import CS sssd-2.9.7-4.el9
This commit is contained in:
parent
e9b714e709
commit
fd6b23abaf
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/sssd-2.9.6.tar.gz
|
||||
SOURCES/sssd-2.9.7.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
da2490cf07d91fd340ce87ffc209fc2420ccf60c SOURCES/sssd-2.9.6.tar.gz
|
||||
b8c9deadb0f0a9b0afdea1dcfc3f0f955f8a7f64 SOURCES/sssd-2.9.7.tar.gz
|
||||
|
||||
@ -1,83 +0,0 @@
|
||||
From 4f9fb5fd301d635ad54bf6d0ef93d6811445c7f9 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Wed, 22 May 2024 13:31:06 +0200
|
||||
Subject: [PATCH] SYSDB: Use SYSDB_NAME from cached entry when updating users
|
||||
and groups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The sysdb_store_user() and sysdb_store_group() functinos search for the
|
||||
entry by name to check if it is already cached. This search considers
|
||||
SYSDB_ALIAS, added when the domain is case insensitive. If a matching
|
||||
entry is found use its SYSDB_NAME instead of the passed name.
|
||||
|
||||
It may happen the group is stored in uppercase, but later some server
|
||||
returns a memberOf attribute in lowercase. When updating the group to
|
||||
add the memberships the first search will find the entry, but the modify
|
||||
operation will fail as the group name in the built DN will differ in case.
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit d2b734b926e1f23370c9cabd8ba6f07bf6b29a86)
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
|
||||
1 file changed, 32 insertions(+)
|
||||
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 76f4580aa..32e49d759 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -2615,6 +2615,22 @@ int sysdb_store_user(struct sss_domain_info *domain,
|
||||
}
|
||||
} else {
|
||||
/* the user exists, let's just replace attributes when set */
|
||||
+ /*
|
||||
+ * The sysdb_search_user_by_name() function also matches lowercased
|
||||
+ * aliases, saved when the domain is case-insensitive. This means that
|
||||
+ * the stored entry name can differ in capitalization from the search
|
||||
+ * name. Use the cached entry name to perform the modification because
|
||||
+ * if name capitalization in entry's DN differs the modify operation
|
||||
+ * will fail.
|
||||
+ */
|
||||
+ const char *entry_name =
|
||||
+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
|
||||
+ if (entry_name != NULL) {
|
||||
+ name = entry_name;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "User '%s' without a name?\n", name);
|
||||
+ }
|
||||
+
|
||||
ret = sysdb_store_user_attrs(domain, name, uid, gid, gecos, homedir,
|
||||
shell, orig_dn, attrs, remove_attrs,
|
||||
cache_timeout, now);
|
||||
@@ -2849,6 +2865,22 @@ int sysdb_store_group(struct sss_domain_info *domain,
|
||||
ret = sysdb_store_new_group(domain, name, gid, attrs,
|
||||
cache_timeout, now);
|
||||
} else {
|
||||
+ /*
|
||||
+ * The sysdb_search_group_by_name() function also matches lowercased
|
||||
+ * aliases, saved when the domain is case-insensitive. This means that
|
||||
+ * the stored entry name can differ in capitalization from the search
|
||||
+ * name. Use the cached entry name to perform the modification because
|
||||
+ * if name capitalization in entry's DN differs the modify operation
|
||||
+ * will fail.
|
||||
+ */
|
||||
+ const char *entry_name =
|
||||
+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
|
||||
+ if (entry_name != NULL) {
|
||||
+ name = entry_name;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "Group '%s' without a name?\n", name);
|
||||
+ }
|
||||
+
|
||||
ret = sysdb_store_group_attrs(domain, name, gid, attrs,
|
||||
cache_timeout, now);
|
||||
}
|
||||
--
|
||||
2.47.0
|
||||
|
||||
42
SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
Normal file
42
SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 18 Jun 2025 14:30:57 +0200
|
||||
Subject: [PATCH 3/4] authtok: add IS_PW_OR_ST_AUTHTOK()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch adds a helper macro to determine if an authtok struct is of
|
||||
type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
|
||||
useful if a password is expected but an authentication token forwarded
|
||||
by an different PAM module, which is most probably a password, can be
|
||||
used as well.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7968
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
|
||||
---
|
||||
src/util/authtok.h | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/util/authtok.h b/src/util/authtok.h
|
||||
index b58e9dbbd..acabb7078 100644
|
||||
--- a/src/util/authtok.h
|
||||
+++ b/src/util/authtok.h
|
||||
@@ -28,6 +28,10 @@
|
||||
sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
|
||||
|| sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
|
||||
|
||||
+#define IS_PW_OR_ST_AUTHTOK(tok) ( \
|
||||
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
|
||||
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
|
||||
+
|
||||
|
||||
/* Use sss_authtok_* accessor functions instead of struct sss_auth_token
|
||||
*/
|
||||
--
|
||||
2.50.0
|
||||
|
||||
@ -1,93 +0,0 @@
|
||||
From 6aba9a7dd2261c19f053d5fbd5358fdaf335b807 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 5 Feb 2025 08:59:49 +0100
|
||||
Subject: [PATCH] KCM: fix memory leak
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The copy of 'secret' argument - `secret_val.data` - was left hanging
|
||||
on `sss_sec_ctx`, effectively resulting in a memory leak.
