SHA256
1
0
forked from pool/sssd

Accepting request 1127656 from network:ldap

- Fix spec file for Leap (forwarded request 1127633 from scabrero)

OBS-URL: https://build.opensuse.org/request/show/1127656
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=133
This commit is contained in:
Ana Guerrero 2023-11-20 20:19:04 +00:00 committed by Git OBS Bridge
commit 810e6b4fa1
2 changed files with 85 additions and 26 deletions

View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Fri Nov 17 14:52:30 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- Fix spec file for Leap
-------------------------------------------------------------------
Fri Nov 17 12:30:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after
update (bsc#1216865)
- Do not install the KRB5 IDP plugin, it is useless without the
OIDC child
- Drop no longer valid --without-secrets configure switch
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 13 12:48:09 UTC 2023 - Jan Engelhardt <jengelh@inai.de> Mon Nov 13 12:48:09 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
@ -38,6 +52,8 @@ Thu Sep 7 12:07:10 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
non-root user. non-root user.
* New option local_auth_policy is added to control which offline * New option local_auth_policy is added to control which offline
authentication methods will be enabled by SSSD. authentication methods will be enabled by SSSD.
* Fix sssd entering failed state under heavy load by adding
watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283);
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jun 23 14:49:30 UTC 2023 - Jan Engelhardt <jengelh@inai.de> Fri Jun 23 14:49:30 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
@ -48,6 +64,8 @@ Fri Jun 23 14:49:30 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
* A regression where SSSD failed to properly watch for changes * A regression where SSSD failed to properly watch for changes
in ``/etc/resolv.conf`` when it was a symbolic link or was a in ``/etc/resolv.conf`` when it was a symbolic link or was a
relative path, was fixed. relative path, was fixed.
* ldap password policy: return failure if there are no grace logins
left; (bsc#1214434);
------------------------------------------------------------------- -------------------------------------------------------------------
Fri May 5 10:47:41 UTC 2023 - Jan Engelhardt <jengelh@inai.de> Fri May 5 10:47:41 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
@ -82,7 +100,7 @@ Wed Dec 21 19:29:45 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
- Take systemd units off the restart list that have - Take systemd units off the restart list that have
RefuseManualStart=yes [boo#1206592] RefuseManualStart=yes [boo#1206592]
- Add symvers.patch [boo#1206592] - Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166]
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Dec 11 14:17:23 UTC 2022 - Jan Engelhardt <jengelh@inai.de> Sun Dec 11 14:17:23 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
@ -114,6 +132,8 @@ Fri Oct 7 12:05:29 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
level independently. level independently.
* A number of new configuration options are available, * A number of new configuration options are available,
cf. https://sssd.io/release-notes/sssd-2.8.0.html . cf. https://sssd.io/release-notes/sssd-2.8.0.html .
* Fix sdap_access_host No matching host rule found;
(bsc#1202559);
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 1 13:45:36 UTC 2022 - Stefan Schubert <schubi@suse.com> Thu Sep 1 13:45:36 UTC 2022 - Stefan Schubert <schubi@suse.com>
@ -199,6 +219,9 @@ Thu Apr 14 22:43:03 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
* Added support for anonymous PKINIT to get FAST credentials. * Added support for anonymous PKINIT to get FAST credentials.
* SSSD now correctly falls back to UPN search if the user was * SSSD now correctly falls back to UPN search if the user was
not found even with `cache_first = true`. not found even with `cache_first = true`.
* Add 'ldap_ignore_unreadable_references' parameter to skip
unreadable objects referenced by 'member' attributte;
(bsc#1190775); (gh#SSSD/sssd#4893);
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Feb 21 14:50:38 UTC 2022 - Callum Farmer <gmbr3@opensuse.org> Mon Feb 21 14:50:38 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>
@ -276,14 +299,14 @@ Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
* Support of long time deprecated local provider was dropped. * Support of long time deprecated local provider was dropped.
