!168 backport patches from upstream community

From: @fwo 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-Missing-dns_update_per_family-option.patch

@@ -0,0 +1,76 @@
+From a822206c7859b5f39af2b2ea1b117850a0589e3c Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Mon, 21 Oct 2024 16:31:38 +0200
+Subject: [PATCH] Missing 'dns_update_per_family' option
+
+This update fixes missing 'dns_update_per_family' option in python code
+and config files.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/config/SSSDConfig/sssdoptions.py | 2 ++
+ src/config/SSSDConfigTest.py         | 2 ++
+ src/config/cfg_rules.ini             | 1 +
+ src/config/etc/sssd.api.conf         | 1 +
+ 4 files changed, 6 insertions(+)
+
+diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
+index e7de867..3aba87a 100644
+--- a/src/config/SSSDConfig/sssdoptions.py
++++ b/src/config/SSSDConfig/sssdoptions.py
+@@ -198,6 +198,8 @@ class SSSDOptions(object):
+         'refresh_expired_interval': _('How often should expired entries be refreshed in background'),
+         'refresh_expired_interval_offset': _("Maximum period deviation when refreshing expired entries in background"),
+         'dyndns_update': _("Whether to automatically update the client's DNS entry"),
++        'dyndns_update_per_family': _('Whether DNS update of A and AAAA record should be performed '
++                                      'in one update or in two separate updates'),
+         'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
+         'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
+         'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"),
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index e08109a..21a08c8 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -580,6 +580,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+             'dns_resolver_timeout',
+             'dns_discovery_domain',
+             'dyndns_update',
++            'dyndns_update_per_family',
+             'dyndns_ttl',
+             'dyndns_iface',
+             'dyndns_refresh_interval',
+@@ -940,6 +941,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+             'dns_resolver_timeout',
+             'dns_discovery_domain',
+             'dyndns_update',
++            'dyndns_update_per_family',
+             'dyndns_ttl',
+             'dyndns_iface',
+             'dyndns_refresh_interval',
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index 39b66ba..0a630f1 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -442,6 +442,7 @@ option = refresh_expired_interval_offset
+ 
+ # Dynamic DNS updates
+ option = dyndns_update
++option = dyndns_update_per_family
+ option = dyndns_ttl
+ option = dyndns_iface
+ option = dyndns_refresh_interval
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index 67b7a5f..5930f4a 100644
+--- a/src/config/etc/sssd.api.conf
++++ b/src/config/etc/sssd.api.conf
+@@ -208,6 +208,7 @@ refresh_expired_interval_offset = int, None, false
+ 
+ # Dynamic DNS updates
+ dyndns_update = bool, None, false
++dyndns_update_per_family = bool, None, false
+ dyndns_ttl = int, None, false
+ dyndns_iface = str, None, false
+ dyndns_refresh_interval = int, None, false
+-- 
+2.33.0
+

backport-TOOLS-mistype-fix.patch

@@ -0,0 +1,30 @@
+From 3621a587a32589e8404ed1f2356fcbfebc128efc Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 2 Sep 2024 21:04:34 +0200
+Subject: [PATCH] TOOLS: mistype fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/tools/sssctl/sssctl_data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 79e12078e..43b9814ea 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -168,7 +168,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+         }
+     }
+ 
+-    if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
++    if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) {
+         ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+                                                   SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+-- 
+2.33.0
+

backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch

@@ -0,0 +1,61 @@
+From d004e7b4b977da3dd9f1d3de910c28c093a6fb26 Mon Sep 17 00:00:00 2001
+From: santeri3700 <santeri.pikarinen@gmail.com>
+Date: Tue, 15 Oct 2024 20:13:20 +0300
+Subject: [PATCH] ad: honor ad_use_ldaps setting with ad_machine_pw_renewal
+
+The value of ad_use_ldaps was not passed as `--use-ldaps`
+argument to the adcli update command which handles
+the automatic renewal of AD machine account password.
+
+Resolves: https://github.com/SSSD/sssd/issues/7642
+
+Signed-off-by: santeri3700 <santeri.pikarinen@gmail.com>
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_machine_pw_renewal.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
+index 56b64a2a9..2e54e9bff 100644
+--- a/src/providers/ad/ad_machine_pw_renewal.c
++++ b/src/providers/ad/ad_machine_pw_renewal.c
+@@ -39,6 +39,7 @@ struct renewal_data {
+ static errno_t get_adcli_extra_args(const char *ad_domain,
+                                     const char *ad_hostname,
+                                     const char *ad_keytab,
++				    bool ad_use_ldaps,
+                                     size_t pw_lifetime_in_days,
+                                     bool add_samba_data,
+                                     size_t period,
+@@ -59,7 +60,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
+         return ENOMEM;
+     }
+ 
+-    args = talloc_array(renewal_data, const char *, 9);
++    args = talloc_array(renewal_data, const char *, 10);
+     if (args == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
+         return ENOMEM;
+@@ -79,6 +80,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain,
+         args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab);
+     }
+     args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain);
++    if (ad_use_ldaps) {
++        args[c++] = talloc_strdup(args, "--use-ldaps");
++    }
+     if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
+         args[c++] = talloc_strdup(args, "--verbose");
+     }
+@@ -390,6 +394,7 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
+                    dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME),
+                    dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic,
+                                       SDAP_KRB5_KEYTAB),
++		   dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS),
+                    lifetime,
+                    dp_opt_get_bool(ad_opts->basic,
+                                    AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD),
+-- 
+2.33.0
+

sssd.spec

@@ -8,7 +8,7 @@
 
 Name: sssd
 Version: 2.9.4
-Release: 9
+Release: 10
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@@ -22,6 +22,9 @@ Patch0005: backport-SSH-sanity-check-to-please-coverity.patch
 Patch0006: backport-CLIENT-idmap-fix-coverity-warning.patch
 Patch0007: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
 Patch0008: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
+Patch0009: backport-Missing-dns_update_per_family-option.patch
+Patch0010: backport-TOOLS-mistype-fix.patch
+Patch0011: backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch
 
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@@ -920,6 +923,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Tue Dec 03 2024 wangjiang <app@cameyan.com> - 2.9.4-10
+- backport upstream patches
+
 * Wed Oct 30 2024 xuraoqing <xuraoqing@huawei.com> - 2.9.4-9
 - option --enable-files-domain in configure has been removed