import sssd-2.4.0-9.el8_4.1

2021-06-29 09:46:29 -04:00 · 2021-06-29 09:46:29 -04:00 · f6c0b6929b
parent 9e8c2ec9f3
commit f6c0b6929b
8 changed files with 940 additions and 1 deletions
--- a/SOURCES/0052-handle-large-service-tickets.patch
+++ b/SOURCES/0052-handle-large-service-tickets.patch
@ -0,0 +1,233 @@
+From b6efe6b119b0c11314a324e8a2cf96fb74a9c983 Mon Sep 17 00:00:00 2001
+From: Sam Morris <sam@robots.org.uk>
+Date: Tue, 6 Apr 2021 18:42:19 +0100
+Subject: [PATCH 1/6] responder/common/responder_packet: handle large service
+ tickets
+
+Resolves: https://github.com/SSSD/sssd/issues/5568
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/responder/common/responder_packet.c | 11 +++++++++++
+ src/responder/common/responder_packet.h |  1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
+index f56d92276..d091332b0 100644
+--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
+@@ -229,6 +229,17 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
+             if (ret != EOK) {
+                 return ret;
+             }
+	/* Kerberos tickets can get pretty big; since Windows Server 2012, the
+	 * limit is 48 KiB!
+	 */
+	} else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX)
+                && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE
+                && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) {
+            sss_packet_set_len(packet, 0);
+            ret = sss_packet_grow(packet, new_len);
+            if (ret != EOK) {
+                return ret;
+            }
+         } else {
+             return EINVAL;
+         }
+diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
+index 509a22a9a..70bf1e8d3 100644
+--- a/src/responder/common/responder_packet.h
+++ b/src/responder/common/responder_packet.h
+@@ -26,6 +26,7 @@
+ 
+ #define SSS_PACKET_MAX_RECV_SIZE 1024
+ #define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 )
+ 
+ struct sss_packet;
+ 
+-- 
+2.26.3
+
+
+From c6a76283580c25ff78b36b8b23efdabbdb3a2cc1 Mon Sep 17 00:00:00 2001
+From: Sam Morris <sam@robots.org.uk>
+Date: Wed, 7 Apr 2021 14:21:34 +0100
+Subject: [PATCH 2/6] responder/common/responder_packet: reduce duplication of
+ code that handles larger-than-normal packets
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/responder/common/responder_packet.c | 40 +++++++++++++------------
+ 1 file changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
+index d091332b0..523c9ddd4 100644
+--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
+@@ -216,25 +216,27 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
+ 
+     new_len = sss_packet_get_len(packet);
+     if (new_len > packet->memsize) {
+-        /* Allow certificate based requests to use larger buffer but not
+-         * larger than SSS_CERT_PACKET_MAX_RECV_SIZE. Due to the way
+-         * sss_packet_grow() works the packet len must be set to '0' first and
+-         * then grow to the expected size. */
+-        if ((sss_packet_get_cmd(packet) == SSS_NSS_GETNAMEBYCERT
+-                    || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT)
+-                && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE
+-                && new_len < SSS_CERT_PACKET_MAX_RECV_SIZE) {
+-            sss_packet_set_len(packet, 0);
+-            ret = sss_packet_grow(packet, new_len);
+-            if (ret != EOK) {
+-                return ret;
+-            }
+-	/* Kerberos tickets can get pretty big; since Windows Server 2012, the
+-	 * limit is 48 KiB!
