import sssd-2.6.2-3.el8

2022-03-29 14:36:28 -04:00 · 2022-03-29 14:36:28 -04:00 · f4724209ba
commit f4724209ba
parent ad123f85d7
9 changed files with 1541 additions and 11167 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/sssd-2.5.2.tar.gz
+SOURCES/sssd-2.6.2.tar.gz
--- a/.sssd.metadata
+++ b/.sssd.metadata
@ -1 +1 @@
-680a282289fdfc6e27562e0ac82933ccd1f9574e SOURCES/sssd-2.5.2.tar.gz
+c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
--- a/SOURCES/0001-TOOLS-replace-system-with-execvp.patch
+++ b/SOURCES/0001-TOOLS-replace-system-with-execvp.patch
@ -1,277 +0,0 @@
 From 3861960837b996d959af504a937a03963dc21d62 Mon Sep 17 00:00:00 2001
 From: Alexey Tikhonov <atikhono@redhat.com>
 Date: Fri, 18 Jun 2021 13:17:19 +0200
 Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
 user supplied command
 A flaw was found in SSSD, where the sssctl command was vulnerable
 to shell command injection via the logs-fetch and cache-expire
 subcommands. This flaw allows an attacker to trick the root user
 into running a specially crafted sssctl command, such as via sudo,
 to gain root access. The highest threat from this vulnerability is
 to confidentiality, integrity, as well as system availability.
 :fixes: CVE-2021-3621
 ---
 src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
 src/tools/sssctl/sssctl.h      |  2 +-
 src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
 src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
 4 files changed, 73 insertions(+), 57 deletions(-)
 diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
 index 2997dbf96..8adaf3091 100644
 --- a/src/tools/sssctl/sssctl.c
 +++ b/src/tools/sssctl/sssctl.c
@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
     return SSSCTL_PROMPT_ERROR;
 }
 -errno_t sssctl_run_command(const char *command)
 +errno_t sssctl_run_command(const char *const argv[])
 {
     int ret;
 +    int wstatus;
 -    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
 +    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
 -    ret = system(command);
 +    ret = fork();
     if (ret == -1) {
 -        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
         ERROR("Error while executing external command\n");
         return EFAULT;
 -    } else if (WEXITSTATUS(ret) != 0) {
 -        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
 -              command, WEXITSTATUS(ret));
 +    }
 +
 +    if (ret == 0) {
 +        /* cast is safe - see
 +        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
 +        "The statement about argv[] and envp[] being constants ... "
 +        */
 +        execvp(argv[0], discard_const_p(char * const, argv));
         ERROR("Error while executing external command\n");
 -        return EIO;
 +        _exit(1);
 +    } else {
 +        if (waitpid(ret, &wstatus, 0) == -1) {
 +            ERROR("Error while executing external command '%s'\n", argv[0]);
 +            return EFAULT;
 +        } else if (WEXITSTATUS(wstatus) != 0) {
 +            ERROR("Command '%s' failed with [%d]\n",
 +                  argv[0], WEXITSTATUS(wstatus));
 +            return EIO;
 +        }
     }
     return EOK;
@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
 #elif defined(HAVE_SERVICE)
     switch (action) {
     case SSSCTL_SVC_START:
 -        return sssctl_run_command(SERVICE_PATH" sssd start");
 +        return sssctl_run_command(
 +                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
     case SSSCTL_SVC_STOP:
 -        return sssctl_run_command(SERVICE_PATH" sssd stop");
 +        return sssctl_run_command(
 +                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
     case SSSCTL_SVC_RESTART:
 -        return sssctl_run_command(SERVICE_PATH" sssd restart");
 +        return sssctl_run_command(
 +                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
     }
 #endif
 diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
 index 0115b2457..599ef6519 100644
 --- a/src/tools/sssctl/sssctl.h
 +++ b/src/tools/sssctl/sssctl.h
@@ -47,7 +47,7 @@ enum sssctl_prompt_result
 sssctl_prompt(const char *message,
               enum sssctl_prompt_result defval);
 -errno_t sssctl_run_command(const char *command);
 +errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
 bool sssctl_start_sssd(bool force);
 bool sssctl_stop_sssd(bool force);
 bool sssctl_restart_sssd(bool force);
 diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
 index 8d79b977f..bf2291341 100644
 --- a/src/tools/sssctl/sssctl_data.c
 +++ b/src/tools/sssctl/sssctl_data.c
@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
         }
     }
 -    ret = sssctl_run_command("sss_override user-export "
 -                             SSS_BACKUP_USER_OVERRIDES);
 +    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
 +                                              SSS_BACKUP_USER_OVERRIDES, NULL});
     if (ret != EOK) {
         ERROR("Unable to export user overrides\n");
         return ret;
     }
 -    ret = sssctl_run_command("sss_override group-export "
 -                             SSS_BACKUP_GROUP_OVERRIDES);
 +    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
 +                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
     if (ret != EOK) {
         ERROR("Unable to export group overrides\n");
         return ret;
