Compare commits
No commits in common. "imports/c8s/sssd-2.5.1-1.el8" and "c8" have entirely different histories.
imports/c8
...
c8
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/sssd-2.5.1.tar.gz
|
||||
SOURCES/sssd-2.9.4.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
cda4b8fd8a6862cbc315cd178b942e4b8313f654 SOURCES/sssd-2.5.1.tar.gz
|
||||
574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz
|
||||
|
||||
144
SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
Normal file
144
SOURCES/0001-sssd-adding-mail-as-case-insensitive.patch
Normal file
@ -0,0 +1,144 @@
|
||||
From dd0f63246aa75d5f53b44cbc185e88833e79976e Mon Sep 17 00:00:00 2001
|
||||
From: Andre Boscatto <andreboscatto@gmail.com>
|
||||
Date: Wed, 7 Feb 2024 12:28:28 +0100
|
||||
Subject: [PATCH] sssd: adding mail as case insensitive
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7173
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51)
|
||||
---
|
||||
src/db/sysdb_init.c | 7 ++++++
|
||||
src/db/sysdb_private.h | 5 +++-
|
||||
src/db/sysdb_upgrade.c | 56 ++++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 67 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
||||
index c2ea6c369..38a9cd64a 100644
|
||||
--- a/src/db/sysdb_init.c
|
||||
+++ b/src/db/sysdb_init.c
|
||||
@@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (strcmp(version, SYSDB_VERSION_0_23) == 0) {
|
||||
+ ret = sysdb_upgrade_23(sysdb, &version);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = EOK;
|
||||
done:
|
||||
sysdb->ldb = save_ldb;
|
||||
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
||||
index 1f55007bc..63f7b5601 100644
|
||||
--- a/src/db/sysdb_private.h
|
||||
+++ b/src/db/sysdb_private.h
|
||||
@@ -23,6 +23,7 @@
|
||||
#ifndef __INT_SYS_DB_H__
|
||||
#define __INT_SYS_DB_H__
|
||||
|
||||
+#define SYSDB_VERSION_0_24 "0.24"
|
||||
#define SYSDB_VERSION_0_23 "0.23"
|
||||
#define SYSDB_VERSION_0_22 "0.22"
|
||||
#define SYSDB_VERSION_0_21 "0.21"
|
||||
@@ -47,7 +48,7 @@
|
||||
#define SYSDB_VERSION_0_2 "0.2"
|
||||
#define SYSDB_VERSION_0_1 "0.1"
|
||||
|
||||
-#define SYSDB_VERSION SYSDB_VERSION_0_23
|
||||
+#define SYSDB_VERSION SYSDB_VERSION_0_24
|
||||
|
||||
#define SYSDB_BASE_LDIF \
|
||||
"dn: @ATTRIBUTES\n" \
|
||||
@@ -60,6 +61,7 @@
|
||||
"objectclass: CASE_INSENSITIVE\n" \
|
||||
"ipHostNumber: CASE_INSENSITIVE\n" \
|
||||
"ipNetworkNumber: CASE_INSENSITIVE\n" \
|
||||
+ "mail: CASE_INSENSITIVE\n" \
|
||||
"\n" \
|
||||
"dn: @INDEXLIST\n" \
|
||||
"@IDXATTR: cn\n" \
|
||||
@@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
|
||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
|
||||
|
||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
|
||||
|
||||
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
|
||||
index 346a1cb0b..56083e6be 100644
|
||||
--- a/src/db/sysdb_upgrade.c
|
||||
+++ b/src/db/sysdb_upgrade.c
|
||||
@@ -2718,6 +2718,62 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ int ret;
|
||||
+ struct ldb_message *msg;
|
||||
+ struct upgrade_ctx *ctx;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (!tmp_ctx) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx);
|
||||
+ if (ret) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ /* Add new indexes */
|
||||
+ msg = ldb_msg_new(tmp_ctx);
|
||||
+ if (!msg) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES");
|
||||
+ if (!msg->dn) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Case insensitive search for mail */
|
||||
+ ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE");
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_modify(sysdb->ldb, msg);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* conversion done, update version number */
|
||||
+ ret = update_version(ctx);
|
||||
+
|
||||
+done:
|
||||
+ ret = finish_upgrade(ret, &ctx, ver);
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
|
||||
{
|
||||
struct upgrade_ctx *ctx;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -0,0 +1,154 @@
|
||||
From a7621a5b464af7a3c8409dcbde038b35fee2c895 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 23 Jan 2024 13:47:53 +0100
|
||||
Subject: [PATCH 2/3] sdap: add search_bases option to groups_by_user_send()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD handles users and computer objects very similar and so does SSSD's
|
||||
GPO code when lookup up the host's group-memberships. But users and
|
||||
computers might be stored in different sub-tree of the AD LDAP tree and
|
||||
if a dedicated user search base is given with the ldap_user_search_base
|
||||
option in sssd.conf the host object might be in a different sub-tree. To
|
||||
make sure the host can still be found this patch uses the base DN of
|
||||
the LDAP tree when searching for hosts in the GPO code.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 10 ++++++++++
|
||||
src/providers/ldap/ldap_common.h | 1 +
|
||||
src/providers/ldap/ldap_id.c | 6 +++++-
|
||||
src/providers/ldap/sdap_async.h | 1 +
|
||||
src/providers/ldap/sdap_async_initgroups.c | 4 +++-
|
||||
5 files changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 94959c36b..b0ee3e616 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2091,6 +2091,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
char *server_uri;
|
||||
LDAPURLDesc *lud;
|
||||
struct sdap_domain *sdom;
|
||||
+ struct sdap_search_base **search_bases;
|
||||
|
||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
state = tevent_req_data(req, struct ad_gpo_access_state);
|
||||
@@ -2184,9 +2185,18 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
||||
+ "AD_HOSTS", NULL, &search_bases);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to create dedicated search base for host lookups, "
|
||||
+ "trying with user search base.");
|
||||
+ }
|
||||
+
|
||||
subreq = groups_by_user_send(state, state->ev,
|
||||
state->access_ctx->ad_id_ctx->sdap_id_ctx,
|
||||
sdom, state->conn,
|
||||
+ search_bases,
|
||||
state->host_fqdn,
|
||||
BE_FILTER_NAME,
|
||||
NULL,
|
||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||
index 7159d6356..2c984ef50 100644
|
||||
--- a/src/providers/ldap/ldap_common.h
|
||||
+++ b/src/providers/ldap/ldap_common.h
|
||||
@@ -304,6 +304,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
struct sdap_id_ctx *ctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
||||
index da54816bd..b3ea2333f 100644
|
||||
--- a/src/providers/ldap/ldap_id.c
|
||||
+++ b/src/providers/ldap/ldap_id.c
|
||||
@@ -1139,6 +1139,7 @@ struct groups_by_user_state {
|
||||
struct sdap_id_op *op;
|
||||
struct sysdb_ctx *sysdb;
|
||||
struct sss_domain_info *domain;
|
||||
+ struct sdap_search_base **search_bases;
|
||||
|
||||
const char *filter_value;
|
||||
int filter_type;
|
||||
@@ -1160,6 +1161,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
struct sdap_id_ctx *ctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
@@ -1192,6 +1194,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
state->extra_value = extra_value;
|
||||
state->domain = sdom->dom;
|
||||
state->sysdb = sdom->dom->sysdb;
|
||||
+ state->search_bases = search_bases;
|
||||
|
||||
if (state->domain->type == DOM_TYPE_APPLICATION || set_non_posix) {
|
||||
state->non_posix = true;
|
||||
@@ -1254,6 +1257,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
|
||||
sdap_id_op_handle(state->op),
|
||||
state->ctx,
|
||||
state->conn,
|
||||
+ state->search_bases,
|
||||
state->filter_value,
|
||||
state->filter_type,
|
||||
state->extra_value,
|
||||
@@ -1449,7 +1453,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
|
||||
- sdom, conn,
|
||||
+ sdom, conn, NULL,
|
||||
ar->filter_value,
|
||||
ar->filter_type,
|
||||
ar->extra_value,
|
||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
||||
index 5458d21f1..89245f41f 100644
|
||||
--- a/src/providers/ldap/sdap_async.h
|
||||
+++ b/src/providers/ldap/sdap_async.h
|
||||
@@ -158,6 +158,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *name,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
||||
index 97be594a3..fb3d8fe24 100644
|
||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
||||
@@ -2732,6 +2732,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
@@ -2764,7 +2765,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
state->orig_user = NULL;
|
||||
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
||||
state->user_base_iter = 0;
|
||||
- state->user_search_bases = sdom->user_search_bases;
|
||||
+ state->user_search_bases = (search_bases == NULL) ? sdom->user_search_bases
|
||||
+ : search_bases;
|
||||
if (!state->user_search_bases) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Initgroups lookup request without a user search base\n");
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -0,0 +1,194 @@
|
||||
From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 24 Jan 2024 14:21:12 +0100
|
||||
Subject: [PATCH 3/3] sdap: add naming_context as new member of struct
|
||||
sdap_domain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The naming_context could be a more reliable source than basedn for the
|
||||
actual base DN because basedn is set very early from the domain name
|
||||
given in sssd.conf. Although it is recommended to use the fully
|
||||
qualified DNS domain name here it is not required. As a result basedn
|
||||
might not reflect the actual based DN of the LDAP server. Also pure LDAP
|
||||
server (i.e. not AD or FreeIPA) might use different schemes to set the
|
||||
base DN which will not be based on the DNS domain of the LDAP server.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 6 ++++--
|
||||
src/providers/ldap/sdap.c | 36 +++++++++++++-----------------------
|
||||
src/providers/ldap/sdap.h | 11 +++++++++++
|
||||
3 files changed, 28 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index b0ee3e616..3d1ad39c7 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
||||
- "AD_HOSTS", NULL, &search_bases);
|
||||
+ ret = common_parse_search_base(state,
|
||||
+ sdom->naming_context == NULL ? sdom->basedn
|
||||
+ : sdom->naming_context,
|
||||
+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to create dedicated search base for host lookups, "
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index f5637c5fb..956eba93a 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
struct sdap_domain *sdom)
|
||||
{
|
||||
int ret;
|
||||
- char *naming_context = NULL;
|
||||
|
||||
- if (!sdom->search_bases
|
||||
- || !sdom->user_search_bases
|
||||
- || !sdom->group_search_bases
|
||||
- || !sdom->netgroup_search_bases
|
||||
- || !sdom->host_search_bases
|
||||
- || !sdom->sudo_search_bases
|
||||
- || !sdom->iphost_search_bases
|
||||
- || !sdom->ipnetwork_search_bases
|
||||
- || !sdom->autofs_search_bases) {
|
||||
- naming_context = get_naming_context(opts->basic, rootdse);
|
||||
- if (naming_context == NULL) {
|
||||
+ if (!sdom->naming_context) {
|
||||
+ sdom->naming_context = get_naming_context(sdom, rootdse);
|
||||
+ if (sdom->naming_context == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
|
||||
|
||||
/* This has to be non-fatal, since some servers offer
|
||||
@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->user_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_USER_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->group_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_GROUP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->netgroup_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_NETGROUP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->host_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_HOST_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->sudo_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SUDO_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->service_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SERVICE_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->autofs_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_AUTOFS_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->iphost_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_IPHOST_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->ipnetwork_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_IPNETWORK_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
- talloc_free(naming_context);
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index 161bc5c26..103d50ed4 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -454,6 +454,17 @@ struct sdap_domain {
|
||||
|
||||
char *basedn;
|
||||
|
||||
+ /* The naming_context could be a more reliable source than basedn for the
|
||||
+ * actual base DN because basedn is set very early from the domain name
|
||||
+ * given in sssd.conf. Although it is recommended to use the fully
|
||||
+ * qualified DNS domain name here it is not required. As a result basedn
|
||||
+ * might not reflect the actual based DN of the LDAP server. Also pure
|
||||
+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
|
||||
+ * the base DN which will not be based on the DNS domain of the LDAP
|
||||
+ * server. naming_context might be NULL even after connection to an LDAP
|
||||
+ * server. */
|
||||
+ char *naming_context;
|
||||
+
|
||||
struct sdap_search_base **search_bases;
|
||||
struct sdap_search_base **user_search_bases;
|
||||
struct sdap_search_base **group_search_bases;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -0,0 +1,233 @@
|
||||
From 50077c3255177fe1b01837fbe31a7f8fd47dee74 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Jan 2024 13:08:17 +0100
|
||||
Subject: [PATCH] pam: fix SC auth with multiple certs and missing login name
|
||||
|
||||
While introducing the local_auth_policy option a quite specific use-case
|
||||
was not covered correctly. If there are multiple matching certificates
|
||||
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
|
||||
mode was used for login, i.e. there is no user name given and the user
|
||||
has to be derived from the certificate used for login, authentication
|
||||
failed. The main reason for the failure is that in this case the
|
||||
Smartcard interaction and the user mapping has to be done first to
|
||||
determine the user before local_auth_policy is evaluated. As a result
|
||||
when checking if the authentication can be finished the request was in
|
||||
an unexpected state because the indicator for local Smartcard
|
||||
authentication was not enabled.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7109
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Scott Poore <spoore@redhat.com>
|
||||
(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3)
|
||||
---
|
||||
src/responder/pam/pamsrv.h | 10 ++++
|
||||
src/responder/pam/pamsrv_cmd.c | 17 +++++--
|
||||
src/tests/intg/Makefile.am | 2 +
|
||||
src/tests/intg/test_pam_responder.py | 74 +++++++++++++++++++++++++++-
|
||||
4 files changed, 96 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 7013a8edd..618836189 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -93,7 +93,17 @@ struct pam_auth_req {
|
||||
struct ldb_message *user_obj;
|
||||
struct cert_auth_info *cert_list;
|
||||
struct cert_auth_info *current_cert;
|
||||
+ /* Switched to 'true' if the backend indicates that it cannot handle
|
||||
+ * Smartcard authentication, but Smartcard authentication is
|
||||
+ * possible and local Smartcard authentication is allowed. */
|
||||
bool cert_auth_local;
|
||||
+ /* Switched to 'true' if authentication (not pre-authentication) was
|
||||
+ * started without a login name and the name had to be lookup up with the
|
||||
+ * certificate used for authentication. Since reading the certificate from
|
||||
+ * the Smartcard already involves the PIN validation in this case there
|
||||
+ * would be no need for an additional Smartcard interaction if only local
|
||||
+ * Smartcard authentication is possible. */
|
||||
+ bool initial_cert_auth_successful;
|
||||
|
||||
bool passkey_data_exists;
|
||||
uint32_t client_id_num;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index c23ea7ba4..a7c181733 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -2200,8 +2200,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
ret = ENOENT;
|
||||
goto done;
|
||||
}
|
||||
-
|
||||
- if (cert_count > 1) {
|
||||
+ /* Multiple certificates are only expected during pre-auth */
|
||||
+ if (cert_count > 1 && preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
for (preq->current_cert = preq->cert_list;
|
||||
preq->current_cert != NULL;
|
||||
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
|
||||
@@ -2285,7 +2285,9 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
}
|
||||
|
||||
/* If logon_name was not given during authentication add a
|
||||
- * SSS_PAM_CERT_INFO message to send the name to the caller. */
|
||||
+ * SSS_PAM_CERT_INFO message to send the name to the caller.
