From 57f72fd0dac6633273d5de06937ad8a42545f477 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 22 2020 18:29:49 +0000 Subject: import sssd-2.3.0-8.el8 --- diff --git a/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch b/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch new file mode 100644 index 0000000..527067e --- /dev/null +++ b/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch @@ -0,0 +1,42 @@ +From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= +Date: Thu, 28 May 2020 12:12:58 +0200 +Subject: [PATCH] AD: Enforcing GPO rule restriction on user + +This fixes bug related to ad_gpo_implicit_deny option set to True. +gpo_implict_denay was checked only for dacl_filtered_gpos, +but not for cse_filtered_gpos. + +Resolves: +https://github.com/SSSD/sssd/issues/5181 + +Reviewed-by: Sumit Bose +--- + src/providers/ad/ad_gpo.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 53560a754..2c6aa7fa6 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) + /* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */ + DEBUG(SSSDBG_TRACE_FUNC, + "no applicable gpos found after cse_guid filtering\n"); +- ret = EOK; ++ ++ if (state->gpo_implicit_deny == true) { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "No applicable GPOs have been found and ad_gpo_implicit_deny" ++ " is set to 'true'. The user will be denied access.\n"); ++ ret = ERR_ACCESS_DENIED; ++ } else { ++ ret = EOK; ++ } ++ + goto done; + } + +-- +2.21.3 + diff --git a/SOURCES/0041-man-clarify-AD-certificate-rule.patch b/SOURCES/0041-man-clarify-AD-certificate-rule.patch new file mode 100644 index 0000000..a54281a --- /dev/null +++ b/SOURCES/0041-man-clarify-AD-certificate-rule.patch @@ -0,0 +1,33 @@ +From 3bb910503bb7cbc20105f0a302db400f04436d2a Mon Sep 17 00:00:00 2001 +From: ikerexxe +Date: Tue, 18 Aug 2020 11:45:18 +0200 +Subject: [PATCH] man: clarify AD certificate rule + +Clarify AD specific certificate rule example by changing userPrincipal to +userPrincipalName. Moreover, match the subject principal name in the +example with the rule name. + +Resolves: +https://github.com/SSSD/sssd/issues/5278 + +Reviewed-by: Sumit Bose +--- + src/man/sss-certmap.5.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml +index 10343625e..09aec997c 100644 +--- a/src/man/sss-certmap.5.xml ++++ b/src/man/sss-certmap.5.xml +@@ -487,7 +487,7 @@ + sign. + + +- Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) ++ Example: (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name})) + + + +-- +2.21.3 + diff --git a/SOURCES/0042-config-allow-prompting-options-in-configuration.patch b/SOURCES/0042-config-allow-prompting-options-in-configuration.patch new file mode 100644 index 0000000..20e4c7e --- /dev/null +++ b/SOURCES/0042-config-allow-prompting-options-in-configuration.patch @@ -0,0 +1,72 @@ +From 4526858adb58736066a0b2cf2dc793ddfe671b2b Mon Sep 17 00:00:00 2001 +From: ikerexxe +Date: Tue, 4 Aug 2020 15:39:51 +0200 +Subject: [PATCH] config: allow prompting options in configuration + +False warnings were logged after enabling prompting options in +configuration file. This change modifies the configuration rules to +allow prompting options. + +Resolves: +https://github.com/SSSD/sssd/issues/5259 + +Reviewed-by: Sumit Bose +--- + src/config/cfg_rules.ini | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index 2874ea048..2d4e7b51d 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -14,6 +14,10 @@ section = session_recording + section_re = ^secrets/users/[0-9]\+$ + section_re = ^secrets/secrets$ + section_re = ^secrets/kcm$ ++section_re = ^prompting/password$ ++section_re = ^prompting/password/[^/\@]\+$ ++section_re = ^prompting/2fa$ ++section_re = ^prompting/2fa/[^/\@]\+$ + section_re = ^domain/[^/\@]\+$ + section_re = ^domain/[^/\@]\+/[^/\@]\+$ + section_re = ^application/[^/\@]\+$ +@@ -332,6 +336,36 @@ option = scope + option = users + option = groups + ++# Prompting during authentication ++[rule/allowed_prompting_password_options] ++validator = ini_allowed_options ++section_re = ^prompting/password$ ++ ++option = password_prompt ++ ++[rule/allowed_prompting_2fa_options] ++validator = ini_allowed_options ++section_re = ^prompting/2fa$ ++ ++option = single_prompt ++option = first_prompt ++option = second_prompt ++ ++[rule/allowed_prompting_password_subsec_options] ++validator = ini_allowed_options ++section_re = ^prompting/password/[^/\@]\+$ ++ ++option = password_prompt ++ ++[rule/allowed_prompting_2fa_subsec_options] ++validator = ini_allowed_options ++section_re = ^prompting/2fa/[^/\@]\+$ ++ ++option = single_prompt ++option = first_prompt ++option = second_prompt ++ ++ + [rule/allowed_domain_options] + validator = ini_allowed_options + section_re = ^\(domain\|application\)/[^/]\+$ +-- +2.21.3 + diff --git a/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch b/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch new file mode 100644 index 0000000..95cac65 --- /dev/null +++ b/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch @@ -0,0 +1,77 @@ +From 10366b4ee8c01ea20d908102e92d52fdeda168c3 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 18 Aug 2020 14:37:04 +0200 +Subject: [PATCH] p11_child: switch default ocsp_dgst to sha1 + +For details please see discussion at +https://github.com/SSSD/sssd/pull/837#issuecomment-672831519 + +:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1 + +Resolves: +https://github.com/SSSD/sssd/issues/5002 + +Reviewed-by: Iker Pedrosa +Reviewed-by: Sumit Bose +--- + src/man/sssd.conf.5.xml | 3 ++- + src/p11_child/p11_child_common_utils.c | 6 +++--- + src/p11_child/p11_child_openssl.c | 4 ++-- + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index 874a09c49..50692dfdd 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -507,7 +507,8 @@ + sha512 + + +- Default: sha256 ++ Default: sha1 (to allow compatibility with ++ RFC5019-compliant responder) + + (NSS Version) This option is + ignored, because NSS uses sha1 +diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c +index 6798752c7..95791b1f0 100644 +--- a/src/p11_child/p11_child_common_utils.c ++++ b/src/p11_child/p11_child_common_utils.c +@@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx) + cert_verify_opts->ocsp_default_responder = NULL; + cert_verify_opts->ocsp_default_responder_signing_cert = NULL; + cert_verify_opts->crl_file = NULL; +- cert_verify_opts->ocsp_dgst = CKM_SHA256; ++ cert_verify_opts->ocsp_dgst = CKM_SHA_1; + cert_verify_opts->soft_ocsp = false; + cert_verify_opts->soft_crl = false; + +@@ -174,8 +174,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unsupported digest for OCSP [%s], " +- "using default sha256.\n", &opts[c][OCSP_DGST_LEN]); +- cert_verify_opts->ocsp_dgst = CKM_SHA256; ++ "using default sha1.\n", &opts[c][OCSP_DGST_LEN]); ++ cert_verify_opts->ocsp_dgst = CKM_SHA_1; + } + #endif + } else if (strcasecmp(opts[c], "soft_ocsp") == 0) { +diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c +index 321cf162e..04b3e1467 100644 +--- a/src/p11_child/p11_child_openssl.c ++++ b/src/p11_child/p11_child_openssl.c +@@ -372,8 +372,8 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert) + ocsp_dgst = get_dgst(p11_ctx->cert_verify_opts->ocsp_dgst); + if (ocsp_dgst == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot determine configured digest function " +- "for OCSP, using default sha256.\n"); +- ocsp_dgst = EVP_sha256(); ++ "for OCSP, using default sha1.\n"); ++ ocsp_dgst = EVP_sha1(); + } + cid = OCSP_cert_to_id(ocsp_dgst, cert, issuer); + if (cid == NULL) { +-- +2.21.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 52cfcd4..afe21c4 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -26,7 +26,7 @@ Name: sssd Version: 2.3.0 -Release: 7%{?dist} +Release: 8%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -73,6 +73,10 @@ Patch0036: 0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch Patch0037: 0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch Patch0038: 0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch Patch0039: 0039-certmap-sanitize-LDAP-search-filter.patch +Patch0040: 0040-AD-Enforcing-GPO-rule-restriction-on-user.patch +Patch0041: 0041-man-clarify-AD-certificate-rule.patch +Patch0042: 0042-config-allow-prompting-options-in-configuration.patch +Patch0043: 0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch ### Downstream Patches ### @@ -1245,6 +1249,12 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Fri Aug 21 2020 Alexey Tikhonov - 2.3.0-8 +- Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working +- Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema +- Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf +- Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1 + * Fri Aug 07 2020 Alexey Tikhonov - 2.3.0-7 - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter