import sssd-2.10.0-2.el10

015893e8 · Rocky Automation · 1c5dcbaf · 015893e8 · 015893e8 · 015893e8
Commit 015893e8 authored 5 months ago by Rocky Automation
--- a/.sssd.metadata
+++ b/.sssd.metadata
-4161a8fa48cf753253811aedc2bdd2df290774432ccee72261208fec981ebdc3 SOURCES/sssd-2.10.0-beta2.tar.gz
+0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d SOURCES/sssd-2.10.0.tar.gz
--- a/SOURCES/0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
+++ b/SOURCES/0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
+From d523261c312c1ccab0253ddf14b54daba44ed268 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 13 Sep 2024 15:45:59 +0200
+Subject: [PATCH] ldap: add 'exop_force' value for ldap_pwmodify_mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case the LDAP server allows to run the extended operation to change a
+password even if an authenticated bind fails due to missing grace logins
+the new option 'exop_force' can be used to run the extended operation to
+change the password anyways.
+
+:config: Added `exop_force` value for configuration option
+  `ldap_pwmodify_mode`. This can be used to force a password change even
+  if no grace logins are left. Depending on the configuration of the
+  LDAP server it might be expected that the password change will fail.
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 7184541976608d357a5da48d09a7fa08862477d8)
+---
+ src/man/sssd-ldap.5.xml                    | 11 +++++++++
+ src/providers/ipa/ipa_auth.c               |  3 ++-
+ src/providers/ldap/ldap_auth.c             |  5 +++-
+ src/providers/ldap/ldap_options.c          |  2 ++
+ src/providers/ldap/sdap.h                  |  5 ++--
+ src/providers/ldap/sdap_async.h            |  3 ++-
+ src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++-----
+ 7 files changed, 45 insertions(+), 11 deletions(-)
+
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index a6f9b1c97..d50aa65b2 100644
+--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
+@@ -234,6 +234,17 @@
+                                         userPassword (not recommended).
+                                     </para>
+                                 </listitem>
+                                <listitem>
+                                    <para>
+                                        exop_force - Try Password Modify
+                                        Extended Operation (RFC 3062) even if
+                                        there are no grace logins left.
+                                        Depending on the type and configuration
+                                        of the LDAP server the password change
+                                        might fail because an authenticated bind
+                                        is not possible.
+                                    </para>
+                                </listitem>
+                             </itemizedlist>
+                         </para>
+                         <para>
+diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
+index e238d0623..db1cd6ad3 100644
+--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
+@@ -397,7 +397,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
+                                   SDAP_USE_PPOLICY);
+ 
+     subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
+-                            state->pd->authtok, timeout, use_ppolicy);
+                            state->pd->authtok, timeout, use_ppolicy,
+                            state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
+     if (subreq == NULL) {
+         goto done;
+     }
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index 9ccbdabdb..370cdf171 100644
+--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
+@@ -914,7 +914,8 @@ static void auth_do_bind(struct tevent_req *req)
+     subreq = sdap_auth_send(state, state->ev, state->sh,
+                             NULL, NULL, state->dn,
+                             state->authtok,
+-                            timeout, use_ppolicy);
+                            timeout, use_ppolicy,
+                            state->ctx->opts->pwmodify_mode);
+     if (!subreq) {
+         tevent_req_error(req, ENOMEM);
+         return;
+@@ -1208,6 +1209,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,
+ 
+     switch (opts->pwmodify_mode) {
+     case SDAP_PWMODIFY_EXOP:
+    case SDAP_PWMODIFY_EXOP_FORCE:
+         use_ppolicy = dp_opt_get_bool(opts->basic, SDAP_USE_PPOLICY);
+         subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
+                                               password, new_password,
+@@ -1252,6 +1254,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)
+ 
+     switch (state->mode) {
+     case SDAP_PWMODIFY_EXOP:
+    case SDAP_PWMODIFY_EXOP_FORCE:
+         ret = sdap_exop_modify_passwd_recv(subreq, state,
+                                            &state->user_error_message);
+         break;
+diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
+index 277bcb529..72a95300d 100644
+--- a/src/providers/ldap/ldap_options.c
+++ b/src/providers/ldap/ldap_options.c
+@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
+         opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
+     } else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
+         opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
+    } else if (strcasecmp(pwmodify, "exop_force") == 0) {
+        opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
+     } else {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
+         ret = EINVAL;
+diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