|
||||
+ * Additionally initial_cert_auth_successful is set to
|
||||
+ * indicate that the user is already authenticated. */
|
||||
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& preq->pd->logon_name == NULL) {
|
||||
ret = add_pam_cert_response(preq->pd,
|
||||
@@ -2297,6 +2299,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
+ preq->initial_cert_auth_successful = true;
|
||||
}
|
||||
|
||||
/* cert_user will be returned to the PAM client as user name, so
|
||||
@@ -2851,12 +2855,15 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
if (found) {
|
||||
if (local_policy != NULL && strcasecmp(local_policy, "only") == 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
- DEBUG(SSSDBG_IMPORTANT_INFO, "Local auth only set, skipping online auth\n");
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Local auth only set and matching certificate was found, "
|
||||
+ "skipping online auth\n");
|
||||
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
} else if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& IS_SC_AUTHTOK(preq->pd->authtok)
|
||||
- && preq->cert_auth_local) {
|
||||
+ && (preq->cert_auth_local
|
||||
+ || preq->initial_cert_auth_successful)) {
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
preq->callback = pam_reply;
|
||||
}
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 3866d3ca6..0cfd268dc 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -199,6 +199,7 @@ clean-local:
|
||||
|
||||
PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
||||
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
||||
+SOFTHSM2_TWO_CONF="$(abs_builddir)/../test_CA/softhsm2_two.conf"
|
||||
|
||||
intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains sss_netgroup_thread_test
|
||||
pipepath="$(DESTDIR)$(pipepath)"; \
|
||||
@@ -233,6 +234,7 @@ intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
|
||||
PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
|
||||
ABS_SRCDIR=$(abs_srcdir) \
|
||||
SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
|
||||
+ SOFTHSM2_TWO_CONF=$(SOFTHSM2_TWO_CONF) \
|
||||
KCM_RENEW=$(KCM_RENEW) \
|
||||
FILES_PROVIDER=$(FILES_PROVIDER) \
|
||||
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
|
||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
||||
index 1fc3937e6..0fbf8065e 100644
|
||||
--- a/src/tests/intg/test_pam_responder.py
|
||||
+++ b/src/tests/intg/test_pam_responder.py
|
||||
@@ -168,7 +168,7 @@ def format_pam_cert_auth_conf(config, provider):
|
||||
{provider.p}
|
||||
|
||||
[certmap/auth_only/user1]
|
||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -201,7 +201,7 @@ def format_pam_cert_auth_conf_name_format(config, provider):
|
||||
{provider.p}
|
||||
|
||||
[certmap/auth_only/user1]
|
||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -380,6 +380,28 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
|
||||
return None
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def simple_pam_cert_auth_two_certs(request, passwd_ops_setup):
|
||||
+ """Setup SSSD with pam_cert_auth=True"""
|
||||
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
||||
+
|
||||
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
|
||||
+ softhsm2_two_conf = os.environ['SOFTHSM2_TWO_CONF']
|
||||
+ os.environ['SOFTHSM2_CONF'] = softhsm2_two_conf
|
||||
+
|
||||
+ conf = format_pam_cert_auth_conf(config, provider_switch(request.param))
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+
|
||||
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
|
||||
+
|
||||
+ passwd_ops_setup.useradd(**USER1)
|
||||
+ passwd_ops_setup.useradd(**USER2)
|
||||
+ sync_files_provider(USER2['name'])
|
||||
+
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def simple_pam_cert_auth_name_format(request, passwd_ops_setup):
|
||||
"""Setup SSSD with pam_cert_auth=True and full_name_format"""
|
||||
@@ -522,6 +544,54 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
|
||||
assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
|
||||
|
||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
||||
+def test_sc_auth_two(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth", "--service=pam_sss_service"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="2\n123456")
|
||||
+ except Exception:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
||||
+def test_sc_auth_two_missing_name(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "",
|
||||
+ "--action=auth", "--service=pam_sss_allow_missing_name"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="2\n123456")
|
||||
+ except Exception:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
@pytest.mark.parametrize('simple_pam_cert_auth', ['proxy_password'], indirect=True)
|
||||
def test_sc_proxy_password_fallback(simple_pam_cert_auth, env_for_sssctl):
|
||||
"""
|
||||
--
|
||||
2.41.0
|
||||
|
||||
218
SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch
Normal file
218
SOURCES/0005-ad-gpo-use-hash-to-store-intermediate-results.patch
Normal file
@ -0,0 +1,218 @@
|
||||
From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 8 Nov 2023 14:50:24 +0100
|
||||
Subject: [PATCH] ad-gpo: use hash to store intermediate results
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently after the evaluation of a single GPO file the intermediate
|
||||
results are stored in the cache and this cache entry is updated until
|
||||
all applicable GPO files are evaluated. Finally the data in the cache is
|
||||
used to make the decision of access is granted or rejected.
|
||||
|
||||
If there are two or more access-control request running in parallel one
|
||||
request might overwrite the cache object with intermediate data while
|
||||
another request reads the cached data for the access decision and as a
|
||||
result will do this decision based on intermediate data.
|
||||
|
||||
To avoid this the intermediate results are not stored in the cache
|
||||
anymore but in hash tables which are specific to the request. Only the
|
||||
final result is written to the cache to have it available for offline
|
||||
authentication.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 102 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 3d1ad39c7..b879b0a08 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static errno_t
|
||||
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
|
||||
+{
|
||||
+ int hret;
|
||||
+ hash_key_t k;
|
||||
+ hash_value_t v;
|
||||
+
|
||||
+ if (hash == NULL || key == NULL || value == NULL) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ k.type = HASH_KEY_CONST_STRING;
|
||||
+ k.c_str = key;
|
||||
+
|
||||
+ v.type = HASH_VALUE_PTR;
|
||||
+ v.ptr = value;
|
||||
+
|
||||
+ hret = hash_enter(hash, &k, &v);
|
||||
+ if (hret != HASH_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
|
||||
+ key, value, hash_error_string(hret));
|
||||
+ return EIO;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
|
||||
* and stores the allow_key and deny_key of all of the gpo_map_types present
|
||||
@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
|
||||
*/
|
||||
static errno_t
|
||||
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
|
||||
const char *filename)
|
||||
{
|
||||
struct ini_cfgfile *file_ctx = NULL;
|
||||
@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
const char *value = allow_value ? allow_value : empty_val;
|
||||
- ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
- allow_key,
|
||||
- value);
|
||||
+ ret = add_result_to_hash(allow_maps, allow_key,
|
||||
+ talloc_strdup(allow_maps, value));
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
|
||||
- ret, sss_strerror(ret));
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
|
||||
+ "value: [%s] to allow maps "
|
||||
+ "[%d][%s].\n",
|
||||
+ allow_key, value, ret,
|
||||
+ sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
const char *value = deny_value ? deny_value : empty_val;
|
||||
- ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
- deny_key,
|
||||
- value);
|
||||
+ ret = add_result_to_hash(deny_maps, deny_key,
|
||||
+ talloc_strdup(deny_maps, value));
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
|
||||
- ret, sss_strerror(ret));
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
|
||||
+ "value: [%s] to deny maps "
|
||||
+ "[%d][%s].\n",
|
||||
+ deny_key, value, ret,
|
||||
+ sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state {
|
||||
int num_cse_filtered_gpos;
|
||||
int cse_gpo_index;
|
||||
const char *ad_domain;
|
||||
+ hash_table_t *allow_maps;
|
||||
+ hash_table_t *deny_maps;
|
||||
};
|
||||
|
||||
static void ad_gpo_connect_done(struct tevent_req *subreq);
|
||||
@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
||||
goto immediately;
|
||||
}
|
||||
|
||||
+ ret = sss_hash_create(state, 0, &state->allow_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
|
||||
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_hash_create(state, 0, &state->deny_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
|
||||
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto immediately;
|
||||
+ }
|
||||
|
||||
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
|
||||
if (subreq == NULL) {
|
||||
@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req)
|
||||
return EAGAIN;
|
||||
}
|
||||
|
||||
+static errno_t
|
||||
+store_hash_maps_in_cache(struct sss_domain_info *domain,
|
||||
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct hash_iter_context_t *iter;
|
||||
+ hash_entry_t *entry;
|
||||
+ size_t c;
|
||||
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
|
||||
+
|
||||
+
|
||||
+ for (c = 0; hash_list[c] != NULL; c++) {
|
||||
+ iter = new_hash_iter_context(hash_list[c]);
|
||||
+ if (iter == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ while ((entry = iter->next(iter)) != NULL) {
|
||||
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
+ entry->key.c_str,
|
||||
+ entry->value.ptr);
|
||||
+ if (ret != EOK) {
|
||||
+ free(iter);
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
|
||||
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
|
||||
+ return ret;
|
||||
+ }
|
||||
+ }
|
||||
+ talloc_free(iter);
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
|
||||
* cse_gpo_index until the policy settings for all applicable GPOs have been
|
||||
@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
||||
* (as part of the GPO Result object in the sysdb cache).
