Commit Graph

61 Commits

Author SHA1 Message Date
Alexey Tikhonov
9fd0c37b6b Resolves: RHEL-49711 - SYSDB: remove index on dataExpireTimestamp
Resolves: RHEL-49811 - 2FA is being enforced after upgrading 2.9.1->2.9.4
2024-07-19 17:31:11 +02:00
Alexey Tikhonov
510ddf8166 Resolves: RHEL-40742 - passkey_child with wrong owner 2024-07-08 11:07:10 +02:00
Alexey Tikhonov
6e32aafab0 Resolves: RHEL-40742 - passkey_child with wrong owner
Resolves: RHEL-41047 - sssd is skipping GPO evaluation with auto_private_groups
Resolves: RHEL-40570 - GPO access the wrong memory location
2024-06-24 13:56:00 +02:00
Alexey Tikhonov
3d50166fea Resolves: RHEL-36586 - Rebase SSSD for RHEL 9.5
Resolves: RHEL-27716 - SSSD fails to process AD groups with 'Global Scope' correctly causing incomplete group-membership on RHEL if cache is empty
Resolves: RHEL-17659 - [RfE] SSSD Failover Enhancements
Resolves: RHEL-35781 - Passkey errors when handling multiple altSecurityIdentities values
Resolves: RHEL-30142 - sssd_pac is crashing
Resolves: RHEL-22206 - Errors in krb5_child.log every time a user authenticates - Pre-authentication failed: No pkinit_anchors supplied
Resolves: RHEL-32595 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest
Resolves: RHEL-28666 - sssctl config-check is reporting false positive error msg
Resolves: RHEL-29454 - NULL dereference in inotify handling
Resolves: RHEL-1654 - Improve documentation for allowing e-mail address as username
2024-05-16 14:26:16 +02:00
Alexey Tikhonov
983f2cbb3e Relates: RHEL-33645 - Rebase Samba to the latest 4.20.x release 2024-04-29 12:56:30 +02:00
Alexey Tikhonov
9cde1a03b4 Relates: RHEL-33645 - Rebase Samba to the latest 4.20.x release 2024-04-29 09:07:19 +02:00
Alexey Tikhonov
9cec1baff8 Resolves: RHEL-27209 - Race condition during authorization leads to GPO policies functioning inconsistently [rhel-9.4.0] 2024-04-18 12:52:30 +02:00
Alexey Tikhonov
ddffedeb08 Resolves: RHEL-28161 - Passkey cannot fall back to password 2024-03-25 20:52:49 +01:00
Alexey Tikhonov
4f70d2204e Resolves: RHEL-28161 - Passkey cannot fall back to password 2024-03-21 15:43:15 +01:00
Alexey Tikhonov
ea62250f41 Resolves: RHEL-22340 - socket leak
Resolves: RHEL-28161 - Passkey cannot fall back to password
2024-03-13 15:59:01 +01:00
Alexey Tikhonov
9e669db919 Resolves: RHEL-12503 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address.
