diff --git a/SOURCES/0086-pam_sss-fix-missing-initializer.patch b/SOURCES/0086-pam_sss-fix-missing-initializer.patch new file mode 100644 index 0000000..3689f82 --- /dev/null +++ b/SOURCES/0086-pam_sss-fix-missing-initializer.patch @@ -0,0 +1,43 @@ +From 62af4b5baa54bb4838197969064d3c2b090325cc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 18 Jun 2020 15:08:24 +0200 +Subject: [PATCH] pam_sss: fix missing initializer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix the following error introduced by: +3ed254765fc92e9cc9e4c35335818eaf1256e0d6 + +``` +/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c: In function ‘prompt_sc_pin’: +/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:1839:41: error: missing initializer for field ‘next’ of ‘struct cert_auth_info’ [-Werror=missing-field-initializers] + NULL, NULL, NULL, NULL, NULL }; + ^~~~ +/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:132:28: note: ‘next’ declared here + struct cert_auth_info *next; + +``` + +Reviewed-by: Alexey Tikhonov +(cherry picked from commit a08d4741cd5d2ecea44eb590e881baf2071e34d2) +--- + src/sss_client/pam_sss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index 38a75e1b6..7084ce953 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -1800,7 +1800,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) + struct pam_response *resp = NULL; + struct cert_auth_info *cai = pi->selected_cert; + struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"), +- NULL, NULL, NULL, NULL, NULL }; ++ NULL, NULL, NULL, NULL, NULL, NULL }; + + if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) { + cai = &empty_cai; +-- +2.35.3 + diff --git a/SOURCES/0087-pam-better-SC-fallback-message.patch b/SOURCES/0087-pam-better-SC-fallback-message.patch new file mode 100644 index 0000000..181a9ee --- /dev/null +++ b/SOURCES/0087-pam-better-SC-fallback-message.patch @@ -0,0 +1,109 @@ +From bcb392e60c1935a98738988c5289585acd89ce82 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 21 Feb 2022 18:02:47 +0100 +Subject: [PATCH 87/88] pam: better SC fallback message +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If no suitable certificates were found or if gdm-smartcard was somehow +activated without a Smartcard present ask to (re)-insert a Smartcard. + +Resolves: https://github.com/SSSD/sssd/issues/6022 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit 4d2277f8c3065771a8c3bbc7938309a4905640f0) + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +--- + src/sss_client/pam_sss.c | 47 +++++++++++++++++++++++----------------- + 1 file changed, 27 insertions(+), 20 deletions(-) + +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index 7084ce953..feb4837fb 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -1787,40 +1787,39 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi) + return ret; + } + ++#define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard") ++ + static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) + { + int ret; + char *answer = NULL; +- char *prompt; +- size_t size; ++ char *prompt = NULL; + size_t needed_size; + const struct pam_conv *conv; + const struct pam_message *mesg[2] = { NULL, NULL }; + struct pam_message m[2] = { { 0 }, { 0 } }; + struct pam_response *resp = NULL; + struct cert_auth_info *cai = pi->selected_cert; +- struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"), +- NULL, NULL, NULL, NULL, NULL, NULL }; + + if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) { +- cai = &empty_cai; ++ ret = asprintf(&prompt, SC_INSERT_PROMPT); + } else if (cai == NULL || cai->token_name == NULL + || *cai->token_name == '\0') { +- return EINVAL; ++ return PAM_SYSTEM_ERR; ++ } else { ++ ret = asprintf(&prompt, SC_PROMPT_FMT, cai->token_name); + } + +- size = sizeof(SC_PROMPT_FMT) + strlen(cai->token_name); +- prompt = malloc(size); +- if (prompt == NULL) { +- D(("malloc failed.")); +- return ENOMEM; ++ if (ret == -1) { ++ D(("asprintf failed.")); ++ return PAM_SYSTEM_ERR; + } + +- ret = snprintf(prompt, size, SC_PROMPT_FMT, cai->token_name); +- if (ret < 0 || ret >= size) { +- D(("snprintf failed.")); +- free(prompt); +- return EFAULT; ++ if (cai == NULL) { ++ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL); ++ if (ret != PAM_SUCCESS) { ++ D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret))); ++ } + } + + if (pi->user_name_hint) { +@@ -1907,10 +1906,18 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) + } + } + +- if (answer == NULL) { +- pi->pam_authtok = NULL; +- pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY; +- pi->pam_authtok_size=0; ++ if (cai == NULL) { ++ /* it is expected that the user just replaces the Smartcard which ++ * would trigger gdm to restart the PAM module, so it is not ++ * expected that this part of the code is reached. */ ++ ret = PAM_AUTHINFO_UNAVAIL; ++ goto done; ++ } ++ ++ if (answer == NULL || *answer == '\0') { ++ D(("Missing PIN.")); ++ ret = PAM_CRED_INSUFFICIENT; ++ goto done; + } else { + + ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0, +-- +2.35.3 + diff --git a/SOURCES/0088-pam_sss-fix-for-old-GDM-screen-lock.patch b/SOURCES/0088-pam_sss-fix-for-old-GDM-screen-lock.patch new file mode 100644 index 0000000..eab3575 --- /dev/null +++ b/SOURCES/0088-pam_sss-fix-for-old-GDM-screen-lock.patch @@ -0,0 +1,68 @@ +From ddfc7e99e96ee732586c07342900d287d2378802 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 30 May 2022 11:56:24 +0200 +Subject: [PATCH 88/88] pam_sss: fix for old GDM screen lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In contrast to the login screen the lock screen of older GDM versions +does not restart PAM if a new Smartcard is inserted. So the user must +press the enter key explicitly restart PAM. This patch uses a dedicated +prompt in this case and overwrites any other error message shown in +between. + +Resolves: https://github.com/SSSD/sssd/issues/6022 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +--- + src/sss_client/pam_sss.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index feb4837fb..db41fdb67 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -1788,6 +1788,7 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi) + } + + #define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard") ++#define SC_INSERT_PROMPT_ENTER _("Please (re)insert (different) Smartcard and press enter") + + static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) + { +@@ -1802,7 +1803,16 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) + struct cert_auth_info *cai = pi->selected_cert; + + if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) { +- ret = asprintf(&prompt, SC_INSERT_PROMPT); ++ /* Older versions of the GDM screen lock do not restart PAM if a ++ * Smartcard is removed and inserted again in contrast to the login ++ * screen. The PKCS11_LOGIN_TOKEN_NAME enviroment variable is used to ++ * detect the screen lock mode and the user is prompted to press the ++ * enter key. */ ++ if (getenv("PKCS11_LOGIN_TOKEN_NAME") == NULL) { ++ ret = asprintf(&prompt, SC_INSERT_PROMPT); ++ } else { ++ ret = asprintf(&prompt, SC_INSERT_PROMPT_ENTER); ++ } + } else if (cai == NULL || cai->token_name == NULL + || *cai->token_name == '\0') { + return PAM_SYSTEM_ERR; +@@ -1820,6 +1830,12 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) + if (ret != PAM_SUCCESS) { + D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret))); + } ++ } else { ++ /* clear previous messages, if any */ ++ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, "", NULL, NULL); ++ if (ret != PAM_SUCCESS) { ++ D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret))); ++ } + } + + if (pi->user_name_hint) { +-- +2.35.3 + diff --git a/SOURCES/0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch b/SOURCES/0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch new file mode 100644 index 0000000..14d8eb1 --- /dev/null +++ b/SOURCES/0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch @@ -0,0 +1,176 @@ +From 2b84dddf8c3d3b30bb1919205b4eb53e1ba31714 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 15 Mar 2022 11:36:45 +0100 +Subject: [PATCH] ad: use right sdap_domain in ad_domain_info_send +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally ad_domain_info_send() was only called when there was only a +single domain available and hence only a single sdap_domain struct with +the search bases in the sdap_domain list. Since ad_domain_info_send() is +now called at other times as well the right sdap_domain struct must be +selected so that the right search bases are used. + +Resolves: https://github.com/SSSD/sssd/issues/6063 + +Reviewed-by: Iker Pedrosa +Reviewed-by: Pavel Březina +(cherry picked from commit 