overlay coreos/user-patches: Regenerate patches for sys-auth/pambase

Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2026-02-28 11:01:39 +01:00 · 2026-01-20 14:26:28 +01:00 · 2026-01-20 14:26:28 +01:00 · e7075f68be
commit e7075f68be
parent 0656bf04b7
4 changed files with 57 additions and 33 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Fix-sssd-login.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Fix-sssd-login.patch
@ -0,0 +1,36 @@
+From 77582617c9cd7b3ac3bd36bb3bbfeee07d014406 Mon Sep 17 00:00:00 2001
+From: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
+Date: Tue, 17 Feb 2026 16:59:05 +0100
+Subject: [PATCH 1/3] Fix sssd login
+
+Seems like sssd logins fail if they happen after faillock.
+
+Related: https://github.com/flatcar/scripts/pull/3696
+
+Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
+---
+ templates/system-auth.tpl | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
+index 905d04f..479bd77 100644
+--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
+@@ -21,13 +21,11 @@ auth		[success=2 default=ignore]	pam_systemd_home.so
+ 
+ {% if sssd %}
+ auth		sufficient	pam_unix.so {{ nullok }} {{ debug }}
+auth		sufficient	pam_sss.so forward_pass {{ debug }}
+ {% else %}
+ auth		[success=1 new_authtok_reqd=1 ignore=ignore default=bad]	pam_unix.so {{ nullok }} {{ debug }} try_first_pass
+ {% endif %}
+ auth		[default=die]	pam_faillock.so authfail
+-{% if sssd %}
+-auth		sufficient	pam_sss.so forward_pass {{ debug }}
+-{% endif %}
+ {% if caps %}
+ auth		optional	pam_cap.so
+ {% endif %}
+-- 
+2.52.0
+
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Reorganize-the-login-sessions.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Reorganize-the-login-sessions.patch
@ -1,7 +1,7 @@
-From 7dce3aef1c67e5884aa7962c5c34a51d9760bd13 Mon Sep 17 00:00:00 2001
+From c5be94c717fc86bd055efdca8f9e828b3098f9aa Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <knowak@microsoft.com>
 Date: Thu, 9 Oct 2025 17:32:38 +0200
-Subject: [PATCH 1/2] Reorganize the login sessions
+Subject: [PATCH 2/3] Reorganize the login sessions

 - Move selinux parts from system-login to separate a system-selinux
  file. It is conditionally included by system-local-login and
@ -37,13 +37,13 @@ pam_selinux.so lines would be absent.
 Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
 ---
 pambase.py                        |  2 ++
- templates/system-local-login.tpl  |  9 +++++++++
+ templates/system-local-login.tpl  |  8 ++++++++
 templates/system-login.tpl        | 17 +++--------------
 templates/system-postlogin.tpl    |  3 +++
 templates/system-remote-login.tpl |  7 +++++++
 templates/system-selinux.tpl      |  2 ++
 templates/system-session.tpl      |  1 +
- 7 files changed, 27 insertions(+), 14 deletions(-)
+ 7 files changed, 26 insertions(+), 14 deletions(-)
 create mode 100644 templates/system-postlogin.tpl
 create mode 100644 templates/system-selinux.tpl

@ -61,10 +61,10 @@ index 4180cbb..0c7450d 100755
     ]
 
 diff --git a/templates/system-local-login.tpl b/templates/system-local-login.tpl
-index 5e01090..34d8459 100644
+index b1bd7e7..53f420a 100644
 --- a/templates/system-local-login.tpl
 +++ b/templates/system-local-login.tpl
-@@ -2,12 +2,21 @@ auth		include		system-login
+@@ -2,11 +2,16 @@ auth		include		system-login
 {% if gnome_keyring %}
 auth		optional	pam_gnome_keyring.so
 {% endif %}
@ -75,14 +75,16 @@ index 5e01090..34d8459 100644
 {% if gnome_keyring %}
 password	optional	pam_gnome_keyring.so use_authtok
 {% endif %}
-+
 +{% if selinux %}
 +session		include		system-selinux
 +{% endif %}
- {% if gnome_keyring %}
+ {% if gnome_keyring and openrc %}
+ session		optional	pam_gnome_keyring.so auto_start
+ {% endif %}
+@@ -14,3 +19,6 @@ session		include		system-login
+ {% if gnome_keyring and not openrc %}
 session		optional	pam_gnome_keyring.so auto_start
 {% endif %}
- session		include		system-login
 +{% if not minimal %}
 +session		include		system-postlogin
 +{% endif %}
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0003-Flatcar-modifications.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0003-Flatcar-modifications.patch
@ -1,14 +1,14 @@
-From 41efbef049829f738d1e6ad172f4b1a8bc6a6e6d Mon Sep 17 00:00:00 2001
+From 94176f7d3a66c413d79acff22c8d576775698392 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <knowak@microsoft.com>
 Date: Fri, 10 Oct 2025 11:47:43 +0200
-Subject: [PATCH 2/2] Flatcar modifications
+Subject: [PATCH 3/3] Flatcar modifications

 ---
- templates/system-auth.tpl | 24 +++++++++++++++---------
- 1 file changed, 15 insertions(+), 9 deletions(-)
+ templates/system-auth.tpl | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)

 diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
-index 905d04f..b211abb 100644
+index 479bd77..b211abb 100644
 --- a/templates/system-auth.tpl
 +++ b/templates/system-auth.tpl
@@ -9,11 +9,15 @@ auth		[default={{ 3 + homed + (sssd * 3) }}]	pam_permit.so
@ -30,22 +30,7 @@ index 905d04f..b211abb 100644
 
 {% if homed %}
 auth		[success=2 default=ignore]	pam_systemd_home.so
-@@ -21,13 +25,11 @@ auth		[success=2 default=ignore]	pam_systemd_home.so
- 
- {% if sssd %}
- auth		sufficient	pam_unix.so {{ nullok }} {{ debug }}
-+auth		sufficient	pam_sss.so forward_pass {{ debug }}
- {% else %}
- auth		[success=1 new_authtok_reqd=1 ignore=ignore default=bad]	pam_unix.so {{ nullok }} {{ debug }} try_first_pass
- {% endif %}
- auth		[default=die]	pam_faillock.so authfail
-{% if sssd %}
-auth		sufficient	pam_sss.so forward_pass {{ debug }}
-{% endif %}
- {% if caps %}
- auth		optional	pam_cap.so
- {% endif %}
-@@ -45,9 +47,13 @@ account		[success={{ 2 if sssd else 1 }} default=ignore]	pam_systemd_home.so
+@@ -43,9 +47,13 @@ account		[success={{ 2 if sssd else 1 }} default=ignore]	pam_systemd_home.so
 account		required	pam_unix.so {{ debug }}
 account		required	pam_faillock.so
 {% if sssd %}
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md
@ -1,6 +1,7 @@
-The `0001-Reorganize-the-login-sessions.patch` is something we could
-try to upstream if it is proven to work.
+The patches `0001-Fix-sssd-login.patch` and
+`0002-Reorganize-the-login-sessions.patch` are something we could try
+to upstream if it is proven to work.

-The `0002-Flatcar-modifications.patch` is just some Flatcar-specific
+The `0003-Flatcar-modifications.patch` is just some Flatcar-specific
 changes. Not sure if all them are necessary, but it is trying to
 more-or-less match the config files from old baselayout.