backport upstream patches

(cherry picked from commit dfd154fc1eab69ccf7205c936abb022bbd1fb80a)
fly_fzc 2023-09-22 14:42:09 +08:00 committed by openeuler-sync-bot
parent b194d39b3d
commit bcf7f22f07
17 changed files with 1143 additions and 1 deletions


@ -0,0 +1,83 @@
From 54dd529d2777edc625e25c5ebd259b396360337c Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Thu, 18 Nov 2021 17:43:19 +0100
Subject: [PATCH] CONFDB: check the return values
Covscan pointed out that return value of chown and sete[ug]id is
not checked in some cases. There is not much we can do
in case of failure so only minor failure is logged.
Resolves: https://github.com/SSSD/sssd/issues/5876
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/54dd529d2777edc625e25c5ebd259b396360337c
Conflict: NA
---
src/confdb/confdb.c | 6 +++++-
src/util/usertools.c | 25 +++++++++++++++++++++----
2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 6a6fac916..e557b469c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -685,7 +685,11 @@ int confdb_init(TALLOC_CTX *mem_ctx,
old_umask = umask(SSS_DFL_UMASK);
/* file may exists and could be owned by root from previous version */
sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid);
- chown(confdb_location, sssd_uid, sssd_gid);
+ ret = chown(confdb_location, sssd_uid, sssd_gid);
+ if (ret != EOK && errno != ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to chown config database [%s]: %s\n",
+ confdb_location, sss_strerror(errno));
+ }
sss_set_sssd_user_eid();
ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
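Review bot: The `chown(confdb_location, sssd_uid, sssd_gid)` call follows symbolic links and runs before `sss_set_sssd_user_eid()`, so presumably still with root's effective IDs. If the directory holding the config database is writable by the unprivileged service user (not visible here), a link planted at that path would redirect the ownership change to another file. Consider `ret = lchown(confdb_location, sssd_uid, sssd_gid);`, or opening the file with `O_NOFOLLOW` and using `fchown()` on the descriptor. The rest of confdb_init is outside the hunk.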
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 370a98b41..72deceeee 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -863,17 +863,34 @@ void sss_set_sssd_user_eid(void)
uid_t uid;
gid_t gid;
+
if (geteuid() == 0) {
sss_sssd_user_uid_and_gid(&uid, &gid);
- seteuid(uid);
- setegid(gid);
+ if (seteuid(uid) != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to set euid to %"SPRIuid": %s\n",
+ uid, sss_strerror(errno));
+ }
+ if (setegid(gid) != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to set egid to %"SPRIgid": %s\n",
+ gid, sss_strerror(errno));
+ }
}
}
void sss_restore_sssd_user_eid(void)
{
if (getuid() == 0) {
- seteuid(getuid());
- setegid(getgid());
+ if (seteuid(getuid()) != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to restore euid: %s\n",
+ sss_strerror(errno));
+ }
+ if (setegid(getgid()) != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to restore egid: %s\n",
+ sss_strerror(errno));
+ }
}
}
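Review bot: A failed `seteuid()`/`setegid()` in `sss_set_sssd_user_eid()` is only logged at `SSSDBG_MINOR_FAILURE` and the function still returns `void`, so a caller cannot tell that the privilege drop did not happen. The confdb.c hunk of this same patch calls it immediately before `ldb_connect()`, which would then run with root's effective IDs. At minimum the contract should be written down above both functions, e.g. `/* Best effort: on failure the caller keeps running with its current effective IDs. */`. Callers that must not continue as root need their own `geteuid()` check afterwards.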
--
2.27.0


@ -0,0 +1,33 @@
From 7f308c6fe01408fa6beb48b9f7627068968da771 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 21:46:08 +0200
Subject: [PATCH] KRB5: avoid FORWARD_NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/7f308c6fe01408fa6beb48b9f7627068968da771
Conflict: NA
---
src/providers/krb5/krb5_ccache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
index 20d932e53..88f75a8d8 100644
--- a/src/providers/krb5/krb5_ccache.c
+++ b/src/providers/krb5/krb5_ccache.c
@@ -788,7 +788,7 @@ done:
DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n");
}
- if (krb5_cc_close(kctx, mem_ccache) != 0) {
+ if ((mem_ccache != NULL) && (krb5_cc_close(kctx, mem_ccache) != 0)) {
DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n");
}
--
2.27.0


@ -0,0 +1,32 @@
From a83be8fb51172d4e1a282a0a078d81ee93afdcb5 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 22:03:43 +0200
Subject: [PATCH] KRB5: avoid RESOURCE_LEAK
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/a83be8fb51172d4e1a282a0a078d81ee93afdcb5
Conflict: NA
---
src/providers/krb5/krb5_child.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 158831198..a3d83b4c8 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1869,6 +1869,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
&validation_princ);
if (kerr != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n");
+ krb5_kt_end_seq_get(kr->ctx, keytab, &cursor);
goto done;
}
--
2.27.0


@ -0,0 +1,39 @@
From f6bbd591d636e4309ec37659f825b0f9c53d4b6b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 20:56:14 +0200
Subject: [PATCH] KRB5: avoid another attempt to free 'cc' in 'done:' section
if first attempt failed.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/f6bbd591d636e4309ec37659f825b0f9c53d4b6b
Conflict: NA
---
src/providers/krb5/krb5_ccache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
index 5b80fec52..72c3a23de 100644
--- a/src/providers/krb5/krb5_ccache.c
+++ b/src/providers/krb5/krb5_ccache.c
@@ -637,12 +637,12 @@ errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,
krb5_free_cred_contents(ctx, &cred);
kerr = krb5_cc_close(ctx, cc);
+ cc = NULL;
if (kerr != 0) {
KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_close failed.\n");
goto done;
}
- cc = NULL;
kerr = 0;
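Review bot: Nothing in the code explains why `cc = NULL;` now sits before the `kerr` check, so a later tidy-up could move it back below the error branch and bring back the second close. A one-line comment above the assignment would pin the intent, e.g. `/* never close cc again in 'done:', even if this close failed */`. The `done:` section that performs the second close is outside the hunk.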
--
2.27.0


@ -0,0 +1,34 @@
From b69ff375a2b185219bae91c48aa7bfb3138b98f2 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 21:53:28 +0200
Subject: [PATCH] KRB5: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/b69ff375a2b185219bae91c48aa7bfb3138b98f2
Conflict: NA
---
src/providers/krb5/krb5_child.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index f69cd6d54..774b47e3a 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1400,6 +1400,9 @@ done:
/* FIXME: should we krb5_cc_destroy in case of error? */
krb5_cc_close(kctx, kcc);
}
+
+ krb5_free_context(kctx);
+
return kerr;
}
--
2.27.0


@ -0,0 +1,32 @@
From 75822701770179582c344960603cce8bd54a7890 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 21:56:13 +0200
Subject: [PATCH] KRB5: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/75822701770179582c344960603cce8bd54a7890
Conflict: NA
---
src/providers/krb5/krb5_child.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 774b47e3a..158831198 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1854,6 +1854,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
if (kerr != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s], " \
"not verifying TGT.\n", kr->keytab);
+ krb5_kt_close(kr->ctx, keytab);
return kerr;
}
--
2.27.0


@ -0,0 +1,34 @@
From 01f0d067f1e4ba8ec3710f515d21631a53c9c9ef Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 20 Jun 2023 16:48:07 +0200
Subject: [PATCH] KRB5: fixed RESOURCE_LEAK
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/01f0d067f1e4ba8ec3710f515d21631a53c9c9ef
Conflict: NA
---
src/providers/krb5/krb5_keytab.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c
index e70408b9b..db383d411 100644
--- a/src/providers/krb5/krb5_keytab.c
+++ b/src/providers/krb5/krb5_keytab.c
@@ -214,6 +214,9 @@ done:
if (kerr != 0) {
talloc_free(mem_name);
+ if ((mem_keytab != NULL) && krb5_kt_close(kctx, mem_keytab) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed.\n");
+ }
}
if (tmp_mem_keytab != NULL && krb5_kt_close(kctx, tmp_mem_keytab) != 0) {
--
2.27.0


@ -0,0 +1,32 @@
From fd7da517ddd0e220f081ad9e7b5d7fcb0cae39b7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 20 Jun 2023 17:22:07 +0200
Subject: [PATCH] LDAP: fixed RESOURCE_LEAK
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/fd7da517ddd0e220f081ad9e7b5d7fcb0cae39b7
Conflict: NA
---
src/providers/ldap/ldap_child.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 4818240d4..6ad2fb63a 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -212,6 +212,7 @@ static int lc_verify_keytab_ex(const char *principal,
DEBUG(SSSDBG_FATAL_FAILURE,
"Could not parse keytab entry\n");
sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
+ krb5_kt_end_seq_get(context, keytab, &cursor);
return EIO;
}
--
2.27.0


@ -0,0 +1,52 @@
From eca00ef4719c44c4e68ead3346a16229b6471d13 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 20 Jun 2023 17:41:36 +0200
Subject: [PATCH] LDAP: fixed leak of `kprinc`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/eca00ef4719c44c4e68ead3346a16229b6471d13
Conflict: NA
---
src/providers/ldap/ldap_child.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 6ad2fb63a..6c167d239 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -367,12 +367,6 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
DEBUG(SSSDBG_CONF_SETTINGS, "Principal name is: [%s]\n", full_princ);
- krberr = krb5_parse_name(context, full_princ, &kprinc);
- if (krberr != 0) {
- DEBUG(SSSDBG_OP_FAILURE, "krb5_parse_name() failed: %d\n", krberr);
- goto done;
- }
-
if (keytab_name) {
krberr = krb5_kt_resolve(context, keytab_name, &keytab);
} else {
@@ -447,8 +441,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
goto done;
}
+ krberr = krb5_parse_name(context, full_princ, &kprinc);
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_parse_name() failed: %d\n", krberr);
+ goto done;
+ }
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
keytab, 0, NULL, options);
+ krb5_free_principal(context, kprinc);
if (krberr != 0) {
DEBUG(SSSDBG_OP_FAILURE,
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
--
2.27.0


@ -0,0 +1,50 @@
From 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Sat, 10 Jun 2023 16:28:23 +0200
Subject: [PATCH] SYSDB: in case (ignore_group_members == true) group is
actually complete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Example workflow:
- SSSD client is enrolled into AD domain (Token-Groups are enabled)
- `id $user` is executed
- initgroups() is called for this user
- during processing of initgroups() sssd_be obtains a list of group SIDs
user is a member of, and then partially resolves those groups and adds
it to the local cache as "incomplete" (i.e. 'expired')
- as a next step `id` calls getgrnam() for every group in initgroups() list
- since groups are saved into the cache as "incomplete" (technically - "expired")
this again results in LDAP search of this group.
But if `ignore_group_members = true` this search doesn't provide
new information. "Incomplete" groups could be used instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b
Conflict: NA
---
src/db/sysdb_ops.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index d11d8d956..7a3c00213 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2307,8 +2307,10 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now);
if (ret) goto done;
+ /* in case (ignore_group_members == true) group is actually complete */
ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
- now-1);
+ domain->ignore_group_members ?
+ (now + domain->group_timeout) : (now-1));
if (ret) goto done;
ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, posix);
--
2.27.0


@ -0,0 +1,69 @@
From fcfffb5cf14ddd2ff28873e2274bca226441b40b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 7 Aug 2023 18:51:54 +0200
Subject: [PATCH] UTILS: swap order of seteuid()/setegid()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise it fails with:
```
6906 16:40:32.455571 setresuid(-1, 996, -1) = 0
6906 16:40:32.455590 setresgid(-1, 993, -1) = -1 EPERM (Operation not permitted)
```
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/fcfffb5cf14ddd2ff28873e2274bca226441b40b
Conflict: NA
---
src/util/usertools.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 40c141032..8084760a0 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -860,16 +860,17 @@ void sss_set_sssd_user_eid(void)
if (geteuid() == 0) {
sss_sssd_user_uid_and_gid(&uid, &gid);
- if (seteuid(uid) != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to set euid to %"SPRIuid": %s\n",
- uid, sss_strerror(errno));
- }
+
if (setegid(gid) != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Failed to set egid to %"SPRIgid": %s\n",
gid, sss_strerror(errno));
}
+ if (seteuid(uid) != EOK) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Failed to set euid to %"SPRIuid": %s\n",
+ uid, sss_strerror(errno));
+ }
}
}
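Review bot: The ordering constraint this change depends on is recorded only in the commit message, not in `sss_set_sssd_user_eid()` itself. A comment above the `setegid(gid)` call would keep the two calls from being reordered again, e.g. `/* drop the group first: once euid is no longer 0, setegid() fails with EPERM */`. `sss_restore_sssd_user_eid()` in the next hunk keeps `seteuid()` first, which is the matching order for regaining root, and deserves the mirror-image comment.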
@@ -877,12 +878,12 @@ void sss_restore_sssd_user_eid(void)
{
if (getuid() == 0) {
if (seteuid(getuid()) != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Failed to restore euid: %s\n",
sss_strerror(errno));
}
if (setegid(getgid()) != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Failed to restore egid: %s\n",
sss_strerror(errno));
}
--
2.27.0


@ -0,0 +1,48 @@
From 67c11c2ebae843f7ddd6b857efa2e1f6449986f3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 7 Jun 2023 10:45:59 +0200
Subject: [PATCH] ad: use sAMAccountName to lookup hosts
To determine which GPOs apply to the host running SSSD the full DN of
the host object in AD is needed. To fine this object we use the NetBIOS
name of the host which is stored in AD in the sAMAccountName attribute.
Using other attributes, e.g. if ldap_user_name is set to a different
attribute, will most probably cause a failure since those attributes are
not managed as expected for host object. As a result sAMAccountName
should be hardcoded here to avoid issues.
Resolves: https://github.com/SSSD/sssd/issues/6766
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/67c11c2ebae843f7ddd6b857efa2e1f6449986f3
Conflict: NA
---
src/providers/ad/ad_gpo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 4b7bbf182..44e9cbb27 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -59,6 +59,7 @@
#define AD_AT_DN "distinguishedName"
#define AD_AT_UAC "userAccountControl"
+#define AD_AT_SAMACCOUNTNAME "sAMAccountName"
#define AD_AT_CONFIG_NC "configurationNamingContext"
#define AD_AT_GPLINK "gPLink"
#define AD_AT_GPOPTIONS "gpOptions"
@@ -2061,7 +2062,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
filter = talloc_asprintf(state,
"(&(objectclass=%s)(%s=%s))",
state->opts->user_map[SDAP_OC_USER].name,
- state->opts->user_map[SDAP_AT_USER_NAME].name,
+ AD_AT_SAMACCOUNTNAME,
sam_account_name);
if (filter == NULL) {
ret = ENOMEM;
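Review bot: `sam_account_name` is interpolated into the LDAP filter `"(&(objectclass=%s)(%s=%s))"` with no escaping visible in this hunk. It is derived from the host name outside the hunk, so this may already be safe. If it is not sanitised earlier, filter metacharacters in the name would change the search, and that search selects the host object used for GPO evaluation. Passing the value through `sss_filter_sanitize()` before `talloc_asprintf()` would close that off, or a short comment should say where the value is validated.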
--
2.27.0


@ -0,0 +1,172 @@
From 8a8869994745429b3f5535a5d0b91f1d0b2fa723 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 29 Mar 2023 12:58:37 +0200
Subject: [PATCH] fail_over: protect against a segmentation fault
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A missing server name in struct fo_server will cause a segmentation
fault. Currently it is unclear why the server name is missing at this
point. To avoid the segmentation fault it is checked before if the
server name is missing. Additionally the state of some internal
structures is added to the debug logs to help debugging why the server
name is missing.
Resolves: https://github.com/SSSD/sssd/issues/6659
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/8a8869994745429b3f5535a5d0b91f1d0b2fa723
Conflict: data_provider_fo.c
---
src/providers/data_provider_fo.c | 14 +++++++++
src/providers/fail_over.c | 53 ++++++++++++++++++++++++++++++++
src/providers/fail_over.h | 3 ++
3 files changed, 70 insertions(+)
diff --git a/src/external/sizes.m4 b/src/external/sizes.m4
index c4f00d66ff..0b6b630026 100644
--- a/src/external/sizes.m4
+++ b/src/external/sizes.m4
@@ -9,6 +9,7 @@ AC_CHECK_SIZEOF(long long)
AC_CHECK_SIZEOF(uid_t)
AC_CHECK_SIZEOF(gid_t)
AC_CHECK_SIZEOF(id_t)
+AC_CHECK_SIZEOF(time_t)
if test $ac_cv_sizeof_long_long -lt 8 ; then
AC_MSG_ERROR([SSSD requires long long of 64-bits])
diff --git a/src/util/sss_format.h b/src/util/sss_format.h
index 9a30417..a9f3770 100644
--- a/src/util/sss_format.h
+++ b/src/util/sss_format.h
@@ -64,5 +64,12 @@
# error Unexpected sizeof gid_t
#endif /* SIZEOF_GID_T */
+#if SIZEOF_TIME_T == 8
+# define SPRItime PRId64
+#elif SIZEOF_TIME_T == 4
+# define SPRItime PRId32
+#else
+# error Unexpected sizeof time_t
+#endif /*SIZEOF_TIME_T*/
#endif /* __SSS_FORMAT_H__ */
diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c
index eca5f2f8e..b0aed54e9 100644
--- a/src/providers/data_provider_fo.c
+++ b/src/providers/data_provider_fo.c
@@ -594,6 +594,14 @@ fail:
tevent_req_error(req, ret);
}
+static void dump_be_svc_data(const struct be_svc_data *svc)
+{
+ DEBUG(SSSDBG_OP_FAILURE, "be_svc_data: name=[%s] last_good_srv=[%s] "
+ "last_good_port=[%d] last_status_change=[%"SPRItime"]\n",
+ svc->name, svc->last_good_srv, svc->last_good_port,
+ svc->last_status_change);
+}
+
errno_t be_resolve_server_process(struct tevent_req *subreq,
struct be_resolve_server_state *state,
struct tevent_req **new_subreq)
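Review bot: `dump_be_svc_data()` passes `svc->name` and `svc->last_good_srv` straight to `%s` and dereferences `svc` unchecked. This helper runs only on the path where internal state is already known to be inconsistent, so the diagnostic could itself crash or print through a NULL pointer. `dump_srv_data()` in fail_over.c guards every string it prints, and this helper should do the same. `dump_fo_server()` and `dump_fo_server_list()` in fail_over.c likewise dereference `srv` without a NULL check.

```c
static void dump_be_svc_data(const struct be_svc_data *svc)
{
    if (svc == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "be_svc_data is NULL\n");
        return;
    }

    DEBUG(SSSDBG_OP_FAILURE, "be_svc_data: name=[%s] last_good_srv=[%s] "
          "last_good_port=[%d] last_status_change=[%"SPRItime"]\n",
          svc->name == NULL ? "name is NULL" : svc->name,
          svc->last_good_srv == NULL ? "last_good_srv is NULL"
                                     : svc->last_good_srv,
          svc->last_good_port, svc->last_status_change);
}
```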
@@ -681,6 +689,12 @@ errno_t be_resolve_server_process(struct tevent_req *subreq,
DEBUG(SSSDBG_FUNC_DATA, "Found address for server %s: [%s] TTL %d\n",
fo_get_server_str_name(state->srv), ipaddr,
srvaddr->addr_list[0]->ttl);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing server name.\n");
+ dump_be_svc_data(state->svc);
+ dump_fo_server(state->srv);
+ dump_fo_server_list(state->srv);
+ return ENOENT;
}
srv_status_change = fo_get_server_hostname_last_change(state->srv);
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
index 9cb26838c..7cb642448 100644
--- a/src/providers/fail_over.c
+++ b/src/providers/fail_over.c
@@ -200,6 +200,59 @@ str_srv_data_status(enum srv_lookup_status status)
return "unknown SRV lookup status";
}
+static void dump_srv_data(const struct srv_data *srv_data)
+{
+ if (srv_data == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "srv_data is NULL\n");
+ return;
+ }
+
+ DEBUG(SSSDBG_OP_FAILURE, "srv_data: dns_domain [%s] discovery_domain [%s] "
+ "sssd_domain [%s] proto [%s] srv [%s] "
+ "srv_lookup_status [%s] ttl [%d] "
+ "last_status_change [%"SPRItime"]\n",
+ srv_data->dns_domain == NULL ? "dns_domain is NULL"
+ : srv_data->dns_domain,
+ srv_data->discovery_domain == NULL ? "discovery_domain is NULL"
+ : srv_data->discovery_domain,
+ srv_data->sssd_domain == NULL ? "sssd_domain is NULL"
+ : srv_data->sssd_domain,
+ srv_data->proto == NULL ? "proto is NULL"
+ : srv_data->proto,
+ srv_data->srv == NULL ? "srv is NULL"
+ : srv_data->srv,
+ str_srv_data_status(srv_data->srv_lookup_status),
+ srv_data->ttl, srv_data->last_status_change.tv_sec);
+}
+
+void dump_fo_server(const struct fo_server *srv)
+{
+ DEBUG(SSSDBG_OP_FAILURE, "fo_server: primary [%s] port [%d] "
+ "port_status [%s] common->name [%s].\n",
+ srv->primary ? "true" : "false", srv->port,
+ str_port_status(srv->port_status),
+ srv->common == NULL ? "common is NULL"
+ : (srv->common->name == NULL
+ ? "common->name is NULL"
+ : srv->common->name));
+ dump_srv_data(srv->srv_data);
+}
+
+void dump_fo_server_list(const struct fo_server *srv)
+{
+ const struct fo_server *s;
+
+ s = srv;
+ while (s->prev != NULL) {
+ s = s->prev;
+ }
+
+ while (s != NULL) {
+ dump_fo_server(s);
+ s = s->next;
+ }
+}
+
static const char *
str_server_status(enum server_status status)
{
diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h
index 92a0456b5..36021ad6f 100644
--- a/src/providers/fail_over.h
+++ b/src/providers/fail_over.h
@@ -88,6 +88,9 @@ struct fo_options {
enum restrict_family family_order;
};
+void dump_fo_server(const struct fo_server *srv);
+void dump_fo_server_list(const struct fo_server *srv);
+
/*
* Create a new fail over context based on options passed in the
* opts parameter
--
2.27.0


@ -0,0 +1,250 @@
From b033b0dda972e885f63234aa81dca317c8234c2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 23 May 2023 12:21:44 +0200
Subject: [PATCH] ipa: correctly remove missing attributes on netgroup update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a netgroup is updated, previously it did not remove the missing
attributes. This caused an issue especially when a member was removed.
Resolves: https://github.com/SSSD/sssd/issues/6652
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/b033b0dda972e885f63234aa81dca317c8234c2c
Conflict: NA
---
src/db/sysdb.c | 9 ++
src/db/sysdb.h | 1 +
src/providers/ipa/ipa_netgroups.c | 35 +++++++-
src/tests/system/tests/test_netgroups.py | 108 +++++++++++++++++++++++
4 files changed, 151 insertions(+), 2 deletions(-)
create mode 100644 src/tests/system/tests/test_netgroups.py
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 649e79fca..1faa11b16 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -523,6 +523,15 @@ static int sysdb_attrs_add_val_int(struct sysdb_attrs *attrs,
return EOK;
}
+
+int sysdb_attrs_add_empty(struct sysdb_attrs *attrs, const char *name)
+{
+ struct ldb_message_element *el;
+
+ /* Calling this will create the element if it does not exist. */
+ return sysdb_attrs_get_el_ext(attrs, name, true, &el);
+}
+
int sysdb_attrs_add_val(struct sysdb_attrs *attrs,
const char *name, const struct ldb_val *val)
{
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 2f20692cc..887a9630e 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -398,6 +398,7 @@ enum sysdb_obj_type {
extern const char *sysdb_ts_cache_attrs[];
/* values are copied in the structure, allocated on "attrs" */
+int sysdb_attrs_add_empty(struct sysdb_attrs *attrs, const char *name);
int sysdb_attrs_add_val(struct sysdb_attrs *attrs,
const char *name, const struct ldb_val *val);
int sysdb_attrs_add_val_safe(struct sysdb_attrs *attrs,
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 52d90af4f..57f11a507 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -70,7 +70,10 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx,
struct ldb_message_element *el;
struct sysdb_attrs *netgroup_attrs;
const char *name = NULL;
+ char **missing;
+ int missing_index;
int ret;
+ int i;
size_t c;
ret = sysdb_attrs_get_el(attrs,
@@ -90,6 +93,23 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx,
goto fail;
}
+ missing = talloc_zero_array(netgroup_attrs, char *, attrs->num + 1);
+ if (missing == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ for (i = 0, missing_index = 0; i < attrs->num; i++) {
+ if (attrs->a[i].num_values == 0) {
+ missing[missing_index] = talloc_strdup(missing, attrs->a[i].name);
+ if (missing[missing_index] == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ missing_index++;
+ }
+ }
+
ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el);
if (ret) {
goto fail;
@@ -138,7 +158,6 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx,
if (el->num_values == 0) {
DEBUG(SSSDBG_TRACE_LIBS,
"No original members for netgroup [%s]\n", name);
-
} else {
DEBUG(SSSDBG_TRACE_LIBS,
"Adding original members to netgroup [%s]\n", name);
@@ -173,7 +192,7 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC, "Storing info for netgroup %s\n", name);
- ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, NULL,
+ ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
dom->netgroup_timeout, 0);
if (ret) goto fail;
@@ -866,6 +885,18 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
hash_iterate(state->new_netgroups, extract_netgroups, state);
for (i = 0; i < state->netgroups_count; i++) {
+ /* Make sure these attributes always exist, so we can remove them if
+ * there are no members. */
+ ret = sysdb_attrs_add_empty(state->netgroups[i], SYSDB_NETGROUP_MEMBER);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_empty(state->netgroups[i], SYSDB_NETGROUP_TRIPLE);
+ if (ret != EOK) {
+ goto done;
+ }
+
/* load all its member netgroups, translate */
DEBUG(SSSDBG_TRACE_INTERNAL, "Extracting netgroup members of netgroup %d\n", i);
ret = sysdb_attrs_get_string_array(state->netgroups[i],
diff --git a/src/tests/system/tests/test_netgroups.py b/src/tests/system/tests/test_netgroups.py
new file mode 100644
index 000000000..6b6bc8e8b
--- /dev/null
+++ b/src/tests/system/tests/test_netgroups.py
@@ -0,0 +1,108 @@
+"""
+Netgroup tests.
+
+:requirement: netgroup
+"""
+
+from __future__ import annotations
+
+import pytest
+from sssd_test_framework.roles.client import Client
+from sssd_test_framework.roles.generic import GenericProvider
+from sssd_test_framework.topology import KnownTopologyGroup
+
+
+@pytest.mark.tier(1)
+@pytest.mark.ticket(gh=6652, bz=2162552)
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+def test_netgroups__add_remove_netgroup_triple(client: Client, provider: GenericProvider):
+ """
+ :title: Netgroup triple is correctly removed from cached record
+ :setup:
+ 1. Create local user "user-1"
+ 2. Create netgroup "ng-1"
+ 3. Add "(-,user-1,)" triple to the netgroup
+ 4. Start SSSD
+ :steps:
+ 1. Run "getent netgroup ng-1"
+ 2. Remove "(-,user-1,)" triple from "ng-1"
+ 3. Invalidate netgroup in cache "sssctl cache-expire -n ng-1"
+ 4. Run "getent netgroup ng-1"
+ :expectedresults:
+ 1. "(-,user-1,)" is present in the netgroup
+ 2. Triple was removed from the netgroup
+ 3. Cached record was invalidated
+ 4. "(-,user-1,)" is not present in the netgroup
+ :customerscenario: True
+ """
+ user = provider.user("user-1").add()
+ ng = provider.netgroup("ng-1").add().add_member(user=user)
+
+ client.sssd.start()
+
+ result = client.tools.getent.netgroup("ng-1")
+ assert result is not None
+ assert result.name == "ng-1"
+ assert len(result.members) == 1
+ assert "(-, user-1)" in result.members
+
+ ng.remove_member(user=user)
+ client.sssctl.cache_expire(netgroups=True)
+
+ result = client.tools.getent.netgroup("ng-1")
+ assert result is not None
+ assert result.name == "ng-1"
+ assert len(result.members) == 0
+
+
+@pytest.mark.tier(1)
+@pytest.mark.ticket(gh=6652, bz=2162552)
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+def test_netgroups__add_remove_netgroup_member(client: Client, provider: GenericProvider):
+ """
+ :title: Netgroup member is correctly removed from cached record
+ :setup:
+ 1. Create local user "user-1"
+ 2. Create local user "user-2"
+ 3. Create netgroup "ng-1"
+ 4. Create netgroup "ng-2"
+ 5. Add "(-,user-1,)" triple to the netgroup "ng-1"
+ 6. Add "(-,user-2,)" triple to the netgroup "ng-2"
+ 7. Add "ng-1" as a member to "ng-2"
+ 8. Start SSSD
+ :steps:
+ 1. Run "getent netgroup ng-2"
+ 2. Remove "ng-1" from "ng-2"
+ 3. Invalidate netgroup "ng-2" in cache "sssctl cache-expire -n ng-2"
+ 4. Run "getent netgroup ng-2"
+ :expectedresults:
+ 1. "(-,user-1,)", "(-,user-2,)" is present in the netgroup
+ 2. Netgroup member was removed from the netgroup
+ 3. Cached record was invalidated
+ 4. "(-,user-1,)" is not present in the netgroup, only "(-,user-2,)"
+ :customerscenario: True
+ """
+ u1 = provider.user("user-1").add()
+ u2 = provider.user("user-2").add()
+
+ ng1 = provider.netgroup("ng-1").add().add_member(user=u1)
+ ng2 = provider.netgroup("ng-2").add().add_member(user=u2, ng=ng1)
+
+ client.sssd.start()
+
+ result = client.tools.getent.netgroup("ng-2")
+ assert result is not None
+ assert result.name == "ng-2"
+ assert len(result.members) == 2
+ assert "(-, user-1)" in result.members
+ assert "(-, user-2)" in result.members
+
+ ng2.remove_member(ng=ng1)
+ client.sssctl.cache_expire(netgroups=True)
+
+ result = client.tools.getent.netgroup("ng-2")
+ assert result is not None
+ assert result.name == "ng-2"
+ assert len(result.members) == 1
+ assert "(-, user-1)" not in result.members
+ assert "(-, user-2)" in result.members
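Review bot: The docstrings do not match what the tests execute. Step 3 says the single netgroup is invalidated with `sssctl cache-expire -n ng-1` (or `-n ng-2`), but both tests call `client.sssctl.cache_expire(netgroups=True)`, which by its argument name appears to expire every netgroup. Either pass the netgroup name if the framework supports it, or reword the step to `3. Invalidate all netgroups in the cache`. The triples are also written as `(-,user-1,)` in the docstrings but asserted as `"(-, user-1)"`, so it is worth using the asserted form in the text.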
--
2.27.0


@ -0,0 +1,55 @@
From cca9361d92501e0be34d264d370fe897a0c970af Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 13:01:47 +0200
Subject: [PATCH] sbus: arm watchdog for sbus_connect_init_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There seem to be conditions where the reply in the
sbus_call_DBus_Hello_send() request gets lost and the backend cannot
properly initialize its sbus/DBus server. Since the backend cannot be
connected by the frontends in this state the best way to recover would
be a restart. Since the event-loop is active in this state, e.g. waiting
for the reply, the watchdog will not consider the process as hung and
will not restart the process.
To make the watchdog handle this case arm_watchdog() and
disarm_watchdog() are called before and after the request, respectively.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/cca9361d92501e0be34d264d370fe897a0c970af
Conflict: Makefile.am
---
src/sbus/connection/sbus_connection_connect.c | 4 ++++
1 files changed, 4 insertions(+)
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
index 45a0fa491..edc090e15 100644
--- a/src/sbus/connection/sbus_connection_connect.c
+++ b/src/sbus/connection/sbus_connection_connect.c
@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
+ arm_watchdog();
+
return req;
}
@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
uint32_t res;
errno_t ret;
+ disarm_watchdog();
+
req = tevent_req_callback_data(subreq, struct tevent_req);
ret = sbus_call_DBus_RequestName_recv(subreq, &res);
--
2.27.0
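Review bot: The only `disarm_watchdog()` added here sits at the top of `sbus_connect_init_done()`, which the second hunk shows to be the callback that receives the RequestName reply, while `arm_watchdog()` is called right after the subrequest is given `sbus_connect_init_hello_done` as its callback. That intermediate callback is not touched by the patch, so any path in it that finishes the request without issuing RequestName (an error reply to Hello, for example) would presumably leave the watchdog armed, and the process would be terminated after the request has already completed. I would add `disarm_watchdog();` on those exits of `sbus_connect_init_hello_done()`, or a comment there stating that termination is the intended outcome. Both function bodies start and end outside the hunks, so this needs checking against the full file.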


@ -0,0 +1,108 @@
From 75f2b35ad3b9256de905d05c5108400d35688554 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 12:31:39 +0200
Subject: [PATCH] watchdog: add arm_watchdog() and disarm_watchdog() calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Those two new calls can be used if there are requests stuck by e.g.
waiting on replies where there is no other way to handle the timeout and
get the system back into a stable state. They should be only used as a
last resort.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/75f2b35ad3b9256de905d05c5108400d35688554
Conflict: NA
---
src/util/util.h | 12 ++++++++++++
src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/util/util.h b/src/util/util.h
index 11dc40d57..02fd53237 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
void teardown_watchdog(void);
int get_watchdog_ticks(void);
+/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
+ * the watchdog reset, respectively. This means that after arm_watchdog() is
+ * called the watchdog will not be resetted anymore and it will kill the
+ * process if disarm_watchdog() wasn't called before.
+ * Those calls should only be used when there is no other way to handle
+ * waiting request and recover into a stable state.
+ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
+ * not be called a second time in a different request because then
+ * disarm_watchdog() will disable the watchdog coverage for both. */
+void arm_watchdog(void);
+void disarm_watchdog(void);
+
/* from files.c */
int sss_remove_tree(const char *root);
int sss_remove_subtree(const char *root);
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index b1534e499..abafd94b9 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -40,6 +40,7 @@ struct watchdog_ctx {
time_t timestamp;
struct tevent_fd *tfd;
int pipefd[2];
+ bool armed; /* if 'true' ticks counter will not be reset */
} watchdog_ctx;
static void watchdog_detect_timeshift(void)
@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
struct timeval current_time,
void *private_data)
{
- /* first thing reset the watchdog ticks */
- watchdog_reset();
+ if (!watchdog_ctx.armed) {
+ /* first thing reset the watchdog ticks */
+ watchdog_reset();
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Watchdog armed, process might be terminated soon.\n");
+ }
/* then set a new watchodg event */
watchdog_ctx.te = tevent_add_timer(ev, ev,
@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
watchdog_ctx.ev = ev;
watchdog_ctx.input_interval = interval;
watchdog_ctx.timestamp = time(NULL);
+ watchdog_ctx.armed = false;
ret = pipe(watchdog_ctx.pipefd);
if (ret == -1) {
@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
{
return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
}
+
+void arm_watchdog(void)
+{
+ if (watchdog_ctx.armed) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "arm_watchdog() is called although the watchdog is already armed. "
+ "This indicates a programming error and should be avoided because "
+ "it will most probably not work as expected.\n");
+ }
+
+ watchdog_ctx.armed = true;
+}
+
+void disarm_watchdog(void)
+{
+ watchdog_ctx.armed = false;
+}
--
2.27.0
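Review bot: `disarm_watchdog()` only clears `watchdog_ctx.armed` and leaves in place whatever ticks accumulated while the watchdog was armed. They are reset only when `watchdog_event_handler()` next runs and calls `watchdog_reset()`. If the counter is already close to its limit when the awaited reply finally arrives, the process could presumably still be killed just after recovering, depending on timer and signal ordering that these hunks do not show. Calling `watchdog_reset();` right after `watchdog_ctx.armed = false;` in `disarm_watchdog()` would close that window.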


@ -1,6 +1,6 @@
Name: sssd
Version: 2.6.1
Release: 10
Release: 11
Summary: System Security Services Daemon
License: GPLv3+ and LGPLv3+
URL: https://pagure.io/SSSD/sssd/
@ -20,6 +20,22 @@ Patch6010: backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch
Patch6011: backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch
Patch6012: backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch
Patch6013: backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch
Patch6014: backport-fail_over-protect-against-a-segmentation-fault.patch
Patch6015: backport-ipa-correctly-remove-missing-attributes-on-netgroup-.patch
Patch6016: backport-ad-use-sAMAccountName-to-lookup-hosts.patch
Patch6017: backport-KRB5-avoid-FORWARD_NULL.patch
Patch6018: backport-KRB5-fix-memory-leak-1.patch
Patch6019: backport-KRB5-fix-memory-leak-2.patch
Patch6020: backport-KRB5-avoid-RESOURCE_LEAK.patch
Patch6021: backport-KRB5-fixed-RESOURCE_LEAK.patch
Patch6022: backport-LDAP-fixed-RESOURCE_LEAK.patch
Patch6023: backport-LDAP-fixed-leak-of-kprinc.patch
Patch6024: backport-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
Patch6025: backport-sbus-arm-watchdog-for-sbus_connect_init_send.patch
Patch6026: backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch
Patch6027: backport-KRB5-avoid-another-attempt-to-free-cc-in-done-sectio.patch
Patch6028: backport-CONFDB-check-the-return-values.patch
Patch6029: backport-UTILS-swap-order-of-seteuid-setegid.patch
Requires: python3-sssd = %{version}-%{release}
Requires: libldb
@ -527,6 +543,9 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Fri Sep 22 2023 fuanan <fuanan3@h-partners.com> - 2.6.1-11
- backport upstream patches
* Wed Aug 2 2023 xuraoqing<xuraoqing@huawei.com> - 2.6.1-10
- backport upstream patch