10 Commits

openeuler-ci-bot
19f4c2d9f9
!179 回合上游补丁,修复krb5配置文件导致segment fault
From: @fwo 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-12-06 03:48:11 +00:00
wjiang
301827827a ldap_child: make sure invalid krb5 context is not used 2024-12-05 15:53:51 +08:00
openeuler-ci-bot
c01bfe6188
!167 backport patches from upstream community
From: @fwo 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-12-03 07:13:40 +00:00
wjiang
c339a0b2f4 backport patches from upstream community 2024-12-03 10:53:42 +08:00
openeuler-ci-bot
b4eb680a4a
!157 backport patches to fix bugs
From: @fangxiuning 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-10-28 02:14:54 +00:00
fangxiuning
ac1f0cbd67 change 2024-10-25 19:35:16 +08:00
openeuler-ci-bot
451eb5eeba
!152 backport patches to fix bugs
From: @fangxiuning 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001
2024-09-30 02:11:15 +00:00
fangxiuning
3d92f589f8 add 2024-09-29 17:44:07 +08:00
openeuler-ci-bot
53cc2cf347
!144 [sync] PR-143: backport upstream patches
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-06-19 01:53:22 +00:00
wangjiang
f449ad618f backport upstream patches
(cherry picked from commit 01d514387f372a0471720762657d1c3644d1f555)
2024-06-19 09:12:01 +08:00
12 changed files with 619 additions and 1 deletions


@ -0,0 +1,51 @@
From 7c913edc84e0201020b5ab770dd0823911387781 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 22 May 2024 20:19:05 +0200
Subject: [PATCH] CLIENT:idmap: fix coverity warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes following issue:
```
"Error: INTEGER_OVERFLOW (CWE-190):
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:306:5: tainted_data_argument: The value returned in ""replen"" is considered tainted.
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: overflow: The expression ""replen - 12UL"" might be negative, but is used in a context that treats it as unsigned.
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: assign: Assigning: ""data_len"" = ""replen - 12UL"".
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow: The expression ""1UL * data_len"" is deemed underflowed because at least one of its arguments has underflowed.
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow_sink: ""1UL * data_len"", which might have underflowed, is passed to ""malloc(1UL * data_len)"".
# 345| }
# 346|
# 347|-> str = malloc(sizeof(char) * data_len);
# 348| if (str == NULL) {
# 349| ret = ENOMEM;"
```
Reviewed-by: Alejandro López <allopez@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/7c913edc84e0201020b5ab770dd0823911387781
Conflict: NA
---
src/sss_client/idmap/sss_nss_idmap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c
index 575d03057..604933c6d 100644
--- a/src/sss_client/idmap/sss_nss_idmap.c
+++ b/src/sss_client/idmap/sss_nss_idmap.c
@@ -324,6 +324,11 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd,
goto done;
}
+ if (replen < DATA_START) { /* make sure 'type' is present */
+ ret = EBADMSG;
+ goto done;
+ }
+
/* Skip first two 32 bit values (number of results and
* reserved padding) */
SAFEALIGN_COPY_UINT32(&out->type, repbuf + 2 * sizeof(uint32_t), NULL);
--
2.33.0
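Review bot: The new `replen < DATA_START` guard in sss_nss_getyyybyxxx does more than its comment says: besides making sure `type` can be read at offset 2 * sizeof(uint32_t), it is what keeps the later `data_len = replen - DATA_START` (the `replen - 12UL` in the quoted Coverity trace) from wrapping to a huge size_t before it reaches malloc, and the comment should record that, e.g. `/* header words and 'type' must be present; also keeps data_len = replen - DATA_START from underflowing */`. A reply of exactly DATA_START bytes still passes and yields data_len == 0; whether the malloc and NUL-termination that follow cope with a zero-length payload is outside this hunk and worth confirming. sss_nss_getyyybyxxx starts and ends outside the hunk.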


@ -0,0 +1,33 @@
From bdfb92012d6dec2999469d483ba67d6c2521a078 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 21 Nov 2024 09:23:36 +0100
Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used -
2.9.4
Resolves: https://github.com/SSSD/sssd/issues/7715
---
src/util/sss_krb5.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 3f57e5b268f..0b83142ddfc 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -140,6 +140,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
kerr = sss_krb5_init_context(&krb_ctx);
if (kerr) {
+ krb_ctx = NULL;
error_message = "Failed to init Kerberos context";
ret = EFAULT;
goto done;
@@ -269,7 +270,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
}
done:
- if (ret != EOK) {
+ if (ret != EOK && krb_ctx != NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n",
sss_printable_keytab_name(krb_ctx, keytab_name),
(error_message ? error_message : sss_strerror(ret)));
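Review bot: With the added `krb_ctx != NULL` condition at `done:`, the init-failure path that sets `error_message = "Failed to init Kerberos context"` in the first hunk now skips the only SSSDBG_FATAL_FAILURE log in the function, so a broken krb5 configuration fails with EFAULT and no message at that level. An else-branch that logs without touching the context keeps the diagnostic: `} else if (ret != EOK) {` / `DEBUG(SSSDBG_FATAL_FAILURE, "%s\n", error_message ? error_message : sss_strerror(ret));` / `}`. Whether the cleanup after `done:` also frees krb_ctx, and therefore depends on the new NULL assignment, is outside the hunk. select_principal_from_keytab starts and ends outside both hunks.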


@ -0,0 +1,76 @@
From a822206c7859b5f39af2b2ea1b117850a0589e3c Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 21 Oct 2024 16:31:38 +0200
Subject: [PATCH] Missing 'dns_update_per_family' option
This update fixes missing 'dns_update_per_family' option in python code
and config files.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/config/SSSDConfig/sssdoptions.py | 2 ++
src/config/SSSDConfigTest.py | 2 ++
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
4 files changed, 6 insertions(+)
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index e7de867..3aba87a 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -187,6 +187,8 @@ class SSSDOptions(object):
'entry_cache_resolver_timeout' : _('Entry cache timeout length (seconds)'),
'refresh_expired_interval': _('How often should expired entries be refreshed in background'),
'dyndns_update': _("Whether to automatically update the client's DNS entry"),
+ 'dyndns_update_per_family': _('Whether DNS update of A and AAAA record should be performed '
+ 'in one update or in two separate updates'),
'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index e08109a..21a08c8 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -576,6 +576,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'dns_resolver_timeout',
'dns_discovery_domain',
'dyndns_update',
+ 'dyndns_update_per_family',
'dyndns_ttl',
'dyndns_iface',
'dyndns_refresh_interval',
@@ -929,6 +930,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'dns_resolver_timeout',
'dns_discovery_domain',
'dyndns_update',
+ 'dyndns_update_per_family',
'dyndns_ttl',
'dyndns_iface',
'dyndns_refresh_interval',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 39b66ba..0a630f1 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -412,6 +412,7 @@ option = refresh_expired_interval
# Dynamic DNS updates
option = dyndns_update
+option = dyndns_update_per_family
option = dyndns_ttl
option = dyndns_iface
option = dyndns_refresh_interval
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 67b7a5f..5930f4a 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -198,6 +198,7 @@ refresh_expired_interval = int, None, false
# Dynamic DNS updates
dyndns_update = bool, None, false
+dyndns_update_per_family = bool, None, false
dyndns_ttl = int, None, false
dyndns_iface = str, None, false
dyndns_refresh_interval = int, None, false
--
2.33.0
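Review bot: The patch subject and body refer to a `dns_update_per_family` option, but every hunk adds `dyndns_update_per_family` (sssdoptions.py, both SSSDConfigTest.py lists, cfg_rules.ini and sssd.api.conf), and the backport file name `backport-Missing-dns_update_per_family-option.patch` on the spec side carries the same mistyped name, so a search of the changelog for the real option will not find this change. The backport description is the place to state the real option name. Both SSSDConfigTest.py hunks sit inside SSSDConfigTestSSSDDomain methods whose start and end are outside the hunks.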


@ -0,0 +1,55 @@
From 18f378921ed95dfd6a5e373c87712f7935247d71 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 26 Apr 2024 14:04:50 +0200
Subject: [PATCH] RESPONDER: use proper context for getDomains()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Request was created on a long term responder context, but a callback
for this request tries to access memory that is allocated on a short
term client context. So if client disconnects before request is
completed, then callback dereferences already freed memory.
Resolves: https://github.com/SSSD/sssd/issues/7319
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/dc637c9730d0ba04a0d8aa2645ee537224cd4b19
Conflict:NA
---
src/responder/pac/pacsrv_cmd.c | 2 +-
src/responder/pam/pamsrv_cmd.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
index e3aab88..29d5574 100644
--- a/src/responder/pac/pacsrv_cmd.c
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -140,7 +140,7 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx)
ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str,
&pr_ctx->dom);
if (ret == EAGAIN || ret == ENOENT) {
- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true,
+ req = sss_dp_get_domains_send(cctx, cctx->rctx, true,
pr_ctx->domain_name);
if (req == NULL) {
ret = ENOMEM;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 20c332b..1570304 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1510,7 +1510,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
ret = pam_forwarder_parse_data(cctx, pd);
if (ret == EAGAIN) {
- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, pd->domain);
+ req = sss_dp_get_domains_send(cctx, cctx->rctx, true, pd->domain);
if (req == NULL) {
ret = ENOMEM;
} else {
--
2.33.0
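Review bot: The change of the talloc parent from `cctx->rctx` to `cctx` in both pac_add_pac_user and pam_forwarder is the whole fix for the use-after-free described in the message, yet nothing at either call site records why the request must hang off the client context, so the next cleanup that "normalizes" the memory context can reintroduce the bug. A one-line comment above each call, e.g. `/* parent on cctx: the callback touches client-owned memory, so the request must not outlive the client (issue 7319) */`, would make the ownership explicit. Whether any other sss_dp_get_domains_send() caller in the responders still uses the long-lived rctx parent with a client-scoped callback is not visible here. Both enclosing functions start and end outside the hunks.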


@ -0,0 +1,48 @@
From 19df6a5d2ed220e6236aa1c921b7abdeba233dd1 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 22 May 2024 21:13:31 +0200
Subject: [PATCH] SSH: sanity check to please coverity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes:
```
Error: INTEGER_OVERFLOW (CWE-190):
sssd-2.10.0/src/util/sss_ssh.c:195:13: underflow: The decrement operator on the unsigned variable ""len"" might result in an underflow.
sssd-2.10.0/src/util/sss_ssh.c:204:9: overflow_sink: ""len"", which might have underflowed, is passed to ""memcpy(out, pubkey->data, len)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
# 202| }
# 203|
# 204|-> memcpy(out, pubkey->data, len);
# 205| out[len] = '\0';
# 206| }
```
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/19df6a5d2ed220e6236aa1c921b7abdeba233dd1
Conflict: NA
---
src/util/sss_ssh.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/util/sss_ssh.c b/src/util/sss_ssh.c
index 9df397873..f9c0918fd 100644
--- a/src/util/sss_ssh.c
+++ b/src/util/sss_ssh.c
@@ -191,6 +191,10 @@ sss_ssh_format_pubkey(TALLOC_CTX *mem_ctx,
}
len = pubkey->data_len;
+ if (len == 0) {
+ ret = EINVAL;
+ goto done;
+ }
if (pubkey->data[len - 1] == '\n') {
len--;
}
--
2.33.0
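Review bot: The new `len == 0` guard in sss_ssh_format_pubkey protects the `pubkey->data[len - 1]` read, but a one-byte payload consisting only of `'\n'` passes it and is then decremented back to zero, so the function goes on to produce an empty string instead of EINVAL. If an empty key is not meaningful to the callers, fold the two checks together: `if (len > 0 && pubkey->data[len - 1] == '\n') { len--; }` followed by `if (len == 0) { ret = EINVAL; goto done; }`. Whether callers tolerate an empty formatted key is outside the hunk, as is the rest of the function.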


@ -0,0 +1,30 @@
From 3621a587a32589e8404ed1f2356fcbfebc128efc Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 2 Sep 2024 21:04:34 +0200
Subject: [PATCH] TOOLS: mistype fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/tools/sssctl/sssctl_data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
index 79e12078e..43b9814ea 100644
--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
@@ -168,7 +168,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
}
- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+ if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) {
ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
--
2.33.0
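Review bot: The corrected `SSS_BACKUP_GROUP_OVERRIDES` check in sssctl_restore still leaves the group-import block as a near copy of what appears to be the user-import block above it (only the closing braces of that block are visible here), which is how the wrong constant slipped in. A small static helper taking the backup constant and the `sss_override` sub-command, e.g. `static errno_t sssctl_import_overrides(const char *backup_file, const char *subcmd)`, would remove the duplication and make such a mismatch impossible. sssctl_restore starts and ends outside the hunk.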


@ -0,0 +1,57 @@
From d24073823fa7d82726f631628923e9a5378d529d Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 18 Mar 2024 12:15:21 +0100
Subject: [PATCH] UTILS: inotify: avoid potential NULL deref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes following error:
```
Error: STRING_NULL (CWE-170):
sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function ""read"" does not terminate string ""ev_buf"". [Note: The source code implementation of the function has been overridden by a builtin model.]
sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: ""ptr"" = ""ev_buf"". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: ""in_event"" = ""ptr"". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string ""in_event->name"" to ""process_dir_event"", which expects a null-terminated string.
# 325|
# 326| if (snctx->wctx->dir_wd == in_event->wd) {
# 327|-> ret = process_dir_event(snctx, in_event);
# 328| } else if (snctx->wctx->file_wd == in_event->wd) {
# 329| ret = process_file_event(snctx, in_event);
```
-- it might be unsafe to dereference `in_event->name`
if `in_event->len == 0`
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/4085ee07926303aa26e46dfcc6dec87776432c62
Conflict:NA
---
src/util/inotify.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/util/inotify.c b/src/util/inotify.c
index a3c33ed..8192cfd 100644
--- a/src/util/inotify.c
+++ b/src/util/inotify.c
@@ -233,9 +233,13 @@ static errno_t process_dir_event(struct snotify_ctx *snctx,
{
errno_t ret;
+ if (in_event->len == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Not interested in nameless event\n");
+ return EOK;
+ }
+
DEBUG(SSSDBG_TRACE_ALL, "inotify name: %s\n", in_event->name);
- if (in_event->len == 0 \
- || strcmp(in_event->name, snctx->base_name) != 0) {
+ if (strcmp(in_event->name, snctx->base_name) != 0) {
DEBUG(SSSDBG_TRACE_FUNC, "Not interested in %s\n", in_event->name);
return EOK;
}
--
2.33.0
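Review bot: The `in_event->len == 0` early return added to process_dir_event closes the path Coverity flagged, but the trace quoted in the message shows the same `in_event` also being handed to process_file_event, which this patch does not touch; if that function reads `in_event->name` as well it needs the same guard, since inotify only populates `name` when `len` is non-zero. A comment on the new check, e.g. `/* inotify omits 'name' when len == 0; nothing to compare against base_name */`, would explain why a nameless event is simply ignored. process_dir_event's body continues outside the hunk.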


@ -0,0 +1,36 @@
From 30a9f4f389f0a09057f9d7c424b96020c940c5e1 Mon Sep 17 00:00:00 2001
From: John Veitch <john.veitch@glasgow.ac.uk>
Date: Mon, 1 Jul 2024 13:02:20 +0100
Subject: [PATCH] Update sssd.in to remove -f option from sysv init script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
fee3883 removed the -f option from the sssd but the init script was
not updated accordingly at that time.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/30a9f4f389f0a09057f9d7c424b96020c940c5e1
Conflict:NA
---
src/sysv/sssd.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sysv/sssd.in b/src/sysv/sssd.in
index 68485bfb8..52308a4e2 100644
--- a/src/sysv/sssd.in
+++ b/src/sysv/sssd.in
@@ -45,7 +45,7 @@ TIMEOUT=15
start() {
[ -x $SSSD ] || exit 5
echo -n $"Starting $prog: "
- daemon $SSSD -f -D
+ daemon $SSSD -D
RETVAL=$?
echo
[ "$RETVAL" = 0 ] && touch $LOCK_FILE
--
2.33.0
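Review bot: The rewritten `daemon $SSSD -D` line keeps `$SSSD` unquoted, as does the `[ -x $SSSD ]` test two lines above it; quoting it, `daemon "$SSSD" -D`, costs nothing and avoids word splitting if the path is ever overridden. The removal of `-f` itself matches the commit message. start() ends outside the hunk.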


@ -0,0 +1,61 @@
From d004e7b4b977da3dd9f1d3de910c28c093a6fb26 Mon Sep 17 00:00:00 2001
From: santeri3700 <santeri.pikarinen@gmail.com>
Date: Tue, 15 Oct 2024 20:13:20 +0300
Subject: [PATCH] ad: honor ad_use_ldaps setting with ad_machine_pw_renewal
The value of ad_use_ldaps was not passed as `--use-ldaps`
argument to the adcli update command which handles
the automatic renewal of AD machine account password.
Resolves: https://github.com/SSSD/sssd/issues/7642
Signed-off-by: santeri3700 <santeri.pikarinen@gmail.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ad/ad_machine_pw_renewal.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
index 56b64a2a9..2e54e9bff 100644
--- a/src/providers/ad/ad_machine_pw_renewal.c
+++ b/src/providers/ad/ad_machine_pw_renewal.c
@@ -39,6 +39,7 @@ struct renewal_data {
static errno_t get_adcli_extra_args(const char *ad_domain,
const char *ad_hostname,
const char *ad_keytab,
+ bool ad_use_ldaps,
size_t pw_lifetime_in_days,
bool add_samba_data,
size_t period,
@@ -59,7 +60,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
return ENOMEM;
}
- args = talloc_array(renewal_data, const char *, 9);
+ args = talloc_array(renewal_data, const char *, 10);
if (args == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
return ENOMEM;
@@ -79,6 +80,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab);
}
args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain);
+ if (ad_use_ldaps) {
+ args[c++] = talloc_strdup(args, "--use-ldaps");
+ }
if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
args[c++] = talloc_strdup(args, "--verbose");
}
@@ -390,6 +394,7 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME),
dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic,
SDAP_KRB5_KEYTAB),
+ dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS),
lifetime,
dp_opt_get_bool(ad_opts->basic,
AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD),
--
2.33.0
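Review bot: The array size in `talloc_array(renewal_data, const char *, 10)` is a hand-maintained count of the conditional `args[c++]` pushes plus the NULL terminator, and this change is exactly the kind of edit that must remember to bump it; nothing visible checks `c` against the allocation before the terminator is written, that part of get_adcli_extra_args being outside the hunks. A comment at the allocation, e.g. `/* one slot per args[c++] below plus the NULL terminator; bump when adding an option */`, or a named constant, would make the dependency explicit. Passing AD_USE_LDAPS through also closes the gap described in the message, where the renewal ignored the provider's LDAPS setting. get_adcli_extra_args spans beyond the hunks shown.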


@ -0,0 +1,84 @@
From 4d841bf2060717171fecad628480c8f2bc03760d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Mar 2024 10:50:07 +0100
Subject: [PATCH] ad: refresh root domain when read directly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the domain object of the forest root domain cannot be found in the
LDAP tree of the local AD domain SSSD tries to read the request data
from an LDAP server of the forest root domain directly. After reading
this data the information is stored in the cache but currently the
information about the domain store in memory is not updated with the
additional data. As a result e.g. the domain SID is missing in this data
and only becomes available after a restart where it is read from the
cache.
With this patch an unconditional refresh is triggered at the end of the
fallback code path.
Resolves: https://github.com/SSSD/sssd/issues/7250
Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/0de6c33047ac7a2b5316ec5ec936d6b675671c53
Conflict:NA
---
src/providers/ad/ad_subdomains.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 5bddf9b..e6745ce 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1389,7 +1389,7 @@ struct ad_get_root_domain_state {
static void ad_get_root_domain_done(struct tevent_req *subreq);
static void ad_check_root_domain_done(struct tevent_req *subreq);
static errno_t
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
struct tevent_req *
ad_check_domain_send(TALLOC_CTX *mem_ctx,
@@ -1571,7 +1571,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
return;
}
- ret = ad_get_root_domain_refresh(state);
+ ret = ad_get_root_domain_refresh(state, false);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
}
@@ -1664,7 +1664,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
state->reply_count = 1;
- ret = ad_get_root_domain_refresh(state);
+ ret = ad_get_root_domain_refresh(state, true);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
}
@@ -1679,7 +1679,7 @@ done:
}
static errno_t
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
{
struct sss_domain_info *root_domain;
bool has_changes;
@@ -1695,7 +1695,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
goto done;
}
- if (has_changes) {
+ if (has_changes || refresh) {
ret = ad_subdom_reinit(state->sd_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
--
2.33.0
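Review bot: The new `bool refresh` parameter of ad_get_root_domain_refresh() reads ambiguously next to the function's own name, since every call "refreshes", while what it actually does in the last hunk is force `ad_subdom_reinit()` even when `has_changes` is false. Naming it `force_reinit` and documenting it at the forward declaration, e.g. `/* force_reinit: reinitialize subdomains even if the root domain object did not change (used after reading it directly from the forest root) */`, would capture the intent stated in the commit message. The body of ad_get_root_domain_refresh continues outside the hunk.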


@ -0,0 +1,61 @@
From 986bb726202e69b05f861c14c3a220379baf9bd1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 14 Jun 2024 16:10:34 +0200
Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SSSD does not handle the root user (UID==0) and treats all accounts with
UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
well and as a result for those accounts in MPG domains the check for a
collisions of the primary GID should be skipped. The current code might
e.g. cause issues during GPO evaluation when adding a host account into
the cache which does not have any UID or GID set in AD and SSSD is
configured to read UID and GID from AD.
Resolves: https://github.com/SSSD/sssd/issues/7451
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/986bb726202e69b05f861c14c3a220379baf9bd1
Conflict:NA
---
src/db/sysdb_ops.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index a47d9b174..32e49d759 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
goto done;
}
- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
- if (ret != ENOENT) {
- if (ret == EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Group with GID [%"SPRIgid"] already exists in an "
- "MPG domain\n", gid);
- ret = EEXIST;
+ if (uid != 0) { /* uid == 0 means non-POSIX object */
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group with GID [%"SPRIgid"] already exists in an "
+ "MPG domain\n", uid);
+ ret = EEXIST;
+ }
+ goto done;
}
- goto done;
}
}
--
2.33.0
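Review bot: Inside the new `if (uid != 0)` block the corrected message prints `uid` through the `SPRIgid` format macro; the value is right (the search is by the user's UID used as its candidate private-group GID), but the format macro should match the argument's type, via the project's uid format macro or an explicit cast, so -Wformat stays meaningful if uid_t and gid_t ever diverge. The comment `/* uid == 0 means non-POSIX object */` states the premise; adding that such objects therefore cannot collide with a real MPG private group would explain why the check is skipped rather than relaxed. sysdb_add_user starts and ends outside the hunk.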


@ -1,6 +1,6 @@
Name: sssd
Version: 2.6.1
Release: 14
Release: 19
Summary: System Security Services Daemon
License: GPLv3+ and LGPLv3+
URL: https://pagure.io/SSSD/sssd/
@ -49,6 +49,17 @@ Patch6039: backport-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
Patch6040: backport-nssidmap-fix-sss_nss_getgrouplist_timeout-with-empty.patch
Patch6041: backport-KCM-Fix-a-memory-leak.patch
Patch6042: backport-CVE-2023-3758.patch
Patch6043: backport-UTILS-inotify-avoid-potential-NULL-deref.patch
Patch6044: backport-ad-refresh-root-domain-when-read-directly.patch
Patch6045: backport-RESPONDER-use-proper-context-for-getDomains.patch
Patch6046: backport-SSH-sanity-check-to-please-coverity.patch
Patch6047: backport-CLIENT-idmap-fix-coverity-warning.patch
Patch6048: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
Patch6049: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
Patch6050: backport-Missing-dns_update_per_family-option.patch
Patch6051: backport-TOOLS-mistype-fix.patch
Patch6052: backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch
Patch6053: backport-Make-sure-invalid-krb5-context-is-not-used.patch
Requires: python3-sssd = %{version}-%{release}
Requires: libldb
@ -556,6 +567,21 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Thu Dec 05 2024 wangjiang <app@cameyan.com> - 2.6.1-19
- backport make sure invalid krb5 context is not used
* Tue Dec 03 2024 wangjiang <app@cameyan.com> - 2.6.1-18
- backport upstream patches
* Fri Oct 25 2024 fangxiuning<fangxiuning@huawei.com> - 2.6.1-17
- backport patches to fix bugs
* Sun Sep 29 2024 fangxiuning<fangxiuning@huawei.com> - 2.6.1-16
- backport upstream patches
* Tue Jun 18 2024 wangjiang <wangjiang37@h-partners.com> - 2.6.1-15
- backport upstream patches
* Fri Apr 19 2024 liweigang <liweiganga@uniontech.com> - 2.6.1-14
- fix CVE-2023-3758