Compare commits
12 Commits
Author | SHA1 | Date |
---|---|---|
|
d16469c7d2 | |
|
eb05bfe301 | |
|
5f3a3a165d | |
|
93f4fd4069 | |
|
5e6e4461d9 | |
|
887943ac44 | |
|
6d02d64276 | |
|
225f46e6fd | |
|
9b05798757 | |
|
cbb93511cb | |
|
e994e1f91a | |
|
54406357e5 |
|
@ -81,3 +81,7 @@ sssd-1.2.91.tar.gz
|
|||
/sssd-1.16.1.tar.gz
|
||||
/sssd-1.16.2.tar.gz
|
||||
/sssd-2.0.0.tar.gz
|
||||
/sssd-2.1.0.tar.gz
|
||||
/sssd-2.2.0.tar.gz
|
||||
/sssd-2.2.1.tar.gz
|
||||
/sssd-2.2.2.tar.gz
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
From 2c9bdcf579e430fa8f7e5595a17cf7242adb5216 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 11 Oct 2019 09:20:20 +0200
|
||||
Subject: [PATCH] KCM: Set kdc_offset to zero initially
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4100
|
||||
|
||||
KCM assumed that the client library would always set the KDC offset, but
|
||||
that's not always the case, especially when using multiple krb contexts
|
||||
from the client application:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1757224#c64
|
||||
|
||||
Heimdal also creates ccaches with zero kdc_offset:
|
||||
https://github.com/heimdal/heimdal/commit/9f58896af958ae5e6e3ebde8c48dad4eda841986
|
||||
so we should do the same..
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/responder/kcm/kcmsrv_ccache.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
|
||||
index e24da9aa2..66e2752ba 100644
|
||||
--- a/src/responder/kcm/kcmsrv_ccache.c
|
||||
+++ b/src/responder/kcm/kcmsrv_ccache.c
|
||||
@@ -82,7 +82,7 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
|
||||
|
||||
cc->owner.uid = cli_creds_get_uid(owner);
|
||||
cc->owner.gid = cli_creds_get_gid(owner);
|
||||
- cc->kdc_offset = INT32_MAX;
|
||||
+ cc->kdc_offset = 0;
|
||||
|
||||
talloc_set_destructor(cc, kcm_cc_destructor);
|
||||
*_cc = cc;
|
||||
--
|
||||
2.23.0
|
||||
|
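Review bot: The new `cc->kdc_offset = 0;` replaces the INT32_MAX sentinel without a comment saying why zero is the right initial value, so a later reader cannot tell whether a caller is still expected to overwrite it. The patch description has the reasoning (client libraries do not always set the KDC offset, and Heimdal initialises ccaches with a zero offset), and that belongs next to the assignment, e.g. `cc->kdc_offset = 0; /* clients may never set an offset; 0 matches Heimdal */`. Since this file is a backport of an upstream commit (From 2c9bdcf579e430fa8f7e5595a17cf7242adb5216), the comment should be carried upstream rather than added only here, so the patch stays identical to what sssd.spec's Patch0 references. The rest of kcm_cc_new lies outside the hunk.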
|
@ -0,0 +1,49 @@
|
|||
From e47f143bcb86d04aa053c17373f9d9991fc63913 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 14 Oct 2019 11:38:06 +0200
|
||||
Subject: [PATCH] SSS_CLIENT: got rid of using PRNG
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
1) no reason to expect "thundering herd issue"
|
||||
2) randomization as it was done (strictly 1 or 2 secs)
|
||||
would not help much anyway
|
||||
3) usage of PRNG might break app that depends on deterministic
|
||||
PRNG behaviour
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4094
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/sss_client/common.c | 7 +------
|
||||
1 file changed, 1 insertion(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 930efe4a1..270ca8b54 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -566,11 +566,6 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
|
||||
/* this piece is adapted from winbind client code */
|
||||
wait_time = 0;
|
||||
sleep_time = 0;
|
||||
- /* This is not security relevant functionality and
|
||||
- * it is undesirable to pull unnecessary dependency (util/crypto)
|
||||
- * so plain srand() & rand() are used here.
|
||||
- */
|
||||
- srand(time(NULL) * getpid());
|
||||
while (inprogress) {
|
||||
int connect_errno = 0;
|
||||
socklen_t errnosize;
|
||||
@@ -605,7 +600,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
|
||||
break;
|
||||
case EAGAIN:
|
||||
if (wait_time < timeout) {
|
||||
- sleep_time = rand() % 2 + 1;
|
||||
+ sleep_time = 1;
|
||||
sleep(sleep_time);
|
||||
}
|
||||
break;
|
||||
--
|
||||
2.23.0
|
||||
|
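Review bot: After the second hunk, `sleep_time` is only ever assigned the constants 0 and 1, so the variable and its `sleep_time = 0;` initialisation at the top of the first hunk no longer carry information; `sleep(1);` in the EAGAIN branch reads more directly, unless sleep_time is still consumed elsewhere in sss_cli_open_socket, whose body runs outside both hunks. The surviving `/* this piece is adapted from winbind client code */` comment now introduces a retry loop without the jitter the adapted code had, and could say so, e.g. `/* adapted from winbind client code; fixed 1s retry, no randomised back-off */`. Dropping srand()/rand() from a shared client library is the right call independently of the thundering-herd argument, because a library reseeding the process-wide PRNG changes behaviour for every caller; that reasoning is in the patch description and need not be repeated in code.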
|
@ -15,11 +15,11 @@ index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab
|
|||
@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
|
||||
Type=notify
|
||||
NotifyAccess=main
|
||||
PIDFile=@localstatedir@/run/sssd.pid
|
||||
PIDFile=@pidpath@/sssd.pid
|
||||
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
--
|
||||
2.15.1
|
||||
|
||||
|
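Review bot: The retained `CapabilityBoundingSet=` line lists twelve capabilities, including CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID, with no comment visible in this hunk saying which sssd component needs each one, so the bounding set cannot be reviewed for least privilege or pruned later. With CAP_SYS_ADMIN retained the bounding set removes little of practical value, which is worth stating explicitly if it is deliberate. A unit-file comment above the line, such as `# Bounding set for sssd and its children; see the patch description for the per-capability rationale`, together with a per-capability list in the inner patch's commit message, would address that; that commit message lies outside this hunk. The hunk itself only rebases the PIDFile context line.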
|
|
@ -1,39 +0,0 @@
|
|||
From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@fedoraproject.org>
|
||||
Date: Fri, 3 Nov 2017 16:18:14 +0100
|
||||
Subject: [PATCH] Disable stopping idle socket activated responders
|
||||
|
||||
---
|
||||
src/confdb/confdb.h | 2 +-
|
||||
src/man/sssd.conf.5.xml | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -85,7 +85,7 @@
|
||||
/* Responders */
|
||||
#define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
|
||||
#define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
|
||||
-#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
|
||||
+#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
|
||||
#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
|
||||
#define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
|
||||
#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -706,7 +706,7 @@
|
||||
or dbus activated.
|
||||
</para>
|
||||
<para>
|
||||
- Default: 300
|
||||
+ Default: 0
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
From 7459b3326e99e5d2e6ea924100705ef56525cb96 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Mon, 13 Aug 2018 19:34:47 +0200
|
||||
Subject: [PATCH] sbus_generate: python -> platform-python
|
||||
|
||||
---
|
||||
sbus_generate.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sbus_generate.sh b/sbus_generate.sh
|
||||
index 338fd9d33..1eefa4cb5 100755
|
||||
--- a/sbus_generate.sh
|
||||
+++ b/sbus_generate.sh
|
||||
@@ -13,7 +13,7 @@ generate() {
|
||||
|
||||
echo "Generating sbus code for: $XML"
|
||||
|
||||
- python $CODEGEN --sbus sbus --util util \
|
||||
+ python3 $CODEGEN --sbus sbus --util util \
|
||||
--headers "$HEADERS" \
|
||||
--dest "$SRCDIR/src/$DEST" \
|
||||
--fileprefix "sbus_${PREFIX}_" \
|
||||
--
|
||||
2.17.1
|
||||
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (sssd-2.0.0.tar.gz) = affeb0799d8a4fcbcb4b2ed7925b397ae6ba0e2982c5603e98636b765d3820a3b29ac58b0771e5cc00c752512f091ae4fd271d441544147a0570d3c14b535701
|
||||
SHA512 (sssd-2.2.2.tar.gz) = 4cce8fdbcc05d1469dad5ba987cb0f9bc33702b37f85e8e248975461bb50b0740fec92ff213bdb640b506405be7ead936ff253ab02d4a27205ddf20cc0e54801
|
||||
|
|
113
sssd.spec
113
sssd.spec
|
@ -35,9 +35,8 @@
|
|||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 2.0.0
|
||||
Release: 1%{?dist}
|
||||
Group: Applications/System
|
||||
Version: 2.2.2
|
||||
Release: 3%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://pagure.io/SSSD/sssd/
|
||||
|
@ -45,10 +44,17 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
|||
|
||||
### Patches ###
|
||||
|
||||
# Fix KCM cached tickets behaving as if expired shortly after issue
|
||||
# https://github.com/SSSD/sssd/pull/904
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1757224
|
||||
Patch0: 0001-KCM-Set-kdc_offset-to-zero-initially.patch
|
||||
# Workaround a problem setting up replica in containers
|
||||
# https://github.com/SSSD/sssd/pull/900
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1755643
|
||||
Patch1: 0001-SSS_CLIENT-got-rid-of-using-PRNG.patch
|
||||
|
||||
### Downstream only patches ###
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
|
||||
Patch0504: 0504-sbus_generate-python-platform-python.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
|
@ -116,6 +122,7 @@ BuildRequires: selinux-policy-targeted
|
|||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: uid_wrapper
|
||||
BuildRequires: nss_wrapper
|
||||
BuildRequires: pam_wrapper
|
||||
BuildRequires: libnl3-devel
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: systemd
|
||||
|
@ -564,8 +571,7 @@ UIDs/GIDs to names and vice versa. It can be also used for mapping principal
|
|||
(user) name to IDs(UID or GID) or to obtain groups which user are member of.
|
||||
|
||||
%package -n libsss_certmap
|
||||
Summary: SSSD Certficate Mapping Library
|
||||
Group: Development/Libraries
|
||||
Summary: SSSD Certificate Mapping Library
|
||||
License: LGPLv3+
|
||||
Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
|
@ -575,8 +581,7 @@ Conflicts: sssd-common < %{version}-%{release}
|
|||
Library to map certificates to users based on rules
|
||||
|
||||
%package -n libsss_certmap-devel
|
||||
Summary: SSSD Certficate Mapping Library
|
||||
Group: Development/Libraries
|
||||
Summary: SSSD Certificate Mapping Library
|
||||
License: LGPLv3+
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
|
||||
|
@ -847,12 +852,12 @@ done
|
|||
%dir %{sssdstatedir}
|
||||
%dir %{_localstatedir}/cache/krb5rcache
|
||||
%attr(700,root,root) %dir %{dbpath}
|
||||
%attr(755,root,root) %dir %{mcpath}
|
||||
%attr(775,root,root) %dir %{mcpath}
|
||||
%attr(700,root,root) %dir %{secdbpath}
|
||||
%attr(751,root,root) %dir %{deskprofilepath}
|
||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
|
||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
|
||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
|
||||
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
|
||||
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group
|
||||
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
|
||||
%attr(755,root,root) %dir %{pipepath}
|
||||
%attr(700,root,root) %dir %{pipepath}/private
|
||||
%attr(755,root,root) %dir %{pubconfpath}
|
||||
|
@ -1211,6 +1216,88 @@ fi
|
|||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Tue Oct 22 2019 Adam Williamson <awilliam@redhat.com> - 2.2.2-3
|
||||
- Resolves: rhbz#1755643 - Upgrade to sssd 2.2.2-1.fc30 breaks setting
|
||||
up FreeIPA replica in containers
|
||||
|
||||
* Tue Oct 22 2019 Adam Williamson <awilliam@redhat.com> - 2.2.2-2
|
||||
- Resolves: rhbz#1757224 - Tickets act like they're expiring prematurely
|
||||
when using KCM cache
|
||||
|
||||
* Wed Sep 11 2019 Michal Židek <mzidek@redhat.com> - 2.2.2-1
|
||||
- Update to latest released upstream version
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_2.html
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_1.html
|
||||
|
||||
* Fri Jul 5 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-3
|
||||
- Resolves: rhbz#1721636 - sssd-kcm calls sssd-genconf which triggers
|
||||
nscd warning
|
||||
|
||||
* Fri Jul 5 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-2
|
||||
- Resolves: rhbz#1724717 - sssd-proxy crashes resolving groups with
|
||||
no members
|
||||
|
||||
* Mon Jun 17 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
|
||||
- Update to latest released upstream version
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_0.html
|
||||
|
||||
* Wed Mar 27 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-2
|
||||
- Resolves: upstream#3867 - [RFE] Need an option in SSSD so that it will skip
|
||||
GPOs that have groupPolicyContainers unreadable
|
||||
by SSSD.
|
||||
- CVE-2018-16838
|
||||
|
||||
* Wed Mar 27 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-1
|
||||
- Update to latest released upstream version
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_1_0.html
|
||||
|
||||
* Wed Dec 12 2018 Adam Williamson <awilliam@redhat.com> - 2.0.0-5
|
||||
- Resolves: rhbz#1654537 - sbus: use 120 second default timeout
|
||||
|
||||
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-4
|
||||
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
|
||||
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
|
||||
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
|
||||
differs from the default
|
||||
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
|
||||
might not be available on all distributions
|
||||
- Resolves: upstream#3820 - sudo: search with lower cased name for case
|
||||
insensitive domains
|
||||
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
|
||||
an allow-any default to a deny-any default when it
|
||||
can't find any GPOs to apply to a user login.
|
||||
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
|
||||
startup
|
||||
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
|
||||
also for local account authentication
|
||||
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
|
||||
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
|
||||
commands in man pages since local provider is
|
||||
deprecated
|
||||
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
|
||||
started due to a misconfiguration
|
||||
- Resolves: upstream#3830 - Printing incorrect information about domain with
|
||||
sssctl utility
|
||||
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
|
||||
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
|
||||
changes in nsswitch.conf
|
||||
- Resovles: upstream#3650 - RFE: Require smartcard authentication
|
||||
- Resolves: upstream#3334 - sssctl config-check does not check any special
|
||||
characters in domain name of domain section
|
||||
- Resolves: upstream#3849 - Files: The files provider always enumerates
|
||||
which causes duplicate when running getent passwd
|
||||
- Related: upstream#3855 - session not recording for local user when groups
|
||||
defined
|
||||
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
|
||||
- Related: upstream#3493 - Remove the pysss.local interface
|
||||
|
||||
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-3
|
||||
- Resolves: rhbz#1622760 - Console login as FreeIPA domain user fails in
|
||||
current Fedora Rawhide / 29
|
||||
|
||||
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-2
|
||||
- Fix linking issues
|
||||
|
||||
* Tue Aug 14 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-1
|
||||
- New upstream release 2.0.0
|
||||
|
||||
|
|
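Review bot: In the `%files` hunk (@ -847,12 +852,12 @@) the memory-cache directory moves from 755 to 775 and the ghost `%{mcpath}/passwd`, `group` and `initgroups` entries from 0644 to 0664 while ownership stays root:root, and nothing in the visible hunks says why; reading the rendered page as old-then-new, the looser modes are on the new side. With group root as owner the extra group-write bit grants nothing today, so the change only makes sense as preparation for a non-root writer, and that intent should be recorded next to the entries, e.g. `# mcache dir/files are group-writable so a non-root sssd process can maintain them`, naming the group that is meant to receive write access, or the modes should stay 755/0644 until that group exists. The changelog entries for 2.2.2-2 and 2.2.2-3 document the two new patches but not this permission change.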