+-	 */
+-	} else if ((sss_packet_get_cmd(packet) == SSS_GSSAPI_SEC_CTX)
+-                && packet->memsize < SSS_GSSAPI_PACKET_MAX_RECV_SIZE
+-                && new_len < SSS_GSSAPI_PACKET_MAX_RECV_SIZE) {
+        enum sss_cli_command cmd = sss_packet_get_cmd(packet);
+        size_t max_recv_size;
+
+        /* Allow certain packet types to use a larger buffer. */
+        switch (cmd) {
+        case SSS_NSS_GETNAMEBYCERT:
+        case SSS_NSS_GETLISTBYCERT:
+            max_recv_size = SSS_CERT_PACKET_MAX_RECV_SIZE;
+            break;
+
+        case SSS_GSSAPI_SEC_CTX:
+            max_recv_size = SSS_GSSAPI_PACKET_MAX_RECV_SIZE;
+            break;
+
+        default:
+            max_recv_size = 0;
+        }
+
+        /* Due to the way sss_packet_grow() works, the packet len must be set
+         * to 0 first, and then grown to the expected size. */
+        if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) {
+             sss_packet_set_len(packet, 0);
+             ret = sss_packet_grow(packet, new_len);
+             if (ret != EOK) {
+-- 
+2.26.3
+
+
+From 63f318f73c933dc2cb08cad2f911a52d2281c45b Mon Sep 17 00:00:00 2001
+From: Sam Morris <sam@robots.org.uk>
+Date: Wed, 7 Apr 2021 14:22:25 +0100
+Subject: [PATCH 3/6] responder/common/responder_packet: add debug logging to
+ assist with errors caused by overlarge packets
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/responder/common/responder_packet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
+index 523c9ddd4..01a4e640e 100644
+--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
+@@ -243,6 +243,9 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
+                 return ret;
+             }
+         } else {
+            DEBUG(SSSDBG_OP_FAILURE,
+                "Refusing to read overlarge packet from fd %d (length %zu bytes, cmd %#04x)",
+                    fd, new_len, cmd);
+             return EINVAL;
+         }
+     }
+-- 
+2.26.3
+
+
+From 37d331774385b2b871ba76fcdef6ceafd776efce Mon Sep 17 00:00:00 2001
+From: Sam Morris <sam@robots.org.uk>
+Date: Wed, 7 Apr 2021 14:23:03 +0100
+Subject: [PATCH 4/6] responder/common/responder_packet: further increase
+ packet size for SSS_GSSAPI_SEC_CTX
+
+Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB
+provides extra overhead should that increase in the future.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/responder/common/responder_packet.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
+index 70bf1e8d3..fd991969b 100644
+--- a/src/responder/common/responder_packet.h
+++ b/src/responder/common/responder_packet.h
+@@ -26,7 +26,7 @@
+ 
+ #define SSS_PACKET_MAX_RECV_SIZE 1024
+ #define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
+-#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( SSS_PACKET_MAX_RECV_SIZE + 48 * 1024 )
+#define SSS_GSSAPI_PACKET_MAX_RECV_SIZE ( 128 * 1024 )
+ 
+ struct sss_packet;
+ 
+-- 
+2.26.3
+
+
+From 5c9fa75bd0ffa02e31cbbf19ee68134ed384229a Mon Sep 17 00:00:00 2001
+From: Sam Morris <sam@robots.org.uk>
+Date: Wed, 7 Apr 2021 19:59:45 +0100
+Subject: [PATCH 5/6] responder/common/responder_packet: remove some
+ unnecessary checks before growing packet
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/responder/common/responder_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
+index 01a4e640e..c4b38f71b 100644
+--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
+@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
+ 
+         /* Due to the way sss_packet_grow() works, the packet len must be set
+          * to 0 first, and then grown to the expected size. */
+-        if (max_recv_size && packet->memsize < max_recv_size && new_len < max_recv_size) {
+        if (new_len < max_recv_size) {
+             sss_packet_set_len(packet, 0);
+             ret = sss_packet_grow(packet, new_len);
+             if (ret != EOK) {
+-- 
+2.26.3
+
+
+From b87619f9a917d6ed9ecdb5360c4bf242dce8e372 Mon Sep 17 00:00:00 2001
+From: Sam Morris <sam@robots.org.uk>
+Date: Thu, 8 Apr 2021 19:09:33 +0100
+Subject: [PATCH 6/6] responder/common/responder_packet: allow packets of max
+ size
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/responder/common/responder_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
+index c4b38f71b..f2223c665 100644
+--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
+@@ -236,7 +236,7 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
+ 
+         /* Due to the way sss_packet_grow() works, the packet len must be set
+          * to 0 first, and then grown to the expected size. */
+-        if (new_len < max_recv_size) {
+        if (new_len <= max_recv_size) {
+             sss_packet_set_len(packet, 0);
+             ret = sss_packet_grow(packet, new_len);
+             if (ret != EOK) {
+-- 
+2.26.3
+
--- a/SOURCES/0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch
+++ b/SOURCES/0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch
@ -0,0 +1,46 @@
+From e865b008aa8947efca0116deb95e29cc2309256f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 30 Mar 2021 15:31:17 +0200
+Subject: [PATCH] AD GPO: respect ad_gpo_implicit_deny if no GPO is present
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at
+all for the given client. With this patch this case is handled as
+expected as well.
