rpms/sssd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS sssd-2.9.6-4.el9_6.2

Browse Source
This commit is contained in:
eabdullin 2025-05-13 14:23:35 +00:00
parent 82ed2a153e
commit f246fd45d3
22 changed files with 706 additions and 1630 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.9.5.tar.gz
SOURCES/sssd-2.9.6.tar.gz

2
.sssd.metadata
View File

@ -1 +1 @@
f6704a9df1303e154ef8526f9f21e2b72879c046 SOURCES/sssd-2.9.5.tar.gz
da2490cf07d91fd340ce87ffc209fc2420ccf60c SOURCES/sssd-2.9.6.tar.gz

83
SOURCES/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch Normal file
View File

@ -0,0 +1,83 @@
From 4f9fb5fd301d635ad54bf6d0ef93d6811445c7f9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 22 May 2024 13:31:06 +0200
Subject: [PATCH] SYSDB: Use SYSDB_NAME from cached entry when updating users
and groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The sysdb_store_user() and sysdb_store_group() functinos search for the
entry by name to check if it is already cached. This search considers
SYSDB_ALIAS, added when the domain is case insensitive. If a matching
entry is found use its SYSDB_NAME instead of the passed name.
It may happen the group is stored in uppercase, but later some server
returns a memberOf attribute in lowercase. When updating the group to
add the memberships the first search will find the entry, but the modify
operation will fail as the group name in the built DN will differ in case.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d2b734b926e1f23370c9cabd8ba6f07bf6b29a86)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 76f4580aa..32e49d759 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2615,6 +2615,22 @@ int sysdb_store_user(struct sss_domain_info *domain,
}
} else {
/* the user exists, let's just replace attributes when set */
+ /*
+ * The sysdb_search_user_by_name() function also matches lowercased
+ * aliases, saved when the domain is case-insensitive. This means that
+ * the stored entry name can differ in capitalization from the search
+ * name. Use the cached entry name to perform the modification because
+ * if name capitalization in entry's DN differs the modify operation
+ * will fail.
+ */
+ const char *entry_name =
+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (entry_name != NULL) {
+ name = entry_name;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "User '%s' without a name?\n", name);
+ }
+
ret = sysdb_store_user_attrs(domain, name, uid, gid, gecos, homedir,
shell, orig_dn, attrs, remove_attrs,
cache_timeout, now);
@@ -2849,6 +2865,22 @@ int sysdb_store_group(struct sss_domain_info *domain,
ret = sysdb_store_new_group(domain, name, gid, attrs,
cache_timeout, now);
} else {
+ /*
+ * The sysdb_search_group_by_name() function also matches lowercased
+ * aliases, saved when the domain is case-insensitive. This means that
+ * the stored entry name can differ in capitalization from the search
+ * name. Use the cached entry name to perform the modification because
+ * if name capitalization in entry's DN differs the modify operation
+ * will fail.
+ */
+ const char *entry_name =
+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (entry_name != NULL) {
+ name = entry_name;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Group '%s' without a name?\n", name);
+ }
+
ret = sysdb_store_group_attrs(domain, name, gid, attrs,
cache_timeout, now);
}
--
2.47.0

34
SOURCES/0001-spec-change-passkey_child-owner.patch
View File

@ -1,34 +0,0 @@
From ee8de7e404ba65062e0b373f2badc0475835bbde Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 11 Jun 2024 15:57:23 +0200
Subject: [PATCH] spec: change passkey_child owner
passkey_child owner was incorrectly set to $sssd_user:$sssd_user, when
it should be root:root. Correcting it.
Fixes: 30daa0ccdae5 ("spec: update to include passkey")
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit bb72b53d3a222f016d882853a619bd74c237edf9)
---
contrib/sssd.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 03171a872..3735d4f06 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -998,7 +998,7 @@ done
%if %{build_passkey}
%files passkey
-%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child
+%{_libexecdir}/%{servicename}/passkey_child
%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
--
2.44.0

93
SOURCES/0002-KCM-fix-memory-leak.patch Normal file
View File

@ -0,0 +1,93 @@
From 6aba9a7dd2261c19f053d5fbd5358fdaf335b807 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 5 Feb 2025 08:59:49 +0100
Subject: [PATCH] KCM: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The copy of 'secret' argument - `secret_val.data` - was left hanging
on `sss_sec_ctx`, effectively resulting in a memory leak.
But this copy isn't actually required as this data isn't modified in
below operations.
This is a backport of https://github.com/SSSD/sssd/pull/7823
:fixes:'sssd_kcm' memory leak was fixed.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/responder/kcm/secrets/secrets.c | 28 ++++++++++++----------------
1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 730fa68b6..d1a9672d5 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -953,7 +953,7 @@ errno_t sss_sec_put(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val;
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
int ret;
if (req == NULL || secret == NULL) {
@@ -1002,13 +1002,11 @@ errno_t sss_sec_put(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1050,7 +1048,7 @@ errno_t sss_sec_update(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val;
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
int ret;
if (req == NULL || secret == NULL) {
@@ -1099,13 +1097,6 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
/* FIXME - should we have a lastUpdate timestamp? */
ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL);
if (ret != LDB_SUCCESS) {
@@ -1115,6 +1106,11 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_MINOR_FAILURE,
--
2.47.0

58
SOURCES/0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
View File

@ -1,58 +0,0 @@
From d234cf5d6e793daf2c96856887acb641c4dff407 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 14 Jun 2024 16:10:34 +0200
Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SSSD does not handle the root user (UID==0) and treats all accounts with
UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
well and as a result for those accounts in MPG domains the check for a
collisions of the primary GID should be skipped. The current code might
e.g. cause issues during GPO evaluation when adding a host account into
the cache which does not have any UID or GID set in AD and SSSD is
configured to read UID and GID from AD.
Resolves: https://github.com/SSSD/sssd/issues/7451
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 986bb726202e69b05f861c14c3a220379baf9bd1)
---
src/db/sysdb_ops.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0f62e3b1a..76f4580aa 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
goto done;
}
- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
- if (ret != ENOENT) {
- if (ret == EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Group with GID [%"SPRIgid"] already exists in an "
- "MPG domain\n", gid);
- ret = EEXIST;
+ if (uid != 0) { /* uid == 0 means non-POSIX object */
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group with GID [%"SPRIgid"] already exists in an "
+ "MPG domain\n", uid);
+ ret = EEXIST;
+ }
+ goto done;
}
- goto done;
}
}
--
2.44.0

59
SOURCES/0003-KCM-another-memory-leak-fixed.patch Normal file
View File

@ -0,0 +1,59 @@
From e7c76df8c0fa4a361c433684553ba1384166a564 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 12 Feb 2025 11:30:22 +0100
Subject: [PATCH] KCM: another memory leak fixed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
```
...
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520
...
```
Reviewed-by: Alejandro López <allopez@redhat.com>
(cherry picked from commit 9e72bc242b600158d7920b2b98644efa42fd1ffa)
---
src/responder/kcm/kcmsrv_ccache.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index 6e4ea64e0..4f4f8b46a 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -404,7 +404,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- goto done;
+ goto fail;
}
for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) {
@@ -417,7 +417,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
cred_list[i] = kcm_cred_to_krb5(krb_context, cred);
if (cred_list[i] == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n");
- goto done;
+ goto fail;
}
}
@@ -426,8 +426,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
talloc_steal(mem_ctx, cred_list);
+ talloc_free(tmp_ctx);
return cred_list;
-done:
+
+fail:
talloc_free(tmp_ctx);
return NULL;
#endif
--
2.47.0

