diff --git a/.gitignore b/.gitignore
index f74e090..a743af2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.7.3.tar.gz
+SOURCES/sssd-2.8.2.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 6132eb6..6575e58 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz
+4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
diff --git a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch
deleted file mode 100644
index 271a5d8..0000000
--- a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Thu, 21 Jul 2022 20:16:32 +0200
-Subject: [PATCH] Makefile: remove unneeded dependency
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)
----
- Makefile.am | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 669a0fc56..92d046888 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \
-     $(KRB5_CFLAGS) \
-     $(UUID_CFLAGS) \
-     $(CURL_CFLAGS) \
--    $(JANSSON_CFLAGS) \
-     $(NULL)
- sssd_kcm_LDADD = \
-     $(LIBADD_DL) \
-     $(KRB5_LIBS) \
--    $(JANSSON_LIBS) \
-     $(SSSD_LIBS) \
-     $(UUID_LIBS) \
-     $(SYSTEMD_DAEMON_LIBS) \
-@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \
-     $(UUID_CFLAGS) \
-     $(NULL)
- test_kcm_marshalling_LDADD = \
--    $(JANSSON_LIBS) \
-     $(UUID_LIBS) \
-     $(KRB5_LIBS) \
-     $(CMOCKA_LIBS) \
-@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \
- test_kcm_renewals_LDADD = \
- 	$(LIBADD_DL) \
- 	$(UUID_LIBS) \
--	$(JANSSON_LIBS) \
- 	$(KRB5_LIBS) \
- 	$(CARES_LIBS) \
- 	$(CMOCKA_LIBS) \
--- 
-2.37.1
-
diff --git a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
new file mode 100644
index 0000000..60feece
--- /dev/null
+++ b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
@@ -0,0 +1,158 @@
+From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 8 Dec 2022 15:14:05 +0100
+Subject: [PATCH] ldap: update shadow last change in sysdb as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise pam can use the changed information whe id chaching is
+enabled, so next authentication that fits into the id timeout
+(5 seconds by default) will still sees the password as expired.
+
+Resolves: https://github.com/SSSD/sssd/issues/6477
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
+---
+ src/db/sysdb.h                 |  4 ++++
+ src/db/sysdb_ops.c             | 32 ++++++++++++++++++++++++++++++++
+ src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
+ 3 files changed, 52 insertions(+), 5 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 7c666f5c4..06b44f5ba 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
+                         struct sysdb_attrs *attrs,
+                         int mod_op);
+ 
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++                                             const char *name,
++                                             const char *attrname);
++
+ /* Replace group attrs */
+ int sysdb_set_group_attr(struct sss_domain_info *domain,
+                          const char *name,
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 0d6f2d5cd..ed0df9872 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -1485,6 +1485,38 @@ done:
+     return ret;
+ }
+ 
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++                                             const char *name,
++                                             const char *attrname)
++{
++    struct sysdb_attrs *attrs;
++    char *value;
++    errno_t ret;
++
++    attrs = sysdb_new_attrs(NULL);
++    if (attrs == NULL) {
++        return ENOMEM;
++    }
++
++    /* The attribute contains number of days since the epoch */
++    value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
++    if (value == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = sysdb_attrs_add_string(attrs, attrname, value);
++    if (ret != EOK) {
++        goto done;
++    }
++
++    ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
++
++done:
++    talloc_free(attrs);
++    return ret;
++}
++
+ /* =Replace-Attributes-On-Group=========================================== */
+ 
+ int sysdb_set_group_attr(struct sss_domain_info *domain,
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index 6404a9d3a..96b9d6df4 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
+     struct pam_data *pd;
+     struct sdap_handle *sh;
+     char *dn;
++    enum pwexpire pw_expire_type;
+ };
+ 
+ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
+@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ {
+     struct sdap_pam_chpass_handler_state *state;
+     struct tevent_req *req;
+-    enum pwexpire pw_expire_type;
+     void *pw_expire_data;
+     size_t msg_len;
+     uint8_t *msg;
+@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+     state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
+ 
+     ret = auth_recv(subreq, state, &state->sh, &state->dn,
+-                    &pw_expire_type, &pw_expire_data);
++                    &state->pw_expire_type, &pw_expire_data);
+     talloc_free(subreq);
+ 
+     if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
+@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+     }
+ 
+     if (ret == EOK) {
+-        switch (pw_expire_type) {
++        switch (state->pw_expire_type) {
+         case PWEXPIRE_SHADOW:
+             ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
+             break;
+@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+             break;
+         default:
+             DEBUG(SSSDBG_CRIT_FAILURE,
+-                  "Unknown password expiration type %d.\n", pw_expire_type);
++                  "Unknown password expiration type %d.\n",
++                  state->pw_expire_type);
+             state->pd->pam_status = PAM_SYSTEM_ERR;
+             goto done;
+         }
+@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+         case ERR_PASSWORD_EXPIRED:
+             DEBUG(SSSDBG_TRACE_LIBS,
+                   "user [%s] successfully authenticated.\n", state->dn);
+-            ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
++            ret = sdap_pam_chpass_handler_change_step(state, req,
++                                                      state->pw_expire_type);
+             if (ret != EOK) {
+                 DEBUG(SSSDBG_OP_FAILURE,
+                       "sdap_pam_chpass_handler_change_step() failed.\n");
+@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
+ 
+     switch (ret) {
+     case EOK:
++        if (state->pw_expire_type == PWEXPIRE_SHADOW) {
++            ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
++                    state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
++            if (ret != EOK) {
++                state->pd->pam_status = PAM_SYSTEM_ERR;
++                goto done;
++            }
++        }
++
+         state->pd->pam_status = PAM_SUCCESS;
+         break;
+     case ERR_CHPASS_DENIED:
+-- 
+2.37.3
+
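Review bot: In the nested ldap_auth.c hunk, the new `case EOK:` branch of sdap_pam_chpass_handler_chpass_done turns a failed cache write into PAM_SYSTEM_ERR after the password change itself has already returned EOK, and it does so without any DEBUG line. The user would then be told the change failed although, as far as the hunk shows, the new password is already in effect on the server, which invites retries with the old password and makes the failure hard to trace in the logs. At minimum log it before the `goto done`, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Unable to update shadow last change in cache [%d]: %s\n", ret, sss_strerror(ret));`, and consider treating the cache update as best effort so that pam_status still becomes PAM_SUCCESS. Separately, sysdb_update_user_shadow_last_change() derives the day count from the local clock via `(long)time(NULL)/86400` without checking for a `time()` failure; a short comment saying the value is a local approximation that is presumably overwritten by the next refresh from LDAP would help. The handler's body begins outside the hunk, so any later handling of `ret` is not visible here.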
diff --git a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
deleted file mode 100644
index 6caa8fc..0000000
--- a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 29 Jul 2022 14:57:20 +0200
-Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it
- should survive context destruction / re-initialization
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911)
----
- src/sss_client/nss_mc.h        |  4 ++--
- src/sss_client/nss_mc_common.c | 10 ++++++++--
- src/sss_client/nss_mc_group.c  |  5 +++++
- src/sss_client/nss_mc_initgr.c |  5 +++++
- src/sss_client/nss_mc_passwd.c |  5 +++++
- src/sss_client/nss_mc_sid.c    |  5 +++++
- 6 files changed, 30 insertions(+), 4 deletions(-)
-
-diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
-index b66e8f09f..de1496ccc 100644
---- a/src/sss_client/nss_mc.h
-+++ b/src/sss_client/nss_mc.h
-@@ -48,7 +48,7 @@ enum sss_mc_state {
- struct sss_cli_mc_ctx {
-     enum sss_mc_state initialized;
- #if HAVE_PTHREAD
--    pthread_mutex_t mutex;
-+    pthread_mutex_t *mutex;
- #endif
-     int fd;
- 
-@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx {
- };
- 
- #if HAVE_PTHREAD
--#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
-+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #else
- #define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #endif
-diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
-index c73a93a9a..f38a4a85a 100644
---- a/src/sss_client/nss_mc_common.c
-+++ b/src/sss_client/nss_mc_common.c
-@@ -58,14 +58,14 @@ do { \
- static void sss_mt_lock(struct sss_cli_mc_ctx *ctx)
- {
- #if HAVE_PTHREAD
--    pthread_mutex_lock(&ctx->mutex);
-+    pthread_mutex_lock(ctx->mutex);
- #endif
- }
- 
- static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
- {
- #if HAVE_PTHREAD
--    pthread_mutex_unlock(&ctx->mutex);
-+    pthread_mutex_unlock(ctx->mutex);
- #endif
- }
- 
-@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
- static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
- {
-     uint32_t active_threads = ctx->active_threads;
-+#if HAVE_PTHREAD
-+    pthread_mutex_t *mutex = ctx->mutex;
-+#endif
- 
-     if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
-         munmap(ctx->mmap_base, ctx->mmap_size);
-@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
- 
-     /* restore count of active threads */
-     ctx->active_threads = active_threads;
-+#if HAVE_PTHREAD
-+    ctx->mutex = mutex;
-+#endif
- }
- 
- static errno_t sss_nss_mc_init_ctx(const char *name,
-diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
-index 2ea40c435..d4f2a82ab 100644
---- a/src/sss_client/nss_mc_group.c
-+++ b/src/sss_client/nss_mc_group.c
-@@ -29,7 +29,12 @@
- #include "nss_mc.h"
- #include "shared/safealign.h"
- 
-+#if HAVE_PTHREAD
-+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
-+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex);
-+#else
- static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
-+#endif
- 
- static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
-                                        struct group *result,
-diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
-index b05946263..bd7282935 100644
---- a/src/sss_client/nss_mc_initgr.c
-+++ b/src/sss_client/nss_mc_initgr.c
-@@ -32,7 +32,12 @@
- #include "nss_mc.h"
- #include "shared/safealign.h"
- 
-+#if HAVE_PTHREAD
-+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
-+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex);
-+#else
- static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
-+#endif
- 
- static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
-                                        long int *start, long int *size,
-diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
-index 01c6801da..256d48444 100644
---- a/src/sss_client/nss_mc_passwd.c
-+++ b/src/sss_client/nss_mc_passwd.c
-@@ -28,7 +28,12 @@
- #include <time.h>
- #include "nss_mc.h"
- 
-+#if HAVE_PTHREAD
-+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
-+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex);
-+#else
- static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
-+#endif
- 
- static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
-                                        struct passwd *result,
-diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c
-index af7d7bbd5..52e684da5 100644
---- a/src/sss_client/nss_mc_sid.c
-+++ b/src/sss_client/nss_mc_sid.c
-@@ -30,7 +30,12 @@
- #include "util/mmap_cache.h"
- #include "idmap/sss_nss_idmap.h"
- 
-+#if HAVE_PTHREAD
-+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
-+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex);
-+#else
- static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
-+#endif
- 
- static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type,
-                                       char **sid, uint32_t *type,
--- 
-2.37.1
-
diff --git a/SOURCES/0002-MAN-mention-attributes-in-see-also.patch b/SOURCES/0002-MAN-mention-attributes-in-see-also.patch
new file mode 100644
index 0000000..c103d64
--- /dev/null
+++ b/SOURCES/0002-MAN-mention-attributes-in-see-also.patch
@@ -0,0 +1,29 @@
+From 897ccf40b2e7ab30c3b8a3fb42584d1d5b8c4bb3 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 13 Jan 2023 18:58:05 +0100
+Subject: [PATCH] MAN: mention `attributes` in 'see also'
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit b631c3174a3f8f5c169e9507969015dd79fdfd80)
+---
+ src/man/include/seealso.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
+index 9999496fa..7f0bbe9df 100644
+--- a/src/man/include/seealso.xml
++++ b/src/man/include/seealso.xml
+@@ -10,6 +10,9 @@
+             <citerefentry>
+                 <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+             </citerefentry>,
++            <citerefentry>
++                <refentrytitle>sssd-ldap-attributes</refentrytitle><manvolnum>5</manvolnum>
++            </citerefentry>,
+             <citerefentry>
+                 <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+             </citerefentry>,
+-- 
+2.37.3
+
diff --git a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
deleted file mode 100644
index 965ceaa..0000000
--- a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 1 Aug 2022 09:54:51 -0400
-Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
-is NULL for certain NSS request types (e.g. Service by Name).
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)
----
- src/responder/nss/nss_get_object.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
-index 9762d6bfe..5a2e7e9bd 100644
---- a/src/responder/nss/nss_get_object.c
-+++ b/src/responder/nss/nss_get_object.c
-@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx,
-                                           input_name);
-     }
- 
--    cache_req_data_set_hybrid_lookup(hybrid_data, true);
-+    if (hybrid_data != NULL) {
-+        cache_req_data_set_hybrid_lookup(hybrid_data, true);
-+    }
- 
-     return hybrid_data;
- }
--- 
-2.37.1
-
diff --git a/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch b/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
new file mode 100644
index 0000000..df981a7
--- /dev/null
+++ b/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
@@ -0,0 +1,90 @@
+From 45a5630e0cfe95ab90bf4a7dd1b32f418c4c759e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 23 Dec 2022 16:36:58 +0100
+Subject: [PATCH] SSS_CLIENT: delete key in lib destructor
+
+pthread_key_delete() disables thread at-exit destructors.
+Otherwise an attempt to execute already unloaded `sss_at_thread_exit()`
+would trigger segfault.
+
+This doesn't solve an issue with leaking on `dlclose()` FDs initialized in
+multiple threads, but better than crash.
+
+Resolves: https://github.com/SSSD/sssd/issues/6505
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 08ccd23fb2c831d6ea918a59b777a0073d414858)
+---
+ src/sss_client/common.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index d762dff49..2c888faa9 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -27,6 +27,7 @@
+ #include <nss.h>
+ #include <security/pam_modules.h>
+ #include <errno.h>
++#include <stdatomic.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/un.h>
+@@ -63,7 +64,8 @@
+ 
+ #ifdef HAVE_PTHREAD_EXT
+ static pthread_key_t sss_sd_key;
+-static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
++static pthread_once_t sss_sd_key_init = PTHREAD_ONCE_INIT;
++static atomic_bool sss_sd_key_initialized = false;
+ static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
+ static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
+ #else
+@@ -71,9 +73,6 @@ static int sss_cli_sd = -1; /* the sss client socket descriptor */
+ static struct stat sss_cli_sb; /* the sss client stat buffer */
+ #endif
+ 
+-#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
+-__attribute__((destructor))
+-#endif
+ void sss_cli_close_socket(void)
+ {
+     if (sss_cli_sd != -1) {
+@@ -91,9 +90,24 @@ static void sss_at_thread_exit(void *v)
+ static void init_sd_key(void)
+ {
+     pthread_key_create(&sss_sd_key, sss_at_thread_exit);
++    sss_sd_key_initialized = true;
++}
++#endif
++
++#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
++__attribute__((destructor)) void sss_at_lib_unload(void)
++{
++#ifdef HAVE_PTHREAD_EXT
++    if (sss_sd_key_initialized) {
++        sss_sd_key_initialized = false;
++        pthread_key_delete(sss_sd_key);
++    }
++#endif
++    sss_cli_close_socket();
+ }
+ #endif
+ 
++
+ /* Requests:
+  *
+  * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
+@@ -572,7 +586,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
+     }
+ 
+ #ifdef HAVE_PTHREAD_EXT
+-    pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
++    pthread_once(&sss_sd_key_init, init_sd_key); /* once for all threads */
+ 
+     /* It actually doesn't matter what value to set for a key.
+      * The only important thing: key must be non-NULL to ensure
+-- 
+2.37.3
+
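Review bot: init_sd_key() sets `sss_sd_key_initialized = true` even when pthread_key_create() fails, because its return value is ignored, so sss_at_lib_unload() can later call pthread_key_delete() on a key that was never created. Set the flag only on success: `if (pthread_key_create(&sss_sd_key, sss_at_thread_exit) == 0) { sss_sd_key_initialized = true; }`. In the destructor the test and the clear are two separate atomic operations; `if (atomic_exchange(&sss_sd_key_initialized, false)) { pthread_key_delete(sss_sd_key); }` guarantees the delete runs at most once. Also note that `#include <stdatomic.h>` is added unconditionally although the flag exists only under HAVE_PTHREAD_EXT, which may matter for toolchains without C11 atomics.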
diff --git a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
deleted file mode 100644
index 7f87ccc..0000000
--- a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Thu, 14 Jul 2022 11:21:04 -0400
-Subject: [PATCH] Analyzer: Fix escaping raw fstring
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19)
----
- src/tools/analyzer/modules/request.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index b8dd9b25c..935e13adc 100644
---- a/src/tools/analyzer/modules/request.py
-+++ b/src/tools/analyzer/modules/request.py
-@@ -243,8 +243,8 @@ class RequestAnalyzer:
-         be_results = False
-         component = source.Component.NSS
-         resp = "nss"
--        pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]']
--        pattern.append(rf"\[CID#{cid}\\]")
-+        pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
-+        pattern.append(rf"\[CID#{cid}\]")
- 
-         if args.pam:
-             component = source.Component.PAM
--- 
-2.37.1
-
diff --git a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
deleted file mode 100644
index a820d44..0000000
--- a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Tue, 16 Aug 2022 21:48:43 +0200
-Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f)
----
- src/sss_client/nss_mc.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
-index de1496ccc..0f88521e9 100644
---- a/src/sss_client/nss_mc.h
-+++ b/src/sss_client/nss_mc.h
-@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx {
- };
- 
- #if HAVE_PTHREAD
--#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
-+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #else
--#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
-+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #endif
- 
- errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
--- 
-2.37.1
-
diff --git a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
deleted file mode 100644
index f759975..0000000
--- a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Tue, 16 Aug 2022 21:51:03 +0200
-Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be
- touched
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
-was creating a possibility for a race.
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757)
----
- src/sss_client/nss_mc.h        |  4 +++-
- src/sss_client/nss_mc_common.c | 20 ++++++++++----------
- 2 files changed, 13 insertions(+), 11 deletions(-)
-
-diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
-index 0f88521e9..9ab2736fa 100644
---- a/src/sss_client/nss_mc.h
-+++ b/src/sss_client/nss_mc.h
-@@ -44,7 +44,9 @@ enum sss_mc_state {
-     RECYCLED,
- };
- 
--/* common stuff */
-+/* In the case this structure is extended, don't forget to update
-+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`.
-+ */
- struct sss_cli_mc_ctx {
-     enum sss_mc_state initialized;
- #if HAVE_PTHREAD
-diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
-index f38a4a85a..3128861bf 100644
---- a/src/sss_client/nss_mc_common.c
-+++ b/src/sss_client/nss_mc_common.c
-@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
- 
- static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
- {
--    uint32_t active_threads = ctx->active_threads;
--#if HAVE_PTHREAD
--    pthread_mutex_t *mutex = ctx->mutex;
--#endif
- 
-     if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
-         munmap(ctx->mmap_base, ctx->mmap_size);
-     }
-+    ctx->mmap_base = NULL;
-+    ctx->mmap_size = 0;
-+
-     if (ctx->fd != -1) {
-         close(ctx->fd);
-     }
--    memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
-     ctx->fd = -1;
- 
--    /* restore count of active threads */
--    ctx->active_threads = active_threads;
--#if HAVE_PTHREAD
--    ctx->mutex = mutex;
--#endif
-+    ctx->seed = 0;
-+    ctx->data_table = NULL;
-+    ctx->dt_size = 0;
-+    ctx->hash_table = NULL;
-+    ctx->ht_size = 0;
-+    ctx->initialized = UNINITIALIZED;
-+    /* `mutex` and `active_threads` should be left intact */
- }
- 
- static errno_t sss_nss_mc_init_ctx(const char *name,
--- 
-2.37.1
-
diff --git a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
deleted file mode 100644
index 0e06c29..0000000
--- a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 15 Aug 2022 16:17:59 -0400
-Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup
-
-Fixes an issue when the sssctl analyzer option is
-used on systems where SSSD is not running or configured. This is
-an expected use case when using --logdir option to analyze external
-log files.
-
-Resolves: https://github.com/SSSD/sssd/issues/6298
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/tools/sssctl/sssctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 3816125ad..f18689f9f 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
-         SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
-         SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
-         SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
--        SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze),
-+        SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
- #ifdef HAVE_LIBINI_CONFIG_V1_3
-         SSS_TOOL_DELIMITER("Configuration files tools:"),
-         SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
--- 
-2.37.1
-
diff --git a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
deleted file mode 100644
index 769e082..0000000
--- a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
+++ /dev/null
@@ -1,297 +0,0 @@
-From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Fri, 19 Aug 2022 09:50:22 -0400
-Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Client ID is not stored properly to match requests
-when parallel requests are made to client SSSD
-
-Resolves: https://github.com/SSSD/sssd/issues/6307
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/responder/common/cache_req/cache_req.c           |  5 +++--
- .../plugins/cache_req_autofs_entry_by_name.c         |  3 ++-
- .../cache_req/plugins/cache_req_autofs_map_by_name.c |  3 ++-
- .../cache_req/plugins/cache_req_autofs_map_entries.c |  3 ++-
- .../plugins/cache_req_ssh_host_id_by_name.c          |  3 ++-
- src/responder/common/responder.h                     |  2 +-
- src/responder/common/responder_common.c              | 12 +++++++-----
- src/responder/common/responder_dp.c                  |  5 +++--
- src/responder/common/responder_get_domains.c         |  3 ++-
- src/responder/pam/pamsrv_cmd.c                       |  4 ++--
- 10 files changed, 26 insertions(+), 17 deletions(-)
-
-diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
-index 4dd45b038..bc65bae71 100644
---- a/src/responder/common/cache_req/cache_req.c
-+++ b/src/responder/common/cache_req/cache_req.c
-@@ -24,6 +24,7 @@
- #include <errno.h>
- 
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "responder/common/responder.h"
- #include "responder/common/cache_req/cache_req_private.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
-@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
-     }
-     state->first_iteration = true;
- 
--    SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n",
--                         rctx->client_id_num, cr->reqname);
-+    SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n",
-+                         sss_chain_id_get(), cr->reqname);
- 
-     ret = cache_req_is_well_known_object(state, cr, &result);
-     if (ret == EOK) {
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-index 788b6708c..b2b0a06eb 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-@@ -24,6 +24,7 @@
- #include "db/sysdb.h"
- #include "db/sysdb_autofs.h"
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "providers/data_provider.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
- 
-@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
-                                              be_conn->bus_name, SSS_BUS_PATH,
-                                              0, data->name.name,
-                                              data->autofs_entry_name,
--                                             cr->rctx->client_id_num);
-+                                             sss_chain_id_get());
- }
- 
- bool
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-index 5d82641cc..23b11b1cd 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-@@ -24,6 +24,7 @@
- #include "db/sysdb.h"
- #include "db/sysdb_autofs.h"
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "providers/data_provider.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
- 
-@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
-     return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
-                                            be_conn->bus_name, SSS_BUS_PATH,
-                                            0, data->name.name,
--                                           cr->rctx->client_id_num);
-+                                           sss_chain_id_get());
- }
- 
- bool
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-index 29f289723..18c08ca39 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-@@ -24,6 +24,7 @@
- #include "db/sysdb.h"
- #include "db/sysdb_autofs.h"
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "providers/data_provider.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
- 
-@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
-     return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
-                                               be_conn->bus_name, SSS_BUS_PATH,
-                                               0, data->name.name,
--                                              cr->rctx->client_id_num);
-+                                              sss_chain_id_get());
- }
- 
- bool
-diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
-index a8b8f47a8..29f52f10d 100644
---- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
-@@ -23,6 +23,7 @@
- 
- #include "db/sysdb_ssh.h"
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "providers/data_provider.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
- 
-@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
-     return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn,
-                                             be_conn->bus_name, SSS_BUS_PATH,
-                                             0, data->name.name, data->alias,
--                                            cr->rctx->client_id_num);
-+                                            sss_chain_id_get());
- }
- 
- static bool
-diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
-index 5cb79e3e6..259b3ff13 100644
---- a/src/responder/common/responder.h
-+++ b/src/responder/common/responder.h
-@@ -165,13 +165,13 @@ struct cli_ctx {
- 
-     struct cli_creds *creds;
-     char *cmd_line;
--    uint64_t old_chain_id;
- 
-     void *protocol_ctx;
-     void *state_ctx;
- 
-     struct tevent_timer *idle;
-     time_t last_request_time;
-+    uint32_t client_id_num;
- };
- 
- struct sss_cmd_table {
-diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
-index 6e3b61ef0..a4ba8ea71 100644
---- a/src/responder/common/responder_common.c
-+++ b/src/responder/common/responder_common.c
-@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev,
-               "Failed to close fd [%d]: [%s]\n",
-                ctx->cfd, strerror(ret));
-     }
--    /* Restore the original chain id  */
--    sss_chain_id_set(ctx->old_chain_id);
- 
-     DEBUG(SSSDBG_TRACE_INTERNAL,
-           "Terminated client [%p][%d]\n",
-@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev,
-     int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd;
- 
-     rctx->client_id_num++;
--
-     if (accept_ctx->is_private) {
-         ret = stat(rctx->priv_sock_name, &stat_buf);
-         if (ret == -1) {
-@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev,
- 
-     talloc_set_destructor(cctx, cli_ctx_destructor);
- 
-+    cctx->client_id_num = rctx->client_id_num;
-+
-     len = sizeof(cctx->addr);
-     cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
-     if (cctx->cfd == -1) {
-@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev,
- 
-     DEBUG(SSSDBG_TRACE_FUNC,
-           "[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n",
--          rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
-+          cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
-           cctx, cctx->cfd, accept_ctx->is_private ? " to privileged pipe" : "");
- 
-     return;
-@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr,
-                            uint16_t flags)
- {
-     errno_t ret;
-+    uint64_t old_chain_id;
-     struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx);
- 
-     /* Always reset the responder idle timer on any activity */
-@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr,
-     }
- 
-     /* Set the chain id */
--    cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num);
-+    old_chain_id = sss_chain_id_set(cctx->client_id_num);
- 
-     if (flags & TEVENT_FD_READ) {
-         recv_fn(cctx);
-@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr,
-         send_fn(cctx);
-         return;
-     }
-+    /* Restore the original chain id  */
-+    sss_chain_id_set(old_chain_id);
- }
- 
- int sss_connection_setup(struct cli_ctx *cctx)
-diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
-index d549e02d3..4b4770da1 100644
---- a/src/responder/common/responder_dp.c
-+++ b/src/responder/common/responder_dp.c
-@@ -23,6 +23,7 @@
- #include <sys/time.h>
- #include <time.h>
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "responder/common/responder_packet.h"
- #include "responder/common/responder.h"
- #include "providers/data_provider.h"
-@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
-     subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn,
-                  be_conn->bus_name, SSS_BUS_PATH, dp_flags,
-                  entry_type, filter, dom->name, extra,
--                 rctx->client_id_num);
-+                 sss_chain_id_get());
-     if (subreq == NULL) {
-         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
-         ret = ENOMEM;
-@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx,
-                                                   SSS_BUS_PATH,
-                                                   dp_flags, entry_type,
-                                                   filter_type, filter_value,
--                                                  rctx->client_id_num);
-+                                                  sss_chain_id_get());
-     if (subreq == NULL) {
-         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
-         ret = ENOMEM;
-diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
-index 918124756..aeff28d73 100644
---- a/src/responder/common/responder_get_domains.c
-+++ b/src/responder/common/responder_get_domains.c
-@@ -19,6 +19,7 @@
- */
- 
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "responder/common/responder.h"
- #include "providers/data_provider.h"
- #include "db/sysdb.h"
-@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx,
-                                                    be_conn->bus_name,
-                                                    SSS_BUS_PATH, dp_flags,
-                                                    entry_type, filter,
--                                                   rctx->client_id_num);
-+                                                   sss_chain_id_get());
-     if (subreq == NULL) {
-         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
-         ret = ENOMEM;
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index cb0e1b82f..1695554fc 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
-     }
-     preq->cctx = cctx;
-     preq->cert_auth_local = false;
--    preq->client_id_num = pctx->rctx->client_id_num;
-+    preq->client_id_num = cctx->client_id_num;
- 
-     preq->pd = create_pam_data(preq);
-     if (!preq->pd) {
-@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
- 
-     pd->cmd = pam_cmd;
-     pd->priv = cctx->priv;
--    pd->client_id_num = pctx->rctx->client_id_num;
-+    pd->client_id_num = cctx->client_id_num;
- 
-     ret = pam_forwarder_parse_data(cctx, pd);
-     if (ret == EAGAIN) {
--- 
-2.37.1
-
diff --git a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch
deleted file mode 100644
index b2c49e1..0000000
--- a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Fri, 19 Aug 2022 14:44:11 -0400
-Subject: [PATCH 9/9] Analyzer: support parallel requests parsing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Analyzer code(primarily the list verbose command) needs
-changes to handle parsing the necessary lines from
-NSS/PAM log files when multiple intermixed/parallel
-client requests are sent to SSSD.
-
-Resolves: https://github.com/SSSD/sssd/issues/6307
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/tools/analyzer/modules/request.py | 119 +++++++++++++++-----------
- 1 file changed, 67 insertions(+), 52 deletions(-)
-
-diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index 935e13adc..b9fe3caf8 100644
---- a/src/tools/analyzer/modules/request.py
-+++ b/src/tools/analyzer/modules/request.py
-@@ -16,7 +16,6 @@ class RequestAnalyzer:
-     """
-     module_parser = None
-     consumed_logs = []
--    done = ""
-     list_opts = [
-         Option('--verbose', 'Verbose output', bool, '-v'),
-         Option('--pam', 'Filter only PAM requests', bool),
-@@ -149,58 +148,74 @@ class RequestAnalyzer:
-                 print(line)
-         return found_results
- 
--    def print_formatted(self, line, verbose):
-+    def print_formatted_verbose(self, source, patterns):
-+        """
-+        Parse line and print formatted verbose list_requests output
-+
-+        Args:
-+            source (Reader): source Reader object
-+            patterns (list): List of regex patterns to use for
-+                matching lines
-+        """
-+        # Get CID number, and print the basic line first
-+        for line in self.matched_line(source, patterns):
-+            cid = self.print_formatted(line)
-+
-+            # Loop through each line with this CID number to extract and
-+            # print the verbose data needed
-+            verbose_patterns = ["(cache_req_send|cache_req_process_input|"
-+                                "cache_req_search_send)"]
-+            for cidline in self.matched_line(source, verbose_patterns):
-+                plugin = ""
-+                name = ""
-+                id = ""
-+
-+                # skip any lines not pertaining to this CID
-+                if f"CID#{cid}]" not in cidline:
-+                    continue
-+                if "refreshed" in cidline:
-+                    continue
-+                # CR Plugin name
-+                if re.search("cache_req_send", cidline):
-+                    plugin = cidline.split('\'')[1]
-+                # CR Input name
-+                elif re.search("cache_req_process_input", cidline):
-+                    name = cidline.rsplit('[')[-1]
-+                # CR Input id
-+                elif re.search("cache_req_search_send", cidline):
-+                    id = cidline.rsplit()[-1]
-+
-+                if plugin:
-+                    print("   - " + plugin)
-+                if name:
-+                    print("       - " + name[:-2])
-+                if (id and ("UID" in cidline or "GID" in cidline)):
-+                    print("       - " + id)
-+
-+    def print_formatted(self, line):
-         """
-         Parse line and print formatted list_requests output
- 
-         Args:
-             line (str): line to parse
--            verbose (bool): If true, enable verbose output
-+        Returns:
-+            Client ID from printed line, 0 otherwise
-         """
--        plugin = ""
--        name = ""
--        id = ""
--
-         # exclude backtrace logs
-         if line.startswith('   *  '):
--            return
--        fields = line.split("[")
--        cr_field = fields[3][7:]
--        cr = cr_field.split(":")[0][4:]
-+            return 0
-         if "refreshed" in line:
--            return
--        # CR Plugin name
--        if re.search("cache_req_send", line):
--            plugin = line.split('\'')[1]
--        # CR Input name
--        elif re.search("cache_req_process_input", line):
--            name = line.rsplit('[')[-1]
--        # CR Input id
--        elif re.search("cache_req_search_send", line):
--            id = line.rsplit()[-1]
--        # CID and client process name
--        else:
--            ts = line.split(")")[0]
--            ts = ts[1:]
--            fields = line.split("[")
--            cid = fields[3][4:-9]
--            cmd = fields[4][4:-1]
--            uid = fields[5][4:-1]
--            if not uid.isnumeric():
--                uid = fields[6][4:-1]
--            print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
--
--        if verbose:
--            if plugin:
--                print("   - " + plugin)
--            if name:
--                if cr not in self.done:
--                    print("       - " + name[:-2])
--                    self.done = cr
--            if id:
--                if cr not in self.done:
--                    print("       - " + id)
--                    self.done = cr
-+            return 0
-+        ts = line.split(")")[0]
-+        ts = ts[1:]
-+        fields = line.split("[")
-+        cid = fields[3][4:-9]
-+        cmd = fields[4][4:-1]
-+        uid = fields[5][4:-1]
-+        if not uid.isnumeric():
-+            uid = fields[6][4:-1]
-+        print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
-+        return cid
- 
-     def list_requests(self, args):
-         """
-@@ -215,20 +230,20 @@ class RequestAnalyzer:
-         # Log messages matching the following regex patterns contain
-         # the useful info we need to produce list output
-         patterns = [r'\[cmd']
--        patterns.append("(cache_req_send|cache_req_process_input|"
--                        "cache_req_search_send)")
-         if args.pam:
-             component = source.Component.PAM
-             resp = "pam"
- 
-         logger.info(f"******** Listing {resp} client requests ********")
-         source.set_component(component, False)
--        self.done = ""
--        for line in self.matched_line(source, patterns):
--            if isinstance(source, Journald):
--                print(line)
--            else:
--                self.print_formatted(line, args.verbose)
-+        if args.verbose:
-+            self.print_formatted_verbose(source, patterns)
-+        else:
-+            for line in self.matched_line(source, patterns):
-+                if isinstance(source, Journald):
-+                    print(line)
-+                else:
-+                    self.print_formatted(line)
- 
-     def track_request(self, args):
-         """
--- 
-2.37.1
-
diff --git a/SOURCES/0010-CLIENT-fix-client-fd-leak.patch b/SOURCES/0010-CLIENT-fix-client-fd-leak.patch
deleted file mode 100644
index 48622c8..0000000
--- a/SOURCES/0010-CLIENT-fix-client-fd-leak.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-From 1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Thu, 25 Aug 2022 18:10:46 +0200
-Subject: [PATCH] CLIENT: fix client fd leak
-
- - close client socket at thread exit
- - only build lock-free client support if libc has required
-   functionality for a proper cleanup
- - use proper mechanisms to init lock_mode only once
-
-:relnote:Lock-free client support will be only built if libc
-provides `pthread_key_create()` and `pthread_once()`. For glibc
-this means version 2.34+
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb)
----
- configure.ac                     | 29 +++++++++--
- src/man/Makefile.am              |  5 +-
- src/man/sssd.8.xml               |  2 +-
- src/sss_client/common.c          | 83 +++++++++++++++++++-------------
- src/sss_client/idmap/common_ex.c |  4 ++
- 5 files changed, 84 insertions(+), 39 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 93bd93b85..5a05de41e 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -51,18 +51,39 @@ AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
- m4_include([src/build_macros.m4])
- BUILD_WITH_SHARED_BUILD_DIR
- 
--AC_COMPILE_IFELSE(
-+
-+SAVE_LIBS=$LIBS
-+LIBS=
-+AC_LINK_IFELSE(
-     [AC_LANG_PROGRAM([[#include <pthread.h>]],
-         [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
--          (void) m; /* unused */
-+          pthread_mutex_lock(&m);
-+          pthread_mutex_unlock(&m);
-         ]])],
-     [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.])
-      HAVE_PTHREAD=1
-     ],
--    [AC_MSG_WARN([Pthread library not found! Clients will not be thread safe...])])
-+    [AC_MSG_WARN([Pthread mutex support not found! Clients will not be thread safe...])])
-+LIBS=$SAVE_LIBS
-+AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
- 
- 
--AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
-+SAVE_LIBS=$LIBS
-+LIBS=
-+AC_LINK_IFELSE(
-+    [AC_LANG_PROGRAM([[#include <pthread.h>]],
-+        [[static pthread_key_t k;
-+          static pthread_once_t f = PTHREAD_ONCE_INIT;
-+          pthread_once(&f, NULL);
-+          pthread_key_create(&k, NULL);
-+        ]])],
-+    [AC_DEFINE([HAVE_PTHREAD_EXT], [1], [Extended pthread functionality is available.])
-+     HAVE_PTHREAD_EXT=1
-+    ],
-+    [AC_MSG_WARN([Extended pthread functionality is not available. Lock-free client feature will not be built.])])
-+LIBS=$SAVE_LIBS
-+AM_CONDITIONAL([BUILD_LOCKFREE_CLIENT], [test x"$HAVE_PTHREAD_EXT" != "x"])
-+
- 
- # Check library for the timer_create function
- SAVE_LIBS=$LIBS
-diff --git a/src/man/Makefile.am b/src/man/Makefile.am
-index 93dd14819..063ff1bf0 100644
---- a/src/man/Makefile.am
-+++ b/src/man/Makefile.am
-@@ -46,9 +46,12 @@ endif
- if BUILD_KCM_RENEWAL
- KCM_RENEWAL_CONDS = ;enable_kcm_renewal
- endif
-+if BUILD_LOCKFREE_CLIENT
-+LOCKFREE_CLIENT_CONDS = ;enable_lockfree_support
-+endif
- 
- 
--CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)
-+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)
- 
- 
- #Special Rules:
-diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
-index df07b7f29..5f507c631 100644
---- a/src/man/sssd.8.xml
-+++ b/src/man/sssd.8.xml
-@@ -240,7 +240,7 @@
-             If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
-             client applications will not use the fast in-memory cache.
-         </para>
--        <para>
-+        <para condition="enable_lockfree_support">
-             If the environment variable SSS_LOCKFREE is set to "NO", requests
-             from multiple threads of a single application will be serialized.
-         </para>
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 29c751a50..d762dff49 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -35,7 +35,6 @@
- #include <stdlib.h>
- #include <stdbool.h>
- #include <stdint.h>
--#include <stdatomic.h>
- #include <string.h>
- #include <fcntl.h>
- #include <poll.h>
-@@ -62,8 +61,15 @@
- 
- /* common functions */
- 
-+#ifdef HAVE_PTHREAD_EXT
-+static pthread_key_t sss_sd_key;
-+static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
- static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
- static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
-+#else
-+static int sss_cli_sd = -1; /* the sss client socket descriptor */
-+static struct stat sss_cli_sb; /* the sss client stat buffer */
-+#endif
- 
- #if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
- __attribute__((destructor))
-@@ -76,6 +82,18 @@ void sss_cli_close_socket(void)
-     }
- }
- 
-+#ifdef HAVE_PTHREAD_EXT
-+static void sss_at_thread_exit(void *v)
-+{
-+    sss_cli_close_socket();
-+}
-+
-+static void init_sd_key(void)
-+{
-+    pthread_key_create(&sss_sd_key, sss_at_thread_exit);
-+}
-+#endif
-+
- /* Requests:
-  *
-  * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
-@@ -553,6 +571,16 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
-         return -1;
-     }
- 
-+#ifdef HAVE_PTHREAD_EXT
-+    pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
-+
-+    /* It actually doesn't matter what value to set for a key.
-+     * The only important thing: key must be non-NULL to ensure
-+     * destructor is executed at thread exit.
-+     */
-+    pthread_setspecific(sss_sd_key, &sss_cli_sd);
-+#endif
-+
-     /* set as non-blocking, close on exec, and make sure standard
-      * descriptors are not used */
-     sd = make_safe_fd(sd);
-@@ -1129,41 +1157,38 @@ errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len)
- }
- 
- #if HAVE_PTHREAD
--bool sss_is_lockfree_mode(void)
-+
-+#ifdef HAVE_PTHREAD_EXT
-+static bool sss_lock_free = true;
-+static pthread_once_t sss_lock_mode_initialized = PTHREAD_ONCE_INIT;
-+
-+static void init_lock_mode(void)
- {
--    const char *env = NULL;
--    enum {
--        MODE_UNDEF,
--        MODE_LOCKING,
--        MODE_LOCKFREE
--    };
--    static atomic_int mode = MODE_UNDEF;
--
--    if (mode == MODE_UNDEF) {
--        env = getenv("SSS_LOCKFREE");
--        if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
--            mode = MODE_LOCKING;
--        } else {
--            mode = MODE_LOCKFREE;
--        }
-+    const char *env = getenv("SSS_LOCKFREE");
-+
-+    if ((env != NULL) && (strcasecmp(env, "NO") == 0)) {
-+        sss_lock_free = false;
-     }
-+}
- 
--    return (mode == MODE_LOCKFREE);
-+bool sss_is_lockfree_mode(void)
-+{
-+    pthread_once(&sss_lock_mode_initialized, init_lock_mode);
-+    return sss_lock_free;
- }
-+#endif
- 
- struct sss_mutex sss_nss_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
--
- static struct sss_mutex sss_pam_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
--
--static struct sss_mutex sss_nss_mc_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
--
- static struct sss_mutex sss_pac_mtx = { .mtx  = PTHREAD_MUTEX_INITIALIZER };
- 
- static void sss_mt_lock(struct sss_mutex *m)
- {
-+#ifdef HAVE_PTHREAD_EXT
-     if (sss_is_lockfree_mode()) {
-         return;
-     }
-+#endif
- 
-     pthread_mutex_lock(&m->mtx);
-     pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state);
-@@ -1171,9 +1196,11 @@ static void sss_mt_lock(struct sss_mutex *m)
- 
- static void sss_mt_unlock(struct sss_mutex *m)
- {
-+#ifdef HAVE_PTHREAD_EXT
-     if (sss_is_lockfree_mode()) {
-         return;
-     }
-+#endif
- 
-     pthread_setcancelstate(m->old_cancel_state, NULL);
-     pthread_mutex_unlock(&m->mtx);
-@@ -1189,7 +1216,7 @@ void sss_nss_unlock(void)
-     sss_mt_unlock(&sss_nss_mtx);
- }
- 
--/* NSS mutex wrappers */
-+/* PAM mutex wrappers */
- void sss_pam_lock(void)
- {
-     sss_mt_lock(&sss_pam_mtx);
-@@ -1199,16 +1226,6 @@ void sss_pam_unlock(void)
-     sss_mt_unlock(&sss_pam_mtx);
- }
- 
--/* NSS mutex wrappers */
--void sss_nss_mc_lock(void)
--{
--    sss_mt_lock(&sss_nss_mc_mtx);
--}
--void sss_nss_mc_unlock(void)
--{
--    sss_mt_unlock(&sss_nss_mc_mtx);
--}
--
- /* PAC mutex wrappers */
- void sss_pac_lock(void)
- {
-diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c
-index 4f454cd63..8c4894fd9 100644
---- a/src/sss_client/idmap/common_ex.c
-+++ b/src/sss_client/idmap/common_ex.c
-@@ -28,7 +28,9 @@
- #include "common_private.h"
- 
- extern struct sss_mutex sss_nss_mtx;
-+#ifdef HAVE_PTHREAD_EXT
- bool sss_is_lockfree_mode(void);
-+#endif
- 
- #define SEC_FROM_MSEC(ms) ((ms) / 1000)
- #define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000)
-@@ -51,9 +53,11 @@ static int sss_mt_timedlock(struct sss_mutex *m, const struct timespec *endtime)
- {
-     int ret;
- 
-+#ifdef HAVE_PTHREAD_EXT
-     if (sss_is_lockfree_mode()) {
-         return 0;
-     }
-+#endif
- 
-     ret = pthread_mutex_timedlock(&m->mtx, endtime);
-     if (ret != 0) {
--- 
-2.37.1
-
diff --git a/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch b/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch
deleted file mode 100644
index d747ae3..0000000
--- a/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 20 Sep 2022 15:37:01 +0200
-Subject: [PATCH] krb5: respect krb5_validate for PAC checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The first step of checking the PAC is the same as during the Kerberos
-ticket validation, requesting a service ticket for a service principal
-from the local keytab. By default ticket validation is enable for the
-IPA and AD provider where checking the PAC might become important. If
-ticket validation is disabled manually it is most probably because there
-are issues requesting the service ticket and fixing those is currently
-not possible.
-
-Currently when SSSD is configured to check the PAC it ignores the
-krb5_validate setting and tries to request a service ticket which would
-fail in the case ticket validation is disabled for a reason. To not
-cause regressions with this patch SSSD will skip the PAC checks if
-ticket validation is disabled.
-
-Resolves: https://github.com/SSSD/sssd/issues/6355
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc)
----
- src/man/include/krb5_options.xml      | 11 ++++++++++-
- src/man/sssd.conf.5.xml               | 13 ++++++++++---
- src/providers/krb5/krb5_child.c       |  9 ++++-----
- src/providers/krb5/krb5_init_shared.c | 10 ++++++++++
- 4 files changed, 34 insertions(+), 9 deletions(-)
-
-diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml
-index c3292d1bb..d82be7bfa 100644
---- a/src/man/include/krb5_options.xml
-+++ b/src/man/include/krb5_options.xml
-@@ -26,7 +26,16 @@
-                 keytab entry as the last entry or the only entry in the keytab file.
-             </para>
-             <para>
--                Default: false
-+                Default: false (IPA and AD provider: true)
-+            </para>
-+            <para>
-+                Please note that the ticket validation is the first step when
-+		checking the PAC (see 'pac_check' in the
-+                <citerefentry>
-+                    <refentrytitle>sssd.conf</refentrytitle>
-+                    <manvolnum>5</manvolnum>
-+                </citerefentry> manual page for details). If ticket
-+                validation is disabled the PAC checks will be skipped as well.
-             </para>
-         </listitem>
-     </varlistentry>
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 615b41550..7a9920815 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
-                         <para>
-                             Apply additional checks on the PAC of the Kerberos
-                             ticket which is available in Active Directory and
--                            FreeIPA domains, if configured. The following
--                            options can be used alone or in a comma-separated
--                            list:
-+                            FreeIPA domains, if configured. Please note that
-+			    Kerberos ticket validation must be enabled to be
-+                            able to check the PAC, i.e. the krb5_validate option
-+                            must be set to 'True' which is the default for the
-+                            IPA and AD provider. If krb5_validate is set to
-+                            'False' the PAC checks will be skipped.
-+			</para>
-+                        <para>
-+			    The following options can be used alone or in a
-+			    comma-separated list:
-                             <variablelist>
-                             <varlistentry>
-                                 <term>no_check</term>
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index 0a592da00..8727b4202 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[])
-         goto done;
-     }
- 
--    /* To be able to read the PAC we have to request a service ticket where we
--     * have a key to decrypt it, this is the same step we use for validating
--     * the ticket. */
--    if (cli_opts.check_pac_flags != 0) {
--        kr->validate = true;
-+    if (cli_opts.check_pac_flags != 0 && !kr->validate) {
-+        DEBUG(SSSDBG_IMPORTANT_INFO,
-+              "PAC check is requested but krb5_validate is set to false. "
-+              "PAC checks will be skipped.\n");
-     }
- 
-     kerr = privileged_krb5_setup(kr, offline);
-diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
-index ee48f459b..3e6ebe2ed 100644
---- a/src/providers/krb5/krb5_init_shared.c
-+++ b/src/providers/krb5/krb5_init_shared.c
-@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
-         goto done;
-     }
- 
-+    if (krb5_auth_ctx->check_pac_flags != 0
-+            && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) {
-+        DEBUG(SSSDBG_IMPORTANT_INFO,
-+              "PAC check is requested but krb5_validate is set to false. "
-+              "PAC checks will be skipped.\n");
-+        sss_log(SSS_LOG_WARNING,
-+                "PAC check is requested but krb5_validate is set to false. "
-+                "PAC checks will be skipped.");
-+    }
-+
-     ret = parse_krb5_map_user(krb5_auth_ctx,
-                               dp_opt_get_cstring(krb5_auth_ctx->opts,
-                                                  KRB5_MAP_USER),
--- 
-2.37.3
-
diff --git a/SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch b/SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch
deleted file mode 100644
index 97db9b4..0000000
--- a/SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 70e254653edb21923d7565c80704e1ce6865d991 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Wed, 12 Oct 2022 08:48:45 -0400
-Subject: [PATCH] Analyzer: Optimize list verbose output
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Modify the analyzer to parse the responder log file in one pass. This
-avoids repeated parsing of a single log file. This operation will now
-store log lines in a dictionary on a single pass then format and print
-the output accordingly. Does not affect 'list' or 'show' output.
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
----
- src/tools/analyzer/modules/request.py | 71 ++++++++++++++++++---------
- 1 file changed, 48 insertions(+), 23 deletions(-)
-
-diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index b9fe3caf8..15c8e6bfb 100644
---- a/src/tools/analyzer/modules/request.py
-+++ b/src/tools/analyzer/modules/request.py
-@@ -148,36 +148,57 @@ class RequestAnalyzer:
-                 print(line)
-         return found_results
- 
--    def print_formatted_verbose(self, source, patterns):
-+    def print_formatted_verbose(self, source):
-         """
--        Parse line and print formatted verbose list_requests output
-+        Parse log file and print formatted verbose list_requests output
- 
-         Args:
-             source (Reader): source Reader object
--            patterns (list): List of regex patterns to use for
--                matching lines
-         """
--        # Get CID number, and print the basic line first
--        for line in self.matched_line(source, patterns):
--            cid = self.print_formatted(line)
--
--            # Loop through each line with this CID number to extract and
--            # print the verbose data needed
--            verbose_patterns = ["(cache_req_send|cache_req_process_input|"
--                                "cache_req_search_send)"]
--            for cidline in self.matched_line(source, verbose_patterns):
-+        data = {}
-+        # collect cid log lines from single run through of parsing the log
-+        # into dictionary # (cid, ts) -> logline_output
-+        for line in source:
-+            if "CID#" not in line:
-+                continue
-+
-+            # parse CID and ts from line, key is a tuple of (cid,ts)
-+            fields = line.split("[")
-+            # timestamp to the minute, cut off seconds, ms
-+            ts = fields[0][:17]
-+            result = re.search('CID#[0-9]*', fields[3])
-+            cid = result.group(0)
-+
-+            # if mapping exists, append line to output. Otherwise create new mapping
-+            if (cid, ts) in data.keys():
-+                data[(cid, ts)] += line
-+            else:
-+                data[(cid, ts)] = line
-+
-+        # pretty print the data
-+        for k, v in data.items():
-+            cr_done = []
-+            id_done = []
-+            for cidline in v.splitlines():
-                 plugin = ""
-                 name = ""
-                 id = ""
- 
--                # skip any lines not pertaining to this CID
--                if f"CID#{cid}]" not in cidline:
--                    continue
--                if "refreshed" in cidline:
--                    continue
-+                # CR number
-+                fields = cidline.split("[")
-+                cr_field = fields[3][7:]
-+                cr = cr_field.split(":")[0][4:]
-+                # Client connected, top-level info line
-+                if re.search(r'\[cmd', cidline):
-+                    self.print_formatted(cidline)
-                 # CR Plugin name
-                 if re.search("cache_req_send", cidline):
-                     plugin = cidline.split('\'')[1]
-+                    id_done.clear()
-+                    # Extract CR number
-+                    fields = cidline.split("[")
-+                    cr_field = fields[3][7:]
-+                    cr = cr_field.split(":")[0][4:]
-                 # CR Input name
-                 elif re.search("cache_req_process_input", cidline):
-                     name = cidline.rsplit('[')[-1]
-@@ -188,9 +209,14 @@ class RequestAnalyzer:
-                 if plugin:
-                     print("   - " + plugin)
-                 if name:
--                    print("       - " + name[:-2])
-+                    # Avoid duplicate output with the same CR #
-+                    if cr not in cr_done:
-+                        print("       - " + name[:-1])
-+                        cr_done.append(cr)
-                 if (id and ("UID" in cidline or "GID" in cidline)):
--                    print("       - " + id)
-+                    if id not in id_done:
-+                        print("       - " + id)
-+                        id_done.append(id)
- 
-     def print_formatted(self, line):
-         """
-@@ -237,7 +263,7 @@ class RequestAnalyzer:
-         logger.info(f"******** Listing {resp} client requests ********")
-         source.set_component(component, False)
-         if args.verbose:
--            self.print_formatted_verbose(source, patterns)
-+            self.print_formatted_verbose(source)
-         else:
-             for line in self.matched_line(source, patterns):
-                 if isinstance(source, Journald):
-@@ -258,8 +284,7 @@ class RequestAnalyzer:
-         be_results = False
-         component = source.Component.NSS
-         resp = "nss"
--        pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
--        pattern.append(rf"\[CID#{cid}\]")
-+        pattern = [rf"\[CID#{cid}\]"]
- 
-         if args.pam:
-             component = source.Component.PAM
--- 
-2.37.3
-
diff --git a/SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch b/SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch
deleted file mode 100644
index aea3aae..0000000
--- a/SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 89ea4a5feaf30f80a79ca3ba8166f304cc414e07 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Tue, 15 Nov 2022 12:47:51 -0500
-Subject: [PATCH] Analyzer: Ensure parsed id contains digit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In analyzer list verbose output, we parse the last field of cache_req_search_send() lines.
-Certain log messages need to be filtered out by ensuring the parsed field is
-a digit, such as the last line below.
-
-[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
-[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
-[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@domain-zflo.com
-[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119@domain-zflo.com] from cache
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit bfa8d50c479cf8ef7b299eb5848309a3a9ea7f12)
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
----
- src/tools/analyzer/modules/request.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index 15c8e6bfb..bf279ea75 100644
---- a/src/tools/analyzer/modules/request.py
-+++ b/src/tools/analyzer/modules/request.py
-@@ -214,7 +214,7 @@ class RequestAnalyzer:
-                         print("       - " + name[:-1])
-                         cr_done.append(cr)
-                 if (id and ("UID" in cidline or "GID" in cidline)):
--                    if id not in id_done:
-+                    if id not in id_done and bool(re.search(r'\d', id)):
-                         print("       - " + id)
-                         id_done.append(id)
- 
--- 
-2.37.3
-
diff --git a/SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch b/SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch
deleted file mode 100644
index 7a5c780..0000000
--- a/SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 7e23e6394b518dd013c6b03a1a63715899180935 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Sun, 6 Nov 2022 11:22:22 +0100
-Subject: [PATCH 14/16] TOOLS: don't export internal helpers
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 6ef3aade0394e32540242f902c9f21bb8d6c41f2)
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
----
- src/tools/common/sss_tools.c | 16 ++++++++--------
- src/tools/common/sss_tools.h | 12 ------------
- 2 files changed, 8 insertions(+), 20 deletions(-)
-
-diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
-index c066ddc5c..47b85bdd2 100644
---- a/src/tools/common/sss_tools.c
-+++ b/src/tools/common/sss_tools.c
-@@ -178,9 +178,9 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
-     return ret;
- }
- 
--errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
--                      int *argc, const char **argv,
--                      struct sss_tool_ctx **_tool_ctx)
-+static errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
-+                             int *argc, const char **argv,
-+                             struct sss_tool_ctx **_tool_ctx)
- {
-     struct sss_tool_ctx *tool_ctx;
- 
-@@ -235,7 +235,7 @@ static size_t sss_tool_max_length(struct sss_route_cmd *commands)
-     return max;
- }
- 
--void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
-+static void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
- {
-     int min_len;
-     int i;
-@@ -304,10 +304,10 @@ done:
-     return ret;
- }
- 
--errno_t sss_tool_route(int argc, const char **argv,
--                       struct sss_tool_ctx *tool_ctx,
--                       struct sss_route_cmd *commands,
--                       void *pvt)
-+static errno_t sss_tool_route(int argc, const char **argv,
-+                              struct sss_tool_ctx *tool_ctx,
-+                              struct sss_route_cmd *commands,
-+                              void *pvt)
- {
-     struct sss_cmdline cmdline;
-     const char *cmd;
-diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
-index 0e4308ee6..578186633 100644
---- a/src/tools/common/sss_tools.h
-+++ b/src/tools/common/sss_tools.h
-@@ -35,10 +35,6 @@ struct sss_tool_ctx {
-     struct sss_domain_info *domains;
- };
- 
--errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
--                      int *argc, const char **argv,
--                      struct sss_tool_ctx **_tool_ctx);
--
- struct sss_cmdline {
-     const char *exec; /* argv[0] */
-     const char *command; /* command name */
-@@ -69,14 +65,6 @@ struct sss_route_cmd {
-     int flags;
- };
- 
--void sss_tool_usage(const char *tool_name,
--                    struct sss_route_cmd *commands);
--
--errno_t sss_tool_route(int argc, const char **argv,
--                       struct sss_tool_ctx *tool_ctx,
--                       struct sss_route_cmd *commands,
--                       void *pvt);
--
- typedef errno_t (*sss_popt_fn)(poptContext pc, char option, void *pvt);
- 
- enum sss_tool_opt {
--- 
-2.37.3
-
diff --git a/SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch b/SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch
deleted file mode 100644
index 45c291a..0000000
--- a/SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From bd16242ef6780fd2808bf03f79eda5d940094bc5 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Sun, 6 Nov 2022 12:25:37 +0100
-Subject: [PATCH 15/16] TOOLS: fixed handling of init error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Before execution of `tool_cmd_init()` `init_err` wasn't set,
-so `sss_tools_handles_init_error()` check was a no-op.
-
-Consequently, a proper check after `tool_cmd_init()` was missing.
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 7af46ba0e925da61b7b4003c3fa6d51c05c1116e)
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
----
- src/tools/common/sss_tools.c | 17 ++++-------------
- src/tools/common/sss_tools.h |  1 -
- 2 files changed, 4 insertions(+), 14 deletions(-)
-
-diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
-index 47b85bdd2..38ae88306 100644
---- a/src/tools/common/sss_tools.c
-+++ b/src/tools/common/sss_tools.c
-@@ -336,22 +336,13 @@ static errno_t sss_tool_route(int argc, const char **argv,
-             cmdline.argc = argc - 2;
-             cmdline.argv = argv + 2;
- 
--            if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
--                DEBUG(SSSDBG_FATAL_FAILURE,
--                      "Command %s does not handle initialization error [%d] %s\n",
--                      cmdline.command, tool_ctx->init_err,
--                      sss_strerror(tool_ctx->init_err));
--                return tool_ctx->init_err;
--            }
--
-             if (!tool_ctx->print_help) {
-                 ret = tool_cmd_init(tool_ctx, &commands[i]);
--                if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
--                    tool_ctx->init_err = ret;
--                } else if (ret != EOK) {
-+
-+                if (!sss_tools_handles_init_error(&commands[i], ret)) {
-                     DEBUG(SSSDBG_FATAL_FAILURE,
--                          "Command initialization failed [%d] %s\n",
--                          ret, sss_strerror(ret));
-+                          "Command %s does not handle initialization error [%d] %s\n",
-+                          cmdline.command, ret, sss_strerror(ret));
-                     return ret;
-                 }
-             }
-diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
-index 578186633..75dc15391 100644
---- a/src/tools/common/sss_tools.h
-+++ b/src/tools/common/sss_tools.h
-@@ -30,7 +30,6 @@ struct sss_tool_ctx {
-     struct confdb_ctx *confdb;
- 
-     bool print_help;
--    errno_t init_err;
-     char *default_domain;
-     struct sss_domain_info *domains;
- };
--- 
-2.37.3
-
diff --git a/SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch b/SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch
deleted file mode 100644
index 698472c..0000000
--- a/SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 66c318d212d56e26f303fc52d5fecbde4a6b9589 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Thu, 10 Nov 2022 22:18:06 +0100
-Subject: [PATCH 16/16] SSSCTL: don't require 'root' for "analyze" cmd
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-:relnote: `sssctl analyze` tool doesn't require anymore to be run under root.
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 99791400bec1054cf0081884e013a3cbed75fe8a)
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
----
- src/tools/common/sss_tools.c | 16 +++++++++-------
- src/tools/common/sss_tools.h |  3 ++-
- src/tools/sssctl/sssctl.c    |  2 +-
- 3 files changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
-index 38ae88306..d16de7c4d 100644
---- a/src/tools/common/sss_tools.c
-+++ b/src/tools/common/sss_tools.c
-@@ -267,6 +267,15 @@ static int tool_cmd_init(struct sss_tool_ctx *tool_ctx,
-                          struct sss_route_cmd *command)
- {
-     int ret;
-+    uid_t uid;
-+
-+    if (!(command->flags & SSS_TOOL_FLAG_SKIP_ROOT_CHECK)) {
-+        uid = getuid();
-+        if (uid != 0) {
-+            ERROR("'%s' must be run as root\n", command->command);
-+            return EXIT_FAILURE;
-+        }
-+    }
- 
-     if (command->flags & SSS_TOOL_FLAG_SKIP_CMD_INIT) {
-         return EOK;
-@@ -515,15 +524,8 @@ int sss_tool_main(int argc, const char **argv,
-                   void *pvt)
- {
-     struct sss_tool_ctx *tool_ctx;
--    uid_t uid;
-     errno_t ret;
- 
--    uid = getuid();
--    if (uid != 0) {
--        ERROR("%1$s must be run as root\n", argv[0]);
--        return EXIT_FAILURE;
--    }
--
-     ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
-     if (ret != EOK) {
-         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
-diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
-index 75dc15391..24dd4b559 100644
---- a/src/tools/common/sss_tools.h
-+++ b/src/tools/common/sss_tools.h
-@@ -54,7 +54,8 @@ typedef errno_t
- #define SSS_TOOL_DELIMITER(message) {"", _(message), 0, NULL, 0}
- #define SSS_TOOL_LAST {NULL, NULL, 0, NULL, 0}
- 
--#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01
-+#define SSS_TOOL_FLAG_SKIP_CMD_INIT   0x01
-+#define SSS_TOOL_FLAG_SKIP_ROOT_CHECK 0x02
- 
- struct sss_route_cmd {
-     const char *command;
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index f18689f9f..b73d19ffe 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
-         SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
-         SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
-         SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
--        SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
-+        SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
- #ifdef HAVE_LIBINI_CONFIG_V1_3
-         SSS_TOOL_DELIMITER("Configuration files tools:"),
-         SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
--- 
-2.37.3
-
diff --git a/SOURCES/0017-PAC-allow-to-disable-UPN-check.patch b/SOURCES/0017-PAC-allow-to-disable-UPN-check.patch
deleted file mode 100644
index f5b565d..0000000
--- a/SOURCES/0017-PAC-allow-to-disable-UPN-check.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From a86d1740167031bf6444ff821a201164c11ba09c Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 16 Nov 2022 09:28:54 +0100
-Subject: [PATCH 17/19] PAC: allow to disable UPN check
-
-Currently it was not possible to skip the UPN check which checks if the
-UPN in the PAC and the one stored in SSSD's cache are different.
-Additionally the related debug message will show both principals if they
-differ.
-
-Resolves: https://github.com/SSSD/sssd/issues/6451
-
-(cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a)
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/providers/ad/ad_pac_common.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
-index 0ed817111..79f79b7a7 100644
---- a/src/providers/ad/ad_pac_common.c
-+++ b/src/providers/ad/ad_pac_common.c
-@@ -224,9 +224,19 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
- 
-         if (user_data != NULL) {
-             if (strcasecmp(user_data, upn_dns_info->upn_name) != 0) {
--                DEBUG(SSSDBG_CRIT_FAILURE,
--                      "UPN of user entry and PAC do not match.\n");
--                return ERR_CHECK_PAC_FAILED;
-+                if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
-+                    DEBUG(SSSDBG_CRIT_FAILURE, "UPN of user entry [%s] and "
-+                                               "PAC [%s] do not match.\n",
-+                                               user_data,
-+                                               upn_dns_info->upn_name);
-+                    return ERR_CHECK_PAC_FAILED;
-+                } else {
-+                    DEBUG(SSSDBG_IMPORTANT_INFO, "UPN of user entry [%s] and "
-+                                                 "PAC [%s] do not match, "
-+                                                 "ignored.\n", user_data,
-+                                                 upn_dns_info->upn_name);
-+                    return EOK;
-+                }
-             }
-         }
- 
--- 
-2.37.3
-
diff --git a/SOURCES/0018-ipa-do-not-add-guessed-principal-to-the-cache.patch b/SOURCES/0018-ipa-do-not-add-guessed-principal-to-the-cache.patch
deleted file mode 100644
index 7ab2783..0000000
--- a/SOURCES/0018-ipa-do-not-add-guessed-principal-to-the-cache.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 29aa434816ce6ae2aaf3b0bcf24b89f05f426d1b Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 22 Nov 2022 13:39:26 +0100
-Subject: [PATCH 18/19] ipa: do not add guessed principal to the cache
-
-Currently on IPA clients a calculated principal based on the user name
-and the Kerberos realm is added to the cached user object. This code is
-quite old and might have been necessary at times when sub-domain support
-was added to SSSD. But since quite some time SSSD is capable of
-generating the principal on the fly during authentication if nothing is
-stored in the cache.
-
-Removing the code makes the cache more consistent with other use-cases,
-e.g. with the IPA server where this attribute is empty, and allows to
-properly detect a missing UPN, e.g. during the PAC validation.
-
-Resolves: https://github.com/SSSD/sssd/issues/6451
-
-(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/providers/ipa/ipa_s2n_exop.c | 44 --------------------------------
- 1 file changed, 44 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
-index c68c1de26..81927a6b8 100644
---- a/src/providers/ipa/ipa_s2n_exop.c
-+++ b/src/providers/ipa/ipa_s2n_exop.c
-@@ -2467,8 +2467,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
-     time_t now;
-     struct sss_nss_homedir_ctx homedir_ctx;
-     char *name = NULL;
--    char *realm;
--    char *short_name = NULL;
-     char *upn = NULL;
-     gid_t gid;
-     gid_t orig_gid = 0;
-@@ -2607,48 +2605,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
-                 goto done;
-             }
- 
--            if (upn == NULL) {
--                /* We also have to store a fake UPN here, because otherwise the
--                 * krb5 child later won't be able to properly construct one as
--                 * the username is fully qualified but the child doesn't have
--                 * access to the regex to deconstruct it */
--                /* FIXME: The real UPN is available from the PAC, we should get
--                 * it from there. */
--                realm = get_uppercase_realm(tmp_ctx, dom->name);
--                if (!realm) {
--                    DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n");
--                    ret = ENOMEM;
--                    goto done;
--                }
--
--                ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
--                                                &short_name, NULL);
--                if (ret != EOK) {
--                    DEBUG(SSSDBG_CRIT_FAILURE,
--                          "Cannot parse internal name %s\n",
--                          attrs->a.user.pw_name);
--                    goto done;
--                }
--
--                upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
--                if (!upn) {
--                    DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
--                    ret = ENOMEM;
--                    goto done;
--                }
--
--                /* We might already have the SID or the UPN from other sources
--                 * hence sysdb_attrs_add_string_safe is used to avoid double
--                 * entries. */
--                ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN,
--                                                  upn);
--                if (ret != EOK) {
--                    DEBUG(SSSDBG_OP_FAILURE,
--                          "sysdb_attrs_add_string failed.\n");
--                    goto done;
--                }
--            }
--
-             if (req_input->type == REQ_INP_SECID) {
-                 ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
-                                                   SYSDB_SID_STR,
--- 
-2.37.3
-
diff --git a/SOURCES/0019-pac-relax-default-check.patch b/SOURCES/0019-pac-relax-default-check.patch
deleted file mode 100644
index 178a1e2..0000000
--- a/SOURCES/0019-pac-relax-default-check.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From 0e618c36ed74c240f7acd071ccb7bfd405b2d827 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 22 Nov 2022 14:43:21 +0100
-Subject: [PATCH 19/19] pac: relax default check
-
-To avoid issues with the UPN check during PAC validation  when
-'ldap_user_principal' is set to a not existing attribute to skip reading
-user principals a new 'pac_check' option, 'check_upn_allow_missing' is
-added to the default options. With this option only a log message is
-shown but the check will not fail.
-
-Resolves: https://github.com/SSSD/sssd/issues/6451
-
-(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/confdb/confdb.h              |  2 +-
- src/man/sssd.conf.5.xml          | 30 +++++++++++++++++++++++++++++-
- src/providers/ad/ad_pac_common.c | 24 ++++++++++++++++++++----
- src/util/pac_utils.c             | 10 ++++++++++
- src/util/util.h                  |  2 ++
- 5 files changed, 62 insertions(+), 6 deletions(-)
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index 83f6be7f9..5fda67585 100644
---- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -181,7 +181,7 @@
- #define CONFDB_PAC_LIFETIME "pac_lifetime"
- #define CONFDB_PAC_CHECK "pac_check"
- #define CONFDB_PAC_CHECK_DEFAULT "no_check"
--#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
-+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"
- 
- /* InfoPipe */
- #define CONFDB_IFP_CONF_ENTRY "config/ifp"
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 7a9920815..d9f4a7481 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -2275,6 +2275,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
-                                     consistent.</para>
-                                 </listitem>
-                             </varlistentry>
-+                            <varlistentry>
-+                                <term>check_upn_allow_missing</term>
-+                                <listitem>
-+                                    <para>This option should be used together
-+                                    with 'check_upn' and handles the case where
-+                                    a UPN is set on the server-side but is not
-+                                    read by SSSD. The typical example is a
-+                                    FreeIPA domain where 'ldap_user_principal'
-+                                    is set to a not existing attribute name.
-+                                    This was typically done to work-around
-+                                    issues in the handling of enterprise
-+                                    principals. But this is fixed since quite
-+                                    some time and FreeIPA can handle enterprise
-+                                    principals just fine and there is no need
-+                                    anymore to set 'ldap_user_principal'.</para>
-+                                    <para>Currently this option is set by
-+                                    default to avoid regressions in such
-+                                    environments. A log message will be added
-+                                    to the system log and SSSD's debug log in
-+                                    case a UPN is found in the PAC but not in
-+                                    SSSD's cache. To avoid this log message it
-+                                    would be best to evaluate if the
-+                                    'ldap_user_principal' option can be removed.
-+                                    If this is not possible, removing
-+                                    'check_upn' will skip the test and avoid the
-+                                    log message.</para>
-+                                </listitem>
-+                            </varlistentry>
-                             <varlistentry>
-                                 <term>upn_dns_info_present</term>
-                                 <listitem>
-@@ -2305,7 +2333,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
-                         </para>
-                         <para>
-                             Default: no_check (AD and IPA provider
--                            'check_upn, check_upn_dns_info_ex')
-+                            'check_upn, check_upn_allow_missing, check_upn_dns_info_ex')
-                         </para>
-                     </listitem>
-                 </varlistentry>
-diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
-index 79f79b7a7..fcb54cd2c 100644
---- a/src/providers/ad/ad_pac_common.c
-+++ b/src/providers/ad/ad_pac_common.c
-@@ -215,10 +215,26 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
-             DEBUG(SSSDBG_MINOR_FAILURE, "User object does not have a UPN but PAC "
-                       "says otherwise, maybe ldap_user_principal option is set.\n");
-             if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
--                DEBUG(SSSDBG_CRIT_FAILURE,
--                      "UPN is missing but PAC UPN check required, "
--                      "PAC validation failed.\n");
--                return ERR_CHECK_PAC_FAILED;
-+                if (pac_check_opts & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) {
-+                    DEBUG(SSSDBG_IMPORTANT_INFO,
-+                          "UPN is missing but PAC UPN check required, "
-+                          "PAC validation failed. However, "
-+                          "'check_upn_allow_missing' is set and the error is "
-+                          "ignored. To make this message go away please check "
-+                          "why the UPN is not read from the server. In FreeIPA "
-+                          "environments 'ldap_user_principal' is most probably "
-+                          "set to a non-existing attribute name to avoid "
-+                          "issues with enterprise principals. This is not "
-+                          "needed anymore with recent versions of FreeIPA.\n");
-+                    sss_log(SSS_LOG_CRIT, "PAC validation issue, please check "
-+                                          "sssd_pac.log for details");
-+                    return EOK;
-+                } else {
-+                    DEBUG(SSSDBG_CRIT_FAILURE,
-+                          "UPN is missing but PAC UPN check required, "
-+                          "PAC validation failed.\n");
-+                    return ERR_CHECK_PAC_FAILED;
-+                }
-             }
-         }
- 
-diff --git a/src/util/pac_utils.c b/src/util/pac_utils.c
-index c53b0c082..4499d8dfd 100644
---- a/src/util/pac_utils.c
-+++ b/src/util/pac_utils.c
-@@ -64,6 +64,8 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
-             flags |= CHECK_PAC_CHECK_UPN_DNS_INFO_EX;
-             flags |= CHECK_PAC_UPN_DNS_INFO_PRESENT;
-             flags |= CHECK_PAC_CHECK_UPN;
-+        } else if (strcasecmp(list[c], CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR) == 0) {
-+            flags |= CHECK_PAC_CHECK_UPN_ALLOW_MISSING;
-         } else {
-             DEBUG(SSSDBG_OP_FAILURE, "Unknown value [%s] for pac_check.\n",
-                                      list[c]);
-@@ -72,6 +74,14 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
-         }
-     }
- 
-+    if ((flags & CHECK_PAC_CHECK_UPN_ALLOW_MISSING)
-+                && !(flags & CHECK_PAC_CHECK_UPN)) {
-+        DEBUG(SSSDBG_CONF_SETTINGS,
-+              "pac_check option '%s' is set but '%s' is not set, this means "
-+              "the UPN is not checked.\n",
-+              CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR, CHECK_PAC_CHECK_UPN_STR);
-+    }
-+
-     ret = EOK;
- 
- done:
-diff --git a/src/util/util.h b/src/util/util.h
-index 6d9111874..4b2651c2c 100644
---- a/src/util/util.h
-+++ b/src/util/util.h
-@@ -818,6 +818,8 @@ uint64_t get_spend_time_us(uint64_t st);
- #define CHECK_PAC_CHECK_UPN_DNS_INFO_EX (1 << 3)
- #define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT_STR "upn_dns_info_ex_present"
- #define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT (1 << 4)
-+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR "check_upn_allow_missing"
-+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING (1 << 5)
- 
- errno_t get_pac_check_config(struct confdb_ctx *cdb, uint32_t *pac_check_opts);
- #endif /* __SSSD_UTIL_H__ */
--- 
-2.37.3
-
diff --git a/SOURCES/0020-CLIENT-fix-thread-unsafe-acces-to-get-ent-structs.patch b/SOURCES/0020-CLIENT-fix-thread-unsafe-acces-to-get-ent-structs.patch
deleted file mode 100644
index 8f1332d..0000000
--- a/SOURCES/0020-CLIENT-fix-thread-unsafe-acces-to-get-ent-structs.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-From 181d6fb901afa5aa2e87c4e5f5de4a0b77a1cac5 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Mon, 29 Aug 2022 17:44:09 +0200
-Subject: [PATCH] CLIENT: fix thread unsafe acces to get*ent structs.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-All get*ent structs were protected with socket mutex. In case SSSD
-is built with lock-free client support, `sss_nss_lock()` is a no-op,
-thus resulting in thread unsafe access.
-
-This patch changes those structs to have thread local storage.
-
-This conradicts following note in the man page:
-```
-The function getgrent_r() is not really reentrant since it shares
-the reading position in the stream with all other threads.
-```
-I'm not sure if 3rd party apps can legally assume this behaviour
-based on a note in a man page. And in some cases, non-sharing reading
-position between threads might make more sense.
-But that way or another, this is better than thread unsafe access.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 69fd828c1d5e92bc3b2e327a45dfed116f49d50a)
----
- src/sss_client/nss_group.c      | 14 ++++++++++++--
- src/sss_client/nss_hosts.c      |  8 +++++++-
- src/sss_client/nss_ipnetworks.c |  8 +++++++-
- src/sss_client/nss_passwd.c     |  8 +++++++-
- src/sss_client/nss_services.c   |  8 +++++++-
- 5 files changed, 40 insertions(+), 6 deletions(-)
-
-diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c
-index f102711ec..fcabf8cfc 100644
---- a/src/sss_client/nss_group.c
-+++ b/src/sss_client/nss_group.c
-@@ -19,6 +19,8 @@
- 
- /* GROUP database NSS interface */
- 
-+#include "config.h"
-+
- #include <nss.h>
- #include <errno.h>
- #include <sys/types.h>
-@@ -31,7 +33,11 @@
- #include "nss_mc.h"
- #include "nss_common.h"
- 
--static struct sss_nss_getgrent_data {
-+static
-+#ifdef HAVE_PTHREAD_EXT
-+__thread
-+#endif
-+struct sss_nss_getgrent_data {
-     size_t len;
-     size_t ptr;
-     uint8_t *data;
-@@ -53,7 +59,11 @@ enum sss_nss_gr_type {
-     GETGR_GID
- };
- 
--static struct sss_nss_getgr_data {
-+static
-+#ifdef HAVE_PTHREAD_EXT
-+__thread
-+#endif
-+struct sss_nss_getgr_data {
-     enum sss_nss_gr_type type;
-     union {
-         char *grname;
-diff --git a/src/sss_client/nss_hosts.c b/src/sss_client/nss_hosts.c
-index 59fe82e59..81017bc9d 100644
---- a/src/sss_client/nss_hosts.c
-+++ b/src/sss_client/nss_hosts.c
-@@ -20,6 +20,8 @@
-     along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
- 
-+#include "config.h"
-+
- #include <nss.h>
- #include <netdb.h>
- #include <resolv.h>
-@@ -33,7 +35,11 @@
- #include <string.h>
- #include "sss_cli.h"
- 
--static struct sss_nss_gethostent_data {
-+static
-+#ifdef HAVE_PTHREAD_EXT
-+__thread
-+#endif
-+struct sss_nss_gethostent_data {
-     size_t len;
-     size_t ptr;
-     uint8_t *data;
-diff --git a/src/sss_client/nss_ipnetworks.c b/src/sss_client/nss_ipnetworks.c
-index 93d564496..85d9cc746 100644
---- a/src/sss_client/nss_ipnetworks.c
-+++ b/src/sss_client/nss_ipnetworks.c
-@@ -20,6 +20,8 @@
-     along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
- 
-+#include "config.h"
-+
- #include <nss.h>
- #include <netdb.h>
- #include <resolv.h>
-@@ -33,7 +35,11 @@
- #include <string.h>
- #include "sss_cli.h"
- 
--static struct sss_nss_getnetent_data {
-+static
-+#ifdef HAVE_PTHREAD_EXT
-+__thread
-+#endif
-+struct sss_nss_getnetent_data {
-     size_t len;
-     size_t ptr;
-     uint8_t *data;
-diff --git a/src/sss_client/nss_passwd.c b/src/sss_client/nss_passwd.c
-index c386dd370..ec19908f7 100644
---- a/src/sss_client/nss_passwd.c
-+++ b/src/sss_client/nss_passwd.c
-@@ -19,6 +19,8 @@
- 
- /* PASSWD database NSS interface */
- 
-+#include "config.h"
-+
- #include <nss.h>
- #include <errno.h>
- #include <sys/types.h>
-@@ -30,7 +32,11 @@
- #include "nss_mc.h"
- #include "nss_common.h"
- 
--static struct sss_nss_getpwent_data {
-+static
-+#ifdef HAVE_PTHREAD_EXT
-+__thread
-+#endif
-+struct sss_nss_getpwent_data {
-     size_t len;
-     size_t ptr;
-     uint8_t *data;
-diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c
-index f8c2092cb..4f44cb29c 100644
---- a/src/sss_client/nss_services.c
-+++ b/src/sss_client/nss_services.c
-@@ -20,6 +20,8 @@
-     along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
- 
-+#include "config.h"
-+
- #include <nss.h>
- #include <netdb.h>
- #include <errno.h>
-@@ -31,7 +33,11 @@
- #include <string.h>
- #include "sss_cli.h"
- 
--static struct sss_nss_getservent_data {
-+static
-+#ifdef HAVE_PTHREAD_EXT
-+__thread
-+#endif
-+struct sss_nss_getservent_data {
-     size_t len;
-     size_t ptr;
-     uint8_t *data;
--- 
-2.37.3
-
diff --git a/SOURCES/0021-oidc_child-escape-scopes.patch b/SOURCES/0021-oidc_child-escape-scopes.patch
deleted file mode 100644
index 8d8b3f0..0000000
--- a/SOURCES/0021-oidc_child-escape-scopes.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From ace43c8ce02d19cf536ce35749aa2ed734089189 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 18 Aug 2022 13:55:21 +0200
-Subject: [PATCH 21/24] oidc_child: escape scopes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Before using the user provided scopes in the HTTP request they should be
-properly escaped according to RFC-3986.
-
-Resolves: https://github.com/SSSD/sssd/issues/6146
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb)
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/oidc_child/oidc_child.c      |  4 ++--
- src/oidc_child/oidc_child_curl.c | 35 ++++++++++++++++++++++++++++++++
- src/oidc_child/oidc_child_util.h |  2 ++
- 3 files changed, 39 insertions(+), 2 deletions(-)
-
-diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
-index e58afccd3..aeeac3595 100644
---- a/src/oidc_child/oidc_child.c
-+++ b/src/oidc_child/oidc_child.c
-@@ -119,9 +119,9 @@ static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
-     }
- 
-     if (scope != NULL && *scope != '\0') {
--        dc_ctx->scope = talloc_strdup(dc_ctx, scope);
-+        dc_ctx->scope = url_encode_string(dc_ctx, scope);
-         if (dc_ctx->scope == NULL) {
--            DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy scopes.\n");
-+            DEBUG(SSSDBG_CRIT_FAILURE, "Failed to encode and copy scopes.\n");
-             ret = ENOMEM;
-             goto done;
-         }
-diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
-index 20e17a566..df438e007 100644
---- a/src/oidc_child/oidc_child_curl.c
-+++ b/src/oidc_child/oidc_child_curl.c
-@@ -26,6 +26,41 @@
- #include <curl/curl.h>
- #include "oidc_child/oidc_child_util.h"
- 
-+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp)
-+{
-+    CURL *curl_ctx = NULL;
-+    char *tmp;
-+    char *out = NULL;
-+
-+    if (inp == NULL) {
-+        DEBUG(SSSDBG_TRACE_ALL, "Empty input.\n");
-+        return NULL;
-+    }
-+
-+    curl_ctx = curl_easy_init();
-+    if (curl_ctx == NULL) {
-+        DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize curl.\n");
-+        return NULL;
-+    }
-+
-+    tmp = curl_easy_escape(curl_ctx, inp, 0);
-+    if (tmp == NULL) {
-+        DEBUG(SSSDBG_TRACE_ALL, "curl_easy_escape failed for [%s].\n", inp);
-+        goto done;
-+    }
-+
-+    out = talloc_strdup(mem_ctx, tmp);
-+    curl_free(tmp);
-+    if (out == NULL) {
-+        DEBUG(SSSDBG_TRACE_ALL, "talloc_strdup failed.\n");
-+        goto done;
-+    }
-+
-+done:
-+    curl_easy_cleanup(curl_ctx);
-+    return (out);
-+}
-+
- /* The curl write_callback will always append the received data. To start a
-  * new string call clean_http_data() before the curl request.*/
- void clean_http_data(struct devicecode_ctx *dc_ctx)
-diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
-index c781bf1b1..ae5a72bc2 100644
---- a/src/oidc_child/oidc_child_util.h
-+++ b/src/oidc_child/oidc_child_util.h
-@@ -61,6 +61,8 @@ struct devicecode_ctx {
- };
- 
- /* oidc_child_curl.c */
-+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp);
-+
- errno_t init_curl(void *p);
- 
- void clean_http_data(struct devicecode_ctx *dc_ctx);
--- 
-2.37.3
-
diff --git a/SOURCES/0022-oidc_child-use-client-secret-if-available-to-get-dev.patch b/SOURCES/0022-oidc_child-use-client-secret-if-available-to-get-dev.patch
deleted file mode 100644
index 0fd820a..0000000
--- a/SOURCES/0022-oidc_child-use-client-secret-if-available-to-get-dev.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 18 Aug 2022 14:01:34 +0200
-Subject: [PATCH 22/24] oidc_child: use client secret if available to get
- device code
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some IdP have the concept of confidential client, i.e. clients where the
-client's secret can be stored safely by the related application. For a
-confidential client some IdPs expects that the client secret is used in
-all requests together with the client ID although OAuth2 specs currently
-only mention this explicitly for the token request. To make sure the
-device code can be requested in this case the client secret is added to
-the device code request if the secret is provided.
-
-Resolves: https://github.com/SSSD/sssd/issues/6146
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/oidc_child/oidc_child.c      |  2 +-
- src/oidc_child/oidc_child_curl.c | 12 +++++++++++-
- src/oidc_child/oidc_child_util.h |  2 +-
- 3 files changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
-index aeeac3595..c8d35d5d8 100644
---- a/src/oidc_child/oidc_child.c
-+++ b/src/oidc_child/oidc_child.c
-@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])
-     }
- 
-     if (opts.get_device_code) {
--        ret = get_devicecode(dc_ctx, opts.client_id);
-+        ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
-         if (ret != EOK) {
-             DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
-             goto done;
-diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
-index df438e007..6e80c3abf 100644
---- a/src/oidc_child/oidc_child_curl.c
-+++ b/src/oidc_child/oidc_child_curl.c
-@@ -428,7 +428,7 @@ done:
- #define DEFAULT_SCOPE "user"
- 
- errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
--                       const char *client_id)
-+                       const char *client_id, const char *client_secret)
- {
-     int ret;
- 
-@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
-         return ENOMEM;
-     }
- 
-+    if (client_secret != NULL) {
-+        post_data = talloc_asprintf_append(post_data, "&client_secret=%s",
-+                                           client_secret);
-+        if (post_data == NULL) {
-+            DEBUG(SSSDBG_OP_FAILURE,
-+                  "Failed to add client secret to POST data.\n");
-+            return ENOMEM;
-+        }
-+    }
-+
-     clean_http_data(dc_ctx);
-     ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,
-                           post_data, NULL);
-diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
-index ae5a72bc2..8b106ae79 100644
---- a/src/oidc_child/oidc_child_util.h
-+++ b/src/oidc_child/oidc_child_util.h
-@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,
- errno_t get_jwks(struct devicecode_ctx *dc_ctx);
- 
- errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
--                       const char *client_id);
-+                       const char *client_id, const char *client_secret);
- 
- errno_t get_token(TALLOC_CTX *mem_ctx,
-                   struct devicecode_ctx *dc_ctx, const char *client_id,
--- 
-2.37.3
-
diff --git a/SOURCES/0023-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch b/SOURCES/0023-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch
deleted file mode 100644
index 35821eb..0000000
--- a/SOURCES/0023-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 55bfa944ad0197ae294d85ac42abf98297fa3a5d Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 18 Aug 2022 14:19:59 +0200
-Subject: [PATCH 23/24] oidc_child: increase wait interval by 5s if 'slow_down'
- is returned
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While waiting for the user to authenticate with the IdP oidc_child
-currently only handles the error code 'authorization_pending' and waits
-for the given interval until a new request is send. But there is also
-'slow_down' which should not be treated as fatal error but should just
-increase the waiting time permanently for 5s.
-
-Resolves: https://github.com/SSSD/sssd/issues/6146
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 5ed7670766483040211713f8182510775c76b962)
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/oidc_child/oidc_child_curl.c | 8 +++++++-
- src/oidc_child/oidc_child_json.c | 6 ++++++
- 2 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
-index 6e80c3abf..cf0976021 100644
---- a/src/oidc_child/oidc_child_curl.c
-+++ b/src/oidc_child/oidc_child_curl.c
-@@ -378,8 +378,14 @@ errno_t get_token(TALLOC_CTX *mem_ctx,
-             break;
-         }
- 
--        sleep(dc_ctx->interval);
-         waiting_time += dc_ctx->interval;
-+        if (waiting_time >= dc_ctx->expires_in) {
-+            /* Next sleep will end after the request is expired on the
-+             * server side, so we can just error out now. */
-+            ret = ETIMEDOUT;
-+            break;
-+        }
-+        sleep(dc_ctx->interval);
-     } while (waiting_time < dc_ctx->expires_in);
- 
-     if (ret != EOK) {
-diff --git a/src/oidc_child/oidc_child_json.c b/src/oidc_child/oidc_child_json.c
-index efc1997aa..a89794c4c 100644
---- a/src/oidc_child/oidc_child_json.c
-+++ b/src/oidc_child/oidc_child_json.c
-@@ -413,6 +413,12 @@ errno_t parse_token_result(struct devicecode_ctx *dc_ctx,
-         if (strcmp(json_string_value(tmp), "authorization_pending") == 0) {
-             json_decref(result);
-             return EAGAIN;
-+        } else if (strcmp(json_string_value(tmp), "slow_down") == 0) {
-+            /* RFC 8628: "... the interval MUST be increased by 5 seconds for"
-+             *           "this and all subsequent requests." */
-+            dc_ctx->interval += 5;
-+            json_decref(result);
-+            return EAGAIN;
-         } else {
-             *error_description = get_json_string(dc_ctx, result,
-                                                  "error_description");
--- 
-2.37.3
-
diff --git a/SOURCES/0024-oidc_child-add-client-secret-stdin-option.patch b/SOURCES/0024-oidc_child-add-client-secret-stdin-option.patch
deleted file mode 100644
index aa62216..0000000
--- a/SOURCES/0024-oidc_child-add-client-secret-stdin-option.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From 2f3cd781879e7063fcd996389071458587623e1c Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Mon, 22 Aug 2022 11:37:07 +0200
-Subject: [PATCH 24/24] oidc_child: add --client-secret-stdin option
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since there is the use-case of confidential client which requires that
-the client secret must be sent to the IdP we should handle it
-confidentially by not putting it on the command line but sending it via
-stdin.
-
-Resolves: https://github.com/SSSD/sssd/issues/6146
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 1a475e0c537c905c80406ceb88c7b34e6400bc40)
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/oidc_child/oidc_child.c | 89 ++++++++++++++++++++++++++++++++++---
- 1 file changed, 82 insertions(+), 7 deletions(-)
-
-diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
-index c8d35d5d8..7758cdc25 100644
---- a/src/oidc_child/oidc_child.c
-+++ b/src/oidc_child/oidc_child.c
-@@ -34,7 +34,7 @@
- #include "util/atomic_io.h"
- 
- #define IN_BUF_SIZE 4096
--static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
-+static errno_t read_from_stdin(TALLOC_CTX *mem_ctx, char **out)
- {
-     uint8_t buf[IN_BUF_SIZE];
-     ssize_t len;
-@@ -56,7 +56,7 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
-         return EINVAL;
-     }
- 
--    str = talloc_strndup(dc_ctx, (char *) buf, len);
-+    str = talloc_strndup(mem_ctx, (char *) buf, len);
-     sss_erase_mem_securely(buf, IN_BUF_SIZE);
-     if (str == NULL) {
-         DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
-@@ -65,21 +65,72 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
-     talloc_set_destructor((void *) str, sss_erase_talloc_mem_securely);
- 
-     if (strlen(str) != len) {
--        DEBUG(SSSDBG_CRIT_FAILURE,
--              "Input contains additional data, "
--              "only JSON encoded device code expected.\n");
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Input contains additional data.\n");
-         talloc_free(str);
-         return EINVAL;
-     }
- 
-+    *out = str;
-+
-+    return EOK;
-+}
-+
-+static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx,
-+                                           const char **out)
-+{
-+    char *str;
-+    errno_t ret;
-+    char *sep;
-+
-+    ret = read_from_stdin(dc_ctx, &str);
-+    if (ret != EOK) {
-+        DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
-+        return ret;
-+    }
-+
-+    if (out != NULL) {
-+        /* expect the client secret in the first line */
-+        sep = strchr(str, '\n');
-+        if (sep == NULL) {
-+            DEBUG(SSSDBG_CRIT_FAILURE,
-+                  "Format error, expecting client secret and JSON data.\n");
-+            talloc_free(str);
-+            return EINVAL;
-+        }
-+        *sep = '\0';
-+        *out = str;
-+        sep++;
-+    } else {
-+        sep = str;
-+    }
-+
-     clean_http_data(dc_ctx);
--    dc_ctx->http_data = str;
-+    dc_ctx->http_data = talloc_strdup(dc_ctx, sep);
- 
-     DEBUG(SSSDBG_TRACE_ALL, "JSON device code: [%s].\n", dc_ctx->http_data);
- 
-     return EOK;
- }
- 
-+static errno_t read_client_secret_from_stdin(struct devicecode_ctx *dc_ctx,
-+                                             const char **out)
-+{
-+    char *str;
-+    errno_t ret;
-+
-+    ret = read_from_stdin(dc_ctx, &str);
-+    if (ret != EOK) {
-+        DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
-+        return ret;
-+    }
-+
-+    *out = str;
-+
-+    DEBUG(SSSDBG_TRACE_ALL, "Client secret: [%s].\n", *out);
-+
-+    return EOK;
-+}
-+
- static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
-                              const char *device_auth_endpoint,
-                              const char *token_endpoint,
-@@ -210,6 +261,7 @@ struct cli_opts {
-     const char *jwks_uri;
-     const char *scope;
-     const char *client_secret;
-+    bool client_secret_stdin;
-     const char *ca_db;
-     const char *user_identifier_attr;
-     bool libcurl_debug;
-@@ -253,6 +305,8 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
-         {"client-id", 0, POPT_ARG_STRING, &opts->client_id, 0, _("Client ID"), NULL},
-         {"client-secret", 0, POPT_ARG_STRING, &opts->client_secret, 0,
-                 _("Client secret (if needed)"), NULL},
-+        {"client-secret-stdin", 0, POPT_ARG_NONE, NULL, 's',
-+                _("Read client secret from standard input"), NULL},
-         {"ca-db", 0, POPT_ARG_STRING, &opts->ca_db, 0,
-                 _("Path to PEM file with CA certificates"), NULL},
-         {"libcurl-debug", 0, POPT_ARG_NONE, NULL, 'c',
-@@ -280,6 +334,9 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
-         case 'c':
-             opts->libcurl_debug = true;
-             break;
-+        case 's':
-+            opts->client_secret_stdin = true;
-+            break;
-         default:
-             fprintf(stderr, "\nInvalid option %s: %s\n\n",
-                   poptBadOption(pc, 0), poptStrerror(opt));
-@@ -324,6 +381,12 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
-         goto done;
-     }
- 
-+    if (opts->client_secret != NULL && opts->client_secret_stdin) {
-+        fprintf(stderr, "\n--client-secret and --client-secret-stdin are "
-+                        "mutually exclusive.\n\n");
-+        goto done;
-+    }
-+
-     poptFreeContext(pc);
-     print_usage = false;
- 
-@@ -454,6 +517,15 @@ int main(int argc, const char *argv[])
-     }
- 
-     if (opts.get_device_code) {
-+        if (opts.client_secret_stdin) {
-+            ret = read_client_secret_from_stdin(dc_ctx, &opts.client_secret);
-+            if (ret != EOK) {
-+                DEBUG(SSSDBG_OP_FAILURE,
-+                      "Failed to read client secret from stdin.\n");
-+                goto done;
-+            }
-+        }
-+
-         ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
-         if (ret != EOK) {
-             DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
-@@ -463,7 +535,10 @@ int main(int argc, const char *argv[])
- 
-     if (opts.get_access_token) {
-         if (dc_ctx->device_code == NULL) {
--            ret = read_device_code_from_stdin(dc_ctx);
-+            ret = read_device_code_from_stdin(dc_ctx,
-+                                              opts.client_secret_stdin
-+                                                           ? &opts.client_secret
-+                                                           : NULL);
-             if (ret != EOK) {
-                 DEBUG(SSSDBG_OP_FAILURE,
-                       "Failed to read device code from stdin.\n");
--- 
-2.37.3
-
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 6ddedfe..f598498 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -26,38 +26,17 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 
 Name: sssd
-Version: 2.7.3
-Release: 4%{?dist}.3
+Version: 2.8.2
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 
 ### Patches ###
-Patch0001: 0001-Makefile-remove-unneeded-dependency.patch
-Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
-Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
-Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch
-Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
-Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
-Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
-Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
-Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
-Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
-Patch0011: 0011-krb5-respect-krb5_validate-for-PAC-checks.patch
-Patch0012: 0012-Analyzer-Optimize-list-verbose-output.patch
-Patch0013: 0013-Analyzer-Ensure-parsed-id-contains-digit.patch
-Patch0014: 0014-TOOLS-don-t-export-internal-helpers.patch
-Patch0015: 0015-TOOLS-fixed-handling-of-init-error.patch
-Patch0016: 0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch
-Patch0017: 0017-PAC-allow-to-disable-UPN-check.patch
-Patch0018: 0018-ipa-do-not-add-guessed-principal-to-the-cache.patch
-Patch0019: 0019-pac-relax-default-check.patch
-Patch0020: 0020-CLIENT-fix-thread-unsafe-acces-to-get-ent-structs.patch
-Patch0021: 0021-oidc_child-escape-scopes.patch
-Patch0022: 0022-oidc_child-use-client-secret-if-available-to-get-dev.patch
-Patch0023: 0023-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch
-Patch0024: 0024-oidc_child-add-client-secret-stdin-option.patch
+Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+Patch0002: 0002-MAN-mention-attributes-in-see-also.patch
+Patch0003: 0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
 
 ### Dependencies ###
 
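Review bot: Dropping Patch0001-0024 leaves at least one fix unaccounted for in the new changelog, so the rebase could silently lose it. The removed `rhbz#2141830` entry (thread-unsafe access to get*ent structs, carried as Patch0020) has no counterpart among the added 2.8.1-1 / 2.8.2-x `Resolves:` lines. The PAC/`krb5_validate` and `oidc_child` client-secret fixes do reappear there under new bug numbers. The fix is presumably part of the 2.8.2 tarball, but nothing on this page shows that, so confirm each dropped patch against the upstream release before merging. A comment above the patch list would record the result, e.g. `# downstream 2.7.3 patches 0001-0024 are contained in the 2.8.2 upstream release`.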
@@ -141,6 +120,7 @@ BuildRequires: samba-winbind
 BuildRequires: selinux-policy-targeted
 # required for p11_child smartcard tests
 BuildRequires: softhsm >= 2.1.0
+BuildRequires: bc
 BuildRequires: systemd-devel
 BuildRequires: systemtap-sdt-devel
 BuildRequires: uid_wrapper
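Review bot: `BuildRequires: bc` sits directly under the `# required for p11_child smartcard tests` comment with no explanation of its own, so a reader cannot tell whether it belongs to those tests or to something else in the 2.8.2 build. If it is a test-only dependency, say so on its own line, e.g. `# required for <name of test suite> tests`. Otherwise move it out from under the softhsm comment.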
@@ -1082,17 +1062,36 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
-* Fri Dec 16 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.3
-- Resolves: rhbz#2152884 - authenticating against external IdP services okta (native app) with OAuth client secret failed [rhel-9.1.0.z]
-
-* Fri Dec  9 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.2
-- Resolves: rhbz#2141830 - SSS_CLIENT: fix thread unsafe access to get*ent structs. [rhel-9.1.0.z]
-- Resolves: rhbz#2139870 - Analyzer: Optimize and remove duplicate messages in verbose list [rhel-9.1.0.z]
-- Resolves: rhbz#2142960 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged [rhel-9.1.0.z]
-- Resolves: rhbz#2148988 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around [rhel-9.1.0.z]
-
-* Fri Oct 14 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.1
-- Resolves: rhbz#2128902 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) [rhel-9.1.0.z]
+* Mon Jan 16 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
+- Resolves: rhbz#2160001 - Reference to 'sssd-ldap-attributes' man page is missing in 'sssd-ldap', etc man pages
+- Resolves: rhbz#2143159 - automount killed by SIGSEGV
+
+* Fri Dec 16 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
+- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
+- Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search
+- Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service)
+- Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
+- Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization
+- Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
+- Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
+- Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately
+- Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
+
+* Fri Nov  4 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
+- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
+- Resolves: rhbz#1507035 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
+- Resolves: rhbz#1766490 - Use negative cache better and domain checks for lookup by SIDs
+- Resolves: rhbz#1964121 - RFE: Add an option to sssd config to convert home directories to lowercase (or add a new template for the 'override_homedir' option)
+- Resolves: rhbz#2074307 - reduce debug level in case well_known_sid_to_name() fails
+- Resolves: rhbz#2096031 - SSSD: sdap_handle_id_collision_for_incomplete_groups debug message missing a new line
+- Resolves: rhbz#2103325 - Supported AD group types should be explained in the docs
+- Resolves: rhbz#2111388 - authenticating against external IdP services okta (native app) with OAuth client secret failed
+- Resolves: rhbz#2115171 - SSSD: duplicate dns_resolver_* option in man sssd.conf
+- Resolves: rhbz#2127492 - sssd timezone issues sudonotafter
+- Resolves: rhbz#2128840 - [RFE] provide dbus method to find users by attr
+- Resolves: rhbz#2128883 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
+- Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
+- Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
 
 * Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
 - Related: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)