diff --git a/SOURCES/0009-ad-add-required-cn-attribute-to-subdomain-object.patch b/SOURCES/0009-ad-add-required-cn-attribute-to-subdomain-object.patch
new file mode 100644
index 0000000..2ff9888
--- /dev/null
+++ b/SOURCES/0009-ad-add-required-cn-attribute-to-subdomain-object.patch
@@ -0,0 +1,42 @@
+From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 16 Dec 2021 11:14:18 +0100
+Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the forest root is not part of the return trusted domain objects
+from the local domain controller we generate an object for further
+processing. During this processing it is expected that the 'cn'
+attribute is set and contains the name of the forest root. So far this
+attribute was missing and it is now added by this patch.
+
+Resolves: https://github.com/SSSD/sssd/issues/5926
+
+Reviewed-by: Pavel Březina
+---
+ src/providers/ad/ad_subdomains.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 0353de76f..0c3f8ac31 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
+ goto done;
+ }
+
++ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
++ state->forest);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
++ goto done;
++ }
++
+ err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
+ &id_val.data, &id_val.length);
+ if (err != IDMAP_SUCCESS) {
+--
+2.26.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index d947ab6..8aeedd5 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
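Review bot: In the ad_subdomains.c hunk carried by 0009-ad-add-required-cn-attribute-to-subdomain-object.patch, the new failure branch logs only a fixed string, so a failed `sysdb_attrs_add_string()` while building the forest-root object leaves no error code in the log before `goto done;`. Logging the code would make a missing trusted domain diagnosable, e.g. `DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed [%d]: %s\n", ret, sss_strerror(ret));`. The call also deserves a short comment such as `/* Synthesized forest root object: later processing expects the forest name in 'cn'. */`, since that expectation is recorded only in the commit message. Whether `state->forest` can be NULL at this point is not visible here; ad_check_root_domain_done() starts and ends outside the hunk, so that should be confirmed against the rest of the function.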
@@ -19,7 +19,7 @@ Name: sssd Version: 2.5.2 -Release: 2%{?dist}.3 +Release: 2%{?dist}.4 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -35,6 +35,7 @@ Patch0005: 0005-MONITOR-reduce-logs-severity-around-signalling-and-t.patch Patch0006: 0006-DEBUG-avoid-backtrace-dups.patch Patch0007: 0007-cache_req-cache_first-fix-for-fully-qualified-names.patch Patch0008: 0008-utils-ignore-systemd-and-sd-pam-process-in-get_activ.patch +Patch0009: 0009-ad-add-required-cn-attribute-to-subdomain-object.patch ### Downstream Patches ### @@ -87,6 +88,7 @@ BuildRequires: libxslt BuildRequires: libxml2 BuildRequires: docbook-style-xsl BuildRequires: krb5-devel +BuildRequires: krb5-libs >= 1.18.2-11 BuildRequires: c-ares-devel BuildRequires: python3-devel BuildRequires: check-devel @@ -535,6 +537,7 @@ Summary: An implementation of a Kerberos KCM server Group: Applications/System License: GPLv3+ Requires: sssd-common = %{version}-%{release} +Requires: krb5-libs >= 1.18.2-11 %{?systemd_requires} %description kcm @@ -1151,6 +1154,10 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Jan 17 2022 Alexey Tikhonov - 2.5.2-2.4 +- Resolves: rhbz#2030651 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries [rhel-8.5.0.z] +- Resolves: rhbz#2035285 - AD Domain in the AD Forest Missing after sssd latest update [rhel-8.5.0.z] + * Tue Dec 07 2021 Alexey Tikhonov - 2.5.2-2.3 - Resolves: rhbz#2028828 - pam responder does not call initgroups to refresh the user entry [rhel-8.5.0.z]
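Review bot: The `Requires: krb5-libs >= 1.18.2-11` added to the sssd-kcm subpackage is not architecture-qualified, so on a multilib host a krb5-libs of a different architecture could satisfy it even though the library sssd-kcm loads is the one that must provide the symbol named in the changelog. Consider `Requires: krb5-libs%{?_isa} >= 1.18.2-11`. The same version floor in the `BuildRequires: krb5-libs >= 1.18.2-11` hunk would benefit from a comment recording why it exists, e.g. `# sssd-kcm needs krb5_unmarshal_credentials (rhbz#2030651)`, so that a later rebase does not drop it.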