ALP-pool/sssd
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 sssd revision 090d8d71156b005d1fac9bb8e6115611

Browse Source
This commit is contained in:
Adrian Schröter 2025-02-28 13:57:59 +01:00
commit 83c4cdac0f
12 changed files with 3316 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

218
0005-ad-gpo-use-hash-to-store-intermediate-results.patch Normal file
View File

@ -0,0 +1,218 @@
From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 8 Nov 2023 14:50:24 +0100
Subject: [PATCH] ad-gpo: use hash to store intermediate results
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision of access is granted or rejected.
If there are two or more access-control request running in parallel one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will do this decision based on intermediate data.
To avoid this the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
---
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
1 file changed, 102 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 4d12ef780..f27213105 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1356,6 +1356,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
return ret;
}
+static errno_t
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
+{
+ int hret;
+ hash_key_t k;
+ hash_value_t v;
+
+ if (hash == NULL || key == NULL || value == NULL) {
+ return EINVAL;
+ }
+
+ k.type = HASH_KEY_CONST_STRING;
+ k.c_str = key;
+
+ v.type = HASH_VALUE_PTR;
+ v.ptr = value;
+
+ hret = hash_enter(hash, &k, &v);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
+ key, value, hash_error_string(hret));
+ return EIO;
+ }
+
+ return EOK;
+}
+
/*
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
* and stores the allow_key and deny_key of all of the gpo_map_types present
@@ -1363,6 +1390,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
*/
static errno_t
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
const char *filename)
{
struct ini_cfgfile *file_ctx = NULL;
@@ -1496,14 +1524,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = allow_value ? allow_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- allow_key,
- value);
+ ret = add_result_to_hash(allow_maps, allow_key,
+ talloc_strdup(allow_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to allow maps "
+ "[%d][%s].\n",
+ allow_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1523,14 +1551,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = deny_value ? deny_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- deny_key,
- value);
+ ret = add_result_to_hash(deny_maps, deny_key,
+ talloc_strdup(deny_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to deny maps "
+ "[%d][%s].\n",
+ deny_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1825,6 +1853,8 @@ struct ad_gpo_access_state {
int num_cse_filtered_gpos;
int cse_gpo_index;
const char *ad_domain;
+ hash_table_t *allow_maps;
+ hash_table_t *deny_maps;
};
static void ad_gpo_connect_done(struct tevent_req *subreq);
@@ -1946,6 +1976,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
+ ret = sss_hash_create(state, 0, &state->allow_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ ret = sss_hash_create(state, 0, &state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (subreq == NULL) {
@@ -2632,6 +2675,43 @@ ad_gpo_cse_step(struct tevent_req *req)
return EAGAIN;
}
+static errno_t
+store_hash_maps_in_cache(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
+{
+ int ret;
+ struct hash_iter_context_t *iter;
+ hash_entry_t *entry;
+ size_t c;
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
+
+
+ for (c = 0; hash_list[c] != NULL; c++) {
+ iter = new_hash_iter_context(hash_list[c]);
+ if (iter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
+ return EINVAL;
+ }
+
+ while ((entry = iter->next(iter)) != NULL) {
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
+ entry->key.c_str,
+ entry->value.ptr);
+ if (ret != EOK) {
+ free(iter);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+ talloc_free(iter);
+ }
+
+ return EOK;
+}
+
/*
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
* cse_gpo_index until the policy settings for all applicable GPOs have been
@@ -2673,6 +2753,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
* (as part of the GPO Result object in the sysdb cache).
*/
ret = ad_gpo_store_policy_settings(state->host_domain,
+ state->allow_maps, state->deny_maps,
cse_filtered_gpo->policy_filename);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -2686,6 +2767,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
if (ret == EOK) {
/* ret is EOK only after all GPO policy files have been downloaded */
+ ret = store_hash_maps_in_cache(state->host_domain,
+ state->allow_maps, state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
+ "[%d][%s].\n", ret, sss_strerror(ret));
+ goto done;
+ }
ret = ad_gpo_perform_hbac_processing(state,
state->gpo_mode,
state->gpo_map_type,
--
2.47.1

4
baselibs.conf Normal file
View File

@ -0,0 +1,4 @@
sssd
supplements "packageand(sssd:pam-<targettype>)"
supplements "packageand(sssd:glibc-<targettype>)"
-/usr/lib(64)?/*

24
harden_sssd-ifp.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
===================================================================
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
+++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
@@ -5,6 +5,19 @@ After=sssd.service
BindsTo=sssd.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
Type=dbus

24
harden_sssd-kcm.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
===================================================================
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket
Also=sssd-kcm.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}

20
krb-noversion.diff Normal file
View File

@ -0,0 +1,20 @@
From: Jan Engelhardt <jengelh@inai.de>
Date: 2019-02-15 17:20:47.842813210 +0100
Remove versions checks that need updating every iteration.
---
src/external/pac_responder.m4 | 1 +
1 file changed, 1 insertion(+)
Index: sssd-2.0.0/src/external/pac_responder.m4
===================================================================
--- sssd-2.0.0.orig/src/external/pac_responder.m4
+++ sssd-2.0.0/src/external/pac_responder.m4
@@ -11,6 +11,7 @@ then
AC_MSG_CHECKING(for supported MIT krb5 version)
KRB5_VERSION="`$KRB5_CONFIG --version`"
case $KRB5_VERSION in
+ *|\
Kerberos\ 5\ release\ 1.9* | \
Kerberos\ 5\ release\ 1.10* | \
Kerberos\ 5\ release\ 1.11* | \