+
+Resolves: https://github.com/SSSD/sssd/issues/5561
+
+:fixes: `ad_gpo_implicit_deny` is now respected even if there are no
+        applicable GPOs present
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ad/ad_gpo.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index b15e0f345..4ef6a7219 100644
+--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
+@@ -2472,7 +2472,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
+             }
+         }
+ 
+-        ret = EOK;
+        if (state->gpo_implicit_deny == true) {
+            DEBUG(SSSDBG_TRACE_FUNC,
+                  "No applicable GPOs have been found and ad_gpo_implicit_deny"
+                  " is set to 'true'. The user will be denied access.\n");
+            ret = ERR_ACCESS_DENIED;
+        } else {
+            ret = EOK;
+        }
+
+         goto done;
+     }
+ 
+-- 
+2.26.3
+
--- a/SOURCES/0054-sss_domain_info-add-not_found_counter.patch
+++ b/SOURCES/0054-sss_domain_info-add-not_found_counter.patch
@ -0,0 +1,64 @@
+From 5d65411f1aa16af929ae2271ee4d3d9101728a67 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 14 Apr 2021 17:22:06 +0200
+Subject: [PATCH 54/55] sss_domain_info: add not_found_counter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This new counter should be used to track how often a domain could not be
+found while discovering the environment so that it can be deleted after
+a number of failed attempts.
+
+Resolves: https://github.com/SSSD/sssd/issues/5528
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/confdb/confdb.c       | 1 +
+ src/confdb/confdb.h       | 4 ++++
+ src/db/sysdb_subdomains.c | 2 ++
+ 3 files changed, 7 insertions(+)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index cca76159b..c554edda0 100644
+--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
+@@ -1620,6 +1620,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
+     domain->view_name = NULL;
+ 
+     domain->state = DOM_ACTIVE;
+    domain->not_found_counter = 0;
+ 
+     *_domain = domain;
+     ret = EOK;
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index 81b68a0f1..c6c2514f8 100644
+--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
+@@ -441,6 +441,10 @@ struct sss_domain_info {
+     char *gssapi_check_upn; /* true | false | NULL */
+     /* List of indicators associated with the specific PAM service */
+     char **gssapi_indicators_map;
+
+    /* Counts how often the domain was not found during a refresh of the
+     * domain list */
+    size_t not_found_counter;
+ };
+ 
+ /**
+diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
+index e2381c8af..348f242d0 100644
+--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
+@@ -193,6 +193,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
+     dom->gssapi_services = parent->gssapi_services;
+     dom->gssapi_indicators_map = parent->gssapi_indicators_map;
+ 
+    dom->not_found_counter = 0;
+
+     if (parent->sysdb == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
+         goto fail;
+-- 
+2.26.3
+
--- a/SOURCES/0055-AD-read-trusted-domains-from-local-domain-as-well.patch
+++ b/SOURCES/0055-AD-read-trusted-domains-from-local-domain-as-well.patch
@ -0,0 +1,241 @@
+From 95adf488f94f5968f6cfba9e3bef74c07c02ccff Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 16 Feb 2021 14:30:55 +0100
+Subject: [PATCH 55/55] AD: read trusted domains from local domain as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently SSSD only uses information stored in a domain controller of
+the forest root domain to get the names of other trusted domains in the
+forest. Depending on how the forest was created the forest root might
+not have LDAP objects for all domains in the forest. It looks like a
+typical case are child domains of other domains in the forest.
+
+As a start SSSD can now include trusted domains stored in the LDAP tree
+of a local domain controller as well. In a long run it would make sense
+to allow SSSD to explicitly search for domain by looking up DNS entries
+and checking a potential domain controller with a CLDAP ping.
+
+Resolves: https://github.com/SSSD/sssd/issues/5528
+
+:feature: Besides trusted domains known by the forest root, trusted
+          domains known by the local domain are used as well.
