import CS sssd-2.9.7-4.el9

This commit is contained in:
eabdullin 2025-09-15 12:50:07 +00:00
parent e9b714e709
commit fd6b23abaf
8 changed files with 176 additions and 242 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.9.6.tar.gz
SOURCES/sssd-2.9.7.tar.gz

View File

@ -1 +1 @@
da2490cf07d91fd340ce87ffc209fc2420ccf60c SOURCES/sssd-2.9.6.tar.gz
b8c9deadb0f0a9b0afdea1dcfc3f0f955f8a7f64 SOURCES/sssd-2.9.7.tar.gz

View File

@ -1,83 +0,0 @@
From 4f9fb5fd301d635ad54bf6d0ef93d6811445c7f9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 22 May 2024 13:31:06 +0200
Subject: [PATCH] SYSDB: Use SYSDB_NAME from cached entry when updating users
and groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The sysdb_store_user() and sysdb_store_group() functinos search for the
entry by name to check if it is already cached. This search considers
SYSDB_ALIAS, added when the domain is case insensitive. If a matching
entry is found use its SYSDB_NAME instead of the passed name.
It may happen the group is stored in uppercase, but later some server
returns a memberOf attribute in lowercase. When updating the group to
add the memberships the first search will find the entry, but the modify
operation will fail as the group name in the built DN will differ in case.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d2b734b926e1f23370c9cabd8ba6f07bf6b29a86)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 76f4580aa..32e49d759 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2615,6 +2615,22 @@ int sysdb_store_user(struct sss_domain_info *domain,
}
} else {
/* the user exists, let's just replace attributes when set */
+ /*
+ * The sysdb_search_user_by_name() function also matches lowercased
+ * aliases, saved when the domain is case-insensitive. This means that
+ * the stored entry name can differ in capitalization from the search
+ * name. Use the cached entry name to perform the modification because
+ * if name capitalization in entry's DN differs the modify operation
+ * will fail.
+ */
+ const char *entry_name =
+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (entry_name != NULL) {
+ name = entry_name;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "User '%s' without a name?\n", name);
+ }
+
ret = sysdb_store_user_attrs(domain, name, uid, gid, gecos, homedir,
shell, orig_dn, attrs, remove_attrs,
cache_timeout, now);
@@ -2849,6 +2865,22 @@ int sysdb_store_group(struct sss_domain_info *domain,
ret = sysdb_store_new_group(domain, name, gid, attrs,
cache_timeout, now);
} else {
+ /*
+ * The sysdb_search_group_by_name() function also matches lowercased
+ * aliases, saved when the domain is case-insensitive. This means that
+ * the stored entry name can differ in capitalization from the search
+ * name. Use the cached entry name to perform the modification because
+ * if name capitalization in entry's DN differs the modify operation
+ * will fail.
+ */
+ const char *entry_name =
+ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (entry_name != NULL) {
+ name = entry_name;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Group '%s' without a name?\n", name);
+ }
+
ret = sysdb_store_group_attrs(domain, name, gid, attrs,
cache_timeout, now);
}
--
2.47.0

View File

@ -0,0 +1,42 @@
From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Jun 2025 14:30:57 +0200
Subject: [PATCH 3/4] authtok: add IS_PW_OR_ST_AUTHTOK()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds a helper macro to determine if an authtok struct is of
type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
useful if a password is expected but an authentication token forwarded
by an different PAM module, which is most probably a password, can be
used as well.
Resolves: https://github.com/SSSD/sssd/issues/7968
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
---
src/util/authtok.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/util/authtok.h b/src/util/authtok.h
index b58e9dbbd..acabb7078 100644
--- a/src/util/authtok.h
+++ b/src/util/authtok.h
@@ -28,6 +28,10 @@
sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
|| sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+#define IS_PW_OR_ST_AUTHTOK(tok) ( \
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
+
/* Use sss_authtok_* accessor functions instead of struct sss_auth_token
*/
--
2.50.0

View File

@ -1,93 +0,0 @@
From 6aba9a7dd2261c19f053d5fbd5358fdaf335b807 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 5 Feb 2025 08:59:49 +0100
Subject: [PATCH] KCM: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The copy of 'secret' argument - `secret_val.data` - was left hanging
on `sss_sec_ctx`, effectively resulting in a memory leak.
But this copy isn't actually required as this data isn't modified in
below operations.
This is a backport of https://github.com/SSSD/sssd/pull/7823
:fixes:'sssd_kcm' memory leak was fixed.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/responder/kcm/secrets/secrets.c | 28 ++++++++++++----------------
1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 730fa68b6..d1a9672d5 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -953,7 +953,7 @@ errno_t sss_sec_put(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val;
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
int ret;
if (req == NULL || secret == NULL) {
@@ -1002,13 +1002,11 @@ errno_t sss_sec_put(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1050,7 +1048,7 @@ errno_t sss_sec_update(struct sss_sec_req *req,
size_t secret_len)
{
struct ldb_message *msg;
- struct ldb_val secret_val;
+ const struct ldb_val secret_val = { .length = secret_len, .data = secret };
int ret;
if (req == NULL || secret == NULL) {
@@ -1099,13 +1097,6 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
- secret_val.length = secret_len;
- secret_val.data = talloc_memdup(req->sctx, secret, secret_len);
- if (!secret_val.data) {
- ret = ENOMEM;
- goto done;
- }
-
/* FIXME - should we have a lastUpdate timestamp? */
ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL);
if (ret != LDB_SUCCESS) {
@@ -1115,6 +1106,11 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
+ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data
+ * but rather copies a pointer under the hood.
+ * This is fine since no operations modifying this data are performed
+ * below and 'msg' is freed before function returns.
+ */
ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_MINOR_FAILURE,
--
2.47.0