* The sssctl command was vulnerable to shell command injection * The sssctl command was vulnerable to shell command injection
via the logs-fetch and cache-expire subcommands, via the logs-fetch and cache-expire subcommands,
which was fixed. which was fixed; (CVE-2021-3621); (bsc#1189492);
* Basic support of user's 'subuid and subgid ranges' for IPA * Basic support of user's 'subuid and subgid ranges' for IPA
provider and corresponding plugin for shadow-utils were added. provider and corresponding plugin for shadow-utils were added.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt <jengelh@inai.de> Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.5.2 - Update to release 2.5.2; (jsc#SLE-17763);
* originalADgidNumber attribute in the SSSD cache is now indexed. * originalADgidNumber attribute in the SSSD cache is now indexed.
* Add new config option fallback_to_nss. * Add new config option fallback_to_nss.
@ -295,8 +318,7 @@ Tue Jun 8 16:35:25 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
range setting in IPA (see ipa idrange commands family). This range setting in IPA (see ipa idrange commands family). This
feature requires SSSD update on both client and server. This feature requires SSSD update on both client and server. This
feature also requires freeipa 4.9.4 and newer. feature also requires freeipa 4.9.4 and newer.
* Fix getsidbyname issues with IPA users with a * Fix getsidbyname issues with IPA users with a user-private-group.
user-private-group.
* Default value of ldap_sudo_random_offset changed to 0 * Default value of ldap_sudo_random_offset changed to 0
(disabled). This makes sure that sudo rules are available as (disabled). This makes sure that sudo rules are available as
soon as possible after SSSD start in default configuration. soon as possible after SSSD start in default configuration.
@ -310,8 +332,25 @@ Mon May 10 13:58:04 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
tgt_renewal = true. See the sssd-kcm man page for more tgt_renewal = true. See the sssd-kcm man page for more
details. This feature requires MIT Kerberos details. This feature requires MIT Kerberos
krb5-1.19-0.beta2.3 or higher. krb5-1.19-0.beta2.3 or higher.
* Backround sudo periodic tasks (smart and full refresh) periods are
now extended by a random offset to spread the load on the server in
environments with many clients.
* Completing a sudo full refresh now postpones the smart refresh by
ldap_sudo_smart_refresh_interval value. This ensure that the smart
refresh is not run too soon after a successful full refresh.
* If debug_backtrace_enabled is set to true then on any error all prior
debug messages (to some limit) are printed even if debug_level is set
to low value.
* Besides trusted domains known by the forest root, trusted domains known
by the local domain are used as well.
* New configuration option offline_timeout_random_offset to control random
factor in backend probing interval when SSSD is in offline mode.
* ad_gpo_implicit_deny is now respected even if there are no * ad_gpo_implicit_deny is now respected even if there are no
applicable GPOs present. applicable GPOs present.
* During the IPA subdomains request a failure in reading a single specific
configuration option is not considered fatal and the request will
continue.
* Unknown IPA id-range types are not considered as an error
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 6 12:08:29 UTC 2021 - Samuel Cabrero <scabrero@suse.de> Tue Apr 6 12:08:29 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
@ -367,6 +406,8 @@ Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
with principal that can be associated with target user. with principal that can be associated with target user.
* Added pam_gssapi_services to list PAM services that can * Added pam_gssapi_services to list PAM services that can
authenticate using GSSAPI. authenticate using GSSAPI.
* Create timestamp attribute in cache objects if missing;
(bsc#1182637);
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Oct 12 13:10:26 UTC 2020 - Jan Engelhardt <jengelh@inai.de> Mon Oct 12 13:10:26 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
@ -400,6 +441,7 @@ Fri Jul 24 16:57:58 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
lookups are no longer considered fatal. lookups are no longer considered fatal.
* Fixed regression in proxy provider: pwfield=x is now default * Fixed regression in proxy provider: pwfield=x is now default
value only for sssd-shadowutils target. value only for sssd-shadowutils target.
* Rotate child debug file descriptors on SIGHUP (bsc#1080156)
- sssd-wbclient is obsolete and no longer shipped - sssd-wbclient is obsolete and no longer shipped
------------------------------------------------------------------- -------------------------------------------------------------------
@ -419,6 +461,9 @@ Tue May 19 11:32:22 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
* SSSD now accepts host entries from GPO's security filter. * SSSD now accepts host entries from GPO's security filter.
* New debug level (0x10000) added for low level LDB messages * New debug level (0x10000) added for low level LDB messages
only (see sssd.conf man page). only (see sssd.conf man page).
