From f8e6024899cca2680fc4228abd26fb847ad92829 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 8 Dec 2025 06:57:01 +0000
Subject: [PATCH] import OL sssd-2.11.1-2.0.1.el10_1.1
---
 .gitignore | 2 +-
 0001-KCM-fix-memory-leak.patch | 113 -----
 ...ve-handling-of-external-group-member.patch | 222 +++++++++
 0002-KCM-another-memory-leak-fixed.patch | 58 ---
 ...beros-localauth-an2ln-plugin-for-AD-.patch | 4 +-
 ...group-members-if-ignore_group_member.patch | 440 ------------------
 ...0448-restore-default-debug-sss_cache.patch | 26 ++
 sources | 2 +-
 sssd.spec | 102 ++--
 9 files changed, 307 insertions(+), 662 deletions(-)
 delete mode 100644 0001-KCM-fix-memory-leak.patch
 create mode 100644 0001-Revert-ipa-improve-handling-of-external-group-member.patch
 delete mode 100644 0002-KCM-another-memory-leak-fixed.patch
 rename 0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch => 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch (92%)
 delete mode 100644 0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
 create mode 100644 2002-orabug32810448-restore-default-debug-sss_cache.patch
diff --git a/.gitignore b/.gitignore
index ae5e98e..cc024b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-sssd-2.10.2.tar.gz
+sssd-2.11.1.tar.gz
diff --git a/0001-KCM-fix-memory-leak.patch b/0001-KCM-fix-memory-leak.patch
deleted file mode 100644
index e62c69b..0000000
--- a/0001-KCM-fix-memory-leak.patch
+++ /dev/null
@@ -1,113 +0,0 @@ -From 50f703f25914254d2a545f52f504dfa5a6f65546 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 4 Feb 2025 18:59:36 +0100 -Subject: [PATCH] KCM: fix memory leak -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The copy of 'secret' argument - `secret_val.data` - was left hanging -on `sss_sec_ctx`, effectively resulting in a memory leak. -But this copy isn't actually required as this data isn't modified in -below operations. -Skipping alloc+memcpy+erase is also beneficial performance wise. - -:fixes:'sssd_kcm' memory leak was fixed. - -Reviewed-by: Alejandro López -Reviewed-by: Justin Stephenson -(cherry picked from commit 7f1b7c9689827df92e8b2166423d4e80688dbacb) ---- - src/responder/kcm/secrets/secrets.c | 34 ++++++++++------------------- - 1 file changed, 12 insertions(+), 22 deletions(-) - -diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c -index 625a09f39..fe7410cb3 100644 ---- a/src/responder/kcm/secrets/secrets.c -+++ b/src/responder/kcm/secrets/secrets.c -@@ -979,7 +979,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, - size_t secret_len) - { - struct ldb_message *msg; -- struct ldb_val secret_val = { .data = NULL }; -+ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; - bool erase_msg = false; - int ret; - -@@ -1029,13 +1029,11 @@ errno_t sss_sec_put(struct sss_sec_req *req, - goto done; - } - -- secret_val.length = secret_len; -- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); -- if (!secret_val.data) { -- ret = ENOMEM; -- goto done; -- } -- -+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data -+ * but rather copies a pointer under the hood. -+ * This is fine since no operations modifying this data are performed -+ * below and 'msg' is freed before function returns. 
-+ */ - ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -1069,9 +1067,6 @@ errno_t sss_sec_put(struct sss_sec_req *req, - - ret = EOK; - done: -- if (secret_val.data != NULL) { -- sss_erase_mem_securely(secret_val.data, secret_val.length); -- } - if (erase_msg) { - db_result_erase_message_securely(msg, SEC_ATTR_SECRET); - } -@@ -1084,7 +1079,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, - size_t secret_len) - { - struct ldb_message *msg; -- struct ldb_val secret_val = { .data = NULL }; -+ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; - bool erase_msg = false; - int ret; - -@@ -1134,13 +1129,6 @@ errno_t sss_sec_update(struct sss_sec_req *req, - goto done; - } - -- secret_val.length = secret_len; -- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); -- if (!secret_val.data) { -- ret = ENOMEM; -- goto done; -- } -- - /* FIXME - should we have a lastUpdate timestamp? */ - ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); - if (ret != LDB_SUCCESS) { -@@ -1150,6 +1138,11 @@ errno_t sss_sec_update(struct sss_sec_req *req, - goto done; - } - -+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data -+ * but rather copies a pointer under the hood. -+ * This is fine since no operations modifying this data are performed -+ * below and 'msg' is freed before function returns. -+ */ - ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); - if (ret != LDB_SUCCESS) { - DEBUG(SSSDBG_MINOR_FAILURE, -@@ -1174,9 +1167,6 @@ errno_t sss_sec_update(struct sss_sec_req *req, - - ret = EOK; - done: -- if (secret_val.data != NULL) { -- sss_erase_mem_securely(secret_val.data, secret_val.length); -- } - if (erase_msg) { - db_result_erase_message_securely(msg, SEC_ATTR_SECRET); - } --- -2.47.0 - 
diff --git a/0001-Revert-ipa-improve-handling-of-external-group-member.patch b/0001-Revert-ipa-improve-handling-of-external-group-member.patch
new file mode 100644
index 0000000..c2360c1
--- /dev/null
+++ b/0001-Revert-ipa-improve-handling-of-external-group-member.patch
@@ -0,0 +1,222 @@
+From 98a91d170f7a6074ed1bd3b8ed9161c4a11b4074 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Thu, 14 Aug 2025 16:21:00 +0200
+Subject: [PATCH] Revert "ipa: improve handling of external group memberships"
+
+This reverts commit 63a6f51069a86765417f044a62705fe20572e0da.
+---
+ src/providers/ipa/ipa_subdomains_ext_groups.c | 152 +++---------------
+ 1 file changed, 22 insertions(+), 130 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
+index f86130d89..ba3fb3953 100644
+--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
++++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
+@@ -312,19 +312,11 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
+ bool *missing_groups)
+ {
+ size_t c;
+- size_t d = 0;
+ struct sysdb_attrs *user_attrs;
+ size_t msgs_count;
+ struct ldb_message **msgs;
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+- const struct ldb_val *val;
+- char *user_name;
+- char **sysdb_ipa_group_memberships;
+- char **add_groups;
+- char **del_groups;
+- errno_t sret;
+- bool in_transaction = false;
+
+ *missing_groups = false;
+
+@@ -334,96 +326,18 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
+ return ENOMEM;
+ }
+
+- val = ldb_dn_get_rdn_val(user_dn);
+- if (val == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "user_dn has no RDN.\n");
+- ret = EINVAL;
+- goto done;
+- }
+- user_name = talloc_strndup(tmp_ctx, (char *) val->data, val->length);
+- if (user_name == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user name.\n");
+- ret = ENOMEM;
+- goto done;
+- }
+-
+- ret = sysdb_transaction_start(user_dom->sysdb);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to start update transaction\n");
+- goto done;
+- }
+-
+- in_transaction = true;
+-
+- ret = sysdb_get_direct_parents_ex(tmp_ctx, user_dom, group_dom,
+- SYSDB_MEMBER_USER, user_name,
+- SYSDB_ORIG_DN,
+- &sysdb_ipa_group_memberships);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE, "Failed to get current IPA group memberships "
+- "of user [%s].\n", user_name);
+- goto done;
+- }
+-
+- ret = diff_string_lists(tmp_ctx, groups, sysdb_ipa_group_memberships,
+- &add_groups, &del_groups, NULL);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE, "Failed to get difference in group lists.\n");
+- goto done;
+- }
+-
+- user_attrs = sysdb_new_attrs(tmp_ctx);
+- if (user_attrs == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+- ret = ENOMEM;
+- goto done;
+- }
+-
+- /* Add all new IPA groups to SYSDB_ORIG_MEMBEROF because they are most
+- * probably removed by the previous user update and mark all new groups as
+- * processed. */
+ for (c = 0; groups[c] != NULL; c++) {
+- ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+- groups[c]);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
+- goto done;
++ if (groups[c][0] == '\0') {
++ continue;
+ }
+
+- groups[c][0] = '\0';
+- }
+-
+- if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
+- DEBUG(SSSDBG_TRACE_ALL, "New IPA groups [%zu].\n", c);
+-
+- for (c = 0; sysdb_ipa_group_memberships[c] != NULL; c++);
+- DEBUG(SSSDBG_TRACE_ALL, "Cached IPA groups [%zu].\n", c);
+-
+- for (c = 0; add_groups[c] != NULL; c++);
+- DEBUG(SSSDBG_TRACE_ALL, "Groups to add [%zu].\n", c);
+-
+- for (c = 0; del_groups[c] != NULL; c++);
+- DEBUG(SSSDBG_TRACE_ALL, "Groups to delete [%zu].\n", c);
+- }
+-
+- /* TODO: there is a similar functionality (adding and removing group
+- * memberships in sysdb_update_members_ex(), but the missing group feature
+- * is missing. It might be worth to evaluate if either the missing group
+- * feature can be added there or if group which are missing in the cache
+- * can bew handled differently here. */
+-
+- for (c = 0; add_groups[c] != NULL; c++) {
+-
+- ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, add_groups[c],
++ ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, groups[c],
+ NULL, &msgs_count, &msgs);
+ if (ret != EOK) {
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, "Group [%s] not in the cache.\n",
+- add_groups[c]);
++ groups[c]);
+ *missing_groups = true;
+- talloc_free(groups[d]);
+- /* add missing group back to the list */
+- groups[d++] = talloc_steal(groups, add_groups[c]);
+ continue;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
+@@ -431,6 +345,9 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
+ }
+ }
+
++/* TODO? Do we have to remove members as well? I think not because the AD
++ * query before removes all memberships. */
++
+ ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
+ LDB_FLAG_MOD_ADD);
+ if (ret != EOK && ret != EEXIST) {
+@@ -438,58 +355,33 @@ static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
+ goto done;
+ }
+
+- }
+- talloc_free(groups[d]);
+- groups[d] = NULL;
++ user_attrs = sysdb_new_attrs(tmp_ctx);
++ if (user_attrs == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
++ ret = ENOMEM;
++ goto done;
++ }
+
+- for (c = 0; del_groups[c] != NULL; c++) {
+- ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, del_groups[c],
+- NULL, &msgs_count, &msgs);
++ ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
++ groups[c]);
+ if (ret != EOK) {
+- if (ret == ENOENT) {
+- DEBUG(SSSDBG_TRACE_ALL,
+- "Group [%s] not in the cache, skipping.\n",
+- del_groups[c]);
+- continue;
+- } else {
+- DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
+- goto done;
+- }
++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
++ goto done;
+ }
+
+- ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
+- LDB_FLAG_MOD_DELETE);
++ ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
++ LDB_FLAG_MOD_ADD);
+ if (ret != EOK && ret != EEXIST) {
+- DEBUG(SSSDBG_OP_FAILURE,
+- "sysdb_mod_group_member failed to delete member.\n");
++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
+ goto done;
+ }
+- }
+
+- /* Update SYSDB_ORIG_MEMBEROF with the IPA groups. */
+- ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
+- LDB_FLAG_MOD_ADD);
+- if (ret != EOK && ret != EEXIST) {
+- DEBUG(SSSDBG_OP_FAILURE, "Failed to add original IPA group DNs, ignored.\n");
+- }
+-
+- ret = sysdb_transaction_commit(user_dom->sysdb);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+- goto done;
++ /* mark group as already processed */
++ groups[c][0] = '\0';
+ }
+
+- in_transaction = false;
+-
+ ret = EOK;
+ done:
+- if (in_transaction) {
+- sret = sysdb_transaction_cancel(user_dom->sysdb);
+- if (sret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
+- }
+- }
+-
+ talloc_free(tmp_ctx);
+
+ return ret;
+--
+2.50.0
+
diff --git a/0002-KCM-another-memory-leak-fixed.patch b/0002-KCM-another-memory-leak-fixed.patch
deleted file mode 100644
index 0fb27bc..0000000
--- a/0002-KCM-another-memory-leak-fixed.patch
+++ /dev/null
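Review bot: The reinstated loop in add_ad_user_to_cached_groups() calls sysdb_mod_group_member() and sysdb_set_entry_attr() once per group without the sysdb_transaction_start()/commit()/cancel() bracket that the reverted commit had, so an error partway through `for (c = 0; groups[c] != NULL; c++)` leaves some memberships and SYSDB_ORIG_MEMBEROF values written and the rest not, with no rollback. The del_groups pass is gone as well, so cache consistency now rests on the reinstated `/* TODO? Do we have to remove members as well? I think not because the AD query before removes all memberships. */` assumption; if that does not hold, a membership removed on the IPA side can outlive the change in the cache, which matters wherever group membership gates access. That may be the accepted trade-off for whatever regression motivated this revert, but the patch header says only `This reverts commit 63a6f51069a86765417f044a62705fe20572e0da.`; one sentence naming the problem it works around would tell the next rebase whether the revert is still needed. The function's signature sits just above the first inner hunk and its `return ret;` inside the last, so all four inner hunks belong to it.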
@@ -1,58 +0,0 @@ -From 9e72bc242b600158d7920b2b98644efa42fd1ffa Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 12 Feb 2025 11:30:22 +0100 -Subject: [PATCH] KCM: another memory leak fixed -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -``` -... - talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0 - talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90 - talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520 -... -``` - -Reviewed-by: Alejandro López ---- - src/responder/kcm/kcmsrv_ccache.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c -index f614156cc..bf8daffd0 100644 ---- a/src/responder/kcm/kcmsrv_ccache.c -+++ b/src/responder/kcm/kcmsrv_ccache.c -@@ -407,7 +407,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { -- goto done; -+ goto fail; - } - - for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) { -@@ -420,7 +420,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, - cred_list[i] = kcm_cred_to_krb5(krb_context, cred); - if (cred_list[i] == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n"); -- goto done; -+ goto fail; - } - } - -@@ -429,8 +429,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, - - talloc_steal(mem_ctx, cred_list); - -+ talloc_free(tmp_ctx); - return cred_list; --done: -+ -+fail: - talloc_free(tmp_ctx); - return NULL; - #endif --- -2.47.0 - 
diff --git a/0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch b/0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
similarity index 92%
rename from 0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
rename to 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
index 98ccfbd..3c3755a 100644
--- a/0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
+++ b/0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
@@ -1,4 +1,4 @@
-From e9da1315ec32e2eb65e4159b2318f8a756768b9d Mon Sep 17 00:00:00 2001
+From a08e5862693ed1191ba464351ae43c779b509096 Mon Sep 17 00:00:00 2001
 From: Sumit Bose
 Date: Fri, 10 Oct 2025 12:57:40 +0200
 Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
@@ -33,7 +33,7 @@ Reviewed-by: Pavel Březina
 1 file changed, 1 insertion(+)
 
 diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
-index 79400e901..4a27e8123 100644
+index 677b76ff352198b8b6049213ae32c80f2f59026e..00f22b19d29fb24a8c49219e857a02cc24886a7d 100644
 --- a/src/util/domain_info_utils.c
 +++ b/src/util/domain_info_utils.c
 @@ -747,6 +747,7 @@ done:
diff --git a/0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch b/0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
deleted file mode 100644
index 6f5c7f7..0000000
--- a/0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
+++ /dev/null
@@ -1,440 +0,0 @@ -From 281d9c3ed66ee28a9572433a629eb0d72525ca46 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 14 Feb 2025 21:15:16 +0100 -Subject: [PATCH] SYSDB: don't add group members if 'ignore_group_members == - true' -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: https://github.com/SSSD/sssd/issues/7793 - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose ---- - src/db/sysdb.h | 51 ++++++--- - src/db/sysdb_search.c | 6 +- - src/db/sysdb_views.c | 10 +- - src/tests/cmocka/test_responder_cache_req.c | 112 +++++++------------- - src/tests/cmocka/test_sysdb_ts_cache.c | 6 +- - src/tools/sss_override.c | 2 +- - 6 files changed, 90 insertions(+), 97 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 1b827caf9..319b88e25 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -277,19 +277,44 @@ - SYSDB_ORIG_DN, \ - NULL} - --#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \ -- SYSDB_MEMBERUID, \ -- SYSDB_MEMBER, \ -- SYSDB_GHOST, \ -- SYSDB_DEFAULT_ATTRS, \ -- SYSDB_SID_STR, \ -- SYSDB_OVERRIDE_DN, \ -- SYSDB_OVERRIDE_OBJECT_DN, \ -- SYSDB_DEFAULT_OVERRIDE_NAME, \ -- SYSDB_UUID, \ -- ORIGINALAD_PREFIX SYSDB_NAME, \ -- ORIGINALAD_PREFIX SYSDB_GIDNUM, \ -- NULL} -+/* Strictly speaking it should return 'const char * const *' but -+ * that gets really unreadable. 
-+ */ -+__attribute__((always_inline)) -+static inline const char **SYSDB_GRSRC_ATTRS(const struct sss_domain_info *domain) -+{ -+ static const char * __SYSDB_GRSRC_ATTRS_NO_MEMBERS[] = { -+ SYSDB_NAME, SYSDB_GIDNUM, -+ SYSDB_DEFAULT_ATTRS, -+ SYSDB_SID_STR, -+ SYSDB_OVERRIDE_DN, -+ SYSDB_OVERRIDE_OBJECT_DN, -+ SYSDB_DEFAULT_OVERRIDE_NAME, -+ SYSDB_UUID, -+ NULL -+ }; -+ static const char * __SYSDB_GRSRC_ATTRS_WITH_MEMBERS[] = { -+ SYSDB_NAME, SYSDB_GIDNUM, -+ SYSDB_MEMBERUID, -+ SYSDB_MEMBER, -+ SYSDB_GHOST, -+ SYSDB_DEFAULT_ATTRS, -+ SYSDB_SID_STR, -+ SYSDB_OVERRIDE_DN, -+ SYSDB_OVERRIDE_OBJECT_DN, -+ SYSDB_DEFAULT_OVERRIDE_NAME, -+ SYSDB_UUID, -+ ORIGINALAD_PREFIX SYSDB_NAME, -+ ORIGINALAD_PREFIX SYSDB_GIDNUM, -+ NULL -+ }; -+ -+ if (domain && domain->ignore_group_members) { -+ return __SYSDB_GRSRC_ATTRS_NO_MEMBERS; -+ } else { -+ return __SYSDB_GRSRC_ATTRS_WITH_MEMBERS; -+ } -+} - - #define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \ - SYSDB_NETGROUP_MEMBER, \ -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index e4c53b853..7f34ddbcb 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -1176,7 +1176,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, - struct ldb_result **_res) - { - TALLOC_CTX *tmp_ctx; -- static const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - const char *fmt_filter; - char *sanitized_name; - struct ldb_dn *base_dn; -@@ -1378,7 +1378,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx, - struct ldb_dn *base_dn; - struct ldb_result *res = NULL; - int ret; -- static const char *default_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **default_attrs = SYSDB_GRSRC_ATTRS(domain); - const char **attrs = NULL; - - tmp_ctx = talloc_new(NULL); -@@ -1484,7 +1484,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx, - struct ldb_result **_res) - { - TALLOC_CTX *tmp_ctx; -- static const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - const char 
*filter = NULL; - const char *ts_filter = NULL; - const char *base_filter; -diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c -index 19c10977b..71f627974 100644 ---- a/src/db/sysdb_views.c -+++ b/src/db/sysdb_views.c -@@ -1237,7 +1237,7 @@ errno_t sysdb_search_group_override_by_name(TALLOC_CTX *mem_ctx, - struct ldb_result **override_obj, - struct ldb_result **orig_obj) - { -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - - return sysdb_search_override_by_name(mem_ctx, domain, name, - SYSDB_GROUP_NAME_OVERRIDE_FILTER, -@@ -1253,7 +1253,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx, - { - TALLOC_CTX *tmp_ctx; - static const char *user_attrs[] = SYSDB_PW_ATTRS; -- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); - const char **attrs; - struct ldb_dn *base_dn; - struct ldb_result *override_res; -@@ -1417,7 +1417,7 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain, - struct ldb_message *override; - uint64_t uid; - static const char *user_attrs[] = SYSDB_PW_ATTRS; -- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); /* members don't matter */ - const char **attrs; - struct attr_map { - const char *attr; -@@ -1551,6 +1551,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain, - char *val; - struct sss_domain_info *orig_dom; - -+ if (domain->ignore_group_members) { -+ return EOK; -+ } -+ - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c -index 32718c1f1..fcc7eca35 100644 ---- a/src/tests/cmocka/test_responder_cache_req.c -+++ b/src/tests/cmocka/test_responder_cache_req.c -@@ -3267,10 +3267,8 @@ void test_object_by_sid_user_multiple_domains_notfound(void **state) - - void 
test_object_by_sid_group_cache_valid(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. */ - prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL)); -@@ -3283,10 +3281,8 @@ void test_object_by_sid_group_cache_valid(void **state) - - void test_object_by_sid_group_cache_expired(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. */ - prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL)); -@@ -3305,10 +3301,8 @@ void test_object_by_sid_group_cache_expired(void **state) - - void test_object_by_sid_group_cache_midpoint(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. 
*/ - prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26); -@@ -3326,12 +3320,10 @@ void test_object_by_sid_group_cache_midpoint(void **state) - - void test_object_by_sid_group_ncache(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - errno_t ret; - -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -- - /* Setup user. */ - ret = sss_ncache_set_sid(test_ctx->ncache, false, test_ctx->tctx->dom, groups[0].sid); - assert_int_equal(ret, EOK); -@@ -3344,10 +3336,8 @@ void test_object_by_sid_group_ncache(void **state) - - void test_object_by_sid_group_missing_found(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. */ - will_return(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3365,10 +3355,8 @@ void test_object_by_sid_group_missing_found(void **state) - - void test_object_by_sid_group_missing_notfound(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. 
*/ - will_return(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3382,17 +3370,13 @@ void test_object_by_sid_group_missing_notfound(void **state) - - void test_object_by_sid_group_multiple_domains_found(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- struct sss_domain_info *domain = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -- -- /* Setup user. */ -- domain = find_domain_by_name(test_ctx->tctx->dom, -- "responder_cache_req_test_d", true); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom, -+ "responder_cache_req_test_d", true); - assert_non_null(domain); -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - -+ /* Setup user. */ - prepare_group(domain, &groups[0], 1000, time(NULL)); - - /* Mock values. */ -@@ -3408,10 +3392,8 @@ void test_object_by_sid_group_multiple_domains_found(void **state) - - void test_object_by_sid_group_multiple_domains_notfound(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. 
*/ - will_return_always(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3590,10 +3572,8 @@ void test_object_by_id_user_multiple_domains_notfound(void **state) - - void test_object_by_id_group_cache_valid(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. */ - prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL)); -@@ -3605,10 +3585,8 @@ void test_object_by_id_group_cache_valid(void **state) - - void test_object_by_id_group_cache_expired(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. */ - prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL)); -@@ -3626,10 +3604,8 @@ void test_object_by_id_group_cache_expired(void **state) - - void test_object_by_id_group_cache_midpoint(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Setup user. 
*/ - prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26); -@@ -3646,12 +3622,10 @@ void test_object_by_id_group_cache_midpoint(void **state) - - void test_object_by_id_group_ncache(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - errno_t ret; - -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -- - /* Setup group. We explicitly add the UID into BOTH UID and GID - * namespaces, because otherwise the cache_req plugin would - * search the Data Provider anyway, because it can't be sure -@@ -3678,10 +3652,8 @@ void test_object_by_id_group_ncache(void **state) - - void test_object_by_id_group_missing_found(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. */ - will_return(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3698,10 +3670,8 @@ void test_object_by_id_group_missing_found(void **state) - - void test_object_by_id_group_missing_notfound(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. 
*/ - will_return(__wrap_sss_dp_get_account_send, test_ctx); -@@ -3714,17 +3684,13 @@ void test_object_by_id_group_missing_notfound(void **state) - - void test_object_by_id_group_multiple_domains_found(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- struct sss_domain_info *domain = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -- -- /* Setup user. */ -- domain = find_domain_by_name(test_ctx->tctx->dom, -- "responder_cache_req_test_d", true); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom, -+ "responder_cache_req_test_d", true); - assert_non_null(domain); -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - -+ /* Setup user. */ - prepare_group(domain, &groups[0], 1000, time(NULL)); - - /* Mock values. */ -@@ -3740,10 +3706,8 @@ void test_object_by_id_group_multiple_domains_found(void **state) - - void test_object_by_id_group_multiple_domains_notfound(void **state) - { -- struct cache_req_test_ctx *test_ctx = NULL; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -- -- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - - /* Mock values. 
*/ - will_return_always(__wrap_sss_dp_get_account_send, test_ctx); -diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c -index 24b26d950..f349b7061 100644 ---- a/src/tests/cmocka/test_sysdb_ts_cache.c -+++ b/src/tests/cmocka/test_sysdb_ts_cache.c -@@ -694,7 +694,7 @@ static void test_sysdb_getgr_merges(void **state) - struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, - struct sysdb_ts_test_ctx); - struct sysdb_attrs *group_attrs = NULL; -- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - char *filter = NULL; - struct ldb_result *res = NULL; - size_t msgs_count; -@@ -783,7 +783,7 @@ static void test_merge_ldb_results(void **state) - int ret; - struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, - struct sysdb_ts_test_ctx); -- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - char *filter; - struct ldb_result *res; - struct ldb_result *res1; -@@ -856,7 +856,7 @@ static void test_group_bysid(void **state) - int ret; - struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, - struct sysdb_ts_test_ctx); -- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); - struct sysdb_attrs *group_attrs = NULL; - struct ldb_result *res; - struct ldb_message *msg = NULL; -diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c -index e4bad848e..1968dde3a 100644 ---- a/src/tools/sss_override.c -+++ b/src/tools/sss_override.c -@@ -1218,7 +1218,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx, - size_t count; - size_t i; - errno_t ret; -- const char *attrs[] = SYSDB_GRSRC_ATTRS; -+ const char **attrs = SYSDB_GRSRC_ATTRS(domain); - const char *fqname; - char *name; - --- -2.47.0 - 
diff --git a/2002-orabug32810448-restore-default-debug-sss_cache.patch b/2002-orabug32810448-restore-default-debug-sss_cache.patch
new file mode 100644
index 0000000..0d56be5
--- /dev/null
+++ b/2002-orabug32810448-restore-default-debug-sss_cache.patch
@@ -0,0 +1,26 @@
+From: Alex Burmashev
+Date: Tue, 04 May 2021 13:31:41 +0100
+Subject: [PATCH] restore default debug level for sss_cache
+
+We want only fatal failures to be logged, otherwise in some conditions log is.
+flooded with unneeded "errors"
+
+Resolves: https://github.com/SSSD/sssd/issues/5488
+
+Orabug: 32810448
+Signed-off-by: Alex Burmashev
+
+Patch migrated from ol8 to ol9 without any modification
+Signed-off-by: Darren Archibald
+diff -uNr a/src/tools/sss_cache.c b/src/tools/sss_cache.c
+--- a/src/tools/sss_cache.c 2024-06-26 02:11:39.000000000 -0700
++++ b/src/tools/sss_cache.c 2024-09-05 16:17:12.686336046 -0700
+@@ -722,7 +722,7 @@
+ struct cache_tool_ctx *ctx = NULL;
+ int idb = INVALIDATE_NONE;
+ struct input_values values = { 0 };
+- int debug = SSSDBG_TOOLS_DEFAULT;
++ int debug = SSSDBG_FATAL_FAILURE;
+ errno_t ret = EOK;
+
+ poptContext pc = NULL;
diff --git a/sources b/sources
index 5dd7b85..f12bd80 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-2.10.2.tar.gz) = 14ad222802e5426b0959ee32602e04ce24b3eb8d3bdd5e188cf29e3c7d32e0631b41c386fdbd129acf281317538460015d35410a688ea48dd546f9ae28522eac
+SHA512 (sssd-2.11.1.tar.gz) = e65897bcb9ddd64f6c01787ad7b7eab3c9916e10f9ead02a6e92de503a4ea71c091e998ccf0344576b520bea75abfe5fd2880e8401237a26274d764d291f6fa4
diff --git a/sssd.spec b/sssd.spec
index f7eb665..542c523 100644
--- a/sssd.spec
+++ b/sssd.spec
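Review bot: Lowering the default to `int debug = SSSDBG_FATAL_FAILURE;` hides every non-fatal diagnostic from sss_cache unless a higher level is requested at run time, trading the log flooding the header describes for less visibility when cache invalidation goes wrong; a one-line comment at the changed line, e.g. `/* fatal failures only by default, see Orabug 32810448 */`, would keep that rationale next to the code rather than only in this patch header. The header sentence `log is. flooded with unneeded "errors"` has a stray period splitting it. The trailer still reads `Patch migrated from ol8 to ol9 without any modification` although the patch is now declared as `Patch2002:` in the el10 spec, so an el10 line would keep the provenance accurate. The enclosing function (presumably sss_cache's main, given `poptContext pc`) starts and ends outside the hunk.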
@@ -1,48 +1,14 @@ -# SSSD SPEC file for Fedora 34+ and RHEL-9+ +# SSSD SPEC file for RHEL-10 -# define SSSD user -%if 0%{?fedora} >= 41 || 0%{?rhel} %global use_sssd_user 1 %global sssd_user sssd -%else -%global use_sssd_user 0 -%global sssd_user root -%endif - -# sysusers depends on presence of sssd user -%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10 %global use_sysusers 1 -%else -%global use_sysusers 0 -%endif - -%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 %global build_subid 1 -%else -%global build_subid 0 -%endif - -%if 0%{?fedora} >= 34 -%global build_kcm_renewals 1 -%global krb5_version 1.19.1 -%elif 0%{?rhel} >= 8 %global build_kcm_renewals 1 %global krb5_version 1.18.2 -%else -%global build_kcm_renewals 0 -%endif - -%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9 %global build_passkey 1 -%else -%global build_passkey 0 -%endif - -%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10 +%global build_idp 0 %global build_ssh_known_hosts_proxy 0 -%else -%global build_ssh_known_hosts_proxy 1 -%endif # we don't want to provide private python extension libs %define __provides_exclude_from %{python3_sitearch}/.*\.so$ 
@@ -56,19 +22,18 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}) Name: sssd -Version: 2.10.2 -Release: 3%{?dist}.3 +Version: 2.11.1 +Release: 2.0.1%{?dist}.1 Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ -Source0: https://github.com/SSSD/sssd/releases/download/2.10.2/sssd-2.10.2.tar.gz +Source0: https://github.com/SSSD/sssd/releases/download/2.11.1/sssd-2.11.1.tar.gz Source1: sssd.sysusers +Patch2002: 2002-orabug32810448-restore-default-debug-sss_cache.patch ### Patches ### -Patch0001: 0001-KCM-fix-memory-leak.patch -Patch0002: 0002-KCM-another-memory-leak-fixed.patch -Patch0003: 0003-SYSDB-don-t-add-group-members-if-ignore_group_member.patch -Patch0004: 0004-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch +Patch0001: 0001-Revert-ipa-improve-handling-of-external-group-member.patch +Patch0002: 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch ### Dependencies ### @@ -166,7 +131,9 @@ BuildRequires: systemtap-sdt-devel BuildRequires: systemtap-sdt-dtrace BuildRequires: uid_wrapper BuildRequires: po4a +%ifarch %{valgrind_arches} BuildRequires: valgrind-devel +%endif %if %{build_subid} BuildRequires: shadow-utils-subid-devel %endif @@ -533,7 +500,7 @@ enable authentication with passkey token. %endif %prep -%autosetup -n sssd-2.10.2 -p1 +%autosetup -n sssd-2.11.1 -p1 %build @@ -568,6 +535,9 @@ autoreconf -ivf %endif %if %{build_ssh_known_hosts_proxy} --with-ssh-known-hosts-proxy \ +%endif +%if ! %{build_idp} + --with-id-provider-idp=no %endif %{nil} @@ -1013,6 +983,10 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf %{_mandir}/man8/sssd-kcm.8* %files idp +%if %{build_idp} +%{_libdir}/%{name}/libsss_idp.so +%{_mandir}/man5/sssd-idp.5* +%endif %{_libexecdir}/%{servicename}/oidc_child %{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so %{_datadir}/sssd/krb5-snippets/sssd_enable_idp 
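Review bot: In the `%files idp` hunk only `libsss_idp.so` and its man page are gated on `%{build_idp}`, while `oidc_child`, `sssd_krb5_idp_plugin.so` and the `sssd_enable_idp` krb5 snippet are still packaged even though the configure hunk passes `--with-id-provider-idp=no`; shipping a Kerberos plugin and an OIDC helper whose provider is compiled out leaves installed code this build cannot exercise, which is either an oversight or an undocumented intent. Either wrap the whole subpackage in `%if %{build_idp}` or add a comment above `%files idp` such as `# build_idp=0 removes only the id provider; oidc_child and the krb5 plugin are kept because <reason>` with the actual reason filled in. As a point of style, `Patch2002:` sits above the `### Patches ###` heading and the upstream patches; `%autosetup -p1` applies by tag number so it is presumably applied last regardless, but moving it under the heading with a one-line `# downstream (Oracle) patches` marker makes the ordering obvious. The spec continues outside the hunk.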
@@ -1031,7 +1005,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf %if %{use_sssd_user} %pre common -! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true +! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null 2>&1 || true %if %{use_sysusers} %sysusers_create_compat %{SOURCE1} %else @@ -1052,6 +1026,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi %__rm -f %{mcpath}/group %__rm -f %{mcpath}/initgroups %__rm -f %{mcpath}/sid +%__rm -f %{pubconfpath}/known_hosts %__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true %__chmod -f -R g+r %{_sysconfdir}/sssd || true %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true 
@@ -1119,8 +1094,41 @@ fi %systemd_postun_with_restart sssd.service %changelog -* Mon Oct 20 2025 Masahiro Matsuya - 2.10.2-3.3 -- Resolves: RHEL-120286 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-10.0.z] +* Tue Nov 25 2025 EL Errata - 2.11.1-2.0.1.1 +- Restore default debug level for sss_cache [Orabug: 32810448] + +* Tue Oct 21 2025 Sumit Bose - 2.11.1-2.1 +- Resovles: RHEL-120288 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows + privilege escalation on AD-joined Linux systems [rhel-10.1.z] + +* Thu Aug 14 2025 Alexey Tikhonov - 2.11.1-2 +- Related: RHEL-77184 - AD user in external group is not cleared when expiring the cache + Patch used to fix this ticket causes a regression (RHEL-106987) and is being reverted. + +* Thu Jul 31 2025 Alexey Tikhonov - 2.11.1-1 +- Resolves: RHEL-95058 - Rebase SSSD for RHEL 10.1 +- Resolves: RHEL-77184 - AD user in external group is not cleared when expiring the cache + +* Fri Jun 13 2025 Alexey Tikhonov - 2.11.0-3 +- Related: RHEL-89870 - Rebase Samba to the latest 4.22.x release + +* Fri Jun 6 2025 Alexey Tikhonov - 2.11.0-2 +- Resolves: RHEL-95058 - Rebase SSSD for RHEL 10.1 + +* Thu Jun 5 2025 Alexey Tikhonov - 2.11.0-1 +- Resolves: RHEL-95058 - Rebase SSSD for RHEL 10.1 +- Resolves: RHEL-4976 - [RFE] Continue searching other PKCS#11 tokens if certificates are not found +- Resolves: RHEL-87200 - SSSD fails to connect with ipv4_first when on a machine with only IPv6 and server is dual-stack +- Resolves: RHEL-25593 - Improve sssd-simple man page description +- Resolves: RHEL-14752 - [RFE] Add IPA subdomain support to allow IPA-IPA trust +- Resolves: RHEL-92569 - SSSD LDAPU1 Mapping braces problem +- Resolves: RHEL-4981 - p11_child currently has an infinite timeout +- Resolves: RHEL-5042 - IDM homedir %%o is not working, returns /home/domain/user instead of AD POSIX unixHomeDir +- Resolves: RHEL-13086 - [RFE] Anonymous bind requests on 
RootDSE +- Resolves: RHEL-45824 - SSSD unable to enumerate LDAP groups if LDAP server contains any group with # character in their names + +* Fri May 2 2025 Andrea Bolognani - 2.10.2-4 +- Resolves: RHEL-89474 - Fails to build on riscv64 * Mon Apr 7 2025 Alexey Tikhonov - 2.10.2-3.2 - Resolves: RHEL-79158 - Disk cache failure with large db sizes