diff --git a/SOURCES/0016-ad-refresh-root-domain-when-read-directly.patch b/SOURCES/0016-ad-refresh-root-domain-when-read-directly.patch new file mode 100644 index 0000000..7652bcf --- /dev/null +++ b/SOURCES/0016-ad-refresh-root-domain-when-read-directly.patch @@ -0,0 +1,81 @@ +From db27a51f274640e1aa2f13476c80955a3ec9e91c Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 1 Mar 2024 10:50:07 +0100 +Subject: [PATCH] ad: refresh root domain when read directly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the domain object of the forest root domain cannot be found in the +LDAP tree of the local AD domain SSSD tries to read the request data +from an LDAP server of the forest root domain directly. After reading +this data the information is stored in the cache but currently the +information about the domain store in memory is not updated with the +additional data. As a result e.g. the domain SID is missing in this data +and only becomes available after a restart where it is read from the +cache. + +With this patch an unconditional refresh is triggered at the end of the +fallback code path. + +Resolves: https://github.com/SSSD/sssd/issues/7250 + +Reviewed-by: Dan Lavu +Reviewed-by: Tomáš Halman +(cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53) +--- + src/providers/ad/ad_subdomains.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index a8d1892cc..d8f3738ce 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -1395,7 +1395,7 @@ struct ad_get_root_domain_state { + static void ad_get_root_domain_done(struct tevent_req *subreq); + static void ad_check_root_domain_done(struct tevent_req *subreq); + static errno_t +-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state); ++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh); + + struct tevent_req * + ad_check_domain_send(TALLOC_CTX *mem_ctx, +@@ -1582,7 +1582,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) + return; + } + +- ret = ad_get_root_domain_refresh(state); ++ ret = ad_get_root_domain_refresh(state, false); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n"); + } +@@ -1682,7 +1682,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq) + + state->reply_count = 1; + +- ret = ad_get_root_domain_refresh(state); ++ ret = ad_get_root_domain_refresh(state, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n"); + } +@@ -1697,7 +1697,7 @@ done: + } + + static errno_t +-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) ++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh) + { + struct sss_domain_info *root_domain; + bool has_changes; +@@ -1713,7 +1713,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) + goto done; + } + +- if (has_changes) { ++ if (has_changes || refresh) { + ret = ad_subdom_reinit(state->sd_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n"); +-- +2.45.0 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index bc684b2..2af72dd 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -27,7 +27,7 @@ Name: sssd Version: 2.9.4 -Release: 6%{?dist} +Release: 6%{?dist}.1 Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ @@ -49,6 +49,7 @@ Patch0012: 0012-pam_sss-prefer-Smartcard-authentication.patch Patch0013: 0013-pam-fix-storing-auth-types-for-offline-auth.patch Patch0014: 0014-ad-gpo-use-hash-to-store-intermediate-results.patch Patch0015: 0015-tests-Drop-extensions-from-openssl-command-if-there-.patch +Patch0016: 0016-ad-refresh-root-domain-when-read-directly.patch ### Dependencies ### @@ -1098,6 +1099,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Wed May 15 2024 Diaa Sami - 2.9.4-6.1 +- Resolves: RHEL-33896 - SSSD fails to process AD groups with 'Global Scope' correctly causing incomplete group-membership on RHEL if cache is empty [rhel-9.4.0] + * Thu Apr 18 2024 Alexey Tikhonov - 2.9.4-6 - Resolves: RHEL-27209 - Race condition during authorization leads to GPO policies functioning inconsistently [rhel-9.4.0]