51e92297157562511baf8902777f02a4aa2e70e6) +--- + src/providers/ad/ad_domain_info.c | 10 +++++- + src/providers/ldap/ldap_common.h | 3 ++ + src/providers/ldap/sdap_domain.c | 21 ++++++++++++ + src/tests/cmocka/test_search_bases.c | 48 +++++++++++++++++++++++++++- + 4 files changed, 80 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c +index 52b2e2442..f3a82a198 100644 +--- a/src/providers/ad/ad_domain_info.c ++++ b/src/providers/ad/ad_domain_info.c +@@ -181,6 +181,7 @@ struct ad_domain_info_state { + struct sdap_id_op *id_op; + struct sdap_id_ctx *id_ctx; + struct sdap_options *opts; ++ struct sdap_domain *sdom; + + const char *dom_name; + int base_iter; +@@ -215,6 +216,13 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx, + state->id_ctx = conn->id_ctx; + state->opts = conn->id_ctx->opts; + state->dom_name = dom_name; ++ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name); ++ if (state->sdom == NULL || state->sdom->search_bases == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n"); ++ ret = EINVAL; ++ goto immediate; ++ } ++ + + ret = ad_domain_info_next(req); + if (ret != EOK && ret != EAGAIN) { +@@ -243,7 +251,7 @@ ad_domain_info_next(struct tevent_req *req) + struct ad_domain_info_state *state = + tevent_req_data(req, struct ad_domain_info_state); + +- base = state->opts->sdom->search_bases[state->base_iter]; ++ base = state->sdom->search_bases[state->base_iter]; + if (base == NULL) { + return EOK; + } +diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h +index 19a696a3d..1a122ea03 100644 +--- a/src/providers/ldap/ldap_common.h ++++ b/src/providers/ldap/ldap_common.h +@@ -352,6 +352,9 @@ sdap_domain_remove(struct sdap_options *opts, + struct sdap_domain *sdap_domain_get(struct sdap_options *opts, + struct sss_domain_info *dom); + ++struct sdap_domain *sdap_domain_get_by_name(struct sdap_options *opts, ++ const char *dom_name); ++ + struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts, + const char *dn); + +diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c +index fa6e9340d..1785dd20d 100644 +--- a/src/providers/ldap/sdap_domain.c ++++ b/src/providers/ldap/sdap_domain.c +@@ -44,6 +44,27 @@ sdap_domain_get(struct sdap_options *opts, + return sditer; + } + ++struct sdap_domain * ++sdap_domain_get_by_name(struct sdap_options *opts, ++ const char *dom_name) ++{ ++ struct sdap_domain *sditer = NULL; ++ ++ if (dom_name == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Missing domain name.\n"); ++ return NULL; ++ } ++ ++ DLIST_FOR_EACH(sditer, opts->sdom) { ++ if (sditer->dom->name != NULL ++ && strcasecmp(sditer->dom->name, dom_name) == 0) { ++ break; ++ } ++ } ++ ++ return sditer; ++} ++ + struct sdap_domain * + sdap_domain_get_by_dn(struct sdap_options *opts, + const char *dn) +diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c +index 4538eaceb..0d06786ca 100644 +--- a/src/tests/cmocka/test_search_bases.c ++++ b/src/tests/cmocka/test_search_bases.c +@@ -177,6 +177,51 @@ void test_get_by_dn_fail(void **state) + do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS); + } + ++void test_sdap_domain_get_by_name(void **state) ++{ ++ struct sdap_options *opts; ++ struct sss_domain_info dom1 = { 0 }; ++ dom1.name = discard_const("dom1"); ++ struct sss_domain_info dom2 = { 0 }; ++ dom2.name = discard_const("dom2"); ++ struct sss_domain_info dom3 = { 0 }; ++ dom3.name = discard_const("dom3"); ++ int ret; ++ struct sdap_domain *sdom; ++ ++ opts = talloc_zero(NULL, struct sdap_options); ++ assert_non_null(opts); ++ ++ ret = sdap_domain_add(opts, &dom1, NULL); ++ assert_int_equal(ret, EOK); ++ ++ ret = sdap_domain_add(opts, &dom2, NULL); ++ assert_int_equal(ret, EOK); ++ ++ ret = sdap_domain_add(opts, &dom3, NULL); ++ assert_int_equal(ret, EOK); ++ ++ sdom = sdap_domain_get_by_name(opts, NULL); ++ assert_null(sdom); ++ ++ sdom = sdap_domain_get_by_name(opts, "abc"); ++ assert_null(sdom); ++ ++ sdom = sdap_domain_get_by_name(opts, "dom1"); ++ assert_non_null(sdom); ++ assert_ptr_equal(sdom->dom, &dom1); ++ ++ sdom = sdap_domain_get_by_name(opts, "dom2"); ++ assert_non_null(sdom); ++ assert_ptr_equal(sdom->dom, &dom2); ++ ++ sdom = sdap_domain_get_by_name(opts, "dom3"); ++ assert_non_null(sdom); ++ assert_ptr_equal(sdom->dom, &dom3); ++ ++ talloc_free(opts); ++} ++ + int main(void) + { + const struct CMUnitTest tests[] = { +@@ -184,7 +229,8 @@ int