@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
     }
     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
 -        ret = sssctl_run_command("sss_override user-import "
 -                                 SSS_BACKUP_USER_OVERRIDES);
 +        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
 +                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
         if (ret != EOK) {
             ERROR("Unable to import user overrides\n");
             return ret;
@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
     }
     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
 -        ret = sssctl_run_command("sss_override group-import "
 -                                 SSS_BACKUP_GROUP_OVERRIDES);
 +        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
 +                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
         if (ret != EOK) {
             ERROR("Unable to import group overrides\n");
             return ret;
@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
                             void *pvt)
 {
     errno_t ret;
 -    char *cmd_args = NULL;
 -    const char *cachecmd = SSS_CACHE;
 -    char *cmd = NULL;
 -    int i;
 -
 -    if (cmdline->argc == 0) {
 -        ret = sssctl_run_command(cachecmd);
 -        goto done;
 -    }
 -    cmd_args = talloc_strdup(tool_ctx, "");
 -    if (cmd_args == NULL) {
 -        ret = ENOMEM;
 -        goto done;
 +    const char **args = talloc_array_size(tool_ctx,
 +                                          sizeof(char *),
 +                                          cmdline->argc + 2);
 +    if (!args) {
 +        return ENOMEM;
     }
 +    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
 +    args[0] = SSS_CACHE;
 +    args[cmdline->argc + 1] = NULL;
 -    for (i = 0; i < cmdline->argc; i++) {
 -        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
 -        if (i != cmdline->argc - 1) {
 -            cmd_args = talloc_strdup_append(cmd_args, " ");
 -        }
 -    }
 -
 -    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
 -    if (cmd == NULL) {
 -        ret = ENOMEM;
 -        goto done;
 -    }
 -
 -    ret = sssctl_run_command(cmd);
 -
 -done:
 -    talloc_free(cmd_args);
 -    talloc_free(cmd);
 +    ret = sssctl_run_command(args);
 +    talloc_free(args);
     return ret;
 }
 diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
 index 9ff2be05b..ebb2c4571 100644
 --- a/src/tools/sssctl/sssctl_logs.c
 +++ b/src/tools/sssctl/sssctl_logs.c
@@ -31,6 +31,7 @@
 #include <ldb.h>
 #include <popt.h>
 #include <stdio.h>
 +#include <glob.h>
 #include "util/util.h"
 #include "tools/common/sss_process.h"
@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
 {
     struct sssctl_logs_opts opts = {0};
     errno_t ret;
 +    glob_t globbuf;
     /* Parse command line. */
     struct poptOption options[] = {
@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
         sss_signal(SIGHUP);
     } else {
 +        globbuf.gl_offs = 4;
 +        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
 +        if (ret != 0) {
 +            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
 +            return ret;
 +        }
 +        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
 +        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
 +        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
 +        globbuf.gl_pathv[3] = discard_const_p(char, "0");
 +
         PRINT("Truncating log files...\n");
 -        ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
 +        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
 +        globfree(&globbuf);
         if (ret != EOK) {
             ERROR("Unable to truncate log files\n");
             return ret;
@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
                           void *pvt)
 {
     const char *file;
 -    const char *cmd;
     errno_t ret;
 +    glob_t globbuf;
     /* Parse command line. */
     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
         return ret;
     }
 -    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
 -    if (cmd == NULL) {
 -        ERROR("Out of memory!");
 +    globbuf.gl_offs = 3;
 +    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
 +    if (ret != 0) {
 +        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
 +        return ret;
     }
 +    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
 +    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
 +    globbuf.gl_pathv[2] = discard_const_p(char, file);
     PRINT("Archiving log files into %s...\n", file);
 -    ret = sssctl_run_command(cmd);
 +    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
 +    globfree(&globbuf);
     if (ret != EOK) {
         ERROR("Unable to archive log files\n");
         return ret;
 -- 
 2.26.3
--- a/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
+++ b/SOURCES/0001-ipa-fix-reply-socket-of-selinux_child.patch
@ -0,0 +1,33 @@
 From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Tue, 4 Jan 2022 10:11:49 +0100
 Subject: [PATCH] ipa: fix reply socket of selinux_child
 Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
 the reply socket of selinux_child from stdout to stderr while switching
 from exec_child to exec_child_ex. This patch returns the original
 behavior.
