import sssd-2.2.3-6.el8

.gitignore

@@ -1 +1 @@
-SOURCES/sssd-2.2.0.tar.gz
+SOURCES/sssd-2.2.3.tar.gz

.sssd.metadata

@@ -1 +1 @@
-6c4ba24eb19a821c69e19675e76f01c94cbd5aa0 SOURCES/sssd-2.2.0.tar.gz
+c2b457f85586750f5b22bfedd4cbca5b6f8fdb88 SOURCES/sssd-2.2.3.tar.gz

SOURCES/0001-INI-sssctl-config-check-command-error-messages.patch

@@ -0,0 +1,35 @@
+From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Tue, 10 Dec 2019 16:30:32 +0100
+Subject: [PATCH] INI: sssctl config-check command error messages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case of parsing error sssctl config-check command does not give
+proper error messages with line number. With this patch the error
+message is printed again.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4129
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/util/sss_ini.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
+index e3699805d..5d91602cd 100644
+--- a/src/util/sss_ini.c
++++ b/src/util/sss_ini.c
+@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ 
+     ret = sss_ini_parse(self);
+     if (ret != EOK) {
++        sss_ini_config_print_errors(self->error_list);
+         DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
+         return ERR_INI_PARSE_FAILED;
+     }
+-- 
+2.20.1
+

SOURCES/0002-certmap-mention-special-regex-characters-in-man-page.patch

@@ -0,0 +1,42 @@
+From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 12 Dec 2019 13:10:16 +0100
+Subject: [PATCH] certmap: mention special regex characters in man page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since some of the matching rules use regular expressions some characters
+must be escaped so that they can be used a ordinary characters in the
+rules.
+
+Related to https://pagure.io/SSSD/sssd/issue/4127
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/man/sss-certmap.5.xml | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
+index db258d14a..10343625e 100644
+--- a/src/man/sss-certmap.5.xml
++++ b/src/man/sss-certmap.5.xml
+@@ -92,6 +92,15 @@
+                     <para>
+                         Example: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN
+                     </para>
++                    <para>
++                        Please note that the characters "^.[$()|*+?{\" have a
++                        special meaning in regular expressions and must be
++                        escaped with the help of the '\' character so that they
++                        are matched as ordinary characters.
++                    </para>
++                    <para>
++                        Example: &lt;SUBJECT&gt;^CN=.* \(Admin\),DC=MY,DC=DOMAIN$
++                    </para>
+                     </listitem>
+                 </varlistentry>
+                 <varlistentry>
+-- 
+2.20.1
+

SOURCES/0003-ldap_child-do-not-try-PKINIT.patch

@@ -0,0 +1,98 @@
+From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 6 Dec 2019 12:29:49 +0100
+Subject: [PATCH] ldap_child: do not try PKINIT
+
+if the PKINIT plugin is installed and pkinit_identities is set in
+/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
+wants to authenticate with a keytab. As a result ldap_child might try to
+access a Smartcard which is either not allowed at all or might cause
+unexpected delays.
+
+To avoid this the current patch sets pkinit_identities for LDAP child
+explicitly to make the PKINIT plugin fail because if installed libkrb5
+will always use it.
+
+It turned out the setting pre-authentication options requires some
+internal flags to be set and krb5_get_init_creds_opt_alloc() must be
+used to initialize the options struct.
+
+Related to https://pagure.io/SSSD/sssd/issue/4126
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
+index 408d64db4..b081df90f 100644
+--- a/src/providers/ldap/ldap_child.c
++++ b/src/providers/ldap/ldap_child.c
+@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+     krb5_ccache ccache = NULL;
+     krb5_principal kprinc;
+     krb5_creds my_creds;
+-    krb5_get_init_creds_opt options;
++    krb5_get_init_creds_opt *options = NULL;
+     krb5_error_code krberr;
+     krb5_timestamp kdc_time_offset;
+     int canonicalize = 0;
+@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+     }
+ 
+     memset(&my_creds, 0, sizeof(my_creds));
+-    memset(&options, 0, sizeof(options));
+ 
+-    krb5_get_init_creds_opt_set_address_list(&options, NULL);
+-    krb5_get_init_creds_opt_set_forwardable(&options, 0);
+-    krb5_get_init_creds_opt_set_proxiable(&options, 0);
+-    krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
++    krberr = krb5_get_init_creds_opt_alloc(context, &options);
++    if (krberr != 0) {
++        DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
++        goto done;
++    }
++
++    krb5_get_init_creds_opt_set_address_list(options, NULL);
++    krb5_get_init_creds_opt_set_forwardable(options, 0);
++    krb5_get_init_creds_opt_set_proxiable(options, 0);
++    krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
++    krberr = krb5_get_init_creds_opt_set_pa(context, options,
++                                            "X509_user_identity", "");
++    if (krberr != 0) {
++        DEBUG(SSSDBG_OP_FAILURE,
++              "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
++              krberr);
++    }
++
+ 
+     tmp_str = getenv("KRB5_CANONICALIZE");
+     if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+         DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
+         canonicalize = 1;
+     }
+-    sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
++    sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
+ 
+     ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
+                                   DB_PATH, realm_name);
+@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+     }
+ 
+     krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
+-                                        keytab, 0, NULL, &options);
++                                        keytab, 0, NULL, options);
+     if (krberr != 0) {
+         DEBUG(SSSDBG_OP_FAILURE,
+               "krb5_get_init_creds_keytab() failed: %d\n", krberr);
+@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+     *expire_time_out = my_creds.times.endtime - kdc_time_offset;
+ 
+ done:
++    krb5_get_init_creds_opt_free(context, options);
+     if (krberr != 0) {
+         if (*_krb5_msg == NULL) {
+             /* no custom error message provided hence get one from libkrb5 */
+-- 
+2.20.1
+

