diff --git a/.gitignore b/.gitignore
index bffaf09..eee5b09 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.2.0.tar.gz
+SOURCES/sssd-2.2.3.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 637397e..3fa9e18 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-6c4ba24eb19a821c69e19675e76f01c94cbd5aa0 SOURCES/sssd-2.2.0.tar.gz
+c2b457f85586750f5b22bfedd4cbca5b6f8fdb88 SOURCES/sssd-2.2.3.tar.gz
diff --git a/SOURCES/0001-INI-sssctl-config-check-command-error-messages.patch b/SOURCES/0001-INI-sssctl-config-check-command-error-messages.patch
new file mode 100644
index 0000000..124b9be
--- /dev/null
+++ b/SOURCES/0001-INI-sssctl-config-check-command-error-messages.patch
@@ -0,0 +1,35 @@
+From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001
+From: Tomas Halman
+Date: Tue, 10 Dec 2019 16:30:32 +0100
+Subject: [PATCH] INI: sssctl config-check command error messages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case of parsing error sssctl config-check command does not give
+proper error messages with line number. With this patch the error
+message is printed again.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4129
+
+Reviewed-by: Michal Židek
+---
+ src/util/sss_ini.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
+index e3699805d..5d91602cd 100644
+--- a/src/util/sss_ini.c
++++ b/src/util/sss_ini.c
+@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ 
+ ret = sss_ini_parse(self);
+ if (ret != EOK) {
++ sss_ini_config_print_errors(self->error_list);
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
+ return ERR_INI_PARSE_FAILED;
+ }
+-- 
+2.20.1
+
diff --git a/SOURCES/0002-certmap-mention-special-regex-characters-in-man-page.patch b/SOURCES/0002-certmap-mention-special-regex-characters-in-man-page.patch
new file mode 100644
index 0000000..1eee827
--- /dev/null
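Review bot: The added `sss_ini_config_print_errors(self->error_list)` call in the sss_ini.c hunk relies on `sss_ini_parse()` having filled `self->error_list` on every failure path and on the printer tolerating a NULL list, and neither contract is visible here; if the parse can fail before libini records any error (e.g. a read error), guard it with `if (self->error_list != NULL)` or confirm the callee already does. If libini's error strings echo the offending line text rather than only a line number and description, an error on a line such as `ldap_default_authtok = ...` would copy that secret into sssd's log, so it is worth confirming the message format before this lands in a daemon code path rather than only in sssctl. A why-comment would also help, e.g. `/* Print libini's per-line parse errors before the generic failure; sssctl config-check relies on them. */`. `sss_ini_read_sssd_conf()` starts and ends outside the hunk.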
+++ b/SOURCES/0002-certmap-mention-special-regex-characters-in-man-page.patch
@@ -0,0 +1,42 @@
+From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 12 Dec 2019 13:10:16 +0100
+Subject: [PATCH] certmap: mention special regex characters in man page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since some of the matching rules use regular expressions some characters
+must be escaped so that they can be used a ordinary characters in the
+rules.
+
+Related to https://pagure.io/SSSD/sssd/issue/4127
+
+Reviewed-by: Michal Židek
+---
+ src/man/sss-certmap.5.xml | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
+index db258d14a..10343625e 100644
+--- a/src/man/sss-certmap.5.xml
++++ b/src/man/sss-certmap.5.xml
+@@ -92,6 +92,15 @@
+ 
+ Example: <SUBJECT>.*,DC=MY,DC=DOMAIN
+ 
++ 
++ Please note that the characters "^.[$()|*+?{\" have a
++ special meaning in regular expressions and must be
++ escaped with the help of the '\' character so that they
++ are matched as ordinary characters.
++ 
++ 
++ Example: <SUBJECT>^CN=.* \(Admin\),DC=MY,DC=DOMAIN$
++ 
+ 
+ 
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0003-ldap_child-do-not-try-PKINIT.patch b/SOURCES/0003-ldap_child-do-not-try-PKINIT.patch
new file mode 100644
index 0000000..c0d5c51
--- /dev/null
+++ b/SOURCES/0003-ldap_child-do-not-try-PKINIT.patch
@@ -0,0 +1,98 @@
+From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 6 Dec 2019 12:29:49 +0100
+Subject: [PATCH] ldap_child: do not try PKINIT
+
+if the PKINIT plugin is installed and pkinit_identities is set in
+/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
+wants to authenticate with a keytab. As a result ldap_child might try to
+access a Smartcard which is either not allowed at all or might cause
+unexpected delays.
+
+To avoid this the current patch sets pkinit_identities for LDAP child
+explicitly to make the PKINIT plugin fail because if installed libkrb5
+will always use it.
+
+It turned out the setting pre-authentication options requires some
+internal flags to be set and krb5_get_init_creds_opt_alloc() must be
+used to initialize the options struct.
+
+Related to https://pagure.io/SSSD/sssd/issue/4126
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
+index 408d64db4..b081df90f 100644
+--- a/src/providers/ldap/ldap_child.c
++++ b/src/providers/ldap/ldap_child.c
+@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+ krb5_ccache ccache = NULL;
+ krb5_principal kprinc;
+ krb5_creds my_creds;
+- krb5_get_init_creds_opt options;
++ krb5_get_init_creds_opt *options = NULL;
+ krb5_error_code krberr;
+ krb5_timestamp kdc_time_offset;
+ int canonicalize = 0;
+@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+ }
+ 
+ memset(&my_creds, 0, sizeof(my_creds));
+- memset(&options, 0, sizeof(options));
+ 
+- krb5_get_init_creds_opt_set_address_list(&options, NULL);
+- krb5_get_init_creds_opt_set_forwardable(&options, 0);
+- krb5_get_init_creds_opt_set_proxiable(&options, 0);
+- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
++ 
krberr = krb5_get_init_creds_opt_alloc(context, &options);
++ if (krberr != 0) {
++ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
++ goto done;
++ }
++ 
++ krb5_get_init_creds_opt_set_address_list(options, NULL);
++ krb5_get_init_creds_opt_set_forwardable(options, 0);
++ krb5_get_init_creds_opt_set_proxiable(options, 0);
++ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
++ krberr = krb5_get_init_creds_opt_set_pa(context, options,
++ "X509_user_identity", "");
++ if (krberr != 0) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
++ krberr);
++ }
++ 
+ 
+ tmp_str = getenv("KRB5_CANONICALIZE");
+ if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
+ canonicalize = 1;
+ }
+- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
++ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
+ 
+ ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
+ DB_PATH, realm_name);
+@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+ }
+ 
+ krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
+- keytab, 0, NULL, &options);
++ keytab, 0, NULL, options);
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_get_init_creds_keytab() failed: %d\n", krberr);
+@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+ *expire_time_out = my_creds.times.endtime - kdc_time_offset;
+ 
+ done:
++ krb5_get_init_creds_opt_free(context, options);
+ if (krberr != 0) {
+ if (*_krb5_msg == NULL) {
+ /* no custom error message provided hence get one from libkrb5 */
+-- 
+2.20.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 44dcc09..bc700d2 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
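Review bot: The `krb5_get_init_creds_opt_set_pa(context, options, "X509_user_identity", "")` call is the whole point of the patch, but nothing at the call site says why an empty identity is being set; add a why-comment above it such as `/* Force the PKINIT preauth plugin to fail so ldap_child never reaches for a smartcard; this helper only ever authenticates with the keytab. */`. A failure of that call is logged as "ignored", which silently restores the pre-patch behaviour (PKINIT may still run and contact pcscd); best-effort is a defensible choice, but the message should say what is lost, e.g. `"krb5_get_init_creds_opt_set_pa failed [%d], PKINIT may still be attempted.\n"`. On the `krb5_get_init_creds_opt_alloc` failure path `options` is still NULL when `done:` calls `krb5_get_init_creds_opt_free(context, options)`; MIT libkrb5 returns early on NULL, but neither this call nor `set_pa` is wrapped the way `sss_krb5_get_init_creds_opt_set_canonicalize` is, so if any other Kerberos implementation remains a build target, guard it with `if (options != NULL)` and put the new calls behind the same compat layer. `ldap_child_get_tgt_sync()` starts and ends outside the hunk.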
@@ -23,8 +23,8 @@ %endif Name: sssd -Version: 2.2.0 -Release: 1%{?dist} +Version: 2.2.3 +Release: 6%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -32,7 +32,9 @@ URL: https://pagure.io/SSSD/sssd/ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz ### Patches ### -# Patch0001: ... +Patch0001: 0001-INI-sssctl-config-check-command-error-messages.patch +Patch0002: 0002-certmap-mention-special-regex-characters-in-man-page.patch +Patch0003: 0003-ldap_child-do-not-try-PKINIT.patch ### Downstream Patches ### @@ -63,6 +65,7 @@ Suggests: sssd-dbus = %{version}-%{release} ### Build Dependencies ### +BuildRequires: make BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -830,6 +833,7 @@ done %{_datadir}/sssd/systemtap/id_perf.stp %{_datadir}/sssd/systemtap/nested_group_perf.stp %{_datadir}/sssd/systemtap/dp_request.stp +%{_datadir}/sssd/systemtap/ldap_perf.stp %dir %{_datadir}/systemtap %dir %{_datadir}/systemtap/tapset %{_datadir}/systemtap/tapset/sssd.stp @@ -846,6 +850,7 @@ done %license COPYING %{_libdir}/%{name}/libsss_ldap.so %{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man5/sssd-ldap-attributes.5* %files krb5-common %defattr(-,root,root,-) 
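Review bot: The `Patch0001`–`Patch0003` lines in the @@ -32 hunk are only declarations; the `%prep` section that applies them is outside the visible hunks, so confirm it uses `%autosetup -p1` or explicit `%patch` lines, otherwise the three fixes the changelog claims for 2.2.3-4 through -6 would not be in the built binaries. Separately, the only integrity anchor for `Source0` is the SHA-1 recorded in `.sssd.metadata`; upstream has published detached `.asc` signatures beside its tarballs, so adding `Source1: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz.asc` together with a `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}` step in `%prep` would give a key-based check if the build root provides `%{gpgverify}`. The surrounding `%prep`/`%files` sections lie outside the diff.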
@@ -1185,7 +1190,106 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
-%changelog
+* Sun Dec 15 2019 Michal Židek - 2.2.3-6
+* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
+
+* Sun Dec 15 2019 Michal Židek - 2.2.3-5
+* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character
+ for match rules sss-certmap
+
+* Thu Dec 12 2019 Michal Židek - 2.2.3-4
+* Resolves: rhbz#1781728 - sssctl config-check command does not give proper
+ error messages with line numbers
+
+* Mon Dec 2 2019 Michal Židek - 2.2.3-3
+* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
+ Increasing version number to pick latest libldb
+
+* Sat Nov 30 2019 Michal Židek - 2.2.3-2
+* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
+ PART2: Fix gating issue.
+
+* Sat Nov 30 2019 Michal Židek - 2.2.3-1
+* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
+
+* Thu Nov 21 2019 Michal Židek - 2.2.2-1
+* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
+
+* Wed Sep 4 2019 Michal Židek - 2.2.0-19
+- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid
+ new ones (kcm)
+
+* Sun Sep 1 2019 Michal Židek - 2.2.0-18
+- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8
+- Also sync.
kcm multihost tests with master
+
+* Sun Sep 1 2019 Michal Židek - 2.2.0-17
+- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome
+ keyring
+- Also apply a patch to fix gating tests issue
+
+* Sun Aug 18 2019 Michal Židek - 2.2.0-16
+- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get
+ the IP address of the machine updated in IPA upon
+ sssd.service startup
+
+* Sun Aug 18 2019 Michal Židek - 2.2.0-15
+- Resolves: rhbz#1736265 - Smart Card auth of local user: endless
+ loop if wrong PIN was provided
+
+* Sun Aug 18 2019 Michal Židek - 2.2.0-14
+- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix"
+ should not cause files domain entries to be
+ qualified, this can break sudo access
+
+* Sun Aug 18 2019 Michal Židek - 2.2.0-13
+- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the
+ systemd-user service in the account phase in RHEL-8
+
+* Sun Aug 18 2019 Michal Židek - 2.2.0-12
+- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets
+
+* Fri Aug 9 2019 Michal Židek - 2.2.0-11
+- Resolves: rhbz#1733372 - permission denied on logs when running sssd as
+ non-root user
+
+* Fri Aug 9 2019 Michal Židek - 2.2.0-10
+- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing
+ the trailing colon
+
+* Fri Aug 9 2019 Michal Židek - 2.2.0-9
+- Resolves: rhbz#1382750 - Conflicting default timeout values
+
+* Fri Aug 2 2019 Michal Židek - 2.2.0-8
+- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder
+ repository
+ - This just required a raise in release number
+ and changelog for the record.
+
+* Fri Aug 2 2019 Michal Židek - 2.2.0-7
+- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is
+ not FIPS140 compliant
+
+* Fri Aug 2 2019 Michal Židek - 2.2.0-6
+- Resolves: rhbz#1726945 - negative cache does not use values from
+ 'filter_users' config option for known domains
+
+* Thu Jul 25 2019 Jakub Hrozek - 2.2.0-5
+- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo
+
+* Thu Jul 25 2019 Jakub Hrozek - 2.2.0-4
+- Resolves: rhbz#1283798 - sssd failover does not work on connecting to
+ non-responsive ldaps:// server
+
+* Wed Jul 3 2019 Jakub Hrozek - 2.2.0-3
+- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with
+ no members
+
+* Wed Jul 3 2019 Jakub Hrozek - 2.2.0-2
+- Resolves: rhbz#1673443 - sssd man pages: The default value of
+ "ldap_user_home_directory" is not mentioned
+ with AD server configuration
+
 * Fri Jun 14 2019 Michal Židek - 2.2.0-1
 - Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release