From ef432a404cb4aa5d7cfb8c91b90d71033bc57976 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 8 Nov 2023 17:16:18 +0300 Subject: [PATCH] import sssd-2.9.1-2.el9 --- .gitignore | 2 +- .sssd.metadata | 2 +- ...-shadow-last-change-in-sysdb-as-well.patch | 158 ------------------ ..._watchdog-and-disarm_watchdog-calls.patch} | 2 +- ...2-MAN-mention-attributes-in-see-also.patch | 29 ---- ...watchdog-for-sbus_connect_init_send.patch} | 2 +- ..._CLIENT-delete-key-in-lib-destructor.patch | 90 ---------- ...-comparison-when-checking-for-overri.patch | 42 ----- SPECS/sssd.spec | 52 ++++-- 9 files changed, 43 insertions(+), 336 deletions(-) delete mode 100644 SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch rename SOURCES/{0004-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch => 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch} (98%) delete mode 100644 SOURCES/0002-MAN-mention-attributes-in-see-also.patch rename SOURCES/{0005-sbus-arm-watchdog-for-sbus_connect_init_send.patch => 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch} (96%) delete mode 100644 SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch delete mode 100644 SOURCES/0006-sysdb-fix-string-comparison-when-checking-for-overri.patch diff --git a/.gitignore b/.gitignore index a743af2..4714c8c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/sssd-2.8.2.tar.gz +SOURCES/sssd-2.9.1.tar.gz diff --git a/.sssd.metadata b/.sssd.metadata index 6575e58..9b2fbfd 100644 --- a/.sssd.metadata +++ b/.sssd.metadata @@ -1 +1 @@ -4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz +5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz diff --git a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch deleted file mode 100644 index 60feece..0000000 --- a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Thu, 8 Dec 2022 15:14:05 +0100 -Subject: [PATCH] ldap: update shadow last change in sysdb as well -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Otherwise pam can use the changed information whe id chaching is -enabled, so next authentication that fits into the id timeout -(5 seconds by default) will still sees the password as expired. - -Resolves: https://github.com/SSSD/sssd/issues/6477 - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886) ---- - src/db/sysdb.h | 4 ++++ - src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ - src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++----- - 3 files changed, 52 insertions(+), 5 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 7c666f5c4..06b44f5ba 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain, - struct sysdb_attrs *attrs, - int mod_op); - -+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, -+ const char *name, -+ const char *attrname); -+ - /* Replace group attrs */ - int sysdb_set_group_attr(struct sss_domain_info *domain, - const char *name, -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 0d6f2d5cd..ed0df9872 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -1485,6 +1485,38 @@ done: - return ret; - } - -+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, -+ const char *name, -+ const char *attrname) -+{ -+ struct sysdb_attrs *attrs; -+ char *value; -+ errno_t ret; -+ -+ attrs = sysdb_new_attrs(NULL); -+ if (attrs == NULL) { -+ return ENOMEM; -+ } -+ -+ /* The attribute contains number of days since the epoch */ -+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400); -+ if 
(value == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = sysdb_attrs_add_string(attrs, attrname, value); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); -+ -+done: -+ talloc_free(attrs); -+ return ret; -+} -+ - /* =Replace-Attributes-On-Group=========================================== */ - - int sysdb_set_group_attr(struct sss_domain_info *domain, -diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c -index 6404a9d3a..96b9d6df4 100644 ---- a/src/providers/ldap/ldap_auth.c -+++ b/src/providers/ldap/ldap_auth.c -@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state { - struct pam_data *pd; - struct sdap_handle *sh; - char *dn; -+ enum pwexpire pw_expire_type; - }; - - static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); -@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - { - struct sdap_pam_chpass_handler_state *state; - struct tevent_req *req; -- enum pwexpire pw_expire_type; - void *pw_expire_data; - size_t msg_len; - uint8_t *msg; -@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); - - ret = auth_recv(subreq, state, &state->sh, &state->dn, -- &pw_expire_type, &pw_expire_data); -+ &state->pw_expire_type, &pw_expire_data); - talloc_free(subreq); - - if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && -@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - } - - if (ret == EOK) { -- switch (pw_expire_type) { -+ switch (state->pw_expire_type) { - case PWEXPIRE_SHADOW: - ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); - break; -@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - break; - default: - DEBUG(SSSDBG_CRIT_FAILURE, -- "Unknown password expiration type %d.\n", pw_expire_type); -+ 
"Unknown password expiration type %d.\n", -+ state->pw_expire_type); - state->pd->pam_status = PAM_SYSTEM_ERR; - goto done; - } -@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - case ERR_PASSWORD_EXPIRED: - DEBUG(SSSDBG_TRACE_LIBS, - "user [%s] successfully authenticated.\n", state->dn); -- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type); -+ ret = sdap_pam_chpass_handler_change_step(state, req, -+ state->pw_expire_type); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sdap_pam_chpass_handler_change_step() failed.\n"); -@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) - - switch (ret) { - case EOK: -+ if (state->pw_expire_type == PWEXPIRE_SHADOW) { -+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain, -+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE); -+ if (ret != EOK) { -+ state->pd->pam_status = PAM_SYSTEM_ERR; -+ goto done; -+ } -+ } -+ - state->pd->pam_status = PAM_SUCCESS; - break; - case ERR_CHPASS_DENIED: --- -2.37.3 - diff --git a/SOURCES/0004-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch b/SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch similarity index 98% rename from SOURCES/0004-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch rename to SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch index 19f2218..6a77149 100644 --- a/SOURCES/0004-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch +++ b/SOURCES/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch @@ -1,7 +1,7 @@ From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 9 Jun 2023 12:31:39 +0200 -Subject: [PATCH 5/6] watchdog: add arm_watchdog() and disarm_watchdog() calls +Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
diff --git a/SOURCES/0002-MAN-mention-attributes-in-see-also.patch b/SOURCES/0002-MAN-mention-attributes-in-see-also.patch deleted file mode 100644 index c103d64..0000000 --- a/SOURCES/0002-MAN-mention-attributes-in-see-also.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 897ccf40b2e7ab30c3b8a3fb42584d1d5b8c4bb3 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 13 Jan 2023 18:58:05 +0100 -Subject: [PATCH] MAN: mention `attributes` in 'see also' - -Reviewed-by: Justin Stephenson -Reviewed-by: Sumit Bose -(cherry picked from commit b631c3174a3f8f5c169e9507969015dd79fdfd80) ---- - src/man/include/seealso.xml | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml -index 9999496fa..7f0bbe9df 100644 ---- a/src/man/include/seealso.xml -+++ b/src/man/include/seealso.xml -@@ -10,6 +10,9 @@ - - sssd-ldap5 - , -+ -+ sssd-ldap-attributes5 -+ , - - sssd-krb55 - , --- -2.37.3 - diff --git a/SOURCES/0005-sbus-arm-watchdog-for-sbus_connect_init_send.patch b/SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch similarity index 96% rename from SOURCES/0005-sbus-arm-watchdog-for-sbus_connect_init_send.patch rename to SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch index 7c86bf2..99e7c04 100644 --- a/SOURCES/0005-sbus-arm-watchdog-for-sbus_connect_init_send.patch +++ b/SOURCES/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch @@ -1,7 +1,7 @@ From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 9 Jun 2023 13:01:47 +0200 -Subject: [PATCH 6/6] sbus: arm watchdog for sbus_connect_init_send() +Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch b/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch deleted file mode 100644 index df981a7..0000000 
--- a/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 45a5630e0cfe95ab90bf4a7dd1b32f418c4c759e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 23 Dec 2022 16:36:58 +0100 -Subject: [PATCH] SSS_CLIENT: delete key in lib destructor - -pthread_key_delete() disables thread at-exit destructors. -Otherwise an attempt to execute already unloaded `sss_at_thread_exit()` -would trigger segfault. - -This doesn't solve an issue with leaking on `dlclose()` FDs initialized in -multiple threads, but better than crash. - -Resolves: https://github.com/SSSD/sssd/issues/6505 - -Reviewed-by: Iker Pedrosa -Reviewed-by: Sumit Bose -(cherry picked from commit 08ccd23fb2c831d6ea918a59b777a0073d414858) ---- - src/sss_client/common.c | 24 +++++++++++++++++++----- - 1 file changed, 19 insertions(+), 5 deletions(-) - -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index d762dff49..2c888faa9 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -27,6 +27,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -63,7 +64,8 @@ - - #ifdef HAVE_PTHREAD_EXT - static pthread_key_t sss_sd_key; --static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT; -+static pthread_once_t sss_sd_key_init = PTHREAD_ONCE_INIT; -+static atomic_bool sss_sd_key_initialized = false; - static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */ - static __thread struct stat sss_cli_sb; /* the sss client stat buffer */ - #else -@@ -71,9 +73,6 @@ static int sss_cli_sd = -1; /* the sss client socket descriptor */ - static struct stat sss_cli_sb; /* the sss client stat buffer */ - #endif - --#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR --__attribute__((destructor)) --#endif - void sss_cli_close_socket(void) - { - if (sss_cli_sd != -1) { -@@ -91,9 +90,24 @@ static void sss_at_thread_exit(void *v) - static void init_sd_key(void) - { - pthread_key_create(&sss_sd_key, sss_at_thread_exit); -+ sss_sd_key_initialized = true; -+} -+#endif -+ -+#if 
HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR -+__attribute__((destructor)) void sss_at_lib_unload(void) -+{ -+#ifdef HAVE_PTHREAD_EXT -+ if (sss_sd_key_initialized) { -+ sss_sd_key_initialized = false; -+ pthread_key_delete(sss_sd_key); -+ } -+#endif -+ sss_cli_close_socket(); - } - #endif - -+ - /* Requests: - * - * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X) -@@ -572,7 +586,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout - } - - #ifdef HAVE_PTHREAD_EXT -- pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */ -+ pthread_once(&sss_sd_key_init, init_sd_key); /* once for all threads */ - - /* It actually doesn't matter what value to set for a key. - * The only important thing: key must be non-NULL to ensure --- -2.37.3 - diff --git a/SOURCES/0006-sysdb-fix-string-comparison-when-checking-for-overri.patch b/SOURCES/0006-sysdb-fix-string-comparison-when-checking-for-overri.patch deleted file mode 100644 index 5a953ce..0000000 --- a/SOURCES/0006-sysdb-fix-string-comparison-when-checking-for-overri.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 41f1901230099c2a8b5c4b117bddd993665430cc Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 10 May 2023 10:27:08 +0200 -Subject: [PATCH] sysdb: fix string comparison when checking for overrides - -When checking if the input group-name is the original name from AD or an -overwritten one the comparison is currently done case sensitive. Since -AD handles names case-insensitive and hence SSSD should do this as well -this comparison might cause issues. - -The patch replace the case sensitive comparison with a comparison with -respects the case_sensitive of the domain the object is coming from. - -Resolves: https://github.com/SSSD/sssd/issues/6720 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Iker Pedrosa -(cherry picked from commit 01d02794e02f051ea9a78cd63b30384de3e7c9b0) - -Reviewed-by: Alexey Tikhonov ---- - src/db/sysdb_search.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index 7efd570e7..e4c53b853 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, - res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL); - - if (originalad_sanitized_name != NULL -- && strcmp(originalad_sanitized_name, sanitized_name) != 0) { -+ && !sss_string_equal(domain->case_sensitive, -+ originalad_sanitized_name, -+ sanitized_name)) { - fmt_filter = SYSDB_GRNAM_FILTER; - base_dn = sysdb_group_base_dn(tmp_ctx, domain); - res = NULL; --- -2.38.1 - diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index c525c50..372efda 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec 
@@ -26,20 +26,16 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.8.2 -Release: 3%{?dist} +Version: 2.9.1 +Release: 2%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch -Patch0002: 0002-MAN-mention-attributes-in-see-also.patch -Patch0003: 0003-SSS_CLIENT-delete-key-in-lib-destructor.patch -Patch0004: 0004-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch -Patch0005: 0005-sbus-arm-watchdog-for-sbus_connect_init_send.patch -Patch0006: 0006-sysdb-fix-string-comparison-when-checking-for-overri.patch +Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch +Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch ### Dependencies ### @@ -526,8 +522,9 @@ autoreconf -ivf --with-syslog=journald \ --with-test-dir=/dev/shm \ --with-subid \ + --with-files-provider \ + --with-libsifp \ %if 0%{?fedora} - --enable-files-domain \ --disable-polkit-rules-path \ %endif %{nil} @@ -833,7 +830,7 @@ done %{_mandir}/man5/sssd-ifp.5* %{_unitdir}/sssd-ifp.service # InfoPipe DBus plumbing -%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service %files -n libsss_simpleifp 
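Review bot: The four backports removed from the `Patch000N` list (shadow last-change, MAN see-also, SSS_CLIENT destructor, sysdb override comparison) are dropped without any record that the 2.9.1 tarball carries their upstream commits. The first three date from Dec 2022–Jan 2023 and are plausibly in 2.9.0, but the override-comparison fix (upstream issue 6720, dated 10 May 2023) is close enough to the 2.9.x branch point that it is worth grepping the tarball for `sss_string_equal(domain->case_sensitive` in `src/db/sysdb_search.c` before building, since losing it would silently reintroduce a case-sensitive name comparison for AD overrides. A changelog line such as `- Drop backports already included in upstream 2.9.1` in the 2.9.1-1 entry would document that check for the next rebase.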
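Review bot: `--with-files-provider` and `--with-libsifp` are added to the configure line unconditionally with no comment saying why; the simultaneous removal of `--enable-files-domain` from the Fedora-only block suggests these became opt-in in the 2.9 tarball, so a later rebase could drop them by accident or keep them past their usefulness. Both switch on code the default upstream build otherwise leaves out, so the decision deserves to be recorded next to the flags: `# files provider and libsss_simpleifp are opt-in upstream since 2.9; kept for compatibility, re-evaluate at next rebase`. The configure invocation begins outside the hunk.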
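Review bot: The InfoPipe policy file `org.freedesktop.sssd.infopipe.conf` moves from `%{_sysconfdir}/dbus-1/system.d` to `%{_datadir}/dbus-1/system.d`, but nothing in the spec deals with a copy that may remain under `/etc` on upgraded hosts. dbus-daemon reads `/etc/dbus-1/system.d` after `/usr/share/dbus-1/system.d` and later rules win, so a leftover or admin-edited file there would quietly override the bus policy the new package ships. The old `%files` line visible here carries no `%config`, so rpm should remove the package-owned copy on upgrade, but that is worth confirming with an upgrade test (file absent afterwards) and, if the line was ever `%config` in an earlier release, handling the `.rpmsave` case in `%posttrans`. The `%files` section this belongs to starts outside the hunk.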
@@ -1065,9 +1062,38 @@ fi %systemd_postun_with_restart sssd.service %changelog -* Mon Jul 10 2023 Alexey Tikhonov - 2.8.2-3 -- Resolves: rhbz#2219353 - [sssd] SSSD enters failed state after heavy load in the system [rhel-9.2.0.z] -- Resolves: rhbz#2196839 - [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' [rhel-9.2.0.z] +* Mon Jul 10 2023 Alexey Tikhonov - 2.9.1-2 +- Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system + +* Fri Jun 23 2023 Alexey Tikhonov - 2.9.1-1 +- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3 +- Resolves: rhbz#2196816 - [RHEL9] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' +- Resolves: rhbz#2162552 - sssd client caches old data after removing netgroup member on IDM +- Resolves: rhbz#2189542 - [sssd] RHEL 9.3 Tier 0 Localization +- Resolves: rhbz#2133854 - [RHEL9] In some cases when `sdap_add_incomplete_groups()` is called with `ignore_group_members = true`, groups should be treated as complete +- Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys + +* Tue Jun 6 2023 Alexey Tikhonov - 2.9.0-5 +- Related: rhbz#2190415 - Rebase Samba to the latest 4.18.x release + Rebuild against rebased Samba libs. + +* Tue May 30 2023 Alexey Tikhonov - 2.9.0-4 +- Related: rhbz#2190415 - Rebase Samba to the latest 4.18.x release + Rebuild against rebased Samba libs. 
+ +* Thu May 25 2023 Alexey Tikhonov - 2.9.0-3 +- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3 + +* Mon May 15 2023 Alexey Tikhonov - 2.9.0-1 +- Resolves: rhbz#2167837 - Rebase SSSD for RHEL 9.3 +- Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys +- Resolves: rhbz#1913839 - filter_groups doesn't filter GID from 'id' output: AD + 'ldap_id_mapping = True' corner case +- Resolves: rhbz#2100789 - [Improvement] sssctl config-check command does not show an error when we don't have id_provider in the domain section +- Resolves: rhbz#2152177 - [RFE] Add support for ldapi:// URLs +- Resolves: rhbz#2164852 - man page entry should make clear that a nested group needs a name +- Resolves: rhbz#2166627 - Improvement: sss_client: add 'getsidbyusername()' and 'getsidbygroupname()' and corresponding python bindings +- Resolves: rhbz#2166943 - kinit switches KCM away from the newly issued ticket +- Resolves: rhbz#2167728 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) * Mon Jan 16 2023 Alexey Tikhonov - 2.8.2-2 - Resolves: rhbz#2160001 - Reference to 'sssd-ldap-attributes' man page is missing in 'sssd-ldap', etc man pages