BIN
sssd-2.8.2.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
sssd-2.8.2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmOTMrkACgkQ09IbKRDP
Z1kFrw//T/qEAStAfg8Fx6PDiTpgNazXQjgxDzdAhggrq7whqKFc5hiWLnzzYEHT
9M0f6ZpLEn02oTpv27qLtQU8Sq2tDH0vpWXSSWs2XHS4yMhqK0QiGG/chmYEt57c
mEIBXm5xiNATzFNYKyb44e5afCXO8w1e7YChZamIRftqwSZWqGzCge+Itn16yPO7
CIycneia1d5rZz2O5gTO2lkBNz9v5CLiWYtop2ey7PoPn967TZ9USh/1Y71wwQuc
3tPHsk651Wn5RzupB2YAeU3NHCc5FrI5nN9fm6bo+BZe6jCXmS2oLR9QPNCEVjW6
FPxsXS6/n7ZsrBvyxAAcDOB+xgwv9aLHCoJuhmzasjjuWQQMUi1YNPSbpCMa8XRl
T0MbYheqIhkJtcLF2/ZVTcSUIHEjVQVlDkHXGQXC4+qshhkNv/Eg5HQO66A0Y++Z
nQ83D5dNPEpnbySfm0mTQGT0A06EAmPs11E+FJMnHGmnfI/icOX7gs8Iif31lSFF
5az4QFD/E7gQl4ByP0REvYHoW2KvHgypJicFPxhSyznRuYsNzQvjYDWD4R8PMN22
96rnXzWlKgRL4ETA+/1eiW+l3ODj/SZfffvK887t3AvetxepkJ0LMaPkNoTowf2T
4XU0ii7mFrkwuLUn0Bkv6iEWaO3zf+hVqmDFP4B8UJrtjdiYd68=
=M9gu
-----END PGP SIGNATURE-----

