Bug 1851 - [UPDATE REQUEST] [UPSTREAM UPDATE] sssd
Status: RESOLVED FIXED
Product: Server Bugs
Classification: ROSA Server
Component: Main Packages
Assigned To: Andrew Lukoshko
Reported: 2013-03-30 01:43 MSK by Andrew Lukoshko
Modified: 2013-04-01 13:22 MSD (History)
vladimir.potapov: qa_verified+
andrew.lukoshko: published_server+


Description Andrew Lukoshko 2013-03-30 01:43:25 MSK
Update for sssd from RHEL6 upstream.

Advisory:
* When the ldap_chpass_update_last_change option was enabled, the
shadowLastChange attribute contained the number of seconds instead of days.
Consequently, when shadowLastChange was in use and the user was prompted to
update their expiring password, shadowLastChange was not updated. The user then
continued to get the error until they were locked out of the system. With this
update, the number of days is stored in the shadowLastChange attribute and users
are able to change their expiring passwords as expected.

* Kerberos options were loaded separately in the krb5 utility and the IPA
provider with different codepaths. The code was fixed in krb5 but not in the IPA
provider. Consequently, a Kerberos ticket was not renewed in time when IPA was
used as an authentication provider. With this update, Kerberos options are
loaded using a common API and Kerberos tickets are renewed as expected in the
described scenario.

* When SSSD was built without sudo support, the ldap_sudo_search_base value was
not set and the namingContexts LDAP attribute contained a zero-length string.
Consequently, SSSD tried to set ldap_sudo_search_base with this string and
failed. Therefore, SSSD was unable to establish a connection with the LDAP
server and switched to offline mode. With this update, SSSD considers the
zero-length namingContexts value the same way as if no value was available, thus
preventing this bug.

http://rhn.redhat.com/errata/RHBA-2013-0677.html

Build lists:
https://abf.rosalinux.ru/build_lists/1042502
https://abf.rosalinux.ru/build_lists/1042503
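
Added example (not part of the bug report or of SSSD): an audit sketch that flags directory entries whose shadowLastChange was written in seconds rather than days, as in the first advisory item. The LDIF sample, the function names and the seconds-detection heuristic are assumptions made for illustration.

```python
import time

SECONDS_PER_DAY = 86400

# Constructed sample LDIF export (not taken from the bug report).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
shadowLastChange: 15793

dn: uid=bob,ou=people,dc=example,dc=com
shadowLastChange: 1364593405

dn: uid=carol,ou=people,dc=example,dc=com
shadowMax: 90
"""

def parse_ldif(text):
    """Yield one dict per entry; handles only simple 'attr: value' lines."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        if "dn" in entry:
            yield entry

def classify(value, today_days):
    """Return (status, day_count) for one shadowLastChange value."""
    if value is None:
        return ("missing", None)
    try:
        n = int(value)
    except ValueError:
        return ("invalid", None)
    if 0 <= n <= today_days:
        return ("days", n)  # plausible days-since-epoch value
    # Heuristic (assumption): a value later than today that becomes a
    # plausible past day once divided by 86400 was stored in seconds.
    if 0 < n // SECONDS_PER_DAY <= today_days:
        return ("seconds", n // SECONDS_PER_DAY)
    return ("invalid", None)

def audit(ldif_text, today_days=None):
    """Map each entry's dn to its classification."""
    if today_days is None:
        today_days = int(time.time()) // SECONDS_PER_DAY
    return {e["dn"]: classify(e.get("shadowLastChange"), today_days)
            for e in parse_ldif(ldif_text)}
```

Entries reported as "seconds" come with the equivalent day count, which can be reviewed before the attribute is corrected in the directory.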
Comment 1 Vladimir Potapov 2013-04-01 13:15:10 MSD
sssd-1.8.0-32.4.res6
QA Verified