parent
318026edbb
commit
ef8a256010
@ -1 +1 @@
|
||||
SOURCES/sssd-2.8.2.tar.gz
|
||||
SOURCES/sssd-2.9.1.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
|
||||
5eb0d3e600aed685a7e3ea49154dadef52361f84 SOURCES/sssd-2.9.1.tar.gz
|
||||
|
@ -1,158 +0,0 @@
|
||||
From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 8 Dec 2022 15:14:05 +0100
|
||||
Subject: [PATCH] ldap: update shadow last change in sysdb as well
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Otherwise pam can use the changed information whe id chaching is
|
||||
enabled, so next authentication that fits into the id timeout
|
||||
(5 seconds by default) will still sees the password as expired.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6477
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
|
||||
---
|
||||
src/db/sysdb.h | 4 ++++
|
||||
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
|
||||
src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
|
||||
3 files changed, 52 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index 7c666f5c4..06b44f5ba 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
|
||||
struct sysdb_attrs *attrs,
|
||||
int mod_op);
|
||||
|
||||
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
|
||||
+ const char *name,
|
||||
+ const char *attrname);
|
||||
+
|
||||
/* Replace group attrs */
|
||||
int sysdb_set_group_attr(struct sss_domain_info *domain,
|
||||
const char *name,
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 0d6f2d5cd..ed0df9872 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -1485,6 +1485,38 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
|
||||
+ const char *name,
|
||||
+ const char *attrname)
|
||||
+{
|
||||
+ struct sysdb_attrs *attrs;
|
||||
+ char *value;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ attrs = sysdb_new_attrs(NULL);
|
||||
+ if (attrs == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ /* The attribute contains number of days since the epoch */
|
||||
+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
|
||||
+ if (value == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_attrs_add_string(attrs, attrname, value);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(attrs);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/* =Replace-Attributes-On-Group=========================================== */
|
||||
|
||||
int sysdb_set_group_attr(struct sss_domain_info *domain,
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index 6404a9d3a..96b9d6df4 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
|
||||
struct pam_data *pd;
|
||||
struct sdap_handle *sh;
|
||||
char *dn;
|
||||
+ enum pwexpire pw_expire_type;
|
||||
};
|
||||
|
||||
static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
|
||||
@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
{
|
||||
struct sdap_pam_chpass_handler_state *state;
|
||||
struct tevent_req *req;
|
||||
- enum pwexpire pw_expire_type;
|
||||
void *pw_expire_data;
|
||||
size_t msg_len;
|
||||
uint8_t *msg;
|
||||
@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
|
||||
|
||||
ret = auth_recv(subreq, state, &state->sh, &state->dn,
|
||||
- &pw_expire_type, &pw_expire_data);
|
||||
+ &state->pw_expire_type, &pw_expire_data);
|
||||
talloc_free(subreq);
|
||||
|
||||
if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
|
||||
@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
}
|
||||
|
||||
if (ret == EOK) {
|
||||
- switch (pw_expire_type) {
|
||||
+ switch (state->pw_expire_type) {
|
||||
case PWEXPIRE_SHADOW:
|
||||
ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
|
||||
break;
|
||||
@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
break;
|
||||
default:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Unknown password expiration type %d.\n", pw_expire_type);
|
||||
+ "Unknown password expiration type %d.\n",
|
||||
+ state->pw_expire_type);
|
||||
state->pd->pam_status = PAM_SYSTEM_ERR;
|
||||
goto done;
|
||||
}
|
||||
@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
case ERR_PASSWORD_EXPIRED:
|
||||
DEBUG(SSSDBG_TRACE_LIBS,
|
||||
"user [%s] successfully authenticated.\n", state->dn);
|
||||
- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
|
||||
+ ret = sdap_pam_chpass_handler_change_step(state, req,
|
||||
+ state->pw_expire_type);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"sdap_pam_chpass_handler_change_step() failed.\n");
|
||||
@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
|
||||
|
||||
switch (ret) {
|
||||
case EOK:
|
||||
+ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
|
||||
+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
|
||||
+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
|
||||
+ if (ret != EOK) {
|
||||
+ state->pd->pam_status = PAM_SYSTEM_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
state->pd->pam_status = PAM_SUCCESS;
|
||||
break;
|
||||
case ERR_CHPASS_DENIED:
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,58 +0,0 @@
|
||||
From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 3 Feb 2023 11:35:42 +0100
|
||||
Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
|
||||
read/write/check helpers.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
|
||||
error condition is detected, regular `POLLIN/POLLOUT` won't be set.
|
||||
Error code set by error condition should have a priority. This enables
|
||||
users of this helper to retry attempt (as designed).