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ad/ad_subdomains.c | 105 +++++++++++++++++++++++++------
+ 1 file changed, 86 insertions(+), 19 deletions(-)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index f5b0be6c2..3eb49c93f 100644
+--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
+@@ -45,6 +45,7 @@
+ #define AD_AT_TRUST_TYPE    "trustType"
+ #define AD_AT_TRUST_PARTNER "trustPartner"
+ #define AD_AT_TRUST_ATTRS   "trustAttributes"
+#define AD_AT_DOMAIN_NAME   "cn"
+ 
+ /* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
+  * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
+@@ -56,7 +57,6 @@
+  */
+ #define SLAVE_DOMAIN_FILTER_BASE "(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))"
+ #define SLAVE_DOMAIN_FILTER      "(&"SLAVE_DOMAIN_FILTER_BASE")"
+-#define FOREST_ROOT_FILTER_FMT   "(&"SLAVE_DOMAIN_FILTER_BASE"(cn=%s))"
+ 
+ /* Attributes of schema objects. See e.g.
+  * https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes
+@@ -646,6 +646,10 @@ done:
+     return ret;
+ }
+ 
+/* How many times we keep a domain not found during searches before it will be
+ * removed. */
+#define MAX_NOT_FOUND 6
+
+ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
+                                      struct sdap_idmap_ctx *idmap_ctx,
+                                      struct sdap_options *opts,
+@@ -706,6 +710,25 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
+         }
+ 
+         if (c >= num_subdomains) {
+            DEBUG(SSSDBG_CONF_SETTINGS, "Domain [%s] not in current list.\n",
+                                        dom->name);
+            /* Since the forest root might not have trustedDomain objects for
+             * each domain in the forest, especially e.g. for child-domains of
+             * child-domains, we cannot reliable say if a domain is still
+             * present or not.
+             * Maybe it would work to check the crossRef objects in
+             * CN=Partitions,CN=Configuration as well to understand if a
+             * domain is still known in the forest or not.
+             * For the time being we use a counter, if a domain was not found
+             * after multiple attempts it will be deleted. */
+
+            if (dom->not_found_counter++ < MAX_NOT_FOUND) {
+                DEBUG(SSSDBG_TRACE_ALL,
+                      "Domain [%s] was not found [%zu] times.\n", dom->name,
+                      dom->not_found_counter);
+                continue;
+            }
+
+             /* ok this subdomain does not exist anymore, let's clean up */
+             sss_domain_set_state(dom, DOM_DISABLED);
+ 
+@@ -740,6 +763,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
+             /* terminate all requests for this subdomain so we can free it */
+             dp_terminate_domain_requests(be_ctx->provider, dom->name);
+             talloc_zfree(sdom);
+
+         } else {
+             /* ok let's try to update it */
+             ret = ad_subdom_enumerates(domain, subdomains[c], &enumerate);
+@@ -747,6 +771,7 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
+                 goto done;
+             }
+ 
+            dom->not_found_counter = 0;
+             ret = ad_subdom_store(be_ctx->cdb, idmap_ctx, domain,
+                                   subdomains[c], enumerate);
+             if (ret) {
+@@ -1307,10 +1332,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
+     struct tevent_req *req;
+     struct sdap_options *opts;
+     errno_t ret;
+-    const char *filter;
+     const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
+                             AD_AT_SID, AD_AT_TRUST_TYPE,
+-                            AD_AT_TRUST_ATTRS, NULL };
+                            AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
+ 
+     req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
+     if (req == NULL) {
+@@ -1335,15 +1359,10 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
+     state->domain = domain;
+     state->forest = forest;
+ 
+-    filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
+-    if (filter == NULL) {
+-        ret = ENOMEM;
+-        goto immediately;
+-    }
+-
+     subreq = sdap_search_bases_return_first_send(state, ev, opts, sh,
+                                                  opts->sdom->search_bases,
+-                                                 NULL, false, 0, filter, attrs,
+                                                 NULL, false, 0,
+                                                 SLAVE_DOMAIN_FILTER, attrs,
