!185 回合上游补丁，修复krb5配置文件导致segment fault

From: @fwo 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

backport-CLIENT-idmap-fix-coverity-warning.patch

@@ -0,0 +1,51 @@
+From 7c913edc84e0201020b5ab770dd0823911387781 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 22 May 2024 20:19:05 +0200
+Subject: [PATCH] CLIENT:idmap: fix coverity warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following issue:
+```
+"Error: INTEGER_OVERFLOW (CWE-190):
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:306:5: tainted_data_argument: The value returned in ""replen"" is considered tainted.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: overflow: The expression ""replen - 12UL"" might be negative, but is used in a context that treats it as unsigned.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: assign: Assigning: ""data_len"" = ""replen - 12UL"".
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow: The expression ""1UL * data_len"" is deemed underflowed because at least one of its arguments has underflowed.
+sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow_sink: ""1UL * data_len"", which might have underflowed, is passed to ""malloc(1UL * data_len)"".
+ #  345|           }
+ #  346|
+ #  347|->         str = malloc(sizeof(char) * data_len);
+ #  348|           if (str == NULL) {
+ #  349|               ret = ENOMEM;"
+```
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+
+Reference: https://github.com/SSSD/sssd/commit/7c913edc84e0201020b5ab770dd0823911387781
+Conflict: NA
+
+---
+ src/sss_client/idmap/sss_nss_idmap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c
+index 575d03057..604933c6d 100644
+--- a/src/sss_client/idmap/sss_nss_idmap.c
++++ b/src/sss_client/idmap/sss_nss_idmap.c
+@@ -324,6 +324,11 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd,
+         goto done;
+     }
+ 
++    if (replen < DATA_START) { /* make sure 'type' is present */
++        ret = EBADMSG;
++        goto done;
++    }
++
+     /* Skip first two 32 bit values (number of results and
+      * reserved padding) */
+     SAFEALIGN_COPY_UINT32(&out->type, repbuf + 2 * sizeof(uint32_t), NULL);
+-- 
+2.33.0
+

backport-Make-sure-invalid-krb5-context-is-not-used.patch

@@ -0,0 +1,33 @@
+From bdfb92012d6dec2999469d483ba67d6c2521a078 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 21 Nov 2024 09:23:36 +0100
+Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used -
+ 2.9.4
+
+Resolves: https://github.com/SSSD/sssd/issues/7715
+---
+ src/util/sss_krb5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index 3f57e5b268f..0b83142ddfc 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -140,6 +140,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+ 
+     kerr = sss_krb5_init_context(&krb_ctx);
+     if (kerr) {
++        krb_ctx = NULL;
+         error_message = "Failed to init Kerberos context";
+         ret = EFAULT;
+         goto done;
+@@ -269,7 +270,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+     }
+ 
+ done:
+-    if (ret != EOK) {
++    if (ret != EOK && krb_ctx != NULL) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n",
+               sss_printable_keytab_name(krb_ctx, keytab_name),
+               (error_message ? error_message : sss_strerror(ret)));
+

backport-Missing-dns_update_per_family-option.patch

@@ -0,0 +1,76 @@
+From a822206c7859b5f39af2b2ea1b117850a0589e3c Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Mon, 21 Oct 2024 16:31:38 +0200
+Subject: [PATCH] Missing 'dns_update_per_family' option
+
+This update fixes missing 'dns_update_per_family' option in python code
+and config files.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/config/SSSDConfig/sssdoptions.py | 2 ++
+ src/config/SSSDConfigTest.py         | 2 ++
+ src/config/cfg_rules.ini             | 1 +
+ src/config/etc/sssd.api.conf         | 1 +
+ 4 files changed, 6 insertions(+)
+
+diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
+index e7de867..3aba87a 100644
+--- a/src/config/SSSDConfig/sssdoptions.py
++++ b/src/config/SSSDConfig/sssdoptions.py
+@@ -198,6 +198,8 @@ class SSSDOptions(object):
+         'refresh_expired_interval': _('How often should expired entries be refreshed in background'),
+         'refresh_expired_interval_offset': _("Maximum period deviation when refreshing expired entries in background"),
+         'dyndns_update': _("Whether to automatically update the client's DNS entry"),
++        'dyndns_update_per_family': _('Whether DNS update of A and AAAA record should be performed '
++                                      'in one update or in two separate updates'),
+         'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
+         'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
+         'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"),
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index e08109a..21a08c8 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -580,6 +580,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+             'dns_resolver_timeout',
+             'dns_discovery_domain',
+             'dyndns_update',
++            'dyndns_update_per_family',
+             'dyndns_ttl',
+             'dyndns_iface',
+             'dyndns_refresh_interval',
+@@ -940,6 +941,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+             'dns_resolver_timeout',
+             'dns_discovery_domain',
+             'dyndns_update',
++            'dyndns_update_per_family',
+             'dyndns_ttl',
+             'dyndns_iface',
+             'dyndns_refresh_interval',
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index 39b66ba..0a630f1 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -442,6 +442,7 @@ option = refresh_expired_interval_offset
+ 
+ # Dynamic DNS updates
+ option = dyndns_update
++option = dyndns_update_per_family
+ option = dyndns_ttl
+ option = dyndns_iface
+ option = dyndns_refresh_interval
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index 67b7a5f..5930f4a 100644
+--- a/src/config/etc/sssd.api.conf
++++ b/src/config/etc/sssd.api.conf
+@@ -208,6 +208,7 @@ refresh_expired_interval_offset = int, None, false
+ 
+ # Dynamic DNS updates
+ dyndns_update = bool, None, false
++dyndns_update_per_family = bool, None, false
+ dyndns_ttl = int, None, false
+ dyndns_iface = str, None, false
+ dyndns_refresh_interval = int, None, false
+-- 
+2.33.0
+