1921
sssd.changes Normal file
View File

File diff suppressed because it is too large Load Diff

75
sssd.keyring Normal file
View File

@ -0,0 +1,75 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGI9m7YBEACjfmpZrW6wpmz+QRfnx1UuOABpTmsBi6ElTqx+ZzLU2R3N4KLl
PDycp6Pm5PqnLRLoC0TzHh1MjpVWiCfrnlTm6yD2Y6A37c6/elFjiZlbY93zUJi9
mE3OXyxe3RQHVjEYiQZ+DCcgQe5r2mFL8prK2OBIIoJJK2t46EjcjsJJkOIgT9H0
7FaLWfT2MHhO0mg6EqwqOsSKI392sVhJ0GTDULiI1ZlRULZwn3oWdXglO5O9KAhu
jSAIrKuX6QsIxXfVDG1wmOR99yyuiXpJhlKbgdw3Y37IcHRD9DLbqCnp//3WkW9W
k5Mn/bYK1TIed92U4CWNqz557lGnQxwPyyaNkJW9L1kNWO6P9Kl8RgxuX0689Zb0
sqooxTK//O+BBOso1iSRsdyqo2KSIBF06Fe9x5i+jwX2N3hHbzODfT0rHOokPj5p
jT/o6NFQ0lMqYQJxQA7/71Dk/6EkkxE3kHTkFNHBii1pt0msyQij8URmTTN39V1f
n+HlxDOrzDSccrs5x0b+cT5wuB1tSp9JhkmmAk5rb8vsHL+iPRM4ZDIOJNm/Qlg6
pQ+V4FEamntO9undQro0hSShEq69JDbBhT+fmHcAH2a03buTdyu3aqok3OSdxMj/
aprl84eFxE3cwlCXzsu0qf8ue9UjFWynmwsDQgR4EMMbVDwInd/rrV+wOwARAQAB
tElTU1NEIFByb2plY3QgKGh0dHBzOi8vc3NzZC5pbykgPHNzc2QtbWFpbnRhaW5l
cnNAbGlzdHMuZmVkb3JhcHJvamVjdC5vcmc+iQJOBBMBCAA4FiEEwTzQf/stsUCO
RXo809IbKRDPZ1kFAmI9m7YCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ
09IbKRDPZ1nmShAAlEZD+l7OSTb8uOQDj9wHXjkJbrz2vp3vfHiUo69NIssEQRUE
WRpygejjCsc3XlS8XivWwLIqrDOczenyCVVNSSWfaQpBc2ZR+XXBKMpxa1PlFduQ
wax2cbPXVdo47t3gVWAzicO0zxeAQVEZHUKyoWmaKtuFdN1ZJpNCvFJcr6yEFY5k
vQy5Caf6G1oDS9XYsx4YZZT0YhMo3d/8awJLJuVfnqsC/mTOaC7Khms31c2SC+50
+i+gE9HOVkLqanYkQcmdWIMN/oOljAd3zCFBNw5cXXuNmjp32URcm4khLKuxgV12
RetW63SAMydavCp8jMpjuE1pBo6s+/ZcvHe0IhS5fcAbXnIuxqhB2FfeJVg3Udx8
u+zZjwtndUZ9NCETomHa77Beq3h/0A/hiEmNl6xAYttNRvF/bbNg9k3o6lZydDYM
zhdmGh+VfZhuyyGJXWsrK0ZzJ0zXjorIKPlCi32cMrOPlYd94N4aWZaHC+uDZSMW
Xwjl79Tt92psOIiQwSSm1vaRvXV9w3HzyZtOIlK+Nc7T6qTOIHGgCuQI5zXNorNb
sdmzOR+ZrnYBk/E6hiaU8b4hQS2HJyr9YqERi2LjB9VICC+KHhsjba/hxIoVZR/v
Hg+WM/NBpOoaiScxLaqWNuoxY84SNJCgupWlCmBEDxWG+Q0ku/xgyRARCt2JATME
EAEIAB0WIQQaQdxnUF+JozCCi2av/nXd6FCOEgUCYj2dVAAKCRCv/nXd6FCOEihw
CACcbB3JuIeSGZbtVOvepRSjoaWRzC97V7Lj2lz9nIc610W0WfzHCePi+I9leuup
R/eV3Hhhx04QU9Zisc0CWVUC4mpgqzSgB1o4DYu1vPVPXZdfZkGVGtSiW+5rfjZo
iqGBGX8JalieI0wNYHQz660f21w08niecpnpFyadZh8/8oH3or0xvtCbPXOM+YH3
CpsBGS0aP2sf+uhvbGHoEygmLqr5rkkkC8XmEa8GxFFFpYVc1nzys7zVFoMWZ9Ta
UnyNwyo1JZHgVEbyCL3lK8OS9xXoPyOAqFT6Ux+Odj36hqamAsGAHL9O/DoEaUKI
fuGGvRb6Dlebrt3KDTiXbR9DiHUEEBYKAB0WIQQoeTnfBirYxTh2pTXC17mKk07s
FwUCYj2umAAKCRDC17mKk07sFyBsAQCAL84Bwe4BA8DEhGYhrl9Eb38LQ2hbNeJX
nLtjKqQlnwEA0BC1FR+bBm5NunMYbKtKcMLIAHtzSBbBrNqQzTO8XguJAjMEEAEI
AB0WIQSTAgGqtC3RlHIQt4ONcyY1GnJiEQUCYj28PgAKCRCNcyY1GnJiEZHdD/95
sK4SFrSb1fJYcvk6OQMW2hW7VCohuqDOYWob2Tm7RWP9CxJ7I3PilEUizbp76AoX
V6UvXiBtY2q6omXMv2qBeEja7OWd3HWl0SXA5XLyRSF7hwirP2CqQZM8+zSyiYKf
TNw3rWTJjjarUnv6GYdoH55jEfk7sCIrbp5xEzvWu+9w/5pnIsSsFhYwJOD5ic+h
or3LHRN5Jn+jm6ec6H4Ums5zA4rnvTdxfcHKx1sX1KDez2d0k1BYONHGh5tTJSrx
3F5xxOqXHzPt7obiVOCYbE3NU2LswcHz2XNpdoXTyO/LLmvRVvoG1O6LGRrw5Tkg
lnres9gWMccHna4AnDGpXtXzyhlMlzIY5LNrROsg462tIWJcIopSmRct+IQxnOyW
te7k4BAVA/vO6FGnzfLPdH6Lwnos5OMfBew2j2b8yddM8qkBQxR7NUVhYMei7jLh
MiN1FTwtrtuAeMUddbIo/lZYMqUlNyl7Kiwqxse7EFGUvZwq5qhlaKfMZ48qVSYM
QQb6NILl9t5f/UrAkOSrgTF3uWQbcAOMQWusfDuBmHOolFVPTujQP7N5Asob9Nw0
+oL2zY0MuG41xAf1tej25i8iYctJuB2L1uJULhw3i3iswPSuTJIKtYpKoES81jxG
Tit45gyS7XYpYdvAnYPTOPwF3sezy3uwmsob3geYR4h1BBAWCgAdFiEEf4f7DbyL
UMrqkdmCWuS5aYPSAzAFAmJDI/4ACgkQWuS5aYPSAzCznAD8DpzDOP5ILp2FbUGh
ROWM5T6cOppAOXDX2VN8hViDDmsA/24jLp5ga8cUwy7QVHduC9f8LLwN3O7q7XYz
BdBNnRMCuQINBGI9m7YBEACyE5/YORGMmYqKksDPFZNUW7unejUW7XTuLSMXrI9m
u8sFXT8tqPQJetYxaKiZqXxiS652u1XnLZf3ps4t6OINHSuT61Xw1Z6Svhn+o+Wz
Tmnfneahk1Czjlzs59qv3YXwLKffws7H5vGuOTnesgTyWJJG1A0wpehcZsI+rUzC
6mDwip1rSxocuFET6HK2eMpAo1B4V7XLC6srh3HzCNr5AB5UkjMWAuQqjUrqIt6O
dfPO9mqYf/w+CoI2HhVebwDjIXtoO5nVjPUncb0lUEsVWiA9C3xWi/pk2pd3nfkW
s+P0iJNYut+CQwGaHV8+gmwSLUUw/fraMASY5FVxLdSHKZ402Q6aSyuk93k7UQ7i
VIuZpOdjWASWgkATM5KEQHRVrt2enurn6oYBY2tSjzXmbTiCaaCG0p8CBtDvCIxT
Pz4Y0uaWcbIHLz3k0Tr4+zko/PEdh7qLCO83BJPf7/bVxGBMynxkAKXXgBlfjlFt
q7KMpbiM+qndP3SJpjlb0AnI7nCV1KvEeW+oIO+uQ2PwAlyFyV0pf8IYOeI0SN/R
3QSKL8CjlzSIwraUoCk79h3hJgBPG9D4ASwxeSPmriY9tbhNtsVUCT9YZgfxrJg8
bzZvObeng+2IknKbxDzs/hnkNQ7uWx2GGeq7BYZ1eTwctWsw3V8VejiPByJEjQve
PQARAQABiQI2BBgBCAAgFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmI9m7YCGwwA
CgkQ09IbKRDPZ1mbeA//YYPvboEUjp/qqXK8XEgcEL33M+uWJJQucuhtBEjfwAlQ
m29NqO6I3n9cbuINXRtNMUawk86LMouEkhexqUmSg7NNDu1Nqp32yHn8MMJjOPsy
u6AZQinQoT8UKnUMqvmqMFJiotvDb2j2aP9yL0PjCiEeyYkk3bl2oGSdMD4A4o4D
0PUpLWt+w+3YbG58iBazPD/FwiGhe8TO7EAm3I7dYZ4ErALdmT6ptCW90IG9AHfK
CZTvaMB0NX/IksfJ9DEwMgsF0Hwlx5dmTin9ufFKfhKFcwV5aDXlEsYDMqT2o7z9
l/7UTNXnk6VG/QXFhRjBDPtQNkgZoze1VV5itGmBsVE+c9lRtr+6YPJ04CDDv9dX
DI0eGdPxVmfDTR2tHOt+LOYIw4umsID3/qQzYluoUx5Cpud45qaBRjq7/iE+KJgS
IqxgBTXkV39C8T4gXrDRRjlBsOcIc7P6yUVqyClExynQ1BAJSEueO95CtxXV2btK
xSkZ2CyhVtjRxW5TOfQdvrFPueoxC17syQTslM/mKk6DBRHJrullqPLbSieKEJyc
SMkza3BVIhi0hdPfVfBRnSYe8jRFmBIR+cXnyAOkDkPqWK7q/icGVDpJPuunteH3
1vXu/KcDrL7GVRj2LD136Xla1sgGUEbYmLfIHvYmqh1DXJQvnoAyUFKaBWEpSBg=
=E0Gq
-----END PGP PUBLIC KEY BLOCK-----