|
||||
But this copy isn't actually required as this data isn't modified in
|
||||
below operations.
|
||||
|
||||
This is a backport of https://github.com/SSSD/sssd/pull/7823
|
||||
|
||||
:fixes:'sssd_kcm' memory leak was fixed.
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/responder/kcm/secrets/secrets.c | 28 ++++++++++++----------------
|
||||
1 file changed, 12 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
|
||||
index 730fa68b6..d1a9672d5 100644
|
||||
--- a/src/responder/kcm/secrets/secrets.c
|
||||
+++ b/src/responder/kcm/secrets/secrets.c
|
||||
@@ -953,7 +953,7 @@ errno_t sss_sec_put(struct sss_sec_req *req,
|
||||
size_t secret_len)
|
||||
{
|
||||
struct ldb_message *msg;
|
||||
- struct ldb_val secret_val;
|
||||
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
|
||||
int ret;
|
||||
|
||||
if (req == NULL || secret == NULL) {
|
||||
@@ -1002,13 +1002,11 @@ errno_t sss_sec_put(struct sss_sec_req *req,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- secret_val.length = secret_len;
|
||||
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
|
||||
- if (!secret_val.data) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
|
||||
+ * but rather copies a pointer under the hood.
|
||||
+ * This is fine since no operations modifying this data are performed
|
||||
+ * below and 'msg' is freed before function returns.
|
||||
+ */
|
||||
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
@@ -1050,7 +1048,7 @@ errno_t sss_sec_update(struct sss_sec_req *req,
|
||||
size_t secret_len)
|
||||
{
|
||||
struct ldb_message *msg;
|
||||
- struct ldb_val secret_val;
|
||||
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
|
||||
int ret;
|
||||
|
||||
if (req == NULL || secret == NULL) {
|
||||
@@ -1099,13 +1097,6 @@ errno_t sss_sec_update(struct sss_sec_req *req,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- secret_val.length = secret_len;
|
||||
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
|
||||
- if (!secret_val.data) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
/* FIXME - should we have a lastUpdate timestamp? */
|
||||
ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
@@ -1115,6 +1106,11 @@ errno_t sss_sec_update(struct sss_sec_req *req,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
|
||||
+ * but rather copies a pointer under the hood.
|
||||
+ * This is fine since no operations modifying this data are performed
|
||||
+ * below and 'msg' is freed before function returns.
|
||||
+ */
|
||||
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
--
|
||||
2.47.0
|
||||
|
||||
@ -0,0 +1,104 @@
|
||||
From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 10 Jun 2025 14:22:19 +0200
|
||||
Subject: [PATCH 4/4] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
|
||||
handle credentials forwarded by other PAM modules. Before it was
|
||||
unconditionally assumed that it is a password and hence
|
||||
SSS_AUTHTOK_TYPE_PASSWORD was used.
|
||||
|
||||
When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
|
||||
already handled but currently offline use-cases fail because here only
|
||||
SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
|
||||
SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
|
||||
credentials as well.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7968
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
|
||||
---
|
||||
src/providers/krb5/krb5_auth.c | 11 +++++++----
|
||||
src/providers/krb5/krb5_child.c | 4 ++++
|
||||
.../krb5/krb5_delayed_online_authentication.c | 2 +-
|
||||
src/responder/pam/pamsrv_cmd.c | 1 +
|
||||
4 files changed, 13 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index 07e4d807f..fb2f58869 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
|
||||
domain->cache_credentials_min_ff_length);
|
||||
ret = EINVAL;
|
||||
}
|
||||
- } else if (sss_authtok_get_type(pd->authtok) ==
|
||||
- SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
+ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
|
||||
+ /* At this point we can be sure that
|
||||
+ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
|
||||
+ * krb5_auth_store_creds() is not called if 2FA/otp was used,
|
||||
+ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
|
||||
+ */
|
||||
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
|
||||
} else {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
|
||||
@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
||||
if (kr->is_offline) {
|
||||
if (dp_opt_get_bool(kr->krb5_ctx->opts,
|
||||
KRB5_STORE_PASSWORD_IF_OFFLINE)
|
||||
- && sss_authtok_get_type(pd->authtok)
|
||||
- == SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
+ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
|
||||
krb5_auth_cache_creds(state->kr->krb5_ctx,
|
||||
state->domain,
|
||||
state->be_ctx->cdb,
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index 5830305a0..21ec38627 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
||||
if (kerr != 0) {
|
||||
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
|
||||
|
||||
+ if (kerr == EAGAIN) {
|
||||
+ kerr = KRB5_KDC_UNREACH;
|
||||
+ }
|
||||
+
|
||||
/* Special case for IPA password migration */
|
||||
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& kerr == KRB5_PREAUTH_FAILED
|
||||
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
|
||||
index f88d8ab9b..1fac986a6 100644
|
||||
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
|
||||
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
|
||||
@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
+ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Invalid authtok for user [%s].\n", pd->user);
|
||||
return EINVAL;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index d4cb421f4..c6a436069 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
|
||||
|
||||
switch (sss_authtok_get_type(authtok)) {
|
||||
case SSS_AUTHTOK_TYPE_PASSWORD:
|
||||
+ case SSS_AUTHTOK_TYPE_PAM_STACKED:
|
||||
ret = sss_authtok_get_password(authtok, password, NULL);
|
||||
break;
|
||||
case SSS_AUTHTOK_TYPE_2FA:
|
||||
--
|
||||
2.50.0
|
||||
|
||||
@ -1,59 +0,0 @@
|
||||
From e7c76df8c0fa4a361c433684553ba1384166a564 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 12 Feb 2025 11:30:22 +0100
|
||||
Subject: [PATCH] KCM: another memory leak fixed
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
```
|
||||
...
