Backport PR #900 to fix RHBZ #1755643

(cherry picked from commit 7f0d43352a)
(cherry picked from commit 9fb549e162)

.gitignore

@@ -81,3 +81,7 @@ sssd-1.2.91.tar.gz
 /sssd-1.16.1.tar.gz
 /sssd-1.16.2.tar.gz
 /sssd-2.0.0.tar.gz
+/sssd-2.1.0.tar.gz
+/sssd-2.2.0.tar.gz
+/sssd-2.2.1.tar.gz
+/sssd-2.2.2.tar.gz

0001-KCM-Set-kdc_offset-to-zero-initially.patch

@@ -0,0 +1,41 @@
+From 2c9bdcf579e430fa8f7e5595a17cf7242adb5216 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 11 Oct 2019 09:20:20 +0200
+Subject: [PATCH] KCM: Set kdc_offset to zero initially
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4100
+
+KCM assumed that the client library would always set the KDC offset, but
+that's not always the case, especially when using multiple krb contexts
+from the client application:
+    https://bugzilla.redhat.com/show_bug.cgi?id=1757224#c64
+
+Heimdal also creates ccaches with zero kdc_offset:
+    https://github.com/heimdal/heimdal/commit/9f58896af958ae5e6e3ebde8c48dad4eda841986
+so we should do the same..
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/responder/kcm/kcmsrv_ccache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
+index e24da9aa2..66e2752ba 100644
+--- a/src/responder/kcm/kcmsrv_ccache.c
++++ b/src/responder/kcm/kcmsrv_ccache.c
+@@ -82,7 +82,7 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
+ 
+     cc->owner.uid = cli_creds_get_uid(owner);
+     cc->owner.gid = cli_creds_get_gid(owner);
+-    cc->kdc_offset = INT32_MAX;
++    cc->kdc_offset = 0;
+ 
+     talloc_set_destructor(cc, kcm_cc_destructor);
+     *_cc = cc;
+-- 
+2.23.0
+

0001-SSS_CLIENT-got-rid-of-using-PRNG.patch

@@ -0,0 +1,49 @@
+From e47f143bcb86d04aa053c17373f9d9991fc63913 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 14 Oct 2019 11:38:06 +0200
+Subject: [PATCH] SSS_CLIENT: got rid of using PRNG
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+1) no reason to expect "thundering herd issue"
+2) randomization as it was done (strictly 1 or 2 secs)
+   would not help much anyway
+3) usage of PRNG might break app that depends on deterministic
+   PRNG behaviour
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4094
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/sss_client/common.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 930efe4a1..270ca8b54 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -566,11 +566,6 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
+     /* this piece is adapted from winbind client code */
+     wait_time = 0;
+     sleep_time = 0;
+-    /* This is not security relevant functionality and
+-     * it is undesirable to pull unnecessary dependency (util/crypto)
+-     * so plain srand() & rand() are used here.
+-     */
+-    srand(time(NULL) * getpid());
+     while (inprogress) {
+         int connect_errno = 0;
+         socklen_t errnosize;
+@@ -605,7 +600,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
+             break;
+         case EAGAIN:
+             if (wait_time < timeout) {
+-                sleep_time = rand() % 2 + 1;
++                sleep_time = 1;
+                 sleep(sleep_time);
+             }
+             break;
+-- 
+2.23.0
+

0502-SYSTEMD-Use-capabilities.patch

@@ -15,11 +15,11 @@ index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab
 @@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
  Type=notify
  NotifyAccess=main
- PIDFile=@localstatedir@/run/sssd.pid
+ PIDFile=@pidpath@/sssd.pid
 +CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
+ Restart=on-failure
  