807
sssd.spec Normal file
View File

@ -0,0 +1,807 @@
#
# spec file for package sssd
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: sssd
Version: 2.8.2
Release: 0
Summary: System Security Services Daemon
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Group: System/Daemons
URL: https://github.com/SSSD/sssd
#Git-Clone: https://github.com/SSSD/sssd
Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
Source3: baselibs.conf
Source5: %name.keyring
Patch1: krb-noversion.diff
Patch2: harden_sssd-ifp.service.patch
Patch3: harden_sssd-kcm.service.patch
Patch4: symvers.patch
Patch5: 0005-ad-gpo-use-hash-to-store-intermediate-results.patch
BuildRequires: autoconf >= 2.59
BuildRequires: automake
BuildRequires: bind-utils
BuildRequires: check-devel
BuildRequires: cifs-utils-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: docbook-xsl-stylesheets
BuildRequires: krb5-devel >= 1.12
BuildRequires: libcmocka-devel
BuildRequires: libsubid-devel
BuildRequires: libtool
BuildRequires: libunistring-devel
BuildRequires: libxml2-tools
BuildRequires: libxslt-tools
BuildRequires: nscd
BuildRequires: nss_wrapper
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pkg-config >= 0.21
BuildRequires: systemd-rpm-macros
BuildRequires: uid_wrapper
BuildRequires: pkgconfig(augeas) >= 1.0.0
BuildRequires: pkgconfig(collection) >= 0.5.1
BuildRequires: pkgconfig(dbus-1) >= 1.0.0
BuildRequires: pkgconfig(dhash) >= 0.4.2
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(ini_config) >= 1.1.0
BuildRequires: pkgconfig(jansson)
BuildRequires: pkgconfig(ldb) >= 0.9.2
BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libcrypto)
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(libnfsidmap)
BuildRequires: pkgconfig(libnl-3.0) >= 3.0
BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
BuildRequires: pkgconfig(libpcre2-8)
BuildRequires: pkgconfig(libsemanage)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(ndr_krb5pac)
BuildRequires: pkgconfig(ndr_nbt)
BuildRequires: pkgconfig(p11-kit-1) >= 0.23.3
BuildRequires: pkgconfig(popt)
BuildRequires: pkgconfig(python3)
BuildRequires: pkgconfig(smbclient)
BuildRequires: pkgconfig(talloc)
BuildRequires: pkgconfig(tdb) >= 1.1.3
BuildRequires: pkgconfig(tevent)
BuildRequires: pkgconfig(uuid)
%{?systemd_ordering}
Requires: sssd-ldap = %version-%release
Requires(postun):pam-config
Provides: libsss_sudo = %version-%release
Provides: sssd-client = %version-%release
Obsoletes: libsss_sudo < %version-%release
%define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss
%define dbpath %sssdstatedir/db
%define pipepath %sssdstatedir/pipes
%define pubconfpath %sssdstatedir/pubconf
%define gpocachepath %sssdstatedir/gpo_cache
%define ldbdir %(pkg-config ldb --variable=modulesdir)
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
# * cifs-utils one is the default (priority 20)
# * installing SSSD should NOT switch to SSSD plugin (priority 10)
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
%define cifs_idmap_name cifs-idmap-plugin
%define cifs_idmap_priority 10
Requires(post): update-alternatives
Requires(postun):update-alternatives
%description
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.
%package ad
Summary: The ActiveDirectory backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
Requires: %name-krb5-common = %version
Requires: adcli
%description ad
Provides the Active Directory back end that the SSSD can utilize to
fetch identity data from and authenticate against an Active Directory
server.
%package dbus
Summary: The D-Bus responder of sssd
License: GPL-3.0-or-later
Group: System/Base
Requires: %name = %version
%description dbus
Provides the D-Bus responder of sssd, called InfoPipe, which allows
information from sssd to be transmitted over the system bus.
%package ipa
Summary: FreeIPA backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
Requires: %name = %version
Requires: %name-ad = %version-%release
Requires: %name-krb5-common = %version-%release
Obsoletes: %name-ipa-provider < %version-%release
Provides: %name-ipa-provider = %version-%release
%description ipa
Provides the IPA back end that the SSSD can utilize to fetch identity
data from and authenticate against an IPA server.
%package kcm
Summary: SSSD's Kerberos cache manager
License: GPL-3.0-or-later
Group: System/Daemons
Requires: sssd = %version-%release
%description kcm
KCM is a process that stores, tracks and manages Kerberos credential
caches.
%package krb5
Summary: The Kerberos authentication backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
Requires: %name-krb5-common = %version-%release
%description krb5
Provides the Kerberos back end that the SSSD can utilize authenticate
against a Kerberos server.
%package krb5-common
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later
Group: System/Daemons
Requires: cyrus-sasl-gssapi
%description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can
use for Kerberos user or host authentication.
%package ldap
Summary: The LDAP backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
Requires: %name-krb5-common = %version-%release
%description ldap
Provides the LDAP back end that the SSSD can utilize to fetch
identity data from and authenticate against an LDAP server.
%package proxy
Summary: The proxy backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
%description proxy