|
||||
*/
|
||||
ret = ad_gpo_store_policy_settings(state->host_domain,
|
||||
+ state->allow_maps, state->deny_maps,
|
||||
cse_filtered_gpo->policy_filename);
|
||||
if (ret != EOK && ret != ENOENT) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
||||
|
||||
if (ret == EOK) {
|
||||
/* ret is EOK only after all GPO policy files have been downloaded */
|
||||
+ ret = store_hash_maps_in_cache(state->host_domain,
|
||||
+ state->allow_maps, state->deny_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
|
||||
+ "[%d][%s].\n", ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
ret = ad_gpo_perform_hbac_processing(state,
|
||||
state->gpo_mode,
|
||||
state->gpo_map_type,
|
||||
--
|
||||
2.44.0
|
||||
|
||||
81
SOURCES/0006-ad-refresh-root-domain-when-read-directly.patch
Normal file
81
SOURCES/0006-ad-refresh-root-domain-when-read-directly.patch
Normal file
@ -0,0 +1,81 @@
|
||||
From db27a51f274640e1aa2f13476c80955a3ec9e91c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 1 Mar 2024 10:50:07 +0100
|
||||
Subject: [PATCH] ad: refresh root domain when read directly
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the domain object of the forest root domain cannot be found in the
|
||||
LDAP tree of the local AD domain SSSD tries to read the request data
|
||||
from an LDAP server of the forest root domain directly. After reading
|
||||
this data the information is stored in the cache but currently the
|
||||
information about the domain store in memory is not updated with the
|
||||
additional data. As a result e.g. the domain SID is missing in this data
|
||||
and only becomes available after a restart where it is read from the
|
||||
cache.
|
||||
|
||||
With this patch an unconditional refresh is triggered at the end of the
|
||||
fallback code path.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7250
|
||||
|
||||
Reviewed-by: Dan Lavu <dlavu@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53)
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index a8d1892cc..d8f3738ce 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state {
|
||||
static void ad_get_root_domain_done(struct tevent_req *subreq);
|
||||
static void ad_check_root_domain_done(struct tevent_req *subreq);
|
||||
static errno_t
|
||||
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
|
||||
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
|
||||
|
||||
struct tevent_req *
|
||||
ad_check_domain_send(TALLOC_CTX *mem_ctx,
|
||||
@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
- ret = ad_get_root_domain_refresh(state);
|
||||
+ ret = ad_get_root_domain_refresh(state, false);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
|
||||
}
|
||||
@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
|
||||
|
||||
state->reply_count = 1;
|
||||
|
||||
- ret = ad_get_root_domain_refresh(state);
|
||||
+ ret = ad_get_root_domain_refresh(state, true);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
|
||||
}
|
||||
@@ -1697,7 +1697,7 @@ done:
|
||||
}
|
||||
|
||||
static errno_t
|
||||
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
|
||||
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
|
||||
{
|
||||
struct sss_domain_info *root_domain;
|
||||
bool has_changes;
|
||||
@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (has_changes) {
|
||||
+ if (has_changes || refresh) {
|
||||
ret = ad_subdom_reinit(state->sd_ctx);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
|
||||
--
|
||||
2.45.0
|
||||
|
||||
306
SOURCES/0007-failover-add-failover_primary_timeout-option.patch
Normal file
306
SOURCES/0007-failover-add-failover_primary_timeout-option.patch
Normal file
@ -0,0 +1,306 @@
|
||||
From 14f32f681a25aac185d72bc6d22a9e3b59dd265a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 12:28:53 +0200
|
||||
Subject: [PATCH] failover: add failover_primary_timeout option
|
||||
|
||||
This was previously hardcoded to 31 seconds (hardcoded retry_timout +
|
||||
1). This may be too short period under some circumstances.
|
||||
|
||||
When we retry primary server we drop connection to the backup server and
|
||||
if the primary server is not yet available (and there are many
|
||||
unavailable primary servers) we may go through a long timeout cycle
|
||||
every half minute.
|
||||
|
||||
This patch makes the value configurable.
|
||||
|
||||
:config: Added `failover_primary_timout` configuration option. This
|
||||
can be used to configure how often SSSD tries to reconnect to a
|
||||
primary server after a successful connection to a backup server.
|
||||
This was previously hardcoded to 31 seconds which is kept as
|
||||
the default value.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7375
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
(cherry picked from commit e9738e36937e78f80bb2772c48cffbddf39bd5fe)
|
||||
---
|
||||
src/config/SSSDConfig/sssdoptions.py | 2 +
|
||||
src/config/SSSDConfigTest.py | 2 +
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.conf | 1 +
|
||||
src/man/sssd.conf.5.xml | 19 ++++++++
|
||||
src/providers/data_provider.h | 1 +
|
||||
src/providers/data_provider_fo.c | 14 +++++-
|
||||
src/providers/fail_over.c | 10 +++++
|
||||
src/providers/fail_over.h | 3 ++
|
||||
src/tests/system/tests/test_failover.py | 59 +++++++++++++++++++++++++
|
||||
10 files changed, 110 insertions(+), 2 deletions(-)
|
||||
create mode 100644 src/tests/system/tests/test_failover.py
|
||||
|
||||
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
|
||||
index 0d75e6d82..95b39aa59 100644
|
||||
--- a/src/config/SSSDConfig/sssdoptions.py
|
||||
+++ b/src/config/SSSDConfig/sssdoptions.py
|
||||
@@ -186,6 +186,8 @@ class SSSDOptions(object):
|
||||
'dns_resolver_op_timeout': _('How long should keep trying to resolve single DNS query (seconds)'),
|
||||
'dns_resolver_timeout': _('How long to wait for replies from DNS when resolving servers (seconds)'),
|
||||
'dns_discovery_domain': _('The domain part of service discovery DNS query'),
|
||||
+ 'failover_primary_timeout': _('How often SSSD tries to reconnect to the primary server after a successful '
|
||||
+ 'connection to the backup server.'),
|
||||
'override_gid': _('Override GID value from the identity provider with this value'),
|
||||
'case_sensitive': _('Treat usernames as case sensitive'),
|
||||
'entry_cache_user_timeout': _('Entry cache timeout length (seconds)'),
|
||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
||||
index b160be2b1..f333c35eb 100755
|
||||
--- a/src/config/SSSDConfigTest.py
|
||||
+++ b/src/config/SSSDConfigTest.py
|
||||
@@ -579,6 +579,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
||||
'dns_resolver_op_timeout',
|
||||
'dns_resolver_timeout',
|
||||
'dns_discovery_domain',
|
||||
+ 'failover_primary_timeout',
|
||||
'dyndns_update',
|
||||
'dyndns_ttl',
|
||||
'dyndns_iface',
|
||||
@@ -939,6 +940,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
||||
'dns_resolver_op_timeout',
|
||||
'dns_resolver_timeout',
|
||||
'dns_discovery_domain',
|
||||
+ 'failover_primary_timeout',
|
||||
'dyndns_update',
|
||||
'dyndns_ttl',
|
||||
'dyndns_iface',
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 92e87fb18..4c2ea0b87 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -405,6 +405,7 @@ option = dns_resolver_op_timeout
|
||||
option = dns_resolver_timeout
|
||||
option = dns_resolver_use_search_list
|
||||
option = dns_discovery_domain
|
||||
+option = failover_primary_timeout
|
||||
option = override_gid
|
||||
option = case_sensitive
|
||||
option = override_homedir
|
||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
||||
index 5ae6aab19..31787c23c 100644
|
||||
--- a/src/config/etc/sssd.api.conf
|
||||
+++ b/src/config/etc/sssd.api.conf
|
||||
@@ -172,6 +172,7 @@ dns_resolver_server_timeout = int, None, false
|
||||
dns_resolver_op_timeout = int, None, false
|
||||
dns_resolver_timeout = int, None, false
|
||||
dns_discovery_domain = str, None, false
|
||||
+failover_primary_timeout = int, None, false
|
||||
override_gid = int, None, false
|
||||
case_sensitive = str, None, false
|
||||
override_homedir = str, None, false
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 339f21e25..fbb82e357 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -3773,6 +3773,25 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>failover_primary_timeout (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ When no primary server is currently available,
|
||||
+ SSSD fail overs to a backup server. This option
|
||||
+ defines the amount of time (in seconds) to
|
||||
+ wait before SSSD tries to reconnect to a primary
|
||||
+ server again.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Note: The minimum value is 31.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: 31
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>override_gid (integer)</term>
|
||||
<listitem>
|
||||
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
|
||||
index 36a82b84d..def35e491 100644
|
||||
--- a/src/providers/data_provider.h
|
||||
+++ b/src/providers/data_provider.h
|
||||
@@ -267,6 +267,7 @@ enum dp_res_opts {
|
||||
DP_RES_OPT_RESOLVER_SERVER_TIMEOUT,
|
||||
DP_RES_OPT_RESOLVER_USE_SEARCH_LIST,
|
||||
DP_RES_OPT_DNS_DOMAIN,
|
||||
+ DP_RES_OPT_FAILOVER_PRIMARY_TIMEOUT,
|
||||
|
||||
DP_RES_OPTS /* attrs counter */
|
||||
};
|
||||
diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c
|
||||
index b0aed54e9..c23f92e35 100644
|
||||
--- a/src/providers/data_provider_fo.c
|
||||
+++ b/src/providers/data_provider_fo.c
|
||||
@@ -48,10 +48,20 @@ static int be_fo_get_options(struct be_ctx *ctx,
|
||||
DP_RES_OPT_RESOLVER_TIMEOUT);
|
||||
opts->use_search_list = dp_opt_get_bool(ctx->be_res->opts,
|
||||
DP_RES_OPT_RESOLVER_USE_SEARCH_LIST);
|
||||
+ opts->primary_timeout = dp_opt_get_int(ctx->be_res->opts,
|
||||
+ DP_RES_OPT_FAILOVER_PRIMARY_TIMEOUT);
|
||||
+
|
||||
opts->retry_timeout = 30;
|
||||
opts->srv_retry_neg_timeout = 15;
|
||||
opts->family_order = ctx->be_res->family_order;
|
||||
|
||||
+ if (opts->primary_timeout <= opts->retry_timeout) {
|
||||
+ opts->primary_timeout = opts->retry_timeout + 1;
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "Warning: failover_primary_timeout is too low, using %lu "
|
||||
+ "seconds instead\n", opts->primary_timeout);
|
||||
+ }
|
||||
+
|
||||
return EOK;
|
||||
}
|
||||
|
||||
@@ -551,7 +561,7 @@ static void be_resolve_server_done(struct tevent_req *subreq)
|
||||
struct tevent_req);
|
||||
struct be_resolve_server_state *state = tevent_req_data(req,
|
||||
struct be_resolve_server_state);
|
||||
- time_t timeout = fo_get_service_retry_timeout(state->svc->fo_service) + 1;
|
||||
+ time_t timeout = fo_get_primary_retry_timeout(state->svc->fo_service);
|
||||
int ret;
|
||||
|
||||
ret = be_resolve_server_process(subreq, state, &new_subreq);
|
||||
@@ -564,7 +574,6 @@ static void be_resolve_server_done(struct tevent_req *subreq)
|
||||
}
|
||||
|
||||
if (!fo_is_server_primary(state->srv)) {
|
||||
- /* FIXME: make the timeout configurable */
|
||||
ret = be_primary_server_timeout_activate(state->ctx, state->ev,
|
||||
state->ctx, state->svc,
|
||||
timeout);
|
||||
@@ -871,6 +880,7 @@ static struct dp_option dp_res_default_opts[] = {
|
||||
{ "dns_resolver_server_timeout", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
|
||||
{ "dns_resolver_use_search_list", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||
{ "dns_discovery_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
+ { "failover_primary_timeout", DP_OPT_NUMBER, { .number = 31 }, NULL_NUMBER },
|
||||
DP_OPTION_TERMINATOR
|
||||
};
|
||||
|
||||
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
|
||||
index 7cb642448..7f94407c5 100644
|
||||
--- a/src/providers/fail_over.c
|
||||
+++ b/src/providers/fail_over.c
|
||||
@@ -158,6 +158,7 @@ fo_context_init(TALLOC_CTX *mem_ctx, struct fo_options *opts)
|
||||
|
||||
ctx->opts->srv_retry_neg_timeout = opts->srv_retry_neg_timeout;
|
||||
ctx->opts->retry_timeout = opts->retry_timeout;
|
||||
+ ctx->opts->primary_timeout = opts->primary_timeout;
|
||||
ctx->opts->family_order = opts->family_order;
|
||||
ctx->opts->service_resolv_timeout = opts->service_resolv_timeout;
|
||||
ctx->opts->use_search_list = opts->use_search_list;
|
||||
@@ -1740,6 +1741,15 @@ time_t fo_get_service_retry_timeout(struct fo_service *svc)
|
||||
return svc->ctx->opts->retry_timeout;
|
||||
}
|
||||
|
||||
+time_t fo_get_primary_retry_timeout(struct fo_service *svc)
|
||||
+{
|
||||
+ if (svc == NULL || svc->ctx == NULL || svc->ctx->opts == NULL) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return svc->ctx->opts->primary_timeout;
|
||||
+}
|
||||
+
|
||||
bool fo_get_use_search_list(struct fo_server *server)
|
||||
{
|
||||
if (
|
||||
diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h
|
||||
index 36021ad6f..924a09970 100644
|
||||
--- a/src/providers/fail_over.h
|
||||
+++ b/src/providers/fail_over.h
|
||||
@@ -83,6 +83,7 @@ struct fo_server;
|
||||
struct fo_options {
|
||||
time_t srv_retry_neg_timeout;
|
||||
time_t retry_timeout;
|
||||
+ time_t primary_timeout;
|
||||
int service_resolv_timeout;
|
||||
bool use_search_list;
|
||||
enum restrict_family family_order;
|
||||
@@ -211,6 +212,8 @@ int fo_is_srv_lookup(struct fo_server *s);
|
||||
|
||||
time_t fo_get_service_retry_timeout(struct fo_service *svc);
|
||||
|
||||
+time_t fo_get_primary_retry_timeout(struct fo_service *svc);
|
||||
+
|
||||
bool fo_get_use_search_list(struct fo_server *server);
|
||||
|
||||
void fo_reset_services(struct fo_ctx *fo_ctx);
|
||||
diff --git a/src/tests/system/tests/test_failover.py b/src/tests/system/tests/test_failover.py
|
||||
new file mode 100644
|
||||
index 000000000..565cec9bc
|
||||
--- /dev/null
|
||||
+++ b/src/tests/system/tests/test_failover.py
|
||||
@@ -0,0 +1,59 @@
|
||||
+"""
|
||||
+SSSD Failover tests.
