From e7075f68be5ec36a059ec23cbe335734fef6e302 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 20 Jan 2026 14:26:28 +0100
Subject: [PATCH] overlay coreos/user-patches: Regenerate patches for sys-auth/pambase

Signed-off-by: Krzesimir Nowak
---
 .../pambase/0001-Fix-sssd-login.patch | 36 +++++++++++++++++++
 ... 0002-Reorganize-the-login-sessions.patch} | 20 ++++++-----
 ...patch => 0003-Flatcar-modifications.patch} | 27 ++++----------
 .../user-patches/sys-auth/pambase/README.md | 7 ++--
 4 files changed, 57 insertions(+), 33 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Fix-sssd-login.patch
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/{0001-Reorganize-the-login-sessions.patch => 0002-Reorganize-the-login-sessions.patch} (91%)
 rename sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/{0002-Flatcar-modifications.patch => 0003-Flatcar-modifications.patch} (68%)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Fix-sssd-login.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Fix-sssd-login.patch
new file mode 100644
index 0000000000..d026254144
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Fix-sssd-login.patch
@@ -0,0 +1,36 @@
+From 77582617c9cd7b3ac3bd36bb3bbfeee07d014406 Mon Sep 17 00:00:00 2001
+From: Mathieu Tortuyaux
+Date: Tue, 17 Feb 2026 16:59:05 +0100
+Subject: [PATCH 1/3] Fix sssd login
+
+Seems like sssd logins fail if they happen after faillock.
+
+Related: https://github.com/flatcar/scripts/pull/3696
+
+Signed-off-by: Krzesimir Nowak
+---
+ templates/system-auth.tpl | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
+index 905d04f..479bd77 100644
+--- a/templates/system-auth.tpl
++++ b/templates/system-auth.tpl
+@@ -21,13 +21,11 @@ auth [success=2 default=ignore] pam_systemd_home.so
+ 
+ {% if sssd %}
+ auth sufficient pam_unix.so {{ nullok }} {{ debug }}
++auth sufficient pam_sss.so forward_pass {{ debug }}
+ {% else %}
+ auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok }} {{ debug }} try_first_pass
+ {% endif %}
+ auth [default=die] pam_faillock.so authfail
+-{% if sssd %}
+-auth sufficient pam_sss.so forward_pass {{ debug }}
+-{% endif %}
+ {% if caps %}
+ auth optional pam_cap.so
+ {% endif %}
+-- 
+2.52.0
+
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Reorganize-the-login-sessions.patch
similarity index 91%
rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Reorganize-the-login-sessions.patch
index dba7a9f1ee..9ae7053940 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0001-Reorganize-the-login-sessions.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Reorganize-the-login-sessions.patch
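Review bot: The description of the new 0001 patch, `Seems like sssd logins fail if they happen after faillock.`, leaves the mechanism unstated even though the hunk shows it: `auth [default=die] pam_faillock.so authfail` terminates the auth stack whatever the module returns, so a `sufficient pam_sss.so` placed after it could never be reached — if pam_unix.so succeeds the sufficient control ends the stack, and if it fails the faillock line does. Moving pam_sss.so ahead of the faillock line keeps lockout accounting intact, because a failure of both pam_unix.so and pam_sss.so still reaches `authfail`, and that property is worth stating so a later regeneration does not reorder the lines back. I would replace the one-line body with: `pam_faillock.so authfail is stacked as [default=die], which ends the auth stack on any return value; a sufficient pam_sss.so after it was unreachable for accounts pam_unix.so cannot authenticate. Put pam_sss.so before faillock; failures of both modules still reach authfail.`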
@@ -1,7 +1,7 @@ -From 7dce3aef1c67e5884aa7962c5c34a51d9760bd13 Mon Sep 17 00:00:00 2001 +From c5be94c717fc86bd055efdca8f9e828b3098f9aa Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Thu, 9 Oct 2025 17:32:38 +0200 -Subject: [PATCH 1/2] Reorganize the login sessions +Subject: [PATCH 2/3] Reorganize the login sessions - Move selinux parts from system-login to separate a system-selinux file. It is conditionally included by system-local-login and @@ -37,13 +37,13 @@ pam_selinux.so lines would be absent. Signed-off-by: Krzesimir Nowak --- pambase.py | 2 ++ - templates/system-local-login.tpl | 9 +++++++++ + templates/system-local-login.tpl | 8 ++++++++ templates/system-login.tpl | 17 +++-------------- templates/system-postlogin.tpl | 3 +++ templates/system-remote-login.tpl | 7 +++++++ templates/system-selinux.tpl | 2 ++ templates/system-session.tpl | 1 + - 7 files changed, 27 insertions(+), 14 deletions(-) + 7 files changed, 26 insertions(+), 14 deletions(-) create mode 100644 templates/system-postlogin.tpl create mode 100644 templates/system-selinux.tpl @@ -61,10 +61,10 @@ index 4180cbb..0c7450d 100755 ] diff --git a/templates/system-local-login.tpl b/templates/system-local-login.tpl -index 5e01090..34d8459 100644 +index b1bd7e7..53f420a 100644 --- a/templates/system-local-login.tpl +++ b/templates/system-local-login.tpl -@@ -2,12 +2,21 @@ auth include system-login +@@ -2,11 +2,16 @@ auth include system-login {% if gnome_keyring %} auth optional pam_gnome_keyring.so {% endif %} 
@@ -75,14 +75,16 @@ index 5e01090..34d8459 100644 {% if gnome_keyring %} password optional pam_gnome_keyring.so use_authtok {% endif %} -+ +{% if selinux %} +session include system-selinux +{% endif %} - {% if gnome_keyring %} + {% if gnome_keyring and openrc %} + session optional pam_gnome_keyring.so auto_start + {% endif %} +@@ -14,3 +19,6 @@ session include system-login + {% if gnome_keyring and not openrc %} session optional pam_gnome_keyring.so auto_start {% endif %} - session include system-login +{% if not minimal %} +session include system-postlogin +{% endif %} diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0003-Flatcar-modifications.patch similarity index 68% rename from sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0003-Flatcar-modifications.patch index b272ec6e9a..076964e5be 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0002-Flatcar-modifications.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/0003-Flatcar-modifications.patch @@ -1,14 +1,14 @@ -From 41efbef049829f738d1e6ad172f4b1a8bc6a6e6d Mon Sep 17 00:00:00 2001 +From 94176f7d3a66c413d79acff22c8d576775698392 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 10 Oct 2025 11:47:43 +0200 -Subject: [PATCH 2/2] Flatcar modifications +Subject: [PATCH 3/3] Flatcar modifications --- - templates/system-auth.tpl | 24 +++++++++++++++--------- - 1 file changed, 15 insertions(+), 9 deletions(-) + templates/system-auth.tpl | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) 
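Review bot: The regenerated 0002 patch now sits on a different upstream base — the `index` line in the previous hunk moves from `5e01090..34d8459` to `b1bd7e7..53f420a`, and the new context in this hunk (`{% if gnome_keyring and openrc %}`, `{% if gnome_keyring and not openrc %}`, the extra inner hunk `@@ -14,3 +19,6 @@`) shows upstream system-local-login.tpl changed shape — yet nothing in the series records which sys-auth/pambase version it was regenerated against; presumably that is in an ebuild bump outside this commit. Since README.md presents 0001 and 0002 as candidates for upstreaming, one line there such as `Regenerated against sys-auth/pambase <VERSION — placeholder>` would make the next rebase reviewable. The dropped empty added line (`-+` before `{% if selinux %}`) matches the diffstat change from 9 to 8 insertions in the earlier hunk and looks intentional.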
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl -index 905d04f..b211abb 100644 +index 479bd77..b211abb 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -9,11 +9,15 @@ auth [default={{ 3 + homed + (sssd * 3) }}] pam_permit.so @@ -30,22 +30,7 @@ index 905d04f..b211abb 100644 {% if homed %} auth [success=2 default=ignore] pam_systemd_home.so -@@ -21,13 +25,11 @@ auth [success=2 default=ignore] pam_systemd_home.so - - {% if sssd %} - auth sufficient pam_unix.so {{ nullok }} {{ debug }} -+auth sufficient pam_sss.so forward_pass {{ debug }} - {% else %} - auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok }} {{ debug }} try_first_pass - {% endif %} - auth [default=die] pam_faillock.so authfail --{% if sssd %} --auth sufficient pam_sss.so forward_pass {{ debug }} --{% endif %} - {% if caps %} - auth optional pam_cap.so - {% endif %} -@@ -45,9 +47,13 @@ account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so +@@ -43,9 +47,13 @@ account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so account required pam_unix.so {{ debug }} account required pam_faillock.so {% if sssd %} diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md index b36dac0439..6d5b48ee66 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-auth/pambase/README.md 
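Review bot: The 0003 patch still has no description body — after `Subject: [PATCH 3/3] Flatcar modifications` the message goes straight to `---` — although it is the patch that edits the region around the computed jump `auth [default={{ 3 + homed + (sssd * 3) }}] pam_permit.so` (the context of its `@@ -9,11 +9,15 @@` hunk), whose correctness depends on exactly how many auth modules follow it in the rendered stack, and the pam_sss.so move that 0001 now carries is the kind of reorder that can silently shift such a count. This regeneration itself does not change the result, since the patched blob is still `b211abb` (`index 479bd77..b211abb`), and dropping the `@@ -21,13 +25,11 @@` hunk here is consistent with 0001 carrying it. A body of a few sentences naming the modules the pam_permit.so jump is meant to skip and the reason for each Flatcar deviation (README.md itself says `Not sure if all them are necessary`) would let a future regeneration be checked rather than trusted.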
@@ -1,6 +1,7 @@ -The `0001-Reorganize-the-login-sessions.patch` is something we could -try to upstream if it is proven to work. +The patches `0001-Fix-sssd-login.patch` and +`0002-Reorganize-the-login-sessions.patch` are something we could try +to upstream if it is proven to work. -The `0002-Flatcar-modifications.patch` is just some Flatcar-specific +The `0003-Flatcar-modifications.patch` is just some Flatcar-specific changes. Not sure if all them are necessary, but it is trying to more-or-less match the config files from old baselayout.