Provides the proxy back end which can be used to wrap an existing NSS
and/or PAM modules to leverage SSSD caching.
%package tools
Summary: Commandline tools for sssd
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Group: System/Management
Requires: python3-sssd-config = %version
Requires: sssd = %version
%description tools
The packages contains commandline tools for managing users and groups using
the "local" id provider of the System Security Services Daemon (sssd).
%package winbind-idmap
Summary: The sss idmap backend for Winbind
Group: System/Libraries
%description winbind-idmap
The idmap_sss module provides a way for Winbind to call SSSD to map
UIDs/GIDs and SIDs.
%package -n libsss_certmap0
Summary: FreeIPA ID mapping library
License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libsss_certmap0
A utility library for FreeIPA to map certs.
%package -n libsss_certmap-devel
Summary: Development files for the FreeIPA certmap library
License: LGPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libsss_certmap0 = %version
%description -n libsss_certmap-devel
A utility library for FreeIPA to map certs.
%package -n libipa_hbac0
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libipa_hbac0
Utility library to validate FreeIPA HBAC rules for authorization
requests.
%package -n libipa_hbac-devel
Summary: Development files for the FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libipa_hbac0 = %version
%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization
requests.
%package -n libnfsidmap-sss
Summary: Library to allow communication between libnfsidmap and SSSD
License: GPL-3.0-or-later
Group: System/Libraries
Supplements: (nfsidmap and sssd-client)
%description -n libnfsidmap-sss
A utility library to allow communication between libnfsidmap and SSSD.
%package -n libsss_idmap0
Summary: FreeIPA ID mapping library
License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libsss_idmap0
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%package -n libsss_idmap-devel
Summary: Development files for the FreeIPA idmap library
License: LGPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libsss_idmap0 = %version
%description -n libsss_idmap-devel
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%package -n libsss_nss_idmap0
Summary: FreeIPA ID mapping library
License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libsss_nss_idmap0
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%package -n libsss_nss_idmap-devel
Summary: Development files for the FreeIPA idmap library
License: LGPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libsss_nss_idmap0 = %version
%description -n libsss_nss_idmap-devel
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%package -n libsss_simpleifp0
Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later
Group: System/Libraries
%description -n libsss_simpleifp0
This subpackage provides a library that simplifies the D-Bus API for
the SSSD InfoPipe responder.
%package -n libsss_simpleifp-devel
Summary: Development files for the SSSD D-Bus responder helper library
License: GPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libsss_simpleifp0 = %version
%description -n libsss_simpleifp-devel
This subpackage provides the development files for sssd's simpleifp,
a library that simplifies the D-Bus API for the SSSD InfoPipe
responder.
%package -n libsss_sudo
Summary: A library to allow communication between sudo and SSSD
License: LGPL-3.0-or-later
Group: System/Libraries
Supplements: (sudo and sssd-client)
%description -n libsss_sudo
A utility library to allow communication between sudo and SSSD.
%package -n python3-ipa_hbac
Summary: Python bindings for the FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Group: Development/Libraries/Python
Requires: python3
%description -n python3-ipa_hbac
The python-ipa_hbac package contains the bindings so that libipa_hbac
can be used by Python applications.
%package -n python3-sss-murmur
Summary: Python3 bindings for SSSD Murmur hash function
License: LGPL-3.0-or-later
Group: Development/Libraries/Python
Requires: python3
%description -n python3-sss-murmur
This subpackage provides the python3 module for calculating the
Murmur hash version 3.
%package -n python3-sss_nss_idmap
Summary: Python bindings for libsss_nss_idmap
License: LGPL-3.0-or-later
Group: Development/Libraries/Python
Requires: python3
%description -n python3-sss_nss_idmap
The libsss_nss_idmap-python contains the bindings so that
libsss_nss_idmap can be used by Python applications.
%package -n python3-sssd-config
Summary: Python API for configuring sssd
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Group: Development/Libraries/Python
Requires: python3
%description -n python3-sssd-config
Provide python module to access and manage configuration of the System
Security Services Daemon (sssd).
%prep
%autosetup -p1
%build
# help configure find nscd
export PATH="$PATH:/usr/sbin"
autoreconf -fiv
%configure \
--with-db-path="%dbpath" \
--with-pipe-path="%pipepath" \
--with-pubconf-path="%pubconfpath" \
--with-gpo-cache-path="%gpocachepath" \
--with-init-dir="%_initrddir" \
--with-environment-file="%_sysconfdir/sysconfig/sssd" \
--with-initscript=systemd \
--with-syslog=journald \
--with-pid-path="%_rundir" \
--enable-nsslibdir="/%_lib" \
--enable-pammoddir="%_pam_moduledir" \
--with-ldb-lib-dir="%ldbdir" \