SPECS/sssd.spec

@@ -23,8 +23,8 @@
 %endif
 
 Name: sssd
-Version: 2.2.0
+Version: 2.2.3
-Release: 1%{?dist}
+Release: 6%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -32,7 +32,9 @@ URL: https://pagure.io/SSSD/sssd/
 Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 
 ### Patches ###
-# Patch0001: ...
+Patch0001: 0001-INI-sssctl-config-check-command-error-messages.patch
+Patch0002: 0002-certmap-mention-special-regex-characters-in-man-page.patch
+Patch0003: 0003-ldap_child-do-not-try-PKINIT.patch
 
 ### Downstream Patches ###
 
@@ -63,6 +65,7 @@ Suggests: sssd-dbus = %{version}-%{release}
 
 ### Build Dependencies ###
 
+BuildRequires: make
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -830,6 +833,7 @@ done
 %{_datadir}/sssd/systemtap/id_perf.stp
 %{_datadir}/sssd/systemtap/nested_group_perf.stp
 %{_datadir}/sssd/systemtap/dp_request.stp
+%{_datadir}/sssd/systemtap/ldap_perf.stp
 %dir %{_datadir}/systemtap
 %dir %{_datadir}/systemtap/tapset
 %{_datadir}/systemtap/tapset/sssd.stp
@@ -846,6 +850,7 @@ done
 %license COPYING
 %{_libdir}/%{name}/libsss_ldap.so
 %{_mandir}/man5/sssd-ldap.5*
+%{_mandir}/man5/sssd-ldap-attributes.5*
 
 %files krb5-common
 %defattr(-,root,root,-)
@@ -1185,7 +1190,106 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
-%changelog
+* Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-6
+* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
+
+* Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-5
+* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character
+                           for match rules sss-certmap
+
+* Thu Dec 12 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-4
+* Resolves: rhbz#1781728 - sssctl config-check command does not give proper
+                           error messages with line numbers
+
+* Mon Dec 2 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-3
+* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
+            Increasing version number to pick latest libldb
+
+* Sat Nov 30 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-2
+* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
+            PART2: Fix gating issue.
+
+* Sat Nov 30 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-1
+* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
+
+* Thu Nov 21 2019 Michal Židek <mzidek@redhat.com> - 2.2.2-1
+* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
+
+* Wed Sep 4 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-19
+- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid
+                           new ones (kcm)
+
+* Sun Sep 1 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-18
+- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8
+- Also sync. kcm multihost tests with master
+
+* Sun Sep 1 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-17
+- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome
+                           keyring
+- Also apply a patch to fix gating tests issue
+
+* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-16
+- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get
+                           the IP address of the machine updated in IPA upon
+                           sssd.service startup
+
+* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-15
+- Resolves: rhbz#1736265 - Smart Card auth of local user: endless
+                           loop if wrong PIN was provided
+
+* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-14
+- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix"
+                           should not cause files domain entries to be
+                           qualified, this can break sudo access
+
+* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-13
+- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the
+            systemd-user service in the account phase in RHEL-8 
+
+* Sun Aug 18 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-12
+- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets
+
+* Fri Aug 9 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-11
+- Resolves: rhbz#1733372 - permission denied on logs when running sssd as
+                           non-root user
+
+* Fri Aug 9 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-10
+- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing
+                           the trailing colon
+
+* Fri Aug 9 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-9
+- Resolves: rhbz#1382750 - Conflicting default timeout values
+
+* Fri Aug 2 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-8
+- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder
+                           repository
+                         - This just required a raise in release number
+                           and changelog for the record.
+
+* Fri Aug 2 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-7
+- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is
+                           not FIPS140 compliant
+
+* Fri Aug 2 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-6
+- Resolves: rhbz#1726945 - negative cache does not use values from
+                           'filter_users' config option for known domains
+
+* Thu Jul 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-5
+- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo
+
+* Thu Jul 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-4
+- Resolves: rhbz#1283798 - sssd failover does not work on connecting to
+                           non-responsive ldaps:// server
+
+* Wed Jul  3 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-3
+- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with
+                           no members
+
+* Wed Jul  3 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-2
+- Resolves: rhbz#1673443 - sssd man pages: The default value of
+                           "ldap_user_home_directory" is not mentioned
+                           with AD server configuration
+
 * Fri Jun 14 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
 - Resolves: rhbz#1687281
   Rebase sssd in RHEL-8.1 to the latest upstream release