 Resolves: https://github.com/SSSD/sssd/issues/5939
 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
 ---
 src/providers/ipa/ipa_selinux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
 index 6f885c0fd..2e0593dd7 100644
 --- a/src/providers/ipa/ipa_selinux.c
 +++ b/src/providers/ipa/ipa_selinux.c
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
     if (pid == 0) { /* child */
         exec_child_ex(state, pipefd_to_child, pipefd_from_child,
                       SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
 -                      false, STDIN_FILENO, STDERR_FILENO);
 +                      false, STDIN_FILENO, STDOUT_FILENO);
         DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
               ret, sss_strerror(ret));
         return ret;
 -- 
 2.26.3
--- a/SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch
+++ b/SOURCES/0002-ad-add-required-cn-attribute-to-subdomain-object.patch
@ -0,0 +1,42 @@
 From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Thu, 16 Dec 2021 11:14:18 +0100
 Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If the forest root is not part of the return trusted domain objects
 from the local domain controller we generate an object for further
 processing. During this processing it is expected that the 'cn'
 attribute is set and contains the name of the forest root. So far this
 attribute was missing and it is now added by this patch.
 Resolves: https://github.com/SSSD/sssd/issues/5926
 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
 ---
 src/providers/ad/ad_subdomains.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
 index 0353de76f..0c3f8ac31 100644
 --- a/src/providers/ad/ad_subdomains.c
 +++ b/src/providers/ad/ad_subdomains.c
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
         goto done;
     }
 +    ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
 +                                 state->forest);
 +    if (ret != EOK) {
 +        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
 +        goto done;
 +    }
 +
     err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
                                    &id_val.data, &id_val.length);
     if (err != IDMAP_SUCCESS) {
 -- 
 2.26.3
--- a/SOURCES/0002-po-update-translations.patch
+++ b/SOURCES/0002-po-update-translations.patch
--- a/SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
+++ b/SOURCES/0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
@ -0,0 +1,140 @@
 From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ipedrosa@redhat.com>
 Date: Thu, 13 Jan 2022 11:28:30 +0100
 Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 AD and IPA providers use a common fo_server object for LDAP and
 Kerberos, which is created with the LDAP data. This means that due to
 the changes introduced in
 https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
 the port in use for the Kerberos requests would be the one specified for
 LDAP, usually the default one (389).
 In order to avoid that, AD and IPA providers shouldn't change the
 Kerberos port with the one provided for LDAP.
 :fixes: A critical regression that prevented authentication of users via
 AD and IPA providers was fixed. LDAP port was reused for Kerberos
 communication and this provider would send incomprehensible information
 to this port.