--with-selinux=yes \
--with-subid \
--with-os=suse \
--disable-ldb-version-check \
--without-secrets \
--without-python2-bindings \
--without-oidc-child
%make_build all
%install
# sss_obfuscate is compatible with both python 2 and 3
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
%make_install dbuspolicydir=%{_datadir}/dbus-1/system.d
b="%buildroot"
# Copy some defaults
mkdir -pv "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d"
install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
install -d "$b/%_unitdir"
%if 0%{?suse_version} > 1500
install -d "$b/%_distconfdir/logrotate.d"
install -m644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
install -d "$b/%_pam_vendordir"
mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir"
%else
install -d "$b/%_sysconfdir/logrotate.d"
install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
%endif
rm -Rfv "$b/%_initddir"
mkdir -pv "$b/%sssdstatedir/mc"
find "$b" -type f -name "*.la" -print -delete
%find_lang %name --all-name
# dummy target for cifs-idmap-plugin
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
%check
# sss_config-tests fails
%make_build check || :
%pre
%service_add_pre sssd.service
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in pam.d/sssd-shadowutils ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
%post
/sbin/ldconfig
# migrate config variable krb5_kdcip to krb5_server (bnc#851048)
/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf
%service_add_post sssd.service
# install SSSD cifs-idmap plugin as an alternative
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
%preun
%service_del_preun sssd.service
%postun
/sbin/ldconfig
if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
"%_sbindir/pam-config" -d --sss || :
fi
# del_postun includes a try-restart
%service_del_postun sssd.service
if [ ! -f "%cifs_idmap_lib" ]; then
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
fi
%post -n libsss_certmap0 -p /sbin/ldconfig
%postun -n libsss_certmap0 -p /sbin/ldconfig
%post -n libipa_hbac0 -p /sbin/ldconfig
%postun -n libipa_hbac0 -p /sbin/ldconfig
%post -n libsss_idmap0 -p /sbin/ldconfig
%postun -n libsss_idmap0 -p /sbin/ldconfig
%post -n libsss_nss_idmap0 -p /sbin/ldconfig
%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
%post -n libsss_simpleifp0 -p /sbin/ldconfig
%postun -n libsss_simpleifp0 -p /sbin/ldconfig
%triggerun -- %{name} < %{version}-%{release}
# sssd takes care of upgrading the database but it doesn't handle downgrades.
# Clear caches when downgrading the package, which may have an
# incompatible format afterwards preventing the daemon from startup.
if [ "$1" = "1" ] && [ "$2" = "2" ]; then
echo "Package downgrade detected, removing cache files which may have an incompatible format."
rm -f /var/lib/sss/db/*.ldb
fi
%pre dbus
%service_add_pre sssd-ifp.service
%post dbus
%service_add_post sssd-ifp.service
%preun dbus
%service_del_preun sssd-ifp.service
%postun dbus
%service_del_postun sssd-ifp.service
%pre kcm
%service_add_pre sssd-kcm.service sssd-kcm.socket
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in logrotate.d/sssd ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
%if 0%{?suse_version} > 1500
%posttrans
# Migration to /usr/etc, restore just created .rpmsave
for i in logrotate.d/sssd pam.d/sssd-shadowutils ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
%post kcm
%service_add_post sssd-kcm.service sssd-kcm.socket
%preun kcm
%service_del_preun sssd-kcm.service sssd-kcm.socket
%postun kcm
%service_del_postun sssd-kcm.service sssd-kcm.socket
%files -f sssd.lang
%license COPYING
%_unitdir/sssd.service
%_unitdir/sssd-autofs.socket
%_unitdir/sssd-autofs.service
%_unitdir/sssd-nss.socket
%_unitdir/sssd-nss.service
%_unitdir/sssd-pac.socket
%_unitdir/sssd-pac.service
%_unitdir/sssd-pam.socket
%_unitdir/sssd-pam-priv.socket
%_unitdir/sssd-pam.service
%_unitdir/sssd-ssh.socket
%_unitdir/sssd-ssh.service
%_unitdir/sssd-sudo.socket
%_unitdir/sssd-sudo.service
%_bindir/sss_ssh_*
%_sbindir/sssd
%dir %_mandir/??/
%dir %_mandir/??/man[158]/
%_mandir/??/man1/sss_ssh_*
%_mandir/??/man5/sss-certmap.5*
%_mandir/??/man5/sssd-ad.5*
%_mandir/??/man5/sssd-files.5*
%_mandir/??/man5/sssd-ldap-attributes.5*
%_mandir/??/man5/sssd-session-recording.5*
%_mandir/??/man5/sssd-simple.5*
%_mandir/??/man5/sssd-sudo.5*
%_mandir/??/man5/sssd-systemtap.5*
%_mandir/??/man5/sssd.conf.5*
%_mandir/??/man8/idmap_sss.8*
%_mandir/??/man8/sssd.8*
%_mandir/man1/sss_ssh_*
%_mandir/man5/sss-certmap.5*
%_mandir/man5/sssd-files.5*
%_mandir/man5/sssd-ldap-attributes.5*
%_mandir/man5/sssd-session-recording.5*
%_mandir/man5/sssd-simple.5*
%_mandir/man5/sssd-sudo.5*
%_mandir/man5/sssd.conf.5*
%_mandir/man8/sssd.8*
%dir %_libdir/%name/
%_libdir/%name/conf/
%_libdir/%name/libifp_iface*
%_libdir/%name/libsss_child*
%_libdir/%name/libsss_cert*
%_libdir/%name/libsss_crypt*
%_libdir/%name/libsss_debug*
%_libdir/%name/libsss_files*
%_libdir/%name/libsss_iface*
%_libdir/%name/libsss_semanage*
%_libdir/%name/libsss_sbus*
%_libdir/%name/libsss_simple*
%_libdir/%name/libsss_util*
%dir %_libdir/%name/modules/
%_libdir/%name/modules/libsss_autofs.so
%_libdir/libsss_sudo.so
%ldbdir/
%dir %_libexecdir/%name/
%_libexecdir/%name/p11_child
%_libexecdir/%name/sssd_autofs
%_libexecdir/%name/sssd_be
%_libexecdir/%name/sssd_nss
%_libexecdir/%name/sssd_pam
%_libexecdir/%name/sssd_ssh