|
||||
+
|
||||
+:requirement: Failover
|
||||
+"""
|
||||
+
|
||||
+from __future__ import annotations
|
||||
+
|
||||
+import pytest
|
||||
+from sssd_test_framework.roles.client import Client
|
||||
+from sssd_test_framework.roles.ldap import LDAP
|
||||
+from sssd_test_framework.topology import KnownTopology
|
||||
+
|
||||
+
|
||||
+@pytest.mark.parametrize("value, expected", [(None, 31), (15, 31), (60, 60)])
|
||||
+@pytest.mark.importance("low")
|
||||
+@pytest.mark.ticket(gh=7375, jira="RHEL-17659")
|
||||
+@pytest.mark.topology(KnownTopology.LDAP)
|
||||
+def test_failover__retry_primary(client: Client, ldap: LDAP, value: int | None, expected: int):
|
||||
+ """
|
||||
+ :title: Primary server reactivation timeout is respected
|
||||
+ :setup:
|
||||
+ 1. Create LDAP user "user-1"
|
||||
+ 2. Set failover_primary_timeout to @value
|
||||
+ 3. Set ldap_uri to invalid, not working server
|
||||
+ 4. Set ldap_backup_uri to working server
|
||||
+ 5. Start SSSD
|
||||
+ :steps:
|
||||
+ 1. Lookup user-1
|
||||
+ 2. Check that SSSD is connected to backup server
|
||||
+ 3. Find "Primary server reactivation timeout set to @expected seconds" in domain logs
|
||||
+ :expectedresults:
|
||||
+ 1. SSSD failover to backup server
|
||||
+ 2. SSSD is indeed connected to the backup server
|
||||
+ 3. String is found
|
||||
+ :customerscenario: True
|
||||
+ """
|
||||
+ ldap.user("user-1").add()
|
||||
+
|
||||
+ if value is not None:
|
||||
+ client.sssd.domain["failover_primary_timeout"] = str(value)
|
||||
+
|
||||
+ client.sssd.enable_responder("ifp")
|
||||
+ client.sssd.domain["ldap_uri"] = "ldap://ldap.invalid"
|
||||
+ client.sssd.domain["ldap_backup_uri"] = f"ldap://{ldap.host.hostname}"
|
||||
+ client.sssd.start()
|
||||
+
|
||||
+ # Lookup user to make sure SSSD did correctly failover to backup server
|
||||
+ result = client.tools.id("user-1")
|
||||
+ assert result is not None
|
||||
+
|
||||
+ # Check that SSSD is indeed connected to backup server
|
||||
+ assert client.sssd.default_domain is not None
|
||||
+ status = client.sssctl.domain_status(client.sssd.default_domain, active=True)
|
||||
+ assert ldap.host.hostname in status.stdout
|
||||
+
|
||||
+ # Check that primary server reactivation timeout was correctly created
|
||||
+ log = client.fs.read(client.sssd.logs.domain())
|
||||
+ assert f"Primary server reactivation timeout set to {expected} seconds" in log
|
||||
--
|
||||
2.46.0
|
||||
|
||||
@ -0,0 +1,35 @@
|
||||
From 5fc4540e97625a23f2573b0804a1509cf46931c9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
|
||||
Date: Thu, 14 Nov 2024 17:27:49 +0100
|
||||
Subject: [PATCH 08/15] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
|
||||
|
||||
The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
|
||||
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
|
||||
but the corresponding option is missing in
|
||||
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200
|
||||
|
||||
This error was introduced by
|
||||
https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 9ee10f98e0070774e0e7f0794bc296ef06a671e4)
|
||||
---
|
||||
src/providers/be_dyndns.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
|
||||
index 2c655ef1e..5d0f51119 100644
|
||||
--- a/src/providers/be_dyndns.c
|
||||
+++ b/src/providers/be_dyndns.c
|
||||
@@ -1201,6 +1201,7 @@ static struct dp_option default_dyndns_opts[] = {
|
||||
{ "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||
{ "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
|
||||
+ { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
|
||||
{ "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER },
|
||||
{ "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
|
||||
--
|
||||
2.46.1
|
||||
|
||||
69
SOURCES/0009-TESTS-Also-test-default_dyndns_opts.patch
Normal file
69
SOURCES/0009-TESTS-Also-test-default_dyndns_opts.patch
Normal file
@ -0,0 +1,69 @@
|
||||
From b34aa979919ec6f3d73e3229c5ad3ab88bc5028a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
|
||||
Date: Thu, 14 Nov 2024 18:46:44 +0100
|
||||
Subject: [PATCH 09/15] TESTS: Also test default_dyndns_opts
|
||||
|
||||
Compare this structure to ipa_dyndns_opts, which is already compared
|
||||
to ad_dyndns_opts.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 2c72834e657197012b3a32207ffe307e8ba5f9e2)
|
||||
---
|
||||
src/providers/be_dyndns.c | 2 +-
|
||||
src/providers/be_dyndns.h | 1 +
|
||||
src/tests/ipa_ldap_opt-tests.c | 6 ++++++
|
||||
3 files changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
|
||||
index 5d0f51119..e6fa7dfd6 100644
|
||||
--- a/src/providers/be_dyndns.c
|
||||
+++ b/src/providers/be_dyndns.c
|
||||
@@ -1197,7 +1197,7 @@ be_nsupdate_check(void)
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static struct dp_option default_dyndns_opts[] = {
|
||||
+struct dp_option default_dyndns_opts[] = {
|
||||
{ "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||
{ "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
|
||||
diff --git a/src/providers/be_dyndns.h b/src/providers/be_dyndns.h
|
||||
index 2185fee95..719c13942 100644
|
||||
--- a/src/providers/be_dyndns.h
|
||||
+++ b/src/providers/be_dyndns.h
|
||||
@@ -63,6 +63,7 @@ enum dp_dyndns_opts {
|
||||
|
||||
DP_OPT_DYNDNS /* attrs counter */
|
||||
};
|
||||
+extern struct dp_option default_dyndns_opts[DP_OPT_DYNDNS + 1];
|
||||
|
||||
#define DYNDNS_REMOVE_A 0x1
|
||||
#define DYNDNS_REMOVE_AAAA 0x2
|
||||
diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
|
||||
index a1a0e9cc6..da990acaf 100644
|
||||
--- a/src/tests/ipa_ldap_opt-tests.c
|
||||
+++ b/src/tests/ipa_ldap_opt-tests.c
|
||||
@@ -103,6 +103,10 @@ START_TEST(test_compare_opts)
|
||||
ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
|
||||
ad_dyndns_opts);
|
||||
ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
|
||||
+
|
||||
+ ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
|
||||
+ default_dyndns_opts);
|
||||
+ ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
|
||||
}
|
||||
END_TEST
|
||||
|
||||
@@ -200,6 +204,8 @@ START_TEST(test_dp_opt_sentinel)
|
||||
|
||||
fail_unless_dp_opt_is_terminator(&default_krb5_opts[KRB5_OPTS]);
|
||||
|
||||
+ fail_unless_dp_opt_is_terminator(&default_dyndns_opts[DP_OPT_DYNDNS]);
|
||||
+
|
||||
fail_unless_dp_opt_is_terminator(&ad_basic_opts[AD_OPTS_BASIC]);
|
||||
fail_unless_dp_opt_is_terminator(&ad_def_ldap_opts[SDAP_OPTS_BASIC]);
|
||||
fail_unless_dp_opt_is_terminator(&ad_def_krb5_opts[KRB5_OPTS]);
|
||||
--
|
||||
2.46.1
|
||||
|
||||
@ -0,0 +1,310 @@
|
||||
From ebbde00722489c51cfcc70aa6550ed6ea4b97ff8 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 6 Sep 2024 14:27:19 +0200
|
||||
Subject: [PATCH 10/15] sdap: allow to provide user_map when looking up group
|
||||
memberships
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
To allow to lookup group memberships of other objects similar to user
|
||||
objects but with different attribute mappings, e.g. host objects in AD,
|
||||
a new option to provide an alternative attribute map is added.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7590
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 69f63f1fa64bd9cc7c2ee1f8e8d736727b13b3be)
|
||||
(cherry picked from commit 321ca19ae09609ac4195f323b696bdcd7ee573e4)
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 2 +-
|
||||
src/providers/ldap/ldap_common.h | 2 +
|
||||
src/providers/ldap/ldap_id.c | 9 ++++
|
||||
src/providers/ldap/sdap_async.h | 2 +
|
||||
src/providers/ldap/sdap_async_initgroups.c | 51 ++++++++++++++--------
|
||||
5 files changed, 48 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index b879b0a08..69dd54f5b 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2244,7 +2244,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
search_bases,
|
||||
state->host_fqdn,
|
||||
BE_FILTER_NAME,
|
||||
- NULL,
|
||||
+ NULL, NULL, 0,
|
||||
true,
|
||||
true);
|
||||
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
|
||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||
index 2c984ef50..61a35553b 100644
|
||||
--- a/src/providers/ldap/ldap_common.h
|
||||
+++ b/src/providers/ldap/ldap_common.h
|
||||
@@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
+ struct sdap_attr_map *user_map,
|
||||
+ size_t user_map_cnt,
|
||||
bool noexist_delete,
|
||||
bool set_non_posix);
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
||||
index b3ea2333f..0596ad4cf 100644
|
||||
--- a/src/providers/ldap/ldap_id.c
|
||||
+++ b/src/providers/ldap/ldap_id.c
|
||||
@@ -1144,6 +1144,8 @@ struct groups_by_user_state {
|
||||
const char *filter_value;
|
||||
int filter_type;
|
||||
const char *extra_value;
|
||||
+ struct sdap_attr_map *user_map;
|
||||
+ size_t user_map_cnt;
|
||||
const char **attrs;
|
||||
bool non_posix;
|
||||
|
||||
@@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
+ struct sdap_attr_map *user_map,
|
||||
+ size_t user_map_cnt,
|
||||
bool noexist_delete,
|
||||
bool set_non_posix)
|
||||
{
|
||||
@@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
state->filter_value = filter_value;
|
||||
state->filter_type = filter_type;
|
||||
state->extra_value = extra_value;
|
||||
+ state->user_map = user_map;
|
||||
+ state->user_map_cnt = user_map_cnt;
|
||||
state->domain = sdom->dom;
|
||||
state->sysdb = sdom->dom->sysdb;
|
||||
state->search_bases = search_bases;
|
||||
@@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
|
||||
state->sdom,
|
||||
sdap_id_op_handle(state->op),
|
||||
state->ctx,
|
||||
+ state->user_map,
|
||||
+ state->user_map_cnt,
|
||||
state->conn,
|
||||
state->search_bases,
|
||||
state->filter_value,
|
||||
@@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
|
||||
ar->filter_value,
|
||||
ar->filter_type,
|
||||
ar->extra_value,
|
||||
+ NULL, 0,
|
||||
noexist_delete, false);
|
||||
break;
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
||||
index 89245f41f..a45e057d0 100644
|
||||
--- a/src/providers/ldap/sdap_async.h
|
||||
+++ b/src/providers/ldap/sdap_async.h
|
||||
