From ecd8e1bf55015daac5fca89b787d674e51e9b513 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 07 2019 19:24:03 +0000
Subject: import sssd-2.0.0-43.el8_0.3


---

diff --git a/SOURCES/0100-pam_sss-PAM_USER_UNKNOWN-if-socket-is-missing.patch b/SOURCES/0100-pam_sss-PAM_USER_UNKNOWN-if-socket-is-missing.patch
new file mode 100644
index 0000000..ece50bc
--- /dev/null
+++ b/SOURCES/0100-pam_sss-PAM_USER_UNKNOWN-if-socket-is-missing.patch
@@ -0,0 +1,139 @@
+From 0479c6f1598602909487c499266fe410085251a5 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 25 Mar 2019 10:17:17 +0100
+Subject: [PATCH] pam_sss: PAM_USER_UNKNOWN if socket is missing
+
+If SSSD used without explicit configuration in the files-only mode and
+pam_sss is also used in the PAM configuration, as e.g. in recent Fedora
+systems, users handled by other NSS modules might get an 'Access Denied'
+when trying to log in.
+
+The culprit is the line like
+
+    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+
+in the PAM configuration which can only grant access if pam_sss.so
+returns PAM_SUCCESS or PAM_USER_UNKNOWN. Even PAM_IGNORE causes a
+rejection because of 'default=bad'.
+
+Of the PAM responder is running PAM_USER_UNKNOWN is returned for users
+from other NSS modules. With this patch PAM_USER_UNKNOWN is returned as
+well during the 'account' step if the PAM responder socket is not
+available.
+
+Related to https://pagure.io/SSSD/sssd/issue/3988
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ src/man/pam_sss.8.xml    |  4 ++++
+ src/sss_client/common.c  | 18 ++++++++++++++++++
+ src/sss_client/pam_sss.c | 16 +++++++++++++---
+ src/sss_client/sss_cli.h |  2 ++
+ 4 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
+index 86ed0fefe..834d9d268 100644
+--- a/src/man/pam_sss.8.xml
++++ b/src/man/pam_sss.8.xml
+@@ -256,6 +256,10 @@ auth sufficient pam_sss.so allow_missing_name
+         <para>All module types (<option>account</option>, <option>auth</option>,
+         <option>password</option> and <option>session</option>) are provided.
+         </para>
++        <para>If SSSD's PAM responder is not running, e.g. if the PAM responder
++        socket is not available, pam_sss will return PAM_USER_UNKNOWN when
++        called as <option>account</option> module to avoid issues with users
++        from other sources during access control.</para>
+     </refsect1>
+ 
+     <refsect1 id='files'>
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 224f33b55..e2d840540 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -913,8 +913,14 @@ int sss_pam_make_request(enum sss_cli_command cmd,
+     /* only root shall use the privileged pipe */
+     if (getuid() == 0 && getgid() == 0) {
+         socket_name = SSS_PAM_PRIV_SOCKET_NAME;
++        errno = 0;
+         statret = stat(socket_name, &stat_buf);
+         if (statret != 0) {
++            if (errno == ENOENT) {
++                *errnop = ESSS_NO_SOCKET;
++            } else {
++                *errnop = ESSS_SOCKET_STAT_ERROR;
++            }
+             ret = PAM_SERVICE_ERR;
+             goto out;
+         }
+@@ -928,8 +934,14 @@ int sss_pam_make_request(enum sss_cli_command cmd,
+         }
+     } else {
+         socket_name = SSS_PAM_SOCKET_NAME;
++        errno = 0;
+         statret = stat(socket_name, &stat_buf);
+         if (statret != 0) {
++            if (errno == ENOENT) {
++                *errnop = ESSS_NO_SOCKET;
++            } else {
++                *errnop = ESSS_SOCKET_STAT_ERROR;
++            }
+             ret = PAM_SERVICE_ERR;
+             goto out;
+         }
+@@ -1075,6 +1087,12 @@ const char *ssscli_err2string(int err)
+         case ESSS_SERVER_NOT_TRUSTED:
+             return _("SSSD is not run by root.");
+             break;
++        case ESSS_NO_SOCKET:
++            return _("SSSD socket does not exist.");
++            break;
++        case ESSS_SOCKET_STAT_ERROR:
++            return _("Cannot get stat of SSSD socket.");
++            break;
+         default:
+             m = strerror(err);
+             if (m == NULL) {
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index 69dc50dfd..9d51aefc6 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -1304,10 +1304,20 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
+     }
+ 
+     if (ret != PAM_SUCCESS) {
+-        if (errnop != 0) {
+-            logger(pamh, LOG_ERR, "Request to sssd failed. %s", ssscli_err2string(errnop));
++        /* If there is no PAM responder socket during the access control step
++         * we assume this is on purpose, i.e. PAM responder is not configured.
++         * PAM_USER_UNKNOWN is returned to the PAM stack to avoid unexpected
++         * denials. */
++        if (errnop == ESSS_NO_SOCKET && task == SSS_PAM_ACCT_MGMT) {
++            pam_status = PAM_USER_UNKNOWN;
++        } else {
++            if (errnop != 0 && errnop != ESSS_NO_SOCKET) {
++                logger(pamh, LOG_ERR, "Request to sssd failed. %s",
++                                      ssscli_err2string(errnop));
++            }
++
++            pam_status = PAM_AUTHINFO_UNAVAIL;
+         }
+-        pam_status = PAM_AUTHINFO_UNAVAIL;
+         goto done;
+     }
+ 
+diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
+index af8a43916..31b4e50f7 100644
+--- a/src/sss_client/sss_cli.h
++++ b/src/sss_client/sss_cli.h
+@@ -584,6 +584,8 @@ enum sss_cli_error_codes {
+     ESSS_BAD_PUB_SOCKET,
+     ESSS_BAD_CRED_MSG,
+     ESSS_SERVER_NOT_TRUSTED,
++    ESSS_NO_SOCKET,
++    ESSS_SOCKET_STAT_ERROR,
+ 
+     ESS_SSS_CLI_ERROR_MAX
+ };
+-- 
+2.19.1
+
diff --git a/SOURCES/0101-ipa-ipa_getkeytab-don-t-call-libnss_sss.patch b/SOURCES/0101-ipa-ipa_getkeytab-don-t-call-libnss_sss.patch
new file mode 100644
index 0000000..31be7f1
--- /dev/null
+++ b/SOURCES/0101-ipa-ipa_getkeytab-don-t-call-libnss_sss.patch
@@ -0,0 +1,44 @@
+From b927dc7c8d5d4f467749958d3e6330ff70fc3ea2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 1 Apr 2019 17:27:45 +0200
+Subject: [PATCH] ipa: ipa_getkeytab don't call libnss_sss
+
+Resolves: https://pagure.io/SSSD/sssd/issue/3992
+
+ipa-getkeytab is a help process which might even get called during
+the startup of SSSD. Hence it should not try to use any SSSD responder
+especially not the NSS responder.
+
+Typically we call helpers with the environment of the calling SSSD
+component where then _SSS_LOOPS environment variable is set to 'NO' to
+skip calls to SSSD in libnss_sss. Since we have to set the KRB5CCNAME
+environment variable to the ccache with the current TGT for the host
+principal when calling ipa-getkeytab execle() is used to call
+ipa_getkeytab which unfortunately replaces the environment of the caller
+with the one provided in the last argument of the call. To make sure
+ipa_getkeytab does not call back into SSSD we have to set _SSS_LOOPS=NO
+here as well.
+
+Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit d409c10d00101734d1af0c9e0256e607ee8b09c7)
+---
+ src/providers/ipa/ipa_subdomains_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
+index dd0933642..1d480e52b 100644
+--- a/src/providers/ipa/ipa_subdomains_server.c
++++ b/src/providers/ipa/ipa_subdomains_server.c
+@@ -481,7 +481,7 @@ static void ipa_getkeytab_exec(const char *ccache,
+ {
+     errno_t ret;
+     int debug_fd;
+-    const char *gkt_env[2] = { NULL, NULL };
++    const char *gkt_env[3] = { NULL, "_SSS_LOOPS=NO", NULL };
+ 
+     if (debug_level >= SSSDBG_TRACE_LIBS) {
+         debug_fd = get_fd_from_debug_file();
+-- 
+2.19.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 6ecbcdd..4e50f5d 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -24,7 +24,7 @@
 