37
SOURCES/0003-ad-use-right-memory-context-in-GPO-code.patch
View File

@ -1,37 +0,0 @@
From 723a30b45ba4cbd9a4913fd37d68e392dcfc16ba Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Jun 2024 18:04:00 +0200
Subject: [PATCH] ad: use right memory context in GPO code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The original primary SID is allocated on a temporary context and must be
move to be longer living one to still be available when the SID is
evaluated later in the code.
Resolves: https://github.com/SSSD/sssd/issues/7411
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit b25e510ad60f6ce0b57063cce648c3aa48b21241)
---
src/providers/ad/ad_gpo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index b879b0a08..ed664ec83 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -711,7 +711,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
}
group_sids[i++] = talloc_strdup(group_sids, AD_AUTHENTICATED_USERS_SID);
if (orig_gid_sid != NULL) {
- group_sids[i++] = orig_gid_sid;
+ group_sids[i++] = talloc_steal(group_sids, orig_gid_sid);
}
group_sids[i] = NULL;
--
2.44.0

441
SOURCES/0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch Normal file
View File

@ -0,0 +1,441 @@
From addb1a78106cab8a85f8f6c56d79e84b5abd0d5e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 14 Feb 2025 21:15:16 +0100
Subject: [PATCH] SYSDB: don't add group members if 'ignore_group_members ==
true'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7793
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 281d9c3ed66ee28a9572433a629eb0d72525ca46)
---
src/db/sysdb.h | 51 ++++++---
src/db/sysdb_search.c | 6 +-
src/db/sysdb_views.c | 10 +-
src/tests/cmocka/test_responder_cache_req.c | 112 +++++++-------------
src/tests/cmocka/test_sysdb_ts_cache.c | 6 +-
src/tools/sss_override.c | 2 +-
6 files changed, 90 insertions(+), 97 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 55c6437f2..fb1ced009 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -276,19 +276,44 @@
SYSDB_ORIG_DN, \
NULL}
-#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \
- SYSDB_MEMBERUID, \
- SYSDB_MEMBER, \
- SYSDB_GHOST, \
- SYSDB_DEFAULT_ATTRS, \
- SYSDB_SID_STR, \
- SYSDB_OVERRIDE_DN, \
- SYSDB_OVERRIDE_OBJECT_DN, \
- SYSDB_DEFAULT_OVERRIDE_NAME, \
- SYSDB_UUID, \
- ORIGINALAD_PREFIX SYSDB_NAME, \
- ORIGINALAD_PREFIX SYSDB_GIDNUM, \
- NULL}
+/* Strictly speaking it should return 'const char * const *' but
+ * that gets really unreadable.
+ */
+__attribute__((always_inline))
+static inline const char **SYSDB_GRSRC_ATTRS(const struct sss_domain_info *domain)
+{
+ static const char * __SYSDB_GRSRC_ATTRS_NO_MEMBERS[] = {
+ SYSDB_NAME, SYSDB_GIDNUM,
+ SYSDB_DEFAULT_ATTRS,
+ SYSDB_SID_STR,
+ SYSDB_OVERRIDE_DN,
+ SYSDB_OVERRIDE_OBJECT_DN,
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ SYSDB_UUID,
+ NULL
+ };
+ static const char * __SYSDB_GRSRC_ATTRS_WITH_MEMBERS[] = {
+ SYSDB_NAME, SYSDB_GIDNUM,
+ SYSDB_MEMBERUID,
+ SYSDB_MEMBER,
+ SYSDB_GHOST,
+ SYSDB_DEFAULT_ATTRS,
+ SYSDB_SID_STR,
+ SYSDB_OVERRIDE_DN,
+ SYSDB_OVERRIDE_OBJECT_DN,
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ SYSDB_UUID,
+ ORIGINALAD_PREFIX SYSDB_NAME,
+ ORIGINALAD_PREFIX SYSDB_GIDNUM,
+ NULL
+ };
+
+ if (domain && domain->ignore_group_members) {
+ return __SYSDB_GRSRC_ATTRS_NO_MEMBERS;
+ } else {
+ return __SYSDB_GRSRC_ATTRS_WITH_MEMBERS;
+ }
+}
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
SYSDB_NETGROUP_MEMBER, \
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index e4c53b853..7f34ddbcb 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1176,7 +1176,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *fmt_filter;
char *sanitized_name;
struct ldb_dn *base_dn;
@@ -1378,7 +1378,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *res = NULL;
int ret;
- static const char *default_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **default_attrs = SYSDB_GRSRC_ATTRS(domain);
const char **attrs = NULL;
tmp_ctx = talloc_new(NULL);
@@ -1484,7 +1484,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *filter = NULL;
const char *ts_filter = NULL;
const char *base_filter;
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 19c10977b..71f627974 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1237,7 +1237,7 @@ errno_t sysdb_search_group_override_by_name(TALLOC_CTX *mem_ctx,
struct ldb_result **override_obj,
struct ldb_result **orig_obj)
{
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
return sysdb_search_override_by_name(mem_ctx, domain, name,
SYSDB_GROUP_NAME_OVERRIDE_FILTER,
@@ -1253,7 +1253,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain);
const char **attrs;
struct ldb_dn *base_dn;
struct ldb_result *override_res;
@@ -1417,7 +1417,7 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain,
struct ldb_message *override;
uint64_t uid;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); /* members don't matter */
const char **attrs;
struct attr_map {
const char *attr;
@@ -1551,6 +1551,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
char *val;
struct sss_domain_info *orig_dom;
+ if (domain->ignore_group_members) {
+ return EOK;
+ }
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index fe69a9dfd..c665e1adb 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -3282,10 +3282,8 @@ void test_object_by_sid_user_multiple_domains_notfound(void **state)
void test_object_by_sid_group_cache_valid(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
@@ -3298,10 +3296,8 @@ void test_object_by_sid_group_cache_valid(void **state)
void test_object_by_sid_group_cache_expired(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
@@ -3320,10 +3316,8 @@ void test_object_by_sid_group_cache_expired(void **state)
void test_object_by_sid_group_cache_midpoint(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
@@ -3341,12 +3335,10 @@ void test_object_by_sid_group_cache_midpoint(void **state)
void test_object_by_sid_group_ncache(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
errno_t ret;
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
/* Setup user. */
ret = sss_ncache_set_sid(test_ctx->ncache, false, test_ctx->tctx->dom, groups[0].sid);
assert_int_equal(ret, EOK);
@@ -3359,10 +3351,8 @@ void test_object_by_sid_group_ncache(void **state)
void test_object_by_sid_group_missing_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3380,10 +3370,8 @@ void test_object_by_sid_group_missing_found(void **state)
void test_object_by_sid_group_missing_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3397,17 +3385,13 @@ void test_object_by_sid_group_missing_notfound(void **state)
void test_object_by_sid_group_multiple_domains_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- struct sss_domain_info *domain = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
- /* Setup user. */
- domain = find_domain_by_name(test_ctx->tctx->dom,
- "responder_cache_req_test_d", true);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
assert_non_null(domain);
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
+ /* Setup user. */
prepare_group(domain, &groups[0], 1000, time(NULL));
/* Mock values. */
@@ -3423,10 +3407,8 @@ void test_object_by_sid_group_multiple_domains_found(void **state)
void test_object_by_sid_group_multiple_domains_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3605,10 +3587,8 @@ void test_object_by_id_user_multiple_domains_notfound(void **state)
void test_object_by_id_group_cache_valid(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
@@ -3620,10 +3600,8 @@ void test_object_by_id_group_cache_valid(void **state)
void test_object_by_id_group_cache_expired(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
@@ -3641,10 +3619,8 @@ void test_object_by_id_group_cache_expired(void **state)
void test_object_by_id_group_cache_midpoint(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
@@ -3661,12 +3637,10 @@ void test_object_by_id_group_cache_midpoint(void **state)
void test_object_by_id_group_ncache(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
errno_t ret;
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
/* Setup group. We explicitly add the UID into BOTH UID and GID
* namespaces, because otherwise the cache_req plugin would
* search the Data Provider anyway, because it can't be sure
@@ -3693,10 +3667,8 @@ void test_object_by_id_group_ncache(void **state)
void test_object_by_id_group_missing_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3713,10 +3685,8 @@ void test_object_by_id_group_missing_found(void **state)
void test_object_by_id_group_missing_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3729,17 +3699,13 @@ void test_object_by_id_group_missing_notfound(void **state)
void test_object_by_id_group_multiple_domains_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- struct sss_domain_info *domain = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
- /* Setup user. */
- domain = find_domain_by_name(test_ctx->tctx->dom,
- "responder_cache_req_test_d", true);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
assert_non_null(domain);
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
+ /* Setup user. */
prepare_group(domain, &groups[0], 1000, time(NULL));
/* Mock values. */
@@ -3755,10 +3721,8 @@ void test_object_by_id_group_multiple_domains_found(void **state)
void test_object_by_id_group_multiple_domains_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
index 24b26d950..f349b7061 100644
--- a/src/tests/cmocka/test_sysdb_ts_cache.c
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
@@ -694,7 +694,7 @@ static void test_sysdb_getgr_merges(void **state)
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
struct sysdb_attrs *group_attrs = NULL;
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
char *filter = NULL;
struct ldb_result *res = NULL;
size_t msgs_count;
@@ -783,7 +783,7 @@ static void test_merge_ldb_results(void **state)
int ret;
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
char *filter;
struct ldb_result *res;
struct ldb_result *res1;
@@ -856,7 +856,7 @@ static void test_group_bysid(void **state)
int ret;
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
struct sysdb_attrs *group_attrs = NULL;
struct ldb_result *res;
struct ldb_message *msg = NULL;
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index cfd8f17fa..a20859c4d 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -1218,7 +1218,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
size_t count;
size_t i;
errno_t ret;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *fqname;
char *name;
--
2.47.0