+                                                  NULL);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+@@ -1365,11 +1384,33 @@ immediately:
+     return req;
+ }
+ 
+static struct sysdb_attrs *find_domain(size_t count, struct sysdb_attrs **reply,
+                                       const char *dom_name)
+{
+    size_t c;
+    const char *name;
+    int ret;
+
+    for (c = 0; c < count; c++) {
+        ret = sysdb_attrs_get_string(reply[c], AD_AT_DOMAIN_NAME, &name);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "Failed to find domain name, skipping");
+            continue;
+        }
+        if (strcasecmp(name, dom_name) == 0) {
+            return reply[c];
+        }
+    }
+
+    return NULL;
+}
+
+ static void ad_get_root_domain_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req;
+     struct ad_get_root_domain_state *state;
+     errno_t ret;
+    bool has_changes = false;
+ 
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+     state = tevent_req_data(req, struct ad_get_root_domain_state);
+@@ -1384,7 +1425,37 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
+         goto done;
+     }
+ 
+-    if (state->reply_count == 0) {
+    find_domain(state->reply_count, state->reply, state->forest);
+
+    if (state->reply_count == 0
+            || find_domain(state->reply_count, state->reply,
+                           state->forest) == NULL) {
+
+        if (state->reply_count > 0) {
+            /* refresh the other domains we have found before checking forest
+             * root */
+            ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx,
+                                        state->opts,
+                                        state->reply, state->reply_count, false,
+                                        &state->sd_ctx->last_refreshed,
+                                        &has_changes);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "ad_subdomains_refresh failed [%d]: %s\n",
+                      ret, sss_strerror(ret));
+                goto done;
+            }
+
+            if (has_changes) {
+                ret = ad_subdom_reinit(state->sd_ctx);
+                if (ret != EOK) {
+                    DEBUG(SSSDBG_OP_FAILURE,
+                          "Could not reinitialize subdomains\n");
+                    goto done;
+                }
+            }
+        }
+
+         DEBUG(SSSDBG_OP_FAILURE,
+               "No information provided for root domain, trying directly.\n");
+         subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
+@@ -1397,11 +1468,6 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
+         }
+         tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
+         return;
+-    } else if (state->reply_count > 1) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
+-              "domain list might be incomplete!\n");
+-        ret = ERR_MALFORMED_ENTRY;
+-        goto done;
+     }
+ 
+     ret = ad_get_root_domain_refresh(state);
+@@ -1519,7 +1585,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+     errno_t ret;
+ 
+     ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
+-                                state->reply, state->reply_count, true,
+                                state->reply, state->reply_count, false,
+                                 &state->sd_ctx->last_refreshed,
+                                 &has_changes);
+     if (ret != EOK) {
+@@ -1536,8 +1602,9 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+         }
+     }
+ 
+-    state->root_domain_attrs = state->reply[0];
+-    root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
+    state->root_domain_attrs = find_domain(state->reply_count, state->reply,
+                                           state->forest);
+    root_domain = ads_get_root_domain(state->be_ctx, state->root_domain_attrs);
+     if (root_domain == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
+         ret = EFAULT;
+-- 
+2.26.3
+
--- a/SOURCES/0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch
+++ b/SOURCES/0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch
@ -0,0 +1,109 @@
+From 231d1118727b989a4af9911a45a465912fe659d6 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 12 Mar 2021 14:38:54 +0100
+Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When checking if a group returned by an initgroups request is filtered
+in the negative cache the domain of the user was used. This does not
+work reliable if the user can be a member of groups from multiple
+domains.
+
+With this patch th domain the group belongs to is determined and used
+while checking the negative cache.