%_libexecdir/%name/sssd_sudo
%_libexecdir/%name/sss_analyze
%_libexecdir/%name/sss_signal
%_libexecdir/%name/sssd_check_socket_activated_responders
%_libexecdir/%name/selinux_child
%dir %sssdstatedir
%attr(700,root,root) %dir %dbpath/
%attr(755,root,root) %dir %pipepath/
%attr(700,root,root) %dir %pipepath/private/
%attr(755,root,root) %dir %pubconfpath/
%attr(755,root,root) %dir %pubconfpath/krb5.include.d
%attr(755,root,root) %dir %gpocachepath/
%attr(755,root,root) %dir %sssdstatedir/mc/
%attr(700,root,root) %dir %sssdstatedir/keytabs/
%attr(750,root,root) %dir %_localstatedir/log/%name/
%dir %_sysconfdir/sssd/
%config(noreplace) %_sysconfdir/sssd/sssd.conf
%if 0%{?suse_version} > 1500
%_distconfdir/logrotate.d/sssd
%_pam_vendordir/sssd-shadowutils
%else
%config(noreplace) %_sysconfdir/logrotate.d/sssd
%config(noreplace) %_pam_confdir/sssd-shadowutils
%endif
%dir %_sysconfdir/sssd/conf.d
%dir %_datadir/%name/
%_datadir/%name/cfg_rules.ini
%_datadir/%name/sssd.api.conf
%dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-simple.conf
%_datadir/%name/sssd.api.d/sssd-files.conf
#
# sssd-client
#
/%_lib/libnss_sss.so.2
%_pam_moduledir/pam_sss.so
%_pam_moduledir/pam_sss_gss.so
%_libdir/krb5/
%_libdir/%name/modules/sssd_krb5_localauth_plugin.so
%_libdir/%name/modules/sssd_krb5_idp_plugin.so
%_libdir/libsubid_sss.so
%_mandir/??/man8/sssd_krb5_locator_plugin.8*
%_mandir/??/man8/pam_sss.8*
%_mandir/??/man8/pam_sss_gss.8*
%_mandir/man8/pam_sss.8*
%_mandir/man8/pam_sss_gss.8*
%_mandir/man8/sssd_krb5_localauth_plugin.8*
%_mandir/??/man8/sssd_krb5_localauth_plugin.8*
%_mandir/man8/sssd_krb5_locator_plugin.8*
# cifs idmap plugin
%dir %_sysconfdir/cifs-utils
%cifs_idmap_plugin
%dir %_libdir/cifs-utils
%cifs_idmap_lib
%ghost %_sysconfdir/alternatives/%cifs_idmap_name
%files ad
%dir %_libdir/%name/
%_libdir/%name/libsss_ad.so
%dir %_libexecdir/%name/
%_libexecdir/%name/sssd_pac
%_libexecdir/%name/gpo_child
%dir %_datadir/%name/
%dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-ad.conf
%_mandir/man5/sssd-ad.5*
%dir %_mandir/??/
%dir %_mandir/??/man5/
%files dbus
%dir %_libexecdir/sssd/
%_libexecdir/sssd/sssd_ifp
%dir %_libdir/sssd/
%_mandir/man5/sssd-ifp.5*
%dir %_mandir/??/
%dir %_mandir/??/man5/
%_mandir/??/man5/sssd-ifp.5*
%_unitdir/sssd-ifp.service
%_datadir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
%files ipa
%dir %_libdir/%name/
%_libdir/%name/libsss_ipa*
%dir %_datadir/%name/
%dir %_datadir/%name/sssd.api.d
%_datadir/%name/sssd.api.d/sssd-ipa.conf
%_mandir/man5/sssd-ipa.5*
%dir %_mandir/??/
%dir %_mandir/??/man5/
%_mandir/??/man5/sssd-ipa.5*
%files kcm
%dir %_libexecdir/sssd/
%_libexecdir/sssd/sssd_kcm
%dir %_libdir/sssd/
%_mandir/man8/sssd-kcm.8*
%_mandir/??/man8/sssd-kcm.8*
%_datadir/sssd-kcm/
%_unitdir/sssd-kcm.*
%files krb5
%dir %_libdir/%name/
%_libdir/%name/libsss_krb5.so
%dir %_datadir/%name/
%_datadir/%name/krb5-snippets/
%dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-krb5.conf
%dir %_mandir/??/
%dir %_mandir/??/man5/
%_mandir/man5/sssd-krb5.5*
%_mandir/??/man5/sssd-krb5.5*
%files krb5-common
%dir %_libdir/%name/
%_libdir/%name/libsss_krb5_common.so
%dir %_libexecdir/%name/
%_libexecdir/%name/krb5_child
%_libexecdir/%name/ldap_child
%files ldap
%dir %_libdir/%name/
%_libdir/%name/libsss_ldap*
%dir %_datadir/%name/
%dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-ldap.conf
%_mandir/man5/sssd-ldap.5*
%dir %_mandir/??/
%dir %_mandir/??/man5/
%_mandir/??/man5/sssd-ldap.5*
%files proxy
%dir %_libdir/%name/
%_libdir/%name/libsss_proxy.so
%dir %_libexecdir/%name/
%_libexecdir/%name/proxy_child
%dir %_datadir/%name/
%dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-proxy.conf
%files tools
%_sbindir/sssctl
%_sbindir/sss_cache
%_sbindir/sss_debuglevel
%_sbindir/sss_seed
%_sbindir/sss_obfuscate
%_sbindir/sss_override
%dir %_mandir/??/man8/
%_mandir/??/man8/sssctl.8*
%_mandir/??/man8/sss_*.8*
%_mandir/man8/sssctl.8*
%_mandir/man8/sss_*.8*
%python3_sitelib/sssd/
%files winbind-idmap
%_libdir/samba/
%_mandir/man8/idmap_sss.8*
%files -n libipa_hbac0
%_libdir/libipa_hbac.so.0*
%files -n libipa_hbac-devel
%_includedir/ipa_hbac.h
%_libdir/libipa_hbac.so
%_libdir/pkgconfig/ipa_hbac.pc
%files -n libsss_certmap0
%_libdir/libsss_certmap.so.0*
%files -n libsss_certmap-devel
%_includedir/sss_certmap.h
%_libdir/libsss_certmap.so
%_libdir/pkgconfig/sss_certmap.pc
%files -n libnfsidmap-sss
%_libdir/libnfsidmap/
%_mandir/man5/sss_rpcidmapd.5*
%dir %_mandir/??/man5/
%_mandir/??/man5/sss_rpcidmapd.5*
%files -n libsss_idmap0
%_libdir/libsss_idmap.so.0*
%files -n libsss_idmap-devel
%_includedir/sss_idmap.h
%_libdir/libsss_idmap.so
%_libdir/pkgconfig/sss_idmap.pc
%files -n libsss_nss_idmap0
%_libdir/libsss_nss_idmap.so.0*
%files -n libsss_nss_idmap-devel
%_includedir/sss_nss_idmap.h
%_libdir/libsss_nss_idmap.so
%_libdir/pkgconfig/sss_nss_idmap.pc
%files -n libsss_simpleifp0
%_libdir/libsss_simpleifp.so.0*
%files -n libsss_simpleifp-devel
%_includedir/sss_sifp*.h
%_libdir/libsss_simpleifp.so
%_libdir/pkgconfig/sss_simpleifp.pc
%files -n python3-ipa_hbac
%dir %python3_sitearch
%python3_sitearch/pyhbac.so
%files -n python3-sss-murmur
%python3_sitearch/pysss_murmur.so
%files -n python3-sss_nss_idmap
%dir %python3_sitearch
%python3_sitearch/pysss_nss_idmap.so
%files -n python3-sssd-config
%python3_sitearch/pysss.so
%python3_sitelib/SSSDConfig*
%changelog