208
SOURCES/0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
View File

@ -1,208 +0,0 @@
From 09b23e78806d8930c3f1b9e411dc8cf464c18998 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 16 Jul 2024 13:08:02 +0200
Subject: [PATCH 4/5] TS_CACHE: never try to upgrade timestamps cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It's easier and more consistent to recreate it instead.
This is a natural extension of 3b67fc6488ac10ca13561d9032f59951f82203e6
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit fc2a26c306e51b66680aef85aa0d2c41d8049a7f)
---
src/db/sysdb_init.c | 103 +----------------------------------------
src/db/sysdb_upgrade.c | 45 ------------------
2 files changed, 1 insertion(+), 147 deletions(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index 38a9cd64a..a1d02d49c 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -376,57 +376,6 @@ static errno_t sysdb_cache_create_empty(struct ldb_context *ldb,
return EOK;
}
-static errno_t sysdb_ts_cache_upgrade(TALLOC_CTX *mem_ctx,
- struct sysdb_ctx *sysdb,
- struct ldb_context *ldb,
- struct sss_domain_info *domain,
- const char *cur_version,
- const char **_new_version)
-{
- errno_t ret;
- TALLOC_CTX *tmp_ctx;
- const char *version;
- struct ldb_context *save_ldb;
-
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- return ENOMEM;
- }
-
- /* The upgrade process depends on having ldb around, yet the upgrade
- * function shouldn't set the ldb pointer, only the connect function
- * should after it's successful. To avoid hard refactoring, save the
- * ldb pointer here and restore in the 'done' handler
- */
- save_ldb = sysdb->ldb;
- sysdb->ldb = ldb;
-
- version = talloc_strdup(tmp_ctx, cur_version);
- if (version == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_CONF_SETTINGS,
- "Upgrading timstamp cache of DB [%s] from version: %s\n",
- domain->name, version);
-
- if (strcmp(version, SYSDB_TS_VERSION_0_1) == 0) {
- ret = sysdb_ts_upgrade_01(sysdb, &version);
- if (ret != EOK) {
- goto done;
- }
- }
-
- ret = EOK;
-
-done:
- sysdb->ldb = save_ldb;
- *_new_version = version;
- talloc_free(tmp_ctx);
- return ret;
-}
-
static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sysdb_dom_upgrade_ctx *upgrade_ctx,
@@ -884,56 +833,6 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
}
ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
- switch (ret) {
- case ERR_SYSDB_VERSION_TOO_OLD:
- if (upgrade_ctx == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "DB version too old [%s], expected [%s] for domain %s!\n",
- version, SYSDB_VERSION, domain->name);
- break;
- }
-
- ret = sysdb_ts_cache_upgrade(tmp_ctx, sysdb, ldb, domain, version,
- &version);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not upgrade the timestamp ldb file (%d) (%s)\n",
- ret, sss_strerror(ret));
- break;
- }
-
- /* The version should now match SYSDB_VERSION.
- * If not, it means we didn't match any of the
- * known older versions. The DB might be
- * corrupt or generated by a newer version of
- * SSSD.
- */
- ret = sysdb_version_check(SYSDB_TS_VERSION, version);
- if (ret == EOK) {
- /* The cache has been upgraded.
- * We need to reopen the LDB to ensure that
- * any changes made above take effect.
- */
- ret = sysdb_ldb_reconnect(tmp_ctx,
- sysdb->ldb_ts_file,
- LDB_FLG_NOSYNC,
- &ldb);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not reopen the timestamp ldb file (%d) (%s)\n",
- ret, sss_strerror(ret));
- }
- }
- break;
- case ERR_SYSDB_VERSION_TOO_NEW:
- DEBUG(SSSDBG_MINOR_FAILURE,
- "DB version too new [%s], expected [%s] for domain %s!\n",
- version, SYSDB_TS_VERSION, domain->name);
- break;
- default:
- break;
- }
-
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
"The timestamps cache could not be opened. "
@@ -953,7 +852,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not delete the timestamp ldb file (%d) (%s)\n",
+ "sysdb_ts_cache_connect() failed after cache deletion [%d]: %s\n",
ret, sss_strerror(ret));
}
}
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
index 328bd2962..37c0007cb 100644
--- a/src/db/sysdb_upgrade.c
+++ b/src/db/sysdb_upgrade.c
@@ -2774,51 +2774,6 @@ done:
return ret;
}
-int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
-{
- struct upgrade_ctx *ctx;
- errno_t ret;
- struct ldb_message *msg = NULL;
-
- ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_TS_VERSION_0_2, &ctx);
- if (ret) {
- return ret;
- }
-
- /* Remove @IDXONE from index */
- talloc_free(msg);
- msg = ldb_msg_new(ctx);
- if (msg == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST");
- if (msg->dn == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = ldb_msg_add_empty(msg, "@IDXONE", LDB_FLAG_MOD_DELETE, NULL);
- if (ret != LDB_SUCCESS) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = ldb_modify(sysdb->ldb, msg);
- if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
- goto done;
- }
-
- /* conversion done, update version number */
- ret = update_version(ctx);
-
-done:
- ret = finish_upgrade(ret, &ctx, ver);
- return ret;
-}
-
/*
* Example template for future upgrades.
* Copy and change version numbers as appropriate.
--
2.45.2

