diff --git a/backport-add-option-for-dp_opt_dyndns_refresh_offset.patch b/backport-add-option-for-dp_opt_dyndns_refresh_offset.patch
new file mode 100644
index 0000000000000000000000000000000000000000..14cb358c4c3a9eda124fca1a0a8b4537f9ca34d2
--- /dev/null
+++ b/backport-add-option-for-dp_opt_dyndns_refresh_offset.patch
@@ -0,0 +1,28 @@
+From ee51f604ad0d32e8e25451909114fb4870f65f3f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
+Date: Thu, 14 Nov 2024 17:27:49 +0100
+Subject: [PATCH] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
+
+The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
+https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
+but the corresponding option is missing in
+https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200
+
+This error was introduced by
+https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5
+---
+ src/providers/be_dyndns.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
+index 2c655ef1eeb..5d0f5111977 100644
+--- a/src/providers/be_dyndns.c
++++ b/src/providers/be_dyndns.c
+@@ -1200,6 +1200,7 @@ static struct dp_option default_dyndns_opts[] = {
+ { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
++ { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
+ { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER },
+ { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
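Review bot: The new `{ "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },` row must sit at exactly the slot `DP_OPT_DYNDNS_REFRESH_OFFSET` occupies in `enum dp_dyndns_opts` (be_dyndns.h, referenced in the message but not shown here), because dp_option tables are read by enum index and a row in the wrong slot compiles cleanly while silently re-labelling every option after it — which is also why the pre-patch table, one row short, presumably served the `dyndns_iface` string entry whenever the numeric offset was requested. Nothing in this patch itself prevents a recurrence; the companion test backport's sized `extern` declaration does, so the two should be applied together. If `dyndns_refresh_interval_offset` is not already listed in sssdoptions.py, cfg_rules.ini and sssd.api.conf (the sibling dns_update_per_family backport shows the four places), `sssctl config-check` will keep flagging the option as unknown even though the daemon now honours it.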
diff --git a/backport-fix-Missing-dns_update_per_family-option.patch b/backport-fix-Missing-dns_update_per_family-option.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1366ebc9b6c19a0b30e6625308e9962ef868b2b3
--- /dev/null
+++ b/backport-fix-Missing-dns_update_per_family-option.patch
@@ -0,0 +1,73 @@
+From a822206c7859b5f39af2b2ea1b117850a0589e3c Mon Sep 17 00:00:00 2001
+From: Tomas Halman
+Date: Mon, 21 Oct 2024 16:31:38 +0200
+Subject: [PATCH] Missing 'dns_update_per_family' option
+
+This update fixes missing 'dns_update_per_family' option in python code
+and config files.
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/config/SSSDConfig/sssdoptions.py | 2 ++
+ src/config/SSSDConfigTest.py | 2 ++
+ src/config/cfg_rules.ini | 1 +
+ src/config/etc/sssd.api.conf | 1 +
+ 4 files changed, 6 insertions(+)
+
+diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
+index affe2e52918..7eed403e4bd 100644
+--- a/src/config/SSSDConfig/sssdoptions.py
++++ b/src/config/SSSDConfig/sssdoptions.py
+@@ -197,6 +197,8 @@ def __init__(self):
+ 'refresh_expired_interval': _('How often should expired entries be refreshed in background'),
+ 'refresh_expired_interval_offset': _("Maximum period deviation when refreshing expired entries in background"),
+ 'dyndns_update': _("Whether to automatically update the client's DNS entry"),
++ 'dyndns_update_per_family': _('Whether DNS update of A and AAAA record should be performed '
++ 'in one update or in two separate updates'),
+ 'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
+ 'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
+ 'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"),
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index bc398cc8b8e..1ce4637eda7 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -558,6 +558,7 @@ def testListOptions(self):
+ 'dns_discovery_domain',
+ 'failover_primary_timeout',
+ 'dyndns_update',
++ 'dyndns_update_per_family',
+ 'dyndns_ttl',
+ 'dyndns_iface',
+ 'dyndns_refresh_interval',
+@@ -919,6 +920,7 @@ def testRemoveProvider(self):
+ 'dns_discovery_domain',
+ 'failover_primary_timeout',
+ 'dyndns_update',
++ 'dyndns_update_per_family',
+ 'dyndns_ttl',
+ 'dyndns_iface',
+ 'dyndns_refresh_interval',
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index b33cd876b95..950eae630fb 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -433,6 +433,7 @@ option = refresh_expired_interval_offset
+
+ # Dynamic DNS updates
+ option = dyndns_update
++option = dyndns_update_per_family
+ option = dyndns_ttl
+ option = dyndns_iface
+ option = dyndns_refresh_interval
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index b5d42afbb1e..4377a1fc571 100644
+--- a/src/config/etc/sssd.api.conf
++++ b/src/config/etc/sssd.api.conf
+@@ -207,6 +207,7 @@ refresh_expired_interval_offset = int, None, false
+
+ # Dynamic DNS updates
+ dyndns_update = bool, None, false
++dyndns_update_per_family = bool, None, false
+ dyndns_ttl = int, None, false
+ dyndns_iface = str, None, false
+ dyndns_refresh_interval = int, None, false
diff --git a/backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch b/backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bb15c7cca8587277979dd5e94577882eff9a9ff1
--- /dev/null
+++ b/backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch
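Review bot: The help text `'Whether DNS update of A and AAAA record should be performed in one update or in two separate updates'` never says which boolean value selects which behaviour, so an administrator reading the `sssctl` description still has to look up the C default; if true means one update per address family, as the option name suggests, a wording such as `'When true, update the A and AAAA records in two separate DNS updates; when false, in a single update'` would make the flag self-describing. The commit subject and body call the option `dns_update_per_family` while every added line uses `dyndns_update_per_family`, and the spec changelog below repeats the shortened name, which will mislead anyone grepping the history for it. The `bool, None, false` entry in sssd.api.conf and the cfg_rules.ini rule do match the `DP_OPT_BOOL` row in the C defaults table, so config-check and the daemon now agree on the option's existence and type.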
@@ -0,0 +1,58 @@
+From d004e7b4b977da3dd9f1d3de910c28c093a6fb26 Mon Sep 17 00:00:00 2001
+From: santeri3700
+Date: Tue, 15 Oct 2024 20:13:20 +0300
+Subject: [PATCH] ad: honor ad_use_ldaps setting with ad_machine_pw_renewal
+
+The value of ad_use_ldaps was not passed as `--use-ldaps`
+argument to the adcli update command which handles
+the automatic renewal of AD machine account password.
+
+Resolves: https://github.com/SSSD/sssd/issues/7642
+
+Signed-off-by: santeri3700
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Sumit Bose
+---
+ src/providers/ad/ad_machine_pw_renewal.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
+index 56b64a2a955..2e54e9bff0d 100644
+--- a/src/providers/ad/ad_machine_pw_renewal.c
++++ b/src/providers/ad/ad_machine_pw_renewal.c
+@@ -39,6 +39,7 @@ struct renewal_data {
+ static errno_t get_adcli_extra_args(const char *ad_domain,
+ const char *ad_hostname,
+ const char *ad_keytab,
++ bool ad_use_ldaps,
+ size_t pw_lifetime_in_days,
+ bool add_samba_data,
+ size_t period,
+@@ -59,7 +60,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
+ return ENOMEM;
+ }
+
+- args = talloc_array(renewal_data, const char *, 9);
++ args = talloc_array(renewal_data, const char *, 10);
+ if (args == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
+ return ENOMEM;
+@@ -79,6 +80,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
+ args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab);
+ }
+ args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain);
++ if (ad_use_ldaps) {
++ args[c++] = talloc_strdup(args, "--use-ldaps");
++ }
+ if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
+ args[c++] = talloc_strdup(args, "--verbose");
+ }
+@@ -390,6 +394,7 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
+ dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME),
+ dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic,
+ SDAP_KRB5_KEYTAB),
++ dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS),
+ lifetime,
+ dp_opt_get_bool(ad_opts->basic,
+ AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD),
diff --git a/backport-mistype-fix.patch b/backport-mistype-fix.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d56bdf11808f2a7fd3c5f9de8e0f6ff665d7aaf7
--- /dev/null
+++ b/backport-mistype-fix.patch
@@ -0,0 +1,27 @@
+From 3621a587a32589e8404ed1f2356fcbfebc128efc Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Mon, 2 Sep 2024 21:04:34 +0200
+Subject: [PATCH] TOOLS: mistype fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Iker Pedrosa
+Reviewed-by: Tomáš Halman
+---
+ src/tools/sssctl/sssctl_data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 79e12078e4b..43b9814eaf0 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -168,7 +168,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+ }
+ }
+
+- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
++ if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) {
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
+ if (ret != EOK) {
diff --git a/backport-test-default_dyndns_opts.patch b/backport-test-default_dyndns_opts.patch
new file mode 100644
index 0000000000000000000000000000000000000000..440e4e9b2d2cba88d59f44678cd7c0a3fefa9994
--- /dev/null
+++ b/backport-test-default_dyndns_opts.patch
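Review bot: The new `args[c++] = talloc_strdup(args, "--use-ldaps");` is not NULL-checked where it is assigned, and `c` is never compared against the allocation that was just raised from 9 to 10, so the next optional flag someone adds here overflows the array unless the terminator assignment (outside this hunk) guards it; a `if (c >= 10) { return EINVAL; }` before the final NULL, or a named `ADCLI_MAX_ARGS` used in both the `talloc_array` call and the check, would pin that contract. The earlier `--domain=` and `--verbose` assignments follow the same unchecked pattern, so a later loop may already validate every entry — worth confirming rather than assuming. Operationally, `--use-ldaps` is only understood by an adcli built with that option; an older adcli rejects the unknown flag and the whole renewal fails, which leaves the machine password to expire, whereas the pre-patch behaviour merely ignored `ad_use_ldaps` for this one command — so the packaging should carry a matching minimum `Requires: adcli` (the spec hunk below shows none). Both get_adcli_extra_args and ad_machine_account_password_renewal_init extend beyond the hunk.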
@@ -0,0 +1,62 @@
+From 181b8e90e9a32f33cf75652864fbf0fe4d9f05f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
+Date: Thu, 14 Nov 2024 18:46:44 +0100
+Subject: [PATCH] TESTS: Also test default_dyndns_opts
+
+Compare this structure to ipa_dyndns_opts, which is already compared
+to ad_dyndns_opts.
+---
+ src/providers/be_dyndns.c | 2 +-
+ src/providers/be_dyndns.h | 1 +
+ src/tests/ipa_ldap_opt-tests.c | 6 ++++++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
+index 5d0f5111977..e6fa7dfd69e 100644
+--- a/src/providers/be_dyndns.c
++++ b/src/providers/be_dyndns.c
+@@ -1197,7 +1197,7 @@ be_nsupdate_check(void)
+ return ret;
+ }
+
+-static struct dp_option default_dyndns_opts[] = {
++struct dp_option default_dyndns_opts[] = {
+ { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
+diff --git a/src/providers/be_dyndns.h b/src/providers/be_dyndns.h
+index 2185fee9563..719c1394255 100644
+--- a/src/providers/be_dyndns.h
++++ b/src/providers/be_dyndns.h
+@@ -63,6 +63,7 @@ enum dp_dyndns_opts {
+
+ DP_OPT_DYNDNS /* attrs counter */
+ };
++extern struct dp_option default_dyndns_opts[DP_OPT_DYNDNS + 1];
+
+ #define DYNDNS_REMOVE_A 0x1
+ #define DYNDNS_REMOVE_AAAA 0x2
+diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
+index a1a0e9cc6db..da990acaf9a 100644
+--- a/src/tests/ipa_ldap_opt-tests.c
++++ b/src/tests/ipa_ldap_opt-tests.c
+@@ -103,6 +103,10 @@ START_TEST(test_compare_opts)
+ ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
+ ad_dyndns_opts);
+ ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
++
++ ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS,
++ default_dyndns_opts);
++ ck_assert_msg(ret == EOK, "[%s]", strerror(ret));
+ }
+ END_TEST
+
+@@ -200,6 +204,8 @@ START_TEST(test_dp_opt_sentinel)
+
+ fail_unless_dp_opt_is_terminator(&default_krb5_opts[KRB5_OPTS]);
+
++ fail_unless_dp_opt_is_terminator(&default_dyndns_opts[DP_OPT_DYNDNS]);
++
+ fail_unless_dp_opt_is_terminator(&ad_basic_opts[AD_OPTS_BASIC]);
+ fail_unless_dp_opt_is_terminator(&ad_def_ldap_opts[SDAP_OPTS_BASIC]);
+ fail_unless_dp_opt_is_terminator(&ad_def_krb5_opts[KRB5_OPTS]);
diff --git a/sssd.spec b/sssd.spec
index f8a42e30ed184d6b2cbfbbda86c78bd0da13bf19..bd54f277ce7d233e394deb5e3e77a4d458f59e3a 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,13 +8,18 @@ Name: sssd
 Version: 2.9.5
-Release: 2
+Release: 3
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 Patch0001: backport-Make-sure-invalid-krb5-context-is-not-used.patch
+Patch0002: backport-fix-Missing-dns_update_per_family-option.patch
+Patch0003: backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch
+Patch0004: backport-mistype-fix.patch
+Patch0005: backport-add-option-for-dp_opt_dyndns_refresh_offset.patch
+Patch0006: backport-test-default_dyndns_opts.patch
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
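Review bot: `extern struct dp_option default_dyndns_opts[DP_OPT_DYNDNS + 1];` turns the row count into a compile-time contract — a definition with a different number of initialisers now conflicts with the declared array type — but only in translation units that include be_dyndns.h, and be_dyndns.c's include list is outside this hunk, so confirm the .c file sees its own header or the check exists only in the test binary. This is exactly the guard that would have caught the missing `DP_OPT_DYNDNS_REFRESH_OFFSET` row fixed by the sibling backport, so the same sized-extern form is worth applying to `ipa_dyndns_opts` and `ad_dyndns_opts`, which the test references but whose declarations are not shown here. Dropping `static` gives the defaults table external linkage purely for the test's benefit; a comment above the definition, `/* non-static so ipa_ldap_opt-tests.c can compare it with the IPA/AD tables */`, would stop a later cleanup from quietly making it static again and breaking the test build. test_dp_opt_sentinel begins before this hunk.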
@@ -914,6 +919,13 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Mon Dec 02 2024 Majianhan - 2.9.5-3
+- Adds the missing dns_update_per_family option to support separate or combined DNS updates for A and AAAA records.
+- Ensures the ad_use_ldaps setting is passed correctly to the adcli update command for secure AD machine account password renewals.
+- Corrects a typo in sssctl_restore by replacing SSS_BACKUP_USER_OVERRIDES with SSS_BACKUP_GROUP_OVERRIDES.
+- Introduces the missing dyndns_refresh_interval_offset option to enhance configuration flexibility for dynamic DNS refresh intervals.
+- Expands test coverage to include default_dyndns_opts, ensuring consistency and correctness across dynamic DNS options.
+
 * Fri Nov 22 2024 Majianhan - 2.9.5-2
 - backport make sure invalid krb5 context is not used