+index d66ca156a..35a4d5e1c 100644
+--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
+@@ -550,8 +550,9 @@ struct sdap_options {
+ 
+     /* password modify mode */
+     enum pwmodify_mode {
+-        SDAP_PWMODIFY_EXOP = 1,     /* pwmodify extended operation */
+-        SDAP_PWMODIFY_LDAP = 2      /* ldap_modify of userPassword */
+        SDAP_PWMODIFY_EXOP = 1,      /* pwmodify extended operation */
+        SDAP_PWMODIFY_LDAP = 2,      /* ldap_modify of userPassword */
+        SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
+     } pwmodify_mode;
+ 
+     /* The search bases for the domain or its subdomain */
+diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
+index a78a1157c..700cd6f9c 100644
+--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
+@@ -147,7 +147,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
+                                   const char *user_dn,
+                                   struct sss_auth_token *authtok,
+                                   int simple_bind_timeout,
+-                                  bool use_ppolicy);
+                                  bool use_ppolicy,
+                                  enum pwmodify_mode pwmodify_mode);
+ 
+ errno_t sdap_auth_recv(struct tevent_req *req,
+                        TALLOC_CTX *memctx,
+diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
+index a6d4ee443..67c09835b 100644
+--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
+@@ -646,6 +646,7 @@ struct simple_bind_state {
+     struct tevent_context *ev;
+     struct sdap_handle *sh;
+     const char *user_dn;
+    enum pwmodify_mode pwmodify_mode;
+ 
+     struct sdap_op *op;
+ 
+@@ -663,7 +664,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
+                                            int timeout,
+                                            const char *user_dn,
+                                            struct berval *pw,
+-                                           bool use_ppolicy)
+                                           bool use_ppolicy,
+                                           enum pwmodify_mode pwmodify_mode)
+ {
+     struct tevent_req *req;
+     struct simple_bind_state *state;
+@@ -686,6 +688,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
+     state->ev = ev;
+     state->sh = sh;
+     state->user_dn = user_dn;
+    state->pwmodify_mode = pwmodify_mode;
+ 
+     if (use_ppolicy) {
+         ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+@@ -872,7 +875,12 @@ static void simple_bind_done(struct sdap_op *op,
+                      * Grace Authentications". */
+                     DEBUG(SSSDBG_TRACE_LIBS,
+                           "Password expired, grace logins exhausted.\n");
+-                    ret = ERR_AUTH_FAILED;
+                    if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
+                        DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
+                        ret = ERR_PASSWORD_EXPIRED;
+                    } else {
+                        ret = ERR_AUTH_FAILED;
+                    }
+                 }
+             } else if (strcmp(response_controls[c]->ldctl_oid,
+                               LDAP_CONTROL_PWEXPIRED) == 0) {
+@@ -885,7 +893,12 @@ static void simple_bind_done(struct sdap_op *op,
+                 if (result == LDAP_INVALID_CREDENTIALS) {
+                     DEBUG(SSSDBG_TRACE_LIBS,
+                           "Password expired, grace logins exhausted.\n");
+-                    ret = ERR_AUTH_FAILED;
+                    if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
+                        DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
+                        ret = ERR_PASSWORD_EXPIRED;
+                    } else {
+                        ret = ERR_AUTH_FAILED;
+                    }
+                 } else {
+                     DEBUG(SSSDBG_TRACE_LIBS,
+                           "Password expired, user must set a new password.\n");
+@@ -1365,7 +1378,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
+                                   const char *user_dn,
+                                   struct sss_auth_token *authtok,
+                                   int simple_bind_timeout,
+-                                  bool use_ppolicy)
+                                  bool use_ppolicy,
+                                  enum pwmodify_mode pwmodify_mode)
+ {
+     struct tevent_req *req, *subreq;
+     struct sdap_auth_state *state;
+@@ -1404,7 +1418,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
+         pw.bv_len = pwlen;
+ 
+         state->is_sasl = false;
+-        subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, use_ppolicy);
+        subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, use_ppolicy, pwmodify_mode);
+         if (!subreq) {
+             tevent_req_error(req, ENOMEM);
+             return tevent_req_post(req, ev);
+@@ -1981,7 +1995,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
+                             dp_opt_get_int(state->opts->basic,
+                                            SDAP_OPT_TIMEOUT),
+                             dp_opt_get_bool(state->opts->basic,
+-                                            SDAP_USE_PPOLICY));
+                                            SDAP_USE_PPOLICY),
+                            state->opts->pwmodify_mode);
+     talloc_free(authtok);
+     if (!subreq) {
+         tevent_req_error(req, ENOMEM);
+-- 
+2.46.1
+
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -59,20 +59,16 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})