* Update samba secrets after changing machine password; (jsc#SLE-11503);
* Delete linked local user overrides when deleting a user
(bsc#1133168)
- Drop sssd-gpo_host_security_filter-2.2.2.patch, - Drop sssd-gpo_host_security_filter-2.2.2.patch,
0001-Resolve-computer-lookup-failure-when-sam-cn.patch, 0001-Resolve-computer-lookup-failure-when-sam-cn.patch,
0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged) 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
@ -436,11 +481,12 @@ Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
the checks for revoked certificates more flexible if the the checks for revoked certificates more flexible if the
system is offline. system is offline.
* Smart card authentication in polkit is now allowed by default. * Smart card authentication in polkit is now allowed by default.
* Fixes: * Handling of FreeIPA users and groups containing @ sign now works.
* Handling of FreeIPA users and groups containing @ sign now * Issue when autofs was unable to mount shares was fixed.
works.
* SSSD was unable to hande ldap_uri containing URIs with * SSSD was unable to hande ldap_uri containing URIs with
different port numbers, which has been rectified. different port numbers, which has been rectified.
* Fix domain offline after first boot when resolv.conf is a symlink
(bsc#1136139)
- Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch - Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
------------------------------------------------------------------- -------------------------------------------------------------------
@ -509,6 +555,10 @@ Tue Jun 18 08:00:46 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
"GSS-SPNEGO" in addition to "GSSAPI". "GSS-SPNEGO" in addition to "GSSAPI".
* The sssctl tool has two new commands, "cert-show" and * The sssctl tool has two new commands, "cert-show" and
"cert-map". "cert-map".
* Added an option to skip GPOs that have groupPolicyContainers,
unreadable by SSSD (bsc#1124194) (CVE-2018-16838)
* Fix fallback_homedir returning '/' for empty home directories
(CVE-2019-3811) (bsc#1121759)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Apr 26 10:59:25 UTC 2019 - Samuel Cabrero <scabrero@suse.de> Fri Apr 26 10:59:25 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
@ -530,12 +580,16 @@ Sat Mar 16 11:50:58 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
users even if there is not applicable GPO. users even if there is not applicable GPO.
* The dynamic DNS update can now batch DNS updates to include * The dynamic DNS update can now batch DNS updates to include
all address family updates in a single transaction. all address family updates in a single transaction.
* Fix sss_cache spurious error messages when invoked from shadow-utils;
(bsc#1185017);
* Fix building with newer samba versions (bsc#1137876)
* Fix memory leak in nss netgroup enumeration (bsc#1139247);
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Feb 20 16:01:52 UTC 2019 - Samuel Cabrero <scabrero@suse.de> Wed Feb 20 16:01:52 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Install systemd service unit file created from source's template - Install systemd service unit file created from source's template
(bsc#1120852) (bsc#1120852); (bsc#1185185);
- Install logrotate configuration (bsc#1004220) - Install logrotate configuration (bsc#1004220)
- Set journald as system logger - Set journald as system logger
@ -571,6 +625,7 @@ Fri Sep 7 18:52:18 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
* The list of PAM services which are allowed to authenticate * The list of PAM services which are allowed to authenticate
using a Smart Card is now configurable using a new option using a Smart Card is now configurable using a new option
pam_p11_allowed_services. pam_p11_allowed_services.
* Allow defaults sudoRole without sudoUser attribute (bsc#1135247)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
@ -603,6 +658,9 @@ Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
* The grace logins with an expired password when authenticating * The grace logins with an expired password when authenticating
against certain newer versions of the 389DS/RHDS LDAP server against certain newer versions of the 389DS/RHDS LDAP server
did not work. did not work.
* Fix login not possible when email address is duplicated in ldap
attributes (bsc#1149597)
* Strip whitespaces in netgroup triples (bsc#1087320)
- Removed patches that are included upstream now: - Removed patches that are included upstream now:
0001-SUDO-Create-the-socket-with-stricter-permissions.patch, 0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
0002-intg-Do-not-hardcode-nsslibdir.patch, 0002-intg-Do-not-hardcode-nsslibdir.patch,
@ -672,6 +730,10 @@ Bugfixes:
domain resolution order was used (#3740) domain resolution order was used (#3740)
* SSSD start up issue on systems that use the libldb library * SSSD start up issue on systems that use the libldb library
with version 1.4.0 or newer was fixed. with version 1.4.0 or newer was fixed.