 Resolves: https://github.com/SSSD/sssd/issues/5947
 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
 ---
 src/providers/ad/ad_common.c     |  1 +
 src/providers/ipa/ipa_common.c   |  1 +
 src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
 src/providers/krb5/krb5_common.h |  1 +
 4 files changed, 23 insertions(+), 14 deletions(-)
 diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
 index e263444c5..1ca5f8e3a 100644
 --- a/src/providers/ad/ad_common.c
 +++ b/src/providers/ad/ad_common.c
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
     if (service->krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
                                                  server,
 +                                                 true,
                                                  SSS_KRB5KDC_FO_SRV,
                                                  ad_krb5info_file_filter);
         if (ret != EOK) {
 diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
 index 1509cb1ce..e6c1f9aa4 100644
 --- a/src/providers/ipa/ipa_common.c
 +++ b/src/providers/ipa/ipa_common.c
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
     if (service->krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(service->krb5_service,
                                                  server,
 +                                                 true,
                                                  SSS_KRB5KDC_FO_SRV,
                                                  NULL);
         if (ret != EOK) {
 diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
 index 719ce6a12..5ffa20809 100644
 --- a/src/providers/krb5/krb5_common.c
 +++ b/src/providers/krb5/krb5_common.c
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                                            struct fo_server *server,
 +                                           bool force_default_port,
                                            const char *service,
                                            bool (*filter)(struct fo_server *))
 {
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
     if (filter == NULL || filter(server) == false) {
         address = fo_server_address_or_name(tmp_ctx, server);
         if (address) {
 -            port = fo_get_server_port(server);
 -            if (port != 0) {
 -                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
 -                if (address == NULL) {
 -                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 -                    talloc_free(tmp_ctx);
 -                    return ENOMEM;
 +            if (!force_default_port) {
 +                port = fo_get_server_port(server);
 +                if (port != 0) {
 +                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
 +                    if (address == NULL) {
 +                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 +                        talloc_free(tmp_ctx);
 +                        return ENOMEM;
 +                    }
                 }
             }
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                 continue;
             }
 -            port = fo_get_server_port(item);
 -            if (port != 0) {
 -                address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
 -                if (address == NULL) {
 -                    DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 -                    talloc_free(tmp_ctx);
 -                    return ENOMEM;
 +            if (!force_default_port) {
 +                port = fo_get_server_port(item);
 +                if (port != 0) {
 +                    address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
 +                    if (address == NULL) {
 +                        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 +                        talloc_free(tmp_ctx);
 +                        return ENOMEM;
 +                    }
                 }
             }
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
     if (krb5_service->write_kdcinfo) {
         ret = write_krb5info_file_from_fo_server(krb5_service,
                                                  server,
 +                                                 false,
                                                  krb5_service->name,
                                                  NULL);
         if (ret != EOK) {
 diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
 index 151f446d1..2fd39a751 100644
 --- a/src/providers/krb5/krb5_common.h
 +++ b/src/providers/krb5/krb5_common.h
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
 errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
                                            struct fo_server *server,
 +                                           bool force_default_port,
                                            const char *service,
                                            bool (*filter)(struct fo_server *));
 -- 
 2.26.3
--- a/SOURCES/0004-po-update-translations.patch
+++ b/SOURCES/0004-po-update-translations.patch
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@ -18,8 +18,8 @@
 %global enable_systemtap_opt --enable-systemtap
 Name: sssd
-Version: 2.5.2
+Version: 2.6.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -27,8 +27,10 @@ URL: https://github.com/SSSD/sssd
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
+Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
-Patch0002: 0002-po-update-translations.patch
+Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
 Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
 Patch0004: 0004-po-update-translations.patch
 ### Downstream Patches ###
@ -76,11 +78,12 @@ BuildRequires: openldap-devel
 BuildRequires: pam-devel
 BuildRequires: nss-devel
 BuildRequires: nspr-devel
-BuildRequires: pcre-devel
+BuildRequires: pcre2-devel
 BuildRequires: libxslt
 BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
 BuildRequires: krb5-devel
 BuildRequires: krb5-libs >= 1.18.2-11
 BuildRequires: c-ares-devel
 BuildRequires: python3-devel
 BuildRequires: check-devel
@ -93,7 +96,6 @@ BuildRequires: gettext-devel
 BuildRequires: pkgconfig
 BuildRequires: diffstat
 BuildRequires: findutils
 BuildRequires: glib2-devel
 BuildRequires: selinux-policy-targeted
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: uid_wrapper
@ -115,8 +117,10 @@ BuildRequires: libsmbclient-devel
 BuildRequires: samba-winbind
 BuildRequires: systemtap-sdt-devel
 BuildRequires: libuuid-devel
 BuildRequires: jansson-devel
 BuildRequires: gdm-pam-extensions-devel
 BuildRequires: libunistring-devel
 BuildRequires: shadow-utils-subid-devel
 BuildRequires: po4a
 %description
 Provides a set of daemons to manage access to remote directories and
@ -137,6 +141,7 @@ Conflicts: selinux-policy < 3.10.0-46
 Conflicts: sssd < 1.10.0-8%{?dist}.beta2
 # sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5
 Obsoletes: sssd-libwbclient < 2.5.0
 Obsoletes: sssd-libwbclient-debuginfo < 2.5.0
 # Requires
 # Explicitly require RHEL-8.0 versions of the Samba libraries
 # in order to prevent untested combinations of a new SSSD and
@ -210,13 +215,12 @@ Requires: libsss_simpleifp = %{version}-%{release}
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
 # for logger=journald support with sss_analyze
 Requires: python3-systemd
 Recommends: sssd-dbus
 %description tools
-Provides userspace tools for manipulating users, groups, and nested groups in
+Provides several administrative tools:
 SSSD when using id_provider = local in /etc/sssd/sssd.conf.
