Compare commits
62 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
5bf25dd87d | ||
|
1d4426f19f | ||
|
b1aca931e9 | ||
|
efa0c9fd07 | ||
|
ff32b0f35f | ||
|
b67161cd28 | ||
|
fb3a33a26b | ||
|
af12cc5788 | ||
|
8ad6fab779 | ||
|
b0a6617361 | ||
|
acfa98c03a | ||
|
feb088d91c | ||
|
a1fd1c66cf | ||
|
8e3e951bf6 | ||
|
c99cc5221a | ||
|
b23bb96b5d | ||
|
b6d54af437 | ||
|
c6eb48feab | ||
|
35934cf3ef | ||
|
ec7c43bb5d | ||
|
ce98ba4ba6 | ||
|
28ce4615a4 | ||
|
b103eab96c | ||
|
32f84803eb | ||
|
0caad9889d | ||
|
2c6ba2bf2b | ||
|
54dfcbfa15 | ||
|
b242978f9f | ||
|
2d8d8d1c8b | ||
|
eefe33aff1 | ||
|
c114eb6b3f | ||
|
bb5f960239 | ||
|
389295064e | ||
|
f338f8cb95 | ||
|
b429a75bce | ||
|
89a1543353 | ||
|
4a56bc21d2 | ||
|
97df14ee0f | ||
|
26eab693bb | ||
|
2a59fc635f | ||
|
44d6f59b93 | ||
|
46f52a9bd6 | ||
|
bfc60044d5 | ||
|
21443e5ebe | ||
|
ca31e2be64 | ||
|
47317c5649 | ||
|
c90915394e | ||
|
01409e3d48 | ||
|
8f047f7ff4 | ||
|
e8791c3999 | ||
|
bb0cc30393 | ||
|
f206fae248 | ||
|
da41c905c0 | ||
|
71b7ed1da0 | ||
|
ea632499ff | ||
|
4a8ad4c174 | ||
|
e15fc49cbf | ||
|
323dbdee02 | ||
|
2aa9f3bb10 | ||
|
601bb9f4eb | ||
|
e89cb59c68 | ||
|
3b8c6ea1d5 |
4
.gitignore
vendored
@ -77,3 +77,7 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-1.15.1.tar.gz
|
||||
/sssd-1.15.2.tar.gz
|
||||
/sssd-1.15.3.tar.gz
|
||||
/sssd-1.16.0.tar.gz
|
||||
/sssd-1.16.1.tar.gz
|
||||
/sssd-1.16.2.tar.gz
|
||||
/sssd-1.16.3.tar.gz
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 62839f9187dde5b46e198f0cb61204a0613d826d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Sun, 12 Aug 2018 23:56:21 +0200
|
||||
Subject: [PATCH 1/7] man/sss_ssh_knownhostsproxy: fix typo pubkeys -> pubkey
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In commit 36f2fe8f63 a discrepancy between the command line option and
|
||||
the manpage has been introduced.
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/3542
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 2b3b41dad27fcb03478c211ec82d9c2fd9dadcb4)
|
||||
---
|
||||
src/man/sss_ssh_knownhostsproxy.1.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/man/sss_ssh_knownhostsproxy.1.xml b/src/man/sss_ssh_knownhostsproxy.1.xml
|
||||
index f84732c..58aeb04 100644
|
||||
--- a/src/man/sss_ssh_knownhostsproxy.1.xml
|
||||
+++ b/src/man/sss_ssh_knownhostsproxy.1.xml
|
||||
@@ -86,7 +86,7 @@ GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>
|
||||
- <option>-k</option>,<option>--pubkeys</option>
|
||||
+ <option>-k</option>,<option>--pubkey</option>
|
||||
</term>
|
||||
<listitem>
|
||||
<para>
|
||||
--
|
||||
2.9.5
|
||||
|
29
0002-krb5_locator-Make-debug-function-internal.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From de33a5c07eb8c9f821e684a49c4ee993c25776b9 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Thu, 19 Jul 2018 09:38:22 +0200
|
||||
Subject: [PATCH 2/7] krb5_locator: Make debug function internal
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3786
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 86de91f93f51d41d71c504b871c65fea31dd5485)
|
||||
---
|
||||
src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
index 952d487..7800ab0 100644
|
||||
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
@@ -82,7 +82,7 @@ struct sssd_ctx {
|
||||
bool disabled;
|
||||
};
|
||||
|
||||
-void plugin_debug_fn(const char *format, ...)
|
||||
+static void plugin_debug_fn(const char *format, ...)
|
||||
{
|
||||
va_list ap;
|
||||
char *s = NULL;
|
||||
--
|
||||
2.9.5
|
||||
|
275
0003-krb5_locator-Simplify-usage-of-macro-PLUGIN_DEBUG.patch
Normal file
@ -0,0 +1,275 @@
|
||||
From 0f44cbdfcbf35278c984a12b22a1c01f38a2c5ab Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Thu, 19 Jul 2018 09:44:33 +0200
|
||||
Subject: [PATCH 3/7] krb5_locator: Simplify usage of macro PLUGIN_DEBUG
|
||||
|
||||
It should look like real function call
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3786
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 276f2e345548947b66f7bd3b984628eaf6f4cbd4)
|
||||
---
|
||||
src/krb5_plugin/sssd_krb5_locator_plugin.c | 88 +++++++++++++++---------------
|
||||
1 file changed, 44 insertions(+), 44 deletions(-)
|
||||
|
||||
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
index 7800ab0..61fee6b 100644
|
||||
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
@@ -63,9 +63,9 @@
|
||||
#define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG"
|
||||
#define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE"
|
||||
#define DEBUG_KEY "[sssd_krb5_locator] "
|
||||
-#define PLUGIN_DEBUG(body) do { \
|
||||
+#define PLUGIN_DEBUG(format, ...) do { \
|
||||
if (ctx->debug) { \
|
||||
- plugin_debug_fn body; \
|
||||
+ plugin_debug_fn(format, ##__VA_ARGS__); \
|
||||
} \
|
||||
} while(0)
|
||||
|
||||
@@ -236,26 +236,26 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
|
||||
port = strtol(port_str, &endptr, 10);
|
||||
if (errno != 0) {
|
||||
ret = errno;
|
||||
- PLUGIN_DEBUG(("strtol failed on [%s]: [%d][%s], "
|
||||
- "assuming default.\n", port_str, ret,
|
||||
- strerror(ret)));
|
||||
+ PLUGIN_DEBUG("strtol failed on [%s]: [%d][%s], "
|
||||
+ "assuming default.\n",
|
||||
+ port_str, ret, strerror(ret));
|
||||
port = 0;
|
||||
}
|
||||
if (*endptr != '\0') {
|
||||
- PLUGIN_DEBUG(("Found additional characters [%s] in port "
|
||||
- "number [%s], assuming default.\n", endptr,
|
||||
- port_str));
|
||||
+ PLUGIN_DEBUG("Found additional characters [%s] in port "
|
||||
+ "number [%s], assuming default.\n",
|
||||
+ endptr, port_str);
|
||||
port = 0;
|
||||
}
|
||||
|
||||
if (port < 0 || port > 65535) {
|
||||
- PLUGIN_DEBUG(("Illegal port number [%ld], assuming "
|
||||
- "default.\n", port));
|
||||
+ PLUGIN_DEBUG("Illegal port number [%ld], assuming "
|
||||
+ "default.\n", port);
|
||||
port = 0;
|
||||
}
|
||||
} else {
|
||||
- PLUGIN_DEBUG(("Illegal port number [%s], assuming default.\n",
|
||||
- port_str));
|
||||
+ PLUGIN_DEBUG("Illegal port number [%s], assuming default.\n",
|
||||
+ port_str);
|
||||
port = 0;
|
||||
}
|
||||
}
|
||||
@@ -270,7 +270,7 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
|
||||
addr_str++;
|
||||
}
|
||||
|
||||
- PLUGIN_DEBUG(("Found [%s][%d].\n", addr_str, port));
|
||||
+ PLUGIN_DEBUG("Found [%s][%d].\n", addr_str, port);
|
||||
|
||||
l[c].addr = strdup(addr_str);
|
||||
if (l[c].addr == NULL) {
|
||||
@@ -314,7 +314,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
||||
name_tmpl = KPASSWDINFO_TMPL;
|
||||
break;
|
||||
default:
|
||||
- PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
|
||||
+ PLUGIN_DEBUG("Unsupported service [%d].\n", svc);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
@@ -323,13 +323,13 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
||||
|
||||
krb5info_name = calloc(1, len + 1);
|
||||
if (krb5info_name == NULL) {
|
||||
- PLUGIN_DEBUG(("malloc failed.\n"));
|
||||
+ PLUGIN_DEBUG("malloc failed.\n");
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
ret = snprintf(krb5info_name, len, name_tmpl, realm);
|
||||
if (ret < 0) {
|
||||
- PLUGIN_DEBUG(("snprintf failed.\n"));
|
||||
+ PLUGIN_DEBUG("snprintf failed.\n");
|
||||
ret = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
@@ -337,8 +337,8 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
||||
|
||||
fd = open(krb5info_name, O_RDONLY);
|
||||
if (fd == -1) {
|
||||
- PLUGIN_DEBUG(("open failed [%s][%d][%s].\n",
|
||||
- krb5info_name, errno, strerror(errno)));
|
||||
+ PLUGIN_DEBUG("open failed [%s][%d][%s].\n",
|
||||
+ krb5info_name, errno, strerror(errno));
|
||||
ret = errno;
|
||||
goto done;
|
||||
}
|
||||
@@ -349,15 +349,15 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
||||
len = sss_atomic_read_s(fd, buf, BUFSIZE);
|
||||
if (len == -1) {
|
||||
ret = errno;
|
||||
- PLUGIN_DEBUG(("read failed [%d][%s].\n", ret, strerror(ret)));
|
||||
+ PLUGIN_DEBUG("read failed [%d][%s].\n", ret, strerror(ret));
|
||||
close(fd);
|
||||
goto done;
|
||||
}
|
||||
close(fd);
|
||||
|
||||
if (len == BUFSIZE) {
|
||||
- PLUGIN_DEBUG(("Content of krb5info file [%s] is [%d] or larger.\n",
|
||||
- krb5info_name, BUFSIZE));
|
||||
+ PLUGIN_DEBUG("Content of krb5info file [%s] is [%d] or larger.\n",
|
||||
+ krb5info_name, BUFSIZE);
|
||||
}
|
||||
|
||||
switch (svc) {
|
||||
@@ -376,7 +376,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
||||
}
|
||||
break;
|
||||
default:
|
||||
- PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
|
||||
+ PLUGIN_DEBUG("Unsupported service [%d].\n", svc);
|
||||
ret = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
@@ -401,7 +401,7 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
|
||||
ctx->debug = false;
|
||||
} else {
|
||||
ctx->debug = true;
|
||||
- PLUGIN_DEBUG(("sssd_krb5_locator_init called\n"));
|
||||
+ PLUGIN_DEBUG("sssd_krb5_locator_init called\n");
|
||||
}
|
||||
|
||||
dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE);
|
||||
@@ -409,7 +409,7 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
|
||||
ctx->disabled = false;
|
||||
} else {
|
||||
ctx->disabled = true;
|
||||
- PLUGIN_DEBUG(("SSSD KRB5 locator plugin is disabled.\n"));
|
||||
+ PLUGIN_DEBUG("SSSD KRB5 locator plugin is disabled.\n");
|
||||
}
|
||||
|
||||
*private_data = ctx;
|
||||
@@ -424,7 +424,7 @@ void sssd_krb5_locator_close(void *private_data)
|
||||
if (private_data == NULL) return;
|
||||
|
||||
ctx = (struct sssd_ctx *) private_data;
|
||||
- PLUGIN_DEBUG(("sssd_krb5_locator_close called\n"));
|
||||
+ PLUGIN_DEBUG("sssd_krb5_locator_close called\n");
|
||||
|
||||
free_addr_port_list(&(ctx->kdc_addr));
|
||||
free_addr_port_list(&(ctx->kpasswd_addr));
|
||||
@@ -460,7 +460,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
||||
}
|
||||
|
||||
if (ctx->disabled) {
|
||||
- PLUGIN_DEBUG(("Plugin disabled, nothing to do.\n"));
|
||||
+ PLUGIN_DEBUG("Plugin disabled, nothing to do.\n");
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
@@ -468,13 +468,13 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
||||
free(ctx->sssd_realm);
|
||||
ctx->sssd_realm = strdup(realm);
|
||||
if (ctx->sssd_realm == NULL) {
|
||||
- PLUGIN_DEBUG(("strdup failed.\n"));
|
||||
+ PLUGIN_DEBUG("strdup failed.\n");
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
ret = get_krb5info(realm, ctx, locate_service_kdc);
|
||||
if (ret != EOK) {
|
||||
- PLUGIN_DEBUG(("get_krb5info failed.\n"));
|
||||
+ PLUGIN_DEBUG("get_krb5info failed.\n");
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
@@ -482,22 +482,22 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
||||
svc == locate_service_master_kdc) {
|
||||
ret = get_krb5info(realm, ctx, locate_service_kpasswd);
|
||||
if (ret != EOK) {
|
||||
- PLUGIN_DEBUG(("reading kpasswd address failed, "
|
||||
- "using kdc address.\n"));
|
||||
+ PLUGIN_DEBUG("reading kpasswd address failed, "
|
||||
+ "using kdc address.\n");
|
||||
free_addr_port_list(&(ctx->kpasswd_addr));
|
||||
ret = copy_addr_port_list(ctx->kdc_addr, true,
|
||||
&(ctx->kpasswd_addr));
|
||||
if (ret != EOK) {
|
||||
- PLUGIN_DEBUG(("copying address list failed.\n"));
|
||||
+ PLUGIN_DEBUG("copying address list failed.\n");
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
- PLUGIN_DEBUG(("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] "
|
||||
- "locate_service[%d]\n", ctx->sssd_realm, realm, family,
|
||||
- socktype, svc));
|
||||
+ PLUGIN_DEBUG("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] "
|
||||
+ "locate_service[%d]\n",
|
||||
+ ctx->sssd_realm, realm, family, socktype, svc);
|
||||
|
||||
switch (svc) {
|
||||
case locate_service_kdc:
|
||||
@@ -547,7 +547,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
||||
memset(port_str, 0, PORT_STR_SIZE);
|
||||
ret = snprintf(port_str, PORT_STR_SIZE-1, "%u", port);
|
||||
if (ret < 0 || ret >= (PORT_STR_SIZE-1)) {
|
||||
- PLUGIN_DEBUG(("snprintf failed.\n"));
|
||||
+ PLUGIN_DEBUG("snprintf failed.\n");
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
@@ -557,31 +557,31 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
|
||||
|
||||
ret = getaddrinfo(addr[c].addr, port_str, &ai_hints, &ai);
|
||||
if (ret != 0) {
|
||||
- PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", ret,
|
||||
- gai_strerror(ret)));
|
||||
+ PLUGIN_DEBUG("getaddrinfo failed [%d][%s].\n",
|
||||
+ ret, gai_strerror(ret));
|
||||
if (ret == EAI_SYSTEM) {
|
||||
- PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n",
|
||||
- errno, strerror(errno)));
|
||||
+ PLUGIN_DEBUG("getaddrinfo failed [%d][%s].\n",
|
||||
+ errno, strerror(errno));
|
||||
}
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
- PLUGIN_DEBUG(("addr[%s:%s] family[%d] socktype[%d]\n", addr[c].addr,
|
||||
- port_str, ai->ai_family, ai->ai_socktype));
|
||||
+ PLUGIN_DEBUG("addr[%s:%s] family[%d] socktype[%d]\n",
|
||||
+ addr[c].addr, port_str, ai->ai_family, ai->ai_socktype);
|
||||
|
||||
if ((family == AF_UNSPEC || ai->ai_family == family) &&
|
||||
ai->ai_socktype == socktype) {
|
||||
|
||||
ret = cbfunc(cbdata, socktype, ai->ai_addr);
|
||||
if (ret != 0) {
|
||||
- PLUGIN_DEBUG(("cbfunc failed\n"));
|
||||
+ PLUGIN_DEBUG("cbfunc failed\n");
|
||||
freeaddrinfo(ai);
|
||||
return ret;
|
||||
} else {
|
||||
- PLUGIN_DEBUG(("[%s] used\n", addr[c].addr));
|
||||
+ PLUGIN_DEBUG("[%s] used\n", addr[c].addr);
|
||||
}
|
||||
} else {
|
||||
- PLUGIN_DEBUG(("[%s] NOT used\n", addr[c].addr));
|
||||
+ PLUGIN_DEBUG("[%s] NOT used\n", addr[c].addr);
|
||||
}
|
||||
freeaddrinfo(ai);
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
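Review bot: In the `open failed` branch of `get_krb5info()`, `errno` is read again after `PLUGIN_DEBUG(...)` has run (`ret = errno;` follows the log call), so when debugging is enabled the logging path may overwrite it and the function can return the wrong code, possibly 0, for a failed `open()`. Only the first lines of `plugin_debug_fn` are visible here, so this is inferred from the call order, but the `read failed` branch a few lines below already saves the value first. I would do the same here: `ret = errno;` before the log call, then `PLUGIN_DEBUG("open failed [%s][%d][%s].\n", krb5info_name, ret, strerror(ret));`. The `EAI_SYSTEM` branch in `sssd_krb5_locator_lookup()` has the same ordering problem, since it prints `errno` after an earlier `PLUGIN_DEBUG` call. Both function bodies start and end outside the hunks shown.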
29
0004-krb5_locator-Fix-typo-in-debug-message.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From f748abb7b773a09c7be279b42774a5692fcb1fbb Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Thu, 19 Jul 2018 09:50:12 +0200
|
||||
Subject: [PATCH 4/7] krb5_locator: Fix typo in debug message
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3786
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 09dc1d9dc10780d126d477c394ae2ef4c0d0cff3)
|
||||
---
|
||||
src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
index 61fee6b..acb20f2 100644
|
||||
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
@@ -323,7 +323,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
|
||||
|
||||
krb5info_name = calloc(1, len + 1);
|
||||
if (krb5info_name == NULL) {
|
||||
- PLUGIN_DEBUG("malloc failed.\n");
|
||||
+ PLUGIN_DEBUG("calloc failed.\n");
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.5
|
||||
|
29
0005-krb5_locator-Fix-formatting-of-the-variable-port.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From 5c90d3a2890eb121ff6cb5e972b69bb118cbac39 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Sat, 21 Jul 2018 23:50:11 +0200
|
||||
Subject: [PATCH 5/7] krb5_locator: Fix formatting of the variable port
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3786
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit aefdf70351d01d1dcfe3ebb2769fbd3bb1bd0441)
|
||||
---
|
||||
src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
index acb20f2..4b0b6a1 100644
|
||||
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
@@ -270,7 +270,7 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
|
||||
addr_str++;
|
||||
}
|
||||
|
||||
- PLUGIN_DEBUG("Found [%s][%d].\n", addr_str, port);
|
||||
+ PLUGIN_DEBUG("Found [%s][%ld].\n", addr_str, port);
|
||||
|
||||
l[c].addr = strdup(addr_str);
|
||||
if (l[c].addr == NULL) {
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,31 @@
|
||||
From d5f87b392f8cefbf37674f410087c8cbe4a50dcd Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Thu, 19 Jul 2018 09:53:13 +0200
|
||||
Subject: [PATCH 6/7] krb5_locator: Use format string checking for debug
|
||||
function
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3786
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 9680ac9ce20511b3f34dc1c8635d0c4435006ce3)
|
||||
---
|
||||
src/krb5_plugin/sssd_krb5_locator_plugin.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
index 4b0b6a1..720878e 100644
|
||||
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
|
||||
@@ -82,6 +82,9 @@ struct sssd_ctx {
|
||||
bool disabled;
|
||||
};
|
||||
|
||||
+#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT
|
||||
+__attribute__((format(printf, 1, 2)))
|
||||
+#endif
|
||||
static void plugin_debug_fn(const char *format, ...)
|
||||
{
|
||||
va_list ap;
|
||||
--
|
||||
2.9.5
|
||||
|
363
0007-PAM-Allow-to-configure-pam-services-for-Smartcards.patch
Normal file
@ -0,0 +1,363 @@
|
||||
From 9f5fbbdac3658f5f1695fbf3cf89544b4b578b92 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 20 Jan 2016 13:15:11 +0100
|
||||
Subject: [PATCH 7/7] PAM: Allow to configure pam services for Smartcards
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/2926
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3799
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 93caaf294cfd85b4e0d7faa2fc5c2298d6b13020)
|
||||
---
|
||||
src/confdb/confdb.h | 1 +
|
||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.conf | 1 +
|
||||
src/man/sssd.conf.5.xml | 76 +++++++++++++++-
|
||||
src/responder/pam/pamsrv.h | 1 +
|
||||
src/responder/pam/pamsrv_p11.c | 164 +++++++++++++++++++++++++++++++++--
|
||||
7 files changed, 237 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 8af625f..700ab76 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -131,6 +131,7 @@
|
||||
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
|
||||
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
|
||||
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
|
||||
+#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
|
||||
|
||||
/* SUDO */
|
||||
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
|
||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||
index 32b74e4..2846ea2 100644
|
||||
--- a/src/config/SSSDConfig/__init__.py.in
|
||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||
@@ -103,6 +103,7 @@ option_strings = {
|
||||
'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'),
|
||||
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
|
||||
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
|
||||
+ 'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
|
||||
|
||||
# [sudo]
|
||||
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 5513227..c18fcbd 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -126,6 +126,7 @@ option = pam_cert_auth
|
||||
option = pam_cert_db_path
|
||||
option = p11_child_timeout
|
||||
option = pam_app_services
|
||||
+option = pam_p11_allowed_services
|
||||
|
||||
[rule/allowed_sudo_options]
|
||||
validator = ini_allowed_options
|
||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
||||
index 2be2e3e..7156142 100644
|
||||
--- a/src/config/etc/sssd.api.conf
|
||||
+++ b/src/config/etc/sssd.api.conf
|
||||
@@ -75,6 +75,7 @@ pam_cert_auth = bool, None, false
|
||||
pam_cert_db_path = str, None, false
|
||||
p11_child_timeout = int, None, false
|
||||
pam_app_services = str, None, false
|
||||
+pam_p11_allowed_services = str, None, false
|
||||
|
||||
[sudo]
|
||||
# sudo service
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index ed3c100..881ffc6 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -1389,7 +1389,81 @@ pam_account_locked_message = Account locked, please contact help desk.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
-
|
||||
+ <varlistentry>
|
||||
+ <term>pam_p11_allowed_services (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ A comma-separated list of PAM service names for
|
||||
+ which it will be allowed to use Smartcards.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ It is possible to add another PAM service name to
|
||||
+ the default set by using
|
||||
+ <quote>+service_name</quote> or to explicitly
|
||||
+ remove a PAM service name from the default set by
|
||||
+ using <quote>-service_name</quote>. For example,
|
||||
+ in order to replace a default PAM service name for
|
||||
+ authentication with Smartcards
|
||||
+ (e.g. <quote>login</quote>) with a custom PAM
|
||||
+ service name (e.g. <quote>my_pam_service</quote>),
|
||||
+ you would use the following configuration:
|
||||
+ <programlisting>
|
||||
+pam_p11_allowed_services = +my_pam_service, -login
|
||||
+ </programlisting>
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: the default set of PAM service names
|
||||
+ includes:
|
||||
+ <itemizedlist>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ login
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ su
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ su-l
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ gdm-smartcard
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ gdm-password
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ kdm
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ sudo
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ sudo-i
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ gnome-screensaver
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </itemizedlist>
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect2>
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index dfd9821..3325d9b 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -51,6 +51,7 @@ struct pam_ctx {
|
||||
int p11_child_debug_fd;
|
||||
char *nss_db;
|
||||
struct sss_certmap_ctx *sss_certmap_ctx;
|
||||
+ char **smartcard_services;
|
||||
};
|
||||
|
||||
struct pam_auth_dp_req {
|
||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
||||
index 0b6a162..ddb2def 100644
|
||||
--- a/src/responder/pam/pamsrv_p11.c
|
||||
+++ b/src/responder/pam/pamsrv_p11.c
|
||||
@@ -224,12 +224,148 @@ errno_t p11_child_init(struct pam_ctx *pctx)
|
||||
return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
|
||||
}
|
||||
|
||||
+static inline bool
|
||||
+service_in_list(char **list, size_t nlist, const char *str)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < nlist; i++) {
|
||||
+ if (strcasecmp(list[i], str) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return (i < nlist) ? true : false;
|
||||
+}
|
||||
+
|
||||
+static errno_t get_sc_services(TALLOC_CTX *mem_ctx, struct pam_ctx *pctx,
|
||||
+ char ***_sc_list)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ errno_t ret;
|
||||
+ char *conf_str;
|
||||
+ char **conf_list;
|
||||
+ int conf_list_size;
|
||||
+ char **add_list;
|
||||
+ char **remove_list;
|
||||
+ int ai = 0;
|
||||
+ int ri = 0;
|
||||
+ int j = 0;
|
||||
+ char **sc_list;
|
||||
+ int expected_sc_list_size;
|
||||
+
|
||||
+ const char *default_sc_services[] = {
|
||||
+ "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm", "sudo",
|
||||
+ "sudo-i", "gnome-screensaver", NULL,
|
||||
+ };
|
||||
+ const int default_sc_services_size =
|
||||
+ sizeof(default_sc_services) / sizeof(default_sc_services[0]);
|
||||
+
|
||||
+ tmp_ctx = talloc_new(mem_ctx);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_get_string(pctx->rctx->cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
|
||||
+ CONFDB_PAM_P11_ALLOWED_SERVICES, NULL,
|
||||
+ &conf_str);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "confdb_get_string failed %d [%s]\n", ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (conf_str != NULL) {
|
||||
+ ret = split_on_separator(tmp_ctx, conf_str, ',', true, true,
|
||||
+ &conf_list, &conf_list_size);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot parse list of service names '%s': %d [%s]\n",
|
||||
+ conf_str, ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else {
|
||||
+ conf_list = talloc_zero_array(tmp_ctx, char *, 1);
|
||||
+ conf_list_size = 0;
|
||||
+ }
|
||||
+
|
||||
+ add_list = talloc_zero_array(tmp_ctx, char *, conf_list_size + 1);
|
||||
+ remove_list = talloc_zero_array(tmp_ctx, char *, conf_list_size + 1);
|
||||
+
|
||||
+ if (add_list == NULL || remove_list == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (int i = 0; conf_list[i] != NULL; ++i) {
|
||||
+ switch (conf_list[i][0]) {
|
||||
+ case '+':
|
||||
+ add_list[ai] = conf_list[i] + 1;
|
||||
+ ++ai;
|
||||
+ break;
|
||||
+ case '-':
|
||||
+ remove_list[ri] = conf_list[i] + 1;
|
||||
+ ++ri;
|
||||
+ break;
|
||||
+ default:
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "The option "CONFDB_PAM_P11_ALLOWED_SERVICES" must start"
|
||||
+ "with either '+' (for adding service) or '-' (for "
|
||||
+ "removing service) got '%s'\n", conf_list[i]);
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ expected_sc_list_size = default_sc_services_size + ai + 1;
|
||||
+
|
||||
+ sc_list = talloc_zero_array(tmp_ctx, char *, expected_sc_list_size);
|
||||
+ if (sc_list == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (int i = 0; add_list[i] != NULL; ++i) {
|
||||
+ if (service_in_list(remove_list, ri, add_list[i])) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ sc_list[j] = talloc_strdup(sc_list, add_list[i]);
|
||||
+ if (sc_list[j] == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ++j;
|
||||
+ }
|
||||
+
|
||||
+ for (int i = 0; default_sc_services[i] != NULL; ++i) {
|
||||
+ if (service_in_list(remove_list, ri, default_sc_services[i])) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ sc_list[j] = talloc_strdup(sc_list, default_sc_services[i]);
|
||||
+ if (sc_list[j] == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ++j;
|
||||
+ }
|
||||
+
|
||||
+ if (_sc_list != NULL) {
|
||||
+ *_sc_list = talloc_steal(mem_ctx, sc_list);
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ talloc_zfree(tmp_ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
|
||||
{
|
||||
size_t c;
|
||||
- const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard",
|
||||
- "gdm-password", "kdm", "sudo", "sudo-i",
|
||||
- "gnome-screensaver", NULL };
|
||||
+ errno_t ret;
|
||||
+
|
||||
if (!pctx->cert_auth) {
|
||||
return false;
|
||||
}
|
||||
@@ -244,16 +380,30 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
|
||||
return false;
|
||||
}
|
||||
|
||||
- /* TODO: make services configurable */
|
||||
if (pd->service == NULL || *pd->service == '\0') {
|
||||
return false;
|
||||
}
|
||||
- for (c = 0; sc_services[c] != NULL; c++) {
|
||||
- if (strcmp(pd->service, sc_services[c]) == 0) {
|
||||
+
|
||||
+ /* Initialize smartcard allowed services just once */
|
||||
+ if (pctx->smartcard_services == NULL) {
|
||||
+ ret = get_sc_services(pctx, pctx, &pctx->smartcard_services);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to get p11 allowed services %d[%s]",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ sss_log(SSS_LOG_ERR,
|
||||
+ "Failed to evaluate pam_p11_allowed_services option, "
|
||||
+ "please check for typos in the SSSD configuration");
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ for (c = 0; pctx->smartcard_services[c] != NULL; c++) {
|
||||
+ if (strcmp(pd->service, pctx->smartcard_services[c]) == 0) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
- if (sc_services[c] == NULL) {
|
||||
+ if (pctx->smartcard_services[c] == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Smartcard authentication for service [%s] not supported.\n",
|
||||
pd->service);
|
||||
--
|
||||
2.9.5
|
||||
|
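Review bot: `service_in_list()` compares with `strcasecmp` while the final lookup in `may_do_cert_auth()` still uses `strcmp`, so the Smartcard allow-list is case-insensitive for removals but case-sensitive for matching: `-Login` drops the default `login`, yet `+Login` never matches a request for service `login`. An access-control list should use one comparison throughout, e.g. `if (strcmp(list[i], str) == 0) {` in `service_in_list()`, or `strcasecmp` in both places if case-insensitive names are intended. In `get_sc_services()` the `conf_str == NULL` branch does not check the result of `talloc_zero_array()` before the loop reads `conf_list[i]`; add `if (conf_list == NULL) { ret = ENOMEM; goto done; }`. Two smaller text issues: the literals `"... must start"` and `"with either ..."` concatenate to "must startwith", and the man page hunk declares the option as `(integer)` although it takes a comma-separated list of strings. The body of `may_do_cert_auth()` continues past the end of the hunk.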
@ -1,86 +0,0 @@
|
||||
From 213dac21410f3c7aaeac660c5fc9c09bd1ab3d59 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 7 Jul 2017 11:15:20 +0200
|
||||
Subject: [PATCH] libwbclient-sssd: update interface to version 0.14
|
||||
|
||||
The main change is a new member of the wbcAuthErrorInfo struct.
|
||||
---
|
||||
src/conf_macros.m4 | 4 ++--
|
||||
src/sss_client/libwbclient/wbclient.exports | 3 +++
|
||||
src/sss_client/libwbclient/wbclient_sssd.h | 9 +++++++--
|
||||
3 files changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
|
||||
index 420997229cb3c244afd8fb21b074e43a21de0eda..bd33d3aee194c23ceac01b3729ba3152d9de9f89 100644
|
||||
--- a/src/conf_macros.m4
|
||||
+++ b/src/conf_macros.m4
|
||||
@@ -727,10 +727,10 @@ AC_DEFUN([WITH_LIBWBCLIENT],
|
||||
if test x"$with_libwbclient" = xyes; then
|
||||
AC_DEFINE(BUILD_LIBWBCLIENT, 1, [whether to build SSSD implementation of libwbclient])
|
||||
|
||||
- libwbclient_version="0.13"
|
||||
+ libwbclient_version="0.14"
|
||||
AC_SUBST(libwbclient_version)
|
||||
|
||||
- libwbclient_version_info="13:0:13"
|
||||
+ libwbclient_version_info="14:0:14"
|
||||
AC_SUBST(libwbclient_version_info)
|
||||
fi
|
||||
AM_CONDITIONAL([BUILD_LIBWBCLIENT], [test x"$with_libwbclient" = xyes])
|
||||
diff --git a/src/sss_client/libwbclient/wbclient.exports b/src/sss_client/libwbclient/wbclient.exports
|
||||
index 9d3c2040e7d393c0057d44864826cefc2e3f7a31..7abbaba6036c604177f247521e877c86720a1b4d 100644
|
||||
--- a/src/sss_client/libwbclient/wbclient.exports
|
||||
+++ b/src/sss_client/libwbclient/wbclient.exports
|
||||
@@ -150,3 +150,6 @@ WBCLIENT_0.13 {
|
||||
wbcUnixIdsToSids;
|
||||
wbcCtxUnixIdsToSids;
|
||||
} WBCLIENT_0.12;
|
||||
+
|
||||
+WBCLIENT_0.14 {
|
||||
+} WBCLIENT_0.13;
|
||||
diff --git a/src/sss_client/libwbclient/wbclient_sssd.h b/src/sss_client/libwbclient/wbclient_sssd.h
|
||||
index 50ba7f84304df5f24a31cbbad857f22d1c70964d..f2fe8fe60e2ff55399e408056ccfbbfff044b88b 100644
|
||||
--- a/src/sss_client/libwbclient/wbclient_sssd.h
|
||||
+++ b/src/sss_client/libwbclient/wbclient_sssd.h
|
||||
@@ -74,9 +74,11 @@ const char *wbcErrorString(wbcErr error);
|
||||
* 0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
|
||||
* 0.12: Added wbcCtxCreate and friends
|
||||
* 0.13: Added wbcCtxUnixIdsToSids and wbcUnixIdsToSids
|
||||
+ * 0.14: Added "authoritative" to wbcAuthErrorInfo
|
||||
+ * Added WBC_SID_NAME_LABEL
|
||||
**/
|
||||
#define WBCLIENT_MAJOR_VERSION 0
|
||||
-#define WBCLIENT_MINOR_VERSION 13
|
||||
+#define WBCLIENT_MINOR_VERSION 14
|
||||
#define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
|
||||
struct wbcLibraryDetails {
|
||||
uint16_t major_version;
|
||||
@@ -138,7 +140,8 @@ enum wbcSidType {
|
||||
WBC_SID_NAME_DELETED=6,
|
||||
WBC_SID_NAME_INVALID=7,
|
||||
WBC_SID_NAME_UNKNOWN=8,
|
||||
- WBC_SID_NAME_COMPUTER=9
|
||||
+ WBC_SID_NAME_COMPUTER=9,
|
||||
+ WBC_SID_NAME_LABEL=10
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -316,6 +319,7 @@ struct wbcChangePasswordParams {
|
||||
#define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0x00000020
|
||||
#define WBC_MSV1_0_RETURN_PROFILE_PATH 0x00000200
|
||||
#define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800
|
||||
+#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000
|
||||
|
||||
/* wbcAuthUserParams->flags */
|
||||
|
||||
@@ -418,6 +422,7 @@ struct wbcAuthErrorInfo {
|
||||
char *nt_string;
|
||||
int32_t pam_error;
|
||||
char *display_string;
|
||||
+ uint8_t authoritative;
|
||||
};
|
||||
|
||||
/**
|
||||
--
|
||||
2.13.2
|
||||
|
@ -1,5 +1,5 @@
|
||||
From 5381ad1bd7693a6681f00bef093241f13e3a2c4f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@fedoraproject.org>
|
||||
Date: Mon, 12 Dec 2016 21:56:16 +0100
|
||||
Subject: [PATCH] SYSTEMD: Use capabilities
|
||||
|
||||
@ -9,17 +9,17 @@ copied from selinux policy
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
|
||||
index 05cfd3705084dbff8b46fb07e736612612c58b70..e7bbbdb5093f52e4b71e3c85a9082192013385e8 100644
|
||||
index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
|
||||
--- a/src/sysv/systemd/sssd.service.in
|
||||
+++ b/src/sysv/systemd/sssd.service.in
|
||||
@@ -9,6 +9,7 @@ EnvironmentFile=-@environment_file@
|
||||
ExecStart=@sbindir@/sssd -i -f
|
||||
@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
|
||||
Type=notify
|
||||
NotifyAccess=main
|
||||
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
|
||||
PIDFile=@localstatedir@/run/sssd.pid
|
||||
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
--
|
||||
2.11.0
|
||||
2.15.1
|
||||
|
||||
|
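Review bot: The `CapabilityBoundingSet=` line carries no explanation in the unit, and the patch description only says the list was copied from the SELinux policy, so there is nothing to check the set against when it is tightened later. The variant printed second here (git 2.15.1 trailer) no longer lists CAP_DAC_OVERRIDE but still keeps broad capabilities such as CAP_SYS_ADMIN and CAP_DAC_READ_SEARCH. A comment above the line, for example `# Bounding set mirrors the SELinux policy for sssd; CAP_DAC_OVERRIDE is deliberately absent`, together with a sentence in the patch description naming the component that needs CAP_SYS_ADMIN, would let a reviewer drop what is unused. Which of the two printed variants is the new side is inferred from print order and the version trailer, not from a surviving marker.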
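--- /dev/null
+++ b/0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -0,0 +1,39 @@
+From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@fedoraproject.org>
+Date: Fri, 3 Nov 2017 16:18:14 +0100
+Subject: [PATCH] Disable stopping idle socket activated responders
+
+---
+src/confdb/confdb.h | 2 +-
+src/man/sssd.conf.5.xml | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -85,7 +85,7 @@
+/* Responders */
+#define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
+#define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
+-#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
++#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
+#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
+#define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
+#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -706,7 +706,7 @@
+or dbus activated.
+</para>
+<para>
+- Default: 300
++ Default: 0
+</para>
+</listitem>
+</varlistentry>
+--
+2.14.3
+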
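Review bot: The confdb.h hunk changes `CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT` (the `client_idle_timeout` default) from 60 to 0, while `CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT` stays at 300 in the context lines. The subject and the sssd.conf.5.xml hunk ("or dbus activated … Default: 0") appear to describe the responder idle timeout instead. If the intent is only to stop shutting down idle socket-activated responders, the line to change looks like `#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 0`, with the client default left at 60. As written, the header and the man page disagree, and the effect of a zero `client_idle_timeout` on idle client connections should be confirmed in the responder code, which is not visible here. Both hunks show only a few context lines of their files.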
@ -0,0 +1,44 @@
|
||||
From ae98cc4985bd3a19bbcadb5c4b77c5e01819e8ac Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 21 Aug 2018 13:59:33 +0200
|
||||
Subject: [PATCH] SYSDB: Prepend cached hash with the salt identifier if it's
|
||||
not there
|
||||
|
||||
This is a downstream-only patch for
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1561105#c13
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/db/sysdb_ops.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index df0fb83c5546809a2d643e2e585153ad61a6a334..3a7e8fed507e9d96301f97112f9230e031cb5896 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -4516,6 +4516,7 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
|
||||
time_t expire_date = -1;
|
||||
time_t delayed_until = -1;
|
||||
int ret;
|
||||
+ const char *salt_prefix = "$6$";
|
||||
|
||||
if (name == NULL || *name == '\0') {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Missing user name.\n");
|
||||
@@ -4601,6 +4602,14 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (strncmp(userhash, salt_prefix, strlen(salt_prefix)) != 0) {
|
||||
+ userhash = talloc_asprintf(tmp_ctx, "%s%s", salt_prefix, userhash);
|
||||
+ if (userhash == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash);
|
||||
if (ret) {
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "Failed to create password hash.\n");
|
||||
--
|
||||
2.14.4
|
||||
|
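Review bot: The added block in sysdb_cache_auth() silently prepends `$6$` to any cached hash that does not already start with it, so a truncated value or one from another scheme is handled the same way as a legacy entry that only lacks the identifier. A trace line inside the new `if`, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "Cached hash has no salt identifier, prepending it.\n");`, would make the fallback visible when debugging offline authentication. A short comment should also say that this is a compatibility path for entries cached by the affected versions. The function starts and ends outside the hunk, so it is not visible where `userhash` is read, whether it is checked for NULL before the `strncmp`, or how the result of `s3crypt_sha512` is compared afterwards; all three are worth confirming.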
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (sssd-1.15.3.tar.gz) = 92478205ee1b1cebc3d35b733576180db51cee8cc84d0c2cb78386924ffa90ae355b6ad9b7b51e5e5f5a7a4588764d1c7afb0673c035b1fe9b1a283beb79a428
|
||||
SHA512 (sssd-1.16.3.tar.gz) = 6165923f652f624bbe3ddc625ae682c4867eb7a20652d0cf74bbb8dda2307c917d3189ede26fd21a4fb5fd5926149271a65fa09f3affe928029ed99e6422b728
|
||||
|
251
sssd.spec
251
sssd.spec
@ -16,8 +16,6 @@
|
||||
|
||||
%global with_cifs_utils_plugin 1
|
||||
|
||||
%global with_krb5_localauth_plugin 1
|
||||
|
||||
%global enable_systemtap 1
|
||||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
@ -25,6 +23,12 @@
|
||||
|
||||
%global with_kcm 1
|
||||
|
||||
%global with_gdm_pam_extensions 1
|
||||
|
||||
%if (0%{?fedora} > 28)
|
||||
%global use_openssl 1
|
||||
%endif
|
||||
|
||||
%global libwbc_alternatives_version 0.14
|
||||
%global libwbc_lib_version %{libwbc_alternatives_version}.0
|
||||
%global libwbc_alternatives_suffix %nil
|
||||
@ -33,7 +37,7 @@
|
||||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 1.15.3
|
||||
Version: 1.16.3
|
||||
Release: 2%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
@ -43,8 +47,23 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
Patch0501: 0501-libwbclient-sssd-update-interface-to-version-0.14.patch
|
||||
Patch0001: 0001-man-sss_ssh_knownhostsproxy-fix-typo-pubkeys-pubkey.patch
|
||||
Patch0002: 0002-krb5_locator-Make-debug-function-internal.patch
|
||||
Patch0003: 0003-krb5_locator-Simplify-usage-of-macro-PLUGIN_DEBUG.patch
|
||||
Patch0004: 0004-krb5_locator-Fix-typo-in-debug-message.patch
|
||||
Patch0005: 0005-krb5_locator-Fix-formatting-of-the-variable-port.patch
|
||||
Patch0006: 0006-krb5_locator-Use-format-string-checking-for-debug-fu.patch
|
||||
Patch0007: 0007-PAM-Allow-to-configure-pam-services-for-Smartcards.patch
|
||||
|
||||
### Dowsntream only patches ###
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
|
||||
|
||||
# Keep this downstream patch for the lifetime of f27 and f28.
|
||||
# It fixes offline authentication of users that were cached in sysdb
|
||||
# with SSSD version affected by this BZ#1602781. Note that this patch
|
||||
# only fixes the offline authentication (not the local provider).
|
||||
Patch1000: 1000-SYSDB-Prepend-cached-hash-with-the-salt-identifier-i.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
@ -66,6 +85,7 @@ Suggests: sssd-dbus = %{version}-%{release}
|
||||
%global pubconfpath %{sssdstatedir}/pubconf
|
||||
%global gpocachepath %{sssdstatedir}/gpo_cache
|
||||
%global secdbpath %{sssdstatedir}/secrets
|
||||
%global deskprofilepath %{sssdstatedir}/deskprofile
|
||||
|
||||
### Build Dependencies ###
|
||||
|
||||
@ -112,17 +132,26 @@ BuildRequires: uid_wrapper
|
||||
BuildRequires: nss_wrapper
|
||||
BuildRequires: libnl3-devel
|
||||
BuildRequires: systemd-devel
|
||||
%if (0%{?with_cifs_utils_plugin} == 1)
|
||||
BuildRequires: cifs-utils-devel
|
||||
%endif
|
||||
BuildRequires: libnfsidmap-devel
|
||||
BuildRequires: samba4-devel
|
||||
BuildRequires: libsmbclient-devel
|
||||
BuildRequires: samba-winbind
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: http-parser-devel
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: gdm-pam-extensions-devel
|
||||
%if (0%{?use_openssl} == 1)
|
||||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: softhsm >= 2.1.0
|
||||
%endif
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssh
|
||||
BuildRequires: nss-tools
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
@ -153,7 +182,6 @@ Requires(post): systemd-units chkconfig
|
||||
Requires(preun): systemd-units chkconfig
|
||||
Requires(postun): systemd-units chkconfig
|
||||
|
||||
|
||||
### Provides ###
|
||||
Provides: libsss_sudo-devel = %{version}-%{release}
|
||||
Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1
|
||||
@ -621,11 +649,13 @@ autoreconf -ivf
|
||||
--disable-rpath \
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
%if (0%{?use_openssl} == 1)
|
||||
--with-crypto=libcrypto \
|
||||
%endif
|
||||
--enable-sss-default-nss-plugin \
|
||||
--enable-files-domain \
|
||||
%{?with_cifs_utils_plugin_option} \
|
||||
%{?enable_systemtap_opt} \
|
||||
|
||||
%{?enable_systemtap_opt}
|
||||
|
||||
make %{?_smp_mflags} all docs
|
||||
|
||||
@ -657,11 +687,14 @@ install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/s
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
|
||||
install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd
|
||||
|
||||
%if (0%{?with_cifs_utils_plugin} == 1)
|
||||
# Kerberos KCM credential cache by default
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
|
||||
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||
|
||||
# Create directory for cifs-idmap alternative
|
||||
# Otherwise this directory could not be owned by sssd-client
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
|
||||
%endif
|
||||
|
||||
# Remove .la files created by libtool
|
||||
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
|
||||
@ -828,6 +861,7 @@ done
|
||||
%attr(700,root,root) %dir %{dbpath}
|
||||
%attr(755,root,root) %dir %{mcpath}
|
||||
%attr(700,root,root) %dir %{secdbpath}
|
||||
%attr(751,root,root) %dir %{deskprofilepath}
|
||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
|
||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
|
||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
|
||||
@ -838,15 +872,17 @@ done
|
||||
%attr(750,root,root) %dir %{_var}/log/%{name}
|
||||
%attr(700,root,root) %dir %{_sysconfdir}/sssd
|
||||
%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
|
||||
%if (0%{?use_openssl} == 1)
|
||||
%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
|
||||
%endif
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
||||
%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/sssd.service.d
|
||||
%config(noreplace) %{_sysconfdir}/systemd/system/sssd.service.d/journal.conf
|
||||
%dir %{_sysconfdir}/logrotate.d
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
|
||||
%dir %{_sysconfdir}/rwtab.d
|
||||
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
||||
%dir %{_datadir}/sssd
|
||||
%{_sysconfdir}/pam.d/sssd-shadowutils
|
||||
%dir %{_libdir}/%{name}/conf
|
||||
%{_libdir}/%{name}/conf/sssd.conf
|
||||
|
||||
%{_datadir}/sssd/cfg_rules.ini
|
||||
@ -858,16 +894,19 @@ done
|
||||
%{_mandir}/man5/sssd-files.5*
|
||||
%{_mandir}/man5/sssd-simple.5*
|
||||
%{_mandir}/man5/sssd-sudo.5*
|
||||
%{_mandir}/man5/sssd-session-recording.5*
|
||||
%{_mandir}/man5/sssd-secrets.5*
|
||||
%{_mandir}/man8/sssd.8*
|
||||
%{_mandir}/man8/sss_cache.8*
|
||||
%dir %{_datadir}/sssd/systemtap
|
||||
%{_datadir}/sssd/systemtap/id_perf.stp
|
||||
%{_datadir}/sssd/systemtap/nested_group_perf.stp
|
||||
%{_datadir}/sssd/systemtap/dp_request.stp
|
||||
%dir %{_datadir}/systemtap
|
||||
%dir %{_datadir}/systemtap/tapset
|
||||
%{_datadir}/systemtap/tapset/sssd.stp
|
||||
%{_datadir}/systemtap/tapset/sssd_functions.stp
|
||||
%{_mandir}/man5/sssd-systemtap.5*
|
||||
|
||||
|
||||
%files ldap -f sssd_ldap.lang
|
||||
@ -944,17 +983,13 @@ done
|
||||
%{_libdir}/security/pam_sss.so
|
||||
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
||||
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
|
||||
%if (0%{?with_cifs_utils_plugin} == 1)
|
||||
%dir %{_libdir}/cifs-utils
|
||||
%{_libdir}/cifs-utils/cifs_idmap_sss.so
|
||||
%dir %{_sysconfdir}/cifs-utils
|
||||
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
|
||||
%endif
|
||||
%if (0%{?with_krb5_localauth_plugin} == 1)
|
||||
%dir %{_libdir}/%{name}
|
||||
%dir %{_libdir}/%{name}/modules
|
||||
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
|
||||
%endif
|
||||
%{_mandir}/man8/pam_sss.8*
|
||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||
|
||||
@ -1113,6 +1148,7 @@ done
|
||||
|
||||
%files kcm -f sssd_kcm.lang
|
||||
%{_libexecdir}/%{servicename}/sssd_kcm
|
||||
%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
|
||||
%dir %{_datadir}/sssd-kcm
|
||||
%{_datadir}/sssd-kcm/kcm_default_ccache
|
||||
%{_unitdir}/sssd-kcm.socket
|
||||
@ -1177,7 +1213,6 @@ done
|
||||
%systemd_postun_with_restart sssd-kcm.socket
|
||||
%systemd_postun_with_restart sssd-kcm.service
|
||||
|
||||
%if (0%{?with_cifs_utils_plugin} == 1)
|
||||
%post client
|
||||
/sbin/ldconfig
|
||||
/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20
|
||||
@ -1186,9 +1221,6 @@ done
|
||||
if [ $1 -eq 0 ] ; then
|
||||
/usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
|
||||
fi
|
||||
%else
|
||||
%post client -p /sbin/ldconfig
|
||||
%endif
|
||||
|
||||
%postun client -p /sbin/ldconfig
|
||||
|
||||
@ -1243,6 +1275,183 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Tue Aug 21 2018 Michal Židek <mzidek@redhat.com> - 1.16.3-2
|
||||
- Resolves: rhbz#1561105 - sssd update prevented login using kerberos user
|
||||
|
||||
* Tue Aug 14 2018 Michal Židek <mzidek@redhat.com> - 1.16.3-1
|
||||
- New upstream release 1.16.3
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_3.html
|
||||
- Resolves: upstream#2926 - Make list of local PAM services allowed for
|
||||
Smartcard authentication configurable
|
||||
- Related: upstream#3542 - Get host key without proxying connection
|
||||
|
||||
* Mon Jun 25 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.2-4
|
||||
- Related: upstream#941 - return multiple server addresses to the Kerberos
|
||||
locator plugin
|
||||
- Related: upstream#3652 - kdcinfo doesn't get populated for other domains
|
||||
- Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD
|
||||
closes its end of the pipe before reading all the
|
||||
SSH keys
|
||||
- Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully
|
||||
- Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes
|
||||
stored in AD GC also for regular AD DC queries
|
||||
- Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being
|
||||
able to consume an @-sign in the user/group name.
|
||||
- Resolves: upstream#3766 - CVE-2018-10852: information leak from the sssd-sudo
|
||||
responder
|
||||
|
||||
* Thu Jun 21 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.2-3
|
||||
- Resolves: rhbz#1591804 - something keeps /lib/libnss_systemd.so.2 open on
|
||||
minimal appliance image, breaking composes
|
||||
|
||||
* Mon Jun 11 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.2-1
|
||||
- New upstream release 1.16.2
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html
|
||||
|
||||
* Thu May 24 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-9
|
||||
- Related: upstream#3742 - Change of: User may not run sudo --> a password is
|
||||
required
|
||||
|
||||
* Thu May 17 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-8
|
||||
- Revert 589d1a48 as the builders are back to f27
|
||||
|
||||
* Wed May 16 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-7
|
||||
- Related: upstream#3436 - Certificates used in unit tests have limited
|
||||
lifetime
|
||||
- Add: "ExcludeArch: armv7hl"
|
||||
|
||||
* Mon May 14 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-6
|
||||
- Related: upstream#3436 - Add openssl, openssh and nss-tools as BuildRequires
|
||||
|
||||
* Mon May 14 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-5
|
||||
- Related: upstream#3436 - Certificates used in unit tests have limited
|
||||
lifetime
|
||||
- Resolves: upstream#3725 - sssd not honoring dyndns_server if the DNS update
|
||||
process is terminated with a signal
|
||||
- Resolves: upstream#3726 - SSSD with ID provider 'ad' should give a warning
|
||||
in case the ldap schema is manually changed to
|
||||
something different than 'ad'.
|
||||
- Related: upstream#2653 - Group renaming issue when "id_provider = ldap" is
|
||||
set.
|
||||
- Resolves: upstream#3719 - The SSSD IPA provider allocates information about
|
||||
external groups on a long lived memory context,
|
||||
causing memory growth of the sssd_be process
|
||||
- Resolves: upstream#3728 - Request by ID outside the min_id/max_id limit of a
|
||||
first domain does not reach the second domain
|
||||
- Resolves: upstream#3731 - nss_clear_netgroup_hash_table(): only remove
|
||||
entries from the hash table, do not free them
|
||||
- Resolves: upstream#3595 - ID override GID from Default Trust View is not
|
||||
properly resolved in case domain resolution order
|
||||
is set
|
||||
|
||||
* Sat May 05 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-4
|
||||
- Resolves: rhbz#1574778 - sssd fails to download known_hosts from freeipa
|
||||
|
||||
* Fri Apr 27 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-3
|
||||
- Resolves: upstream#3684 - A group is not updated if its member is removed
|
||||
with the cleanup task, but the group does not
|
||||
change
|
||||
- Resolves: upstream#3558 - sudo: report error when two rules share cn
|
||||
- Tone down shutdown messages for socket activated responders
|
||||
- IPA: Qualify the externalUser sudo attribute
|
||||
- Resolves: upstream#3550 - refresh_expired_interval does not work with
|
||||
netgrous in 1.15
|
||||
- Resolves: upstream#3402 - Support alternative sources for the files provider
|
||||
- Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option
|
||||
- Resolves: upstream#3679 - Make nss netgroup requests more robust
|
||||
- Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not
|
||||
configured
|
||||
- Resolves: upstream#3469 - extend sss-certmap man page regarding priority
|
||||
processing
|
||||
- Improve docs/debug message about GC detection
|
||||
- Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes
|
||||
list out of bound?
|
||||
- Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is
|
||||
set.
|
||||
- Document which principal does the AD provider use
|
||||
- Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is
|
||||
defined, but contains no SIDs
|
||||
- Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM
|
||||
- Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data
|
||||
Provider returned an error
|
||||
[org.freedesktop.sssd.Error.DataProvider.Fatal]
|
||||
|
||||
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
|
||||
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
|
||||
- Resolves: upstream#3660 - confdb_expand_app_domains() always fails
|
||||
- Resolves: upstream#3658 - Application domain is not interpreted correctly
|
||||
- Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to
|
||||
json_loads()
|
||||
- Resolves: upstream#3386 - KCM: Payload buffer is too small
|
||||
- Resolves: upstream#3666 - Fix usage of str.decode() in our tests
|
||||
- A few KCM misc fixes
|
||||
|
||||
* Fri Mar 9 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-1
|
||||
- New upstream release 1.16.1
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html
|
||||
|
||||
* Tue Feb 20 2018 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-8
|
||||
- Resolves: upstream#3621 - backport bug fix found by static analyzers
|
||||
|
||||
* Wed Feb 14 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.0-7
|
||||
- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile
|
||||
with no specific host/hostgroup set
|
||||
- Resolves: upstream#3621 - FleetCommander integration must not require
|
||||
capability DAC_OVERRIDE
|
||||
|
||||
* Wed Feb 07 2018 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-6
|
||||
- Resolves: upstream#3618 - selinux_child segfaults in a docker container
|
||||
|
||||
* Mon Dec 04 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-5
|
||||
- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in
|
||||
setnetgrent_result_timeout
|
||||
- Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
|
||||
or machine swaps
|
||||
- Resolves: failure in glibc tests
|
||||
https://sourceware.org/bugzilla/show_bug.cgi?id=22530
|
||||
- Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
|
||||
auth_provider ldap, login fails if the LDAP server
|
||||
is not allowing anonymous binds
|
||||
- Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
|
||||
corrected with AD
|
||||
- Resolves: upstream#3586 - Give a more detailed debug and system-log message
|
||||
if krb5_init_context() failed
|
||||
- Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
|
||||
in /etc/systemd/system
|
||||
- Backport few upstream features from 1.16.1
|
||||
|
||||
* Tue Nov 21 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-4
|
||||
- Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next
|
||||
|
||||
* Fri Nov 17 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.16.0-3
|
||||
- Backport extended NSS API from upstream master branch
|
||||
|
||||
* Fri Nov 03 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-2
|
||||
- Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade
|
||||
|
||||
* Fri Oct 20 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-1
|
||||
- New upstream release 1.16.0
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html
|
||||
|
||||
* Wed Oct 11 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-5
|
||||
- Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when
|
||||
searching in local cache database access on
|
||||
the sock_file system_bus_socket
|
||||
|
||||
* Mon Sep 11 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-4
|
||||
- Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write
|
||||
access on the sock_file system_bus_socket
|
||||
- Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and
|
||||
fails to download desktop profile data
|
||||
- Resolves: upstream#3485 - getsidbyid does not work with 1.15.3
|
||||
- Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients
|
||||
after applying ID Views for them in IPA server
|
||||
- Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id
|
||||
mapping is applied
|
||||
|
||||
* Fri Sep 01 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-3
|
||||
- Backport few upstream patches/fixes
|
||||
|
||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.3-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
|
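Review bot: The comment above `Patch1000` says the patch covers users cached by a version affected by BZ#1602781, while the patch's own description and the 1.16.3-2 changelog entry cite bug 1561105. The comment should name the same bug or say how the two relate, e.g. `# ... affected by rhbz#1561105 (see also BZ#1602781)`. In the same section the heading `### Dowsntream only patches ###` is misspelled. The 1.15.3-5 changelog entry for CVE-2017-12173 ends with "access on the sock_file system_bus_socket", which looks copied from the 1.15.3-4 SELinux entry below it rather than describing the CVE. The +/- markers are lost on this page, so which of these lines are new in this commit range is inferred.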