  [Install]
- WantedBy=multi-user.target
 -- 
 2.15.1
 

0503-Disable-stopping-idle-socket-activated-responders.patch

@@ -1,39 +0,0 @@
-From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@fedoraproject.org>
-Date: Fri, 3 Nov 2017 16:18:14 +0100
-Subject: [PATCH] Disable stopping idle socket activated responders
-
----
- src/confdb/confdb.h     | 2 +-
- src/man/sssd.conf.5.xml | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
---- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -85,7 +85,7 @@
- /* Responders */
- #define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
- #define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
--#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
-+#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
- #define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
- #define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
- #define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -706,7 +706,7 @@
-                             or dbus activated.
-                         </para>
-                         <para>
--                            Default: 300
-+                            Default: 0
-                         </para>
-                     </listitem>
-                 </varlistentry>
--- 
-2.14.3
-

0504-sbus_generate-python-platform-python.patch

@@ -1,25 +0,0 @@
-From 7459b3326e99e5d2e6ea924100705ef56525cb96 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Mon, 13 Aug 2018 19:34:47 +0200
-Subject: [PATCH] sbus_generate: python -> platform-python
-
----
- sbus_generate.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sbus_generate.sh b/sbus_generate.sh
-index 338fd9d33..1eefa4cb5 100755
---- a/sbus_generate.sh
-+++ b/sbus_generate.sh
-@@ -13,7 +13,7 @@ generate() {
- 
-     echo "Generating sbus code for: $XML"
- 
--    python $CODEGEN --sbus sbus --util util \
-+    python3 $CODEGEN --sbus sbus --util util \
-         --headers "$HEADERS" \
-         --dest "$SRCDIR/src/$DEST" \
-         --fileprefix "sbus_${PREFIX}_" \
--- 
-2.17.1
-

sources

@@ -1 +1 @@
-SHA512 (sssd-2.0.0.tar.gz) = affeb0799d8a4fcbcb4b2ed7925b397ae6ba0e2982c5603e98636b765d3820a3b29ac58b0771e5cc00c752512f091ae4fd271d441544147a0570d3c14b535701
+SHA512 (sssd-2.2.2.tar.gz) = 4cce8fdbcc05d1469dad5ba987cb0f9bc33702b37f85e8e248975461bb50b0740fec92ff213bdb640b506405be7ead936ff253ab02d4a27205ddf20cc0e54801

sssd.spec

@@ -35,9 +35,8 @@
 %endif
 
 Name: sssd
-Version: 2.0.0
-Release: 1%{?dist}
-Group: Applications/System
+Version: 2.2.2
+Release: 3%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
@@ -45,10 +44,17 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 
 ### Patches ###
 
+# Fix KCM cached tickets behaving as if expired shortly after issue
+# https://github.com/SSSD/sssd/pull/904
+# https://bugzilla.redhat.com/show_bug.cgi?id=1757224
+Patch0: 0001-KCM-Set-kdc_offset-to-zero-initially.patch
+# Workaround a problem setting up replica in containers
+# https://github.com/SSSD/sssd/pull/900
+# https://bugzilla.redhat.com/show_bug.cgi?id=1755643
+Patch1: 0001-SSS_CLIENT-got-rid-of-using-PRNG.patch
+
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
-Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
-Patch0504: 0504-sbus_generate-python-platform-python.patch
 
 ### Dependencies ###
 
@@ -116,6 +122,7 @@ BuildRequires: selinux-policy-targeted
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: uid_wrapper
 BuildRequires: nss_wrapper
+BuildRequires: pam_wrapper
 BuildRequires: libnl3-devel
 BuildRequires: systemd-devel
 BuildRequires: systemd
@@ -564,8 +571,7 @@ UIDs/GIDs to names and vice versa. It can be also used for mapping principal
 (user) name to IDs(UID or GID) or to obtain groups which user are member of.
 