 Also provides several other administrative tools:
    * sss_debuglevel to change the debug level on the fly
    * sss_seed which pre-creates a user entry for use in kickstarts
    * sss_obfuscate for generating an obfuscated LDAP password
@ -240,11 +244,8 @@ Requires: sssd-common = %{version}-%{release}
 %{?python_provide:%python_provide python3-sss}
 %description -n python3-sss
-Provides python3 module for manipulating users, groups, and nested groups in
+Provides python3 bindings:
-SSSD when using id_provider = local in /etc/sssd/sssd.conf.
+    * function for retrieving list of groups user belongs to
 Also provides several other useful python3 bindings:
    * function for retrieving list of groups user belongs to.
    * class for obfuscation of passwords
 %package -n python3-sss-murmur
@ -528,6 +529,7 @@ Summary: An implementation of a Kerberos KCM server
 Group:  Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
 Requires: krb5-libs >= 1.18.2-11
 %{?systemd_requires}
 %description kcm
@ -577,6 +579,7 @@ autoreconf -ivf
    --disable-rpath \
    --with-initscript=systemd \
    --with-syslog=journald \
    --with-subid \
    --enable-sss-default-nss-plugin \
    --enable-files-domain \
    --without-python2-bindings \
@ -597,6 +600,7 @@ unset CK_TIMEOUT_MULTIPLIER
 %install
 %py3_shebang_fix src/tools/analyzer/sss_analyze
 sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate
 make install DESTDIR=$RPM_BUILD_ROOT
@ -617,6 +621,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
 # krb5 configuration snippet
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 # Create directory for cifs-idmap alternative
 # Otherwise this directory could not be owned by sssd-client
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
@ -848,6 +856,9 @@ done
 %license COPYING
 %{_libdir}/%{name}/libsss_krb5.so
 %{_mandir}/man5/sssd-krb5.5*
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %{_datadir}/sssd/krb5-snippets
 %{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
 %files common-pac
 %defattr(-,root,root,-)
@ -901,6 +912,7 @@ done
 %defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libnss_sss.so.2
 %{_libdir}/libsubid_sss.so
 %{_libdir}/security/pam_sss.so
 %{_libdir}/security/pam_sss_gss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
@ -935,6 +947,8 @@ done
 %{_sbindir}/sss_debuglevel
 %{_sbindir}/sss_seed
 %{_sbindir}/sssctl
 %{_libexecdir}/%{servicename}/sss_analyze
 %{python3_sitelib}/sssd/
 %{_mandir}/man8/sss_obfuscate.8*
 %{_mandir}/man8/sss_override.8*
 %{_mandir}/man8/sss_debuglevel.8*
@ -1033,7 +1047,6 @@ done
 %{_unitdir}/sssd-kcm.socket
 %{_unitdir}/sssd-kcm.service
 %{_mandir}/man8/sssd-kcm.8*
 %{_libdir}/%{name}/libsss_secrets.so
 %pre ipa
 getent group sssd >/dev/null || groupadd -r sssd
@ -1144,6 +1157,51 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
 * Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
 - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
 - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
 - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
 - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
 - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
 * Tue Jan 04 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
 - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)
 * Mon Dec 27 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
 - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
 - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
 - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
 - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
 - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
 - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
 - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
 - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
 - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
 - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
 - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
 - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
 * Fri Nov 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-2
 - Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
 * Mon Nov 15 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-1
 - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
 - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
 - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator
 - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed
 - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb
 - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces)
 - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
 - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD
 - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline
 - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True'
 - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s
 - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
 - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication.
 - Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA
 - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
 - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing
 * Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
 - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
 - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization
`@ -1 +1 @@`
	`SOURCES/sssd-2.5.2.tar.gz`	`SOURCES/sssd-2.6.2.tar.gz`
`@ -1 +1 @@`
	`680a282289fdfc6e27562e0ac82933ccd1f9574e SOURCES/sssd-2.5.2.tar.gz`	`c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz`