import sssd-2.2.3-6.el8

This commit is contained in:
CentOS Sources 2020-01-21 14:41:03 -05:00 committed by Stepan Oksanichenko
parent 1a63ff8815
commit fe0e7f4858
6 changed files with 285 additions and 6 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/sssd-2.2.0.tar.gz SOURCES/sssd-2.2.3.tar.gz

View File

@ -1 +1 @@
6c4ba24eb19a821c69e19675e76f01c94cbd5aa0 SOURCES/sssd-2.2.0.tar.gz c2b457f85586750f5b22bfedd4cbca5b6f8fdb88 SOURCES/sssd-2.2.3.tar.gz

View File

@ -0,0 +1,35 @@
From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Tue, 10 Dec 2019 16:30:32 +0100
Subject: [PATCH] INI: sssctl config-check command error messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case of parsing error sssctl config-check command does not give
proper error messages with line number. With this patch the error
message is printed again.
Resolves:
https://pagure.io/SSSD/sssd/issue/4129
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/util/sss_ini.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index e3699805d..5d91602cd 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_parse(self);
if (ret != EOK) {
+ sss_ini_config_print_errors(self->error_list);
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
return ERR_INI_PARSE_FAILED;
}
--
2.20.1

View File

@ -0,0 +1,42 @@
From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 12 Dec 2019 13:10:16 +0100
Subject: [PATCH] certmap: mention special regex characters in man page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since some of the matching rules use regular expressions some characters
must be escaped so that they can be used a ordinary characters in the
rules.
Related to https://pagure.io/SSSD/sssd/issue/4127
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/man/sss-certmap.5.xml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
index db258d14a..10343625e 100644
--- a/src/man/sss-certmap.5.xml
+++ b/src/man/sss-certmap.5.xml
@@ -92,6 +92,15 @@
<para>
Example: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN
</para>
+ <para>
+ Please note that the characters "^.[$()|*+?{\" have a
+ special meaning in regular expressions and must be
+ escaped with the help of the '\' character so that they
+ are matched as ordinary characters.
+ </para>
+ <para>
+ Example: &lt;SUBJECT&gt;^CN=.* \(Admin\),DC=MY,DC=DOMAIN$
+ </para>
</listitem>
</varlistentry>
<varlistentry>
--
2.20.1

View File

@ -0,0 +1,98 @@
From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Dec 2019 12:29:49 +0100
Subject: [PATCH] ldap_child: do not try PKINIT
if the PKINIT plugin is installed and pkinit_identities is set in
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
wants to authenticate with a keytab. As a result ldap_child might try to
access a Smartcard which is either not allowed at all or might cause
unexpected delays.
To avoid this the current patch sets pkinit_identities for LDAP child
explicitly to make the PKINIT plugin fail because if installed libkrb5
will always use it.
It turned out the setting pre-authentication options requires some
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
used to initialize the options struct.
Related to https://pagure.io/SSSD/sssd/issue/4126
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 408d64db4..b081df90f 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_ccache ccache = NULL;
krb5_principal kprinc;
krb5_creds my_creds;
- krb5_get_init_creds_opt options;
+ krb5_get_init_creds_opt *options = NULL;
krb5_error_code krberr;
krb5_timestamp kdc_time_offset;
int canonicalize = 0;
@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
memset(&my_creds, 0, sizeof(my_creds));
- memset(&options, 0, sizeof(options));
- krb5_get_init_creds_opt_set_address_list(&options, NULL);
- krb5_get_init_creds_opt_set_forwardable(&options, 0);
- krb5_get_init_creds_opt_set_proxiable(&options, 0);
- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
+ krberr = krb5_get_init_creds_opt_alloc(context, &options);
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
+ goto done;
+ }
+
+ krb5_get_init_creds_opt_set_address_list(options, NULL);
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
+ krberr = krb5_get_init_creds_opt_set_pa(context, options,
+ "X509_user_identity", "");
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
+ krberr);
+ }
+
tmp_str = getenv("KRB5_CANONICALIZE");
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
canonicalize = 1;
}
- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
DB_PATH, realm_name);
@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
- keytab, 0, NULL, &options);
+ keytab, 0, NULL, options);
if (krberr != 0) {
DEBUG(SSSDBG_OP_FAILURE,
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
done:
+ krb5_get_init_creds_opt_free(context, options);
if (krberr != 0) {
if (*_krb5_msg == NULL) {
/* no custom error message provided hence get one from libkrb5 */
--
2.20.1