* Update winbind idmap plugin to support interface version 6
(jsc#SLE-9819)
* Add a netgroup counter to struct nss_enum_index (bsc#1132657)
* Fix sssd not starting in foreground mode (bsc#1125277)
Introduce a patch: Introduce a patch:
* Fix build of sssd of 1.16.2 version: * Fix build of sssd of 1.16.2 version:
0003-Fix-build-for-1-16-2-version.patch 0003-Fix-build-for-1-16-2-version.patch

View File

@ -41,7 +41,9 @@ BuildRequires: cyrus-sasl-devel
BuildRequires: docbook-xsl-stylesheets BuildRequires: docbook-xsl-stylesheets
BuildRequires: krb5-devel >= 1.12 BuildRequires: krb5-devel >= 1.12
BuildRequires: libcmocka-devel BuildRequires: libcmocka-devel
%if 0%{?suse_version} >= 1600
BuildRequires: libsubid-devel BuildRequires: libsubid-devel
%endif
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libunistring-devel BuildRequires: libunistring-devel
BuildRequires: libxml2-tools BuildRequires: libxml2-tools
@ -366,12 +368,13 @@ autoreconf -fiv
--enable-pammoddir="%_pam_moduledir" \ --enable-pammoddir="%_pam_moduledir" \
--with-ldb-lib-dir="%ldbdir" \ --with-ldb-lib-dir="%ldbdir" \
--with-selinux=yes \ --with-selinux=yes \
--with-subid \
--with-os=suse \ --with-os=suse \
--disable-ldb-version-check \ --disable-ldb-version-check \
--without-secrets \
--without-python2-bindings \ --without-python2-bindings \
--without-oidc-child --without-oidc-child \
%if 0%{?suse_version} >= 1600
--with-subid
%endif
%make_build all %make_build all
%install %install
@ -407,14 +410,10 @@ ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
%pre %pre
%service_add_pre sssd.service %service_add_pre sssd.service
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave # Prepare for migration to /usr/etc; save any old .rpmsave
for i in pam.d/sssd-shadowutils logrotate.d/sssd ; do for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
if [ -f "%_sysconfdir/$i.rpmsave" ]; then test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
fi
done done
%endif
%post %post
/sbin/ldconfig /sbin/ldconfig
@ -484,15 +483,11 @@ fi
%postun kcm %postun kcm
%service_del_postun sssd-kcm.service sssd-kcm.socket %service_del_postun sssd-kcm.service sssd-kcm.socket
%if 0%{?suse_version} > 1500
%posttrans %posttrans
# Migration to /usr/etc, restore just created .rpmsave # Migration to /usr/etc, restore just created .rpmsave
for i in logrotate.d/sssd pam.d/sssd-shadowutils ; do for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
if [ -f "%_sysconfdir/$i.rpmsave" ]; then test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
fi
done done
%endif
%files -f sssd.lang %files -f sssd.lang
%license COPYING %license COPYING
@ -592,8 +587,10 @@ done
%_pam_moduledir/pam_sss_gss.so %_pam_moduledir/pam_sss_gss.so
%_libdir/krb5/ %_libdir/krb5/
%_libdir/%name/modules/sssd_krb5_localauth_plugin.so %_libdir/%name/modules/sssd_krb5_localauth_plugin.so
%_libdir/%name/modules/sssd_krb5_idp_plugin.so %exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
%if 0%{?suse_version} >= 1600
%_libdir/libsubid_sss.so %_libdir/libsubid_sss.so
%endif
%_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/??/man8/sssd_krb5_locator_plugin.8*
%_mandir/??/man8/pam_sss.8* %_mandir/??/man8/pam_sss.8*
%_mandir/??/man8/pam_sss_gss.8* %_mandir/??/man8/pam_sss_gss.8*
@ -658,7 +655,7 @@ done
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_krb5.so %_libdir/%name/libsss_krb5.so
%dir %_datadir/%name/ %dir %_datadir/%name/
%_datadir/%name/krb5-snippets/ %exclude %_datadir/%name/krb5-snippets/
%dir %_datadir/%name/sssd.api.d/ %dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-krb5.conf %_datadir/%name/sssd.api.d/sssd-krb5.conf
%dir %_mandir/??/ %dir %_mandir/??/