SOURCES/0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch

@@ -1,58 +0,0 @@
-From b4c496856d466ff00d06cd5177cb216110f5e3b3 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 18 Sep 2024 15:18:14 +0200
-Subject: [PATCH] pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never
- to 'false'.
-
-The krb5 backend will only returns that Smartcard authentication is
-available if a Smartcard is present. That means if the user
-authenticates with a different method and a Smartcard is not present at
-this time 'sc_allow' will be 'false' and might overwrite a 'true' value
-written during a previous authentication attempt where a Smartcard was
-present. To avoid this we only write 'true' values. Since the default if
-SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false' local Smartcard
-authentication (offline) will still only be enabled if online Smartcard
-authentication was detected.
-
-Resolves: https://github.com/SSSD/sssd/issues/7532
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-(cherry picked from commit 67ba42c48abb9270982836310488e35d9fc1d451)
----
- src/responder/pam/pamsrv_cmd.c | 19 ++++++++++++++++---
- 1 file changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 1394147a0..941446d94 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -554,9 +554,22 @@ static errno_t set_local_auth_type(struct pam_auth_req *preq,
-         goto fail;
-     }
- 
--    ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow);
--    if (ret != EOK) {
--        goto fail;
-+    if (sc_allow) {
-+        /* Only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to
-+         * 'false'. The krb5 backend will only returns that Smartcard
-+         * authentication is available if a Smartcard is present. That means
-+         * if the user authenticates with a different method and a Smartcard
-+         * is not present at this time 'sc_allow' will be 'false' and might
-+         * overwrite a 'true' value written during a previous authentication
-+         * attempt where a Smartcard was present. To avoid this we only write
-+         * 'true' values. Since the default if SYSDB_LOCAL_SMARTCARD_AUTH is
-+         * missing is 'false' local Smartcard authentication (offline) will
-+         * still only be enabled if online Smartcard authentication was
-+         * detected. */
-+        ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow);
-+        if (ret != EOK) {
-+            goto fail;
-+        }
-     }
- 
-     ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_PASSKEY_AUTH, passkey_allow);
--- 
-2.45.0
-

SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch

@@ -1,307 +0,0 @@
-From 321ca19ae09609ac4195f323b696bdcd7ee573e4 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 6 Sep 2024 14:27:19 +0200
-Subject: [PATCH 10/11] sdap: allow to provide user_map when looking up group
- memberships
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-To allow to lookup group memberships of other objects similar to user
-objects but with different attribute mappings, e.g. host objects in AD,
-a new option to provide an alternative attribute map is added.
-
-Resolves: https://github.com/SSSD/sssd/issues/7590
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 69f63f1fa64bd9cc7c2ee1f8e8d736727b13b3be)
----
- src/providers/ad/ad_gpo.c                  |  2 +-
- src/providers/ldap/ldap_common.h           |  2 +
- src/providers/ldap/ldap_id.c               |  9 ++++
- src/providers/ldap/sdap_async.h            |  2 +
- src/providers/ldap/sdap_async_initgroups.c | 51 ++++++++++++++--------
- 5 files changed, 48 insertions(+), 18 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index ed664ec83..fa68d814f 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -2244,7 +2244,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
-                                  search_bases,
-                                  state->host_fqdn,
-                                  BE_FILTER_NAME,
--                                 NULL,
-+                                 NULL, NULL, 0,
-                                  true,
-                                  true);
-     tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
-diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
-index 2c984ef50..61a35553b 100644
---- a/src/providers/ldap/ldap_common.h
-+++ b/src/providers/ldap/ldap_common.h
-@@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
-                                        const char *filter_value,
-                                        int filter_type,
-                                        const char *extra_value,
-+                                       struct sdap_attr_map *user_map,
-+                                       size_t user_map_cnt,
-                                        bool noexist_delete,
-                                        bool set_non_posix);
- 
-diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
-index b3ea2333f..0596ad4cf 100644
---- a/src/providers/ldap/ldap_id.c
-+++ b/src/providers/ldap/ldap_id.c
-@@ -1144,6 +1144,8 @@ struct groups_by_user_state {
-     const char *filter_value;
-     int filter_type;
-     const char *extra_value;
-+    struct sdap_attr_map *user_map;
-+    size_t user_map_cnt;
-     const char **attrs;
-     bool non_posix;
- 
-@@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
-                                        const char *filter_value,
-                                        int filter_type,
-                                        const char *extra_value,
-+                                       struct sdap_attr_map *user_map,
-+                                       size_t user_map_cnt,
-                                        bool noexist_delete,
-                                        bool set_non_posix)
- {
-@@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
-     state->filter_value = filter_value;
-     state->filter_type = filter_type;
-     state->extra_value = extra_value;
-+    state->user_map = user_map;
-+    state->user_map_cnt = user_map_cnt;
-     state->domain = sdom->dom;
-     state->sysdb = sdom->dom->sysdb;
-     state->search_bases = search_bases;
-@@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
-                                   state->sdom,
-                                   sdap_id_op_handle(state->op),
-                                   state->ctx,
-+                                  state->user_map,
-+                                  state->user_map_cnt,
-                                   state->conn,
-                                   state->search_bases,
-                                   state->filter_value,
-@@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
-                                      ar->filter_value,
-                                      ar->filter_type,
-                                      ar->extra_value,
-+                                     NULL, 0,
-                                      noexist_delete, false);
-         break;
- 
-diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
-index 89245f41f..a45e057d0 100644
---- a/src/providers/ldap/sdap_async.h
-+++ b/src/providers/ldap/sdap_async.h
-@@ -157,6 +157,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-                                         struct sdap_domain *sdom,
-                                         struct sdap_handle *sh,
-                                         struct sdap_id_ctx *id_ctx,
-+                                        struct sdap_attr_map *user_map,
-+                                        size_t user_map_cnt,
-                                         struct sdap_id_conn_ctx *conn,
-                                         struct sdap_search_base **search_bases,
-                                         const char *name,
-diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
-index fb3d8fe24..8ce1f6cd4 100644
---- a/src/providers/ldap/sdap_async_initgroups.c
-+++ b/src/providers/ldap/sdap_async_initgroups.c
-@@ -785,6 +785,8 @@ struct sdap_initgr_nested_state {
-     struct tevent_context *ev;
-     struct sysdb_ctx *sysdb;
-     struct sdap_options *opts;
-+    struct sdap_attr_map *user_map;
-+    size_t user_map_cnt;
-     struct sss_domain_info *dom;
-     struct sdap_handle *sh;
- 
-@@ -812,6 +814,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req);
- static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
-                                                   struct tevent_context *ev,
-                                                   struct sdap_options *opts,
-+                                                  struct sdap_attr_map *user_map,
-+                                                  size_t user_map_cnt,
-                                                   struct sysdb_ctx *sysdb,
-                                                   struct sss_domain_info *dom,
-                                                   struct sdap_handle *sh,
-@@ -828,6 +832,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
- 
-     state->ev = ev;
-     state->opts = opts;
-+    state->user_map = user_map;
-+    state->user_map_cnt = user_map_cnt;
-     state->sysdb = sysdb;
-     state->dom = dom;
-     state->sh = sh;
-@@ -968,7 +974,7 @@ static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req)
- 
-     subreq = sdap_deref_search_send(state, state->ev, state->opts,
-                     state->sh, state->orig_dn,
--                    state->opts->user_map[SDAP_AT_USER_MEMBEROF].name,
-+                    state->user_map[SDAP_AT_USER_MEMBEROF].name,
-                     sdap_attrs, num_maps, maps, timeout);
-     if (!subreq) {
-         ret = EIO;
-@@ -2697,6 +2703,8 @@ struct sdap_get_initgr_state {
-     struct tevent_context *ev;
-     struct sysdb_ctx *sysdb;
-     struct sdap_options *opts;
-+    struct sdap_attr_map *user_map;
-+    size_t user_map_cnt;
