Compare commits
18 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
21e5a50f91 | ||
|
07f0353b8d | ||
|
6f70027c66 | ||
|
2d27e0be45 | ||
|
47b60da52b | ||
|
449250fa3d | ||
|
886000cc4e | ||
|
4fb46a33b0 | ||
|
c65021b500 | ||
|
c30b87e483 | ||
|
881ed84e73 | ||
|
604f5bdcf8 | ||
|
0ad4118238 | ||
|
3c5ce355b5 | ||
|
8c50a34c87 | ||
|
a6fca72c9a | ||
|
ba5f40ef58 | ||
|
66800435e8 |
4
.gitignore
vendored
4
.gitignore
vendored
@ -85,3 +85,7 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-2.2.0.tar.gz
|
||||
/sssd-2.2.1.tar.gz
|
||||
/sssd-2.2.2.tar.gz
|
||||
/sssd-2.2.3.tar.gz
|
||||
/sssd-2.3.0.tar.gz
|
||||
/sssd-2.3.1.tar.gz
|
||||
/sssd-2.4.0.tar.gz
|
||||
|
@ -1,48 +0,0 @@
|
||||
From 391dc02eafed23892c5752834b18174b6cd54e20 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||
Date: Fri, 24 Jan 2020 15:17:39 +0100
|
||||
Subject: [PATCH] Fix build failure against samba 4.12.0rc1
|
||||
|
||||
The ndr_pull_get_switch() function was dropped, but it was just a wrapper
|
||||
around the ndr_token_peek() function, so we can use this approach on both
|
||||
old and new versions of libndr.
|
||||
|
||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_gpo_ndr.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
|
||||
index d573033494bc5aa3b56bd698a6860261834e58fd..8f405aa62b1b65a5ab9e4e9131c37fda84c5ffba 100644
|
||||
--- a/src/providers/ad/ad_gpo_ndr.c
|
||||
+++ b/src/providers/ad/ad_gpo_ndr.c
|
||||
@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
|
||||
union security_ace_object_type *r)
|
||||
{
|
||||
uint32_t level;
|
||||
- level = ndr_pull_get_switch_value(ndr, r);
|
||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
||||
if (ndr_flags & NDR_SCALARS) {
|
||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
||||
@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
|
||||
union security_ace_object_inherited_type *r)
|
||||
{
|
||||
uint32_t level;
|
||||
- level = ndr_pull_get_switch_value(ndr, r);
|
||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
||||
if (ndr_flags & NDR_SCALARS) {
|
||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
||||
@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
|
||||
union security_ace_object_ctr *r)
|
||||
{
|
||||
uint32_t level;
|
||||
- level = ndr_pull_get_switch_value(ndr, r);
|
||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
||||
if (ndr_flags & NDR_SCALARS) {
|
||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
||||
--
|
||||
2.24.1
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 2c9bdcf579e430fa8f7e5595a17cf7242adb5216 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 11 Oct 2019 09:20:20 +0200
|
||||
Subject: [PATCH] KCM: Set kdc_offset to zero initially
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4100
|
||||
|
||||
KCM assumed that the client library would always set the KDC offset, but
|
||||
that's not always the case, especially when using multiple krb contexts
|
||||
from the client application:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1757224#c64
|
||||
|
||||
Heimdal also creates ccaches with zero kdc_offset:
|
||||
https://github.com/heimdal/heimdal/commit/9f58896af958ae5e6e3ebde8c48dad4eda841986
|
||||
so we should do the same..
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/responder/kcm/kcmsrv_ccache.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
|
||||
index e24da9aa2..66e2752ba 100644
|
||||
--- a/src/responder/kcm/kcmsrv_ccache.c
|
||||
+++ b/src/responder/kcm/kcmsrv_ccache.c
|
||||
@@ -82,7 +82,7 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
|
||||
|
||||
cc->owner.uid = cli_creds_get_uid(owner);
|
||||
cc->owner.gid = cli_creds_get_gid(owner);
|
||||
- cc->kdc_offset = INT32_MAX;
|
||||
+ cc->kdc_offset = 0;
|
||||
|
||||
talloc_set_destructor(cc, kcm_cc_destructor);
|
||||
*_cc = cc;
|
||||
--
|
||||
2.23.0
|
||||
|
@ -1,49 +0,0 @@
|
||||
From e47f143bcb86d04aa053c17373f9d9991fc63913 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 14 Oct 2019 11:38:06 +0200
|
||||
Subject: [PATCH] SSS_CLIENT: got rid of using PRNG
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
1) no reason to expect "thundering herd issue"
|
||||
2) randomization as it was done (strictly 1 or 2 secs)
|
||||
would not help much anyway
|
||||
3) usage of PRNG might break app that depends on deterministic
|
||||
PRNG behaviour
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/4094
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/sss_client/common.c | 7 +------
|
||||
1 file changed, 1 insertion(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 930efe4a1..270ca8b54 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -566,11 +566,6 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
|
||||
/* this piece is adapted from winbind client code */
|
||||
wait_time = 0;
|
||||
sleep_time = 0;
|
||||
- /* This is not security relevant functionality and
|
||||
- * it is undesirable to pull unnecessary dependency (util/crypto)
|
||||
- * so plain srand() & rand() are used here.
|
||||
- */
|
||||
- srand(time(NULL) * getpid());
|
||||
while (inprogress) {
|
||||
int connect_errno = 0;
|
||||
socklen_t errnosize;
|
||||
@@ -605,7 +600,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
|
||||
break;
|
||||
case EAGAIN:
|
||||
if (wait_time < timeout) {
|
||||
- sleep_time = rand() % 2 + 1;
|
||||
+ sleep_time = 1;
|
||||
sleep(sleep_time);
|
||||
}
|
||||
break;
|
||||
--
|
||||
2.23.0
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (sssd-2.2.2.tar.gz) = 4cce8fdbcc05d1469dad5ba987cb0f9bc33702b37f85e8e248975461bb50b0740fec92ff213bdb640b506405be7ead936ff253ab02d4a27205ddf20cc0e54801
|
||||
SHA512 (sssd-2.4.0.tar.gz) = d9a4b17665ce3a1ea51cfe2fdb53818ac1e265a33c61f657f61699ecc716e1244e45b5b628aeae6c54e601383084f3cac327cb3edd7bea80bca397b1fbe4ab72
|
||||
|
92
sssd.spec
92
sssd.spec
@ -35,29 +35,15 @@
|
||||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 2.2.2
|
||||
Release: 6%{?dist}
|
||||
Version: 2.4.0
|
||||
Release: 1%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://pagure.io/SSSD/sssd/
|
||||
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
||||
URL: https://github.com/SSSD/sssd/
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/sssd-2.4.0.tar.gz
|
||||
|
||||
### Patches ###
|
||||
|
||||
# Fix KCM cached tickets behaving as if expired shortly after issue
|
||||
# https://github.com/SSSD/sssd/pull/904
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1757224
|
||||
Patch0: 0001-KCM-Set-kdc_offset-to-zero-initially.patch
|
||||
# Workaround a problem setting up replica in containers
|
||||
# https://github.com/SSSD/sssd/pull/900
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1755643
|
||||
Patch1: 0001-SSS_CLIENT-got-rid-of-using-PRNG.patch
|
||||
|
||||
|
||||
# Work around samba 4.12.0rc1 dropping a function we use
|
||||
Patch2: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
|
||||
|
||||
|
||||
### Downstream only patches ###
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
|
||||
@ -86,6 +72,7 @@ Suggests: sssd-dbus = %{version}-%{release}
|
||||
|
||||
### Build Dependencies ###
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
@ -221,6 +208,7 @@ Requires: sssd-common = %{version}-%{release}
|
||||
# required by sss_obfuscate
|
||||
Requires: python3-sss = %{version}-%{release}
|
||||
Requires: python3-sssdconfig = %{version}-%{release}
|
||||
Recommends: sssd-dbus
|
||||
|
||||
%description tools
|
||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||
@ -535,11 +523,13 @@ autoreconf -ivf
|
||||
--with-gpo-cache-path=%{gpocachepath} \
|
||||
--with-init-dir=%{_initrddir} \
|
||||
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
|
||||
--with-pid-path=%{_rundir} \
|
||||
--enable-nsslibdir=%{_libdir} \
|
||||
--enable-pammoddir=%{_libdir}/security \
|
||||
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
|
||||
--disable-static \
|
||||
--disable-rpath \
|
||||
--with-libwbclient \
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
--without-python2-bindings \
|
||||
@ -551,7 +541,7 @@ autoreconf -ivf
|
||||
%{?with_cifs_utils_plugin_option} \
|
||||
%{?enable_systemtap_opt}
|
||||
|
||||
make %{?_smp_mflags} all docs
|
||||
make %{?_smp_mflags} all docs runstatedir=%{_rundir}
|
||||
|
||||
sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
|
||||
|
||||
@ -788,6 +778,7 @@ done
|
||||
%{_datadir}/sssd/systemtap/id_perf.stp
|
||||
%{_datadir}/sssd/systemtap/nested_group_perf.stp
|
||||
%{_datadir}/sssd/systemtap/dp_request.stp
|
||||
%{_datadir}/sssd/systemtap/ldap_perf.stp
|
||||
%dir %{_datadir}/systemtap
|
||||
%dir %{_datadir}/systemtap/tapset
|
||||
%{_datadir}/systemtap/tapset/sssd.stp
|
||||
@ -799,6 +790,7 @@ done
|
||||
%license COPYING
|
||||
%{_libdir}/%{name}/libsss_ldap.so
|
||||
%{_mandir}/man5/sssd-ldap.5*
|
||||
%{_mandir}/man5/sssd-ldap-attributes.5*
|
||||
|
||||
%files krb5-common
|
||||
%license COPYING
|
||||
@ -1082,6 +1074,68 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Mon Oct 12 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-1
|
||||
- Rebase to SSSD 2.4.0
|
||||
|
||||
* Mon Jul 27 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.1-2
|
||||
- Use correct run dir (RHBZ#1557622)
|
||||
|
||||
* Fri Jul 24 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.1-1
|
||||
- Rebase to SSSD 2.3.1
|
||||
|
||||
* Wed May 20 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.0-1
|
||||
- Rebase to SSSD 2.3.0
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-13
|
||||
- Resolves: upstream#4159 - p11_child should have an option to skip
|
||||
C_WaitForSlotEvent if the PKCS#11 module does not
|
||||
implement it properly
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-12
|
||||
- Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in
|
||||
`sss_ptr_hash_delete_cb()`
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-11
|
||||
- Resolves: upstream#4118 - sssd requires timed sudoers ldap entries to be
|
||||
specified up to the seconds
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-11
|
||||
- Add sssd-dbus package as a dependency of sssd-tools
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-10
|
||||
- Resolves: upstream#4142 - sssd_be frequent crash
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-9
|
||||
- Resolves: upstream#4131 Force LDAPS over 636 with AD Provider
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-8
|
||||
- Resolves: upstream#3630 - Randomize ldap_connection_expire_timeout either
|
||||
by default or w/ a configure option
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-7
|
||||
- Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in
|
||||
`sss_ptr_hash_delete_cb()`
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-6
|
||||
- Resolves: upstream#4088 - server/be: SIGTERM handling is incorrect
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-5
|
||||
- Resolves: upstream##4089 Watchdog implementation or usage is incorrect
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-4
|
||||
- Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-3
|
||||
- Resolves: upstream#4127 - [Doc]Provide explanation on escape character for
|
||||
match rules sss-certmap
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-2
|
||||
- Resolves: upstream#4129 - sssctl config-check command does not give proper
|
||||
error messages with line numbers
|
||||
|
||||
* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-1
|
||||
- Update to latest released upstream version
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_3.htm
|
||||
|
||||
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.2-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
|
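Review bot: The GitHub `Source0` line in the first sssd.spec hunk spells the release out twice as literals (`sssd-2_4_0/sssd-2.4.0.tar.gz`), whereas the pagure line next to it built the file name from `%{name}-%{version}`, so a later rebase that bumps only `Version:` would leave the spec naming a different tarball from the one hashed in `sources`. Keeping the macro for the file name, `Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/%{name}-%{version}.tar.gz`, leaves only the tag component to edit by hand. Separately, the only integrity check visible on this page is the SHA512 entry in `sources`, which pins the bytes the packager fetched rather than their origin; if upstream publishes a detached signature for the release, carrying it and the keyring as extra `Source` entries and calling `%{gpgverify}` in `%prep` would tie the build to the upstream key. The rendered page has lost the `+`/`-` column, so which of the paired lines is the new side is inferred here from the 2.4.0 version.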