backport-SSH-sanity-check-to-please-coverity.patch

@@ -0,0 +1,48 @@
+From 19df6a5d2ed220e6236aa1c921b7abdeba233dd1 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 22 May 2024 21:13:31 +0200
+Subject: [PATCH] SSH: sanity check to please coverity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+```
+Error: INTEGER_OVERFLOW (CWE-190):
+sssd-2.10.0/src/util/sss_ssh.c:195:13: underflow: The decrement operator on the unsigned variable ""len"" might result in an underflow.
+sssd-2.10.0/src/util/sss_ssh.c:204:9: overflow_sink: ""len"", which might have underflowed, is passed to ""memcpy(out, pubkey->data, len)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
+ #  202|           }
+ #  203|
+ #  204|->         memcpy(out, pubkey->data, len);
+ #  205|           out[len] = '\0';
+ #  206|       }
+```
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+
+Reference: https://github.com/SSSD/sssd/commit/19df6a5d2ed220e6236aa1c921b7abdeba233dd1
+Conflict: NA
+
+---
+ src/util/sss_ssh.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/sss_ssh.c b/src/util/sss_ssh.c
+index 9df397873..f9c0918fd 100644
+--- a/src/util/sss_ssh.c
++++ b/src/util/sss_ssh.c
+@@ -191,6 +191,10 @@ sss_ssh_format_pubkey(TALLOC_CTX *mem_ctx,
+         }
+ 
+         len = pubkey->data_len;
++        if (len == 0) {
++            ret = EINVAL;
++            goto done;
++        }
+         if (pubkey->data[len - 1] == '\n') {
+             len--;
+         }
+-- 
+2.33.0
+

backport-TOOLS-mistype-fix.patch

@@ -0,0 +1,30 @@
+From 3621a587a32589e8404ed1f2356fcbfebc128efc Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 2 Sep 2024 21:04:34 +0200
+Subject: [PATCH] TOOLS: mistype fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/tools/sssctl/sssctl_data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 79e12078e..43b9814ea 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -168,7 +168,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+         }
+     }
+ 
+-    if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
++    if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) {
+         ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+                                                   SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+-- 
+2.33.0
+

backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch

@@ -0,0 +1,36 @@
+From 30a9f4f389f0a09057f9d7c424b96020c940c5e1 Mon Sep 17 00:00:00 2001
+From: John Veitch <john.veitch@glasgow.ac.uk>
+Date: Mon, 1 Jul 2024 13:02:20 +0100
+Subject: [PATCH] Update sssd.in to remove -f option from sysv init script
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fee3883 removed the -f option from the sssd but the init script was
+not updated accordingly at that time.
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+
+Reference:https://github.com/SSSD/sssd/commit/30a9f4f389f0a09057f9d7c424b96020c940c5e1
+Conflict:NA
+
+---
+ src/sysv/sssd.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sysv/sssd.in b/src/sysv/sssd.in
+index 68485bfb8..52308a4e2 100644
+--- a/src/sysv/sssd.in
++++ b/src/sysv/sssd.in
+@@ -45,7 +45,7 @@ TIMEOUT=15
+ start() {
+     [ -x $SSSD ] || exit 5
+     echo -n $"Starting $prog: "
+-    daemon $SSSD -f -D
++    daemon $SSSD -D
+     RETVAL=$?
+     echo
+     [ "$RETVAL" = 0 ] && touch $LOCK_FILE
+-- 
+2.33.0
+

backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch

@@ -0,0 +1,61 @@
+From d004e7b4b977da3dd9f1d3de910c28c093a6fb26 Mon Sep 17 00:00:00 2001
+From: santeri3700 <santeri.pikarinen@gmail.com>
+Date: Tue, 15 Oct 2024 20:13:20 +0300
+Subject: [PATCH] ad: honor ad_use_ldaps setting with ad_machine_pw_renewal
+
+The value of ad_use_ldaps was not passed as `--use-ldaps`
+argument to the adcli update command which handles
+the automatic renewal of AD machine account password.
+
+Resolves: https://github.com/SSSD/sssd/issues/7642
+
+Signed-off-by: santeri3700 <santeri.pikarinen@gmail.com>
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_machine_pw_renewal.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
+index 56b64a2a9..2e54e9bff 100644
+--- a/src/providers/ad/ad_machine_pw_renewal.c
++++ b/src/providers/ad/ad_machine_pw_renewal.c
+@@ -39,6 +39,7 @@ struct renewal_data {
+ static errno_t get_adcli_extra_args(const char *ad_domain,
+                                     const char *ad_hostname,
+                                     const char *ad_keytab,
++				    bool ad_use_ldaps,
+                                     size_t pw_lifetime_in_days,
+                                     bool add_samba_data,
+                                     size_t period,
+@@ -59,7 +60,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
+         return ENOMEM;
+     }
+ 
+-    args = talloc_array(renewal_data, const char *, 9);
++    args = talloc_array(renewal_data, const char *, 10);
+     if (args == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
+         return ENOMEM;
+@@ -79,6 +80,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
+         args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab);
+     }
+     args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain);
++    if (ad_use_ldaps) {
++        args[c++] = talloc_strdup(args, "--use-ldaps");
++    }
+     if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
+         args[c++] = talloc_strdup(args, "--verbose");
+     }
+@@ -390,6 +394,7 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
+                    dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME),
+                    dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic,
+                                       SDAP_KRB5_KEYTAB),
++		   dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS),
+                    lifetime,
+                    dp_opt_get_bool(ad_opts->basic,
+                                    AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD),
+-- 
+2.33.0
+

backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch

@@ -0,0 +1,61 @@
+From 986bb726202e69b05f861c14c3a220379baf9bd1 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 14 Jun 2024 16:10:34 +0200
+Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+SSSD does not handle the root user (UID==0) and treats all accounts with
+UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
+well and as a result for those accounts in MPG domains the check for a
+collisions of the primary GID should be skipped. The current code might
+e.g. cause issues during GPO evaluation when adding a host account into
+the cache which does not have any UID or GID set in AD and SSSD is
+configured to read UID and GID from AD.
+
+Resolves: https://github.com/SSSD/sssd/issues/7451
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+
+Reference:https://github.com/SSSD/sssd/commit/986bb726202e69b05f861c14c3a220379baf9bd1
+Conflict:NA
+
+---
+ src/db/sysdb_ops.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index a47d9b174..32e49d759 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
+             goto done;
+         }
+ 
+-        ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+-        if (ret != ENOENT) {
+-            if (ret == EOK) {
+-                DEBUG(SSSDBG_OP_FAILURE,
+-                    "Group with GID [%"SPRIgid"] already exists in an "
+-                    "MPG domain\n", gid);
+-                ret = EEXIST;
++        if (uid != 0) { /* uid == 0 means non-POSIX object */
++            ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
++            if (ret != ENOENT) {
++                if (ret == EOK) {
++                    DEBUG(SSSDBG_OP_FAILURE,
++                        "Group with GID [%"SPRIgid"] already exists in an "
++                        "MPG domain\n", uid);
++                    ret = EEXIST;
++                }
++                goto done;
+             }
+-            goto done;
+         }
+     }
+ 
+-- 
+2.33.0
+

sssd.spec

@@ -8,7 +8,7 @@
 
 Name: sssd
 Version: 2.9.4
-Release: 6
+Release: 11
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@@ -18,6 +18,14 @@ Patch0001: backport-CVE-2023-3758.patch
 Patch0002: backport-UTILS-inotify-avoid-potential-NULL-deref.patch
 Patch0003: backport-ad-refresh-root-domain-when-read-directly.patch
 Patch0004: backport-RESPONDER-use-proper-context-for-getDomains.patch
+Patch0005: backport-SSH-sanity-check-to-please-coverity.patch
+Patch0006: backport-CLIENT-idmap-fix-coverity-warning.patch
+Patch0007: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
+Patch0008: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
+Patch0009: backport-Missing-dns_update_per_family-option.patch
+Patch0010: backport-TOOLS-mistype-fix.patch
+Patch0011: backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch
+Patch0012: backport-Make-sure-invalid-krb5-context-is-not-used.patch
 
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@@ -397,7 +405,6 @@ autoreconf -ivf
     --with-crypto=libcrypto \
     --without-python2-bindings \
     --enable-sss-default-nss-plugin \
-    --enable-files-domain \
     %{?with_cifs_utils_plugin_option} \
     --enable-systemtap
 
@@ -917,6 +924,21 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Thu Dec 05 2024 wangjiang <app@cameyan.com> - 2.9.4-11
+- backport make sure invalid krb5 context is not used
+
+* Mon Dec 02 2024 wangjiang <app@cameyan.com> - 2.9.4-10
+- backport upstream patches
+
+* Mon Dec 2 2024 xuraoqing <xuraoqing@huawei.com> - 2.9.4-9
+- option --enable-files-domain in configure has been removed
+
+* Fri Oct 25 2024 fangxiuning <fangxiuning@huawei.com> - 2.9.4-8
+- backport patches to fix bugs
+
+* Sun Sep 29 2024 fangxiuning <fangxiuning@huawei.com> - 2.9.4-7
+- backport patches to fix bugs
+
 * Tue Jun 18 2024 wangjiang <wangjiang37@h-partners.com> - 2.9.4-6
 - backport upstream patches