|
|
||||||
|
|
||||||
# Patches were taken from:
|
# Patches were taken from:
|
||||||
# https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/26c81cdfa6fdda4aab69e0184839be0fb74ef73d
|
# https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/26c81cdfa6fdda4aab69e0184839be0fb74ef73d
|
||||||
@ -221,7 +219,6 @@ Summary: Userspace tools for use with the SSSD
|
|||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
Requires: sssd-common = %{version}-%{release}
|
Requires: sssd-common = %{version}-%{release}
|
||||||
Requires: libsss_simpleifp = %{version}-%{release}
|
|
||||||
# required by sss_obfuscate
|
# required by sss_obfuscate
|
||||||
Requires: python3-sss = %{version}-%{release}
|
Requires: python3-sss = %{version}-%{release}
|
||||||
Requires: python3-sssdconfig = %{version}-%{release}
|
Requires: python3-sssdconfig = %{version}-%{release}
|
||||||
@ -601,6 +598,8 @@ autoreconf -ivf
|
|||||||
--with-initscript=systemd \
|
--with-initscript=systemd \
|
||||||
--with-syslog=journald \
|
--with-syslog=journald \
|
||||||
--with-subid \
|
--with-subid \
|
||||||
|
--with-files-provider \
|
||||||
|
--with-libsifp \
|
||||||
--enable-sss-default-nss-plugin \
|
--enable-sss-default-nss-plugin \
|
||||||
--without-python2-bindings \
|
--without-python2-bindings \
|
||||||
--with-sssd-user=sssd \
|
--with-sssd-user=sssd \
|
||||||
@ -917,7 +916,7 @@ done
|
|||||||
%{_mandir}/man5/sssd-ifp.5*
|
%{_mandir}/man5/sssd-ifp.5*
|
||||||
%{_unitdir}/sssd-ifp.service
|
%{_unitdir}/sssd-ifp.service
|
||||||
# InfoPipe DBus plumbing
|
# InfoPipe DBus plumbing
|
||||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||||
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
|
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
|
||||||
|
|
||||||
%files -n libsss_simpleifp
|
%files -n libsss_simpleifp
|
||||||
@ -1220,10 +1219,36 @@ fi
|
|||||||
%systemd_postun_with_restart sssd.service
|
%systemd_postun_with_restart sssd.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Aug 08 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.8.2-3.alma
|
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
|
||||||
- Apply 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls
|
- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
|
||||||
0006-sbus-arm-watchdog-for-sbus_connect_init_send
|
|
||||||
0007-sysdb-fix-string-comparison-when-checking-for-overrides patches
|
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
|
||||||
|
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||||
|
- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
|
||||||
|
- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
|
||||||
|
- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
|
||||||
|
- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
|
||||||
|
- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
|
||||||
|
- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
|
||||||
|
- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
|
||||||
|
- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
|
||||||
|
- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
|
||||||
|
|
||||||
|
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
|
||||||
|
- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
|
||||||
|
Rebuild against rebased Samba libs
|
||||||
|
|
||||||
|
* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
|
||||||
|
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||||
|
|
||||||
|
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
|
||||||
|
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||||
|
- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
|
||||||
|
- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
|
||||||
|
- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
|
||||||
|
- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
|
||||||
|
- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
|
||||||
|
- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
|
||||||
|
|
||||||
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
|
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
|
||||||
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
|
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
|
||||||
|
Loading…
Reference in New Issue
Block a user