 %package -n libsss_certmap
-Summary: SSSD Certficate Mapping Library
-Group: Development/Libraries
+Summary: SSSD Certificate Mapping Library
 License: LGPLv3+
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
@@ -575,8 +581,7 @@ Conflicts: sssd-common < %{version}-%{release}
 Library to map certificates to users based on rules
 
 %package -n libsss_certmap-devel
-Summary: SSSD Certficate Mapping Library
-Group: Development/Libraries
+Summary: SSSD Certificate Mapping Library
 License: LGPLv3+
 Requires: libsss_certmap = %{version}-%{release}
 
@@ -847,12 +852,12 @@ done
 %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
 %attr(700,root,root) %dir %{dbpath}
-%attr(755,root,root) %dir %{mcpath}
+%attr(775,root,root) %dir %{mcpath}
 %attr(700,root,root) %dir %{secdbpath}
 %attr(751,root,root) %dir %{deskprofilepath}
-%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
-%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
-%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
 %attr(755,root,root) %dir %{pipepath}
 %attr(700,root,root) %dir %{pipepath}/private
 %attr(755,root,root) %dir %{pubconfpath}
@@ -1211,6 +1216,88 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Tue Oct 22 2019 Adam Williamson <awilliam@redhat.com> - 2.2.2-3
+- Resolves: rhbz#1755643 - Upgrade to sssd 2.2.2-1.fc30 breaks setting
+                           up FreeIPA replica in containers
+
+* Tue Oct 22 2019 Adam Williamson <awilliam@redhat.com> - 2.2.2-2
+- Resolves: rhbz#1757224 - Tickets act like they're expiring prematurely
+                           when using KCM cache
+
+* Wed Sep 11 2019 Michal Židek <mzidek@redhat.com> - 2.2.2-1
+- Update to latest released upstream version
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_2.html
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_1.html
+
+* Fri Jul  5 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-3
+- Resolves: rhbz#1721636 - sssd-kcm calls sssd-genconf which triggers
+                           nscd warning
+
+* Fri Jul  5 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.2.0-2
+- Resolves: rhbz#1724717 - sssd-proxy crashes resolving groups with
+                           no members
+
+* Mon Jun 17 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
+- Update to latest released upstream version
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_0.html
+
+* Wed Mar 27 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-2
+- Resolves: upstream#3867 - [RFE] Need an option in SSSD so that it will skip
+                             GPOs that have groupPolicyContainers unreadable
+                             by SSSD.
+- CVE-2018-16838
+
+* Wed Mar 27 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-1
+- Update to latest released upstream version
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_1_0.html
+
+* Wed Dec 12 2018 Adam Williamson <awilliam@redhat.com> - 2.0.0-5
+- Resolves: rhbz#1654537 - sbus: use 120 second default timeout
+
+* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-4
+- Resolves: upstream#3821 - crash related to sbus_router_destructor()
+- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
+- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
+                            differs from the default
+- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
+                            might not be available on all distributions
+- Resolves: upstream#3820 - sudo: search with lower cased name for case
+                            insensitive domains
+- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
+                            an allow-any default to a deny-any default when it
+                            can't find any GPOs to apply to a user login.
+- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
+                            startup
+- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
+                            also for local account authentication
+- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
+- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
+                            commands in man pages since local provider is
+                            deprecated
+- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
+                            started due to a misconfiguration
+- Resolves: upstream#3830 - Printing incorrect information about domain with
+                            sssctl utility
+- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
+- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
+                            changes in nsswitch.conf
+- Resovles: upstream#3650 - RFE: Require smartcard authentication
+- Resolves: upstream#3334 - sssctl config-check does not check any special
+                            characters in domain name of domain section
+- Resolves: upstream#3849 - Files: The files provider always enumerates
+                            which causes duplicate when running getent passwd
+- Related: upstream#3855 - session not recording for local user when groups
+                           defined
+- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
+- Related: upstream#3493 - Remove the pysss.local interface
+
+* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-3
+- Resolves: rhbz#1622760 - Console login as FreeIPA domain user fails in
+                           current Fedora Rawhide / 29
+
+* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-2
+- Fix linking issues
+
 * Tue Aug 14 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-1
 - New upstream release 2.0.0