From 676224adc82b6234cd5931e0310c469bf0c9d0ac Mon Sep 17 00:00:00 2001 From: fangxiuning Date: Mon, 23 Dec 2024 14:56:06 +0800 Subject: [PATCH] add --- ...rt-CLIENT-idmap-fix-coverity-warning.patch | 51 +++++++++++ ...Missing-dns_update_per_family-option.patch | 76 +++++++++++++++++ ...ER-use-proper-context-for-getDomains.patch | 55 ++++++++++++ ...-SSH-sanity-check-to-please-coverity.patch | 48 +++++++++++ backport-TOOLS-mistype-fix.patch | 30 +++++++ ...S-inotify-avoid-potential-NULL-deref.patch | 57 +++++++++++++ ...o-remove-f-option-from-sysv-init-scr.patch | 36 ++++++++ ...ldaps-setting-with-ad_machine_pw_ren.patch | 61 ++++++++++++++ ...fresh-root-domain-when-read-directly.patch | 84 +++++++++++++++++++ ...l-to-add-non-posix-user-to-MPG-domai.patch | 61 ++++++++++++++ sssd.spec | 15 +++- 11 files changed, 573 insertions(+), 1 deletion(-) create mode 100644 backport-CLIENT-idmap-fix-coverity-warning.patch create mode 100644 backport-Missing-dns_update_per_family-option.patch create mode 100644 backport-RESPONDER-use-proper-context-for-getDomains.patch create mode 100644 backport-SSH-sanity-check-to-please-coverity.patch create mode 100644 backport-TOOLS-mistype-fix.patch create mode 100644 backport-UTILS-inotify-avoid-potential-NULL-deref.patch create mode 100644 backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch create mode 100644 backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch create mode 100644 backport-ad-refresh-root-domain-when-read-directly.patch create mode 100644 backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch diff --git a/backport-CLIENT-idmap-fix-coverity-warning.patch b/backport-CLIENT-idmap-fix-coverity-warning.patch new file mode 100644 index 0000000..d8ee642 --- /dev/null +++ b/backport-CLIENT-idmap-fix-coverity-warning.patch 
@@ -0,0 +1,51 @@ +From 7c913edc84e0201020b5ab770dd0823911387781 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 22 May 2024 20:19:05 +0200 +Subject: [PATCH] CLIENT:idmap: fix coverity warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes following issue: +``` +"Error: INTEGER_OVERFLOW (CWE-190): +sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:306:5: tainted_data_argument: The value returned in ""replen"" is considered tainted. +sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: overflow: The expression ""replen - 12UL"" might be negative, but is used in a context that treats it as unsigned. +sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: assign: Assigning: ""data_len"" = ""replen - 12UL"". +sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow: The expression ""1UL * data_len"" is deemed underflowed because at least one of its arguments has underflowed. +sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow_sink: ""1UL * data_len"", which might have underflowed, is passed to ""malloc(1UL * data_len)"". 
+ # 345| } + # 346| + # 347|-> str = malloc(sizeof(char) * data_len); + # 348| if (str == NULL) { + # 349| ret = ENOMEM;" +``` + +Reviewed-by: Alejandro López + +Reference: https://github.com/SSSD/sssd/commit/7c913edc84e0201020b5ab770dd0823911387781 +Conflict: NA + +--- + src/sss_client/idmap/sss_nss_idmap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c +index 575d03057..604933c6d 100644 +--- a/src/sss_client/idmap/sss_nss_idmap.c ++++ b/src/sss_client/idmap/sss_nss_idmap.c +@@ -324,6 +324,11 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd, + goto done; + } + ++ if (replen < DATA_START) { /* make sure 'type' is present */ ++ ret = EBADMSG; ++ goto done; ++ } ++ + /* Skip first two 32 bit values (number of results and + * reserved padding) */ + SAFEALIGN_COPY_UINT32(&out->type, repbuf + 2 * sizeof(uint32_t), NULL); +-- +2.33.0 + diff --git a/backport-Missing-dns_update_per_family-option.patch b/backport-Missing-dns_update_per_family-option.patch new file mode 100644 index 0000000..6e677d6 --- /dev/null +++ b/backport-Missing-dns_update_per_family-option.patch 
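Review bot: The new `replen < DATA_START` guard makes the `type` read safe, but the equal case still leaves `data_len == 0` for the `malloc(sizeof(char) * data_len)` call quoted in the Coverity trace, which sits below the hunk; whether a zero-length payload is a valid reply or should also be rejected is not stated. Either document the decision at the guard, e.g. `/* replen == DATA_START yields an empty payload; accepted deliberately */`, or widen the comparison to `<=` if an empty payload is never legitimate. `DATA_START` is defined outside the hunk; the trace's `replen - 12UL` suggests it is 12 bytes, which matches the two 32-bit values skipped plus the `type` field. sss_nss_getyyybyxxx() begins and ends outside the hunk.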
@@ -0,0 +1,76 @@ +From a822206c7859b5f39af2b2ea1b117850a0589e3c Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Mon, 21 Oct 2024 16:31:38 +0200 +Subject: [PATCH] Missing 'dns_update_per_family' option + +This update fixes missing 'dns_update_per_family' option in python code +and config files. + +Reviewed-by: Alexey Tikhonov +--- + src/config/SSSDConfig/sssdoptions.py | 2 ++ + src/config/SSSDConfigTest.py | 2 ++ + src/config/cfg_rules.ini | 1 + + src/config/etc/sssd.api.conf | 1 + + 4 files changed, 6 insertions(+) + +diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py +index e7de867..3aba87a 100644 +--- a/src/config/SSSDConfig/sssdoptions.py ++++ b/src/config/SSSDConfig/sssdoptions.py +@@ -187,6 +187,8 @@ class SSSDOptions(object): + 'entry_cache_resolver_timeout' : _('Entry cache timeout length (seconds)'), + 'refresh_expired_interval': _('How often should expired entries be refreshed in background'), + 'dyndns_update': _("Whether to automatically update the client's DNS entry"), ++ 'dyndns_update_per_family': _('Whether DNS update of A and AAAA record should be performed ' ++ 'in one update or in two separate updates'), + 'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"), + 'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"), + 'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"), +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index e08109a..21a08c8 100755 +--- a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -576,6 +576,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'dns_resolver_timeout', + 'dns_discovery_domain', + 'dyndns_update', ++ 'dyndns_update_per_family', + 'dyndns_ttl', + 'dyndns_iface', + 'dyndns_refresh_interval', +@@ -929,6 +930,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'dns_resolver_timeout', + 'dns_discovery_domain', + 'dyndns_update', 
++ 'dyndns_update_per_family', + 'dyndns_ttl', + 'dyndns_iface', + 'dyndns_refresh_interval', +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index 39b66ba..0a630f1 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -412,6 +412,7 @@ option = refresh_expired_interval + + # Dynamic DNS updates + option = dyndns_update ++option = dyndns_update_per_family + option = dyndns_ttl + option = dyndns_iface + option = dyndns_refresh_interval +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index 67b7a5f..5930f4a 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -198,6 +198,7 @@ refresh_expired_interval = int, None, false + + # Dynamic DNS updates + dyndns_update = bool, None, false ++dyndns_update_per_family = bool, None, false + dyndns_ttl = int, None, false + dyndns_iface = str, None, false + dyndns_refresh_interval = int, None, false +-- +2.33.0 + diff --git a/backport-RESPONDER-use-proper-context-for-getDomains.patch b/backport-RESPONDER-use-proper-context-for-getDomains.patch new file mode 100644 index 0000000..98935e2 --- /dev/null +++ b/backport-RESPONDER-use-proper-context-for-getDomains.patch 
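Review bot: This backport carries no `Reference:` or `Conflict:` trailer, unlike most patches in this series (the TOOLS mistype and ad_use_ldaps patches lack them as well), so the provenance of the embedded commit a822206c cannot be checked from the file itself; add `Reference: https://github.com/SSSD/sssd/commit/a822206c7859b5f39af2b2ea1b117850a0589e3c` and `Conflict: NA` after the Reviewed-by line as the rest of the series does. The file name and subject say `dns_update_per_family` while every added line registers `dyndns_update_per_family`; the option name is what a reader will grep for, so at least the backport file name should use it. The cfg_rules.ini and sssd.api.conf entries only let the option pass validation; whether the 2.6.1 data provider in this package actually consumes `dyndns_update_per_family` should be confirmed, since otherwise the setting is accepted silently and has no effect.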
@@ -0,0 +1,55 @@ +From 18f378921ed95dfd6a5e373c87712f7935247d71 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 26 Apr 2024 14:04:50 +0200 +Subject: [PATCH] RESPONDER: use proper context for getDomains() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Request was created on a long term responder context, but a callback +for this request tries to access memory that is allocated on a short +term client context. So if client disconnects before request is +completed, then callback dereferences already freed memory. + +Resolves: https://github.com/SSSD/sssd/issues/7319 + +Reviewed-by: Alejandro López +Reviewed-by: Pavel Březina + +Reference:https://github.com/SSSD/sssd/commit/dc637c9730d0ba04a0d8aa2645ee537224cd4b19 +Conflict:NA + +--- + src/responder/pac/pacsrv_cmd.c | 2 +- + src/responder/pam/pamsrv_cmd.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c +index e3aab88..29d5574 100644 +--- a/src/responder/pac/pacsrv_cmd.c ++++ b/src/responder/pac/pacsrv_cmd.c +@@ -140,7 +140,7 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx) + ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str, + &pr_ctx->dom); + if (ret == EAGAIN || ret == ENOENT) { +- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, ++ req = sss_dp_get_domains_send(cctx, cctx->rctx, true, + pr_ctx->domain_name); + if (req == NULL) { + ret = ENOMEM; +diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c +index 20c332b..1570304 100644 +--- a/src/responder/pam/pamsrv_cmd.c ++++ b/src/responder/pam/pamsrv_cmd.c +@@ -1510,7 +1510,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) + + ret = pam_forwarder_parse_data(cctx, pd); + if (ret == EAGAIN) { +- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, pd->domain); ++ req = sss_dp_get_domains_send(cctx, cctx->rctx, true, pd->domain); + if (req 
== NULL) { + ret = ENOMEM; + } else { +-- +2.33.0 + diff --git a/backport-SSH-sanity-check-to-please-coverity.patch b/backport-SSH-sanity-check-to-please-coverity.patch new file mode 100644 index 0000000..aac9381 --- /dev/null +++ b/backport-SSH-sanity-check-to-please-coverity.patch @@ -0,0 +1,48 @@ +From 19df6a5d2ed220e6236aa1c921b7abdeba233dd1 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 22 May 2024 21:13:31 +0200 +Subject: [PATCH] SSH: sanity check to please coverity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: +``` +Error: INTEGER_OVERFLOW (CWE-190): +sssd-2.10.0/src/util/sss_ssh.c:195:13: underflow: The decrement operator on the unsigned variable ""len"" might result in an underflow. +sssd-2.10.0/src/util/sss_ssh.c:204:9: overflow_sink: ""len"", which might have underflowed, is passed to ""memcpy(out, pubkey->data, len)"". [Note: The source code implementation of the function has been overridden by a builtin model.] + # 202| } + # 203| + # 204|-> memcpy(out, pubkey->data, len); + # 205| out[len] = '\0'; + # 206| } +``` + +Reviewed-by: Alejandro López +Reviewed-by: Justin Stephenson + +Reference: https://github.com/SSSD/sssd/commit/19df6a5d2ed220e6236aa1c921b7abdeba233dd1 +Conflict: NA + +--- + src/util/sss_ssh.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/util/sss_ssh.c b/src/util/sss_ssh.c +index 9df397873..f9c0918fd 100644 +--- a/src/util/sss_ssh.c ++++ b/src/util/sss_ssh.c +@@ -191,6 +191,10 @@ sss_ssh_format_pubkey(TALLOC_CTX *mem_ctx, + } + + len = pubkey->data_len; ++ if (len == 0) { ++ ret = EINVAL; ++ goto done; ++ } + if (pubkey->data[len - 1] == '\n') { + len--; + } +-- +2.33.0 + diff --git a/backport-TOOLS-mistype-fix.patch b/backport-TOOLS-mistype-fix.patch new file mode 100644 index 0000000..e4a7a64 --- /dev/null +++ b/backport-TOOLS-mistype-fix.patch 
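Review bot: The `From` line of this embedded patch names commit 18f378921ed95dfd6a5e373c87712f7935247d71 while its `Reference:` trailer points at dc637c9730d0ba04a0d8aa2645ee537224cd4b19, so the trailer does not identify the commit actually applied; the same mismatch appears in the inotify backport (d2407382 vs 4085ee07) and the ad root-domain backport (4d841bf2 vs 0de6c330). Presumably the `From` hash is a stable-branch cherry-pick and the `Reference:` the master commit, but someone verifying the backport against upstream cannot tell which diff was taken, so the trailer should name the embedded commit, e.g. `Reference: https://github.com/SSSD/sssd/commit/18f378921ed95dfd6a5e373c87712f7935247d71 (cherry-pick of dc637c97)`. Because this patch fixes a callback dereferencing freed memory when a client disconnects before the request completes (upstream issue 7319), it deserves its own line in the package changelog rather than being folded into "backport upstream patches". Both patched functions, pac_add_pac_user() and pam_forwarder(), start and end outside the hunk.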
@@ -0,0 +1,30 @@ +From 3621a587a32589e8404ed1f2356fcbfebc128efc Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 2 Sep 2024 21:04:34 +0200 +Subject: [PATCH] TOOLS: mistype fix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Iker Pedrosa +Reviewed-by: Tomáš Halman +--- + src/tools/sssctl/sssctl_data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c +index 79e12078e..43b9814ea 100644 +--- a/src/tools/sssctl/sssctl_data.c ++++ b/src/tools/sssctl/sssctl_data.c +@@ -168,7 +168,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + } + +- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { ++ if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) { + ret = sssctl_run_command((const char *[]){"sss_override", "group-import", + SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { +-- +2.33.0 + diff --git a/backport-UTILS-inotify-avoid-potential-NULL-deref.patch b/backport-UTILS-inotify-avoid-potential-NULL-deref.patch new file mode 100644 index 0000000..9011e50 --- /dev/null +++ b/backport-UTILS-inotify-avoid-potential-NULL-deref.patch 
@@ -0,0 +1,57 @@ +From d24073823fa7d82726f631628923e9a5378d529d Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 18 Mar 2024 12:15:21 +0100 +Subject: [PATCH] UTILS: inotify: avoid potential NULL deref +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes following error: +``` +Error: STRING_NULL (CWE-170): +sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function ""read"" does not terminate string ""ev_buf"". [Note: The source code implementation of the function has been overridden by a builtin model.] +sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: ""ptr"" = ""ev_buf"". Both now point to the same unterminated string. +sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: ""in_event"" = ""ptr"". Both now point to the same unterminated string. +sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string ""in_event->name"" to ""process_dir_event"", which expects a null-terminated string. 
+ # 325| + # 326| if (snctx->wctx->dir_wd == in_event->wd) { + # 327|-> ret = process_dir_event(snctx, in_event); + # 328| } else if (snctx->wctx->file_wd == in_event->wd) { + # 329| ret = process_file_event(snctx, in_event); +``` + -- it might be unsafe to dereference `in_event->name` +if `in_event->len == 0` + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose + +Reference:https://github.com/SSSD/sssd/commit/4085ee07926303aa26e46dfcc6dec87776432c62 +Conflict:NA + +--- + src/util/inotify.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/util/inotify.c b/src/util/inotify.c +index a3c33ed..8192cfd 100644 +--- a/src/util/inotify.c ++++ b/src/util/inotify.c +@@ -233,9 +233,13 @@ static errno_t process_dir_event(struct snotify_ctx *snctx, + { + errno_t ret; + ++ if (in_event->len == 0) { ++ DEBUG(SSSDBG_TRACE_FUNC, "Not interested in nameless event\n"); ++ return EOK; ++ } ++ + DEBUG(SSSDBG_TRACE_ALL, "inotify name: %s\n", in_event->name); +- if (in_event->len == 0 \ +- || strcmp(in_event->name, snctx->base_name) != 0) { ++ if (strcmp(in_event->name, snctx->base_name) != 0) { + DEBUG(SSSDBG_TRACE_FUNC, "Not interested in %s\n", in_event->name); + return EOK; + } +-- +2.33.0 + diff --git a/backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch b/backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch new file mode 100644 index 0000000..da0992f --- /dev/null +++ b/backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch 
@@ -0,0 +1,36 @@ +From 30a9f4f389f0a09057f9d7c424b96020c940c5e1 Mon Sep 17 00:00:00 2001 +From: John Veitch +Date: Mon, 1 Jul 2024 13:02:20 +0100 +Subject: [PATCH] Update sssd.in to remove -f option from sysv init script +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +fee3883 removed the -f option from the sssd but the init script was +not updated accordingly at that time. + +Reviewed-by: Tomáš Halman + +Reference:https://github.com/SSSD/sssd/commit/30a9f4f389f0a09057f9d7c424b96020c940c5e1 +Conflict:NA + +--- + src/sysv/sssd.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sysv/sssd.in b/src/sysv/sssd.in +index 68485bfb8..52308a4e2 100644 +--- a/src/sysv/sssd.in ++++ b/src/sysv/sssd.in +@@ -45,7 +45,7 @@ TIMEOUT=15 + start() { + [ -x $SSSD ] || exit 5 + echo -n $"Starting $prog: " +- daemon $SSSD -f -D ++ daemon $SSSD -D + RETVAL=$? + echo + [ "$RETVAL" = 0 ] && touch $LOCK_FILE +-- +2.33.0 + diff --git a/backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch b/backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch new file mode 100644 index 0000000..6530c04 --- /dev/null +++ b/backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch 
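Review bot: Dropping `-f` from the `daemon $SSSD -D` line is only correct if the `sssd` binary shipped by this package (2.6.1) has already removed that option; the embedded description attributes the removal to upstream `fee3883`, which is not among the backports here, and if the 2.6.1 binary still accepts `-f` (historically the debug-to-files switch) this change alters where the daemon logs instead of fixing a startup failure. Please confirm against the packaged binary and record the result in the patch header, e.g. `Conflict: NA (sssd 2.6.1 no longer accepts -f)`, or leave this backport out. The `start()` function continues outside the hunk.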
@@ -0,0 +1,61 @@ +From d004e7b4b977da3dd9f1d3de910c28c093a6fb26 Mon Sep 17 00:00:00 2001 +From: santeri3700 +Date: Tue, 15 Oct 2024 20:13:20 +0300 +Subject: [PATCH] ad: honor ad_use_ldaps setting with ad_machine_pw_renewal + +The value of ad_use_ldaps was not passed as `--use-ldaps` +argument to the adcli update command which handles +the automatic renewal of AD machine account password. + +Resolves: https://github.com/SSSD/sssd/issues/7642 + +Signed-off-by: santeri3700 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Sumit Bose +--- + src/providers/ad/ad_machine_pw_renewal.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c +index 56b64a2a9..2e54e9bff 100644 +--- a/src/providers/ad/ad_machine_pw_renewal.c ++++ b/src/providers/ad/ad_machine_pw_renewal.c +@@ -39,6 +39,7 @@ struct renewal_data { + static errno_t get_adcli_extra_args(const char *ad_domain, + const char *ad_hostname, + const char *ad_keytab, ++ bool ad_use_ldaps, + size_t pw_lifetime_in_days, + bool add_samba_data, + size_t period, +@@ -59,7 +60,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain, + return ENOMEM; + } + +- args = talloc_array(renewal_data, const char *, 9); ++ args = talloc_array(renewal_data, const char *, 10); + if (args == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + return ENOMEM; +@@ -79,6 +80,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain, + args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab); + } + args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain); ++ if (ad_use_ldaps) { ++ args[c++] = talloc_strdup(args, "--use-ldaps"); ++ } + if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) { + args[c++] = talloc_strdup(args, "--verbose"); + } +@@ -390,6 +394,7 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, + dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME), + 
dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic, + SDAP_KRB5_KEYTAB), ++ dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS), + lifetime, + dp_opt_get_bool(ad_opts->basic, + AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD), +-- +2.33.0 + diff --git a/backport-ad-refresh-root-domain-when-read-directly.patch b/backport-ad-refresh-root-domain-when-read-directly.patch new file mode 100644 index 0000000..3a1a300 --- /dev/null +++ b/backport-ad-refresh-root-domain-when-read-directly.patch 
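Review bot: The argv in get_adcli_extra_args() is sized by a hard-coded literal that the hunk bumps from 9 to 10 to make room for the optional `--use-ldaps` element, and the slots are filled with `c++` and no bound check, so every future optional argument has to be re-counted by hand and an off-by-one writes past the talloc array. A named constant and a guard before the terminating NULL would make the next addition safe, e.g. `#define ADCLI_MAX_ARGS 10` used in `talloc_array(renewal_data, const char *, ADCLI_MAX_ARGS)` together with `if (c >= ADCLI_MAX_ARGS) return ERANGE;` — the NULL terminator and the final count are outside the hunk, so the exact placement needs checking there. The functional effect, that renewals previously ignored an operator's `ad_use_ldaps = true` choice, is a security-relevant behaviour change worth a line of its own in the package changelog.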
@@ -0,0 +1,84 @@ +From 4d841bf2060717171fecad628480c8f2bc03760d Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 1 Mar 2024 10:50:07 +0100 +Subject: [PATCH] ad: refresh root domain when read directly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the domain object of the forest root domain cannot be found in the +LDAP tree of the local AD domain SSSD tries to read the request data +from an LDAP server of the forest root domain directly. After reading +this data the information is stored in the cache but currently the +information about the domain store in memory is not updated with the +additional data. As a result e.g. the domain SID is missing in this data +and only becomes available after a restart where it is read from the +cache. + +With this patch an unconditional refresh is triggered at the end of the +fallback code path. + +Resolves: https://github.com/SSSD/sssd/issues/7250 + +Reviewed-by: Dan Lavu +Reviewed-by: Tomáš Halman + +Reference:https://github.com/SSSD/sssd/commit/0de6c33047ac7a2b5316ec5ec936d6b675671c53 +Conflict:NA + +--- + src/providers/ad/ad_subdomains.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 5bddf9b..e6745ce 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -1389,7 +1389,7 @@ struct ad_get_root_domain_state { + static void ad_get_root_domain_done(struct tevent_req *subreq); + static void ad_check_root_domain_done(struct tevent_req *subreq); + static errno_t +-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state); ++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh); + + struct tevent_req * + ad_check_domain_send(TALLOC_CTX *mem_ctx, +@@ -1571,7 +1571,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) + return; + } + +- ret = ad_get_root_domain_refresh(state); ++ ret = 
ad_get_root_domain_refresh(state, false); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n"); + } +@@ -1664,7 +1664,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq) + + state->reply_count = 1; + +- ret = ad_get_root_domain_refresh(state); ++ ret = ad_get_root_domain_refresh(state, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n"); + } +@@ -1679,7 +1679,7 @@ done: + } + + static errno_t +-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) ++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh) + { + struct sss_domain_info *root_domain; + bool has_changes; +@@ -1695,7 +1695,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state) + goto done; + } + +- if (has_changes) { ++ if (has_changes || refresh) { + ret = ad_subdom_reinit(state->sd_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n"); +-- +2.33.0 + diff --git a/backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch b/backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch new file mode 100644 index 0000000..0695816 --- /dev/null +++ b/backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch 
@@ -0,0 +1,61 @@ +From 986bb726202e69b05f861c14c3a220379baf9bd1 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 14 Jun 2024 16:10:34 +0200 +Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +SSSD does not handle the root user (UID==0) and treats all accounts with +UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as +well and as a result for those accounts in MPG domains the check for a +collisions of the primary GID should be skipped. The current code might +e.g. cause issues during GPO evaluation when adding a host account into +the cache which does not have any UID or GID set in AD and SSSD is +configured to read UID and GID from AD. + +Resolves: https://github.com/SSSD/sssd/issues/7451 + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference:https://github.com/SSSD/sssd/commit/986bb726202e69b05f861c14c3a220379baf9bd1 +Conflict:NA + +--- + src/db/sysdb_ops.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index a47d9b174..32e49d759 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain, + goto done; + } + +- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); +- if (ret != ENOENT) { +- if (ret == EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Group with GID [%"SPRIgid"] already exists in an " +- "MPG domain\n", gid); +- ret = EEXIST; ++ if (uid != 0) { /* uid == 0 means non-POSIX object */ ++ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); ++ if (ret != ENOENT) { ++ if (ret == EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Group with GID [%"SPRIgid"] already exists in an " ++ "MPG domain\n", uid); ++ ret = EEXIST; ++ } ++ goto done; + } +- goto done; + } + } + +-- +2.33.0 + 
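Review bot: Besides skipping the lookup for `uid == 0`, the hunk also changes the argument of the "Group with GID [...] already exists" message from `gid` to `uid`, a separate correction (the lookup is by `uid`, so the message printed the wrong value) that neither the description nor the changelog mentions; note it in the backport header so the change is traceable. The comment `/* uid == 0 means non-POSIX object */` states the convention but not why the MPG collision check may be skipped; the description gives the reason, so a fuller comment helps the next reader, e.g. `/* uid == 0 marks a non-POSIX object (SSSD does not serve root); its primary GID is 0 as well, so the MPG GID-collision check does not apply */`. sysdb_add_user() begins and ends outside the hunk.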
diff --git a/sssd.spec b/sssd.spec index fcd8d3f..44fe00e 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,6 +1,6 @@ Name: sssd Version: 2.6.1 -Release: 14 +Release: 15 Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ URL: https://pagure.io/SSSD/sssd/ @@ -49,6 +49,16 @@ Patch6039: backport-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch Patch6040: backport-nssidmap-fix-sss_nss_getgrouplist_timeout-with-empty.patch Patch6041: backport-KCM-Fix-a-memory-leak.patch Patch6042: backport-CVE-2023-3758.patch +Patch6043: backport-UTILS-inotify-avoid-potential-NULL-deref.patch +Patch6044: backport-ad-refresh-root-domain-when-read-directly.patch +Patch6045: backport-RESPONDER-use-proper-context-for-getDomains.patch +Patch6046: backport-SSH-sanity-check-to-please-coverity.patch +Patch6047: backport-CLIENT-idmap-fix-coverity-warning.patch +Patch6048: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch +Patch6049: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch +Patch6050: backport-Missing-dns_update_per_family-option.patch +Patch6051: backport-TOOLS-mistype-fix.patch +Patch6052: backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch Requires: python3-sssd = %{version}-%{release} Requires: libldb @@ -556,6 +566,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Dec 23 2024 fangxiuning - 2.6.1-15 +- backport upstream patches + * Fri Apr 19 2024 liweigang - 2.6.1-14 - fix CVE-2023-3758 -- Gitee
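Review bot: The changelog entry `- backport upstream patches` does not say which fixes are included, although the list contains at least one memory-safety fix (Patch6045, the responder callback dereferencing freed memory on client disconnect, upstream issue 7319) and an operator-visible behaviour change (Patch6052, `ad_use_ldaps` now honoured for machine password renewal, upstream issue 7642); name them in the entry, e.g. `- backport upstream patches: responder getDomains context fix (#7319), ad_use_ldaps for machine pw renewal (#7642), coverity fixes`, so advisory tooling and downstream users can find them. The commit subject `add` is equally uninformative and should name the series. The `Release: 15` bump and the Patch6043–Patch6052 entries are consistent with the existing numbering.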