+
+Resolves: https://github.com/SSSD/sssd/issues/5534
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/db/sysdb.c                         | 22 ++++++++++++++++++++++
+ src/db/sysdb.h                         |  7 +++++++
+ src/responder/nss/nss_protocol_grent.c |  8 +++++---
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/src/db/sysdb.c b/src/db/sysdb.c
+index 693f687be..6001c49cb 100644
+--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
+@@ -2139,3 +2139,25 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
+                       fmt, ap);
+     }
+ }
+
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
+                                           struct ldb_message *msg)
+{
+    const char *name;
+    struct sss_domain_info *obj_dom = NULL;
+
+    name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+    if (name == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Object does not have a name attribute.\n");
+        return dom;
+    }
+
+    obj_dom = find_domain_by_object_name(get_domains_head(dom), name);
+    if (obj_dom == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name);
+        return dom;
+    }
+
+    return obj_dom;
+}
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index a00efa55f..37a2c4124 100644
+--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
+@@ -1532,4 +1532,11 @@ errno_t sysdb_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx,
+ void ldb_debug_messages(void *context, enum ldb_debug_level level,
+                         const char *fmt, va_list ap);
+ 
+/* Try to detect the object domain from the object's SYSDB_NAME attribute and
+ * return the matching sss_domain_info. This should work reliable with user
+ * and group objects since fully-qualified names are used here. If the proper
+ * domain cannot be detected the given domain is returned. */
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
+                                           struct ldb_message *msg);
+
+ #endif /* __SYS_DB_H__ */
+diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
+index 135b392f7..f6e00eb10 100644
+--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
+@@ -361,6 +361,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
+                          struct cache_req_result *result)
+ {
+     struct sss_domain_info *domain;
+    struct sss_domain_info *grp_dom;
+     struct ldb_message *user;
+     struct ldb_message *msg;
+     struct ldb_message *primary_group_msg;
+@@ -418,10 +419,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
+     num_results = 0;
+     for (i = 1; i < result->count; i++) {
+         msg = result->msgs[i];
+-        gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
+        grp_dom = find_domain_by_msg(domain, msg);
+        gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM,
+                                                    0);
+         posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
+-        grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
+        grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME,
+                                                         NULL);
+ 
+         if (gid == 0) {
+@@ -435,7 +437,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
+             }
+         }
+ 
+-        if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
+        if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) {
+             continue;
+         }
+ 
+-- 
+2.26.3
+
--- a/SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch
+++ b/SOURCES/0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch
@ -0,0 +1,198 @@
+From 0cddb67128edc86be4163489e29eaa3c4e123b7b Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 12 Mar 2021 19:27:12 +0100
+Subject: [PATCH] DEBUG: introduce SSSDBG_TOOLS_DEFAULT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves: https://github.com/SSSD/sssd/issues/5488
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/sss_client/ssh/sss_ssh_authorizedkeys.c  | 2 +-
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +-
+ src/tools/common/sss_tools.c                 | 2 +-
+ src/tools/sss_cache.c                        | 2 +-
+ src/tools/sss_groupadd.c                     | 2 +-
+ src/tools/sss_groupdel.c                     | 2 +-
+ src/tools/sss_groupmod.c                     | 2 +-
+ src/tools/sss_groupshow.c                    | 2 +-
+ src/tools/sss_seed.c                         | 2 +-
+ src/tools/sss_useradd.c                      | 2 +-