 Name: sssd
-Version: 2.10.0~beta2
-# Using '.el10' directly is a work around RHEL-38900
-Release: 3%{?dist}
+Version: 2.10.0
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
-Source0: https://github.com/SSSD/sssd/releases/download/2.10.0-beta2/sssd-2.10.0-beta2.tar.gz
+Source0: https://github.com/SSSD/sssd/releases/download/2.10.0/sssd-2.10.0.tar.gz
 Source1: sssd.sysusers

 ### Patches ###
-Patch0001: 0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch
-Patch0002: 0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
-Patch0003: 0003-SYSDB-remove-index-on-dataExpireTimestamp.patch
-Patch0004: 0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch
+Patch0001: 0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch

 ### Dependencies ###

@@ -197,9 +193,7 @@ License: GPL-3.0-or-later
 # libsss_simpleifp is removed
 Obsoletes: libsss_simpleifp < 2.9.2
 Obsoletes: libsss_simpleifp-debuginfo < 2.9.2
-%if %{use_sssd_user}
 Obsoletes: sssd-polkit-rules < 2.10.0
-%endif
 # Requires
 # due to ABI changes in 1.1.30/1.2.0
 Requires: libldb >= %{ldb_version}
@@ -538,7 +532,7 @@ enable authentication with passkey token.
 %endif

 %prep
-%autosetup -n sssd-2.10.0-beta2 -p1
+%autosetup -n sssd-2.10.0 -p1

 %build

@@ -568,9 +562,6 @@ autoreconf -ivf
 %if %{build_subid}
    --with-subid \
 %endif
-%if ! %{use_sssd_user}
-    --disable-polkit-rules-path \
-%endif
 %if %{build_passkey}
    --with-passkey \
 %endif
@@ -1040,11 +1031,12 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf

 %if %{use_sssd_user}
 %pre common
+! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true
 %if %{use_sysusers}
 %sysusers_create_compat %{SOURCE1}
 %else
 getent group sssd >/dev/null || groupadd -r sssd
-getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologin -c "User for sssd" sssd
 %endif
 %endif

@@ -1065,6 +1057,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
 %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
 %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
+%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true

 %preun common
 %systemd_preun sssd.service
@@ -1119,13 +1112,18 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us

 %preun client
 if [ $1 -eq 0 ] ; then
-        /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
+        /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so || true
 fi

 %posttrans common
 %systemd_postun_with_restart sssd.service

 %changelog
+* Tue Oct 15 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.0-1
+- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0
+- Resolves: RHEL-56701 - sss_ssh_knownhosts is breaking ansible-pull
+- Resolves: RHEL-55993 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not
+
 * Thu Aug 22 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.0~beta2-3
 - Resolves: RHEL-50243 - Please install sssd-polkit-rules by default