147
SOURCES/0005-SYSDB-remove-index-on-dataExpireTimestamp.patch
View File

@ -1,147 +0,0 @@
From 13e3d0390b9aaf72a855b857857c3cdd6eb6252a Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 21 Jun 2024 19:09:29 +0200
Subject: [PATCH 5/5] SYSDB: remove index on `dataExpireTimestamp`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This index was only used in cleanup tasks that don't run often.
On the other hand, this index is huge and degrades performance of libldb
in general.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit f0d45464cee1d2a6a2719dbffe5bbf6189d0554a)
---
src/db/sysdb_init.c | 8 ++++++++
src/db/sysdb_private.h | 9 +++++----
src/db/sysdb_upgrade.c | 27 +++++++++++++++++++++++++++
3 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index a1d02d49c..68b9744dd 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -559,6 +559,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
}
}
+ if (strcmp(version, SYSDB_VERSION_0_24) == 0) {
+ ret = sysdb_upgrade_24(sysdb, &version);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
ret = EOK;
done:
sysdb->ldb = save_ldb;
@@ -765,6 +772,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
ret = sysdb_domain_cache_upgrade(tmp_ctx, sysdb, upgrade_ctx,
ldb, domain, version, &version);
if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_domain_cache_upgrade() failed\n");
goto done;
}
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
index 63f7b5601..b814f97a5 100644
--- a/src/db/sysdb_private.h
+++ b/src/db/sysdb_private.h
@@ -23,6 +23,7 @@
#ifndef __INT_SYS_DB_H__
#define __INT_SYS_DB_H__
+#define SYSDB_VERSION_0_25 "0.25"
#define SYSDB_VERSION_0_24 "0.24"
#define SYSDB_VERSION_0_23 "0.23"
#define SYSDB_VERSION_0_22 "0.22"
@@ -48,7 +49,7 @@
#define SYSDB_VERSION_0_2 "0.2"
#define SYSDB_VERSION_0_1 "0.1"
-#define SYSDB_VERSION SYSDB_VERSION_0_24
+#define SYSDB_VERSION SYSDB_VERSION_0_25
#define SYSDB_BASE_LDIF \
"dn: @ATTRIBUTES\n" \
@@ -72,7 +73,6 @@
"@IDXATTR: uidNumber\n" \
"@IDXATTR: gidNumber\n" \
"@IDXATTR: lastUpdate\n" \
- "@IDXATTR: dataExpireTimestamp\n" \
"@IDXATTR: originalDN\n" \
"@IDXATTR: nameAlias\n" \
"@IDXATTR: servicePort\n" \
@@ -104,10 +104,11 @@
"\n"
/* The timestamp cache has its own versioning */
+#define SYSDB_TS_VERSION_0_3 "0.3"
#define SYSDB_TS_VERSION_0_2 "0.2"
#define SYSDB_TS_VERSION_0_1 "0.1"
-#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_2
+#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_3
#define SYSDB_TS_BASE_LDIF \
"dn: @ATTRIBUTES\n" \
@@ -115,7 +116,6 @@
"\n" \
"dn: @INDEXLIST\n" \
"@IDXATTR: lastUpdate\n" \
- "@IDXATTR: dataExpireTimestamp\n" \
"\n" \
"dn: cn=sysdb\n" \
"cn: sysdb\n" \
@@ -194,6 +194,7 @@ int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver);
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
index 37c0007cb..b010488ca 100644
--- a/src/db/sysdb_upgrade.c
+++ b/src/db/sysdb_upgrade.c
@@ -2774,6 +2774,33 @@ done:
return ret;
}
+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver)
+{
+ struct upgrade_ctx *ctx;
+ errno_t ret;
+
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_25, &ctx);
+ if (ret) {
+ return ret;
+ }
+
+ ret = sysdb_ldb_mod_index(sysdb, SYSDB_IDX_DELETE, sysdb->ldb, "dataExpireTimestamp");
+ if (ret == ENOENT) { /*nothing to delete */
+ ret = EOK;
+ }
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_ldb_mod_index() failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = update_version(ctx);
+
+done:
+ ret = finish_upgrade(ret, &ctx, ver);
+ return ret;
+}
+
/*
* Example template for future upgrades.
* Copy and change version numbers as appropriate.
--
2.45.2

115
SOURCES/0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
View File

@ -1,115 +0,0 @@
From 39cbb8df402f59b4df2442eb291600773e7062cc Mon Sep 17 00:00:00 2001
From: Petr Mikhalicin <pmikhalicin@rutoken.ru>
Date: Fri, 10 Nov 2023 15:24:48 +0600
Subject: [PATCH 6/8] pam_sss: fix passthrow of old authtok from another pam
modules at PAM_PRELIM_CHECK
pam_sss ignored old authtoks passed from another pam modules
Resolves: https://github.com/SSSD/sssd/issues/7007
Resolves: https://github.com/SSSD/sssd/issues/5418
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ae6b9163be0a5a8846e8dbf2e0da2c29221781b9)
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/sss_client/pam_sss.c | 75 ++++++++++++++++++++++++----------------
1 file changed, 45 insertions(+), 30 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 41a528dda..5171e58ec 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2728,42 +2728,57 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
exp_data = NULL;
}
- /* we query for the old password during PAM_PRELIM_CHECK to make
- * pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
- if (flags & PAM_CLI_FLAGS_USE_2FA
- || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
- && pi->otp_challenge != NULL)) {
- if (pi->password_prompting) {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
- _("Second Factor (optional): "));
- } else {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
- _("Second Factor: "));
- }
+ if (getuid() == 0 && !exp_data )
+ return PAM_SUCCESS;
+
+ if (flags & PAM_CLI_FLAGS_USE_2FA
+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+ && pi->otp_challenge != NULL)) {
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ _("Second Factor (optional): "));
} else {
- ret = prompt_password(pamh, pi, _("Current Password: "));
+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ _("Second Factor: "));
}
- if (ret != PAM_SUCCESS) {
- D(("failed to get credentials from user"));
- return ret;
+ } else if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
+ && check_authtok_data(pamh, pi) != 0) {
+ if (pi->pamstack_oldauthtok == NULL) {
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi->pam_authtok = NULL;
+ pi->pam_authtok_size = 0;
+ } else {
+ pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
+ if (pi->pam_authtok == NULL) {
+ D(("strdup failed"));
+ return PAM_BUF_ERR;
+ }
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok_size = strlen(pi->pam_authtok);
}
+ ret = PAM_SUCCESS;
+ } else {
+ ret = prompt_password(pamh, pi, _("Current Password: "));
+ }
+ if (ret != PAM_SUCCESS) {
+ D(("failed to get credentials from user"));
+ return ret;
+ }
- ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok);
- if (ret != PAM_SUCCESS) {
- D(("Failed to set PAM_OLDAUTHTOK [%s], "
- "oldauthtok may not be available",
- pam_strerror(pamh,ret)));
- return ret;
- }
+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to set PAM_OLDAUTHTOK [%s], "
+ "oldauthtok may not be available",
+ pam_strerror(pamh,ret)));
+ return ret;
+ }
- if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) {
- ret = keep_authtok_data(pamh, pi);
- if (ret != 0) {
- D(("Failed to store authtok data to pam handle. Password "
- "change might fail."));
- }
+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) {
+ ret = keep_authtok_data(pamh, pi);
+ if (ret != 0) {
+ D(("Failed to store authtok data to pam handle. Password "
+ "change might fail."));
}
}
--
2.45.2

