From f98a0db8c14ed2ce670296b03315e91948aac77a Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 23 2024 15:59:48 +0000
Subject: import sssd-1.16.5-10.el7_9.16
---
diff --git a/SOURCES/0097-ad-use-sAMAccountName-to-lookup-hosts.patch b/SOURCES/0097-ad-use-sAMAccountName-to-lookup-hosts.patch
new file mode 100644
index 0000000..090bb77
--- /dev/null
+++ b/SOURCES/0097-ad-use-sAMAccountName-to-lookup-hosts.patch
@@ -0,0 +1,46 @@
+From ead272e1e4e9e3e605cfb91fa333310edf27b2ed Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 7 Jun 2023 10:45:59 +0200
+Subject: [PATCH] ad: use sAMAccountName to lookup hosts
+
+To determine which GPOs apply to the host running SSSD the full DN of
+the host object in AD is needed. To fine this object we use the NetBIOS
+name of the host which is stored in AD in the sAMAccountName attribute.
+Using other attributes, e.g. if ldap_user_name is set to a different
+attribute, will most probably cause a failure since those attributes are
+not managed as expected for host object. As a result sAMAccountName
+should be hardcoded here to avoid issues.
+
+Resolves: https://github.com/SSSD/sssd/issues/6766
+
+Reviewed-by: Iker Pedrosa
+Reviewed-by: Justin Stephenson
+(cherry picked from commit 67c11c2ebae843f7ddd6b857efa2e1f6449986f3)
+---
+ src/providers/ad/ad_gpo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 27885ef8a..c6ea859fd 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -56,6 +56,7 @@
+
+ #define AD_AT_DN "distinguishedName"
+ #define AD_AT_UAC "userAccountControl"
++#define AD_AT_SAMACCOUNTNAME "sAMAccountName"
+ #define AD_AT_CONFIG_NC "configurationNamingContext"
+ #define AD_AT_GPLINK "gPLink"
+ #define AD_AT_GPOPTIONS "gpOptions"
+@@ -1882,7 +1883,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
+ filter = talloc_asprintf(state,
+ "(&(objectclass=%s)(%s=%s))",
+ state->opts->user_map[SDAP_OC_USER].name,
+- state->opts->user_map[SDAP_AT_USER_NAME].name,
++ AD_AT_SAMACCOUNTNAME,
+ sam_account_name);
+ if (filter == NULL) {
+ ret = ENOMEM;
+--
+2.41.0
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index a8052e3..620b221 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
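Review bot: `sam_account_name` is formatted into the LDAP filter through a plain `%s` in the `talloc_asprintf()` call of the second inner hunk, and nothing visible escapes it. Its assignment lies outside the hunk (ad_gpo_connect_done starts and ends beyond the shown lines), so this may already be handled; if it is not, pass the value through `sss_filter_sanitize()` before building the filter so that `(`, `)`, `*` or `\` in the name cannot change which object is selected as the host for GPO evaluation. The object class is still read from `state->opts->user_map[SDAP_OC_USER].name`, so a customised user map can presumably still influence this host lookup. A short comment above the call, e.g. `/* host objects are always looked up by sAMAccountName, independent of ldap_user_name */`, would record why the attribute is hardcoded.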
@@ -50,7 +50,7 @@ Name: sssd Version: 1.16.5 -Release: 10%{?dist}.15 +Release: 10%{?dist}.16 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -155,6 +155,7 @@ Patch0093: 0093-RESPONDER-fixed-condition-in-responder_idle_handler.patch Patch0094: 0094-SUDO-Fix-timezone-issues-with-sudoNotBefore-and-sudo.patch Patch0095: 0095-BACKEND-Reload-resolv.conf-after-initialization.patch Patch0096: 0096-sc-escape-special-chars.patch +Patch0097: 0097-ad-use-sAMAccountName-to-lookup-hosts.patch #Those patches should not be removed in RHEL-7 Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1330,6 +1331,9 @@ systemctl try-restart sssd >/dev/null 2>&1 || : } %changelog +* Thu Nov 16 2023 Eduardo Lima (Etrunko) 1.16.5-10.16 +- Resolves: RHEL-16003 - sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy [rhel-7.9.z] + * Fri Jan 6 2023 Alexey Tikhonov 1.16.5-10.15 - Resolves: rhbz#2149703 - smartcards: special characters must be escaped when building search filter [rhel-7.9.z] - Resolves: rhbz#2149902 - EMBARGOED CVE-2022-4254 sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters [rhel-7.9.z]