@@ -157,6 +157,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
+ struct sdap_attr_map *user_map,
|
||||
+ size_t user_map_cnt,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
struct sdap_search_base **search_bases,
|
||||
const char *name,
|
||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
||||
index fb3d8fe24..8ce1f6cd4 100644
|
||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
||||
@@ -785,6 +785,8 @@ struct sdap_initgr_nested_state {
|
||||
struct tevent_context *ev;
|
||||
struct sysdb_ctx *sysdb;
|
||||
struct sdap_options *opts;
|
||||
+ struct sdap_attr_map *user_map;
|
||||
+ size_t user_map_cnt;
|
||||
struct sss_domain_info *dom;
|
||||
struct sdap_handle *sh;
|
||||
|
||||
@@ -812,6 +814,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req);
|
||||
static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
|
||||
struct tevent_context *ev,
|
||||
struct sdap_options *opts,
|
||||
+ struct sdap_attr_map *user_map,
|
||||
+ size_t user_map_cnt,
|
||||
struct sysdb_ctx *sysdb,
|
||||
struct sss_domain_info *dom,
|
||||
struct sdap_handle *sh,
|
||||
@@ -828,6 +832,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
|
||||
|
||||
state->ev = ev;
|
||||
state->opts = opts;
|
||||
+ state->user_map = user_map;
|
||||
+ state->user_map_cnt = user_map_cnt;
|
||||
state->sysdb = sysdb;
|
||||
state->dom = dom;
|
||||
state->sh = sh;
|
||||
@@ -968,7 +974,7 @@ static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req)
|
||||
|
||||
subreq = sdap_deref_search_send(state, state->ev, state->opts,
|
||||
state->sh, state->orig_dn,
|
||||
- state->opts->user_map[SDAP_AT_USER_MEMBEROF].name,
|
||||
+ state->user_map[SDAP_AT_USER_MEMBEROF].name,
|
||||
sdap_attrs, num_maps, maps, timeout);
|
||||
if (!subreq) {
|
||||
ret = EIO;
|
||||
@@ -2697,6 +2703,8 @@ struct sdap_get_initgr_state {
|
||||
struct tevent_context *ev;
|
||||
struct sysdb_ctx *sysdb;
|
||||
struct sdap_options *opts;
|
||||
+ struct sdap_attr_map *user_map;
|
||||
+ size_t user_map_cnt;
|
||||
struct sss_domain_info *dom;
|
||||
struct sdap_domain *sdom;
|
||||
struct sdap_handle *sh;
|
||||
@@ -2731,6 +2739,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
+ struct sdap_attr_map *user_map,
|
||||
+ size_t user_map_cnt,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
@@ -2754,6 +2764,12 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
|
||||
state->ev = ev;
|
||||
state->opts = id_ctx->opts;
|
||||
+ state->user_map = user_map;
|
||||
+ state->user_map_cnt = user_map_cnt;
|
||||
+ if (state->user_map == NULL) {
|
||||
+ state->user_map = id_ctx->opts->user_map;
|
||||
+ state->user_map_cnt = id_ctx->opts->user_map_cnt;
|
||||
+ }
|
||||
state->dom = sdom->dom;
|
||||
state->sysdb = sdom->dom->sysdb;
|
||||
state->sdom = sdom;
|
||||
@@ -2785,7 +2801,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
|
||||
switch (filter_type) {
|
||||
case BE_FILTER_SECID:
|
||||
- search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
|
||||
+ search_attr = state->user_map[SDAP_AT_USER_OBJECTSID].name;
|
||||
|
||||
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
|
||||
if (ret != EOK) {
|
||||
@@ -2794,7 +2810,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
}
|
||||
break;
|
||||
case BE_FILTER_UUID:
|
||||
- search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name;
|
||||
+ search_attr = state->user_map[SDAP_AT_USER_UUID].name;
|
||||
|
||||
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
|
||||
if (ret != EOK) {
|
||||
@@ -2812,23 +2828,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
}
|
||||
|
||||
ep_filter = get_enterprise_principal_string_filter(state,
|
||||
- state->opts->user_map[SDAP_AT_USER_PRINC].name,
|
||||
+ state->user_map[SDAP_AT_USER_PRINC].name,
|
||||
clean_name, state->opts->basic);
|
||||
state->user_base_filter =
|
||||
talloc_asprintf(state,
|
||||
"(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
|
||||
- state->opts->user_map[SDAP_AT_USER_PRINC].name,
|
||||
+ state->user_map[SDAP_AT_USER_PRINC].name,
|
||||
clean_name,
|
||||
- state->opts->user_map[SDAP_AT_USER_EMAIL].name,
|
||||
+ state->user_map[SDAP_AT_USER_EMAIL].name,
|
||||
clean_name,
|
||||
ep_filter == NULL ? "" : ep_filter,
|
||||
- state->opts->user_map[SDAP_OC_USER].name);
|
||||
+ state->user_map[SDAP_OC_USER].name);
|
||||
if (state->user_base_filter == NULL) {
|
||||
talloc_zfree(req);
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
- search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
|
||||
+ search_attr = state->user_map[SDAP_AT_USER_NAME].name;
|
||||
|
||||
ret = sss_parse_internal_fqname(state, filter_value,
|
||||
&state->shortname, NULL);
|
||||
@@ -2860,7 +2876,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
state->user_base_filter =
|
||||
talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
|
||||
search_attr, clean_name,
|
||||
- state->opts->user_map[SDAP_OC_USER].name);
|
||||
+ state->user_map[SDAP_OC_USER].name);
|
||||
if (!state->user_base_filter) {
|
||||
talloc_zfree(req);
|
||||
return NULL;
|
||||
@@ -2877,14 +2893,14 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
*/
|
||||
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
|
||||
"(%s=*))",
|
||||
- id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
|
||||
+ state->user_map[SDAP_AT_USER_OBJECTSID].name);
|
||||
} else {
|
||||
/* When not ID-mapping or looking up app users, make sure there
|
||||
* is a non-NULL UID */
|
||||
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
|
||||
"(&(%s=*)(!(%s=0))))",
|
||||
- id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
|
||||
- id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
|
||||
+ state->user_map[SDAP_AT_USER_UID].name,
|
||||
+ state->user_map[SDAP_AT_USER_UID].name);
|
||||
}
|
||||
if (!state->user_base_filter) {
|
||||
talloc_zfree(req);
|
||||
@@ -2892,8 +2908,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
}
|
||||
|
||||
ret = build_attrs_from_map(state,
|
||||
- state->opts->user_map,
|
||||
- state->opts->user_map_cnt,
|
||||
+ state->user_map,
|
||||
+ state->user_map_cnt,
|
||||
NULL, &state->user_attrs, NULL);
|
||||
if (ret) {
|
||||
talloc_zfree(req);
|
||||
@@ -2990,7 +3006,7 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
|
||||
state->user_search_bases[state->user_base_iter]->basedn,
|
||||
state->user_search_bases[state->user_base_iter]->scope,
|
||||
state->filter, state->user_attrs,
|
||||
- state->opts->user_map, state->opts->user_map_cnt,
|
||||
+ state->user_map, state->user_map_cnt,
|
||||
state->timeout,
|
||||
false);
|
||||
if (!subreq) {
|
||||
@@ -3179,6 +3195,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
|
||||
|
||||
case SDAP_SCHEMA_IPA_V1:
|
||||
subreq = sdap_initgr_nested_send(state, state->ev, state->opts,
|
||||
+ state->user_map, state->user_map_cnt,
|
||||
state->sysdb, state->dom, state->sh,
|
||||
state->orig_user, state->grp_attrs);
|
||||
if (!subreq) {
|
||||
@@ -3377,7 +3394,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
|
||||
*/
|
||||
ret = sdap_attrs_get_sid_str(
|
||||
tmp_ctx, opts->idmap_ctx, state->orig_user,
|
||||
- opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
|
||||
+ state->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
|
||||
&sid_str);
|
||||
if (ret != EOK) goto done;
|
||||
|
||||
@@ -3392,7 +3409,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
|
||||
|
||||
ret = sysdb_attrs_get_uint32_t(
|
||||
state->orig_user,
|
||||
- opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
|
||||
+ state->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
|
||||
&primary_gid);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
--
|
||||
2.46.1
|
||||
|
||||
@ -0,0 +1,80 @@
|
||||
From 9ff2e55000d146381db5f66575e40ada5ecaf0cf Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 6 Sep 2024 14:37:05 +0200
|
||||
Subject: [PATCH 11/15] ad: use default user_map when looking of host groups
|
||||
for GPO
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Use the default AD user attribute map to lookup the group membership of
|
||||
the AD host object. This should help to avoid issues if user attributes
|
||||
are overwritten in the user attribute map.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7590
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
|
||||
(cherry picked from commit 2c233636c093708d5cdd7ddb69af9b0ecde633bd)
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_access.h | 1 +
|
||||
src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
|
||||
2 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
|
||||
index 34d5597da..c54b53eed 100644
|
||||
--- a/src/providers/ad/ad_access.h
|
||||
+++ b/src/providers/ad/ad_access.h
|
||||
@@ -49,6 +49,7 @@ struct ad_access_ctx {
|
||||
} gpo_map_type;
|
||||
hash_table_t *gpo_map_options_table;
|
||||
enum gpo_map_type gpo_default_right;
|
||||
+ struct sdap_attr_map *host_attr_map;
|
||||
};
|
||||
|
||||
struct tevent_req *
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 69dd54f5b..4e2f06b0d 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -45,6 +45,7 @@
|
||||
#include "providers/ad/ad_common.h"
|
||||
#include "providers/ad/ad_domain_info.h"
|
||||
#include "providers/ad/ad_gpo.h"
|
||||
+#include "providers/ad/ad_opts.h"
|
||||
#include "providers/ldap/sdap_access.h"
|
||||
#include "providers/ldap/sdap_async.h"
|
||||
#include "providers/ldap/sdap.h"
|
||||
@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
"trying with user search base.");
|
||||
}
|
||||
|
||||
+ if (state->access_ctx->host_attr_map == NULL) {
|
||||
+ ret = sdap_copy_map(state->access_ctx,
|
||||
+ ad_2008r2_user_map, SDAP_OPTS_USER,
|
||||
+ &state->access_ctx->host_attr_map);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
subreq = groups_by_user_send(state, state->ev,
|
||||
state->access_ctx->ad_id_ctx->sdap_id_ctx,
|
||||
sdom, state->conn,
|
||||
search_bases,
|
||||
state->host_fqdn,
|
||||
BE_FILTER_NAME,
|
||||
- NULL, NULL, 0,
|
||||
+ NULL,
|
||||
+ state->access_ctx->host_attr_map,
|
||||