|
||||
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0
|
||||
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90
|
||||
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520
|
||||
...
|
||||
```
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
(cherry picked from commit 9e72bc242b600158d7920b2b98644efa42fd1ffa)
|
||||
---
|
||||
src/responder/kcm/kcmsrv_ccache.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
|
||||
index 6e4ea64e0..4f4f8b46a 100644
|
||||
--- a/src/responder/kcm/kcmsrv_ccache.c
|
||||
+++ b/src/responder/kcm/kcmsrv_ccache.c
|
||||
@@ -404,7 +404,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
- goto done;
|
||||
+ goto fail;
|
||||
}
|
||||
|
||||
for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) {
|
||||
@@ -417,7 +417,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
|
||||
cred_list[i] = kcm_cred_to_krb5(krb_context, cred);
|
||||
if (cred_list[i] == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n");
|
||||
- goto done;
|
||||
+ goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -426,8 +426,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
|
||||
|
||||
talloc_steal(mem_ctx, cred_list);
|
||||
|
||||
+ talloc_free(tmp_ctx);
|
||||
return cred_list;
|
||||
-done:
|
||||
+
|
||||
+fail:
|
||||
talloc_free(tmp_ctx);
|
||||
return NULL;
|
||||
#endif
|
||||
--
|
||||
2.47.0
|
||||
|
||||
@ -23,10 +23,10 @@
|
||||
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
||||
%global ldb_version 1.2.0
|
||||
|
||||
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
|
||||
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
|
||||
|
||||
Name: sssd
|
||||
Version: 2.9.6
|
||||
Version: 2.9.7
|
||||
Release: 4%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -34,9 +34,8 @@ URL: https://github.com/SSSD/sssd/
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
|
||||
Patch0002: 0002-KCM-fix-memory-leak.patch
|
||||
Patch0003: 0003-KCM-another-memory-leak-fixed.patch
|
||||
Patch0001: 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
|
||||
Patch0002: 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
@ -1086,6 +1085,30 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Thu Aug 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-4
|
||||
- Related: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]
|
||||
Patch used to fix this ticket causes a regression (RHEL-106987) and is being reverted.
|
||||
|
||||
* Mon Jul 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-3
|
||||
- Resolves: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]
|
||||
- Resolves: RHEL-103434 - cache_credentials = true not working
|
||||
|
||||
* Wed Jun 11 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-2
|
||||
- Related: RHEL-89873 - Rebase Samba to the latest 4.22.x release
|
||||
|
||||
* Tue May 20 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-1
|
||||
- Resolves: RHEL-92622 - Rebase SSSD for RHEL 9.7
|
||||
- Resolves: RHEL-87205 - SSSD fails to connect with ipv4_first when on a machine with only IPv6 and server is dual-stack [rhel-9]
|
||||
- Resolves: RHEL-73906 - OAuth2 using UPN attribute from Entra ID
|
||||
- Resolves: RHEL-92590 - SSSD LDAPU1 Mapping braces problem [rhel-9]
|
||||
- Resolves: RHEL-90136 - backport https://github.com/SSSD/sssd/pull/7649
|
||||
|
||||
* Mon Apr 7 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4.2
|
||||
- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
|
||||
|
||||
* Wed Apr 2 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4.1
|
||||
- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
|
||||
|
||||
* Wed Feb 12 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4
|
||||
- Resolves: RHEL-78253 - 'sssd_kcm' leaks memory [rhel-9]
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user