main(void) + cmocka_unit_test(test_search_bases_success), + cmocka_unit_test(test_get_by_dn_fail), + cmocka_unit_test(test_get_by_dn), +- cmocka_unit_test(test_get_by_dn2) ++ cmocka_unit_test(test_get_by_dn2), ++ cmocka_unit_test(test_sdap_domain_get_by_name) + }; + + return cmocka_run_group_tests(tests, NULL, NULL); +-- +2.35.3 + diff --git a/SOURCES/0090-ad-add-fallback-in-ad_domain_info_send.patch b/SOURCES/0090-ad-add-fallback-in-ad_domain_info_send.patch new file mode 100644 index 0000000..766de92 --- /dev/null +++ b/SOURCES/0090-ad-add-fallback-in-ad_domain_info_send.patch @@ -0,0 +1,58 @@ +From 410a3faa8cf1e358e53728fae7440a81763ab743 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 23 May 2022 09:05:43 +0200 +Subject: [PATCH] ad: add fallback in ad_domain_info_send() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed +ad_domain_info_send() to handle multiple domains by searching for the +matching sdap_domain data. Unfortunately it assumed that the configured +name and the DNS domain name are always matching. This is true for all +sub-domains discovered at runtime by DNS lookups but might not be true +for the domain configured in sssd.conf. Since the configured domain is +the first in the list of sdap_domain data it will be used as a fallback +in case no data could be found by name. + +Resolves: https://github.com/SSSD/sssd/issues/6170 + +Reviewed-by: Iker Pedrosa +Reviewed-by: Pavel Březina +(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e) +--- + src/providers/ad/ad_domain_info.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c +index f3a82a198..9583c74b9 100644 +--- a/src/providers/ad/ad_domain_info.c ++++ b/src/providers/ad/ad_domain_info.c +@@ -217,8 +217,23 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx, + state->opts = conn->id_ctx->opts; + state->dom_name = dom_name; + state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name); ++ /* The first domain in the list is the domain configured in sssd.conf and ++ * here it might be possible that the domain name from the config file and ++ * the DNS domain name do not match. All other sub-domains are discovered ++ * at runtime with the help of DNS lookups so it is expected that the ++ * names matches. Hence it makes sense to fall back to the first entry in ++ * the list if no matching domain was found since it is most probably ++ * related to the configured domain. */ ++ if (state->sdom == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "No internal domain data found for [%s], " ++ "falling back to first domain.\n", ++ state->dom_name); ++ state->sdom = state->opts->sdom; ++ } + if (state->sdom == NULL || state->sdom->search_bases == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n"); ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Missing internal domain data for domain [%s].\n", ++ state->dom_name); + ret = EINVAL; + goto immediate; + } +-- +2.35.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 6103e53..b8f71fa 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -50,7 +50,7 @@ Name: sssd Version: 1.16.5 -Release: 10%{?dist}.12 +Release: 10%{?dist}.13 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -144,6 +144,11 @@ Patch0082: 0082-ad-only-send-cldap-ping-to-our-local-domain.patch Patch0083: 0083-cldap-use-dns_resolver_server_timeout-timeout-for-cl.patch Patch0084: 0084-sysdb-more-specific-mpg-search-filter.patch Patch0085: 0085-ad-add-required-cn-attribute-to-subdomain-object.patch +Patch0086: 0086-pam_sss-fix-missing-initializer.patch +Patch0087: 0087-pam-better-SC-fallback-message.patch +Patch0088: 0088-pam_sss-fix-for-old-GDM-screen-lock.patch +Patch0089: 0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch +Patch0090: 0090-ad-add-fallback-in-ad_domain_info_send.patch #Those patches should not be removed in RHEL-7 Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1319,6 +1324,10 @@ systemctl try-restart sssd >/dev/null 2>&1 || : } %changelog +* Fri Jun 10 2022 Alexey Tikhonov 1.16.5-10.13 +- Resolves: rhbz#2079441 - SSSD update prompts for smartcard pin twice - After update to 7.9 [rhel-7.9.z] +- Resolves: rhbz#2073352 - Use right sdap_domain in ad_domain_info_send [rhel-7.9.z] + * Mon Jan 31 2022 Alexey Tikhonov 1.16.5-10.12 - Resolves: rhbz#2006382 - IPA Intermittence fetching groups - Resolves: rhbz#2006866 - sssd_be segfault due to empty forest root name