+ SDAP_OPTS_USER,
|
||||
true,
|
||||
true);
|
||||
tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
|
||||
--
|
||||
2.46.1
|
||||
|
||||
@ -0,0 +1,61 @@
|
||||
From 0e86f1a53b893a296488d96a432b98458403bcb9 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 14 Jun 2024 16:10:34 +0200
|
||||
Subject: [PATCH 12/15] sysdb: do not fail to add non-posix user to MPG domain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
SSSD does not handle the root user (UID==0) and treats all accounts with
|
||||
UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
|
||||
well and as a result for those accounts in MPG domains the check for a
|
||||
collisions of the primary GID should be skipped. The current code might
|
||||
e.g. cause issues during GPO evaluation when adding a host account into
|
||||
the cache which does not have any UID or GID set in AD and SSSD is
|
||||
configured to read UID and GID from AD.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7451
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 986bb726202e69b05f861c14c3a220379baf9bd1)
|
||||
(cherry picked from commit d234cf5d6e793daf2c96856887acb641c4dff407)
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/db/sysdb_ops.c | 18 ++++++++++--------
|
||||
1 file changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 3331d4687..fa2d81217 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
|
||||
- if (ret != ENOENT) {
|
||||
- if (ret == EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Group with GID [%"SPRIgid"] already exists in an "
|
||||
- "MPG domain\n", gid);
|
||||
- ret = EEXIST;
|
||||
+ if (uid != 0) { /* uid == 0 means non-POSIX object */
|
||||
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
|
||||
+ if (ret != ENOENT) {
|
||||
+ if (ret == EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Group with GID [%"SPRIgid"] already exists in an "
|
||||
+ "MPG domain\n", uid);
|
||||
+ ret = EEXIST;
|
||||
+ }
|
||||
+ goto done;
|
||||
}
|
||||
- goto done;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.46.1
|
||||
|
||||
@ -0,0 +1,230 @@
|
||||
From acd5da528789734411b12fa8b19007b00eea9f2c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 13 Sep 2024 15:45:59 +0200
|
||||
Subject: [PATCH 13/15] ldap: add 'exop_force' value for ldap_pwmodify_mode
|
||||
|
||||
In case the LDAP server allows to run the extended operation to change a
|
||||
password even if an authenticated bind fails due to missing grace logins
|
||||
the new option 'exop_force' can be used to run the extended operation to
|
||||
change the password anyways.
|
||||
|
||||
:config: Added `exop_force` value for configuration option
|
||||
`ldap_pwmodify_mode`. This can be used to force a password change even
|
||||
if no grace logins are left. Depending on the configuration of the
|
||||
LDAP server it might be expected that the password change will fail.
|
||||
|
||||
(cherry picked from commit 72a7fd0ded236a16b00bb4e26221f7e23b702a53)
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
(cherry picked from commit e3a3f44c4cdcb936b59941636ff576de613366d1)
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/man/sssd-ldap.5.xml | 11 +++++++++
|
||||
src/providers/ipa/ipa_auth.c | 3 ++-
|
||||
src/providers/ldap/ldap_auth.c | 5 +++-
|
||||
src/providers/ldap/ldap_options.c | 2 ++
|
||||
src/providers/ldap/sdap.h | 5 ++--
|
||||
src/providers/ldap/sdap_async.h | 3 ++-
|
||||
src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++-----
|
||||
7 files changed, 45 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
||||
index 0a814ec35..a9994aade 100644
|
||||
--- a/src/man/sssd-ldap.5.xml
|
||||
+++ b/src/man/sssd-ldap.5.xml
|
||||
@@ -234,6 +234,17 @@
|
||||
userPassword (not recommended).
|
||||
</para>
|
||||
</listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ exop_force - Try Password Modify
|
||||
+ Extended Operation (RFC 3062) even if
|
||||
+ there are no grace logins left.
|
||||
+ Depending on the type and configuration
|
||||
+ of the LDAP server the password change
|
||||
+ might fail because an authenticated bind
|
||||
+ is not possible.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
<para>
|
||||
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
|
||||
index 1d61a1052..b2e5b6f35 100644
|
||||
--- a/src/providers/ipa/ipa_auth.c
|
||||
+++ b/src/providers/ipa/ipa_auth.c
|
||||
@@ -381,7 +381,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
|
||||
SDAP_OPT_TIMEOUT);
|
||||
|
||||
subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
|
||||
- state->pd->authtok, timeout);
|
||||
+ state->pd->authtok, timeout,
|
||||
+ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
|
||||
if (subreq == NULL) {
|
||||
goto done;
|
||||
}
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index 8ec4d3af5..023ed2277 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -896,7 +896,8 @@ static void auth_do_bind(struct tevent_req *req)
|
||||
NULL, NULL, state->dn,
|
||||
state->authtok,
|
||||
dp_opt_get_int(state->ctx->opts->basic,
|
||||
- SDAP_OPT_TIMEOUT));
|
||||
+ SDAP_OPT_TIMEOUT),
|
||||
+ state->ctx->opts->pwmodify_mode);
|
||||
if (!subreq) {
|
||||
tevent_req_error(req, ENOMEM);
|
||||
return;
|
||||
@@ -1186,6 +1187,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,
|
||||
|
||||
switch (opts->pwmodify_mode) {
|
||||
case SDAP_PWMODIFY_EXOP:
|
||||
+ case SDAP_PWMODIFY_EXOP_FORCE:
|
||||
subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
|
||||
password, new_password,
|
||||
timeout);
|
||||
@@ -1229,6 +1231,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)
|
||||
|
||||
switch (state->mode) {
|
||||
case SDAP_PWMODIFY_EXOP:
|
||||
+ case SDAP_PWMODIFY_EXOP_FORCE:
|
||||
ret = sdap_exop_modify_passwd_recv(subreq, state,
|
||||
&state->user_error_message);
|
||||
break;
|
||||
diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
|
||||
index 277bcb529..72a95300d 100644
|
||||
--- a/src/providers/ldap/ldap_options.c
|
||||
+++ b/src/providers/ldap/ldap_options.c
|
||||
@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
|
||||
opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
|
||||
} else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
|
||||
opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
|
||||
+ } else if (strcasecmp(pwmodify, "exop_force") == 0) {
|
||||
+ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
|
||||
} else {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
|
||||
ret = EINVAL;
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index 103d50ed4..cc34c8198 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -546,8 +546,9 @@ struct sdap_options {
|
||||
|
||||
/* password modify mode */
|
||||
enum pwmodify_mode {
|
||||
- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
|
||||
- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */
|
||||
+ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
|
||||
+ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */
|
||||
+ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
|
||||
} pwmodify_mode;
|
||||
|
||||
/* The search bases for the domain or its subdomain */
|
||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
||||
index a45e057d0..80b403bc3 100644
|
||||
--- a/src/providers/ldap/sdap_async.h
|
||||
+++ b/src/providers/ldap/sdap_async.h
|
||||
@@ -146,7 +146,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
|
||||
const char *sasl_user,
|
||||
const char *user_dn,
|
||||
struct sss_auth_token *authtok,
|
||||
- int simple_bind_timeout);
|
||||
+ int simple_bind_timeout,
|
||||
+ enum pwmodify_mode pwmodify_mode);
|
||||
|
||||
errno_t sdap_auth_recv(struct tevent_req *req,
|
||||
TALLOC_CTX *memctx,
|
||||
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
|
||||
index e8638725c..992a5798c 100644
|
||||
--- a/src/providers/ldap/sdap_async_connection.c
|
||||
+++ b/src/providers/ldap/sdap_async_connection.c
|
||||
@@ -643,6 +643,7 @@ struct simple_bind_state {
|
||||
struct tevent_context *ev;
|
||||
struct sdap_handle *sh;
|
||||
const char *user_dn;
|
||||
+ enum pwmodify_mode pwmodify_mode;
|
||||
|
||||
struct sdap_op *op;
|
||||
|
||||
@@ -659,7 +660,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
int timeout,
|
||||
const char *user_dn,
|
||||
- struct berval *pw)
|
||||
+ struct berval *pw,
|
||||
+ enum pwmodify_mode pwmodify_mode)
|
||||
{
|
||||
struct tevent_req *req;
|
||||
struct simple_bind_state *state;
|
||||
@@ -682,6 +684,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
|
||||
state->ev = ev;
|
||||
state->sh = sh;
|
||||
state->user_dn = user_dn;
|
||||
+ state->pwmodify_mode = pwmodify_mode;
|
||||
|
||||
ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
||||
0, NULL, 0, &ctrls[0]);
|
||||
@@ -866,7 +869,12 @@ static void simple_bind_done(struct sdap_op *op,
|
||||
* Grace Authentications". */
|
||||
DEBUG(SSSDBG_TRACE_LIBS,
|
||||
"Password expired, grace logins exhausted.\n");
|
||||
- ret = ERR_AUTH_FAILED;
|
||||
+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
|
||||
+ ret = ERR_PASSWORD_EXPIRED;
|
||||
+ } else {
|
||||
+ ret = ERR_AUTH_FAILED;
|
||||
+ }
|
||||
}
|
||||
} else if (strcmp(response_controls[c]->ldctl_oid,
|
||||
LDAP_CONTROL_PWEXPIRED) == 0) {
|
||||
@@ -879,7 +887,12 @@ static void simple_bind_done(struct sdap_op *op,
|
||||
if (result == LDAP_INVALID_CREDENTIALS) {
|
||||
DEBUG(SSSDBG_TRACE_LIBS,
|
||||
"Password expired, grace logins exhausted.\n");
|
||||
- ret = ERR_AUTH_FAILED;
|
||||
+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
|
||||
+ ret = ERR_PASSWORD_EXPIRED;
|
||||
+ } else {
|
||||
+ ret = ERR_AUTH_FAILED;
|
||||
+ }
|
||||
} else {
|
||||
DEBUG(SSSDBG_TRACE_LIBS,
|
||||
"Password expired, user must set a new password.\n");
|
||||
@@ -1358,7 +1371,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
|
||||
const char *sasl_user,
|
||||
const char *user_dn,
|
||||
struct sss_auth_token *authtok,
|
||||
- int simple_bind_timeout)
|
||||
+ int simple_bind_timeout,
|
||||
+ enum pwmodify_mode pwmodify_mode)
|
||||
{
|
||||
