From ecd8e1bf55015daac5fca89b787d674e51e9b513 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 07 2019 19:24:03 +0000
Subject: import sssd-2.0.0-43.el8_0.3
---
diff --git a/SOURCES/0100-pam_sss-PAM_USER_UNKNOWN-if-socket-is-missing.patch b/SOURCES/0100-pam_sss-PAM_USER_UNKNOWN-if-socket-is-missing.patch
new file mode 100644
index 0000000..ece50bc
--- /dev/null
+++ b/SOURCES/0100-pam_sss-PAM_USER_UNKNOWN-if-socket-is-missing.patch
@@ -0,0 +1,139 @@
+From 0479c6f1598602909487c499266fe410085251a5 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 25 Mar 2019 10:17:17 +0100
+Subject: [PATCH] pam_sss: PAM_USER_UNKNOWN if socket is missing
+
+If SSSD used without explicit configuration in the files-only mode and
+pam_sss is also used in the PAM configuration, as e.g. in recent Fedora
+systems, users handled by other NSS modules might get an 'Access Denied'
+when trying to log in.
+
+The culprit is the line like
+
+ account [default=bad success=ok user_unknown=ignore] pam_sss.so
+
+in the PAM configuration which can only grant access if pam_sss.so
+returns PAM_SUCCESS or PAM_USER_UNKNOWN. Even PAM_IGNORE causes a
+rejection because of 'default=bad'.
+
+Of the PAM responder is running PAM_USER_UNKNOWN is returned for users
+from other NSS modules. With this patch PAM_USER_UNKNOWN is returned as
+well during the 'account' step if the PAM responder socket is not
+available.
+
+Related to https://pagure.io/SSSD/sssd/issue/3988
+
+Reviewed-by: Jakub Hrozek
+---
+ src/man/pam_sss.8.xml | 4 ++++
+ src/sss_client/common.c | 18 ++++++++++++++++++
+ src/sss_client/pam_sss.c | 16 +++++++++++++---
+ src/sss_client/sss_cli.h | 2 ++
+ 4 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
+index 86ed0fefe..834d9d268 100644
+--- a/src/man/pam_sss.8.xml
++++ b/src/man/pam_sss.8.xml
+@@ -256,6 +256,10 @@ auth sufficient pam_sss.so allow_missing_name
+ All module types (, ,
+ and ) are provided.
+ 
++ If SSSD's PAM responder is not running, e.g. if the PAM responder
++ socket is not available, pam_sss will return PAM_USER_UNKNOWN when
++ called as module to avoid issues with users
++ from other sources during access control.
+ 
+ 
+ 
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 224f33b55..e2d840540 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -913,8 +913,14 @@ int sss_pam_make_request(enum sss_cli_command cmd,
+ /* only root shall use the privileged pipe */
+ if (getuid() == 0 && getgid() == 0) {
+ socket_name = SSS_PAM_PRIV_SOCKET_NAME;
++ errno = 0;
+ statret = stat(socket_name, &stat_buf);
+ if (statret != 0) {
++ if (errno == ENOENT) {
++ *errnop = ESSS_NO_SOCKET;
++ } else {
++ *errnop = ESSS_SOCKET_STAT_ERROR;
++ }
+ ret = PAM_SERVICE_ERR;
+ goto out;
+ }
+@@ -928,8 +934,14 @@ int sss_pam_make_request(enum sss_cli_command cmd,
+ }
+ } else {
+ socket_name = SSS_PAM_SOCKET_NAME;
++ errno = 0;
+ statret = stat(socket_name, &stat_buf);
+ if (statret != 0) {
++ if (errno == ENOENT) {
++ *errnop = ESSS_NO_SOCKET;
++ } else {
++ *errnop = ESSS_SOCKET_STAT_ERROR;
++ }
+ ret = PAM_SERVICE_ERR;
+ goto out;
+ }
+@@ -1075,6 +1087,12 @@ const char *ssscli_err2string(int err)
+ case ESSS_SERVER_NOT_TRUSTED:
+ return _("SSSD is not run by root.");
+ break;
++ case ESSS_NO_SOCKET:
++ return _("SSSD socket does not exist.");
++ break;
++ case ESSS_SOCKET_STAT_ERROR:
++ return _("Cannot get stat of SSSD socket.");
++ break;
+ default:
+ m = strerror(err);
+ if (m == NULL) {
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index 69dc50dfd..9d51aefc6 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -1304,10 +1304,20 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
+ }
+ 
+ if (ret != PAM_SUCCESS) {
+- if (errnop != 0) {
+- logger(pamh, LOG_ERR, "Request to sssd failed. %s", ssscli_err2string(errnop));
++ /* If there is no PAM responder socket during the access control step
++ * we assume this is on purpose, i.e. PAM responder is not configured.
++ * PAM_USER_UNKNOWN is returned to the PAM stack to avoid unexpected
++ * denials. */
++ if (errnop == ESSS_NO_SOCKET && task == SSS_PAM_ACCT_MGMT) {
++ pam_status = PAM_USER_UNKNOWN;
++ } else {
++ if (errnop != 0 && errnop != ESSS_NO_SOCKET) {
++ logger(pamh, LOG_ERR, "Request to sssd failed. %s",
++ ssscli_err2string(errnop));
++ }
++
++ pam_status = PAM_AUTHINFO_UNAVAIL;
+ }
+- pam_status = PAM_AUTHINFO_UNAVAIL;
+ goto done;
+ }
+ 
+diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
+index af8a43916..31b4e50f7 100644
+--- a/src/sss_client/sss_cli.h
++++ b/src/sss_client/sss_cli.h
+@@ -584,6 +584,8 @@ enum sss_cli_error_codes {
+ ESSS_BAD_PUB_SOCKET,
+ ESSS_BAD_CRED_MSG,
+ ESSS_SERVER_NOT_TRUSTED,
++ ESSS_NO_SOCKET,
++ ESSS_SOCKET_STAT_ERROR,
+ 
+ ESS_SSS_CLI_ERROR_MAX
+ };
+--
+2.19.1
+
diff --git a/SOURCES/0101-ipa-ipa_getkeytab-don-t-call-libnss_sss.patch b/SOURCES/0101-ipa-ipa_getkeytab-don-t-call-libnss_sss.patch
new file mode 100644
index 0000000..31be7f1
--- /dev/null
+++ b/SOURCES/0101-ipa-ipa_getkeytab-don-t-call-libnss_sss.patch
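Review bot: The new `errnop == ESSS_NO_SOCKET && task == SSS_PAM_ACCT_MGMT` branch in send_and_receive() makes the account phase fail open whenever the socket is absent, because stat() on the socket path cannot distinguish a deliberately unconfigured PAM responder from one that is down or not yet started, and under the `user_unknown=ignore` stack quoted in the message PAM_USER_UNKNOWN lets the account step pass. For sessions whose authentication does not go through pam_sss (key- or ticket-based sshd logins, for instance) the account step is where SSSD's access control is applied, so that decision would be skipped silently; the comment should state this trade-off and the PAM_USER_UNKNOWN path should leave a trace, e.g. `logger(pamh, LOG_DEBUG, "PAM responder socket not available, returning PAM_USER_UNKNOWN.");` before `pam_status = PAM_USER_UNKNOWN;`. The else-branch likewise drops the LOG_ERR line for ESSS_NO_SOCKET in every task, so an administrator gets no log at all when the responder is unavailable during authentication; a LOG_DEBUG or LOG_INFO message there would preserve the diagnostic without the noise the change wants to avoid. The ENOENT-to-ESSS_NO_SOCKET mapping after stat() in sss_pam_make_request() is duplicated verbatim for the privileged and the public socket; a small static helper would keep the two in step. send_and_receive() and sss_pam_make_request() both begin and end outside this hunk.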
@@ -0,0 +1,44 @@
+From b927dc7c8d5d4f467749958d3e6330ff70fc3ea2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 1 Apr 2019 17:27:45 +0200
+Subject: [PATCH] ipa: ipa_getkeytab don't call libnss_sss
+
+Resolves: https://pagure.io/SSSD/sssd/issue/3992
+
+ipa-getkeytab is a help process which might even get called during
+the startup of SSSD. Hence it should not try to use any SSSD responder
+especially not the NSS responder.
+
+Typically we call helpers with the environment of the calling SSSD
+component where then _SSS_LOOPS environment variable is set to 'NO' to
+skip calls to SSSD in libnss_sss. Since we have to set the KRB5CCNAME
+environment variable to the ccache with the current TGT for the host
+principal when calling ipa-getkeytab execle() is used to call
+ipa_getkeytab which unfortunately replaces the environment of the caller
+with the one provided in the last argument of the call. To make sure
+ipa_getkeytab does not call back into SSSD we have to set _SSS_LOOPS=NO
+here as well.
+
+Reviewed-by: Alexander Bokovoy
+Reviewed-by: Alexey Tikhonov
+(cherry picked from commit d409c10d00101734d1af0c9e0256e607ee8b09c7)
+---
+ src/providers/ipa/ipa_subdomains_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
+index dd0933642..1d480e52b 100644
+--- a/src/providers/ipa/ipa_subdomains_server.c
++++ b/src/providers/ipa/ipa_subdomains_server.c
+@@ -481,7 +481,7 @@ static void ipa_getkeytab_exec(const char *ccache,
+ {
+ errno_t ret;
+ int debug_fd;
+- const char *gkt_env[2] = { NULL, NULL };
++ const char *gkt_env[3] = { NULL, "_SSS_LOOPS=NO", NULL };
+ 
+ if (debug_level >= SSSDBG_TRACE_LIBS) {
+ debug_fd = get_fd_from_debug_file();
+--
+2.19.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 6ecbcdd..4e50f5d 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
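Review bot: `const char *gkt_env[3] = { NULL, "_SSS_LOOPS=NO", NULL };` in ipa_getkeytab_exec() hard-codes the array length beside an initializer that now has to be kept in step with it; `const char *gkt_env[] = { NULL, "_SSS_LOOPS=NO", NULL };` lets the compiler size the array while keeping the NULL terminator the exec call depends on. A one-line comment at the declaration would carry the reasoning from the commit message into the code, e.g. `/* execle() replaces the caller's environment, so the _SSS_LOOPS=NO guard against re-entering libnss_sss must be passed explicitly. */`. The first slot is presumably filled later with the KRB5CCNAME entry mentioned in the message; ipa_getkeytab_exec() continues outside the hunk, so that assignment and the trailing-NULL invariant cannot be checked here.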
@@ -24,7 +24,7 @@
 
 Name: sssd
 Version: 2.0.0
-Release: 43%{?dist}
+Release: 43%{?dist}.3
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -131,6 +131,8 @@ Patch0096: 0096-KCM-Return-a-valid-tevent-error-code-if-a-request-ca.patch
 Patch0097: 0097-KCM-Allow-representing-ccaches-with-a-NULL-principal.patch
 Patch0098: 0098-KCM-Create-an-empty-ccache-on-switch-to-a-non-existi.patch
 Patch0099: 0099-PAM-use-user-name-hint-if-any-domain-has-set-it.patch
+Patch0100: 0100-pam_sss-PAM_USER_UNKNOWN-if-socket-is-missing.patch
+Patch0101: 0101-ipa-ipa_getkeytab-don-t-call-libnss_sss.patch
 
 ### Downstream Patches ###
 
@@ -1282,6 +1284,18 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Thu Apr 18 2019 Michal Židek - 2.0.0-43.3
+- Resolves: rhbz#1701135 - Include libsss_nss_idmap-devel in the Builder
+  repository
+
+* Fri Apr 05 2019 Michal Židek - 2.0.0-43.2
+- Resolves: rhbz#1696596 - AD user not found after establishing trust and
+  restarting sssd [ZStream Clone]
+
+* Fri Mar 29 2019 Michal Židek - 2.0.0-43.1
+- Resolves: rhbz#1691750 - pam_sss failing for external users not configured
+  via sssd
+
 * Sun Feb 10 2019 Jakub Hrozek - 2.0.0-43
 - Resolves: rhbz#1672780 - gdm login not prompting for username when smart card
   maps to multiple users