import OL sssd-2.11.1-2.0.1.el10_1.1

eabdullin 2025-12-08 06:57:01 +00:00
parent da3e1c0b8f
commit f8e6024899
9 changed files with 307 additions and 662 deletions

2
.gitignore vendored

@ -1 +1 @@
sssd-2.10.2.tar.gz
sssd-2.11.1.tar.gz


@ -1,113 +0,0 @@
From 50f703f25914254d2a545f52f504dfa5a6f65546 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 4 Feb 2025 18:59:36 +0100
Subject: [PATCH] KCM: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The copy of 'secret' argument - `secret_val.data` - was left hanging
on `sss_sec_ctx`, effectively resulting in a memory leak.
But this copy isn't actually required as this data isn't modified in
below operations.
Skipping alloc+memcpy+erase is also beneficial performance wise.
:fixes:'sssd_kcm' memory leak was fixed.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 7f1b7c9689827df92e8b2166423d4e80688dbacb)
---
src/responder/kcm/secrets/secrets.c | 34 ++++++++++-------------------
1 file changed, 12 insertions(+), 22 deletions(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 625a09f39..fe7410cb3 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -979,7 +979,7 @@ errno_t sss_sec_put(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val = { .data = NULL };
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
bool erase_msg = false;
int ret;
@@ -1029,13 +1029,11 @@ errno_t sss_sec_put(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1069,9 +1067,6 @@ errno_t sss_sec_put(struct sss_sec_req *req,
ret = EOK;
done:
- if (secret_val.data != NULL) {
- sss_erase_mem_securely(secret_val.data, secret_val.length);
- }
if (erase_msg) {
db_result_erase_message_securely(msg, SEC_ATTR_SECRET);
}
@@ -1084,7 +1079,7 @@ errno_t sss_sec_update(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val = { .data = NULL };
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
bool erase_msg = false;
int ret;
@@ -1134,13 +1129,6 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
/* FIXME - should we have a lastUpdate timestamp? */
ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL);
if (ret != LDB_SUCCESS) {
@@ -1150,6 +1138,11 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_MINOR_FAILURE,
@@ -1174,9 +1167,6 @@ errno_t sss_sec_update(struct sss_sec_req *req,
ret = EOK;
done:
- if (secret_val.data != NULL) {
- sss_erase_mem_securely(secret_val.data, secret_val.length);
- }
if (erase_msg) {
db_result_erase_message_securely(msg, SEC_ATTR_SECRET);
}
--
2.47.0


@ -0,0 +1,222 @@
From 98a91d170f7a6074ed1bd3b8ed9161c4a11b4074 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 14 Aug 2025 16:21:00 +0200
Subject: [PATCH] Revert "ipa: improve handling of external group memberships"
This reverts commit 63a6f51069a86765417f044a62705fe20572e0da.
---
src/providers/ipa/ipa_subdomains_ext_groups.c | 152 +++---------------
1 file changed, 22 insertions(+), 130 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index f86130d89..ba3fb3953 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -312,19 +312,11 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
bool *missing_groups)
{
size_t c;
- size_t d = 0;
struct sysdb_attrs *user_attrs;
size_t msgs_count;
struct ldb_message **msgs;
TALLOC_CTX *tmp_ctx;
int ret;
- const struct ldb_val *val;
- char *user_name;
- char **sysdb_ipa_group_memberships;
- char **add_groups;
- char **del_groups;
- errno_t sret;
- bool in_transaction = false;
*missing_groups = false;
@@ -334,96 +326,18 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
return ENOMEM;
}
- val = ldb_dn_get_rdn_val(user_dn);
- if (val == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "user_dn has no RDN.\n");
- ret = EINVAL;
- goto done;
- }
- user_name = talloc_strndup(tmp_ctx, (char *) val->data, val->length);
- if (user_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user name.\n");
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_transaction_start(user_dom->sysdb);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to start update transaction\n");
- goto done;
- }
-
- in_transaction = true;
-
- ret = sysdb_get_direct_parents_ex(tmp_ctx, user_dom, group_dom,
- SYSDB_MEMBER_USER, user_name,
- SYSDB_ORIG_DN,
- &sysdb_ipa_group_memberships);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to get current IPA group memberships "
- "of user [%s].\n", user_name);
- goto done;
- }
-
- ret = diff_string_lists(tmp_ctx, groups, sysdb_ipa_group_memberships,
- &add_groups, &del_groups, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to get difference in group lists.\n");
- goto done;
- }
-
- user_attrs = sysdb_new_attrs(tmp_ctx);
- if (user_attrs == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
- ret = ENOMEM;
- goto done;
- }
-
- /* Add all new IPA groups to SYSDB_ORIG_MEMBEROF because they are most
- * probably removed by the previous user update and mark all new groups as
- * processed. */
for (c = 0; groups[c] != NULL; c++) {
- ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
- groups[c]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
- goto done;
+ if (groups[c][0] == '\0') {
+ continue;
}
- groups[c][0] = '\0';
- }
-
- if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
- DEBUG(SSSDBG_TRACE_ALL, "New IPA groups [%zu].\n", c);
-
- for (c = 0; sysdb_ipa_group_memberships[c] != NULL; c++);
- DEBUG(SSSDBG_TRACE_ALL, "Cached IPA groups [%zu].\n", c);
-
- for (c = 0; add_groups[c] != NULL; c++);
- DEBUG(SSSDBG_TRACE_ALL, "Groups to add [%zu].\n", c);
-
- for (c = 0; del_groups[c] != NULL; c++);
- DEBUG(SSSDBG_TRACE_ALL, "Groups to delete [%zu].\n", c);
- }
-
- /* TODO: there is a similar functionality (adding and removing group
- * memberships in sysdb_update_members_ex(), but the missing group feature
- * is missing. It might be worth to evaluate if either the missing group
- * feature can be added there or if group which are missing in the cache
- * can bew handled differently here. */
-
- for (c = 0; add_groups[c] != NULL; c++) {
-
- ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, add_groups[c],
+ ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, groups[c],
NULL, &msgs_count, &msgs);
if (ret != EOK) {
if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "Group [%s] not in the cache.\n",
- add_groups[c]);
+ groups[c]);
*missing_groups = true;
- talloc_free(groups[d]);
- /* add missing group back to the list */
- groups[d++] = talloc_steal(groups, add_groups[c]);
continue;
} else {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
@@ -431,6 +345,9 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
}
}
+/* TODO? Do we have to remove members as well? I think not because the AD
+ * query before removes all memberships. */
+
ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
LDB_FLAG_MOD_ADD);
if (ret != EOK && ret != EEXIST) {
@@ -438,58 +355,33 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
goto done;
}
- }
- talloc_free(groups[d]);
- groups[d] = NULL;
+ user_attrs = sysdb_new_attrs(tmp_ctx);
+ if (user_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
- for (c = 0; del_groups[c] != NULL; c++) {
- ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, del_groups[c],
- NULL, &msgs_count, &msgs);
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+ groups[c]);
if (ret != EOK) {
- if (ret == ENOENT) {
- DEBUG(SSSDBG_TRACE_ALL,
- "Group [%s] not in the cache, skipping.\n",
- del_groups[c]);
- continue;
- } else {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
- goto done;
- }
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
+ goto done;
}
- ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
- LDB_FLAG_MOD_DELETE);
+ ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
+ LDB_FLAG_MOD_ADD);
if (ret != EOK && ret != EEXIST) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sysdb_mod_group_member failed to delete member.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
goto done;
}
- }
- /* Update SYSDB_ORIG_MEMBEROF with the IPA groups. */
- ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
- LDB_FLAG_MOD_ADD);
- if (ret != EOK && ret != EEXIST) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to add original IPA group DNs, ignored.\n");
- }
-
- ret = sysdb_transaction_commit(user_dom->sysdb);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
- goto done;
+ /* mark group as already processed */
+ groups[c][0] = '\0';
}
- in_transaction = false;
-
ret = EOK;
done:
- if (in_transaction) {
- sret = sysdb_transaction_cancel(user_dom->sysdb);
- if (sret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
- }
- }
-
talloc_free(tmp_ctx);
return ret;
--
2.50.0
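Review bot: The restored loop in add_ad_user_to_cached_groups only ever adds memberships (`LDB_FLAG_MOD_ADD`), so with the `del_groups` pass and the sysdb transaction removed, nothing visible here drops the user from a cached IPA group that no longer lists them, and a failure partway through the loop leaves the groups already processed modified. The re-added TODO says removal is covered because "the AD query before removes all memberships", which is an assumption about a caller outside these hunks; since cached group memberships typically feed access decisions, that should be confirmed rather than left as an open question. The patch header also gives no reason for the revert: add a line such as `Reverted because of <upstream issue or bug reference>` below `This reverts commit 63a6f51069a86765417f044a62705fe20572e0da.` so the stale-membership trade-off is recorded with the package. The function's beginning and end lie outside the hunks shown.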


@ -1,58 +0,0 @@
From 9e72bc242b600158d7920b2b98644efa42fd1ffa Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 12 Feb 2025 11:30:22 +0100
Subject: [PATCH] KCM: another memory leak fixed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
```
...
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520
...
```
Reviewed-by: Alejandro López <allopez@redhat.com>
---
src/responder/kcm/kcmsrv_ccache.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index f614156cc..bf8daffd0 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -407,7 +407,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- goto done;
+ goto fail;
}
for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) {
@@ -420,7 +420,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
cred_list[i] = kcm_cred_to_krb5(krb_context, cred);
if (cred_list[i] == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n");
- goto done;
+ goto fail;
}
}
@@ -429,8 +429,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
talloc_steal(mem_ctx, cred_list);
+ talloc_free(tmp_ctx);
return cred_list;
-done:
+
+fail:
talloc_free(tmp_ctx);
return NULL;
#endif
--
2.47.0


@ -1,4 +1,4 @@
From e9da1315ec32e2eb65e4159b2318f8a756768b9d Mon Sep 17 00:00:00 2001
From a08e5862693ed1191ba464351ae43c779b509096 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 10 Oct 2025 12:57:40 +0200
Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
@ -33,7 +33,7 @@ Reviewed-by: Pavel Březina <pbrezina@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 79400e901..4a27e8123 100644
index 677b76ff352198b8b6049213ae32c80f2f59026e..00f22b19d29fb24a8c49219e857a02cc24886a7d 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -747,6 +747,7 @@ done:


@ -1,440 +0,0 @@
From 281d9c3ed66ee28a9572433a629eb0d72525ca46 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 14 Feb 2025 21:15:16 +0100
Subject: [PATCH] SYSDB: don't add group members if 'ignore_group_members ==
true'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7793
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/db/sysdb.h | 51 ++++++---
src/db/sysdb_search.c | 6 +-
src/db/sysdb_views.c | 10 +-
src/tests/cmocka/test_responder_cache_req.c | 112 +++++++-------------
src/tests/cmocka/test_sysdb_ts_cache.c | 6 +-
src/tools/sss_override.c | 2 +-
6 files changed, 90 insertions(+), 97 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 1b827caf9..319b88e25 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -277,19 +277,44 @@
SYSDB_ORIG_DN, \
NULL}
-#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \
- SYSDB_MEMBERUID, \
- SYSDB_MEMBER, \
- SYSDB_GHOST, \
- SYSDB_DEFAULT_ATTRS, \
- SYSDB_SID_STR, \
- SYSDB_OVERRIDE_DN, \
- SYSDB_OVERRIDE_OBJECT_DN, \
- SYSDB_DEFAULT_OVERRIDE_NAME, \
- SYSDB_UUID, \
- ORIGINALAD_PREFIX SYSDB_NAME, \
- ORIGINALAD_PREFIX SYSDB_GIDNUM, \
- NULL}
+/* Strictly speaking it should return 'const char * const *' but
+ * that gets really unreadable.
+ */
+__attribute__((always_inline))
+static inline const char **SYSDB_GRSRC_ATTRS(const struct sss_domain_info *domain)
+{
+ static const char * __SYSDB_GRSRC_ATTRS_NO_MEMBERS[] = {
+ SYSDB_NAME, SYSDB_GIDNUM,
+ SYSDB_DEFAULT_ATTRS,
+ SYSDB_SID_STR,
+ SYSDB_OVERRIDE_DN,
+ SYSDB_OVERRIDE_OBJECT_DN,
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ SYSDB_UUID,
+ NULL
+ };
+ static const char * __SYSDB_GRSRC_ATTRS_WITH_MEMBERS[] = {
+ SYSDB_NAME, SYSDB_GIDNUM,
+ SYSDB_MEMBERUID,
+ SYSDB_MEMBER,
+ SYSDB_GHOST,
+ SYSDB_DEFAULT_ATTRS,
+ SYSDB_SID_STR,
+ SYSDB_OVERRIDE_DN,
+ SYSDB_OVERRIDE_OBJECT_DN,
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ SYSDB_UUID,
+ ORIGINALAD_PREFIX SYSDB_NAME,
+ ORIGINALAD_PREFIX SYSDB_GIDNUM,
+ NULL
+ };
+
+ if (domain && domain->ignore_group_members) {
+ return __SYSDB_GRSRC_ATTRS_NO_MEMBERS;
+ } else {
+ return __SYSDB_GRSRC_ATTRS_WITH_MEMBERS;
+ }
+}
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
SYSDB_NETGROUP_MEMBER, \
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index e4c53b853..7f34ddbcb 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1176,7 +1176,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *fmt_filter;
char *sanitized_name;
struct ldb_dn *base_dn;
@@ -1378,7 +1378,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *res = NULL;
int ret;
- static const char *default_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **default_attrs = SYSDB_GRSRC_ATTRS(domain);
const char **attrs = NULL;
tmp_ctx = talloc_new(NULL);
@@ -1484,7 +1484,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *filter = NULL;
const char *ts_filter = NULL;
const char *base_filter;
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 19c10977b..71f627974 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1237,7 +1237,7 @@ errno_t sysdb_search_group_override_by_name(TALLOC_CTX *mem_ctx,
struct ldb_result **override_obj,
struct ldb_result **orig_obj)
{
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
return sysdb_search_override_by_name(mem_ctx, domain, name,
SYSDB_GROUP_NAME_OVERRIDE_FILTER,
@@ -1253,7 +1253,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain);
const char **attrs;
struct ldb_dn *base_dn;
struct ldb_result *override_res;
@@ -1417,7 +1417,7 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain,
struct ldb_message *override;
uint64_t uid;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); /* members don't matter */
const char **attrs;
struct attr_map {
const char *attr;
@@ -1551,6 +1551,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
char *val;
struct sss_domain_info *orig_dom;
+ if (domain->ignore_group_members) {
+ return EOK;
+ }
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 32718c1f1..fcc7eca35 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -3267,10 +3267,8 @@ void test_object_by_sid_user_multiple_domains_notfound(void **state)
void test_object_by_sid_group_cache_valid(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
@@ -3283,10 +3281,8 @@ void test_object_by_sid_group_cache_valid(void **state)
void test_object_by_sid_group_cache_expired(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
@@ -3305,10 +3301,8 @@ void test_object_by_sid_group_cache_expired(void **state)
void test_object_by_sid_group_cache_midpoint(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
@@ -3326,12 +3320,10 @@ void test_object_by_sid_group_cache_midpoint(void **state)
void test_object_by_sid_group_ncache(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
errno_t ret;
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
/* Setup user. */
ret = sss_ncache_set_sid(test_ctx->ncache, false, test_ctx->tctx->dom, groups[0].sid);
assert_int_equal(ret, EOK);
@@ -3344,10 +3336,8 @@ void test_object_by_sid_group_ncache(void **state)
void test_object_by_sid_group_missing_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3365,10 +3355,8 @@ void test_object_by_sid_group_missing_found(void **state)
void test_object_by_sid_group_missing_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3382,17 +3370,13 @@ void test_object_by_sid_group_missing_notfound(void **state)
void test_object_by_sid_group_multiple_domains_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- struct sss_domain_info *domain = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
- /* Setup user. */
- domain = find_domain_by_name(test_ctx->tctx->dom,
- "responder_cache_req_test_d", true);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
assert_non_null(domain);
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
+ /* Setup user. */
prepare_group(domain, &groups[0], 1000, time(NULL));
/* Mock values. */
@@ -3408,10 +3392,8 @@ void test_object_by_sid_group_multiple_domains_found(void **state)
void test_object_by_sid_group_multiple_domains_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3590,10 +3572,8 @@ void test_object_by_id_user_multiple_domains_notfound(void **state)
void test_object_by_id_group_cache_valid(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
@@ -3605,10 +3585,8 @@ void test_object_by_id_group_cache_valid(void **state)
void test_object_by_id_group_cache_expired(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
@@ -3626,10 +3604,8 @@ void test_object_by_id_group_cache_expired(void **state)
void test_object_by_id_group_cache_midpoint(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Setup user. */
prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
@@ -3646,12 +3622,10 @@ void test_object_by_id_group_cache_midpoint(void **state)
void test_object_by_id_group_ncache(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
errno_t ret;
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
/* Setup group. We explicitly add the UID into BOTH UID and GID
* namespaces, because otherwise the cache_req plugin would
* search the Data Provider anyway, because it can't be sure
@@ -3678,10 +3652,8 @@ void test_object_by_id_group_ncache(void **state)
void test_object_by_id_group_missing_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3698,10 +3670,8 @@ void test_object_by_id_group_missing_found(void **state)
void test_object_by_id_group_missing_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return(__wrap_sss_dp_get_account_send, test_ctx);
@@ -3714,17 +3684,13 @@ void test_object_by_id_group_missing_notfound(void **state)
void test_object_by_id_group_multiple_domains_found(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- struct sss_domain_info *domain = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-
- /* Setup user. */
- domain = find_domain_by_name(test_ctx->tctx->dom,
- "responder_cache_req_test_d", true);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
assert_non_null(domain);
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
+ /* Setup user. */
prepare_group(domain, &groups[0], 1000, time(NULL));
/* Mock values. */
@@ -3740,10 +3706,8 @@ void test_object_by_id_group_multiple_domains_found(void **state)
void test_object_by_id_group_multiple_domains_notfound(void **state)
{
- struct cache_req_test_ctx *test_ctx = NULL;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
-
- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
/* Mock values. */
will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
index 24b26d950..f349b7061 100644
--- a/src/tests/cmocka/test_sysdb_ts_cache.c
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
@@ -694,7 +694,7 @@ static void test_sysdb_getgr_merges(void **state)
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
struct sysdb_attrs *group_attrs = NULL;
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
char *filter = NULL;
struct ldb_result *res = NULL;
size_t msgs_count;
@@ -783,7 +783,7 @@ static void test_merge_ldb_results(void **state)
int ret;
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
char *filter;
struct ldb_result *res;
struct ldb_result *res1;
@@ -856,7 +856,7 @@ static void test_group_bysid(void **state)
int ret;
struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
struct sysdb_ts_test_ctx);
- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom);
struct sysdb_attrs *group_attrs = NULL;
struct ldb_result *res;
struct ldb_message *msg = NULL;
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index e4bad848e..1968dde3a 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -1218,7 +1218,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
size_t count;
size_t i;
errno_t ret;
- const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char **attrs = SYSDB_GRSRC_ATTRS(domain);
const char *fqname;
char *name;
--
2.47.0


@ -0,0 +1,26 @@
From: Alex Burmashev <alexander.burmashev@oracle.com>
Date: Tue, 04 May 2021 13:31:41 +0100
Subject: [PATCH] restore default debug level for sss_cache
We want only fatal failures to be logged, otherwise in some conditions log is.
flooded with unneeded "errors"
Resolves: https://github.com/SSSD/sssd/issues/5488
Orabug: 32810448
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Patch migrated from ol8 to ol9 without any modification
Signed-off-by: Darren Archibald <darren.archibald@oracle.com>
diff -uNr a/src/tools/sss_cache.c b/src/tools/sss_cache.c
--- a/src/tools/sss_cache.c 2024-06-26 02:11:39.000000000 -0700
+++ b/src/tools/sss_cache.c 2024-09-05 16:17:12.686336046 -0700
@@ -722,7 +722,7 @@
struct cache_tool_ctx *ctx = NULL;
int idb = INVALIDATE_NONE;
struct input_values values = { 0 };
- int debug = SSSDBG_TOOLS_DEFAULT;
+ int debug = SSSDBG_FATAL_FAILURE;
errno_t ret = EOK;
poptContext pc = NULL;
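Review bot: Initialising `debug` to `SSSDBG_FATAL_FAILURE` makes sss_cache silent about every non-fatal error by default, so a cache invalidation that fails for an operational reason may go unnoticed and leave stale cached entries in place. The rest of the enclosing function is outside the hunk, so whether an operator can still raise the level at run time cannot be confirmed from here; if so, say it at the declaration, e.g. `/* Downstream default (Orabug 32810448): fatal errors only; raise the debug level when diagnosing */`. The patch header also still says it was "migrated from ol8 to ol9", which presumably should be updated for this el10 import.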


@ -1 +1 @@
SHA512 (sssd-2.10.2.tar.gz) = 14ad222802e5426b0959ee32602e04ce24b3eb8d3bdd5e188cf29e3c7d32e0631b41c386fdbd129acf281317538460015d35410a688ea48dd546f9ae28522eac
SHA512 (sssd-2.11.1.tar.gz) = e65897bcb9ddd64f6c01787ad7b7eab3c9916e10f9ead02a6e92de503a4ea71c091e998ccf0344576b520bea75abfe5fd2880e8401237a26274d764d291f6fa4

102
sssd.spec

@ -1,48 +1,14 @@
# SSSD SPEC file for Fedora 34+ and RHEL-9+
# SSSD SPEC file for RHEL-10
# define SSSD user
%if 0%{?fedora} >= 41 || 0%{?rhel}
%global use_sssd_user 1
%global sssd_user sssd
%else
%global use_sssd_user 0
%global sssd_user root
%endif
# sysusers depends on presence of sssd user
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global use_sysusers 1
%else
%global use_sysusers 0
%endif
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
%global build_subid 1
%else
%global build_subid 0
%endif
%if 0%{?fedora} >= 34
%global build_kcm_renewals 1
%global krb5_version 1.19.1
%elif 0%{?rhel} >= 8
%global build_kcm_renewals 1
%global krb5_version 1.18.2
%else
%global build_kcm_renewals 0
%endif
%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9
%global build_passkey 1
%else
%global build_passkey 0
%endif
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global build_idp 0
%global build_ssh_known_hosts_proxy 0
%else
%global build_ssh_known_hosts_proxy 1
%endif
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
@ -56,19 +22,18 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
Version: 2.10.2
Release: 3%{?dist}.3
Version: 2.11.1
Release: 2.0.1%{?dist}.1
Summary: System Security Services Daemon
License: GPL-3.0-or-later
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/2.10.2/sssd-2.10.2.tar.gz
Source0: https://github.com/SSSD/sssd/releases/download/2.11.1/sssd-2.11.1.tar.gz
Source1: sssd.sysusers
Patch2002: 2002-orabug32810448-restore-default-debug-sss_cache.patch
### Patches ###
Patch0001: 0001-KCM-fix-memory-leak.patch
Patch0002: 0002-KCM-another-memory-leak-fixed.patch
Patch0003: 0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
Patch0004: 0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
Patch0001: 0001-Revert-ipa-improve-handling-of-external-group-member.patch
Patch0002: 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
### Dependencies ###
@ -166,7 +131,9 @@ BuildRequires: systemtap-sdt-devel
BuildRequires: systemtap-sdt-dtrace
BuildRequires: uid_wrapper
BuildRequires: po4a
%ifarch %{valgrind_arches}
BuildRequires: valgrind-devel
%endif
%if %{build_subid}
BuildRequires: shadow-utils-subid-devel
%endif
@ -533,7 +500,7 @@ enable authentication with passkey token.
%endif
%prep
%autosetup -n sssd-2.10.2 -p1
%autosetup -n sssd-2.11.1 -p1
%build
@ -568,6 +535,9 @@ autoreconf -ivf
%endif
%if %{build_ssh_known_hosts_proxy}
--with-ssh-known-hosts-proxy \
%endif
%if ! %{build_idp}
--with-id-provider-idp=no
%endif
%{nil}
@ -1013,6 +983,10 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%{_mandir}/man8/sssd-kcm.8*
%files idp
%if %{build_idp}
%{_libdir}/%{name}/libsss_idp.so
%{_mandir}/man5/sssd-idp.5*
%endif
%{_libexecdir}/%{servicename}/oidc_child
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
@ -1031,7 +1005,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%if %{use_sssd_user}
%pre common
! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true
! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null 2>&1 || true
%if %{use_sysusers}
%sysusers_create_compat %{SOURCE1}
%else
@ -1052,6 +1026,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%__rm -f %{pubconfpath}/known_hosts
%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
%__chmod -f -R g+r %{_sysconfdir}/sssd || true
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
@ -1119,8 +1094,41 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Mon Oct 20 2025 Masahiro Matsuya <mmatsuya@redhat.com> - 2.10.2-3.3
- Resolves: RHEL-120286 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-10.0.z]
* Tue Nov 25 2025 EL Errata <el-errata_ww@oracle.com> - 2.11.1-2.0.1.1
- Restore default debug level for sss_cache [Orabug: 32810448]
* Tue Oct 21 2025 Sumit Bose <sbose@redhat.com> - 2.11.1-2.1
- Resovles: RHEL-120288 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows
privilege escalation on AD-joined Linux systems [rhel-10.1.z]
* Thu Aug 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.11.1-2
- Related: RHEL-77184 - AD user in external group is not cleared when expiring the cache
Patch used to fix this ticket causes a regression (RHEL-106987) and is being reverted.
* Thu Jul 31 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.11.1-1
- Resolves: RHEL-95058 - Rebase SSSD for RHEL 10.1
- Resolves: RHEL-77184 - AD user in external group is not cleared when expiring the cache
* Fri Jun 13 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.11.0-3
- Related: RHEL-89870 - Rebase Samba to the latest 4.22.x release
* Fri Jun 6 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.11.0-2
- Resolves: RHEL-95058 - Rebase SSSD for RHEL 10.1
* Thu Jun 5 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.11.0-1
- Resolves: RHEL-95058 - Rebase SSSD for RHEL 10.1
- Resolves: RHEL-4976 - [RFE] Continue searching other PKCS#11 tokens if certificates are not found
- Resolves: RHEL-87200 - SSSD fails to connect with ipv4_first when on a machine with only IPv6 and server is dual-stack
- Resolves: RHEL-25593 - Improve sssd-simple man page description
- Resolves: RHEL-14752 - [RFE] Add IPA subdomain support to allow IPA-IPA trust
- Resolves: RHEL-92569 - SSSD LDAPU1 Mapping braces problem
- Resolves: RHEL-4981 - p11_child currently has an infinite timeout
- Resolves: RHEL-5042 - IDM homedir %%o is not working, returns /home/domain/user instead of AD POSIX unixHomeDir
- Resolves: RHEL-13086 - [RFE] Anonymous bind requests on RootDSE
- Resolves: RHEL-45824 - SSSD unable to enumerate LDAP groups if LDAP server contains any group with # character in their names
* Fri May 2 2025 Andrea Bolognani <abologna@redhat.com> - 2.10.2-4
- Resolves: RHEL-89474 - Fails to build on riscv64
* Mon Apr 7 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.10.2-3.2
- Resolves: RHEL-79158 - Disk cache failure with large db sizes
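Review bot: In the `%files idp` list the new `%if %{build_idp}` guard covers only `libsss_idp.so` and the `sssd-idp.5` man page, while `oidc_child`, `sssd_krb5_idp_plugin.so` and the `sssd_enable_idp` krb5 snippet are still packaged even though `%build` now passes `--with-id-provider-idp=no` when `build_idp` is 0. If that split is intended (the Kerberos pre-authentication pieces staying available without the id provider, which the page does not state), it deserves a comment next to the `build_idp` definition, for example `# build_idp 0 disables only id_provider=idp; oidc_child and the krb5 idp plugin are still built and shipped`. Without it, a reader auditing what the sssd-idp subpackage installs cannot tell a deliberate choice from a missed conditional.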