struct tevent_req *req, *subreq;
|
||||
struct sdap_auth_state *state;
|
||||
@@ -1397,7 +1411,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
|
||||
pw.bv_len = pwlen;
|
||||
|
||||
state->is_sasl = false;
|
||||
- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw);
|
||||
+ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, pwmodify_mode);
|
||||
if (!subreq) {
|
||||
tevent_req_error(req, ENOMEM);
|
||||
return tevent_req_post(req, ev);
|
||||
@@ -1972,7 +1986,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
|
||||
SDAP_SASL_AUTHID),
|
||||
user_dn, authtok,
|
||||
dp_opt_get_int(state->opts->basic,
|
||||
- SDAP_OPT_TIMEOUT));
|
||||
+ SDAP_OPT_TIMEOUT),
|
||||
+ state->opts->pwmodify_mode);
|
||||
talloc_free(authtok);
|
||||
if (!subreq) {
|
||||
tevent_req_error(req, ENOMEM);
|
||||
--
|
||||
2.46.1
|
||||
|
||||
@ -0,0 +1,54 @@
|
||||
From aa81ab093966c1717ebfafbeef9f9f78944b9c23 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 15 Apr 2024 16:29:33 +0200
|
||||
Subject: [PATCH 14/15] DEBUG: reduce log level in case a responder asks for
|
||||
unknown domain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Addition to 718fed9c53807b8502d6547bc0253b979d35e677
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
(cherry picked from commit ab2671c00866d917f3e737a007ae64753f8440aa)
|
||||
(cherry picked from commit 8dcf23f215fe2a7fadf13598ce7f04523caa5eb0)
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/plugins/cache_req_common.c | 5 ++++-
|
||||
src/sbus/router/sbus_router_handler.c | 2 ++
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
|
||||
index 7eb09215a..00b9383ee 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_common.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
|
||||
@@ -129,7 +129,10 @@ cache_req_common_process_dp_reply(struct cache_req *cr,
|
||||
bool bret;
|
||||
|
||||
if (ret != EOK) {
|
||||
- CACHE_REQ_DEBUG(SSSDBG_IMPORTANT_INFO, cr,
|
||||
+ int msg_level = SSSDBG_IMPORTANT_INFO;
|
||||
+ /* ERR_DOMAIN_NOT_FOUND: 'ad_enabled_domains' option can exclude domain */
|
||||
+ if (ret == ERR_DOMAIN_NOT_FOUND) msg_level = SSSDBG_CONF_SETTINGS;
|
||||
+ CACHE_REQ_DEBUG(msg_level, cr,
|
||||
"Could not get account info [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
|
||||
diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c
|
||||
index 7b6c2441f..732716046 100644
|
||||
--- a/src/sbus/router/sbus_router_handler.c
|
||||
+++ b/src/sbus/router/sbus_router_handler.c
|
||||
@@ -150,6 +150,8 @@ static void sbus_issue_request_done(struct tevent_req *subreq)
|
||||
} else {
|
||||
int msg_level = SSSDBG_OP_FAILURE;
|
||||
if (ret == ERR_MISSING_DP_TARGET) msg_level = SSSDBG_FUNC_DATA;
|
||||
+ /* ERR_DOMAIN_NOT_FOUND: 'ad_enabled_domains' option can exclude domain */
|
||||
+ if (ret == ERR_DOMAIN_NOT_FOUND) msg_level = SSSDBG_CONF_SETTINGS;
|
||||
DEBUG(msg_level, "%s.%s: Error [%d]: %s\n",
|
||||
meta.interface, meta.member, ret, sss_strerror(ret));
|
||||
}
|
||||
--
|
||||
2.46.1
|
||||
|
||||
@ -0,0 +1,55 @@
|
||||
From 3e7e0cc7038c89132c9f4b8a48b6b1e0c0febff4 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 21 Nov 2024 09:16:09 +0100
|
||||
Subject: [PATCH 15/15] ldap_child: make sure invalid krb5 context is not used
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7715
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744)
|
||||
---
|
||||
src/util/sss_krb5.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
|
||||
index 3f57e5b26..f44df2b5f 100644
|
||||
--- a/src/util/sss_krb5.c
|
||||
+++ b/src/util/sss_krb5.c
|
||||
@@ -83,6 +83,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name)
|
||||
return keytab_name;
|
||||
}
|
||||
|
||||
+ if (ctx == NULL) {
|
||||
+ return "-unknown-";
|
||||
+ }
|
||||
+
|
||||
if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) {
|
||||
return "-default keytab-";
|
||||
}
|
||||
@@ -1355,8 +1359,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
|
||||
{
|
||||
krb5_error_code kerr;
|
||||
const char *msg;
|
||||
+ krb5_context ctx;
|
||||
|
||||
- kerr = krb5_init_context(context);
|
||||
+ kerr = krb5_init_context(&ctx);
|
||||
if (kerr != 0) {
|
||||
/* It is safe to call (sss_)krb5_get_error_message() with NULL as first
|
||||
* argument. */
|
||||
@@ -1365,6 +1370,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
|
||||
"Failed to init Kerberos context [%s]\n", msg);
|
||||
sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg);
|
||||
sss_krb5_free_error_message(NULL, msg);
|
||||
+ } else {
|
||||
+ *context = ctx;
|
||||
}
|
||||
|
||||
return kerr;
|
||||
--
|
||||
2.46.1
|
||||
|
||||
330
SPECS/sssd.spec
330
SPECS/sssd.spec
@ -18,8 +18,8 @@
|
||||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
Name: sssd
|
||||
Version: 2.5.1
|
||||
Release: 1%{?dist}
|
||||
Version: 2.9.4
|
||||
Release: 5%{?dist}.1
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -27,7 +27,21 @@ URL: https://github.com/SSSD/sssd
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
#Patch0001:
|
||||
Patch0001: 0001-sssd-adding-mail-as-case-insensitive.patch
|
||||
Patch0002: 0002-sdap-add-search_bases-option-to-groups_by_user_send.patch
|
||||
Patch0003: 0003-sdap-add-naming_context-as-new-member-of-struct-sdap.patch
|
||||
Patch0004: 0004-pam-fix-SC-auth-with-multiple-certs-and-missing-logi.patch
|
||||
Patch0005: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch
|
||||
Patch0006: 0006-ad-refresh-root-domain-when-read-directly.patch
|
||||
Patch0007: 0007-failover-add-failover_primary_timeout-option.patch
|
||||
Patch0008: 0008-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
|
||||
Patch0009: 0009-TESTS-Also-test-default_dyndns_opts.patch
|
||||
Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
|
||||
Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
|
||||
Patch0012: 0012-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
|
||||
Patch0013: 0013-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
|
||||
Patch0014: 0014-DEBUG-reduce-log-level-in-case-a-responder-asks-for-.patch
|
||||
Patch0015: 0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
|
||||
|
||||
### Downstream Patches ###
|
||||
|
||||
@ -75,11 +89,12 @@ BuildRequires: openldap-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: nss-devel
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: pcre2-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: libxml2
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: krb5-libs >= 1.18.2-11
|
||||
BuildRequires: c-ares-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: check-devel
|
||||
@ -92,7 +107,6 @@ BuildRequires: gettext-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: diffstat
|
||||
BuildRequires: findutils
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: selinux-policy-targeted
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: uid_wrapper
|
||||
@ -101,7 +115,11 @@ BuildRequires: pam_wrapper
|
||||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: libjose-devel
|
||||
BuildRequires: softhsm >= 2.1.0
|
||||
BuildRequires: bc
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssh
|
||||
BuildRequires: libnl3-devel
|
||||
@ -114,8 +132,10 @@ BuildRequires: libsmbclient-devel
|
||||
BuildRequires: samba-winbind
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: gdm-pam-extensions-devel
|
||||
BuildRequires: libunistring-devel
|
||||
BuildRequires: shadow-utils-subid-devel
|
||||
BuildRequires: po4a
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
@ -136,6 +156,7 @@ Conflicts: selinux-policy < 3.10.0-46
|
||||
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
|
||||
# sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5
|
||||
Obsoletes: sssd-libwbclient < 2.5.0
|
||||
Obsoletes: sssd-libwbclient-debuginfo < 2.5.0
|
||||
# Requires
|
||||
# Explicitly require RHEL-8.0 versions of the Samba libraries
|
||||
# in order to prevent untested combinations of a new SSSD and
|
||||
@ -204,18 +225,16 @@ Summary: Userspace tools for use with the SSSD
|
||||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: libsss_simpleifp = %{version}-%{release}
|
||||
# required by sss_obfuscate
|
||||
Requires: python3-sss = %{version}-%{release}
|
||||
Requires: python3-sssdconfig = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
# for logger=journald support with sss_analyze
|
||||
Requires: python3-systemd
|
||||
Recommends: sssd-dbus
|
||||
|
||||
%description tools
|
||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
|
||||
Also provides several other administrative tools:
|
||||
Provides several administrative tools:
|
||||
* sss_debuglevel to change the debug level on the fly
|
||||
* sss_seed which pre-creates a user entry for use in kickstarts
|
||||
* sss_obfuscate for generating an obfuscated LDAP password
|
||||
@ -239,11 +258,8 @@ Requires: sssd-common = %{version}-%{release}
|
||||
%{?python_provide:%python_provide python3-sss}
|
||||
|
||||
%description -n python3-sss
|
||||
Provides python3 module for manipulating users, groups, and nested groups in
|
||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
|
||||
Also provides several other useful python3 bindings:
|
||||
* function for retrieving list of groups user belongs to.
|
||||
Provides python3 bindings:
|
||||
* function for retrieving list of groups user belongs to
|
||||
* class for obfuscation of passwords
|
||||
|
||||
%package -n python3-sss-murmur
|
||||
@ -349,6 +365,7 @@ Group: Applications/System
|
||||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Requires(pre): shadow-utils
|
||||
|
||||
%description proxy
|
||||
@ -527,12 +544,23 @@ Summary: An implementation of a Kerberos KCM server
|
||||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: krb5-libs >= 1.18.2-11
|
||||
%{?systemd_requires}
|
||||
|
||||
%description kcm
|
||||
An implementation of a Kerberos KCM server. Use this package if you want to
|
||||
use the KCM: Kerberos credentials cache.
|
||||
|
||||
%package idp
|
||||
Summary: Kerberos plugins and OIDC helper for external identity providers.
