diff --git a/backport-Make-sure-invalid-krb5-context-is-not-used.patch b/backport-Make-sure-invalid-krb5-context-is-not-used.patch deleted file mode 100644 index 1d874e0196534f634af9f2319d9bf39dc830865b..0000000000000000000000000000000000000000 --- a/backport-Make-sure-invalid-krb5-context-is-not-used.patch +++ /dev/null @@ -1,33 +0,0 @@ -From bdfb92012d6dec2999469d483ba67d6c2521a078 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 21 Nov 2024 09:23:36 +0100 -Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used - - 2.9.4 - -Resolves: https://github.com/SSSD/sssd/issues/7715 ---- - src/util/sss_krb5.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c -index 3f57e5b268f..0b83142ddfc 100644 ---- a/src/util/sss_krb5.c -+++ b/src/util/sss_krb5.c -@@ -140,6 +140,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, - - kerr = sss_krb5_init_context(&krb_ctx); - if (kerr) { -+ krb_ctx = NULL; - error_message = "Failed to init Kerberos context"; - ret = EFAULT; - goto done; -@@ -269,7 +270,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, - } - - done: -- if (ret != EOK) { -+ if (ret != EOK && krb_ctx != NULL) { - DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n", - sss_printable_keytab_name(krb_ctx, keytab_name), - (error_message ? error_message : sss_strerror(ret))); - diff --git a/backport-PAM-fix-issue-found-by-Coverity.patch b/backport-PAM-fix-issue-found-by-Coverity.patch deleted file mode 100644 index 7cb11fed4447e544e1110c0e758ab15c13da96cd..0000000000000000000000000000000000000000 --- a/backport-PAM-fix-issue-found-by-Coverity.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From c36c320d12e48178b041d9859e3035f0c65c4909 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 14 Jan 2025 12:35:43 +0100 -Subject: [PATCH] PAM: fix issue found by Coverity - -``` -1614 D(("Illegal task [%#x]", task)); - 9. out_of_scope: Variable buf goes out of scope. - -CID 530049: (#1 of 1): Resource leak (RESOURCE_LEAK) -10. leaked_storage: Variable rd going out of scope leaks the storage rd.data points to. -1615 return PAM_SYSTEM_ERR; -1616 } -``` - -Reviewed-by: Justin Stephenson ---- - src/sss_client/pam_sss.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 600c3616a..9aec74ce3 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -1612,7 +1612,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, - break; - default: - D(("Illegal task [%#x]", task)); -- return PAM_SYSTEM_ERR; -+ pam_status = PAM_SYSTEM_ERR; - } - - done: --- -2.43.0 - diff --git a/backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch b/backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch deleted file mode 100644 index b79c8ff67e404baf5e3a979d2abed8fc18032e27..0000000000000000000000000000000000000000 --- a/backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 18 Jun 2025 14:30:57 +0200 -Subject: [PATCH] authtok: add IS_PW_OR_ST_AUTHTOK() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch adds a helper macro to determine if an authtok struct is of -type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is -useful if a password is expected but an authentication token forwarded -by an different PAM module, which is most probably a password, can be -used as well. - -Resolves: https://github.com/SSSD/sssd/issues/7968 - -Reviewed-by: Pavel Březina -Reviewed-by: Shridhar Gadekar -Reviewed-by: Tomáš Halman -(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050) ---- - src/util/authtok.h | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/util/authtok.h b/src/util/authtok.h -index b58e9dbbd..acabb7078 100644 ---- a/src/util/authtok.h -+++ b/src/util/authtok.h -@@ -28,6 +28,10 @@ - sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \ - || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD) - -+#define IS_PW_OR_ST_AUTHTOK(tok) ( \ -+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \ -+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED) -+ - - /* Use sss_authtok_* accessor functions instead of struct sss_auth_token - */ --- -2.43.0 - diff --git a/backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch b/backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch deleted file mode 100644 index aeee2bcc7f52f1e6c8e1ee58a3076bd7fc828ea6..0000000000000000000000000000000000000000 --- a/backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 10 Jun 2025 14:22:19 +0200 -Subject: [PATCH] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to -handle credentials forwarded by other PAM modules. Before it was -unconditionally assumed that it is a password and hence -SSS_AUTHTOK_TYPE_PASSWORD was used. - -When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were -already handled but currently offline use-cases fail because here only -SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch -SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline -credentials as well. - -Resolves: https://github.com/SSSD/sssd/issues/7968 - -Reviewed-by: Pavel Březina -Reviewed-by: Shridhar Gadekar -Reviewed-by: Tomáš Halman -(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48) ---- - src/providers/krb5/krb5_auth.c | 11 +++++++---- - src/providers/krb5/krb5_child.c | 4 ++++ - .../krb5/krb5_delayed_online_authentication.c | 2 +- - src/responder/pam/pamsrv_cmd.c | 1 + - 4 files changed, 13 insertions(+), 5 deletions(-) - -diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c -index 07e4d807f..fb2f58869 100644 ---- a/src/providers/krb5/krb5_auth.c -+++ b/src/providers/krb5/krb5_auth.c -@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain, - domain->cache_credentials_min_ff_length); - ret = EINVAL; - } -- } else if (sss_authtok_get_type(pd->authtok) == -- SSS_AUTHTOK_TYPE_PASSWORD) { -+ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) { -+ /* At this point we can be sure that -+ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because -+ * krb5_auth_store_creds() is not called if 2FA/otp was used, -+ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication. 
-+ */ - ret = sss_authtok_get_password(pd->authtok, &password, NULL); - } else { - DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n", -@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq) - if (kr->is_offline) { - if (dp_opt_get_bool(kr->krb5_ctx->opts, - KRB5_STORE_PASSWORD_IF_OFFLINE) -- && sss_authtok_get_type(pd->authtok) -- == SSS_AUTHTOK_TYPE_PASSWORD) { -+ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) { - krb5_auth_cache_creds(state->kr->krb5_ctx, - state->domain, - state->be_ctx->cdb, -diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c -index 5830305a0..21ec38627 100644 ---- a/src/providers/krb5/krb5_child.c -+++ b/src/providers/krb5/krb5_child.c -@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, - if (kerr != 0) { - KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); - -+ if (kerr == EAGAIN) { -+ kerr = KRB5_KDC_UNREACH; -+ } -+ - /* Special case for IPA password migration */ - if (kr->pd->cmd == SSS_PAM_AUTHENTICATE - && kerr == KRB5_PREAUTH_FAILED -diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c -index f88d8ab9b..1fac986a6 100644 ---- a/src/providers/krb5/krb5_delayed_online_authentication.c -+++ b/src/providers/krb5/krb5_delayed_online_authentication.c -@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, - return EINVAL; - } - -- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { -+ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Invalid authtok for user [%s].\n", pd->user); - return EINVAL; -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index d4cb421f4..c6a436069 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok, - - switch 
(sss_authtok_get_type(authtok)) { - case SSS_AUTHTOK_TYPE_PASSWORD: -+ case SSS_AUTHTOK_TYPE_PAM_STACKED: - ret = sss_authtok_get_password(authtok, password, NULL); - break; - case SSS_AUTHTOK_TYPE_2FA: --- -2.43.0 - diff --git a/backport-mistype-fix.patch b/backport-mistype-fix.patch deleted file mode 100644 index d56bdf11808f2a7fd3c5f9de8e0f6ff665d7aaf7..0000000000000000000000000000000000000000 --- a/backport-mistype-fix.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3621a587a32589e8404ed1f2356fcbfebc128efc Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 2 Sep 2024 21:04:34 +0200 -Subject: [PATCH] TOOLS: mistype fix -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Iker Pedrosa -Reviewed-by: Tomáš Halman ---- - src/tools/sssctl/sssctl_data.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c -index 79e12078e4b..43b9814eaf0 100644 ---- a/src/tools/sssctl/sssctl_data.c -+++ b/src/tools/sssctl/sssctl_data.c -@@ -168,7 +168,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) - } - } - -- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { -+ if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) { - ret = sssctl_run_command((const char *[]){"sss_override", "group-import", - SSS_BACKUP_GROUP_OVERRIDES, NULL}); - if (ret != EOK) { diff --git a/replace-openEuler-version.patch b/replace-openEuler-version.patch new file mode 100644 index 0000000000000000000000000000000000000000..1ee10b7b1eb6262e34559ea7f8c5dfc5ecc48931 --- /dev/null +++ b/replace-openEuler-version.patch 
@@ -0,0 +1,26 @@
+From 63b9265686bb68f7067b0d1dc3a8ddb8fcc2e0ff Mon Sep 17 00:00:00 2001
+From: Xu Raoqing
+Date: Fri, 10 Oct 2025 15:06:22 +0800
+Subject: [PATCH] replace openEuler version
+
+Signed-off-by: Xu Raoqing
+---
+ src/config/setup.py.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/config/setup.py.in b/src/config/setup.py.in
+index 8482f27..702e02b 100644
+--- a/src/config/setup.py.in
++++ b/src/config/setup.py.in
+@@ -34,7 +34,7 @@ def sanitize_version(version):
+     # X.Y.Z-alpha1 -> X.Y.Za1
+     # X.Y.Z-beta1 -> X.Y.Zb1
+     # X.Y.Z-rc1 -> X.Y.Zrc1
+-    return version.replace('-', '').replace('alpha', 'a').replace('beta', 'b')
++    return version.replace('-', '').replace('alpha', 'a').replace('beta', 'b').replace(' (LTS)', '')
+ 
+ setup(
+     name='SSSDConfig',
+--
+2.48.1
+
diff --git a/sssd-2.11.1.tar.gz b/sssd-2.11.1.tar.gz
new file mode 100755
index 0000000000000000000000000000000000000000..932d5ddb5c7b9efe632c549dd2b6461cda8726bf
Binary files /dev/null and b/sssd-2.11.1.tar.gz differ
diff --git a/sssd-2.9.7.tar.gz b/sssd-2.9.7.tar.gz
deleted file mode 100644
index f6b495872bd41465d51d863511074a2ef13d5fde..0000000000000000000000000000000000000000
--- a/sssd-2.9.7.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6b5284a4d72b67c0897699794360d79e0f67461957e20273c2649f025e76c248
-size 9161891
diff --git a/sssd-openEuler-replace-version.patch b/sssd-openEuler-replace-version.patch
deleted file mode 100644
index 3145ed5c2fadf3261f077b74b666ab16e937d485..0000000000000000000000000000000000000000
--- a/sssd-openEuler-replace-version.patch
+++ /dev/null
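Review bot: The patch description does not say where the ` (LTS)` suffix that the new `.replace(' (LTS)', '')` strips comes from, nor that this file supersedes `sssd-openEuler-replace-version.patch` (deleted in the same commit) now that upstream already ships `sanitize_version()`, as the `@@ -34,7 +34,7 @@ def sanitize_version(version):` context shows. A reader of the spec only sees `Patch0001: replace-openEuler-version.patch` and cannot tell why a distribution-specific suffix has to be removed before `setup()` sees the version. I would add one sentence to the description, along the lines of `The distribution version string carries a trailing " (LTS)" (set in <where the suffix is added — placeholder>), which is not a valid Python version, so strip it before it reaches setup().` Since the suffix is removed last in the chain, an input such as `2.11.1-alpha1 (LTS)` still normalises to `2.11.1a1`, so the code itself needs no change.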
@@ -1,27 +0,0 @@
-diff --git a/src/config/setup.py.in b/src/config/setup.py.in
-index 27f63c4..9b9db31 100644
---- a/src/config/setup.py.in
-+++ b/src/config/setup.py.in
-@@ -24,9 +24,21 @@ Python-level packaging using distutils.
- 
- from distutils.core import setup
- 
-+def sanitize_version(version):
-+    """
-+    We need to convert Fedora version guidelines which we follow in version.m4
-+    to Python guidelines. See:
-+    * https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/
-+    * https://packaging.python.org/en/latest/discussions/versioning/
-+    """
-+    # X.Y.Z-alpha1 -> X.Y.Za1
-+    # X.Y.Z-beta1 -> X.Y.Zb1
-+    # X.Y.Z-rc1 -> X.Y.Zrc1
-+    return version.replace('-', '').replace('alpha', 'a').replace('beta', 'b').replace(' (LTS)', '')
-+
- setup(
-     name='SSSDConfig',
--    version='@VERSION@',
-+    version=sanitize_version('@VERSION@'),
-     license='GPLv3+',
-     url='https://github.com/SSSD/sssd/',
-     packages=['SSSDConfig'],
diff --git a/sssd.spec b/sssd.spec
index 9140b935d85c0f6811bb5a5fd6aca786fc7c29de..542f461529bf8e9c5972b87b474b533fe81e22e7 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -7,20 +7,15 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.9.7 -Release: 6 +Version: 2.11.1 +Release: 1 Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz -Patch0000: sssd-openEuler-replace-version.patch -Patch0001: backport-Make-sure-invalid-krb5-context-is-not-used.patch -Patch0002: backport-mistype-fix.patch -Patch0003: backport-PAM-fix-issue-found-by-Coverity.patch -Patch0004: backport-SSS_CLIENT-MC-simplify-logic-and.patch -Patch0005: backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch -Patch0006: backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch +Patch0001: replace-openEuler-version.patch +Patch0002: backport-SSS_CLIENT-MC-simplify-logic-and.patch Requires: sssd-ad = %{version}-%{release} Requires: sssd-common = %{version}-%{release} @@ -35,7 +30,7 @@ Suggests: sssd-dbus = %{version}-%{release} Obsoletes: python3-sssd < %{version}-%{release} BuildRequires: make autoconf automake libtool -BuildRequires: openldap-devel pam-devel +BuildRequires: openldap-devel pam-devel libcap-devel BuildRequires: libxslt docbook-style-xsl BuildRequires: python3-devel check-devel BuildRequires: doxygen libsemanage-devel bind-utils @@ -511,7 +506,6 @@ chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_iface.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_iface_sync.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_krb5_common.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_ldap_common.so -chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_semanage.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_simple.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_util.so chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/p11_child 
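Review bot: `backport-SSS_CLIENT-MC-simplify-logic-and.patch` survives the rebase as `Patch0002` while every other 2.9.7 backport is dropped, and nothing in this commit shows that patch file being refreshed against 2.11.1. If the change is already contained in the 2.11.1 tarball the line should be removed like the other `backport-*` entries; if it is not, the patch very likely needs to be re-based, and I cannot tell which case applies from this diff. The new `BuildRequires: libcap-devel` in the second hunk is not explained anywhere in the spec or the changelog; a short comment above it, e.g. `# 2.11 sssd uses capabilities instead of setuid helpers (confirm against upstream release notes)`, would tell the next maintainer why it must not be dropped.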
@@ -631,7 +625,6 @@ done %{_unitdir}/sssd-pac.socket %{_unitdir}/sssd-pac.service %{_unitdir}/sssd-pam.socket -%{_unitdir}/sssd-pam-priv.socket %{_unitdir}/sssd-pam.service %{_unitdir}/sssd-ssh.socket %{_unitdir}/sssd-ssh.service @@ -658,7 +651,6 @@ done %{_libdir}/%{name}/libsss_krb5_common.so %{_libdir}/%{name}/libsss_ldap_common.so %{_libdir}/%{name}/libsss_util.so -%{_libdir}/%{name}/libsss_semanage.so %{_libdir}/%{name}/libifp_iface.so %{_libdir}/%{name}/libifp_iface_sync.so %{_libdir}/%{name}/libsss_iface.so @@ -668,6 +660,7 @@ done %{ldb_modulesdir}/memberof.so %{_bindir}/sss_ssh_authorizedkeys +%{_bindir}/sss_ssh_knownhosts %{_bindir}/sss_ssh_knownhostsproxy %{_sbindir}/sss_cache %{_libexecdir}/sssd/sss_signal @@ -866,6 +859,7 @@ done %files idp %{_libexecdir}/sssd/oidc_child +%{_libdir}/%{name}/libsss_idp.so %{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so %{_datadir}/sssd/krb5-snippets/sssd_enable_idp %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp @@ -882,7 +876,6 @@ done %systemd_post sssd-nss.socket %systemd_post sssd-pac.socket %systemd_post sssd-pam.socket -%systemd_post sssd-pam-priv.socket %systemd_post sssd-ssh.socket %systemd_post sssd-sudo.socket @@ -892,7 +885,6 @@ done %systemd_preun sssd-nss.socket %systemd_preun sssd-pac.socket %systemd_preun sssd-pam.socket -%systemd_preun sssd-pam-priv.socket %systemd_preun sssd-ssh.socket %systemd_preun sssd-sudo.socket @@ -901,7 +893,6 @@ done %systemd_postun_with_restart sssd-nss.socket %systemd_postun_with_restart sssd-pac.socket %systemd_postun_with_restart sssd-pam.socket -%systemd_postun_with_restart sssd-pam-priv.socket %systemd_postun_with_restart sssd-ssh.socket %systemd_postun_with_restart sssd-sudo.socket @@ -943,6 +934,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri Oct 10 2025 Xu Raoqing - 2.11.1-1 +- update to 2.11.1 + * Mon Sep 08 2025 Linux_zhang - 2.9.7-6 - Fix sssd offline validation failure 
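Review bot: The changelog entry at the end of this file says only `- update to 2.11.1`, although the hunks above remove `sssd-pam-priv.socket` from the unit list and from the `%systemd_post`, `%systemd_preun` and `%systemd_postun_with_restart` scriptlets, and drop `libsss_semanage.so` from both the `chrpath` loop and the library list. Both are user-visible on an upgrade (a socket unit that was enabled on 2.9.7 disappears, and a shared library that other packages may have linked against is gone), so the entry should name them, e.g. `- drop sssd-pam-priv.socket and libsss_semanage.so (presumably removed upstream; confirm)`. Whether a stale enablement symlink for the removed socket has to be cleaned up when upgrading from 2.9.7 is worth checking, because the scriptlets shown only handle units that still exist in 2.11.1.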
diff --git a/sssd.yaml b/sssd.yaml
deleted file mode 100644
index ab20b640de944d6ec554f58a9baf67bb4d510920..0000000000000000000000000000000000000000
--- a/sssd.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-version_control: github
-src_repo: SSSD/sssd
-tag_prefix:
-separator: .