-     struct sss_domain_info *dom;
-     struct sdap_domain *sdom;
-     struct sdap_handle *sh;
-@@ -2731,6 +2739,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-                                         struct sdap_domain *sdom,
-                                         struct sdap_handle *sh,
-                                         struct sdap_id_ctx *id_ctx,
-+                                        struct sdap_attr_map *user_map,
-+                                        size_t user_map_cnt,
-                                         struct sdap_id_conn_ctx *conn,
-                                         struct sdap_search_base **search_bases,
-                                         const char *filter_value,
-@@ -2754,6 +2764,12 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- 
-     state->ev = ev;
-     state->opts = id_ctx->opts;
-+    state->user_map = user_map;
-+    state->user_map_cnt = user_map_cnt;
-+    if (state->user_map == NULL) {
-+        state->user_map = id_ctx->opts->user_map;
-+        state->user_map_cnt = id_ctx->opts->user_map_cnt;
-+    }
-     state->dom = sdom->dom;
-     state->sysdb = sdom->dom->sysdb;
-     state->sdom = sdom;
-@@ -2785,7 +2801,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- 
-     switch (filter_type) {
-     case BE_FILTER_SECID:
--        search_attr =  state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
-+        search_attr =  state->user_map[SDAP_AT_USER_OBJECTSID].name;
- 
-         ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
-         if (ret != EOK) {
-@@ -2794,7 +2810,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-         }
-         break;
-     case BE_FILTER_UUID:
--        search_attr =  state->opts->user_map[SDAP_AT_USER_UUID].name;
-+        search_attr =  state->user_map[SDAP_AT_USER_UUID].name;
- 
-         ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
-         if (ret != EOK) {
-@@ -2812,23 +2828,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-             }
- 
-             ep_filter = get_enterprise_principal_string_filter(state,
--                                 state->opts->user_map[SDAP_AT_USER_PRINC].name,
-+                                 state->user_map[SDAP_AT_USER_PRINC].name,
-                                  clean_name, state->opts->basic);
-             state->user_base_filter =
-                     talloc_asprintf(state,
-                                  "(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
--                                 state->opts->user_map[SDAP_AT_USER_PRINC].name,
-+                                 state->user_map[SDAP_AT_USER_PRINC].name,
-                                  clean_name,
--                                 state->opts->user_map[SDAP_AT_USER_EMAIL].name,
-+                                 state->user_map[SDAP_AT_USER_EMAIL].name,
-                                  clean_name,
-                                  ep_filter == NULL ? "" : ep_filter,
--                                 state->opts->user_map[SDAP_OC_USER].name);
-+                                 state->user_map[SDAP_OC_USER].name);
-             if (state->user_base_filter == NULL) {
-                 talloc_zfree(req);
-                 return NULL;
-             }
-         } else {
--            search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
-+            search_attr = state->user_map[SDAP_AT_USER_NAME].name;
- 
-             ret = sss_parse_internal_fqname(state, filter_value,
-                                             &state->shortname, NULL);
-@@ -2860,7 +2876,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-         state->user_base_filter =
-                 talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
-                                 search_attr, clean_name,
--                                state->opts->user_map[SDAP_OC_USER].name);
-+                                state->user_map[SDAP_OC_USER].name);
-         if (!state->user_base_filter) {
-             talloc_zfree(req);
-             return NULL;
-@@ -2877,14 +2893,14 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-          */
-         state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
-                                         "(%s=*))",
--                                        id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
-+                                        state->user_map[SDAP_AT_USER_OBJECTSID].name);
-     } else {
-         /* When not ID-mapping or looking up app users, make sure there
-          * is a non-NULL UID */
-         state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
-                                         "(&(%s=*)(!(%s=0))))",
--                                        id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
--                                        id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
-+                                        state->user_map[SDAP_AT_USER_UID].name,
-+                                        state->user_map[SDAP_AT_USER_UID].name);
-     }
-     if (!state->user_base_filter) {
-         talloc_zfree(req);
-@@ -2892,8 +2908,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-     }
- 
-     ret = build_attrs_from_map(state,
--                               state->opts->user_map,
--                               state->opts->user_map_cnt,
-+                               state->user_map,
-+                               state->user_map_cnt,
-                                NULL, &state->user_attrs, NULL);
-     if (ret) {
-         talloc_zfree(req);
-@@ -2990,7 +3006,7 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
-             state->user_search_bases[state->user_base_iter]->basedn,
-             state->user_search_bases[state->user_base_iter]->scope,
-             state->filter, state->user_attrs,
--            state->opts->user_map, state->opts->user_map_cnt,
-+            state->user_map, state->user_map_cnt,
-             state->timeout,
-             false);
-     if (!subreq) {
-@@ -3179,6 +3195,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
- 
-     case SDAP_SCHEMA_IPA_V1:
-         subreq = sdap_initgr_nested_send(state, state->ev, state->opts,
-+                                         state->user_map, state->user_map_cnt,
-                                          state->sysdb, state->dom, state->sh,
-                                          state->orig_user, state->grp_attrs);
-         if (!subreq) {
-@@ -3377,7 +3394,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
-          */
-         ret = sdap_attrs_get_sid_str(
-                 tmp_ctx, opts->idmap_ctx, state->orig_user,
--                opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
-+                state->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
-                 &sid_str);
-         if (ret != EOK) goto done;
- 
-@@ -3392,7 +3409,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
- 
-         ret = sysdb_attrs_get_uint32_t(
-                 state->orig_user,
--                opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
-+                state->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
-                 &primary_gid);
-         if (ret != EOK) {
-             DEBUG(SSSDBG_MINOR_FAILURE,
--- 
-2.45.0
-

SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch

@@ -1,77 +0,0 @@
-From 2c233636c093708d5cdd7ddb69af9b0ecde633bd Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 6 Sep 2024 14:37:05 +0200
-Subject: [PATCH 11/11] ad: use default user_map when looking of host groups
- for GPO
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use the default AD user attribute map to lookup the group membership of
-the AD host object. This should help to avoid issues if user attributes
-are overwritten in the user attribute map.
-
-Resolves: https://github.com/SSSD/sssd/issues/7590
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
----
- src/providers/ad/ad_access.h |  1 +
- src/providers/ad/ad_gpo.c    | 15 ++++++++++++++-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
-index 34d5597da..c54b53eed 100644
---- a/src/providers/ad/ad_access.h
-+++ b/src/providers/ad/ad_access.h
-@@ -49,6 +49,7 @@ struct ad_access_ctx {
-     } gpo_map_type;
-     hash_table_t *gpo_map_options_table;
-     enum gpo_map_type gpo_default_right;
-+    struct sdap_attr_map *host_attr_map;
- };
- 
- struct tevent_req *
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index fa68d814f..6b154f71d 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -45,6 +45,7 @@
- #include "providers/ad/ad_common.h"
- #include "providers/ad/ad_domain_info.h"
- #include "providers/ad/ad_gpo.h"
-+#include "providers/ad/ad_opts.h"
- #include "providers/ldap/sdap_access.h"
- #include "providers/ldap/sdap_async.h"
- #include "providers/ldap/sdap.h"
-@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
-               "trying with user search base.");
-     }
- 
-+    if (state->access_ctx->host_attr_map == NULL) {
-+        ret = sdap_copy_map(state->access_ctx,
-+                            ad_2008r2_user_map, SDAP_OPTS_USER,
-+                            &state->access_ctx->host_attr_map);
-+        if (ret != EOK) {
-+            DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
-+            goto done;
-+        }
-+    }
-+
-     subreq = groups_by_user_send(state, state->ev,
-                                  state->access_ctx->ad_id_ctx->sdap_id_ctx,
-                                  sdom, state->conn,
-                                  search_bases,
-                                  state->host_fqdn,
-                                  BE_FILTER_NAME,
--                                 NULL, NULL, 0,
-+                                 NULL,
-+                                 state->access_ctx->host_attr_map,
-+                                 SDAP_OPTS_USER,
-                                  true,
-                                  true);
-     tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
--- 
-2.45.0
-