178
SOURCES/0007-krb5_child-do-not-try-passwords-with-OTP.patch
View File

@ -1,178 +0,0 @@
From ef375cdd67b51d8fb63cae4d3cd40f3a5c2bc173 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 1 Jul 2024 20:40:30 +0200
Subject: [PATCH 7/8] krb5_child: do not try passwords with OTP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During two-factor authentication (OTP) krb5_child should use use the
dedicated OTP auth types SSS_AUTHTOK_TYPE_2FA and
SSS_AUTHTOK_TYPE_2FA_SINGLE exclusively and should not try password or
other types.
The special handling needed of ssh under certain conditions are
documented in the code and the man page.
Resolves: https://github.com/SSSD/sssd/issues/7456
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit af799964e5fa1264467b49988021c054586eff27)
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/man/sssd.conf.5.xml | 11 +++++++++
src/providers/krb5/krb5_child.c | 11 +--------
src/sss_client/pam_sss.c | 44 ++++++++++++++++++++++++---------
3 files changed, 44 insertions(+), 22 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index fb86a4e41..8ac1a4418 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -4559,6 +4559,17 @@ ldap_user_extra_attrs = phone:telephoneNumber
to log in either only with the password or with both factors
two-step prompting has to be used.
</para>
+ <para>
+ Some clients, such as SSH with
+ 'PasswordAuthentication yes', generate their own prompts
+ and do not use prompts provided by SSSD or other PAM
+ modules. Additionally, for SSH with
+ PasswordAuthentication, if two-factor authentication is
+ available, SSSD expects that the
+ credentials entered by the user at the SSH password prompt
+ will always be the two factors in a single string, even if
+ two-factor authentication is optional.
+ </para>
</listitem>
</varlistentry>
</variablelist>
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 494711de9..cb9a9ce73 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -536,15 +536,6 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
size_t fa2_len;
switch (sss_authtok_get_type(auth_tok)) {
- case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_get_password(auth_tok, &pwd, &len);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n");
- return ret;
- }
-
- return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin);
- break;
case SSS_AUTHTOK_TYPE_2FA_SINGLE:
ret = sss_authtok_get_2fa_single(auth_tok, &pwd, &len);
if (ret != EOK) {
@@ -569,7 +560,7 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
"Unsupported authtok type %d\n", sss_authtok_get_type(auth_tok));
}
- return EINVAL;
+ return EAGAIN;
}
static krb5_error_code answer_otp(krb5_context ctx,
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 5171e58ec..d43bd0f55 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1656,6 +1656,7 @@ static int prompt_password(pam_handle_t *pamh, struct pam_items *pi,
}
static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
+ bool second_factor_optional,
const char *prompt_fa1, const char *prompt_fa2)
{
int ret;
@@ -1706,13 +1707,30 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
goto done;
}
- if (resp[1].resp == NULL || *(resp[1].resp) == '\0'
- || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0
- && strcmp(resp[0].resp, resp[1].resp) == 0)) {
+ if (resp[1].resp == NULL || *(resp[1].resp) == '\0') {
/* Missing second factor, assume first factor contains combined 2FA
- * credentials.
- * Special handling for SSH with password authentication. Combined
- * 2FA credentials are used but SSH puts them in both responses. */
+ * credentials if the second factor is not optional. If it is optional
+ * then it is assumed that the first factor contain the password. */
+ pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
+ if (pi->pam_authtok == NULL) {
+ D(("strndup failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+ pi->pam_authtok_size = strlen(pi->pam_authtok) + 1;
+ pi->pam_authtok_type = second_factor_optional
+ ? SSS_AUTHTOK_TYPE_PASSWORD
+ : SSS_AUTHTOK_TYPE_2FA_SINGLE;
+ } else if (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0
+ && strcmp(resp[0].resp, resp[1].resp) == 0) {
+ /* Special handling for SSH with password authentication (ssh's
+ * 'PasswordAuthentication' option. In this mode the ssh client
+ * directly prompts the user for a password and the prompts we are
+ * sending are ignored. Since we send two prompts ssh * will create two
+ * response as well with the same content. We assume that the combined
+ * 2FA credentials are used even if the second factor is optional
+ * because there is no indication about the intention of the user. As a
+ * result we prefer the more secure variant. */
pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
if (pi->pam_authtok == NULL) {
@@ -1721,7 +1739,7 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
goto done;
}
pi->pam_authtok_size = strlen(pi->pam_authtok) + 1;
- pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA_SINGLE;
} else {
ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0,
@@ -2487,7 +2505,7 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi)
ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c]));
break;
case PC_TYPE_2FA:
- ret = prompt_2fa(pamh, pi, pc_get_2fa_1st_prompt(pi->pc[c]),
+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
pc_get_2fa_2nd_prompt(pi->pc[c]));
break;
case PC_TYPE_2FA_SINGLE:
@@ -2564,10 +2582,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
- ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ ret = prompt_2fa(pamh, pi, true, _("First Factor: "),
_("Second Factor (optional): "));
} else {
- ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ ret = prompt_2fa(pamh, pi, false, _("First Factor: "),
_("Second Factor: "));
}
} else if (pi->passkey_prompt_pin) {
@@ -2736,10 +2754,12 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ ret = prompt_2fa(pamh, pi, true,
+ _("First Factor (Current Password): "),
_("Second Factor (optional): "));
} else {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ ret = prompt_2fa(pamh, pi, false,
+ _("First Factor (Current Password): "),
_("Second Factor: "));
}
} else if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
--
2.45.2

45
SOURCES/0008-pam_sss-add-missing-optional-2nd-factor-handling.patch
View File

@ -1,45 +0,0 @@
From 7e76396a891b4c704f1db8c71a217f869bef0ec3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 12 Jul 2024 13:46:00 +0200
Subject: [PATCH 8/8] pam_sss: add missing optional 2nd factor handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a follow up to pull-request #7462 and adds the proper handling of
an optional second factor in case the prompting is configured.
Resolves: https://github.com/SSSD/sssd/issues/7456
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 077d2993a1b306e7cfe61618cbd5d03c602572f8)
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/sss_client/pam_sss.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d43bd0f55..d1101e16c 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2505,8 +2505,13 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi)
ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c]));
break;
case PC_TYPE_2FA:
- ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
- pc_get_2fa_2nd_prompt(pi->pc[c]));
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, true, pc_get_2fa_1st_prompt(pi->pc[c]),
+ pc_get_2fa_2nd_prompt(pi->pc[c]));
+ } else {
+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
+ pc_get_2fa_2nd_prompt(pi->pc[c]));
+ }
break;
case PC_TYPE_2FA_SINGLE:
ret = prompt_2fa_single(pamh, pi,
--
2.45.2