View File

@ -0,0 +1,104 @@
From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 10 Jun 2025 14:22:19 +0200
Subject: [PATCH 4/4] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
handle credentials forwarded by other PAM modules. Before it was
unconditionally assumed that it is a password and hence
SSS_AUTHTOK_TYPE_PASSWORD was used.
When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
already handled but currently offline use-cases fail because here only
SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
credentials as well.
Resolves: https://github.com/SSSD/sssd/issues/7968
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
---
src/providers/krb5/krb5_auth.c | 11 +++++++----
src/providers/krb5/krb5_child.c | 4 ++++
.../krb5/krb5_delayed_online_authentication.c | 2 +-
src/responder/pam/pamsrv_cmd.c | 1 +
4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 07e4d807f..fb2f58869 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
domain->cache_credentials_min_ff_length);
ret = EINVAL;
}
- } else if (sss_authtok_get_type(pd->authtok) ==
- SSS_AUTHTOK_TYPE_PASSWORD) {
+ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
+ /* At this point we can be sure that
+ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
+ * krb5_auth_store_creds() is not called if 2FA/otp was used,
+ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
+ */
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
} else {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
if (kr->is_offline) {
if (dp_opt_get_bool(kr->krb5_ctx->opts,
KRB5_STORE_PASSWORD_IF_OFFLINE)
- && sss_authtok_get_type(pd->authtok)
- == SSS_AUTHTOK_TYPE_PASSWORD) {
+ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
krb5_auth_cache_creds(state->kr->krb5_ctx,
state->domain,
state->be_ctx->cdb,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 5830305a0..21ec38627 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ if (kerr == EAGAIN) {
+ kerr = KRB5_KDC_UNREACH;
+ }
+
/* Special case for IPA password migration */
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
&& kerr == KRB5_PREAUTH_FAILED
diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
index f88d8ab9b..1fac986a6 100644
--- a/src/providers/krb5/krb5_delayed_online_authentication.c
+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
return EINVAL;
}
- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid authtok for user [%s].\n", pd->user);
return EINVAL;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index d4cb421f4..c6a436069 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
switch (sss_authtok_get_type(authtok)) {
case SSS_AUTHTOK_TYPE_PASSWORD:
+ case SSS_AUTHTOK_TYPE_PAM_STACKED:
ret = sss_authtok_get_password(authtok, password, NULL);
break;
case SSS_AUTHTOK_TYPE_2FA:
--
2.50.0

View File

@ -1,59 +0,0 @@
From e7c76df8c0fa4a361c433684553ba1384166a564 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 12 Feb 2025 11:30:22 +0100
Subject: [PATCH] KCM: another memory leak fixed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
```
...
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520
...
```
Reviewed-by: Alejandro López <allopez@redhat.com>
(cherry picked from commit 9e72bc242b600158d7920b2b98644efa42fd1ffa)
---
src/responder/kcm/kcmsrv_ccache.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index 6e4ea64e0..4f4f8b46a 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -404,7 +404,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- goto done;
+ goto fail;
}
for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) {
@@ -417,7 +417,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
cred_list[i] = kcm_cred_to_krb5(krb_context, cred);
if (cred_list[i] == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n");
- goto done;
+ goto fail;
}
}
@@ -426,8 +426,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx,
talloc_steal(mem_ctx, cred_list);
+ talloc_free(tmp_ctx);
return cred_list;
-done:
+
+fail:
talloc_free(tmp_ctx);
return NULL;
#endif
--
2.47.0

View File

@ -23,10 +23,10 @@
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.2.0
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
Version: 2.9.6
Version: 2.9.7
Release: 4%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
@ -34,9 +34,8 @@ URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
Patch0001: 0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
Patch0002: 0002-KCM-fix-memory-leak.patch
Patch0003: 0003-KCM-another-memory-leak-fixed.patch
Patch0001: 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
Patch0002: 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
### Dependencies ###
@ -1086,6 +1085,30 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Thu Aug 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-4
- Related: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]
Patch used to fix this ticket causes a regression (RHEL-106987) and is being reverted.
* Mon Jul 14 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-3
- Resolves: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9]
- Resolves: RHEL-103434 - cache_credentials = true not working
* Wed Jun 11 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-2
- Related: RHEL-89873 - Rebase Samba to the latest 4.22.x release
* Tue May 20 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.7-1
- Resolves: RHEL-92622 - Rebase SSSD for RHEL 9.7
- Resolves: RHEL-87205 - SSSD fails to connect with ipv4_first when on a machine with only IPv6 and server is dual-stack [rhel-9]
- Resolves: RHEL-73906 - OAuth2 using UPN attribute from Entra ID
- Resolves: RHEL-92590 - SSSD LDAPU1 Mapping braces problem [rhel-9]
- Resolves: RHEL-90136 - backport https://github.com/SSSD/sssd/pull/7649
* Mon Apr 7 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4.2
- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
* Wed Apr 2 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4.1
- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
* Wed Feb 12 2025 Alexey Tikhonov <atikhono@redhat.com> - 2.9.6-4
- Resolves: RHEL-78253 - 'sssd_kcm' leaks memory [rhel-9]