 Name: sssd
 Version: 2.0.0
-Release: 43%{?dist}
+Release: 43%{?dist}.3
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -131,6 +131,8 @@ Patch0096: 0096-KCM-Return-a-valid-tevent-error-code-if-a-request-ca.patch
 Patch0097: 0097-KCM-Allow-representing-ccaches-with-a-NULL-principal.patch
 Patch0098: 0098-KCM-Create-an-empty-ccache-on-switch-to-a-non-existi.patch
 Patch0099: 0099-PAM-use-user-name-hint-if-any-domain-has-set-it.patch
+Patch0100: 0100-pam_sss-PAM_USER_UNKNOWN-if-socket-is-missing.patch
+Patch0101: 0101-ipa-ipa_getkeytab-don-t-call-libnss_sss.patch
 
 ### Downstream Patches ###
 
@@ -1282,6 +1284,18 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Thu Apr 18 2019 Michal Židek <mzidek@redhat.com> - 2.0.0-43.3
+- Resolves: rhbz#1701135 - Include libsss_nss_idmap-devel in the Builder
+                           repository
+
+* Fri Apr 05 2019 Michal Židek <mzidek@redhat.com> - 2.0.0-43.2
+- Resolves: rhbz#1696596 - AD user not found after establishing trust and
+                           restarting sssd [ZStream Clone]
+
+* Fri Mar 29 2019 Michal Židek <mzidek@redhat.com> - 2.0.0-43.1
+- Resolves: rhbz#1691750 - pam_sss failing for external users not configured
+                           via sssd
+
 * Sun Feb 10 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.0.0-43
 - Resolves: rhbz#1672780 - gdm login not prompting for username when smart
                            card maps to multiple users