Resolves: RHEL-22288 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd
Resolves: RHEL-22194 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities
2024-02-12 10:25:10 +01:00
Alexey Tikhonov
9710a94123 Resolves: RHEL-2632 - Rebase SSSD for RHEL 9.4
Resolves: RHEL-18395 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users
Resolves: RHEL-17498 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') [rhel-9]
Resolves: RHEL-21079 - SSSD GPO lacks group resolution on hosts [rhel-9]
Resolves: RHEL-19211 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest [rhel-9]
2024-01-12 21:25:10 +01:00
Alexey Tikhonov
c6ead80a96 Resolves: RHEL-2632 - Rebase SSSD for RHEL 9.4 2023-11-13 18:23:42 +01:00
Alexey Tikhonov
98fa4310c5 Resolves: RHEL-2632 - Rebase SSSD for RHEL 9.4
Resolves: RHEL-14427 - Expected cn in RDN, got uid
Resolves: RHEL-12229 - HANA validation on RHEL 9.2 issue possibly related to libc/nss_sss behaviour
Resolves: RHEL-3925 - SSSD goes offline when, while reading a single user, misses a required attribute (i.e. SID)
Resolves: RHEL-2319 - Passkey authentication for centrally managed users
Resolves: RHEL-4146 - Incorrect handling of reverse IPv6 update results in update failure
Resolves: RHEL-4971 - sssd-kcm does not appear to expire Kerberos tickets (RFE: sssd_kcm should have the option to automatically delete the expired tickets)
2023-11-13 16:10:41 +01:00
Alexey Tikhonov
2f5a668e6a Resolves: RHEL-2319 - Passkey authentication for centrally managed users 2023-10-05 14:24:57 +02:00
Alexey Tikhonov
8083cf0ccf Resolves: RHEL-2632 - Rebase SSSD for RHEL 9.4
Resolves: RHEL-2319 - Passkey authentication for centrally managed users
Resolves: rhbz#2234829 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working)
Resolves: rhbz#2236119 - dbus and crond getting terminated with SIGBUS in sss_client code
2023-09-08 19:00:48 +02:00
Alexey Tikhonov
26c81cdfa6 Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system 2023-07-10 18:16:53 +02:00
Alexey Tikhonov
efb42d7981 Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3
Resolves: rhbz#2196816 - [RHEL9] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
Resolves: rhbz#2162552 - sssd client caches old data after removing netgroup member on IDM
Resolves: rhbz#2189542 - [sssd] RHEL 9.3 Tier 0 Localization
Resolves: rhbz#2133854 - [RHEL9] In some cases when `sdap_add_incomplete_groups()` is called with `ignore_group_members = true`, groups should be treated as complete
Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
2023-06-23 17:08:46 +02:00
Alexey Tikhonov
efc5d15ac2 Related: rhbz#2190415 - Rebase Samba to the latest 4.18.x release
Rebuild against rebased Samba libs.
2023-06-06 15:24:27 +02:00
Alexey Tikhonov
091a17c5ca Related: rhbz#2190415 - Rebase Samba to the latest 4.18.x release
Rebuild against rebased Samba libs.
2023-05-30 16:13:13 +02:00
Alexey Tikhonov
2d39376072 Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3 2023-05-25 11:02:30 +02:00
jvavra
dacb66a14f Jvavra c9s patch 35826 - remove tier0 from osci 2023-05-19 08:59:57 +00:00
Alexey Tikhonov
6849c706fc Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3
Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
Resolves: rhbz#1913839 - filter_groups doesn't filter GID from 'id' output: AD + 'ldap_id_mapping = True' corner case
Resolves: rhbz#2100789 - [Improvement] sssctl config-check command does not show an error when we don't have id_provider in the domain section
Resolves: rhbz#2152177 - [RFE] Add support for ldapi:// URLs
Resolves: rhbz#2164852 - man page entry should make clear that a nested group needs a name
Resolves: rhbz#2166627 - Improvement: sss_client: add 'getsidbyusername()' and 'getsidbygroupname()' and corresponding python bindings
Resolves: rhbz#2166943 - kinit switches KCM away from the newly issued ticket
Resolves: rhbz#2167728 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
2023-05-15 15:55:07 +02:00
Alexey Tikhonov
7a5851d647 Resolves: rhbz#2160001 - Reference to 'sssd-ldap-attributes' man page is missing in 'sssd-ldap', etc man pages
Resolves: rhbz#2143159 - automount killed by SIGSEGV
2023-01-16 14:02:21 +01:00
Alexey Tikhonov
6d6ccdb21b Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search
Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service)
Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization
Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately
Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
2022-12-19 11:13:56 +01:00
Scott Poore
70d23470fd tests: modify pb to move results to always run
The "Prepare results.yml in STI format" task in sssd-tasks.yml was set
to run after the pytest task.  If pytest failed, the results were not
properly prepared and caused processing issues with the log results.
Moving the task to under always section.