View File

@ -23,8 +23,8 @@
%endif %endif
Name: sssd Name: sssd
Version: 2.2.0 Version: 2.2.3
Release: 1%{?dist} Release: 6%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -32,7 +32,9 @@ URL: https://pagure.io/SSSD/sssd/
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
### Patches ### ### Patches ###
# Patch0001: ... Patch0001: 0001-INI-sssctl-config-check-command-error-messages.patch
Patch0002: 0002-certmap-mention-special-regex-characters-in-man-page.patch
Patch0003: 0003-ldap_child-do-not-try-PKINIT.patch
### Downstream Patches ### ### Downstream Patches ###
@ -63,6 +65,7 @@ Suggests: sssd-dbus = %{version}-%{release}
### Build Dependencies ### ### Build Dependencies ###
BuildRequires: make
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libtool BuildRequires: libtool
@ -830,6 +833,7 @@ done
%{_datadir}/sssd/systemtap/id_perf.stp %{_datadir}/sssd/systemtap/id_perf.stp
%{_datadir}/sssd/systemtap/nested_group_perf.stp %{_datadir}/sssd/systemtap/nested_group_perf.stp
%{_datadir}/sssd/systemtap/dp_request.stp %{_datadir}/sssd/systemtap/dp_request.stp
%{_datadir}/sssd/systemtap/ldap_perf.stp
%dir %{_datadir}/systemtap %dir %{_datadir}/systemtap
%dir %{_datadir}/systemtap/tapset %dir %{_datadir}/systemtap/tapset
%{_datadir}/systemtap/tapset/sssd.stp %{_datadir}/systemtap/tapset/sssd.stp
@ -846,6 +850,7 @@ done
%license COPYING %license COPYING
%{_libdir}/%{name}/libsss_ldap.so %{_libdir}/%{name}/libsss_ldap.so
%{_mandir}/man5/sssd-ldap.5* %{_mandir}/man5/sssd-ldap.5*
%{_mandir}/man5/sssd-ldap-attributes.5*
%files krb5-common %files krb5-common
%defattr(-,root,root,-) %defattr(-,root,root,-)
@ -1185,7 +1190,106 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so %{_libdir}/%{name}/modules/libwbclient.so
%changelog %changelog
%changelog * Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-6
* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
* Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-5
* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character
for match rules sss-certmap
* Thu Dec 12 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-4
* Resolves: rhbz#1781728 - sssctl config-check command does not give proper
error messages with line numbers
* Mon Dec 2 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-3
* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
Increasing version number to pick latest libldb
* Sat Nov 30 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-2
* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
PART2: Fix gating issue.
* Sat Nov 30 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-1
* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
* Thu Nov 21 2019 Michal Židek <mzidek@redhat.com> - 2.2.2-1
* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
* Wed Sep 4 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-19
- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid
new ones (kcm)
* Sun Sep 1 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-18
- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8
- Also sync. kcm multihost tests with master
* Sun Sep 1 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-17
- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome
keyring
- Also apply a patch to fix gating tests issue
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-16
- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get
the IP address of the machine updated in IPA upon
sssd.service startup
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-15
- Resolves: rhbz#1736265 - Smart Card auth of local user: endless
loop if wrong PIN was provided
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-14
- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix"
should not cause files domain entries to be
qualified, this can break sudo access
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-13
- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the
systemd-user service in the account phase in RHEL-8
* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-12
- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets
* Fri Aug 9 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-11
- Resolves: rhbz#1733372 - permission denied on logs when running sssd as
non-root user
* Fri Aug 9 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-10
- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing
the trailing colon
* Fri Aug 9 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-9
- Resolves: rhbz#1382750 - Conflicting default timeout values
* Fri Aug 2 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-8
- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder
repository
- This just required a raise in release number
and changelog for the record.
* Fri Aug 2 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-7
- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is
not FIPS140 compliant
* Fri Aug 2 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-6
- Resolves: rhbz#1726945 - negative cache does not use values from
'filter_users' config option for known domains
* Thu Jul 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-5
- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo
* Thu Jul 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-4
- Resolves: rhbz#1283798 - sssd failover does not work on connecting to
non-responsive ldaps:// server
* Wed Jul 3 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-3
- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with
no members
* Wed Jul 3 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-2
- Resolves: rhbz#1673443 - sssd man pages: The default value of
"ldap_user_home_directory" is not mentioned
with AD server configuration
* Fri Jun 14 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1 * Fri Jun 14 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
- Resolves: rhbz#1687281 - Resolves: rhbz#1687281
Rebase sssd in RHEL-8.1 to the latest upstream release Rebase sssd in RHEL-8.1 to the latest upstream release