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
%description idp
|
||||
This package provides Kerberos plugins that are required to enable
|
||||
authentication against external identity providers. Additionally a helper
|
||||
program to handle the OAuth 2.0 Device Authorization Grant is provided.
|
||||
|
||||
%prep
|
||||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||||
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
||||
@ -576,8 +604,10 @@ autoreconf -ivf
|
||||
--disable-rpath \
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
--with-subid \
|
||||
--with-files-provider \
|
||||
--with-libsifp \
|
||||
--enable-sss-default-nss-plugin \
|
||||
--enable-files-domain \
|
||||
--without-python2-bindings \
|
||||
--with-sssd-user=sssd \
|
||||
%{?with_cifs_utils_plugin_option} \
|
||||
@ -596,6 +626,7 @@ unset CK_TIMEOUT_MULTIPLIER
|
||||
|
||||
%install
|
||||
|
||||
%py3_shebang_fix src/tools/analyzer/sss_analyze
|
||||
sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate
|
||||
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
@ -616,6 +647,14 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||
|
||||
# Enable krb5 idp plugins by default (when sssd-idp package is installed)
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||
|
||||
# krb5 configuration snippet
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
|
||||
# Create directory for cifs-idmap alternative
|
||||
# Otherwise this directory could not be owned by sssd-client
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
|
||||
@ -798,7 +837,7 @@ done
|
||||
%dir %{_sysconfdir}/rwtab.d
|
||||
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
||||
%dir %{_datadir}/sssd
|
||||
%{_sysconfdir}/pam.d/sssd-shadowutils
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
|
||||
%dir %{_libdir}/%{name}/conf
|
||||
%{_libdir}/%{name}/conf/sssd.conf
|
||||
|
||||
@ -847,6 +886,9 @@ done
|
||||
%license COPYING
|
||||
%{_libdir}/%{name}/libsss_krb5.so
|
||||
%{_mandir}/man5/sssd-krb5.5*
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
|
||||
%dir %{_datadir}/sssd/krb5-snippets
|
||||
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
|
||||
|
||||
%files common-pac
|
||||
%defattr(-,root,root,-)
|
||||
@ -881,7 +923,7 @@ done
|
||||
%{_mandir}/man5/sssd-ifp.5*
|
||||
%{_unitdir}/sssd-ifp.service
|
||||
# InfoPipe DBus plumbing
|
||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
|
||||
|
||||
%files -n libsss_simpleifp
|
||||
@ -900,6 +942,7 @@ done
|
||||
%defattr(-,root,root,-)
|
||||
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
%{_libdir}/libnss_sss.so.2
|
||||
%{_libdir}/libsubid_sss.so
|
||||
%{_libdir}/security/pam_sss.so
|
||||
%{_libdir}/security/pam_sss_gss.so
|
||||
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
||||
@ -914,6 +957,7 @@ done
|
||||
%{_mandir}/man8/pam_sss.8*
|
||||
%{_mandir}/man8/pam_sss_gss.8*
|
||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||
%{_mandir}/man8/sssd_krb5_localauth_plugin.8*
|
||||
|
||||
%files -n libsss_sudo
|
||||
%defattr(-,root,root,-)
|
||||
@ -934,6 +978,8 @@ done
|
||||
%{_sbindir}/sss_debuglevel
|
||||
%{_sbindir}/sss_seed
|
||||
%{_sbindir}/sssctl
|
||||
%{_libexecdir}/%{servicename}/sss_analyze
|
||||
%{python3_sitelib}/sssd/
|
||||
%{_mandir}/man8/sss_obfuscate.8*
|
||||
%{_mandir}/man8/sss_override.8*
|
||||
%{_mandir}/man8/sss_debuglevel.8*
|
||||
@ -1032,7 +1078,12 @@ done
|
||||
%{_unitdir}/sssd-kcm.socket
|
||||
%{_unitdir}/sssd-kcm.service
|
||||
%{_mandir}/man8/sssd-kcm.8*
|
||||
%{_libdir}/%{name}/libsss_secrets.so
|
||||
|
||||
%files idp
|
||||
%{_libexecdir}/%{servicename}/oidc_child
|
||||
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
|
||||
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
|
||||
|
||||
%pre ipa
|
||||
getent group sssd >/dev/null || groupadd -r sssd
|
||||
@ -1060,6 +1111,38 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
|
||||
%systemd_post sssd-ssh.socket
|
||||
%systemd_post sssd-sudo.socket
|
||||
|
||||
function mod_nss() {
|
||||
if [ -f "$1" ] ; then
|
||||
# Change order 'sss <-> files' if default pattern is found
|
||||
match_pattern="^[[:blank:]]*(passwd|group):(.*)sss[[:blank:]]+files(.*)"
|
||||
if grep -E -r -q -s "$match_pattern" "$1"; then
|
||||
sed -i.save_by_rpm -E -e "
|
||||
s/$match_pattern/\1:\2files sss\3/
|
||||
" "$1" &>/dev/null || :
|
||||
# Remove obsolete comment
|
||||
sed -i -E -e '/# .sssd. performs its own .files.-based caching, so it should generally/d' "$1" &>/dev/null || :
|
||||
sed -i -E -e '/# come before .files.\./d' "$1" &>/dev/null || :
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if grep -E -r -q -s "[[:blank:]]*id_provider[[:blank:]]*=[[:blank:]]*files" /etc/sssd/ ||
|
||||
grep -E -i -r -q -s "[[:blank:]]*enable_files_domain[[:blank:]]*=[[:blank:]]*true" /etc/sssd ; then
|
||||
# "files provider" configured explicitly, leave nsswitch.conf intact
|
||||
:
|
||||
else
|
||||
NSSFILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"
|
||||
if [ "$NSSFILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then
|
||||
mod_nss "/etc/authselect/user-nsswitch.conf"
|
||||
authselect apply-changes &> /dev/null || :
|
||||
else
|
||||
mod_nss "$NSSFILE"
|
||||
# also apply the same changes to user-nsswitch.conf to affect
|
||||
# possible future authselect configuration
|
||||
mod_nss "/etc/authselect/user-nsswitch.conf"
|
||||
fi
|
||||
fi
|
||||
|
||||
%preun common
|
||||
%systemd_preun sssd.service
|
||||
%systemd_preun sssd-autofs.socket
|
||||
@ -1143,6 +1226,213 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Fri Nov 22 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-5.1
|
||||
- Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z]
|
||||
- Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z]
|
||||
- Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z]
|
||||
- Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z]
|
||||
- Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z]
|
||||
- Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z]
|
||||
|
||||
* Mon Sep 09 2024 Anuar Beisembayev <abeisemb@redhat.com> - 2.9.4-5
|
||||
- Resolves: RHEL-39085 - [RfE] SSSD Failover Enhancements
|
||||
|
||||
* Fri May 17 2024 Arun Bansal <arbansal@redhat.com> - 2.9.4-4
|
||||
- Resolves: RHEL-33957 - ad: refresh root domain when read directly
|
||||
|
||||
* Thu Apr 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-3
|
||||
- Resolves: RHEL-27205 - Race condition during authorization leads to GPO policies functioning inconsistently
|
||||
|
||||
* Mon Feb 12 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-2
|
||||
- Resolves: RHEL-25064 - AD users are unable to log in due to case sensitivity of user because the domain is found as an alias to the email address. [rhel-8]
|
||||
- Resolves: RHEL-25066 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities [rhel-8]
|
||||
- Resolves: RHEL-25065 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd [rhel-8]
|
||||
|
||||
* Sat Jan 13 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.4-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: RHEL-1680 - auto_private_groups does not create cache in IPA server SSSD cache
|
||||
- Resolves: RHEL-10092 - logfile rotation for sssd_kcm not working properly, sssd_kcm never receives a 'kill -HUP'
|
||||
- Resolves: RHEL-17495 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider')
|
||||
- Resolves: RHEL-18431 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest
|
||||
- Resolves: RHEL-5033 - Incorrect IdM product name in man sssd.conf
|
||||
- Resolves: RHEL-15368 - SSSD GPO lacks group resolution on hosts [rhel-8]
|
||||
- Resolves: RHEL-10721 - very bad performance when requesting service tickets
|
||||
- Resolves: RHEL-19011 - Invalid handling groups from child domain
|
||||
- Resolves: RHEL-19949 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users [rhel-8]
|
||||
|
||||
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-2
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
|
||||
* Mon Nov 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.3-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: RHEL-14070 - sssd-2.9.2-1.el8 breaks smart card authentication
|
||||
- Resolves: RHEL-3665 - Unexplainable error "Unable to find primary gid [2]: No such file or directory" when SSSD performs lookup for an AD user
|
||||
|
||||
* Mon Sep 11 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.2-1
|
||||
- Resolves: RHEL-2630 - Rebase SSSD for RHEL 8.10
|
||||
- Resolves: rhbz#2226021 - dbus and crond getting terminated with SIGBUS in sss_client code
|
||||
- Resolves: rhbz#2237253 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7)
|
||||
|
||||
* Mon Jul 10 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-2
|
||||
- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system
|
||||
|
||||
* Fri Jun 23 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-1
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy
|
||||
- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files
|
||||
- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
|
||||
- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure
|
||||
- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000]
|
||||
- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization
|
||||
- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working
|
||||
- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search filter can inadvertently catch multiple overrides
|
||||
- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true'
|
||||
|
||||
* Tue May 30 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-4
|
||||
- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release
|
||||
Rebuild against rebased Samba libs
|
||||
|
||||
* Thu May 25 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-3
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
|
||||
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
|
||||
- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
|
||||
- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
|
||||
- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
|
||||
- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
|
||||
- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
|
||||
|
||||
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
|
||||
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
|
||||
|
||||
* Mon Dec 19 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
|
||||
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
|
||||
- Resolves: rhbz#2136701 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
|
||||
- Resolves: rhbz#2139760 - [sssd] RHEL 8.8 Tier 0 Localization
|
||||
- Resolves: rhbz#2139865 - Analyzer: Optimize and remove duplicate messages in verbose list
|
||||
- Resolves: rhbz#2142795 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
|
||||
- Resolves: rhbz#2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
|
||||
- Resolves: rhbz#2150357 - Smart Card auth does not work with p11_uri (with-smartcard-required)
|
||||
|
||||
* Tue Nov 22 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
|
||||
- Resolves: rhbz#2127511 - Rebase SSSD for RHEL 8.8
|
||||
- Resolves: rhbz#2144581 - [RFE] provide dbus method to find users by attr
|
||||
- Resolves: rhbz#2144579 - sssd timezone issues sudonotafter
|
||||
- Resolves: rhbz#2144519 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
|
||||
- Resolves: rhbz#2127822 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
|
||||
- Resolves: rhbz#2111393 - authenticating against external IdP services okta (native app) with OAuth client secret failed
|
||||
|
||||
* Mon Oct 31 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-5
|
||||
- Related: rhbz#2132051 - Rebase Samba to the the latest 4.17.x release
|
||||
Rebuild against Samba rebase.
|
||||
|
||||
* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
|
||||
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
|
||||
|
||||
* Tue Aug 23 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-3
|
||||
- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8
|
||||
- Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured
|
||||
- Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend
|
||||
|
||||
* Wed Aug 10 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-2
|
||||
- Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases
|
||||
- Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs
|
||||
- Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL
|
||||
|
||||
* Wed Jul 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-1
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization
|
||||
|
||||
* Mon Jun 20 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.2-1
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets
|
||||
- Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file
|
||||
- Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6
|
||||
- Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf
|
||||
- Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP
|
||||
- Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect
|
||||
- Resolves: rhbz#2098617 - Harden kerberos ticket validation
|
||||
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
|
||||
|
||||
* Wed May 18 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.0-2
|
||||
- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
|
||||
- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
|
||||
- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
|
||||
- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
|
||||
- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname()
|
||||
- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd
|
||||
- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
|
||||
- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send
|
||||
- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker
|
||||
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
|
||||
- Resolves: rhbz#2087745 - 2FA prompting setting ineffective
|
||||
- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language
|
||||
|
||||
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
|
||||
- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
|
||||
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
|
||||
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
|
||||
- Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
|
||||
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
|
||||
|
||||
* Tue Jan 04 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
|
||||
- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)
|
||||
|
||||
* Mon Dec 27 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
|
||||
- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
|
||||
- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
|
||||
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
|
||||
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
|
||||
- Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
|
||||
- Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
|
||||
- Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
|
||||
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
|
||||
- Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
|
||||
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
|
||||
- Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
|
||||
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
|
||||
|
||||
* Fri Nov 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-2
|
||||
- Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
|
||||
|
||||
* Mon Nov 15 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-1
|
||||
- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
|
||||
- Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
|
||||
- Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator
|
||||
- Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed
|
||||
- Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb
|
||||
- Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces)
|
||||
- Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
|
||||
- Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD
|
||||
- Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline
|
||||
- Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True'
|
||||
- Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s
|
||||
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
|
||||
- Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication.
|
||||
- Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA
|
||||
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
|
||||
- Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing
|
||||
|
||||
* Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
|
||||
- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
|
||||
- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization
|
||||
|
||||
* Mon Jul 12 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-1
|
||||
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
|
||||
- Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU
|
||||
- Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber`
|
||||
- Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling
|
||||
- Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address
|
||||
- Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group
|
||||
- Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade
|
||||
|
||||
* Mon Jun 21 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.1-2
|
||||
- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken
|
||||
- Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument
|
||||
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)
|
||||
|
||||
* Tue Jun 08 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.1-1
|
||||
- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
|
||||
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
|
||||
|
||||
Loading…
Reference in New Issue
Block a user