+ src/tools/sss_userdel.c                      | 2 +-
+ src/tools/sss_usermod.c                      | 2 +-
+ src/util/debug.h                             | 1 +
+ 13 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
+index e356f28c3..324e5e3a3 100644
+--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
+@@ -32,7 +32,7 @@
+ int main(int argc, const char **argv)
+ {
+     TALLOC_CTX *mem_ctx = NULL;
+-    int pc_debug = SSSDBG_FATAL_FAILURE;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     const char *pc_domain = NULL;
+     const char *pc_user = NULL;
+     struct poptOption long_options[] = {
+diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+index 3cd12b480..170ba30a3 100644
+--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+@@ -174,7 +174,7 @@ connect_proxy_command(char **args)
+ int main(int argc, const char **argv)
+ {
+     TALLOC_CTX *mem_ctx = NULL;
+-    int pc_debug = SSSDBG_FATAL_FAILURE;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     int pc_port = 22;
+     const char *pc_domain = NULL;
+     const char *pc_host = NULL;
+diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
+index 368d09ae2..637e251f6 100644
+--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
+@@ -56,7 +56,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
+                                  int *argc, const char **argv)
+ {
+     poptContext pc;
+-    int debug = SSSDBG_DEFAULT;
+    int debug = SSSDBG_TOOLS_DEFAULT;
+     int orig_argc = *argc;
+     int help = 0;
+ 
+diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c
+index cea900bf1..b5391b16d 100644
+--- a/src/tools/sss_cache.c
+++ b/src/tools/sss_cache.c
+@@ -709,7 +709,7 @@ static errno_t init_context(int argc, const char *argv[],
+     struct cache_tool_ctx *ctx = NULL;
+     int idb = INVALIDATE_NONE;
+     struct input_values values = { 0 };
+-    int debug = SSSDBG_DEFAULT;
+    int debug = SSSDBG_TOOLS_DEFAULT;
+     errno_t ret = EOK;
+ 
+     poptContext pc = NULL;
+diff --git a/src/tools/sss_groupadd.c b/src/tools/sss_groupadd.c
+index f71d6dde7..91559116d 100644
+--- a/src/tools/sss_groupadd.c
+++ b/src/tools/sss_groupadd.c
+@@ -34,7 +34,7 @@
+ int main(int argc, const char **argv)
+ {
+     gid_t pc_gid = 0;
+-    int pc_debug = SSSDBG_DEFAULT;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     struct poptOption long_options[] = {
+         POPT_AUTOHELP
+         { "debug",'\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
+diff --git a/src/tools/sss_groupdel.c b/src/tools/sss_groupdel.c
+index 5dcc2056d..e64441758 100644
+--- a/src/tools/sss_groupdel.c
+++ b/src/tools/sss_groupdel.c
+@@ -33,7 +33,7 @@
+ int main(int argc, const char **argv)
+ {
+     int ret = EXIT_SUCCESS;
+-    int pc_debug = SSSDBG_DEFAULT;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     const char *pc_groupname = NULL;
+     struct tools_ctx *tctx = NULL;
+ 
+diff --git a/src/tools/sss_groupmod.c b/src/tools/sss_groupmod.c
+index eddc7034a..8770b6684 100644
+--- a/src/tools/sss_groupmod.c
+++ b/src/tools/sss_groupmod.c
+@@ -35,7 +35,7 @@
+ int main(int argc, const char **argv)
+ {
+     gid_t pc_gid = 0;
+-    int pc_debug = SSSDBG_DEFAULT;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     struct poptOption long_options[] = {
+         POPT_AUTOHELP
+         { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
+diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
+index 7b0fbe117..aa618eecb 100644
+--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
+@@ -654,7 +654,7 @@ static void print_recursive(struct group_info **group_members, unsigned level)
+ int main(int argc, const char **argv)
+ {
+     int ret = EXIT_SUCCESS;
+-    int pc_debug = SSSDBG_DEFAULT;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     bool pc_recursive = false;
+     const char *pc_groupname = NULL;
+     struct tools_ctx *tctx = NULL;
+diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
+index 1189604a3..17ba81956 100644
+--- a/src/tools/sss_seed.c
+++ b/src/tools/sss_seed.c
+@@ -460,7 +460,7 @@ static int seed_init(TALLOC_CTX *mem_ctx,
+                      struct seed_ctx **_sctx)
+ {
+     TALLOC_CTX *tmp_ctx = NULL;
+-    int pc_debug = SSSDBG_DEFAULT;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     const char *pc_domain = NULL;
+     const char *pc_name = NULL;
+     uid_t pc_uid = 0;
+diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c
+index ca2cbd6c1..fa1091ec8 100644
+--- a/src/tools/sss_useradd.c
+++ b/src/tools/sss_useradd.c