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
|
||||
---
|
||||
src/sss_client/common.c | 9 +++------
|
||||
1 file changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 2c888faa9..27e09f6f3 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
|
||||
case 1:
|
||||
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
||||
*errnop = EPIPE;
|
||||
- }
|
||||
- if (!(pfd.revents & POLLOUT)) {
|
||||
+ } else if (!(pfd.revents & POLLOUT)) {
|
||||
*errnop = EBUSY;
|
||||
}
|
||||
break;
|
||||
@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
|
||||
}
|
||||
if (pfd.revents & (POLLERR | POLLNVAL)) {
|
||||
*errnop = EPIPE;
|
||||
- }
|
||||
- if (!(pfd.revents & POLLIN)) {
|
||||
+ } else if (!(pfd.revents & POLLIN)) {
|
||||
*errnop = EBUSY;
|
||||
}
|
||||
break;
|
||||
@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
|
||||
case 1:
|
||||
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
||||
*errnop = EPIPE;
|
||||
- }
|
||||
- if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
||||
+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
||||
*errnop = EBUSY;
|
||||
}
|
||||
break;
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,63 +0,0 @@
|
||||
From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 8 Feb 2023 17:48:52 +0100
|
||||
Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
|
||||
alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
|
||||
there is a risk to close "foreign" socket opened in another thread.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
|
||||
---
|
||||
src/sss_client/common.c | 18 +++++++++++++++---
|
||||
1 file changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 27e09f6f3..c8ade645b 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
|
||||
*errnop = ETIME;
|
||||
break;
|
||||
case 1:
|
||||
- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
||||
+ if (pfd.revents & (POLLERR | POLLHUP)) {
|
||||
+ *errnop = EPIPE;
|
||||
+ } else if (pfd.revents & POLLNVAL) {
|
||||
+ /* Invalid request: fd is not opened */
|
||||
+ sss_cli_sd = -1;
|
||||
*errnop = EPIPE;
|
||||
} else if (!(pfd.revents & POLLOUT)) {
|
||||
*errnop = EBUSY;
|
||||
@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
|
||||
if (pfd.revents & (POLLHUP)) {
|
||||
pollhup = true;
|
||||
}
|
||||
- if (pfd.revents & (POLLERR | POLLNVAL)) {
|
||||
+ if (pfd.revents & POLLERR) {
|
||||
+ *errnop = EPIPE;
|
||||
+ } else if (pfd.revents & POLLNVAL) {
|
||||
+ /* Invalid request: fd is not opened */
|
||||
+ sss_cli_sd = -1;
|
||||
*errnop = EPIPE;
|
||||
} else if (!(pfd.revents & POLLIN)) {
|
||||
*errnop = EBUSY;
|
||||
@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
|
||||
*errnop = ETIME;
|
||||
break;
|
||||
case 1:
|
||||
- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
||||
+ if (pfd.revents & (POLLERR | POLLHUP)) {
|
||||
+ *errnop = EPIPE;
|
||||
+ } else if (pfd.revents & POLLNVAL) {
|
||||
+ /* Invalid request: fd is not opened */
|
||||
+ sss_cli_sd = -1;
|
||||
*errnop = EPIPE;
|
||||
} else if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
||||
*errnop = EBUSY;
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,53 +0,0 @@
|
||||
From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 8 Feb 2023 18:58:37 +0100
|
||||
Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
|
||||
mutex. Otherwise a thread calling pam_end() can close socket mid pam
|
||||
transaction in another thread.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bug only manifested on platforms where "lockfree client"
|
||||
feature wasn't built.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
|
||||
---
|
||||
src/sss_client/pam_sss.c | 3 +++
|
||||
src/sss_client/pam_sss_gss.c | 2 ++
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index afbdef59a..39ad17188 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
|
||||
#endif /* PAM_DATA_REPLACE */
|
||||
|
||||
D(("Closing the fd"));
|
||||
+
|
||||
+ sss_pam_lock();
|
||||
sss_cli_close_socket();
|
||||
+ sss_pam_unlock();
|
||||
}
|
||||
|
||||
struct cert_auth_info {
|
||||
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
|
||||
index 1109ec570..dd578ae5d 100644
|
||||
--- a/src/sss_client/pam_sss_gss.c
|
||||
+++ b/src/sss_client/pam_sss_gss.c
|
||||
@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
|
||||
}
|
||||
|
||||
done:
|
||||
+ sss_pam_lock();
|
||||
sss_cli_close_socket();
|
||||
+ sss_pam_unlock();
|
||||
free(username);
|
||||
free(domain);
|
||||
free(target);
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,42 +0,0 @@
|
||||
From 41f1901230099c2a8b5c4b117bddd993665430cc Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 10 May 2023 10:27:08 +0200
|
||||
Subject: [PATCH] sysdb: fix string comparison when checking for overrides
|
||||
|
||||
When checking if the input group-name is the original name from AD or an
|
||||
overwritten one the comparison is currently done case sensitive. Since
|
||||
AD handles names case-insensitive and hence SSSD should do this as well
|
||||
this comparison might cause issues.
|
||||
|
||||
The patch replace the case sensitive comparison with a comparison with
|
||||
respects the case_sensitive of the domain the object is coming from.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6720
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
(cherry picked from commit 01d02794e02f051ea9a78cd63b30384de3e7c9b0)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/db/sysdb_search.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
|
||||
index 7efd570e7..e4c53b853 100644
|
||||
--- a/src/db/sysdb_search.c
|
||||
+++ b/src/db/sysdb_search.c
|
||||
@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
|
||||
res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
|
||||
|
||||
if (originalad_sanitized_name != NULL
|
||||
- && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
|
||||
+ && !sss_string_equal(domain->case_sensitive,
|
||||
+ originalad_sanitized_name,
|
||||
+ sanitized_name)) {
|
||||
fmt_filter = SYSDB_GRNAM_FILTER;
|
||||
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
|
||||
res = NULL;
|
||||
--
|
||||
2.38.1
|
||||
|