58
SOURCES/0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch
View File

@ -1,58 +0,0 @@
From b4c496856d466ff00d06cd5177cb216110f5e3b3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Sep 2024 15:18:14 +0200
Subject: [PATCH] pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never
to 'false'.
The krb5 backend will only returns that Smartcard authentication is
available if a Smartcard is present. That means if the user
authenticates with a different method and a Smartcard is not present at
this time 'sc_allow' will be 'false' and might overwrite a 'true' value
written during a previous authentication attempt where a Smartcard was
present. To avoid this we only write 'true' values. Since the default if
SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false' local Smartcard
authentication (offline) will still only be enabled if online Smartcard
authentication was detected.
Resolves: https://github.com/SSSD/sssd/issues/7532
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 67ba42c48abb9270982836310488e35d9fc1d451)
---
src/responder/pam/pamsrv_cmd.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1394147a0..941446d94 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -554,9 +554,22 @@ static errno_t set_local_auth_type(struct pam_auth_req *preq,
goto fail;
}
- ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow);
- if (ret != EOK) {
- goto fail;
+ if (sc_allow) {
+ /* Only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to
+ * 'false'. The krb5 backend will only returns that Smartcard
+ * authentication is available if a Smartcard is present. That means
+ * if the user authenticates with a different method and a Smartcard
+ * is not present at this time 'sc_allow' will be 'false' and might
+ * overwrite a 'true' value written during a previous authentication
+ * attempt where a Smartcard was present. To avoid this we only write
+ * 'true' values. Since the default if SYSDB_LOCAL_SMARTCARD_AUTH is
+ * missing is 'false' local Smartcard authentication (offline) will
+ * still only be enabled if online Smartcard authentication was
+ * detected. */
+ ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow);
+ if (ret != EOK) {
+ goto fail;
+ }
}
ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_PASSKEY_AUTH, passkey_allow);
--
2.45.0

307
SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
View File

@ -1,307 +0,0 @@
From 321ca19ae09609ac4195f323b696bdcd7ee573e4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Sep 2024 14:27:19 +0200
Subject: [PATCH 10/11] sdap: allow to provide user_map when looking up group
memberships
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To allow to lookup group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 69f63f1fa64bd9cc7c2ee1f8e8d736727b13b3be)
---
src/providers/ad/ad_gpo.c | 2 +-
src/providers/ldap/ldap_common.h | 2 +
src/providers/ldap/ldap_id.c | 9 ++++
src/providers/ldap/sdap_async.h | 2 +
src/providers/ldap/sdap_async_initgroups.c | 51 ++++++++++++++--------
5 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index ed664ec83..fa68d814f 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2244,7 +2244,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
search_bases,
state->host_fqdn,
BE_FILTER_NAME,
- NULL,
+ NULL, NULL, 0,
true,
true);
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 2c984ef50..61a35553b 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
const char *filter_value,
int filter_type,
const char *extra_value,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
bool noexist_delete,
bool set_non_posix);
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index b3ea2333f..0596ad4cf 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1144,6 +1144,8 @@ struct groups_by_user_state {
const char *filter_value;
int filter_type;
const char *extra_value;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
const char **attrs;
bool non_posix;
@@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
const char *filter_value,
int filter_type,
const char *extra_value,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
bool noexist_delete,
bool set_non_posix)
{
@@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
state->filter_value = filter_value;
state->filter_type = filter_type;
state->extra_value = extra_value;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
state->domain = sdom->dom;
state->sysdb = sdom->dom->sysdb;
state->search_bases = search_bases;
@@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
state->sdom,
sdap_id_op_handle(state->op),
state->ctx,
+ state->user_map,
+ state->user_map_cnt,
state->conn,
state->search_bases,
state->filter_value,
@@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
ar->filter_value,
ar->filter_type,
ar->extra_value,
+ NULL, 0,
noexist_delete, false);
break;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 89245f41f..a45e057d0 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -157,6 +157,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_domain *sdom,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sdap_id_conn_ctx *conn,
struct sdap_search_base **search_bases,
const char *name,
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index fb3d8fe24..8ce1f6cd4 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -785,6 +785,8 @@ struct sdap_initgr_nested_state {
struct tevent_context *ev;
struct sysdb_ctx *sysdb;
struct sdap_options *opts;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
struct sss_domain_info *dom;
struct sdap_handle *sh;
@@ -812,6 +814,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req);
static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
struct sdap_options *opts,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sysdb_ctx *sysdb,
struct sss_domain_info *dom,
struct sdap_handle *sh,
@@ -828,6 +832,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
state->ev = ev;
state->opts = opts;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
state->sysdb = sysdb;
state->dom = dom;
state->sh = sh;
@@ -968,7 +974,7 @@ static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req)
subreq = sdap_deref_search_send(state, state->ev, state->opts,
state->sh, state->orig_dn,
- state->opts->user_map[SDAP_AT_USER_MEMBEROF].name,
+ state->user_map[SDAP_AT_USER_MEMBEROF].name,
sdap_attrs, num_maps, maps, timeout);
if (!subreq) {
ret = EIO;
@@ -2697,6 +2703,8 @@ struct sdap_get_initgr_state {
struct tevent_context *ev;
struct sysdb_ctx *sysdb;
struct sdap_options *opts;
+ struct sdap_attr_map *user_map;
+ size_t user_map_cnt;
struct sss_domain_info *dom;
struct sdap_domain *sdom;
struct sdap_handle *sh;
@@ -2731,6 +2739,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_domain *sdom,
struct sdap_handle *sh,
struct sdap_id_ctx *id_ctx,
+ struct sdap_attr_map *user_map,
+ size_t user_map_cnt,
struct sdap_id_conn_ctx *conn,
struct sdap_search_base **search_bases,
const char *filter_value,
@@ -2754,6 +2764,12 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->ev = ev;
state->opts = id_ctx->opts;
+ state->user_map = user_map;
+ state->user_map_cnt = user_map_cnt;
+ if (state->user_map == NULL) {
+ state->user_map = id_ctx->opts->user_map;
+ state->user_map_cnt = id_ctx->opts->user_map_cnt;
+ }
state->dom = sdom->dom;
state->sysdb = sdom->dom->sysdb;
state->sdom = sdom;
@@ -2785,7 +2801,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
switch (filter_type) {
case BE_FILTER_SECID:
- search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+ search_attr = state->user_map[SDAP_AT_USER_OBJECTSID].name;
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
if (ret != EOK) {
@@ -2794,7 +2810,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
break;
case BE_FILTER_UUID:
- search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name;
+ search_attr = state->user_map[SDAP_AT_USER_UUID].name;
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
if (ret != EOK) {
@@ -2812,23 +2828,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ep_filter = get_enterprise_principal_string_filter(state,
- state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ state->user_map[SDAP_AT_USER_PRINC].name,
clean_name, state->opts->basic);
state->user_base_filter =
talloc_asprintf(state,
"(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
- state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ state->user_map[SDAP_AT_USER_PRINC].name,
clean_name,
- state->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ state->user_map[SDAP_AT_USER_EMAIL].name,
clean_name,
ep_filter == NULL ? "" : ep_filter,
- state->opts->user_map[SDAP_OC_USER].name);
+ state->user_map[SDAP_OC_USER].name);
if (state->user_base_filter == NULL) {
talloc_zfree(req);
return NULL;
}
} else {
- search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
+ search_attr = state->user_map[SDAP_AT_USER_NAME].name;
ret = sss_parse_internal_fqname(state, filter_value,
&state->shortname, NULL);
@@ -2860,7 +2876,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->user_base_filter =
talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
search_attr, clean_name,
- state->opts->user_map[SDAP_OC_USER].name);
+ state->user_map[SDAP_OC_USER].name);
if (!state->user_base_filter) {
talloc_zfree(req);
return NULL;
@@ -2877,14 +2893,14 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
*/
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
"(%s=*))",
- id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ state->user_map[SDAP_AT_USER_OBJECTSID].name);
} else {
/* When not ID-mapping or looking up app users, make sure there
* is a non-NULL UID */
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
"(&(%s=*)(!(%s=0))))",
- id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
- id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ state->user_map[SDAP_AT_USER_UID].name,
+ state->user_map[SDAP_AT_USER_UID].name);
}
if (!state->user_base_filter) {
talloc_zfree(req);
@@ -2892,8 +2908,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ret = build_attrs_from_map(state,
- state->opts->user_map,
- state->opts->user_map_cnt,
+ state->user_map,
+ state->user_map_cnt,
NULL, &state->user_attrs, NULL);
if (ret) {
talloc_zfree(req);
@@ -2990,7 +3006,7 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
state->user_search_bases[state->user_base_iter]->basedn,
state->user_search_bases[state->user_base_iter]->scope,
state->filter, state->user_attrs,
- state->opts->user_map, state->opts->user_map_cnt,
+ state->user_map, state->user_map_cnt,
state->timeout,
false);
if (!subreq) {
@@ -3179,6 +3195,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
case SDAP_SCHEMA_IPA_V1:
subreq = sdap_initgr_nested_send(state, state->ev, state->opts,
+ state->user_map, state->user_map_cnt,
state->sysdb, state->dom, state->sh,
state->orig_user, state->grp_attrs);
if (!subreq) {
@@ -3377,7 +3394,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
*/
ret = sdap_attrs_get_sid_str(
tmp_ctx, opts->idmap_ctx, state->orig_user,
- opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
+ state->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
&sid_str);
if (ret != EOK) goto done;
@@ -3392,7 +3409,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
ret = sysdb_attrs_get_uint32_t(
state->orig_user,
- opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
+ state->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
&primary_gid);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
--
2.45.0