181
symvers.patch Normal file
View File

@ -0,0 +1,181 @@
From: Jan Engelhardt <jengelh@inai.de>
Date: 2022-12-22 00:09:20.375896408 +0100
References: https://bugzilla.suse.com/show_bug.cgi?id=1206592
The theory for this sssd crash is that during rpm upgrading it,
sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls
over its feet when it loads 2.7.4 .so files. Addin symvers like below
should prevent this and pin the modules to another: sssd_be's attempt
to dlopen libsss_ldap.so(-2.7.4) will fail because
libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
the system only has libsss_util.so(-2.8.2) at this point.
---
Makefile.am | 47 ++++++++++++++++++++++++++++++++---------------
1 file changed, 32 insertions(+), 15 deletions(-)
Index: sssd-2.8.2/Makefile.am
===================================================================
--- sssd-2.8.2.orig/Makefile.am
+++ sssd-2.8.2/Makefile.am
@@ -941,7 +941,11 @@ libsss_debug_la_SOURCES = \
libsss_debug_la_LIBADD = \
$(SYSLOG_LIBS)
libsss_debug_la_LDFLAGS = \
- -avoid-version
+ -avoid-version ${symv}
+EXTRA_libsss_debug_la_DEPENDENCIES = x.sym
+symv = -Wl,--version-script=${builddir}/x.sym
+x.sym: ${top_builddir}/config.status
+ echo "V_${PACKAGE_VERSION} { global: *; };" >$@
pkglib_LTLIBRARIES += libsss_child.la
libsss_child_la_SOURCES = src/util/child_common.c
@@ -951,7 +955,8 @@ libsss_child_la_LIBADD = \
$(DHASH_LIBS) \
libsss_debug.la \
$(NULL)
-libsss_child_la_LDFLAGS = -avoid-version
+libsss_child_la_LDFLAGS = -avoid-version ${symv}
+EXTRA_libsss_child_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_crypt.la
@@ -990,7 +995,8 @@ libsss_crypt_la_LIBADD = \
libsss_debug.la \
$(NULL)
libsss_crypt_la_LDFLAGS = \
- -avoid-version
+ -avoid-version ${symv}
+EXTRA_libsss_crypt_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_cert.la
@@ -1015,8 +1021,9 @@ libsss_cert_la_LIBADD = \
libsss_debug.la \
$(NULL)
libsss_cert_la_LDFLAGS = \
- -avoid-version \
+ -avoid-version ${symv} \
$(NULL)
+EXTRA_libsss_cert_la_DEPENDENCIES = x.sym
generate-sbus-code:
$(builddir)/sbus_generate.sh $(abs_srcdir)
@@ -1117,8 +1124,9 @@ libsss_sbus_la_CFLAGS = \
$(DBUS_CFLAGS) \
$(NULL)
libsss_sbus_la_LDFLAGS = \
- -avoid-version \
+ -avoid-version ${symv} \
$(NULL)
+EXTRA_libsss_sbus_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_sbus_sync.la
libsss_sbus_sync_la_SOURCES = \
@@ -1153,8 +1161,9 @@ libsss_sbus_sync_la_CFLAGS = \
$(UNICODE_LIBS) \
$(NULL)
libsss_sbus_sync_la_LDFLAGS = \
- -avoid-version \
+ -avoid-version ${symv} \
$(NULL)
+EXTRA_libsss_sbus_sync_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_iface.la
libsss_iface_la_SOURCES = \
@@ -1183,8 +1192,9 @@ libsss_iface_la_CFLAGS = \
$(DBUS_CFLAGS) \
$(NULL)
libsss_iface_la_LDFLAGS = \
- -avoid-version \
+ -avoid-version ${symv} \
$(NULL)
+EXTRA_libsss_iface_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_iface_sync.la
libsss_iface_sync_la_SOURCES = \
@@ -1211,8 +1221,9 @@ libsss_iface_sync_la_CFLAGS = \
$(DBUS_CFLAGS) \
$(NULL)
libsss_iface_sync_la_LDFLAGS = \
- -avoid-version \
+ -avoid-version ${symv} \
$(NULL)
+EXTRA_libsss_iface_sync_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_util.la
libsss_util_la_SOURCES = \
@@ -1303,7 +1314,8 @@ endif
if BUILD_SYSTEMTAP
libsss_util_la_LIBADD += stap_generated_probes.lo
endif
-libsss_util_la_LDFLAGS = -avoid-version
+libsss_util_la_LDFLAGS = -avoid-version ${symv}
+EXTRA_libsss_util_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_semanage.la
libsss_semanage_la_CFLAGS = \
@@ -1322,7 +1334,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
endif
libsss_semanage_la_LDFLAGS = \
- -avoid-version
+ -avoid-version ${symv}
+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
SSSD_INTERNAL_LTLIBS = \
libsss_util.la \
@@ -1338,7 +1351,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
$(NULL)
pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
-libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports
+EXTRA_libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports
libipa_hbac_la_SOURCES = \
src/lib/ipa_hbac/hbac_evaluator.c \
src/util/sss_utf8.c
@@ -1664,8 +1677,9 @@ libifp_iface_la_CFLAGS = \
$(DBUS_CFLAGS) \
$(NULL)
libifp_iface_la_LDFLAGS = \
- -avoid-version \
+ -avoid-version ${symv} \
$(NULL)
+EXTRA_libifp_iface_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libifp_iface_sync.la
libifp_iface_sync_la_SOURCES = \
@@ -1690,8 +1704,9 @@ libifp_iface_sync_la_CFLAGS = \
$(DBUS_CFLAGS) \
$(NULL)
libifp_iface_sync_la_LDFLAGS = \
- -avoid-version \
+ -avoid-version ${symv} \
$(NULL)
+EXTRA_libifp_iface_sync_la_DEPENDENCIES = x.sym
sssd_ifp_SOURCES = \
src/responder/ifp/ifpsrv.c \
@@ -4196,8 +4211,9 @@ libsss_ldap_common_la_LIBADD = \
$(SSSD_INTERNAL_LTLIBS) \
$(NULL)
libsss_ldap_common_la_LDFLAGS = \
- -avoid-version \
+ -avoid-version ${symv} \
$(NULL)
+EXTRA_libsss_ldap_common_la_DEPENDENCIES = x.sym
if BUILD_SYSTEMTAP
libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
endif
@@ -4254,7 +4270,8 @@ libsss_krb5_common_la_LIBADD = \
$(SSSD_INTERNAL_LTLIBS) \
$(NULL)
libsss_krb5_common_la_LDFLAGS = \
- -avoid-version
+ -avoid-version ${symv}
+EXTRA_libsss_krb5_common_la_DEPENDENCIES = x.sym
libsss_ldap_la_SOURCES = \
src/providers/ldap/ldap_init.c \