Related: rhbz#2127510
2022-11-04 14:50:05 -05:00
Alexey Tikhonov
5974ce9186 Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
Resolves: rhbz#1507035 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
Resolves: rhbz#1766490 - Use negative cache better and domain checks for lookup by SIDs
Resolves: rhbz#1964121 - RFE: Add an option to sssd config to convert home directories to lowercase (or add a new template for the 'override_homedir' option)
Resolves: rhbz#2074307 - reduce debug level in case well_known_sid_to_name() fails
Resolves: rhbz#2096031 - SSSD: sdap_handle_id_collision_for_incomplete_groups debug message missing a new line
Resolves: rhbz#2103325 - Supported AD group types should be explained in the docs
Resolves: rhbz#2111388 - authenticating against external IdP services okta (native app) with OAuth client secret failed
Resolves: rhbz#2115171 - SSSD: duplicate dns_resolver_* option in man sssd.conf
Resolves: rhbz#2127492 - sssd timezone issues sudonotafter
Resolves: rhbz#2128840 - [RFE] provide dbus method to find users by attr
Resolves: rhbz#2128883 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
2022-11-04 13:08:07 +01:00
Alexey Tikhonov
24837d953f Related: rhbz#1978119 - [Improvement] avoid interlocking among threads that use libsss_nss_idmap API (or other sss_client libs) 2022-08-26 18:36:13 +02:00
Alexey Tikhonov
d544103a96 Resolves: rhbz#2116389 - rpc.gssd crash when access a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-2.el9
Resolves: rhbz#2119373 - sssctl analyze --logdir option requires sssd to be configured
Resolves: rhbz#2120657 - Incorrect request ID tracking from responder to backend
2022-08-23 18:25:46 +02:00
Alexey Tikhonov
0bcf677ee4 Resolves: rhbz#2106660 - [regression] sssd goes offline with forced ldaps configuration
Resolves: rhbz#2109451 - virsh command will hang after the host run several auto test cases
Resolves: rhbz#2098654 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL
Resolves: rhbz#2106685 - [regression] sssctl analyze fails to parse PAM related sssd logs
2022-08-08 15:19:57 +02:00
Alexey Tikhonov
1b653c21ec Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
2022-07-05 11:07:29 +02:00
Alexey Tikhonov
4a2d3451f2 Resolves: rhbz#2073095 - Harden kerberos ticket validation (additional patch)
Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol (additional patch)
2022-06-13 12:45:54 +02:00
Alexey Tikhonov
61baec62c2 Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
Resolves: rhbz#1893192 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets
Resolves: rhbz#1927553 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file
Resolves: rhbz#2089216 - pam_sss_gss ceased to work after upgrade to 8.6
Resolves: rhbz#2090776 - Add idp authentication indicator in man page of sssd.conf
Resolves: rhbz#1927195 - sssd runs out of proxy child slots and doesn't clear the counter for Active requests
Resolves: rhbz#2073095 - Harden kerberos ticket validation
Resolves: rhbz#2082455 - 'getent hosts' not return hosts if they have more than one CN in LDAP
Resolves: rhbz#2087581 - Regression "Missing internal domain data." when setting ad_domain to incorrect
2022-06-04 12:28:43 +02:00
Alexey Tikhonov
ea39f4d1e1 Resolves: rhbz#2065693 - [RHEL9] Ship new sub-package called sssd-idp into sssd 2022-05-11 18:01:11 +02:00
Alexey Tikhonov
f90ae3e47e Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
Test settings changes are required for gating.
2022-05-10 09:02:45 +02:00
Alexey Tikhonov
c745d2f717 Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
Resolves: rhbz#2072640 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
Resolves: rhbz#2070189 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
Resolves: rhbz#2070138 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
Resolves: rhbz#2065693 - [RHEL9] Ship new sub-package called sssd-idp into sssd
Resolves: rhbz#2065098 - Use right sdap_domain in ad_domain_info_send
Resolves: rhbz#2062716 - [Improvement] Add user and group version of sss_nss_getorigbyname()
Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol
Resolves: rhbz#2056482 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
Resolves: rhbz#1937895 - SSSD update prompts for smartcard pin twice - After update to 7.9
Resolves: rhbz#1925559 - [RFE] Implement time logging for the LDAP queries and warning of high queries time
Resolves: rhbz#1915564 - sssd does not enforce smartcard auth for kde screen locker
Resolves: rhbz#1859751 - [RFE] Allow SSSD to use anonymous pkinit for FAST
Resolves: rhbz#1749279 - 2FA prompting setting ineffective
Resolves: rhbz#1661055 - sssd fails GPO-based access if AD have setup with Japanese language
Resolves: rhbz#1245367 - [RFE] Implement memory cache for SID requests to improve performance
2022-05-09 13:02:32 +02:00
Alexey Tikhonov
4cdadec076 Resolves: rhbz#2035244 - AD Domain in the AD Forest Missing after sssd latest update
Resolves: rhbz#2041560 - sssd does not use kerberos port that is set.
