From 3d92f589f8b205de92aded9c4f81ab55dadd521e Mon Sep 17 00:00:00 2001
From: fangxiuning
Date: Sun, 29 Sep 2024 17:21:26 +0800
Subject: [PATCH] add
---
 ...o-remove-f-option-from-sysv-init-scr.patch | 36 +++++++++++
 ...l-to-add-non-posix-user-to-MPG-domai.patch | 61 +++++++++++++++++++
 sssd.spec | 7 ++-
 3 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
 create mode 100644 backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
diff --git a/backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch b/backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
new file mode 100644
index 0000000..da0992f
--- /dev/null
+++ b/backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
@@ -0,0 +1,36 @@
+From 30a9f4f389f0a09057f9d7c424b96020c940c5e1 Mon Sep 17 00:00:00 2001
+From: John Veitch
+Date: Mon, 1 Jul 2024 13:02:20 +0100
+Subject: [PATCH] Update sssd.in to remove -f option from sysv init script
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fee3883 removed the -f option from the sssd but the init script was
+not updated accordingly at that time.
+
+Reviewed-by: Tomáš Halman
+
+Reference:https://github.com/SSSD/sssd/commit/30a9f4f389f0a09057f9d7c424b96020c940c5e1
+Conflict:NA
+
+---
+ src/sysv/sssd.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sysv/sssd.in b/src/sysv/sssd.in
+index 68485bfb8..52308a4e2 100644
+--- a/src/sysv/sssd.in
++++ b/src/sysv/sssd.in
+@@ -45,7 +45,7 @@ TIMEOUT=15
+ start() {
+ [ -x $SSSD ] || exit 5
+ echo -n $"Starting $prog: "
+- daemon $SSSD -f -D
++ daemon $SSSD -D
+ RETVAL=$?
+ echo
+ [ "$RETVAL" = 0 ] && touch $LOCK_FILE
+--
+2.33.0
+
diff --git a/backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch b/backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
new file mode 100644
index 0000000..0695816
--- /dev/null
+++ b/backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
@@ -0,0 +1,61 @@
+From 986bb726202e69b05f861c14c3a220379baf9bd1 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 14 Jun 2024 16:10:34 +0200
+Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+SSSD does not handle the root user (UID==0) and treats all accounts with
+UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
+well and as a result for those accounts in MPG domains the check for a
+collisions of the primary GID should be skipped. The current code might
+e.g. cause issues during GPO evaluation when adding a host account into
+the cache which does not have any UID or GID set in AD and SSSD is
+configured to read UID and GID from AD.
+
+Resolves: https://github.com/SSSD/sssd/issues/7451
+
+Reviewed-by: Alejandro López
+Reviewed-by: Tomáš Halman
+
+Reference:https://github.com/SSSD/sssd/commit/986bb726202e69b05f861c14c3a220379baf9bd1
+Conflict:NA
+
+---
+ src/db/sysdb_ops.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index a47d9b174..32e49d759 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
+ goto done;
+ }
+
+- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+- if (ret != ENOENT) {
+- if (ret == EOK) {
+- DEBUG(SSSDBG_OP_FAILURE,
+- "Group with GID [%"SPRIgid"] already exists in an "
+- "MPG domain\n", gid);
+- ret = EEXIST;
++ if (uid != 0) { /* uid == 0 means non-POSIX object */
++ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
++ if (ret != ENOENT) {
++ if (ret == EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Group with GID [%"SPRIgid"] already exists in an "
++ "MPG domain\n", uid);
++ ret = EEXIST;
++ }
++ goto done;
+ }
+- goto done;
+ }
+ }
+
+--
+2.33.0
+
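Review bot: The new `if (uid != 0)` guard around `sysdb_search_group_by_gid()` in `sysdb_add_user` skips the MPG primary-GID collision check on the uid value alone, and its comment `/* uid == 0 means non-POSIX object */` does not record why that is safe. The commit message gives the reason (SSSD does not handle root and treats every UID 0 account as non-POSIX), so I would put it in the code: `/* uid == 0: non-POSIX object; SSSD does not handle UID 0, so no private group can collide */`. The DEBUG call now passes `uid` to the `SPRIgid` conversion; the two types presumably have the same width, but `(gid_t) uid` would make the intent explicit. The enclosing MPG condition and the rest of the function lie outside the hunk, so whether UID 0 entries are filtered before being served cannot be confirmed from here.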
diff --git a/sssd.spec b/sssd.spec index 96cbf25..b40ff00 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,6 +1,6 @@ Name: sssd Version: 2.6.1 -Release: 15 +Release: 16 Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ URL: https://pagure.io/SSSD/sssd/ @@ -52,6 +52,8 @@ Patch6042: backport-CVE-2023-3758.patch Patch6043: backport-UTILS-inotify-avoid-potential-NULL-deref.patch Patch6044: backport-ad-refresh-root-domain-when-read-directly.patch Patch6045: backport-RESPONDER-use-proper-context-for-getDomains.patch +Patch6046: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch +Patch6047: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch Requires: python3-sssd = %{version}-%{release} Requires: libldb @@ -559,6 +561,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Sun Sep 29 2024 fangxiuning - 2.6.1-16 +- backport upstream patches + * Tue Jun 18 2024 wangjiang - 2.6.1-15 - backport upstream patches -- Gitee