77
SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
View File

@ -1,77 +0,0 @@
From 2c233636c093708d5cdd7ddb69af9b0ecde633bd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Sep 2024 14:37:05 +0200
Subject: [PATCH 11/11] ad: use default user_map when looking of host groups
for GPO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the default AD user attribute map to lookup the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
---
src/providers/ad/ad_access.h | 1 +
src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
index 34d5597da..c54b53eed 100644
--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -49,6 +49,7 @@ struct ad_access_ctx {
} gpo_map_type;
hash_table_t *gpo_map_options_table;
enum gpo_map_type gpo_default_right;
+ struct sdap_attr_map *host_attr_map;
};
struct tevent_req *
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index fa68d814f..6b154f71d 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -45,6 +45,7 @@
#include "providers/ad/ad_common.h"
#include "providers/ad/ad_domain_info.h"
#include "providers/ad/ad_gpo.h"
+#include "providers/ad/ad_opts.h"
#include "providers/ldap/sdap_access.h"
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap.h"
@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
"trying with user search base.");
}
+ if (state->access_ctx->host_attr_map == NULL) {
+ ret = sdap_copy_map(state->access_ctx,
+ ad_2008r2_user_map, SDAP_OPTS_USER,
+ &state->access_ctx->host_attr_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
+ goto done;
+ }
+ }
+
subreq = groups_by_user_send(state, state->ev,
state->access_ctx->ad_id_ctx->sdap_id_ctx,
sdom, state->conn,
search_bases,
state->host_fqdn,
BE_FILTER_NAME,
- NULL, NULL, 0,
+ NULL,
+ state->access_ctx->host_attr_map,
+ SDAP_OPTS_USER,
true,
true);
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
--
2.45.0

230
SOURCES/0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
View File

@ -1,230 +0,0 @@
From acd5da528789734411b12fa8b19007b00eea9f2c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 13 Sep 2024 15:45:59 +0200
Subject: [PATCH 6/9] ldap: add 'exop_force' value for ldap_pwmodify_mode
In case the LDAP server allows to run the extended operation to change a
password even if an authenticated bind fails due to missing grace logins
the new option 'exop_force' can be used to run the extended operation to
change the password anyways.
:config: Added `exop_force` value for configuration option
`ldap_pwmodify_mode`. This can be used to force a password change even
if no grace logins are left. Depending on the configuration of the
LDAP server it might be expected that the password change will fail.
(cherry picked from commit 72a7fd0ded236a16b00bb4e26221f7e23b702a53)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit e3a3f44c4cdcb936b59941636ff576de613366d1)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/man/sssd-ldap.5.xml | 11 +++++++++
src/providers/ipa/ipa_auth.c | 3 ++-
src/providers/ldap/ldap_auth.c | 5 +++-
src/providers/ldap/ldap_options.c | 2 ++
src/providers/ldap/sdap.h | 5 ++--
src/providers/ldap/sdap_async.h | 3 ++-
src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++-----
7 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 0a814ec35..a9994aade 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -234,6 +234,17 @@
userPassword (not recommended).
</para>
</listitem>
+ <listitem>
+ <para>
+ exop_force - Try Password Modify
+ Extended Operation (RFC 3062) even if
+ there are no grace logins left.
+ Depending on the type and configuration
+ of the LDAP server the password change
+ might fail because an authenticated bind
+ is not possible.
+ </para>
+ </listitem>
</itemizedlist>
</para>
<para>
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 1d61a1052..b2e5b6f35 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -381,7 +381,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
SDAP_OPT_TIMEOUT);
subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
- state->pd->authtok, timeout);
+ state->pd->authtok, timeout,
+ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
if (subreq == NULL) {
goto done;
}
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 8ec4d3af5..023ed2277 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -896,7 +896,8 @@ static void auth_do_bind(struct tevent_req *req)
NULL, NULL, state->dn,
state->authtok,
dp_opt_get_int(state->ctx->opts->basic,
- SDAP_OPT_TIMEOUT));
+ SDAP_OPT_TIMEOUT),
+ state->ctx->opts->pwmodify_mode);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return;
@@ -1186,6 +1187,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,
switch (opts->pwmodify_mode) {
case SDAP_PWMODIFY_EXOP:
+ case SDAP_PWMODIFY_EXOP_FORCE:
subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
password, new_password,
timeout);
@@ -1229,6 +1231,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)
switch (state->mode) {
case SDAP_PWMODIFY_EXOP:
+ case SDAP_PWMODIFY_EXOP_FORCE:
ret = sdap_exop_modify_passwd_recv(subreq, state,
&state->user_error_message);
break;
diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
index 277bcb529..72a95300d 100644
--- a/src/providers/ldap/ldap_options.c
+++ b/src/providers/ldap/ldap_options.c
@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
} else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
+ } else if (strcasecmp(pwmodify, "exop_force") == 0) {
+ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
} else {
DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
ret = EINVAL;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 103d50ed4..cc34c8198 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -546,8 +546,9 @@ struct sdap_options {
/* password modify mode */
enum pwmodify_mode {
- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */
+ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
+ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */
+ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
} pwmodify_mode;
/* The search bases for the domain or its subdomain */
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index a45e057d0..80b403bc3 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -146,7 +146,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
const char *sasl_user,
const char *user_dn,
struct sss_auth_token *authtok,
- int simple_bind_timeout);
+ int simple_bind_timeout,
+ enum pwmodify_mode pwmodify_mode);
errno_t sdap_auth_recv(struct tevent_req *req,
TALLOC_CTX *memctx,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index e8638725c..992a5798c 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -643,6 +643,7 @@ struct simple_bind_state {
struct tevent_context *ev;
struct sdap_handle *sh;
const char *user_dn;
+ enum pwmodify_mode pwmodify_mode;
struct sdap_op *op;
@@ -659,7 +660,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
struct sdap_handle *sh,
int timeout,
const char *user_dn,
- struct berval *pw)
+ struct berval *pw,
+ enum pwmodify_mode pwmodify_mode)
{
struct tevent_req *req;
struct simple_bind_state *state;
@@ -682,6 +684,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
state->ev = ev;
state->sh = sh;
state->user_dn = user_dn;
+ state->pwmodify_mode = pwmodify_mode;
ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
0, NULL, 0, &ctrls[0]);
@@ -866,7 +869,12 @@ static void simple_bind_done(struct sdap_op *op,
* Grace Authentications". */
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, grace logins exhausted.\n");
- ret = ERR_AUTH_FAILED;
+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
+ ret = ERR_PASSWORD_EXPIRED;
+ } else {
+ ret = ERR_AUTH_FAILED;
+ }
}
} else if (strcmp(response_controls[c]->ldctl_oid,
LDAP_CONTROL_PWEXPIRED) == 0) {
@@ -879,7 +887,12 @@ static void simple_bind_done(struct sdap_op *op,
if (result == LDAP_INVALID_CREDENTIALS) {
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, grace logins exhausted.\n");
- ret = ERR_AUTH_FAILED;
+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
+ ret = ERR_PASSWORD_EXPIRED;
+ } else {
+ ret = ERR_AUTH_FAILED;
+ }
} else {
DEBUG(SSSDBG_TRACE_LIBS,
"Password expired, user must set a new password.\n");
@@ -1358,7 +1371,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
const char *sasl_user,
const char *user_dn,
struct sss_auth_token *authtok,
- int simple_bind_timeout)
+ int simple_bind_timeout,
+ enum pwmodify_mode pwmodify_mode)
{
struct tevent_req *req, *subreq;
struct sdap_auth_state *state;
@@ -1397,7 +1411,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
pw.bv_len = pwlen;
state->is_sasl = false;
- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw);
+ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, pwmodify_mode);
if (!subreq) {
tevent_req_error(req, ENOMEM);
return tevent_req_post(req, ev);
@@ -1972,7 +1986,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
SDAP_SASL_AUTHID),
user_dn, authtok,
dp_opt_get_int(state->opts->basic,
- SDAP_OPT_TIMEOUT));
+ SDAP_OPT_TIMEOUT),
+ state->opts->pwmodify_mode);
talloc_free(authtok);
if (!subreq) {
tevent_req_error(req, ENOMEM);
--
2.43.5