2022-01-17 20:04:23 +01:00
Alexey Tikhonov
6a5a87a373 Resolves: rhbz#2011224 - Rebase SSSD for RHEL 9.0-GA
Resolves: rhbz#2017390 - [sssd] RHEL 9.0 GA Tier 0 Localization
Resolves: rhbz#2013263 - [RHEL9] Add ability to parse child log files
Resolves: rhbz#2013262 - [RHEL9] Add tevent chain ID logic into responders
Resolves: rhbz#1992432 - Add client certificate validation D-Bus API
Resolves: rhbz#1940517 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
2022-01-05 18:12:21 +01:00
Alexey Tikhonov
5309d21cac Resolves: rhbz#2011224 - Rebase SSSD for RHEL 9.0-GA
Resolves: rhbz#1966201 - sssd: incorrect checks on length values during packet decoding in unpack_authtok()
Resolves: rhbz#977803 - incorrect checks of `strto*()` string to number conversion functions
Resolves: rhbz#1992432 - Add client certificate validation D-Bus API
Resolves: rhbz#1992973 - Lookup with fully-qualified name does not work with 'cache_first = True'
Resolves: rhbz#1996151 - Add support for CKM_RSA_PKCS in smart card authentication.
Resolves: rhbz#1998459 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
Resolves: rhbz#2000476 - disabled root ad domain causes subdomains to be marked offline
Resolves: rhbz#2014249 - Consistency in defaults between OpenSSH and SSSD
Resolves: rhbz#2029419 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
2021-12-06 21:00:02 +01:00
Alexey Tikhonov
4fc9503558 Resolves: rhbz#1909755 - Suppress log message "[sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory" during logrote
Resolves: rhbz#1962123 - [sssd] RHEL 9.0 Beta Tier 0 Localization
2021-08-16 19:55:25 +02:00
Alexey Tikhonov
f017fabf25 Resolves: rhbz#1973411 - CVE-2021-3621 sssd: shell command injection in sssctl [rhel-9] 2021-08-16 17:38:42 +02:00
Mohan Boddu
7ac0b3ada9 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-10 00:58:10 +00:00
Alexey Tikhonov
76fe5d637c Resolves: rhbz#1803943 - [RFE] support subid ranges managed by FreeIPA 2021-08-02 15:41:48 +00:00
Steeve Goveas
7b6882ef34 Add epel 8 repo link for sshpass
Resolves: rhbz#1954686
epel 9 is not available yet. epel 8 was removed from the rhel9 compose,
so added task in playbook to add epel 8 repo.
Package python3-virtualenv is removed from rhel9. Removed it from list
of packages to install
2021-07-30 17:49:02 +05:30
Alexey Tikhonov
adc6d02a6b Resolves: rhbz#1952922 - Rebase SSSD for RHEL 9-Beta
Resolves: rhbz#1975691 - covscan NULL pointer dereference cache_req_data_create()
2021-07-16 14:42:44 +02:00
Steeve Goveas
341c8ac4b6 Add script to prepare results.yml
Resolves: rhbz#1954686
This update is to conform to STI standards
2021-06-17 18:17:21 +05:30
Mohan Boddu
44e720a583 Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-16 03:39:14 +00:00
Alexey Tikhonov
832b09ac19 Resolves: rhbz#1952922 - Rebase SSSD for RHEL 9-Beta 2021-06-14 20:57:15 +02:00
Alexey Tikhonov
7f0c855c8f Resolves: rhbz#1952922 - Rebase SSSD for RHEL 9-Beta
Resolves: rhbz#1938876 - review of important potential issues detected by static analyzers in sssd-2.4.1-1.el9
Resolves: rhbz#1942277 - Wrong default debug level of sssd tools
2021-06-14 20:37:12 +02:00
Steeve Goveas
8420c052fa Use openssh transport 2021-06-09 21:43:19 +05:30