SOURCES/0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch

@@ -1,227 +0,0 @@
-From e3a3f44c4cdcb936b59941636ff576de613366d1 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 13 Sep 2024 15:45:59 +0200
-Subject: [PATCH] ldap: add 'exop_force' value for ldap_pwmodify_mode
-
-In case the LDAP server allows to run the extended operation to change a
-password even if an authenticated bind fails due to missing grace logins
-the new option 'exop_force' can be used to run the extended operation to
-change the password anyways.
-
-:config: Added `exop_force` value for configuration option
-  `ldap_pwmodify_mode`. This can be used to force a password change even
-  if no grace logins are left. Depending on the configuration of the
-  LDAP server it might be expected that the password change will fail.
-
-(cherry picked from commit 72a7fd0ded236a16b00bb4e26221f7e23b702a53)
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
----
- src/man/sssd-ldap.5.xml                    | 11 +++++++++
- src/providers/ipa/ipa_auth.c               |  3 ++-
- src/providers/ldap/ldap_auth.c             |  5 +++-
- src/providers/ldap/ldap_options.c          |  2 ++
- src/providers/ldap/sdap.h                  |  5 ++--
- src/providers/ldap/sdap_async.h            |  3 ++-
- src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++-----
- 7 files changed, 45 insertions(+), 11 deletions(-)
-
-diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
-index cdf6b483e..42514ae50 100644
---- a/src/man/sssd-ldap.5.xml
-+++ b/src/man/sssd-ldap.5.xml
-@@ -234,6 +234,17 @@
-                                         userPassword (not recommended).
-                                     </para>
-                                 </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        exop_force - Try Password Modify
-+                                        Extended Operation (RFC 3062) even if
-+                                        there are no grace logins left.
-+                                        Depending on the type and configuration
-+                                        of the LDAP server the password change
-+                                        might fail because an authenticated bind
-+                                        is not possible.
-+                                    </para>
-+                                </listitem>
-                             </itemizedlist>
-                         </para>
-                         <para>
-diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
-index e5e1bf30c..af33cea2d 100644
---- a/src/providers/ipa/ipa_auth.c
-+++ b/src/providers/ipa/ipa_auth.c
-@@ -394,7 +394,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
-                              SDAP_OPT_TIMEOUT);
- 
-     subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
--                            state->pd->authtok, timeout);
-+                            state->pd->authtok, timeout,
-+                            state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
-     if (subreq == NULL) {
-         goto done;
-     }
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index 8ec4d3af5..023ed2277 100644
---- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -896,7 +896,8 @@ static void auth_do_bind(struct tevent_req *req)
-                             NULL, NULL, state->dn,
-                             state->authtok,
-                             dp_opt_get_int(state->ctx->opts->basic,
--                                           SDAP_OPT_TIMEOUT));
-+                                           SDAP_OPT_TIMEOUT),
-+                            state->ctx->opts->pwmodify_mode);
-     if (!subreq) {
-         tevent_req_error(req, ENOMEM);
-         return;
-@@ -1186,6 +1187,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,
- 
-     switch (opts->pwmodify_mode) {
-     case SDAP_PWMODIFY_EXOP:
-+    case SDAP_PWMODIFY_EXOP_FORCE:
-         subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
-                                               password, new_password,
-                                               timeout);
-@@ -1229,6 +1231,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)
- 
-     switch (state->mode) {
-     case SDAP_PWMODIFY_EXOP:
-+    case SDAP_PWMODIFY_EXOP_FORCE:
-         ret = sdap_exop_modify_passwd_recv(subreq, state,
-                                            &state->user_error_message);
-         break;
-diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
-index 277bcb529..72a95300d 100644
---- a/src/providers/ldap/ldap_options.c
-+++ b/src/providers/ldap/ldap_options.c
-@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
-         opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
-     } else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
-         opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
-+    } else if (strcasecmp(pwmodify, "exop_force") == 0) {
-+        opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
-     } else {
-         DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
-         ret = EINVAL;
-diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
-index 103d50ed4..cc34c8198 100644
---- a/src/providers/ldap/sdap.h
-+++ b/src/providers/ldap/sdap.h
-@@ -546,8 +546,9 @@ struct sdap_options {
- 
-     /* password modify mode */
-     enum pwmodify_mode {
