11 changed files with 105 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,11 @@
-SOURCES/sssd-2.9.4.tar.gz
+/sssd-2.6.2.tar.gz
 /sssd-2.7.0.tar.gz
 /sssd-2.7.2.tar.gz
 /sssd-2.7.3.tar.gz
 /sssd-2.8.1.tar.gz
 /sssd-2.8.2.tar.gz
 /sssd-2.9.0.tar.gz
 /sssd-2.9.1.tar.gz
 /sssd-2.9.2.tar.gz
 /sssd-2.9.3.tar.gz
 /sssd-2.9.4.tar.gz
--- a/.sssd.metadata
+++ b/.sssd.metadata
@ -1 +0,0 @@
 574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz
--- a/SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
+++ b/SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
--- a/SOURCES/0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
+++ b/SOURCES/0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
--- a/SOURCES/0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
+++ b/SOURCES/0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
--- a/SOURCES/0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
+++ b/SOURCES/0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
--- a/SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch
+++ b/SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch
--- a/0006-ad-refresh-root-domain-when-read-directly.patch
+++ b/0006-ad-refresh-root-domain-when-read-directly.patch
@ -0,0 +1,81 @@
 From db27a51f274640e1aa2f13476c80955a3ec9e91c Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Fri, 1 Mar 2024 10:50:07 +0100
 Subject: [PATCH] ad: refresh root domain when read directly
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 If the domain object of the forest root domain cannot be found in the
 LDAP tree of the local AD domain SSSD tries to read the request data
 from an LDAP server of the forest root domain directly. After reading
 this data the information is stored in the cache but currently the
 information about the domain store in memory is not updated with the
 additional data. As a result e.g. the domain SID is missing in this data
 and only becomes available after a restart where it is read from the
 cache.
 With this patch an unconditional refresh is triggered at the end of the
 fallback code path.
 Resolves: https://github.com/SSSD/sssd/issues/7250
 Reviewed-by: Dan Lavu <dlavu@redhat.com>
 Reviewed-by: Tomáš Halman <thalman@redhat.com>
 (cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53)
 ---
 src/providers/ad/ad_subdomains.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
 index a8d1892cc..d8f3738ce 100644
 --- a/src/providers/ad/ad_subdomains.c
 +++ b/src/providers/ad/ad_subdomains.c
@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state {
 static void ad_get_root_domain_done(struct tevent_req *subreq);
 static void ad_check_root_domain_done(struct tevent_req *subreq);
 static errno_t
 -ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
 +ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
 struct tevent_req *
 ad_check_domain_send(TALLOC_CTX *mem_ctx,
@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
         return;
     }
 -    ret = ad_get_root_domain_refresh(state);
 +    ret = ad_get_root_domain_refresh(state, false);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
     }
@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
     state->reply_count = 1;
 -    ret = ad_get_root_domain_refresh(state);
 +    ret = ad_get_root_domain_refresh(state, true);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
     }
@@ -1697,7 +1697,7 @@ done:
 }
 static errno_t
 -ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
 +ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
 {
     struct sss_domain_info *root_domain;
     bool has_changes;
@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
         goto done;
     }
 -    if (has_changes) {
 +    if (has_changes || refresh) {
         ret = ad_subdom_reinit(state->sd_ctx);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
 -- 
 2.45.0
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,7 @@
 # recipients: sssd-qe, ftrivino
 --- !Policy
 product_versions:
  - rhel-8
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
--- a/1
+++ b/1
@ -0,0 +1 @@
 SHA512 (sssd-2.9.4.tar.gz) = 9546cf074628f32137b16ca0c763988785271124244b645d1e786762e8578f10d983793a29bffcc004b064452fe8d465476a3041688d2f3c11c2751fb5bec3e2
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@ -19,7 +19,7 @@
 Name: sssd
 Version: 2.9.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -32,6 +32,7 @@ Patch0002: 0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
 Patch0003: 0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
 Patch0004: 0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
 Patch0005: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch
 Patch0006: 0006-ad-refresh-root-domain-when-read-directly.patch
 ### Downstream Patches ###
@ -1216,6 +1217,9 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
 * Fri May 17 2024 Arun Bansal <arbansal@redhat.com> - 2.9.4-4
 - Resolves: RHEL-33957 - ad: refresh root domain when read directly 
 * Thu Apr 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-3
 - Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently
		`@ -1 +0,0 @@`
			`574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz`
		`@ -0,0 +1 @@`
							`SHA512 (sssd-2.9.4.tar.gz) = 9546cf074628f32137b16ca0c763988785271124244b645d1e786762e8578f10d983793a29bffcc004b064452fe8d465476a3041688d2f3c11c2751fb5bec3e2`