+@@ -38,7 +38,7 @@ int main(int argc, const char **argv)
+     const char *pc_gecos = NULL;
+     const char *pc_home = NULL;
+     char *pc_shell = NULL;
+-    int pc_debug = SSSDBG_DEFAULT;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     int pc_create_home = 0;
+     const char *pc_username = NULL;
+     const char *pc_skeldir = NULL;
+diff --git a/src/tools/sss_userdel.c b/src/tools/sss_userdel.c
+index bd703fd2e..60bb0f835 100644
+--- a/src/tools/sss_userdel.c
+++ b/src/tools/sss_userdel.c
+@@ -125,7 +125,7 @@ int main(int argc, const char **argv)
+     struct tools_ctx *tctx = NULL;
+     const char *pc_username = NULL;
+ 
+-    int pc_debug = SSSDBG_DEFAULT;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     int pc_remove = 0;
+     int pc_force = 0;
+     int pc_kick = 0;
+diff --git a/src/tools/sss_usermod.c b/src/tools/sss_usermod.c
+index 6a818f13a..0f3230d27 100644
+--- a/src/tools/sss_usermod.c
+++ b/src/tools/sss_usermod.c
+@@ -40,7 +40,7 @@ int main(int argc, const char **argv)
+     char *pc_gecos = NULL;
+     char *pc_home = NULL;
+     char *pc_shell = NULL;
+-    int pc_debug = SSSDBG_DEFAULT;
+    int pc_debug = SSSDBG_TOOLS_DEFAULT;
+     const char *pc_selinux_user = NULL;
+     struct poptOption long_options[] = {
+         POPT_AUTOHELP
+diff --git a/src/util/debug.h b/src/util/debug.h
+index a3adfe576..54a7e3934 100644
+--- a/src/util/debug.h
+++ b/src/util/debug.h
+@@ -108,6 +108,7 @@ int rotate_debug_files(void);
+ #define SSSDBG_INVALID        -1
+ #define SSSDBG_UNRESOLVED      0
+ #define SSSDBG_DEFAULT   (SSSDBG_FATAL_FAILURE|SSSDBG_CRIT_FAILURE|SSSDBG_OP_FAILURE)
+#define SSSDBG_TOOLS_DEFAULT (SSSDBG_FATAL_FAILURE)
+ 
+ 
+ /** \def DEBUG(level, format, ...)
+-- 
+2.26.3
+
--- a/SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch
+++ b/SOURCES/0058-TOOLS-removed-unneeded-debug-message.patch
@ -0,0 +1,34 @@
+From fbf33babe3fb52323f098aa300b51bf8fc5ee363 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 19 May 2021 17:20:52 +0200
+Subject: [PATCH] TOOLS: removed unneeded debug message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This message was logged before `sss_tool_init()` that sets debug level,
+thus ignoring configured debug level.
+
+Since the same message is printed via `ERROR` on a next line, this log
+message doesn't add any information and can be simply removed.
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/tools/common/sss_tools.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
+index 637e251f6..806667f46 100644
+--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
+@@ -512,7 +512,6 @@ int sss_tool_main(int argc, const char **argv,
+ 
+     uid = getuid();
+     if (uid != 0) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
+         ERROR("%1$s must be run as root\n", argv[0]);
+         return EXIT_FAILURE;
+     }
+-- 
+2.26.3
+
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@ -26,7 +26,7 @@

 Name: sssd
 Version: 2.4.0
-Release: 9%{?dist}
+Release: 9%{?dist}.1
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -85,6 +85,13 @@ Patch0048: 0048-pot-update-pot-files.patch
 Patch0049: 0049-Update-the-translations-for-the-2.4.1-release.patch
 Patch0050: 0050-pot-update-pot-files.patch
 Patch0051: 0051-po-update-translations.patch
+Patch0052: 0052-handle-large-service-tickets.patch
+Patch0053: 0053-AD-GPO-respect-ad_gpo_implicit_deny-if-no-GPO-is-pre.patch
+Patch0054: 0054-sss_domain_info-add-not_found_counter.patch
+Patch0055: 0055-AD-read-trusted-domains-from-local-domain-as-well.patch
+Patch0056: 0056-negcache-use-right-domain-in-nss_protocol_fill_initg.patch
+Patch0057: 0057-DEBUG-introduce-SSSDBG_TOOLS_DEFAULT.patch
+Patch0058: 0058-TOOLS-removed-unneeded-debug-message.patch

 ### Downstream Patches ###

@ -1266,6 +1273,13 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Mon May 24 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-9.1
+- Resolves: rhbz#1949170 - pam_sss_gss.so doesn't work with large kerberos tickets [rhel-8.4.0.z]
+- Resolves: rhbz#1945656 - No gpo found and ad_gpo_implicit_deny set to True still permits user login [rhel-8.4.0.z]
+- Resolves: rhbz#1945655 - SSSD not detecting subdomain from AD forest (RHEL 8.3) [rhel-8.4.0.z]
+- Resolves: rhbz#1945654 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-8.4.0.z]
+- Resolves: rhbz#1942438 - Wrong default debug level of sssd tools [rhel-8.4.0.z]
+
 * Fri Mar 19 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-9
 - Resolves: rhbz#1899712 - [sssd] RHEL 8.4 Tier 0 Localization