--        SDAP_PWMODIFY_EXOP = 1,     /* pwmodify extended operation */
--        SDAP_PWMODIFY_LDAP = 2      /* ldap_modify of userPassword */
-+        SDAP_PWMODIFY_EXOP = 1,      /* pwmodify extended operation */
-+        SDAP_PWMODIFY_LDAP = 2,      /* ldap_modify of userPassword */
-+        SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
-     } pwmodify_mode;
- 
-     /* The search bases for the domain or its subdomain */
-diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
-index a45e057d0..80b403bc3 100644
---- a/src/providers/ldap/sdap_async.h
-+++ b/src/providers/ldap/sdap_async.h
-@@ -146,7 +146,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
-                                   const char *sasl_user,
-                                   const char *user_dn,
-                                   struct sss_auth_token *authtok,
--                                  int simple_bind_timeout);
-+                                  int simple_bind_timeout,
-+                                  enum pwmodify_mode pwmodify_mode);
- 
- errno_t sdap_auth_recv(struct tevent_req *req,
-                        TALLOC_CTX *memctx,
-diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
-index e8638725c..992a5798c 100644
---- a/src/providers/ldap/sdap_async_connection.c
-+++ b/src/providers/ldap/sdap_async_connection.c
-@@ -643,6 +643,7 @@ struct simple_bind_state {
-     struct tevent_context *ev;
-     struct sdap_handle *sh;
-     const char *user_dn;
-+    enum pwmodify_mode pwmodify_mode;
- 
-     struct sdap_op *op;
- 
-@@ -659,7 +660,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
-                                            struct sdap_handle *sh,
-                                            int timeout,
-                                            const char *user_dn,
--                                           struct berval *pw)
-+                                           struct berval *pw,
-+                                           enum pwmodify_mode pwmodify_mode)
- {
-     struct tevent_req *req;
-     struct simple_bind_state *state;
-@@ -682,6 +684,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
-     state->ev = ev;
-     state->sh = sh;
-     state->user_dn = user_dn;
-+    state->pwmodify_mode = pwmodify_mode;
- 
-     ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
-                                   0, NULL, 0, &ctrls[0]);
-@@ -866,7 +869,12 @@ static void simple_bind_done(struct sdap_op *op,
-                      * Grace Authentications". */
-                     DEBUG(SSSDBG_TRACE_LIBS,
-                           "Password expired, grace logins exhausted.\n");
--                    ret = ERR_AUTH_FAILED;
-+                    if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
-+                        DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
-+                        ret = ERR_PASSWORD_EXPIRED;
-+                    } else {
-+                        ret = ERR_AUTH_FAILED;
-+                    }
-                 }
-             } else if (strcmp(response_controls[c]->ldctl_oid,
-                               LDAP_CONTROL_PWEXPIRED) == 0) {
-@@ -879,7 +887,12 @@ static void simple_bind_done(struct sdap_op *op,
-                 if (result == LDAP_INVALID_CREDENTIALS) {
-                     DEBUG(SSSDBG_TRACE_LIBS,
-                           "Password expired, grace logins exhausted.\n");
--                    ret = ERR_AUTH_FAILED;
-+                    if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
-+                        DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
-+                        ret = ERR_PASSWORD_EXPIRED;
-+                    } else {
-+                        ret = ERR_AUTH_FAILED;
-+                    }
-                 } else {
-                     DEBUG(SSSDBG_TRACE_LIBS,
-                           "Password expired, user must set a new password.\n");
-@@ -1358,7 +1371,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
-                                   const char *sasl_user,
-                                   const char *user_dn,
-                                   struct sss_auth_token *authtok,
--                                  int simple_bind_timeout)
-+                                  int simple_bind_timeout,
-+                                  enum pwmodify_mode pwmodify_mode)
- {
-     struct tevent_req *req, *subreq;
-     struct sdap_auth_state *state;
-@@ -1397,7 +1411,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
-         pw.bv_len = pwlen;
- 
-         state->is_sasl = false;
--        subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw);
-+        subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, pwmodify_mode);
-         if (!subreq) {
-             tevent_req_error(req, ENOMEM);
-             return tevent_req_post(req, ev);
-@@ -1972,7 +1986,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
-                                               SDAP_SASL_AUTHID),
-                             user_dn, authtok,
-                             dp_opt_get_int(state->opts->basic,
--                                           SDAP_OPT_TIMEOUT));
-+                                           SDAP_OPT_TIMEOUT),
-+                            state->opts->pwmodify_mode);
-     talloc_free(authtok);
-     if (!subreq) {
-         tevent_req_error(req, ENOMEM);
--- 
-2.46.1
-