35
SOURCES/0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
View File

@ -1,35 +0,0 @@
From 5fc4540e97625a23f2573b0804a1509cf46931c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Thu, 14 Nov 2024 17:27:49 +0100
Subject: [PATCH 1/9] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
but the corresponding option is missing in
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200
This error was introduced by
https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 9ee10f98e0070774e0e7f0794bc296ef06a671e4)
---
src/providers/be_dyndns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
index 2c655ef1e..5d0f51119 100644
--- a/src/providers/be_dyndns.c
+++ b/src/providers/be_dyndns.c
@@ -1201,6 +1201,7 @@ static struct dp_option default_dyndns_opts[] = {
{ "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
+ { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
{ "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER },
{ "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
--
2.43.5

55
SOURCES/0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
View File

@ -1,55 +0,0 @@
From 3e7e0cc7038c89132c9f4b8a48b6b1e0c0febff4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 21 Nov 2024 09:16:09 +0100
Subject: [PATCH 8/9] ldap_child: make sure invalid krb5 context is not used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7715
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744)
---
src/util/sss_krb5.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 3f57e5b26..f44df2b5f 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -83,6 +83,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name)
return keytab_name;
}
+ if (ctx == NULL) {
+ return "-unknown-";
+ }
+
if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) {
return "-default keytab-";
}
@@ -1355,8 +1359,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
{
krb5_error_code kerr;
const char *msg;
+ krb5_context ctx;
- kerr = krb5_init_context(context);
+ kerr = krb5_init_context(&ctx);
if (kerr != 0) {
/* It is safe to call (sss_)krb5_get_error_message() with NULL as first
* argument. */
@@ -1365,6 +1370,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
"Failed to init Kerberos context [%s]\n", msg);
sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg);
sss_krb5_free_error_message(NULL, msg);
+ } else {
+ *context = ctx;
}
return kerr;
--
2.43.5

26
SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch
View File

@ -1,26 +0,0 @@
From: Alex Burmashev <alexander.burmashev@oracle.com>
Date: Tue, 04 May 2021 13:31:41 +0100
Subject: [PATCH] restore default debug level for sss_cache
We want only fatal failures to be logged, otherwise in some conditions log is.
flooded with unneeded "errors"
Resolves: https://github.com/SSSD/sssd/issues/5488
Orabug: 32810448
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Patch migrated from ol8 to ol9 without any modification
Signed-off-by: Darren Archibald <darren.archibald@oracle.com>
diff -ruN sssd-2.4.0.orig/src/tools/sss_cache.c sssd-2.4.0/src/tools/sss_cache.c
--- sssd-2.4.0.orig/src/tools/sss_cache.c 2021-06-29 12:48:07.035970021 -0700
+++ sssd-2.4.0/src/tools/sss_cache.c 2021-06-29 13:11:23.126918933 -0700
@@ -709,7 +709,7 @@
struct cache_tool_ctx *ctx = NULL;
int idb = INVALIDATE_NONE;
struct input_values values = { 0 };
- int debug = SSSDBG_TOOLS_DEFAULT;
+ int debug = SSSDBG_FATAL_FAILURE;
errno_t ret = EOK;
poptContext pc = NULL;

46
SPECS/sssd.spec
View File

@ -23,31 +23,21 @@
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.2.0
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
Version: 2.9.5
Release: 4%{?dist}.4
Version: 2.9.6
Release: 4%{?dist}.2
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-spec-change-passkey_child-owner.patch
Patch0002: 0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
Patch0003: 0003-ad-use-right-memory-context-in-GPO-code.patch
Patch0004: 0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
Patch0005: 0005-SYSDB-remove-index-on-dataExpireTimestamp.patch
Patch0006: 0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
Patch0007: 0007-krb5_child-do-not-try-passwords-with-OTP.patch
Patch0008: 0008-pam_sss-add-missing-optional-2nd-factor-handling.patch
Patch0009: 0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch
Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
Patch0012: 0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
Patch0013: 0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
Patch0014: 0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
Patch0001: 0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
Patch0002: 0002-KCM-fix-memory-leak.patch
Patch0003: 0003-KCM-another-memory-leak-fixed.patch
Patch0004: 0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
### Dependencies ###
@ -1097,11 +1087,30 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Mon Dec 23 2024 Kevin Lyons <kevin.x.lyons@oracle.com> - 2.9.5-4.4
* Mon Apr 7 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4.2
- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
* Wed Apr 2 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4.1
- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
* Wed Feb 12 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4
- Resolves: RHEL-78253 - 'sssd_kcm' leaks memory [rhel-9]
* Mon Feb 10 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-3
- Resolves: RHEL-78253 - 'sssd_kcm' leaks memory [rhel-9]
* Tue Jan 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-2
- Resolves: RHEL-73400 - Use the DN from existing entry when updating a cached group [rhel-9]
* Thu Dec 5 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-1
- Resolves: RHEL-70189 - Rebase SSSD for RHEL 9.6
- Resolves: RHEL-67670 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-9]
- Resolves: RHEL-68369 - sssd backend process segfaults when krb5.conf is invalid
- Resolves: RHEL-66266 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-9]
* Mon Oct 21 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-5
- Related: RHEL-59788 - Rebase Samba to the latest 4.21.x release
* Tue Sep 24 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-4.1
- Resolves: RHEL-59876 - EL9/CentOS Stream 9 lost offline smart card authentication
- Resolves: RHEL-50912 - possible regression of rhbz#2196521
@ -1179,6 +1188,7 @@ fi
- Resolves: rhbz#2234829 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working)
- Resolves: rhbz#2236119 - dbus and crond getting terminated with SIGBUS in sss_client code
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
- Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system