diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo new file mode 100644 index 0000000..10a45d3 --- /dev/null +++ b/_scmsync.obsinfo @@ -0,0 +1,4 @@ +mtime: 1721128452 +commit: 747483e6173b31472d61e166a581bb9c9034cf6a690a8bc476176dd5b5befaba +url: https://src.opensuse.org/jengelh/sssd +revision: master diff --git a/baselibs.conf b/baselibs.conf index b125802..d35a1bc 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -2,3 +2,5 @@ sssd supplements "packageand(sssd:pam-)" supplements "packageand(sssd:glibc-)" -/usr/lib(64)?/* + obsoletes "sssd-common- < " + provides "sssd-common- = " diff --git a/build.specials.obscpio b/build.specials.obscpio new file mode 100644 index 0000000..114e570 --- /dev/null +++ b/build.specials.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8e9d70dca414f164c37d455e73d3eec0537555e5183567128cf0ef329962fed3 +size 256 diff --git a/sssd-2.8.2.tar.gz b/sssd-2.8.2.tar.gz deleted file mode 100644 index 2872a95..0000000 --- a/sssd-2.8.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ae16447d06bb725bfa9ccb47a9287135015f789ba7414f50cebcb62d52402fef -size 7842210 diff --git a/sssd-2.8.2.tar.gz.asc b/sssd-2.8.2.tar.gz.asc deleted file mode 100644 index 1a41893..0000000 --- a/sssd-2.8.2.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmOTMrkACgkQ09IbKRDP
-Z1kFrw//T/qEAStAfg8Fx6PDiTpgNazXQjgxDzdAhggrq7whqKFc5hiWLnzzYEHT
-9M0f6ZpLEn02oTpv27qLtQU8Sq2tDH0vpWXSSWs2XHS4yMhqK0QiGG/chmYEt57c
-mEIBXm5xiNATzFNYKyb44e5afCXO8w1e7YChZamIRftqwSZWqGzCge+Itn16yPO7
-CIycneia1d5rZz2O5gTO2lkBNz9v5CLiWYtop2ey7PoPn967TZ9USh/1Y71wwQuc
-3tPHsk651Wn5RzupB2YAeU3NHCc5FrI5nN9fm6bo+BZe6jCXmS2oLR9QPNCEVjW6
-FPxsXS6/n7ZsrBvyxAAcDOB+xgwv9aLHCoJuhmzasjjuWQQMUi1YNPSbpCMa8XRl
-T0MbYheqIhkJtcLF2/ZVTcSUIHEjVQVlDkHXGQXC4+qshhkNv/Eg5HQO66A0Y++Z
-nQ83D5dNPEpnbySfm0mTQGT0A06EAmPs11E+FJMnHGmnfI/icOX7gs8Iif31lSFF
-5az4QFD/E7gQl4ByP0REvYHoW2KvHgypJicFPxhSyznRuYsNzQvjYDWD4R8PMN22
-96rnXzWlKgRL4ETA+/1eiW+l3ODj/SZfffvK887t3AvetxepkJ0LMaPkNoTowf2T
-4XU0ii7mFrkwuLUn0Bkv6iEWaO3zf+hVqmDFP4B8UJrtjdiYd68=
-=M9gu
------END PGP SIGNATURE-----
diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz
new file mode 100644
index 0000000..09b8ff1
--- /dev/null
+++ b/sssd-2.9.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3
+size 8001964
diff --git a/sssd-2.9.5.tar.gz.asc b/sssd-2.9.5.tar.gz.asc
new file mode 100644
index 0000000..05b00fc
--- /dev/null
+++ b/sssd-2.9.5.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
+Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
+SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
+oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
+v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
+zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
+Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
+l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
+T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
+eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
+mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
+d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
+=pY7t
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 8e5602c..ec838e0 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,139 @@ +------------------------------------------------------------------- +Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero + +- Revert the change dropping the default configuration file. If + /usr/etc exists will be installed there, otherwise in /etc. + (bsc#1226157); + +------------------------------------------------------------------- +Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt + +- Update to release 2.9.5 + * Added failover_primary_timout configuration option. This can + be used to configure how often SSSD tries to reconnect to a + primary server after a successful connection to a backup + server. This was previously hardcoded to 31 seconds which is + kept as the default value. + +------------------------------------------------------------------- +Fri Mar 8 12:49:59 UTC 2024 - pgajdos@suse.com + +- remove dependency on /usr/bin/python3 using + %python3_fix_shebang_path macro, [bsc#1212476] + +------------------------------------------------------------------- +Fri Jan 12 14:02:10 UTC 2024 - Jan Engelhardt + +- Update to release 2.9.4 + * Fixes a crash when PAM passkey processing incorrectly handles + non-passkey data. + * Fixed group membership handling when members are coming from + different forest domains and using ldap token groups is + prohibited. + * Files provider was erroneously taking into consideration + ``local_auth_policy`` config option, thus breaking smartcard + authentication of local user in setups that did not explicitly + specify this option. This is now fixed. 
+ +------------------------------------------------------------------- +Tue Nov 21 09:43:57 UTC 2023 - Samuel Cabrero + +- Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714); + * Remove package sssd-common, merged into sssd + * Continue building deprecated files provider and infopipe + responder + * Disable selinux and semanage + * Provide rcsssd shortcut + +------------------------------------------------------------------- +Fri Nov 17 14:52:30 UTC 2023 - Samuel Cabrero + +- Fix spec file for Leap + +------------------------------------------------------------------- +Fri Nov 17 12:30:33 UTC 2023 - Samuel Cabrero + +- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after + update (bsc#1216865) +- Do not install the KRB5 IDP plugin, it is useless without the + OIDC child +- Drop no longer valid --without-secrets configure switch + +------------------------------------------------------------------- +Mon Nov 13 12:48:09 UTC 2023 - Jan Engelhardt + +- Update to release 2.9.3 + * The proxy provider is now able to handle certificate mapping + and matching rules and users handled by the proxy provider can + be configured for local Smartcard authentication. Besides the + mapping rule local Smartcard authentication should be enabled + with the `local_auth_policy` option in the backend and with + `pam_cert_auth` in the PAM responder. 
+ +------------------------------------------------------------------- +Thu Nov 2 16:09:55 UTC 2023 - Jan Engelhardt + +- Offer the sssd.conf template as %doc (for examples, do actually + see the "Examples" section of the sssd.conf(5) manpage) + +------------------------------------------------------------------- +Tue Oct 31 15:20:37 UTC 2023 - Samuel Cabrero + +- Update dependencies to require the same subpackages version and + release +- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of + "%pre" +- Move sss_analyze to sssd-tools package + +------------------------------------------------------------------- +Tue Oct 31 11:04:57 UTC 2023 - Jan Engelhardt + +- Default config is unworkable, just stop installing it altogether + [boo#1216739] + +------------------------------------------------------------------- +Thu Sep 7 12:07:10 UTC 2023 - Jan Engelhardt + +- Update to release 2.9.2 + * sssctl cert-show and cert-show cert-eval-rule can now be run as + non-root user. + * New option local_auth_policy is added to control which offline + authentication methods will be enabled by SSSD. + * Fix sssd entering failed state under heavy load by adding + watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283); + Drop SLE patch 0001-sssd-watchdog.patch + +------------------------------------------------------------------- +Fri Jun 23 14:49:30 UTC 2023 - Jan Engelhardt + +- Update to relese 2.9.1 + * A regression was fixed that prevented autofs lookups to + function correctly when cache_first is set to True. + * A regression where SSSD failed to properly watch for changes + in ``/etc/resolv.conf`` when it was a symbolic link or was a + relative path, was fixed. 
+ * ldap password policy: return failure if there are no grace logins + left; (bsc#1214434); Drop SLE patch + 0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch + +------------------------------------------------------------------- +Fri May 5 10:47:41 UTC 2023 - Jan Engelhardt + +- Update to release 2.9 + * The sss_simpleifp library is deprecated (and for openSUSE, + already removed) + * The "Files provider" (i.e. id_provider = files) is deprecated + (and for openSUSE, already removed) + * SSSD will no longer warn about changed defaults when using + ldap_schema = rfc2307 and default autofs mapping. + * New passkey functionality, which will allow the use of FIDO2 + compliant devices to authenticate a centrally managed user + locally. + * Add support for ldapi:// URLs to allow connections to local + LDAP servers. + * NSS IDMAP has two new methods: getsidbyusername and + getsidbygroupname. + ------------------------------------------------------------------- Thu Jan 26 15:23:54 UTC 2023 - Callum Farmer @@ -6,14 +142,14 @@ Thu Jan 26 15:23:54 UTC 2023 - Callum Farmer ------------------------------------------------------------------- Tue Jan 3 12:01:41 UTC 2023 - Stefan Schubert -- Migration of PAM settings to /usr/lib/pam.d. +- Migration of PAM settings to /usr/lib/pam.d. ------------------------------------------------------------------- Wed Dec 21 19:29:45 UTC 2022 - Jan Engelhardt - Take systemd units off the restart list that have RefuseManualStart=yes [boo#1206592] -- Add symvers.patch [boo#1206592] +- Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166] ------------------------------------------------------------------- Sun Dec 11 14:17:23 UTC 2022 - Jan Engelhardt 
@@ -45,12 +181,17 @@ Fri Oct 7 12:05:29 UTC 2022 - Jan Engelhardt level independently. * A number of new configuration options are available, cf. https://sssd.io/release-notes/sssd-2.8.0.html . + * Fix sdap_access_host No matching host rule found; + (bsc#1202559); Drop SLE patch + 0001-Fix-sdap_access_host-No-matching-host-rule-found.patch + * Accept krb5 1.20 for building the PAC plugin; Drop SLE patch + 0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch ------------------------------------------------------------------- Thu Sep 1 13:45:36 UTC 2022 - Stefan Schubert - Migration to /usr/etc: Saving user changed configuration files - in /etc and restoring them while an RPM update. + in /etc and restoring them while an RPM update. ------------------------------------------------------------------- Fri Aug 26 20:54:33 UTC 2022 - Jan Engelhardt @@ -130,6 +271,10 @@ Thu Apr 14 22:43:03 UTC 2022 - Jan Engelhardt * Added support for anonymous PKINIT to get FAST credentials. * SSSD now correctly falls back to UPN search if the user was not found even with `cache_first = true`. + * Add 'ldap_ignore_unreadable_references' parameter to skip + unreadable objects referenced by 'member' attributte; + (bsc#1190775); (gh#SSSD/sssd#4893); Drop SLE patch + 0001-ldap-ignore-unreadable-references.patch ------------------------------------------------------------------- Mon Feb 21 14:50:38 UTC 2022 - Callum Farmer 
@@ -207,14 +352,15 @@ Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt * Support of long time deprecated local provider was dropped. * The sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands, - which was fixed. + which was fixed; (CVE-2021-3621); (bsc#1189492); Drop SLE patch + 0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch * Basic support of user's 'subuid and subgid ranges' for IPA provider and corresponding plugin for shadow-utils were added. ------------------------------------------------------------------- Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt -- Update to release 2.5.2 +- Update to release 2.5.2; (jsc#SLE-17763); * originalADgidNumber attribute in the SSSD cache is now indexed. * Add new config option fallback_to_nss. @@ -226,8 +372,7 @@ Tue Jun 8 16:35:25 UTC 2021 - Jan Engelhardt range setting in IPA (see ipa idrange commands family). This feature requires SSSD update on both client and server. This feature also requires freeipa 4.9.4 and newer. - * Fix getsidbyname issues with IPA users with a - user-private-group. + * Fix getsidbyname issues with IPA users with a user-private-group. * Default value of ldap_sudo_random_offset changed to 0 (disabled). This makes sure that sudo rules are available as soon as possible after SSSD start in default configuration. 
@@ -241,8 +386,25 @@ Mon May 10 13:58:04 UTC 2021 - Jan Engelhardt tgt_renewal = true. See the sssd-kcm man page for more details. This feature requires MIT Kerberos krb5-1.19-0.beta2.3 or higher. + * Backround sudo periodic tasks (smart and full refresh) periods are + now extended by a random offset to spread the load on the server in + environments with many clients. + * Completing a sudo full refresh now postpones the smart refresh by + ldap_sudo_smart_refresh_interval value. This ensure that the smart + refresh is not run too soon after a successful full refresh. + * If debug_backtrace_enabled is set to true then on any error all prior + debug messages (to some limit) are printed even if debug_level is set + to low value. + * Besides trusted domains known by the forest root, trusted domains known + by the local domain are used as well. + * New configuration option offline_timeout_random_offset to control random + factor in backend probing interval when SSSD is in offline mode. * ad_gpo_implicit_deny is now respected even if there are no applicable GPOs present. + * During the IPA subdomains request a failure in reading a single specific + configuration option is not considered fatal and the request will + continue. + * Unknown IPA id-range types are not considered as an error ------------------------------------------------------------------- Tue Apr 6 12:08:29 UTC 2021 - Samuel Cabrero @@ -298,6 +460,8 @@ Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt with principal that can be associated with target user. * Added pam_gssapi_services to list PAM services that can authenticate using GSSAPI. + * Create timestamp attribute in cache objects if missing; + (bsc#1182637); ------------------------------------------------------------------- Mon Oct 12 13:10:26 UTC 2020 - Jan Engelhardt 
@@ -331,6 +495,7 @@ Fri Jul 24 16:57:58 UTC 2020 - Jan Engelhardt lookups are no longer considered fatal. * Fixed regression in proxy provider: pwfield=x is now default value only for sssd-shadowutils target. + * Rotate child debug file descriptors on SIGHUP (bsc#1080156) - sssd-wbclient is obsolete and no longer shipped ------------------------------------------------------------------- @@ -350,6 +515,9 @@ Tue May 19 11:32:22 UTC 2020 - Jan Engelhardt * SSSD now accepts host entries from GPO's security filter. * New debug level (0x10000) added for low level LDB messages only (see sssd.conf man page). + * Update samba secrets after changing machine password; (jsc#SLE-11503); + * Delete linked local user overrides when deleting a user + (bsc#1133168) - Drop sssd-gpo_host_security_filter-2.2.2.patch, 0001-Resolve-computer-lookup-failure-when-sam-cn.patch, 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged) @@ -367,11 +535,12 @@ Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt the checks for revoked certificates more flexible if the system is offline. * Smart card authentication in polkit is now allowed by default. - * Fixes: - * Handling of FreeIPA users and groups containing ‘@’ sign now - works. + * Handling of FreeIPA users and groups containing ‘@’ sign now works. + * Issue when autofs was unable to mount shares was fixed. * SSSD was unable to hande ldap_uri containing URIs with different port numbers, which has been rectified. + * Fix domain offline after first boot when resolv.conf is a symlink + (bsc#1136139) - Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch ------------------------------------------------------------------- 
@@ -440,6 +609,10 @@ Tue Jun 18 08:00:46 UTC 2019 - Jan Engelhardt "GSS-SPNEGO" in addition to "GSSAPI". * The sssctl tool has two new commands, "cert-show" and "cert-map". + * Added an option to skip GPOs that have groupPolicyContainers, + unreadable by SSSD (bsc#1124194) (CVE-2018-16838) + * Fix fallback_homedir returning '/' for empty home directories + (CVE-2019-3811) (bsc#1121759) ------------------------------------------------------------------- Fri Apr 26 10:59:25 UTC 2019 - Samuel Cabrero @@ -461,12 +634,16 @@ Sat Mar 16 11:50:58 UTC 2019 - Jan Engelhardt users even if there is not applicable GPO. * The dynamic DNS update can now batch DNS updates to include all address family updates in a single transaction. + * Fix sss_cache spurious error messages when invoked from shadow-utils; + (bsc#1185017); + * Fix building with newer samba versions (bsc#1137876) + * Fix memory leak in nss netgroup enumeration (bsc#1139247); ------------------------------------------------------------------- Wed Feb 20 16:01:52 UTC 2019 - Samuel Cabrero - Install systemd service unit file created from source's template - (bsc#1120852) + (bsc#1120852); (bsc#1185185); - Install logrotate configuration (bsc#1004220) - Set journald as system logger @@ -502,6 +679,7 @@ Fri Sep 7 18:52:18 UTC 2018 - Jan Engelhardt * The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option pam_p11_allowed_services. + * Allow defaults sudoRole without sudoUser attribute (bsc#1135247) ------------------------------------------------------------------- Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com 
@@ -534,6 +712,9 @@ Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com * The grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work. + * Fix login not possible when email address is duplicated in ldap + attributes (bsc#1149597) + * Strip whitespaces in netgroup triples (bsc#1087320) - Removed patches that are included upstream now: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch, 0002-intg-Do-not-hardcode-nsslibdir.patch, @@ -603,6 +784,10 @@ Bugfixes: domain resolution order was used (#3740) * SSSD start up issue on systems that use the libldb library with version 1.4.0 or newer was fixed. + * Update winbind idmap plugin to support interface version 6 + (jsc#SLE-9819) + * Add a netgroup counter to struct nss_enum_index (bsc#1132657) + * Fix sssd not starting in foreground mode (bsc#1125277) Introduce a patch: * Fix build of sssd of 1.16.2 version: 0003-Fix-build-for-1-16-2-version.patch @@ -1912,3 +2097,4 @@ Fri Sep 4 08:59:21 UTC 2009 - rhafer@novell.com Tue Sep 1 08:58:37 UTC 2009 - rhafer@novell.com - initial package submission + diff --git a/sssd.spec b/sssd.spec index d0628d4..41a153c 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # # spec file for package sssd # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: sssd -Version: 2.8.2 +Version: 2.9.5 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later AND LGPL-3.0-or-later @@ -41,7 +41,9 @@ BuildRequires: cyrus-sasl-devel BuildRequires: docbook-xsl-stylesheets BuildRequires: krb5-devel >= 1.12 BuildRequires: libcmocka-devel +%if 0%{?suse_version} >= 1600 BuildRequires: libsubid-devel +%endif BuildRequires: libtool BuildRequires: libunistring-devel BuildRequires: libxml2-tools 
@@ -63,12 +65,16 @@ BuildRequires: pkgconfig(jansson) BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libcrypto) +%if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libcurl) +%endif BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libpcre2-8) +%if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libsemanage) +%endif BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(ndr_krb5pac) BuildRequires: pkgconfig(ndr_nbt) @@ -82,10 +88,12 @@ BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(uuid) %{?systemd_ordering} Requires: sssd-ldap = %version-%release -Requires(postun):pam-config +Requires(postun): pam-config Provides: libsss_sudo = %version-%release Provides: sssd-client = %version-%release Obsoletes: libsss_sudo < %version-%release +Provides: sssd-common = %version-%release +Obsoletes: sssd-common < %version-%release %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss @@ -96,7 +104,7 @@ Obsoletes: libsss_sudo < %version-%release %define ldbdir %(pkg-config ldb --variable=modulesdir) # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko -# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins +# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins # * cifs-utils one is the default (priority 20) # * installing SSSD should NOT switch to SSSD plugin (priority 10) %define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin @@ -104,7 +112,7 @@ Obsoletes: libsss_sudo < %version-%release %define cifs_idmap_name cifs-idmap-plugin %define cifs_idmap_priority 10 Requires(post): update-alternatives -Requires(postun):update-alternatives +Requires(postun): update-alternatives %description Provides a set of daemons to manage access to remote directories and 
@@ -117,7 +125,7 @@ services for projects like FreeIPA. Summary: The ActiveDirectory backend plugin for sssd License: GPL-3.0-or-later Group: System/Daemons -Requires: %name-krb5-common = %version +Requires: %name-krb5-common = %version-%release Requires: adcli %description ad @@ -202,7 +210,7 @@ and/or PAM modules to leverage SSSD caching. Summary: Commandline tools for sssd License: GPL-3.0-or-later AND LGPL-3.0-or-later Group: System/Management -Requires: python3-sssd-config = %version +Requires: python3-sssd-config = %version-%release Requires: sssd = %version %description tools @@ -296,10 +304,14 @@ Requires: libsss_nss_idmap0 = %version %description -n libsss_nss_idmap-devel A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. +%if 0%{?suse_version} < 1600 %package -n libsss_simpleifp0 Summary: The SSSD D-Bus responder helper library License: GPL-3.0-or-later Group: System/Libraries +# Even though sssd has obsoleted simpleifp, the plan here is to retain ABI +# compatibility with the existing SUSE 15.x product line. ...at least, until +# sssd completely removes SIFP from source. %description -n libsss_simpleifp0 This subpackage provides a library that simplifies the D-Bus API for @@ -315,6 +327,7 @@ Requires: libsss_simpleifp0 = %version This subpackage provides the development files for sssd's simpleifp, a library that simplifies the D-Bus API for the SSSD InfoPipe responder. +%endif %package -n libsss_sudo Summary: A library to allow communication between sudo and SSSD @@ -378,7 +391,6 @@ autoreconf -fiv --with-pipe-path="%pipepath" \ --with-pubconf-path="%pubconfpath" \ --with-gpo-cache-path="%gpocachepath" \ - --with-init-dir="%_initrddir" \ --with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-initscript=systemd \ --with-syslog=journald \ 
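Review bot: In the sssd-tools hunk only `python3-sssd-config` is tightened to `%version-%release`; the context line directly below it still reads `Requires: sssd = %version`, so a daemon rebuilt with a fix under the same upstream version can end up paired with older tools. The changelog entry for this change says subpackages should require the same version and release, so that line would read `Requires: sssd = %version-%release`. The `Requires: libsss_nss_idmap0 = %version` visible as context in the following hunk looks like the same case. The package stanzas themselves begin outside these hunks.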
@@ -386,24 +398,35 @@ autoreconf -fiv --enable-nsslibdir="/%_lib" \ --enable-pammoddir="%_pam_moduledir" \ --with-ldb-lib-dir="%ldbdir" \ - --with-selinux=yes \ - --with-subid \ --with-os=suse \ --disable-ldb-version-check \ - --without-secrets \ --without-python2-bindings \ - --without-oidc-child + --without-oidc-child \ +%if 0%{?suse_version} >= 1600 + --with-selinux=yes \ + --with-subid +%else + --with-selinux=no \ + --with-semanage=no \ + --with-libsifp \ + --with-files-provider +%endif %make_build all %install # sss_obfuscate is compatible with both python 2 and 3 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate -%make_install dbuspolicydir=%{_datadir}/dbus-1/system.d +%make_install dbuspolicydir=%_datadir/dbus-1/system.d b="%buildroot" # Copy some defaults -mkdir -pv "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d" -install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" +%if %{?_distconfdir:1} +install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf" +install -d -m 0755 "$b/%_distconfdir/sssd/conf.d" +%else +install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" +install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d" +%endif install -d "$b/%_unitdir" %if 0%{?suse_version} > 1500 install -d "$b/%_distconfdir/logrotate.d" @@ -416,6 +439,10 @@ install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd" %endif rm -Rfv "$b/%_initddir" +%if 0%{?suse_version} < 1600 +ln -s service "$b/%_sbindir/rcsssd" +%endif + mkdir -pv "$b/%sssdstatedir/mc" find "$b" -type f -name "*.la" -print -delete %find_lang %name --all-name 
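Review bot: `%if %{?_distconfdir:1}` in the %install part of this hunk expands to a bare `%if` when `_distconfdir` is not defined, which is exactly the case the `%else` branch is written for; rpm may reject the empty expression or evaluate it in a version-dependent way, so the branch taken is not obvious from the spec. The other conditionals in the file use the `0%{?...}` form, and the same guard here would be `%if 0%{?_distconfdir:1}`. The identical construct is repeated in the %pre, %posttrans and %files hunks further down and needs the same change there.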
@@ -423,6 +450,10 @@ find "$b" -type f -name "*.la" -print -delete # dummy target for cifs-idmap-plugin mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin +%python3_fix_shebang +%if 0%{?suse_version} >= 1600 +%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ +%endif %check # sss_config-tests fails @@ -430,17 +461,19 @@ ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin %pre %service_add_pre sssd.service -%if 0%{?suse_version} > 1500 +%if %{?_distconfdir:1} # Prepare for migration to /usr/etc; save any old .rpmsave -for i in pam.d/sssd-shadowutils ; do - test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: +for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do + test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || : done %endif %post /sbin/ldconfig # migrate config variable krb5_kdcip to krb5_server (bnc#851048) -/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf +if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then + /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" +fi %service_add_post sssd.service # install SSSD cifs-idmap plugin as an alternative @@ -469,10 +502,12 @@ fi %postun -n libsss_idmap0 -p /sbin/ldconfig %post -n libsss_nss_idmap0 -p /sbin/ldconfig %postun -n libsss_nss_idmap0 -p /sbin/ldconfig +%if 0%{?suse_version} < 1600 %post -n libsss_simpleifp0 -p /sbin/ldconfig %postun -n libsss_simpleifp0 -p /sbin/ldconfig +%endif -%triggerun -- %{name} < %{version}-%{release} +%triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. # Clear caches when downgrading the package, which may have an # incompatible format afterwards preventing the daemon from startup. 
@@ -495,20 +530,6 @@ fi %pre kcm %service_add_pre sssd-kcm.service sssd-kcm.socket -%if 0%{?suse_version} > 1500 -# Prepare for migration to /usr/etc; save any old .rpmsave -for i in logrotate.d/sssd ; do - test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: -done -%endif - -%if 0%{?suse_version} > 1500 -%posttrans -# Migration to /usr/etc, restore just created .rpmsave -for i in logrotate.d/sssd pam.d/sssd-shadowutils ; do - test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: -done -%endif %post kcm %service_add_post sssd-kcm.service sssd-kcm.socket @@ -519,6 +540,44 @@ done %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket +%pretrans +# Migrate sssd.service from sssd-common to sssd +systemctl is-enabled sssd.service > /dev/null +if [ $? -eq 0 ]; then +mkdir -p /run/systemd/rpm/ +touch /run/systemd/rpm/sssd-was-enabled +fi +systemctl is-active sssd.service > /dev/null +if [ $? -eq 0 ]; then +mkdir -p /run/systemd/rpm/ +touch /run/systemd/rpm/sssd-was-active +fi + +%posttrans +%if %{?_distconfdir:1} +# Migration to /usr/etc, restore just created .rpmsave +for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do + test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || : +done +%endif +# Migrate sssd.service from sssd-common to sssd +if [ -e /run/systemd/rpm/sssd-was-enabled ]; then +systemctl is-enabled sssd.service > /dev/null +if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was enabled" + systemctl enable sssd.service +fi +rm /run/systemd/rpm/sssd-was-enabled +fi +if [ -e /run/systemd/rpm/sssd-was-active ]; then +systemctl is-active sssd.service > /dev/null +if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was active" + systemctl start sssd.service +fi +rm /run/systemd/rpm/sssd-was-active +fi + %files -f sssd.lang %license COPYING %_unitdir/sssd.service 
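Review bot: The marker files written in `%pretrans` are removed only in `%posttrans`, so if a transaction fails in between, `/run/systemd/rpm/sssd-was-enabled` or `sssd-was-active` survives until reboot and a later update would enable or start sssd.service even though the administrator has disabled or stopped it since. Clearing them first, with `rm -f /run/systemd/rpm/sssd-was-enabled /run/systemd/rpm/sssd-was-active` at the top of `%pretrans`, makes each run reflect the current state. Both scriptlets also run on every install and upgrade rather than only when migrating from sssd-common, which a short comment should state. As a shell scriptlet, `%pretrans` presumes /bin/sh and systemctl exist before the transaction starts, which may not hold on an initial installation.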
@@ -537,12 +596,17 @@ done %_unitdir/sssd-sudo.service %_bindir/sss_ssh_* %_sbindir/sssd +%if 0%{?suse_version} < 1600 +%_sbindir/rcsssd +%endif %dir %_mandir/??/ %dir %_mandir/??/man[158]/ %_mandir/??/man1/sss_ssh_* %_mandir/??/man5/sss-certmap.5* %_mandir/??/man5/sssd-ad.5* +%if 0%{?suse_version} < 1600 %_mandir/??/man5/sssd-files.5* +%endif %_mandir/??/man5/sssd-ldap-attributes.5* %_mandir/??/man5/sssd-session-recording.5* %_mandir/??/man5/sssd-simple.5* @@ -553,7 +617,9 @@ done %_mandir/??/man8/sssd.8* %_mandir/man1/sss_ssh_* %_mandir/man5/sss-certmap.5* +%if 0%{?suse_version} < 1600 %_mandir/man5/sssd-files.5* +%endif %_mandir/man5/sssd-ldap-attributes.5* %_mandir/man5/sssd-session-recording.5* %_mandir/man5/sssd-simple.5* @@ -567,7 +633,9 @@ done %_libdir/%name/libsss_cert* %_libdir/%name/libsss_crypt* %_libdir/%name/libsss_debug* +%if 0%{?suse_version} < 1600 %_libdir/%name/libsss_files* +%endif %_libdir/%name/libsss_iface* %_libdir/%name/libsss_semanage* %_libdir/%name/libsss_sbus* @@ -585,10 +653,11 @@ done %_libexecdir/%name/sssd_pam %_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_sudo -%_libexecdir/%name/sss_analyze %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders +%if 0%{?suse_version} >= 1600 %_libexecdir/%name/selinux_child +%endif %dir %sssdstatedir %attr(700,root,root) %dir %dbpath/ %attr(755,root,root) %dir %pipepath/ @@ -599,8 +668,15 @@ done %attr(755,root,root) %dir %sssdstatedir/mc/ %attr(700,root,root) %dir %sssdstatedir/keytabs/ %attr(750,root,root) %dir %_localstatedir/log/%name/ +%if %{?_distconfdir:1} +%dir %_distconfdir/sssd/ +%%dir %_distconfdir/sssd/conf.d +%config(noreplace) %_distconfdir/sssd/sssd.conf +%else %dir %_sysconfdir/sssd/ +%%dir %_sysconfdir/sssd/conf.d %config(noreplace) %_sysconfdir/sssd/sssd.conf +%endif %if 0%{?suse_version} > 1500 %_distconfdir/logrotate.d/sssd %_pam_vendordir/sssd-shadowutils 
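Review bot: `selinux_child` is now packaged only for `suse_version >= 1600`, matching `--with-selinux=no --with-semanage=no` in the configure hunk, but nothing in the visible spec hunks records why SELinux support is switched off for the older product line. Since this drops a security feature from those builds (presumably SSSD no longer applies directory-provided SELinux user mappings there), a comment above the configure call is worth adding, for example `# suse_version < 1600: built without SELinux/semanage support, see jsc#PED-6714`. The %files list this hunk edits begins outside the hunk.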
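Review bot: `%%dir %_distconfdir/sssd/conf.d` and `%%dir %_sysconfdir/sssd/conf.d` carry a doubled percent sign, unlike the `%dir` lines around them; unless that is deliberate they should read `%dir %_distconfdir/sssd/conf.d` and `%dir %_sysconfdir/sssd/conf.d`. The neighbouring state directories pin their modes with `%attr(...)`, while `sssd.conf` relies on the `-m 0600` given in %install; writing it in the list as `%attr(600,root,root) %config(noreplace) %_distconfdir/sssd/sssd.conf` (and likewise in the `%else` branch) keeps the required permission visible in %files. The %files section starts before this hunk.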
@@ -608,13 +684,17 @@ done %config(noreplace) %_sysconfdir/logrotate.d/sssd %config(noreplace) %_pam_confdir/sssd-shadowutils %endif -%dir %_sysconfdir/sssd/conf.d %dir %_datadir/%name/ %_datadir/%name/cfg_rules.ini %_datadir/%name/sssd.api.conf %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-simple.conf +%if 0%{?suse_version} < 1600 %_datadir/%name/sssd.api.d/sssd-files.conf +%else +%exclude %_mandir/*/*/sssd-files.5.gz +%endif +%doc src/examples/sssd.conf # # sssd-client # @@ -623,8 +703,10 @@ done %_pam_moduledir/pam_sss_gss.so %_libdir/krb5/ %_libdir/%name/modules/sssd_krb5_localauth_plugin.so -%_libdir/%name/modules/sssd_krb5_idp_plugin.so +%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so +%if 0%{?suse_version} >= 1600 %_libdir/libsubid_sss.so +%endif %_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/??/man8/pam_sss.8* %_mandir/??/man8/pam_sss_gss.8* @@ -689,7 +771,7 @@ done %dir %_libdir/%name/ %_libdir/%name/libsss_krb5.so %dir %_datadir/%name/ -%_datadir/%name/krb5-snippets/ +%exclude %_datadir/%name/krb5-snippets/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-krb5.conf %dir %_mandir/??/ @@ -731,6 +813,7 @@ done %_sbindir/sss_seed %_sbindir/sss_obfuscate %_sbindir/sss_override +%_libexecdir/%name/sss_analyze %dir %_mandir/??/man8/ %_mandir/??/man8/sssctl.8* %_mandir/??/man8/sss_*.8* @@ -780,6 +863,7 @@ done %_libdir/libsss_nss_idmap.so %_libdir/pkgconfig/sss_nss_idmap.pc +%if 0%{?suse_version} < 1600 %files -n libsss_simpleifp0 %_libdir/libsss_simpleifp.so.0* @@ -787,6 +871,7 @@ done %_includedir/sss_sifp*.h %_libdir/libsss_simpleifp.so %_libdir/pkgconfig/sss_simpleifp.pc +%endif %files -n python3-ipa_hbac %dir %python3_sitearch diff --git a/symvers.patch b/symvers.patch index a80d511..ab19be6 100644 --- a/symvers.patch +++ b/symvers.patch 
@@ -15,11 +15,11 @@ the system only has libsss_util.so(-2.8.2) at this point. Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) -Index: sssd-2.8.2/Makefile.am +Index: sssd-2.9.2/Makefile.am =================================================================== ---- sssd-2.8.2.orig/Makefile.am -+++ sssd-2.8.2/Makefile.am -@@ -941,7 +941,11 @@ libsss_debug_la_SOURCES = \ +--- sssd-2.9.2.orig/Makefile.am ++++ sssd-2.9.2/Makefile.am +@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ @@ -32,7 +32,7 @@ Index: sssd-2.8.2/Makefile.am pkglib_LTLIBRARIES += libsss_child.la libsss_child_la_SOURCES = src/util/child_common.c -@@ -951,7 +955,8 @@ libsss_child_la_LIBADD = \ +@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ $(DHASH_LIBS) \ libsss_debug.la \ $(NULL) @@ -42,7 +42,7 @@ Index: sssd-2.8.2/Makefile.am pkglib_LTLIBRARIES += libsss_crypt.la -@@ -990,7 +995,8 @@ libsss_crypt_la_LIBADD = \ +@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_crypt_la_LDFLAGS = \ @@ -52,7 +52,7 @@ Index: sssd-2.8.2/Makefile.am pkglib_LTLIBRARIES += libsss_cert.la -@@ -1015,8 +1021,9 @@ libsss_cert_la_LIBADD = \ +@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_cert_la_LDFLAGS = \ @@ -63,7 +63,7 @@ Index: sssd-2.8.2/Makefile.am generate-sbus-code: $(builddir)/sbus_generate.sh $(abs_srcdir) -@@ -1117,8 +1124,9 @@ libsss_sbus_la_CFLAGS = \ +@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_sbus_la_LDFLAGS = \ @@ -74,7 +74,7 @@ Index: sssd-2.8.2/Makefile.am pkglib_LTLIBRARIES += libsss_sbus_sync.la libsss_sbus_sync_la_SOURCES = \ -@@ -1153,8 +1161,9 @@ libsss_sbus_sync_la_CFLAGS = \ +@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ $(UNICODE_LIBS) \ $(NULL) libsss_sbus_sync_la_LDFLAGS = \ 
@@ -85,7 +85,7 @@ Index: sssd-2.8.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface.la libsss_iface_la_SOURCES = \ -@@ -1183,8 +1192,9 @@ libsss_iface_la_CFLAGS = \ +@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_la_LDFLAGS = \ @@ -96,7 +96,7 @@ Index: sssd-2.8.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface_sync.la libsss_iface_sync_la_SOURCES = \ -@@ -1211,8 +1221,9 @@ libsss_iface_sync_la_CFLAGS = \ +@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_sync_la_LDFLAGS = \ @@ -107,17 +107,17 @@ Index: sssd-2.8.2/Makefile.am pkglib_LTLIBRARIES += libsss_util.la libsss_util_la_SOURCES = \ -@@ -1303,7 +1314,8 @@ endif - if BUILD_SYSTEMTAP - libsss_util_la_LIBADD += stap_generated_probes.lo - endif +@@ -1322,7 +1333,8 @@ endif + if BUILD_PASSKEY + libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c + endif # BUILD_PASSKEY -libsss_util_la_LDFLAGS = -avoid-version +libsss_util_la_LDFLAGS = -avoid-version ${symv} +EXTRA_libsss_util_la_DEPENDENCIES = x.sym pkglib_LTLIBRARIES += libsss_semanage.la libsss_semanage_la_CFLAGS = \ -@@ -1322,7 +1334,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ +@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ endif libsss_semanage_la_LDFLAGS = \ @@ -127,7 +127,7 @@ Index: sssd-2.8.2/Makefile.am SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ -@@ -1338,7 +1351,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ +@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ $(NULL) pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc @@ -136,7 +136,7 @@ Index: sssd-2.8.2/Makefile.am libipa_hbac_la_SOURCES = \ src/lib/ipa_hbac/hbac_evaluator.c \ src/util/sss_utf8.c -@@ -1664,8 +1677,9 @@ libifp_iface_la_CFLAGS = \ +@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_la_LDFLAGS = \ 
@@ -147,7 +147,7 @@ Index: sssd-2.8.2/Makefile.am pkglib_LTLIBRARIES += libifp_iface_sync.la libifp_iface_sync_la_SOURCES = \ -@@ -1690,8 +1704,9 @@ libifp_iface_sync_la_CFLAGS = \ +@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_sync_la_LDFLAGS = \ @@ -158,7 +158,7 @@ Index: sssd-2.8.2/Makefile.am sssd_ifp_SOURCES = \ src/responder/ifp/ifpsrv.c \ -@@ -4196,8 +4211,9 @@ libsss_ldap_common_la_LIBADD = \ +@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_ldap_common_la_LDFLAGS = \ @@ -169,7 +169,7 @@ Index: sssd-2.8.2/Makefile.am if BUILD_SYSTEMTAP libsss_ldap_common_la_LIBADD += stap_generated_probes.lo endif -@@ -4254,7 +4270,8 @@ libsss_krb5_common_la_LIBADD = \ +@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_krb5_common_la_LDFLAGS = \