SOURCES/0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch

@@ -1,35 +0,0 @@
-From dafe48341d2f74c97619be799e915b7588484ef7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
-Date: Thu, 14 Nov 2024 17:27:49 +0100
-Subject: [PATCH 13/14] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
-
-The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
-https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
-but the corresponding option is missing in
-https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200
-
-This error was introduced by
-https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 9ee10f98e0070774e0e7f0794bc296ef06a671e4)
----
- src/providers/be_dyndns.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
-index 2c655ef1e..5d0f51119 100644
---- a/src/providers/be_dyndns.c
-+++ b/src/providers/be_dyndns.c
-@@ -1201,6 +1201,7 @@ static struct dp_option default_dyndns_opts[] = {
-     { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-     { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
-     { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
-+    { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
-     { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-     { "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER },
-     { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
--- 
-2.46.1
-

SOURCES/0014-TESTS-Also-test-default_dyndns_opts.patch

@@ -1,69 +0,0 @@
-From 5411fa745f939bdf4cb105bd9f6b9b77703532af Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
-Date: Thu, 14 Nov 2024 18:46:44 +0100
-Subject: [PATCH 14/14] TESTS: Also test default_dyndns_opts
-
-Compare this structure to ipa_dyndns_opts, which is already compared
-to ad_dyndns_opts.
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 2c72834e657197012b3a32207ffe307e8ba5f9e2)
----
- src/providers/be_dyndns.c      | 2 +-
- src/providers/be_dyndns.h      | 1 +
- src/tests/ipa_ldap_opt-tests.c | 6 ++++++
- 3 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
-index 5d0f51119..e6fa7dfd6 100644
---- a/src/providers/be_dyndns.c
-+++ b/src/providers/be_dyndns.c
-@@ -1197,7 +1197,7 @@ be_nsupdate_check(void)
-     return ret;
- }
- 
--static struct dp_option default_dyndns_opts[] = {
-+struct dp_option default_dyndns_opts[] = {
-     { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-     { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
-     { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
-diff --git a/src/providers/be_dyndns.h b/src/providers/be_dyndns.h
-index 2185fee95..719c13942 100644
---- a/src/providers/be_dyndns.h
-+++ b/src/providers/be_dyndns.h
-@@ -63,6 +63,7 @@ enum dp_dyndns_opts {
- 
-     DP_OPT_DYNDNS /* attrs counter */
- };
-+extern struct dp_option default_dyndns_opts[DP_OPT_DYNDNS + 1];
- 
- #define DYNDNS_REMOVE_A     0x1
- #define DYNDNS_REMOVE_AAAA  0x2
-diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
-index a1a0e9cc6..da990acaf 100644
---- a/src/tests/ipa_ldap_opt-tests.c
-+++ b/src/tests/ipa_ldap_opt-tests.c
-@@ -103,6 +103,10 @@ START_TEST(test_compare_opts)
-     ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
-                              ad_dyndns_opts);
-     ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
-+
-+    ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
-+                             default_dyndns_opts);
-+    ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
- }
- END_TEST
- 
-@@ -200,6 +204,8 @@ START_TEST(test_dp_opt_sentinel)
- 
-     fail_unless_dp_opt_is_terminator(&default_krb5_opts[KRB5_OPTS]);
- 
-+    fail_unless_dp_opt_is_terminator(&default_dyndns_opts[DP_OPT_DYNDNS]);
-+
-     fail_unless_dp_opt_is_terminator(&ad_basic_opts[AD_OPTS_BASIC]);
-     fail_unless_dp_opt_is_terminator(&ad_def_ldap_opts[SDAP_OPTS_BASIC]);
-     fail_unless_dp_opt_is_terminator(&ad_def_krb5_opts[KRB5_OPTS]);
--- 
-2.46.1
-

SOURCES/0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch

@@ -1,55 +0,0 @@
-From a34098c541a3a533abf0eacdf75b5e99adf18d46 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 21 Nov 2024 09:16:09 +0100
-Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://github.com/SSSD/sssd/issues/7715
-
-Reviewed-by: Alejandro López <allopez@redhat.com>
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744)
----
- src/util/sss_krb5.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
-index 3f57e5b26..f44df2b5f 100644
---- a/src/util/sss_krb5.c
-+++ b/src/util/sss_krb5.c
-@@ -83,6 +83,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name)
-         return keytab_name;
-     }
- 
-+    if (ctx == NULL) {
-+        return "-unknown-";
-+    }
-+
-     if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) {
-         return "-default keytab-";
-     }
-@@ -1355,8 +1359,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
- {
-     krb5_error_code kerr;
-     const char *msg;
-+    krb5_context ctx;
- 
--    kerr = krb5_init_context(context);
-+    kerr = krb5_init_context(&ctx);
-     if (kerr != 0) {
-         /* It is safe to call (sss_)krb5_get_error_message() with NULL as first
-          * argument. */
-@@ -1365,6 +1370,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
-               "Failed to init Kerberos context [%s]\n", msg);
-         sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg);
-         sss_krb5_free_error_message(NULL, msg);
-+    } else {
-+        *context = ctx;
-     }
- 
-     return kerr;
--- 
-2.46.1
-

SPECS/sssd.spec

@@ -27,7 +27,7 @@
 
 Name: sssd
 Version: 2.9.5
-Release: 4%{?dist}.4
+Release: 4%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
@@ -42,13 +42,6 @@ Patch0005: 0005-SYSDB-remove-index-on-dataExpireTimestamp.patch
 Patch0006: 0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
 Patch0007: 0007-krb5_child-do-not-try-passwords-with-OTP.patch
 Patch0008: 0008-pam_sss-add-missing-optional-2nd-factor-handling.patch
-Patch0009: 0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch
-Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
-Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
-Patch0012: 0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
-Patch0013: 0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
-Patch0014: 0014-TESTS-Also-test-default_dyndns_opts.patch
-Patch0015: 0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
 
 ### Dependencies ###
 
@@ -1098,19 +1091,6 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
-* Fri Nov 22 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-4.4
-- Resolves: RHEL-68508 - sssd backend process segfaults when krb5.conf is invalid [rhel-9.5.z]
-
-* Mon Nov 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-4.3
-- Resolves: RHEL-67673 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-9.5.z]
-
-* Fri Nov  8 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-4.2
-- Resolves: RHEL-66268 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-9.5.z]
-
-* Tue Sep 24 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-4.1
-- Resolves: RHEL-59876 - EL9/CentOS Stream 9 lost offline smart card authentication
-- Resolves: RHEL-50912 - possible regression of rhbz#2196521
-
 * Thu Jul 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.9.5-4
 - Resolves: RHEL-49711 - SYSDB: remove index on dataExpireTimestamp
 - Resolves: RHEL-49811 - 2FA is being enforced after upgrading 2.9.1->2.9.4
@@ -1218,6 +1198,9 @@ fi
 - Resolves: rhbz#2166943 - kinit switches KCM away from the newly issued ticket
 - Resolves: rhbz#2167728 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
 
+* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.8.2-2
+- Rebuilt for MSVSphere 9.2 beta
+
 * Mon Jan 16 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
 - Resolves: rhbz#2160001 - Reference to 'sssd-ldap-attributes' man page is missing in 'sssd-ldap', etc man pages
 - Resolves: rhbz#2143159 - automount killed by SIGSEGV