From ec865ab0440ee653bb98ee459a48162b287d01f8299a87c85804eb6d479cc9bc Mon Sep 17 00:00:00 2001
From: OBS User autobuild
Date: Mon, 8 Mar 2010 17:24:35 +0000
Subject: [PATCH 01/63] Accepting request 34177 from network:ldap

Copy from network:ldap/sssd based on submit request 34177 from user rhafer
OBS-URL: https://build.opensuse.org/request/show/34177
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=1
---
 ...-detect-endianness-at-configure-time.patch | 27 -
 baselibs.conf | 4 -
 ready | 0
 sssd-1.0.5.tar.gz | 3 +
 sssd-1.13.3.tar.gz | 3 -
 sssd-1.13.3.tar.gz.asc | 7 -
 sssd.changes | 847 ------------------
 sssd.keyring | 34 -
 sssd.service | 15 -
 sssd.spec | 788 +++-------------
 10 files changed, 140 insertions(+), 1588 deletions(-)
 delete mode 100644 0001-build-detect-endianness-at-configure-time.patch
 delete mode 100644 baselibs.conf
 create mode 100644 ready
 create mode 100644 sssd-1.0.5.tar.gz
 delete mode 100644 sssd-1.13.3.tar.gz
 delete mode 100644 sssd-1.13.3.tar.gz.asc
 delete mode 100644 sssd.keyring
 delete mode 100644 sssd.service
diff --git a/0001-build-detect-endianness-at-configure-time.patch b/0001-build-detect-endianness-at-configure-time.patch
deleted file mode 100644
index 91b6cc8..0000000
--- a/0001-build-detect-endianness-at-configure-time.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 303d096f920801f7b06a7ad406ea83b4cd0219da Mon Sep 17 00:00:00 2001
-From: David Disseldorp
-Date: Tue, 6 May 2014 15:56:42 +0200
-Subject: [PATCH] build: detect endianness at configure time
-
-WORDS_BIGENDIAN, HAVE_BIG_ENDIAN and HAVE_LITTLE_ENDIAN are needed by
-Samba. See Samba's byteorder.h header for an example.
-
-Signed-off-by: David Disseldorp
----
- configure.ac | 3 +++
- 1 file changed, 3 insertions(+)
-
-Index: sssd-1.13.3/configure.ac
-===================================================================
---- sssd-1.13.3.orig/configure.ac
-+++ sssd-1.13.3/configure.ac
-@@ -428,6 +428,9 @@ AM_CONDITIONAL([HAVE_DEVSHM], [test -d /
- ENABLE_POLKIT_RULES_PATH
- AM_CONDITIONAL([HAVE_POLKIT_RULES_D], [test x$HAVE_POLKIT_RULES_D != x])
- 
-+AC_C_BIGENDIAN([AC_DEFINE(HAVE_BIG_ENDIAN, [1], [whether platform is big endian])],
-+ [AC_DEFINE(HAVE_LITTLE_ENDIAN, [1], [whether platform is little endian])])
-+
- abs_build_dir=`pwd`
- AC_DEFINE_UNQUOTED([ABS_BUILD_DIR], ["$abs_build_dir"], [Absolute path to the build directory])
- AC_SUBST([abs_builddir], $abs_build_dir)
diff --git a/baselibs.conf b/baselibs.conf
deleted file mode 100644
index b125802..0000000
--- a/baselibs.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-sssd
- supplements "packageand(sssd:pam-)"
- supplements "packageand(sssd:glibc-)"
- -/usr/lib(64)?/*
diff --git a/ready b/ready
new file mode 100644
index 0000000..473a0f4
diff --git a/sssd-1.0.5.tar.gz b/sssd-1.0.5.tar.gz
new file mode 100644
index 0000000..e895b79
--- /dev/null
+++ b/sssd-1.0.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f3a8dca78a14b03e1a273fa7cfe5598120b83aa7477ab4c467a7dcd655c9017
+size 2688987
diff --git a/sssd-1.13.3.tar.gz b/sssd-1.13.3.tar.gz
deleted file mode 100644
index f7cfd38..0000000
--- a/sssd-1.13.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3fd8fe8e6ee9f50b33eecd1bcccfaa44791f30d4e5f3113ba91457ba5f411f85
-size 4661143
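Review bot: The new sssd-1.0.5.tar.gz is added as a git-lfs pointer with no detached signature beside it, while this same commit deletes sssd-1.13.3.tar.gz.asc and sssd.keyring (see the diffstat), so the source tarball that gets built is no longer verifiable against an upstream signing key; the `oid sha256:…` line only pins the bytes that were committed and carries no provenance. The diffstat also shows sssd.spec losing several hundred lines, but that hunk is outside this chunk, so I cannot confirm whether the signature check that the removed changelog entry "Implement signature verification" refers to is dropped as well — presumably it is, since its inputs are gone. The removed changelog further records fixes for CVE-2011-1758, CVE-2013-0219, CVE-2013-0220 and CVE-2013-0287 in releases newer than 1.0.5, so this downgrade presumably reintroduces whichever of them apply to a 1.0.5 tree. Please ship a sssd-1.0.5.tar.gz.asc plus a keyring and keep the spec's verification step, or state in sssd.changes why unsigned sources are acceptable here.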
diff --git a/sssd-1.13.3.tar.gz.asc b/sssd-1.13.3.tar.gz.asc
deleted file mode 100644
index e88c30a..0000000
--- a/sssd-1.13.3.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlZwc5IACgkQHsardTLnvCXyOgCg20lBb2owmQRYRjPZClBcn9+y
-GU4AnR/tg+KqvfA/djm5yoV4/Ys3LA2g
-=zefD
------END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index c2a5831..026aa50 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,850 +1,3 @@ -------------------------------------------------------------------- -Wed Dec 16 14:08:01 UTC 2015 - jengelh@inai.de - -- Update to new maintenance release 1.13.3 -* A bug that prevented user lookups and logins after migration from - winsync to IPA-AD trusts was fixed. -* A bug that prevented the ignore_group_members option from working - correctly in AD provider setups that use a dedicated primary - group (as opposed to a user-private group) was fixed. -* Offline detection and offline login timeouts were improved for AD - users logging in from a domain trusted by an IPA server. -* The AD provider supports setting up autofs_provider=ad . - -------------------------------------------------------------------- -Fri Nov 20 10:39:56 UTC 2015 - jengelh@inai.de - -- Update to new upstream release 1.13.2 -* Initial support for Smart Card authentication was added. -* The PAM prompting was enhanced so that when Two-Factor - Authentication is used, both factors (password and token) can be - entered separately on separate prompts. -* This release supports authenticating againt a KDC proxy. - -------------------------------------------------------------------- -Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com - -- Update to new upstream release 1.13.1 -* Initial support for Smart Card authentication was added. The - feature can be activated with the new pam_cert_auth option. -* The PAM prompting was enhanced so that when Two-Factor - Authentication is used, both factors (password and token) can - be entered separately on separate prompts. At the same time, - only the long-term password is cached, so offline access would - still work using the long term password. -* A new command line tool sss_override is present in this - release. The tools allows to override attributes on the SSSD - side. It's helpful in environment where e.g. some hosts need to - have a different view of POSIX attributes than others. 
Please - note that the overrides are stored in the cache as well, so - removing the cache will also remove the overrides. -* Several enhancements to the dynamic DNS update code. Notably, - clients that update multiple interfaces work better with this - release. -* This release supports authenticating againt a KDC proxy -* The fail over code was enhanced so that if a trusted domain is - not reachable, only that domain will be marked as inactive but - the backed would stay in online mode. - -------------------------------------------------------------------- -Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de - -- Update to new upstream release 1.13 -* Support for separate prompts when using two-factor authentication -* Added support for one-way trusts between an IPA and Active - Directory environment. (Depends on IPA 4.2) -* The fast memory cache now also supports the initgroups operation. -* The PAM responder is now capable of caching authentication for - configurable period, which might reduce server load in cases - where accounts authenticate very frequently. - Refer to the "cached_auth_timeout" option in sssd.conf(5). -* The Active Directory provider has changed the default value of - the "ad_gpo_access_control" option from permissive to enforcing. - As a consequence, the GPO access control now affects all clients - that set access_provider to ad. In order to restore the previous - behaviour, set ad_gpo_access_control to permissive or use a - different access_provider type. -* Group Policy objects defined in a different AD domain that the - computer object is defined in are now supported. -* Credential caching and Offline authentication are also available - when using two-factor authentication -* The Python bindings are now built for both Python2 and Python3. -* The LDAP bind timeout, StartTLS timeout and password change - timeout are now configurable using the ldap_opt_timeout option. 
- -------------------------------------------------------------------- -Wed Aug 12 18:20:25 UTC 2015 - jengelh@inai.de - -- Kill unused libsss_sudo-devel solvable. - -------------------------------------------------------------------- -Tue Aug 11 07:41:07 UTC 2015 - hguo@suse.com - -- Obsolete/provide libsss_sudo in sssd main package. - Sudo capability is an integral feature in SSSD and the library - is not supposed to be used separately. - -------------------------------------------------------------------- -Thu Jun 25 16:44:49 UTC 2015 - crrodriguez@opensuse.org - -- sssd.service: add Before= and Wants=nss-user-lookup.target - correct fix for bsc#926961 - -------------------------------------------------------------------- -Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com - -- Update to new upstream release 1.12.5 -* The background refresh tasks now supports refreshing users and - groups as well. See the "refresh_expired_interval" parameter in - the sssd.conf manpage. -* A new option subdomain_inherit was added. -* When an expired account attempts to log in, a configurable - error message can be displayed with sufficient pam_verbosity - setting. See the "pam_account_expired_message" option. -* OpenLDAP ppolicy can be honored even when an alternate login - method (such as SSH key) is used. See the "ldap_access_order" - option. -* A new option :krb5_map_user" was added, allowing the admin to - map UNIX usernames to Kerberos principals. -* BUG FIXES: -* Fixed AD-specific bugs that resulted in the incorrect set of - groups being displayed after the initgroups operation. -* Fixes related to the IPA ID views feature. Setups using this - should update sssd on both IPA servers and clients. -* The AD provider now handles binary GUIDs correctly. -* A bug that prevented the `ignore_group_members` parameter to be - used with the AD provider was fixed. -* The failover code now reads and honors TTL value for SRV - queries as well. 
-* Race condition between setting the timeout in the back ends and - reading it in the front end during initgroup operation was - fixed. This bug affected applications that perform the - initgroups(3) operation in multiple processes simultaneously. -* Setups that only want to use the domain SSSD is connected to, - but not the autodiscovered trusted domains by setting - `subdomains_provider=none` now work correctly as long as the - domain SID is set manually in the config file. -* In case only "allow" rules are used, the simple access provider - is now able to skip unresolvable groups. -* The GPO access control code now handles situations where user - and computer objects were in different domains. - -------------------------------------------------------------------- -Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com - -- Update to new upstream release 1.12.4 (Changelog highlights following) -* This is mostly a bug fixing release with only minor enhancements - visible to the end user. -* Contains many fixes and enhancements related to the ID views - functionality of FreeIPA servers. -* Several fixes related to retrieving AD group membership in an - IPA-AD trust scenario. -* Fixes a bug where the GPO access control previously didn't work - at all if debugging was enabled in smb.conf. -* SSSD can now be pinned to a particular AD site instead of - autodiscovering the site. -* A regression that caused setting the SELinux context for IPA users - to fail, was fixed. -* Fixed a potential crash caused by a double-free error when an SSSD - service was killed by the monitor process. - -------------------------------------------------------------------- -Mon Feb 16 10:09:18 UTC 2015 - howard@localhost - -- A minor rpmspec cleanup to get rid of five rpmlint warnings -* Remove mentioning of system-wide dbus configuration file from comments. -* Remove traditional init script. -* Remove compatibility for producing packages on older OpenSUSE releases. 
- -------------------------------------------------------------------- -Thu Jan 8 22:23:42 UTC 2015 - jengelh@inai.de - -- Update to new upstream release 1.12.3 -* SSSD now allows the IPA client to move from one ID view to - another after SSSD restart. -* It is possible to apply ID views to IPA domains as well. - Previous SSSD versions only allowed views to be applied to AD - trusted domains. -* Overriding SSH public keys is supported in this release. -* Move semanage related functions to a separate library. - -------------------------------------------------------------------- -Thu Jan 1 22:01:02 UTC 2015 - meissner@suse.com - -- build with PIE - -------------------------------------------------------------------- -Mon Nov 10 00:37:00 UTC 2014 - Led - -- fix bashism in postun script - -------------------------------------------------------------------- -Thu Oct 30 12:22:06 UTC 2014 - jengelh@inai.de - -- Update to new upstream release 1.12.2 (bugfix release, bnc#900159) -* Fixed a regression where the IPA provider did not fetch User - Private Groups correctly -* An important bug in the GPO access control which resulted in a - wrong principal being used, was fixed. -* Several new options are available for deployments that need to - restrict a certain PAM service from connecting to a certain SSSD - domain. For more details, see the description of - pam_trusted_users and pam_public_domains options in the - sssd.conf(5) man page and the domains option in the pam_sss(8) - man page. -* When SSSD is acting as an IPA client in setup with trusted AD - domains, it is able to return group members or full group - memberships for users from trusted AD domains. -* Support for the "views" feature of IPA. 
-- Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch - (merged upstream) - -------------------------------------------------------------------- -Sat Oct 11 13:36:48 UTC 2014 - jengelh@inai.de - -- Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch - to workaround bad autoconf invocation - -------------------------------------------------------------------- -Sat Oct 11 00:16:15 UTC 2014 - crrodriguez@opensuse.org - -- 0001-build-detect-endianness-at-configure-time.patch - Correct defective endianness test. - -------------------------------------------------------------------- -Mon Oct 6 13:25:23 UTC 2014 - jengelh@inai.de - -- Update to new upstream release 1.12.1 -* The GPO access control was further enhanced to allow the access - control decisions while offline and map the Windows logon - rights onto Linux PAM services. -* The SSSD now ships a plugin for the rpc.idmapd daemon, - sss_rpcidmapd(5). -* A MIT Kerberos localauth plugin was added to SSSD. This plugin - helps translating principals to user names in IPA-AD trust - scenarios, allowing the krb5.conf configuration to be less - complex. -* A libwbclient plugin implementation is now part of the SSSD. - The main purpose is to map Active Directory users and groups - identified by their SID to POSIX users and groups for the - file-server use-case. -* Active Directory users ca nnow use their User Logon Name to log - in. -* The sss_cache tool was enhanced to allow invalidating the SSH - host keys. -* Groups without full POSIX information can now be used to enroll - group membership (CVE-2014-0249). -* Detection of transition from offline to online state was - improved, resulting in fewer timeouts when SSSD is offline. -* The Active Directory provider now correctly detects Windows - Server 2012 R2. Previous versions would fall back to the slower - non-AD path with 2012 R2. -* Several other bugs related to deployments where SSSD is acting - as an AD client were fixed. 
- -------------------------------------------------------------------- -Fri Aug 22 15:44:14 UTC 2014 - lchiquitto@suse.com - -- The utility sss_obfuscate uses the Python module pysss, so add a - dependency on python-sssd-config to sssd-tools (bnc#890242) - -------------------------------------------------------------------- -Sun Aug 10 12:20:50 UTC 2014 - jengelh@inai.de - -- Update to new upstream release 1.12.0 -* A new responder, called InfoPipe was added. This responder - provides a public D-Bus interface accessible over the system bus. - In this release, methods for retrieving user attributes and list - of groups were added as well as objects representing SSSD domains - and processes. (The next 1.12.x releases will publish objects - representing users and groups, too.) -* SSSD provides an ID-mapping plugin for cifs-utils so that Windows - SIDs can be mapped onto POSIX IDs and/or names without requiring - Winbind and using the same code as the SSSD uses for identity - information. -* First phase of Group Policy-based access control for the AD - provider was added. At the moment, the gpo-ldap component that - downloads the list of GPOs that apply for the specific client has - been implemented as well as the gpo-smb component that retrieves - the group policy files and determines the access control check - results based on those files. Future improvements will focus on - storing the GPO policies as local files and mapping the Windows - logon rights onto Linux PAM services. -* Added a new library called sss_sifp that provides a simple - synchronous API for communication with our new InfoPipe responder - over the system bus. 
-- Remove 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch - (merged upstream) -- Provide "rcsssd" in systemd environments -- Ensure sssd is always startable by removing /var/lib/sss/db/*.ldb - on package installation so as to avoid potentially cache - format incompatibility which would cause sssd to exit - -------------------------------------------------------------------- -Thu Jun 12 14:18:30 UTC 2014 - ckornacker@suse.com - -- fix %postun to not erroneously remove sss pam module - -------------------------------------------------------------------- -Tue May 27 16:56:42 UTC 2014 - crrodriguez@opensuse.org - -- Switch to libnl-3 so we can get rid of libnl-1. - -------------------------------------------------------------------- -Sat May 24 14:36:43 UTC 2014 - jengelh@inai.de - -- Redo 0001-build-detect-endianness-at-configure-time.patch to be -p1 -- Add 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch - to resolve runtime loading problems - (http://lists.opensuse.org/opensuse-factory/2014-05/msg00181.html ) - -------------------------------------------------------------------- -Tue May 13 11:11:59 UTC 2014 - varkoly@suse.com - -- bnc#877457 - 78 Configuration file /usr/lib/systemd/system/sssd.service is marked executable. - Please remove executable permission bits. - -------------------------------------------------------------------- -Tue May 6 14:01:29 UTC 2014 - ddiss@suse.com - -- Detect endianness at configure time, for use by Samba's byteorder.h header; - (bnc#876544). 
- + 0001-build-detect-endianness-at-configure-time.patch - -------------------------------------------------------------------- -Tue Apr 29 10:00:57 UTC 2014 - varkoly@suse.com - -- Update to new upstream release 1.11.5.1 - * sssd crashes after upgrade from 1.11.4 to 1.11.5 when using a samba4 domain - * SSSD pam module accepts usernames with leading spaces - * [RFE] Expose the list of trusted domains to IPA - * If both IPA and LDAP are set up with enumeration on, two enum tasks are running - * sssd.conf man pages don't list a configuration option. - * Make SSSD compilable on systems with non-standard paths to krb5 includes - * [freebsd] pam_sss: add ignore_unknown_user option - * MAN: Remove misleading memberof example from ldap_access_filter example - * not retrieving homedirs of AD users with posix attributes - * Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - * Check IPA idranges before saving them to the cache - * Evaluate usage of sudo LDAP provider together with the AD provider - * Setting int option to 0 yields the default value - * ipa-server-mode: Use lower-case user name component in home dir path - * SSSD Does not cache SELinux map from FreeIPA correctly - * IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in - * sssd fails to handle expired passwords when OTP is used - * Add another Kerberos error code to trigger IPA password migration - * Double OK when starting the service - * SSSD should create the SELinux mapping file with format expected by pam_selinux - * Valgrind: Invalid read of int while processing netgroup - * other subdomains are unavailable when joined to a subdomain in the ad forest - * Error during password change - * configure time variables not expanded when running ./configure - * RHEL7 IPA selinuxusermap hbac rule not always matching - -------------------------------------------------------------------- -Fri Mar 7 15:18:34 UTC 2014 - jengelh@inai.de - 
-- Update to new upstream release 1.11.4 -* The simple access provider supports specifying users and groups - using their NetBIOS domain name (such as DOMAIN\username) -* Support for enumerating users and groups from trusted AD domains - was added to the AD provider -* The Active Directory site discovery was made more robust for - configurations which use multiple trusted domains -* Several bugs in the LDAP provider that affected setups which - mapped Windows SIDs to POSIX IDs were fixed -* The SSSD is now able to use One Time Password (OTP) - authentication configured on an IPA server. - -------------------------------------------------------------------- -Fri Dec 20 21:54:58 UTC 2013 - jengelh@inai.de - -- Update to new upstream release 1.11.3 -* The AD provider is able to resolve group memberships for groups - with Global and Universal scope -* The initgroups (get groups for user) operation for users from - trusted AD domains was made more reliable by reading the required - tokenGroups attribute from LDAP instead of Global Catalog -* A new option ad_enable_gc was added to the AD provider. This - option allows the administrator to force SSSD to talk to LDAP - port only and never try the Global Catalog -* The AD provider is now able to leverage the tokenGroups attribute - even when POSIX attributes are used, providing better performance - during logins. -* A memory leak in the NSS responder that affected long-lived - clients that requested netgroup data was fixed -- Remove sssd-ldflags.diff (merged upstream) - -------------------------------------------------------------------- -Thu Nov 28 16:51:39 UTC 2013 - ckornacker@suse.com - -- Migrate deprecated krb5_kdcip variable to krb5_server (bnc#851048) - -------------------------------------------------------------------- -Fri Nov 1 22:12:03 UTC 2013 - jengelh@inai.de - -- Update to new upstream release 1.11.2 -* A new option ad_access_filter was added. 
This option allows the - administrator to easily configure LDAP search filter that the users - logging in must match in order to be granted access. -* The Kerberos provider will no longer try to create public - directories when evaluating the krb5_ccachedir option. -- Remove 0005-implicit-decl.diff (merged upstream) - -------------------------------------------------------------------- -Tue Sep 3 21:12:37 UTC 2013 - jengelh@inai.de - -- Update to new upstream release 1.11.0 -* The sudo integration was made more robust. SSSD is now able to - gracefully handle situations where it is not able to resolve the - client host name or sudo rules have multiple name attributes. -* Several nested group membership bugs were fixed -* The PAC responder was made more robust and efficient, modifying - existing cache entries instead of always recreating them. -* The Kerberos provider now supports the new KEYRING ccache type. -- Remove sssd-no-ldb-check.diff, now implemented through a - configure argument --disable-ldb-version-check - -------------------------------------------------------------------- -Sun Jun 16 16:11:42 UTC 2013 - jengelh@inai.de - -- Explicitly formulate SASL BuildRequires - -------------------------------------------------------------------- -Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de - -- Update to new upstream release 1.9.5 -* Includes a fix for CVE-2013-0287: A simple access provider flaw - prevents intended ACL use when SSSD is configured as an Active - Directory client. -* Fixed spurious password expiration warning that was printed on - login with the Kerberos back end. -* A new option ldap_rfc2307_fallback_to_local_users was added. If - this option is set to true, SSSD is be able to resolve local - group members of LDAP groups. -* Fixed an indexing bug that prevented the contents of autofs maps - from being returned to the automounter deamon in case the map - contained a large number of entries. 
-* Several fixes for safer handling of Kerberos credential caches - for cases where the ccache is set to be stored in a DIR: type. -- Remove Provide-a-be_get_account_info_send-function.patch, - Add-unit-tests-for-simple-access-test-by-groups.patch, - Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch, - Resolve-GIDs-in-the-simple-access-provider.patch - (CVE-2013-0287 material is in upstream), - sssd-sysdb-binary-attrs.diff (merged upstream) - -------------------------------------------------------------------- -Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de - -- Implement signature verification - -------------------------------------------------------------------- -Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com - -- Fixed security issue: CVE-2013-0287 (bnc#809153): - When SSSD is configured as an Active Directory client by using - the new Active Directory provider or equivalent configuration - of the LDAP provider, the Simple Access Provider does not - handle access control correctly. If any groups are specified - with the simple_deny_groups option, the group members are - permitted access. New patches: - * Provide-a-be_get_account_info_send-function.patch - * Add-unit-tests-for-simple-access-test-by-groups.patch - * Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch - * Resolve-GIDs-in-the-simple-access-provider.patch - -------------------------------------------------------------------- -Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de - -- Resolve user retrieval problems when encountering binary data - in LDAP attributes (bnc#806078), - added sssd-sysdb-binary-attrs.diff -- Added sssd-no-ldb-check.diff so that SSSD continues to start - even after an LDB update. 
- -------------------------------------------------------------------- -Fri Feb 8 10:31:52 UTC 2013 - rhafer@suse.com - -- fix package name in baselibs.conf (bnc#796423) - -------------------------------------------------------------------- -Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com - -- update to 1.9.4 (bnc#801036): - * A security bug assigned CVE-2013-0219 was fixed - TOCTOU race - conditions when creating or removing home directories for users - in local domain - * A security bug assigned CVE-2013-0220 was fixed - out-of-bounds - reads in autofs and ssh responder - * The sssd_pam responder processes pending requests after - reconnect - * A serious memory leak in the NSS responder was fixed - * Requests that were processing group entries with DNs pointing - out of any configured search bases were not terminated - correctly, causing long timeouts - * Kerberos tickets are correctly renewed even after SSSD daemon - restart - * Multiple fixes related to SUDO integration, in particular - fixing functionality when the sssd back end process was - changing its online/offline status - * The pwd_exp_warning option was fixed to function as documented - in the manual page -- refreshed sssd-ldflags.diff to apply cleanly - -------------------------------------------------------------------- -Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com - -- Removed left-over "Requires" for no longer existing sssd-client - subpackage. -- New patch: sssd-ldflags.diff to fix link failures due to erroneous - LDFLAGS usage - -------------------------------------------------------------------- -Thu Dec 6 10:38:59 UTC 2012 - rhafer@suse.com - -- Switch back to using libcrypto instead of mozilla-nss as it seems - to be supported upstream again, cf. 
- https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010202.html -- Cleanup PAM configuration after uninstalling sssd (bnc#788328) - -------------------------------------------------------------------- -Thu Dec 6 09:05:29 UTC 2012 - jengelh@inai.de - -- Update to new upstream release 1.9.3 -* Many fixes related to deployments where the SSSD is running as - a client of IPA server with trust relation established with an - Active Directory server -* Multiple fixes related to correct reporting of group - memberships, especially in setups that use nested groups -* Fixed a bug that prevented upgrade from the 1.8 series if the - cache contained nested groups before the upgrade -* Restarting the responders is more robust for cases where the - machine is under heavy load during back end restart -* The default_shell option can now be also set per-domain in - addition to global setting. - -------------------------------------------------------------------- -Sat Nov 10 00:27:06 UTC 2012 - jengelh@inai.de - -- Update to new upstream release 1.9.2 -* Users or groups from trusted domains can be retrieved by UID or - GID as well -* Several fixes that mitigate file descriptor leak during logins -* SSH host keys are also removed from the cache after being - removed from the server -* Fix intermittent crash in responders if the responder was - shutting down while requests were still pending -* Catch an error condition that might have caused a tight loop in - the sssd_nss process while refreshing expired enumeration request -* Fixed memory hierarchy of subdomains discovery requests that - caused use-after-free access bugs -* The krb5_child and ldap_child processes can print libkrb5 tracing - information in the debug logs - -------------------------------------------------------------------- -Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de - -- Update to new upstream release 1.8.93 (1.9.0~beta3) -* Add native support for autofs to the IPA provider -* Support for id mapping 
when connecting to Active Directory -* Support for handling very large (> 1500 users) groups in - Active Directory -* Add a new fast in-memory cache to speed up lookups of cached data - on repeated requests -* Add support for the Kerberos DIR cache for storing multiple TGTs - automatically -* Add a new PAC responder for dealing with cross-realm Kerberos - trusts -* Terminate idle connections to the NSS and PAM responders - -------------------------------------------------------------------- -Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de - -- Update to new upstream release 1.8.3 -* LDAP: Handle situations where the RootDSE is not available - anonymously -* LDAP: Fix regression for users using non-standard LDAP attributes - for user information -- Switch from openssl to mozilla-nss, as this is the officially - supported crypto integration - -------------------------------------------------------------------- -Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com - -- Fix build error on SLES 11 builds - -------------------------------------------------------------------- -Mon Apr 9 21:45:45 PDT 2012 - ben.kevan@gmail.com - -- Add suse_version condition for glib over libunistring for - SLES 11 SP2. 
-- Update to new upstream release 1.8.2 -* Fix for GSSAPI binds when the keytab contains unrelated - principals -* Workarounds added for LDAP servers with unreadable RootDSE - -------------------------------------------------------------------- -Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com - -- Update to new upstream release 1.8.1 -* Resolve issue where we could enter an infinite loop trying to - connect to an auth server - -------------------------------------------------------------------- - -Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de - -- Update to new upstream release 1.8.0 -* Support for the service map in NSS -* Support for setting default SELinux user context from FreeIPA -* Support for retrieving SSH user and host keys from LDAP -* Support for caching autofs LDAP requests -* Support for caching SUDO rules -* Include the IPA AutoFS provider -* Fixed several memory-corruption bugs -* Fixed a regression in the proxy provider - -------------------------------------------------------------------- -Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de - -- Fixed systemd related packaging issues (bnc#724157) -- fixed build on older openSUSE releases - -------------------------------------------------------------------- -Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de - -- Resolve "have choice for libnl-devel: - libnl-1_1-devel libnl3-devel" - -------------------------------------------------------------------- -Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de - -- Fixed typos in configure args -- Cherry-picked password policy fixes from 1.5 branch (bnc#705768) -- switched to fd-leak fix cherry-picked from 1.5 branch -- Add /usr/sbin to the search path to make configure find nscd - (bnc#709747) - -------------------------------------------------------------------- -Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de - -- Add patches to fix an fd leak in sssd_pam - -------------------------------------------------------------------- -Thu Jul 28 10:03:32 UTC 2011 - 
jengelh@medozas.de - -- Update to new upstream release 1.5.11 -* Support for overriding home directory, shell and primary GID - locally -* Properly honor TTL values from SRV record lookups -* Support non-POSIX groups in nested group chains (for RFC2307bis - LDAP servers) -* Properly escape IPv6 addresses in the failover code -* Do not crash if inotify fails (e.g. resource exhaustion) -- Remove redundant %clean section; delete .la files more - efficiently - -------------------------------------------------------------------- -Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de - -- Update to 1.5.8: - * Support for the LDAP paging control - * Support for multiple DNS servers for name resolution - * Fixes for several group membership bugs - * Fixes for rare crash bugs - -------------------------------------------------------------------- -Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de - -- Update to 1.5.7 - * A flaw was found in the handling of cached passwords when - kerberos renewal tickets is enabled. 
Due to a bug, the cached - password was overwritten with a (moderately) predictable - filename, which could allow a user to authenticate as someone - else if they knew the name of the cache file (bnc#691135, - CVE-2011-1758) -- Changes in 1.5.6: - * Fixed a serious memory leak in the memberOf plugin - * Fixed a regression with the negative cache that caused it to be - essentially nonfunctional - * Fixed an issue where the user's full name would sometimes be - removed from the cache - * Fixed an issue with password changes in the kerberos provider - not working with kpasswd - -------------------------------------------------------------------- -Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de - -- Update to 1.5.5 - * Fixes for several crash bugs - * LDAP group lookups will no longer abort if there is a - zero-length member attribute - * Add automatic fallback to 'cn' if the 'gecos' attribute does not - exist - -------------------------------------------------------------------- -Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de - -- Should build in SLE-11-SP1 now - -------------------------------------------------------------------- -Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de - -- Updated to 1.5.4 - * Fixes for Active Directory when not all users and groups have - POSIX attributes - * Fixes for handling users and groups that have name aliases - (aliases are ignored) - * Fix group memberships after initgroups in the IPA provider - -------------------------------------------------------------------- -Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de - -- Updated to 1.5.3 - * Support for libldb >= 1.0.0 - * Proper detection of manpage translations - * Changes between 1.5.1 and 1.5.2 - * Fixes for support of FreeIPA v2 - * Fixes for failover if DNS entries change - * Improved sss_obfuscate tool with better interactive mode - * Fix several crash bugs - * Don't attempt to use START_TLS over SSL. 
Some LDAP servers - can't handle this - * Delete users from the local cache if initgroups calls return - 'no such user' (previously only worked for getpwnam/getpwuid) - * Use new Transifex.net translations - * Better support for automatic TGT renewal (now survives - restart) - * Netgroup fixes - -------------------------------------------------------------------- -Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de - -- Updated to 1.5.1 - * Vast performance improvements when enumerate = true - * All PAM actions will now perform a forced initgroups lookup - instead of just a user information lookup This guarantees that - all group information is available to other providers, such as - the simple provider. - * For backwards-compatibility, DNS lookups will also fall back to - trying the SSSD domain name as a DNS discovery domain. - * Support for more password expiration policies in LDAP - - 389 Directory Server - - FreeIPA - - ActiveDirectory - * Support for ldap_tls_{cert,key,cipher_suite} config options - * Assorted bugfixes - -------------------------------------------------------------------- -Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de - -- /var/lib/sss/pubconf was missing (bnc#665442) - -------------------------------------------------------------------- -Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de - -- It was possible to make sssd hang forever inside a loop in the - PAM responder by sending a carefully crafted packet to sssd. - This could be exploited by a local attacker to crash sssd and - prevent other legitimate users from logging into the system. - (bnc#660481, CVE-2010-4341) - -------------------------------------------------------------------- -Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de - -- Own /etc/systemd directories to fix build. 
- -------------------------------------------------------------------- -Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com - -- install systemd service file - -------------------------------------------------------------------- -Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com - -- Updated to 1.4.1 - * Add support for netgroups to the LDAP and proxy providers - * Fixes a minor bug with UIDs/GIDs >= 2^31 - * Fixes a segfault in the kerberos provider - * Fixes a segfault in the NSS responder if a data provider crashes - * Correctly use sdap_netgroup_search_base - * the utility libraries libpath_utils1, libpath_utils-devel, - libref_array1 and libref_array-devel moved to their own - separate upstream project (ding-libs) - * Performance improvements made to group processing of RFC2307 - LDAP servers - * Fixed nested group issues with RFC2307bis LDAP servers without - a memberOf plugin - * Manpage reviewed and updated - -------------------------------------------------------------------- -Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com - -- remove hard coded python version - -------------------------------------------------------------------- -Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com - -- No dependencies on %{release} - -------------------------------------------------------------------- -Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com - -- Updated to 1.3.1 - * Fixes to the HBAC backend for obsolete or removed HBAC entries - * Improvements to log messages around TLS and GSSAPI for LDAP - * Support for building in environments using --as-needed LDFLAGS - * Vast performance improvement for initgroups on RFC2307 LDAP servers - * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the - daemon if SSSD is restarted - * Rewrote the internal LDB cache API. 
As a synchronous API it is now faster - to access and easier to work with - * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider - - We now handle failover situations much more reliably than we did - previously - - We also will now monitor the GSSAPI kerberos ticket and automatically - renew it when appropriate, instead of waiting for a connection to fail - * Support for netlink now allows us to more quickly detect situations - where we may have come online - * New option "dns_discovery_domain" allows better configuration for - using SRV records for failover -- New subpackages: libpath_utils1, libpath_utils-devel, libref_array1 - and libref_array-devel - -------------------------------------------------------------------- -Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com - -- Package pam- and nss-Modules as baselibs -- cleaned up file list and dependencies -- fixed init script dependencies - -------------------------------------------------------------------- -Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com - -- Updated to 1.1.0 - * Support for IPv6 - * Support for LDAP referrals - * Offline failed login counter - * Fix for the long-standing cache cleanup performance issues - * libini_config, libcollection, libdhash, libref_array and - libpath_utils are now built as shared libraries for general - consumption (libref_array and libpath_utils are currently not - packaged, as no component in sssd links against them) - * Users get feedback from PAM if they authenticated offline - * Native local backend now has a utility to show nested memberships - (sss_groupshow) - * New "simple" access provider for easy restriction of users -- Backported libcrypto support from master to avoid Mozilla NSS - dependency -- Backported password policy improvments for LDAP provider from - master - -------------------------------------------------------------------- -Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com - -- use logfiles for debug messages by default - 
------------------------------------------------------------------- Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com diff --git a/sssd.keyring b/sssd.keyring deleted file mode 100644 index cbd1779..0000000 --- a/sssd.keyring +++ /dev/null 
@@ -1,34 +0,0 @@ -pub 1024D/32E7BC25 2007-02-02 -uid Jakub Hrozek -sub 2048g/132DCA21 2007-02-02 - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.19 (GNU/Linux) - -mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MU -XQDAKJM7MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0 -R+OiWh8d7ChCG6riv/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWX -qZoZrm4lPlBZQltfhzdmvn8D/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjg -q9Knn4sE9lnGjtG4RCYMT2Sideognk9Ah5nWOGynwta6cluCEqlF6ORJPKpAeqG1 -a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/XtMoHSSyPi/Xum6R+jwISv7n -TMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlSB6tAqN0G7VL6AFcs -iOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KNtbnCrhS+ -Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv -emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iF8EExECACAFAkXDdfUCGwMGCwkIBwMC -BBUCCAMEFgIDAQIeAQIXgAAKCRAexqt1Mue8JSHBAKCjYF/HshYkJ8pSZTilLO0y -bMWOFwCYlOqF7icGVDFT42W3CoqLfgajCrkCDQRFw3YAEAgAuqo0FxH1XtdOi/qW -6v+tWdqYHLj/f0Voqj1cbpS+cODNTaX1/Xf4Jnv6vm4lOG5gIkqD1e5UCpG5pDJv -MkrpY0lYRr5RGoC29tHZYXfEBVEkdhuU7ZTSQRaoitK5TSwjOj5aKvFSHEjMrCWc -GSUajECQkRHwZb3HK2wqqBWrJjjjPtj+5cQg+sKp7Zp6xU3iZlMoVfdYi/zGenum -Cp5SMm8CZZ5gcsNZhjItkTww5K//N6Kz41oMYyHlgh029JD0LHPgKacP3KeEEDzS -DEx/SSEF4zD/EfLDHehga/n0ZisNmxdxue/BI2Lm7qqGNDtV+qa17pIJ6fPfafbS -AKYatwAECwf/SuMkZN36UDsoOn06qIrYi5JBss3sOfheJEnqUIEO0JCpyb+fqisd -qoTJM0G5gFpCvuZOACpzzVv0WjhlMIyPl/7UuP4KYI6LGqAARqNxsHT7FNxT0Uv6 -QR8fGPQqVdFLFBd66EBL9PnOt3RDYwtJlD9cMNUNpzWEXjJ3RCk0lZF2eljpPlu0 -Or53OuiommnhmcmjxR5gvMf4pLqURhEZ2U0ylRiTiTIk0YyIASsDnAf0BClFXz4i -4qSD6jJloKorRC7Mu87xi1DG4ML+FYC/2d53I8OqHBRhtNUt/GbcthsHDxFq5iVp -NxwDAX1vr65PWv98pvTMnJmjIDhfgwJMdIhJBBgRAgAJBQJFw3YAAhsMAAoJEB7G -q3Uy57wllOcAoKkHB3lDFWlUNcSLdRCQxfsCCy7zAJ9GLSU2G0HR+hQVMi2ONorE -i/EyTA== -=nO6v ------END PGP PUBLIC KEY BLOCK----- diff --git a/sssd.service b/sssd.service deleted file mode 100644 index 0aa0e74..0000000 --- a/sssd.service +++ /dev/null 
@@ -1,15 +0,0 @@ -[Unit] -Description=System Security Services Daemon -Before=nss-user-lookup.target -Wants=nss-user-lookup.target - -[Service] -EnvironmentFile=-/etc/sysconfig/sssd -ExecStart=/usr/sbin/sssd -D -f -# These two should be used with traditional UNIX forking daemons -# consult systemd.service(5) for more details -Type=forking -PIDFile=/var/run/sssd.pid - -[Install] -WantedBy=multi-user.target diff --git a/sssd.spec b/sssd.spec index fe3c7e0..b0ccbde 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # -# spec file for package sssd +# spec file for package sssd (Version 1.0.5) # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,73 +16,50 @@ # + Name: sssd -Version: 1.13.3 -Release: 0 -Summary: System Security Services Daemon -License: GPL-3.0+ and LGPL-3.0+ +Version: 1.0.5 +Release: 1 Group: System/Daemons +Summary: System Security Services Daemon +# The entire source code is GPLv3+ except replace/ which is LGPLv3+ +License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ - -#Git-Clone: git://git.fedorahosted.org/sssd -Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz -Source2: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz.asc -Source3: baselibs.conf -Source4: sssd.service -Source5: %name.keyring +Source0: %{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build -Patch1: 0001-build-detect-endianness-at-configure-time.patch -%define servicename sssd -%define sssdstatedir %_localstatedir/lib/sss -%define dbpath %sssdstatedir/db -%define pipepath %sssdstatedir/pipes -%define pubconfpath %sssdstatedir/pubconf +### Patches ### -BuildRequires: autoconf >= 2.59 +### Dependencies ### +%define servicename sssd +%define sssdstatedir %{_localstatedir}/lib/sss +%define dbpath %{sssdstatedir}/db +%define pipepath %{sssdstatedir}/pipes + +### Build Dependencies ### + +BuildRequires: autoconf BuildRequires: automake -BuildRequires: bind-utils -BuildRequires: cifs-utils-devel -BuildRequires: cyrus-sasl-devel -BuildRequires: docbook-xsl-stylesheets -BuildRequires: krb5-devel >= 1.12 -BuildRequires: libsmbclient-devel BuildRequires: libtool -BuildRequires: libxml2-tools -BuildRequires: libxslt-tools -BuildRequires: nscd +BuildRequires: m4 +BuildRequires: popt-devel +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: libtdb-devel +BuildRequires: libldb-devel +BuildRequires: dbus-1-devel BuildRequires: openldap2-devel BuildRequires: pam-devel -BuildRequires: pkg-config >= 0.21 +BuildRequires: pkg-config +BuildRequires: mozilla-nss-devel +BuildRequires: mozilla-nspr-devel +BuildRequires: pcre-devel +BuildRequires: 
libxslt +BuildRequires: libxml2 +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel +BuildRequires: libcares-devel BuildRequires: python-devel -BuildRequires: python3-devel -BuildRequires: systemd-rpm-macros -BuildRequires: pkgconfig(augeas) >= 1.0.0 -BuildRequires: pkgconfig(collection) >= 0.5.1 -BuildRequires: pkgconfig(dbus-1) >= 1.0.0 -BuildRequires: pkgconfig(dhash) >= 0.4.2 -BuildRequires: pkgconfig(glib-2.0) -BuildRequires: pkgconfig(ini_config) >= 1.1.0 -BuildRequires: pkgconfig(ldb) >= 0.9.2 -BuildRequires: pkgconfig(libcares) -BuildRequires: pkgconfig(libcrypto) -BuildRequires: pkgconfig(libnfsidmap) -BuildRequires: pkgconfig(libnl-3.0) >= 3.0 -BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 -BuildRequires: pkgconfig(libpcre) >= 7 -BuildRequires: pkgconfig(libsystemd-login) -BuildRequires: pkgconfig(ndr_nbt) -BuildRequires: pkgconfig(popt) -BuildRequires: pkgconfig(python) -BuildRequires: pkgconfig(talloc) -BuildRequires: pkgconfig(tdb) >= 1.1.3 -BuildRequires: pkgconfig(tevent) -%{?systemd_requires} -Requires: sssd-ldap = %version-%release -Requires(postun): pam-config -Provides: libsss_sudo = %version-%release -Provides: sssd-client = %version-%release -Obsoletes: libsss_sudo < %version-%release %description Provides a set of daemons to manage access to remote directories and 
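Review bot: On the new side the tarball is pulled in as a bare `Source0: %{name}-%{version}.tar.gz` with no upstream URL, no detached signature and no keyring, so nothing in this spec lets the build service check that the archive matches an upstream-signed release. For an authentication daemon that ships a PAM module and an NSS plugin that is a weak point in the supply chain. I would restore the provenance lines: `Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz`, `Source1: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz.asc`, `Source2: %{name}.keyring`. I cannot confirm from here that upstream published a detached `.asc` for 1.0.5; if it did not, keep at least the download URL so the archive can be re-fetched and compared.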
@@ -91,638 +68,147 @@ the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. -%package ad -Summary: The ActiveDirectory backend plugin for sssd -License: GPL-3.0+ +%package ipa-provider +License: GPLv3+ and LGPLv3+ +Summary: FreeIPA provider plugin for sssd Group: System/Daemons -Requires: %name-krb5-common = %version +Requires: sssd = %{version} -%description ad -Provides the Active Directory back end that the SSSD can utilize to -fetch identity data from and authenticate against an Active Directory -server. - -%package dbus -Summary: The D-Bus responder of sssd -License: GPL-3.0+ -Group: System/Base -Requires: %name = %version - -%description dbus -Provides the D-Bus responder of sssd, called InfoPipe, which allows -information from sssd to be transmitted over the system bus. - -%package ipa -Summary: FreeIPA backend plugin for sssd -License: GPL-3.0+ -Group: System/Daemons -Requires: %name = %version -Requires: %name-krb5-common = %version-%release -Obsoletes: %name-ipa-provider < %version-%release -Provides: %name-ipa-provider = %version-%release - -%description ipa -Provides the IPA back end that the SSSD can utilize to fetch identity -data from and authenticate against an IPA server. - -%package krb5 -Summary: The Kerberos authentication backend plugin for sssd -License: GPL-3.0+ -Group: System/Daemons -Requires: %name-krb5-common = %version-%release - -%description krb5 -Provides the Kerberos back end that the SSSD can utilize authenticate -against a Kerberos server. - -%package krb5-common -Summary: SSSD helpers needed for Kerberos and GSSAPI authentication -License: GPL-3.0+ -Group: System/Daemons - -%description krb5-common -Provides helper processes that the LDAP and Kerberos back ends can -use for Kerberos user or host authentication. 
- -%package ldap -Summary: The LDAP backend plugin for sssd -License: GPL-3.0+ -Group: System/Daemons -Requires: %name-krb5-common = %version-%release - -%description ldap -Provides the LDAP back end that the SSSD can utilize to fetch -identity data from and authenticate against an LDAP server. - -%package proxy -Summary: The proxy backend plugin for sssd -License: GPL-3.0+ -Group: System/Daemons - -%description proxy -Provides the proxy back end which can be used to wrap an existing NSS -and/or PAM modules to leverage SSSD caching. +%description ipa-provider +This package provide the FreeIPA provider plugin for the System Security +Services Daemon (sssd). %package tools +License: GPLv3+ and LGPLv3+ Summary: Commandline tools for sssd -License: GPL-3.0+ and LGPL-3.0+ Group: System/Management -Requires: python-sssd-config = %version -Requires: sssd = %version -%py_requires +Requires: sssd = %{version} %description tools The packages contains commandline tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). -%package wbclient -Summary: SSSD's implementation of the Winbind pipe protocol -License: LGPL-3.0+ -Group: System/Libraries - -%description wbclient -libwbclient is a plugin for the Samba client, though it has been -implemented as a regular shared library requested via DT_NEEDED. - -sssd-wbclient implements the libwbclient API for Samba daemons and -utilities. The main purpose is to map Active Directory users and -groups identified by their SID to POSIX users and groups identified -by their POSIX UIDs and GIDs respectively. - -%package wbclient-devel -Summary: Development files for SSSD winbind -License: LGPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: %name-wbclient = %version - -%description wbclient-devel -sssd-wbclient implements the libwbclient API for Samba daemons and -utilities. 
The main purpose is to map Active Directory users and -groups identified by their SID to POSIX users and groups identified -by their POSIX UIDs and GIDs respectively. - -%package -n libipa_hbac0 -Summary: FreeIPA HBAC Evaluator library -License: LGPL-3.0+ -Group: System/Libraries - -%description -n libipa_hbac0 -Utility library to validate FreeIPA HBAC rules for authorization -requests. - -%package -n libipa_hbac-devel -Summary: Development files for the FreeIPA HBAC Evaluator library -License: LGPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: libipa_hbac0 = %version - -%description -n libipa_hbac-devel -Utility library to validate FreeIPA HBAC rules for authorization -requests. - -%package -n libnfsidmap-sss -Summary: Library to allow communication between libnfsidmap and SSSD -License: GPL-3.0+ -Group: System/Libraries -Supplements: packageand(nfsidmap:sssd-client) - -%description -n libnfsidmap-sss -A utility library to allow communication between libnfsidmap and SSSD. - -%package -n libsss_idmap0 -Summary: FreeIPA ID mapping library -License: LGPL-3.0+ -Group: System/Libraries - -%description -n libsss_idmap0 -A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. - -%package -n libsss_idmap-devel -Summary: Development files for the FreeIPA idmap library -License: LGPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: libsss_idmap0 = %version - -%description -n libsss_idmap-devel -A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. - -%package -n libsss_nss_idmap0 -Summary: FreeIPA ID mapping library -License: LGPL-3.0+ -Group: System/Libraries - -%description -n libsss_nss_idmap0 -A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. 
- -%package -n libsss_nss_idmap-devel -Summary: Development files for the FreeIPA idmap library -License: LGPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: libsss_nss_idmap0 = %version - -%description -n libsss_nss_idmap-devel -A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. - -%package -n libsss_simpleifp0 -Summary: The SSSD D-Bus responder helper library -License: GPL-3.0+ -Group: System/Libraries - -%description -n libsss_simpleifp0 -This subpackage provides a library that simplifies the D-Bus API for -the SSSD InfoPipe responder. - -%package -n libsss_simpleifp-devel -Summary: Development files for the SSSD D-Bus responder helper library -License: GPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: libsss_simpleifp0 = %version - -%description -n libsss_simpleifp-devel -This subpackage provides the development files for sssd's simpleifp, -a library that simplifies the D-Bus API for the SSSD InfoPipe -responder. - -%package -n libsss_sudo -Summary: A library to allow communication between sudo and SSSD -License: LGPL-3.0+ -Group: System/Libraries -Supplements: packageand(sudo:sssd-client) - -%description -n libsss_sudo -A utility library to allow communication between sudo and SSSD. - -%package -n python-ipa_hbac -Summary: Python bindings for the FreeIPA HBAC Evaluator library -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python-ipa_hbac -The python-ipa_hbac package contains the bindings so that libipa_hbac -can be used by Python applications. - -%package -n python3-ipa_hbac -Summary: Python bindings for the FreeIPA HBAC Evaluator library -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python3-ipa_hbac -The python-ipa_hbac package contains the bindings so that libipa_hbac -can be used by Python applications. 
- -%package -n python-sss-murmur -Summary: Python2 bindings for SSSD Murmur hash function -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python-sss-murmur -This subpackage provides the python2 module for calculating the -Murmur hash version 3. - -%package -n python3-sss-murmur -Summary: Python3 bindings for SSSD Murmur hash function -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python3-sss-murmur -This subpackage provides the python3 module for calculating the -Murmur hash version 3. - -%package -n python-sss_nss_idmap -Summary: Python bindings for libsss_nss_idmap -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python-sss_nss_idmap -The libsss_nss_idmap-python contains the bindings so that -libsss_nss_idmap can be used by Python applications. - -%package -n python3-sss_nss_idmap -Summary: Python bindings for libsss_nss_idmap -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python3-sss_nss_idmap -The libsss_nss_idmap-python contains the bindings so that -libsss_nss_idmap can be used by Python applications. - %package -n python-sssd-config +License: GPLv3+ and LGPLv3+ Summary: Python API for configuring sssd -License: GPL-3.0+ and LGPL-3.0+ Group: Development/Libraries/Python +%{py_requires} %description -n python-sssd-config Provide python module to access and manage configuration of the System Security Services Daemon (sssd). -%package -n python3-sssd-config -Summary: Python API for configuring sssd -License: GPL-3.0+ and LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python3-sssd-config -Provide python module to access and manage configuration of the System -Security Services Daemon (sssd). 
- %prep %setup -q -%patch -P 1 -p1 %build -%if 0%{?suse_version} < 1210 -# pkgconfig file not present -export LDB_LIBS="-lldb" -export LDB_CFLAGS=" " -export LDB_DIR="%_libdir/ldb" -%else -export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" -%endif - -# help configure find nscd -export PATH="$PATH:/usr/sbin" - -autoreconf -fiv; -export CFLAGS="%optflags -fPIE" -export LDFLAGS="-pie" +export LDB_LIBS="-lldb" +export LDB_CFLAGS="-I/usr/include" %configure \ - --with-crypto=libcrypto \ - --with-db-path="%dbpath" \ - --with-pipe-path="%pipepath" \ - --with-pubconf-path="%pubconfpath" \ - --with-init-dir="%_initrddir" \ - --enable-nsslibdir="/%_lib" \ - --enable-pammoddir="/%_lib/security" \ - --with-ldb-lib-dir="$LDB_DIR" \ - --with-selinux=no \ - --with-os=suse \ - --with-semanage=no \ - --disable-ldb-version-check \ - --disable-pac-responder + --without-tests \ + --with-db-path=%{dbpath} \ + --with-pipe-path=%{pipepath} \ + --with-init-dir=%{_initrddir} \ + --enable-nsslibdir=/%{_lib} \ + --with-ldb-lib-dir=%{_libdir}/ldb \ + --with-selinux=no -make %{?_smp_mflags} all +#make %{?_smp_mflags} +make %install -b="%buildroot"; -make install DESTDIR="$b" +rm -rf $RPM_BUILD_ROOT + +make install DESTDIR=$RPM_BUILD_ROOT # Copy default sssd.conf file -install -d "$b/%_mandir"/{cs,cs/man8,nl,nl/man8,pt,pt/man8,uk,uk/man1} \ - "$b/%_mandir"/{uk/man5,uk/man8}; -install -d "$b/%_sysconfdir/sssd"; -install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"; -install -d "$b/%_unitdir"; -install -m644 %{S:4} "$b/%_unitdir/sssd.service"; -rm -Rf "$b/%_initddir" -ln -s service "$b/%_sbindir/rcsssd" +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd +install -m600 server/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +install server/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd +ln -sf ../../etc/init.d/sssd $RPM_BUILD_ROOT/usr/sbin/rcsssd -mkdir -p "$b/%sssdstatedir/mc" -mkdir -p "$b/%_sysconfdir/ld.so.conf.d" -cat 
>"$b/%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf" <<-EOF - %_libdir/%name/modules -EOF -find "$b" -type f -name "*.la" -delete; +# Remove .la files created by libtool +rm -f \ + $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \ + $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ + $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ + $RPM_BUILD_ROOT/%{_libdir}/python2.6/site-packages/pysss.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ + $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la -rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1" +%find_lang sss_daemon +%find_lang sss_client +cat sss_client.lang >> sss_daemon.lang -%find_lang %name --all-name +%clean +rm -rf $RPM_BUILD_ROOT -%pre -%service_add_pre sssd.service - -%post -# migrate config variable krb5_kdcip to krb5_server (bnc#851048) -/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf -/sbin/ldconfig -%service_add_post sssd.service - -%preun -%service_del_preun sssd.service - -%postun -if [ "$1" = "0" ]; then - "%_sbindir/pam-config" -d --sss || :; -fi; -/sbin/ldconfig -# Clear caches, which may have an incompatible format afterwards -# (especially, downgrades) -rm -f /var/lib/sss/db/*.ldb -# del_postun includes a try-restart -%service_del_postun sssd.service -%insserv_cleanup - -%post -n libipa_hbac0 -p /sbin/ldconfig -%postun -n libipa_hbac0 -p /sbin/ldconfig -%post -n libsss_idmap0 -p /sbin/ldconfig -%postun -n libsss_idmap0 -p /sbin/ldconfig -%post -n libsss_nss_idmap0 -p /sbin/ldconfig -%postun -n libsss_nss_idmap0 -p /sbin/ldconfig -%post -n libsss_simpleifp0 -p /sbin/ldconfig -%postun -n libsss_simpleifp0 -p /sbin/ldconfig - -%files -f sssd.lang -%defattr(-,root,root) +%files -f sss_daemon.lang +%defattr(-,root,root,-) %doc COPYING -%_unitdir -%_bindir/sss_ssh_* -%_sbindir/sssd -%_sbindir/rcsssd -%dir 
%_mandir/??/ -%dir %_mandir/??/man[158]/ -%_mandir/??/man1/sss_ssh_* -%_mandir/??/man5/sssd-simple.5* -%_mandir/??/man5/sssd-sudo.5* -%_mandir/??/man5/sssd.conf.5* -%_mandir/??/man8/sssd.8* -%_mandir/man1/sss_ssh_* -%_mandir/man5/sssd-simple.5* -%_mandir/man5/sssd-sudo.5* -%_mandir/man5/sssd.conf.5* -%_mandir/man8/sssd.8* -%dir %_libdir/%name/ -%_libdir/%name/libsss_child* -%_libdir/%name/libsss_cert* -%_libdir/%name/libsss_crypt* -%_libdir/%name/libsss_debug* -%_libdir/%name/libsss_semanage* -%_libdir/%name/libsss_simple* -%_libdir/%name/libsss_util* -%dir %_libdir/%name/modules/ -%_libdir/%name/modules/libsss_autofs.so -%_libdir/libsss_sudo.so -%dir %_libdir/ldb/ -%_libdir/ldb/memberof.so -%dir %_libexecdir/%name/ -%_libexecdir/%name/sssd_autofs -%_libexecdir/%name/sssd_be -%_libexecdir/%name/sssd_nss -%_libexecdir/%name/sssd_pam -%_libexecdir/%name/sssd_ssh -%_libexecdir/%name/sssd_sudo -%_libexecdir/%name/sss_signal -%dir %sssdstatedir -%attr(700,root,root) %dir %dbpath/ -%attr(755,root,root) %dir %pipepath/ -%attr(700,root,root) %dir %pipepath/private/ -%attr(755,root,root) %dir %pubconfpath/ -%attr(755,root,root) %dir %sssdstatedir/mc/ -%attr(700,root,root) %dir %sssdstatedir/keytabs/ -%attr(750,root,root) %dir %_localstatedir/log/%name/ -%dir %_sysconfdir/sssd/ -%config(noreplace) %_sysconfdir/sssd/sssd.conf -%dir %_datadir/%name/ -%_datadir/%name/sssd.api.conf -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-local.conf -%_datadir/%name/sssd.api.d/sssd-simple.conf -# -# sssd-client -# -/%_lib/libnss_sss.so.2 -/%_lib/security/pam_sss.so -%_libdir/cifs-utils/ -%_libdir/krb5/ -%_libdir/%name/modules/sssd_krb5_localauth_plugin.so -%_mandir/??/man8/pam_sss.8* -%_mandir/??/man8/sssd_krb5_locator_plugin.8* -%_mandir/man8/pam_sss.8* -%_mandir/man8/sssd_krb5_locator_plugin.8* - -%files ad -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_ad.so -%dir %_libexecdir/%name/ -%_libexecdir/%name/gpo_child -%dir %_datadir/%name/ -%dir 
%_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-ad.conf -%_mandir/man5/sssd-ad.5* -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/??/man5/sssd-ad.5* - -%files dbus -%defattr(-,root,root) -%dir %_libexecdir/sssd/ -%_libexecdir/sssd/sssd_ifp -%dir %_libdir/sssd/ -%_libdir/sssd/libsss_config.so -%_mandir/man5/sssd-ifp.5* -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/??/man5/sssd-ifp.5* - -%files ipa -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_ipa* -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d -%_datadir/%name/sssd.api.d/sssd-ipa.conf -%_mandir/man5/sssd-ipa.5* -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/??/man5/sssd-ipa.5* - -%files krb5 -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_krb5.so -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-krb5.conf -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/man5/sssd-krb5.5* -%_mandir/??/man5/sssd-krb5.5* - -%files krb5-common -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_krb5_common.so -%dir %_libexecdir/%name/ -%_libexecdir/%name/krb5_child -%_libexecdir/%name/ldap_child - -%files ldap -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_ldap* -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-ldap.conf -%_mandir/man5/sssd-ldap.5* -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/??/man5/sssd-ldap.5* - -%files proxy -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_proxy.so -%dir %_libexecdir/%name/ -%_libexecdir/%name/proxy_child -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-proxy.conf +%{_initrddir}/%{name} +%{_sbindir}/sssd +%{_sbindir}/rcsssd +%{_libexecdir}/%{servicename}/ +%dir %{_libdir}/%{name}/ +%{_libdir}/%{name}/libsss_krb5* +%{_libdir}/%{name}/libsss_ldap* +%{_libdir}/%{name}/libsss_proxy* +%{_libdir}/ldb/memberof.so 
+%{_libdir}/krb5/plugins/libkrb5/* +%dir %{sssdstatedir} +%attr(700,root,root) %dir %{dbpath} +%attr(755,root,root) %dir %{pipepath} +%attr(700,root,root) %dir %{pipepath}/private +%attr(750,root,root) %dir %{_var}/log/%{name} +%dir %{_sysconfdir}/sssd +%config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%config %{_sysconfdir}/sssd/sssd.api.conf +%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-krb5.conf +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-ldap.conf +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-local.conf +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-proxy.conf +/%{_lib}/libnss_sss.so.2 +/%{_lib}/security/pam_sss.so +%{_mandir}/man5/sssd-krb5.* +%{_mandir}/man5/sssd-ldap.* +%{_mandir}/man5/sssd.conf.* %files tools -%defattr(-,root,root) -%_sbindir/sss_cache -%_sbindir/sss_debuglevel -%_sbindir/sss_groupadd -%_sbindir/sss_groupdel -%_sbindir/sss_groupmod -%_sbindir/sss_groupshow -%_sbindir/sss_seed -%_sbindir/sss_obfuscate -%_sbindir/sss_override -%_sbindir/sss_useradd -%_sbindir/sss_userdel -%_sbindir/sss_usermod -%_sbindir/sss_override -%dir %_mandir/??/man8/ -%_mandir/??/man8/sss_*.8* -%_mandir/man8/sss_*.8* +%defattr(-,root,root,-) +%{_mandir}/man8/* +%{_sbindir}/sss_useradd +%{_sbindir}/sss_userdel +%{_sbindir}/sss_usermod +%{_sbindir}/sss_groupadd +%{_sbindir}/sss_groupdel +%{_sbindir}/sss_groupmod -%files wbclient -%defattr(-,root,root) -%config %_sysconfdir/ld.so.conf.d/sssd-wbclient.conf -%dir %_libdir/sssd/ -%dir %_libdir/sssd/modules/ -%_libdir/sssd/modules/libwbclient.so.* - -%files wbclient-devel -%defattr(-,root,root) -%_includedir/wbclient_sssd.h -%dir %_libdir/sssd/ -%dir %_libdir/sssd/modules/ -%_libdir/sssd/modules/libwbclient.so -%_libdir/pkgconfig/wbclient_sssd.pc - -%files -n libipa_hbac0 -%defattr(-,root,root) -%_libdir/libipa_hbac.so.0* - -%files -n libipa_hbac-devel -%defattr(-,root,root) -%_includedir/ipa_hbac.h -%_libdir/libipa_hbac.so -%_libdir/pkgconfig/ipa_hbac.pc - -%files -n 
libnfsidmap-sss -%defattr(-,root,root) -%_libdir/libnfsidmap/ -%_mandir/man5/sss_rpcidmapd.5* -%dir %_mandir/??/man5/ -%_mandir/??/man5/sss_rpcidmapd.5* - -%files -n libsss_idmap0 -%defattr(-,root,root) -%_libdir/libsss_idmap.so.0* - -%files -n libsss_idmap-devel -%defattr(-,root,root) -%_includedir/sss_idmap.h -%_libdir/libsss_idmap.so -%_libdir/pkgconfig/sss_idmap.pc - -%files -n libsss_nss_idmap0 -%defattr(-,root,root) -%_libdir/libsss_nss_idmap.so.0* - -%files -n libsss_nss_idmap-devel -%defattr(-,root,root) -%_includedir/sss_nss_idmap.h -%_libdir/libsss_nss_idmap.so -%_libdir/pkgconfig/sss_nss_idmap.pc - -%files -n libsss_simpleifp0 -%defattr(-,root,root) -%_libdir/libsss_simpleifp.so.0* - -%files -n libsss_simpleifp-devel -%defattr(-,root,root) -%_includedir/sss_sifp*.h -%_libdir/libsss_simpleifp.so -%_libdir/pkgconfig/sss_simpleifp.pc - -%files -n python-ipa_hbac -%defattr(-,root,root) -%dir %python_sitearch -%python_sitearch/pyhbac.so - -%files -n python3-ipa_hbac -%defattr(-,root,root) -%dir %python3_sitearch -%python3_sitearch/pyhbac.so - -%files -n python-sss-murmur -%defattr(-,root,root) -%python_sitearch/pysss_murmur.so - -%files -n python3-sss-murmur -%defattr(-,root,root) -%python3_sitearch/pysss_murmur.so - -%files -n python-sss_nss_idmap -%defattr(-,root,root) -%dir %python_sitearch -%python_sitearch/pysss_nss_idmap.so - -%files -n python3-sss_nss_idmap -%defattr(-,root,root) -%dir %python3_sitearch -%python3_sitearch/pysss_nss_idmap.so +%files ipa-provider +%defattr(-,root,root,-) +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-ipa.conf +%{_libdir}/sssd/libsss_ipa* +%{_mandir}/man5/sssd-ipa.* %files -n python-sssd-config -%defattr(-,root,root) -%python_sitearch/pysss.so -%python_sitelib/SSSDConfig* +%defattr(-,root,root,-) +%{python_sitearch}/pysss.so +%{python_sitelib}/*.py* +%{python_sitelib}/*.egg-info -%files -n python3-sssd-config -%defattr(-,root,root) -%python3_sitearch/pysss.so -%python3_sitelib/SSSDConfig* +%post +/sbin/ldconfig + +%preun 
+%stop_on_removal sssd + +%postun +/sbin/ldconfig +%restart_on_update sssd +%insserv_cleanup %changelog From a771efc41a577f09ba8f43b939b4c3f56a95fdacc3cc8942b91c8676261e0d85 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Thu, 18 Mar 2010 15:30:28 +0000 Subject: [PATCH 02/63] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=2 --- ready | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 ready diff --git a/ready b/ready deleted file mode 100644 index 473a0f4..0000000 From f70f20f55b4299f0cbf5b590b42e585a54fe9868fc4f8bb0e1e725b4486d3a5a Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Fri, 19 Mar 2010 09:05:35 +0000 Subject: [PATCH 03/63] Accepting request 35172 from network:ldap Copy from network:ldap/sssd based on submit request 35172 from user coolo OBS-URL: https://build.opensuse.org/request/show/35172 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=3 --- ...efault-use-logfiles-for-debug-messages.dif | 24 +++++++++++++++++++ sssd.changes | 5 ++++ sssd.spec | 4 +++- 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 0001-by-default-use-logfiles-for-debug-messages.dif diff --git a/0001-by-default-use-logfiles-for-debug-messages.dif b/0001-by-default-use-logfiles-for-debug-messages.dif new file mode 100644 index 0000000..658fb10 --- /dev/null +++ b/0001-by-default-use-logfiles-for-debug-messages.dif 
@@ -0,0 +1,24 @@
+From 6a3686dbd6593d1f832231dd3e07fcd03eb9a2e6 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp
+Date: Mon, 8 Mar 2010 14:42:06 +0100
+Subject: [PATCH] by default use logfiles for debug messages
+
+
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/server/sysv/SUSE/sssd b/server/sysv/SUSE/sssd
+index 34fd837..2f98c21 100644
+--- a/server/sysv/SUSE/sssd
++++ b/server/sysv/SUSE/sssd
+@@ -29,7 +29,7 @@ PID_FILE=/var/run/sssd.pid
+ case "$1" in
+ start)
+ echo -n "Starting $prog "
+- /sbin/startproc $SSSD -D 2>/dev/null
++ /sbin/startproc $SSSD -f -D 2>/dev/null
+ rc_status -v
+ ;;
+
+--
+1.6.4.2
+
diff --git a/sssd.changes b/sssd.changes
index 026aa50..22304b5 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com
+
+- use logfiles for debug messages by default
+
 -------------------------------------------------------------------
 Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com
diff --git a/sssd.spec b/sssd.spec
index b0ccbde..2c2cf63 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -19,13 +19,14 @@
 Name: sssd
 Version: 1.0.5
-Release: 1
+Release: 2
 Group: System/Daemons
 Summary: System Security Services Daemon
 # The entire source code is GPLv3+ except replace/ which is LGPLv3+
 License: GPLv3+ and LGPLv3+
 Url: https://fedorahosted.org/sssd/
 Source0: %{name}-%{version}.tar.gz
+Patch0: 0001-by-default-use-logfiles-for-debug-messages.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 ### Patches ###
@@ -100,6 +101,7 @@ Security Services Daemon (sssd).
 %prep
 %setup -q
+%patch0 -p1
 %build
 export LDB_LIBS="-lldb"
From eb55f903891ce516a53d02ea84910068bd994a600ea8a4e2b7fe466ce1e2cb64 Mon Sep 17 00:00:00 2001
From: OBS User autobuild Date: Thu, 1 Apr 2010 16:01:35 +0000 Subject: [PATCH 04/63] Accepting request 36465 from network:ldap Copy from network:ldap/sssd based on submit request 36465 from user rhafer OBS-URL: https://build.opensuse.org/request/show/36465 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=4 --- ...tion-to-use-libcrypto-instead-of-NSS.patch | 451 ++++++++++++++++++ ...efault-use-logfiles-for-debug-messages.dif | 24 - ...nts-for-LDAP-Password-Policy-support.patch | 415 ++++++++++++++++ 0003-ldap-provider-ld-flags.patch | 29 ++ 0004-init-script-dependencies.patch | 29 ++ baselibs.conf | 4 + sssd-1.0.5.tar.gz | 3 - sssd-1.1.0.tar.gz | 3 + sssd.changes | 28 ++ sssd.spec | 192 +++++++- 10 files changed, 1126 insertions(+), 52 deletions(-) create mode 100644 0001-Added-option-to-use-libcrypto-instead-of-NSS.patch delete mode 100644 0001-by-default-use-logfiles-for-debug-messages.dif create mode 100644 0002-Improvements-for-LDAP-Password-Policy-support.patch create mode 100644 0003-ldap-provider-ld-flags.patch create mode 100644 0004-init-script-dependencies.patch create mode 100644 baselibs.conf delete mode 100644 sssd-1.0.5.tar.gz create mode 100644 sssd-1.1.0.tar.gz diff --git a/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch b/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch new file mode 100644 index 0000000..429adf0 --- /dev/null +++ b/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch 
@@ -0,0 +1,451 @@ +From bf75a22ffc04dfa0387a1389750b0a1e6d3ac397 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Fri, 26 Mar 2010 15:04:51 +0100 +Subject: [PATCH] Added option to use libcrypto instead of NSS. + +crypto_sha512crypt.c is a clone of nss_sha512crypt.c with the exception that +all usage of NSS and related libraries has been switched to libcrypto. +I renamed nss_sha512crypt.h to sha512crypt.h since it is common to both +crypto_sha512crypt.c and nss_sha512crypt.c. Note that the random number +generator is not seeded manually and thus relies on seeding done +automatically by libcrypto. On some systems without /dev/urandom +seeding may not be performed. +See http://www.openssl.org/docs/crypto/RAND_add.html. +Signed-off-by: George McCollister + +Conflicts: + + server/util/nss_sha512crypt.h + server/util/sha512crypt.h + src/Makefile.am + src/configure.ac + src/util/sha512crypt.h +--- + server/external/crypto.m4 | 13 ++ + server/util/crypto_sha512crypt.c | 382 ++++++++++++++++++++++++++++++++++++++ + server/util/sha512crypt.h | 4 + + 3 files changed, 399 insertions(+), 0 deletions(-) + create mode 100644 server/external/crypto.m4 + create mode 100644 server/util/crypto_sha512crypt.c + create mode 100644 server/util/sha512crypt.h + +diff --git a/server/external/crypto.m4 b/server/external/crypto.m4 +new file mode 100644 +index 0000000..d1bcf40 +--- /dev/null ++++ b/server/external/crypto.m4 +@@ -0,0 +1,13 @@ ++AC_ARG_ENABLE(crypto, ++ [ --enable-crypto Use OpenSSL crypto instead of NSS], ++ [CRYPTO="$enableval"], ++ [CRYPTO="no"] ++) ++ ++if test x$CRYPTO != xyes; then ++ PKG_CHECK_MODULES([NSS],[nss],[have_nss=1],[have_nss=]) ++else ++ PKG_CHECK_MODULES([CRYPTO],[libcrypto],[have_crypto=1],[have_crypto=]) ++fi ++AM_CONDITIONAL([HAVE_NSS], [test x$have_nss != x]) ++AM_CONDITIONAL([HAVE_CRYPTO], [test x$have_crypto != x]) +diff --git a/server/util/crypto_sha512crypt.c b/server/util/crypto_sha512crypt.c +new file mode 100644 +index 0000000..9cd03a1 +--- 
/dev/null ++++ b/server/util/crypto_sha512crypt.c +@@ -0,0 +1,382 @@ ++/* This file is based on nss_sha512crypt.c which is based on the work of ++ * Ulrich Drepper (http://people.redhat.com/drepper/SHA-crypt.txt). ++ * ++ * libcrypto is used to provide SHA512 and random number generation. ++ * (http://www.openssl.org/docs/crypto/crypto.html). ++ * ++ * Sumit Bose ++ * George McCollister ++ */ ++/* SHA512-based Unix crypt implementation. ++ Released into the Public Domain by Ulrich Drepper . */ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "util/util.h" ++ ++#include ++#include ++ ++/* Define our magic string to mark salt for SHA512 "encryption" replacement. */ ++const char sha512_salt_prefix[] = "$6$"; ++#define SALT_PREF_SIZE (sizeof(sha512_salt_prefix) - 1) ++ ++/* Prefix for optional rounds specification. */ ++const char sha512_rounds_prefix[] = "rounds="; ++#define ROUNDS_SIZE (sizeof(sha512_rounds_prefix) - 1) ++ ++#define SALT_LEN_MAX 16 ++#define ROUNDS_DEFAULT 5000 ++#define ROUNDS_MIN 1000 ++#define ROUNDS_MAX 999999999 ++ ++/* Table with characters for base64 transformation. 
*/ ++const char b64t[64] = ++ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; ++ ++/* base64 conversion function */ ++static inline void b64_from_24bit(char **dest, size_t *len, size_t n, ++ uint8_t b2, uint8_t b1, uint8_t b0) ++{ ++ uint32_t w; ++ size_t i; ++ ++ if (*len < n) n = *len; ++ ++ w = (b2 << 16) | (b1 << 8) | b0; ++ for (i = 0; i < n; i++) { ++ (*dest)[i] = b64t[w & 0x3f]; ++ w >>= 6; ++ } ++ ++ *len -= i; ++ *dest += i; ++} ++ ++#define PTR_2_INT(x) ((x) - ((__typeof__ (x)) NULL)) ++#define ALIGN64 __alignof__(uint64_t) ++ ++static int sha512_crypt_r(const char *key, ++ const char *salt, ++ char *buffer, size_t buflen) ++{ ++ unsigned char temp_result[64] __attribute__((__aligned__(ALIGN64))); ++ unsigned char alt_result[64] __attribute__((__aligned__(ALIGN64))); ++ size_t rounds = ROUNDS_DEFAULT; ++ bool rounds_custom = false; ++ EVP_MD_CTX alt_ctx; ++ EVP_MD_CTX ctx; ++ size_t salt_len; ++ size_t key_len; ++ size_t cnt; ++ char *copied_salt = NULL; ++ char *copied_key = NULL; ++ char *p_bytes = NULL; ++ char *s_bytes = NULL; ++ int p1, p2, p3, pt, n; ++ unsigned int part; ++ char *cp, *tmp; ++ int ret; ++ ++ /* Find beginning of salt string. The prefix should normally always be ++ * present. Just in case it is not. */ ++ if (strncmp(salt, sha512_salt_prefix, SALT_PREF_SIZE) == 0) { ++ /* Skip salt prefix. 
*/ ++ salt += SALT_PREF_SIZE; ++ } ++ ++ if (strncmp(salt, sha512_rounds_prefix, ROUNDS_SIZE) == 0) { ++ unsigned long int srounds; ++ const char *num; ++ char *endp; ++ ++ num = salt + ROUNDS_SIZE; ++ srounds = strtoul(num, &endp, 10); ++ if (*endp == '$') { ++ salt = endp + 1; ++ if (srounds < ROUNDS_MIN) srounds = ROUNDS_MIN; ++ if (srounds > ROUNDS_MAX) srounds = ROUNDS_MAX; ++ rounds = srounds; ++ rounds_custom = true; ++ } ++ } ++ ++ salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); ++ key_len = strlen(key); ++ ++ if ((PTR_2_INT(key) % ALIGN64) != 0) { ++ tmp = (char *)alloca(key_len + ALIGN64); ++ key = copied_key = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, key, key_len); ++ } ++ ++ if (PTR_2_INT(salt) % ALIGN64 != 0) { ++ tmp = (char *)alloca(salt_len + ALIGN64); ++ salt = copied_salt = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, salt, salt_len); ++ } ++ ++ EVP_MD_CTX_init(&ctx); ++ ++ EVP_MD_CTX_init(&alt_ctx); ++ ++ /* Prepare for the real work. */ ++ if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) { ++ ret = EIO; ++ goto done; ++ } ++ ++ /* Add the key string. */ ++ EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); ++ ++ /* The last part is the salt string. This must be at most 16 ++ * characters and it ends at the first `$' character (for ++ * compatibility with existing implementations). */ ++ EVP_DigestUpdate(&ctx, (const unsigned char *)salt, salt_len); ++ ++ ++ /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. ++ * The final result will be added to the first context. */ ++ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { ++ ret = EIO; ++ goto done; ++ } ++ ++ /* Add key. */ ++ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); ++ ++ /* Add salt. */ ++ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len); ++ ++ /* Add key again. */ ++ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); ++ ++ /* Now get result of this (64 bytes) and add it to the other context. 
*/ ++ EVP_DigestFinal_ex(&alt_ctx, alt_result, &part); ++ ++ /* Add for any character in the key one byte of the alternate sum. */ ++ for (cnt = key_len; cnt > 64; cnt -= 64) { ++ EVP_DigestUpdate(&ctx, alt_result, 64); ++ } ++ EVP_DigestUpdate(&ctx, alt_result, cnt); ++ ++ /* Take the binary representation of the length of the key and for every ++ * 1 add the alternate sum, for every 0 the key. */ ++ for (cnt = key_len; cnt > 0; cnt >>= 1) { ++ if ((cnt & 1) != 0) { ++ EVP_DigestUpdate(&ctx, alt_result, 64); ++ } else { ++ EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); ++ } ++ } ++ ++ /* Create intermediate result. */ ++ EVP_DigestFinal_ex(&ctx, alt_result, &part); ++ ++ /* Start computation of P byte sequence. */ ++ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { ++ ret = EIO; ++ goto done; ++ } ++ ++ /* For every character in the password add the entire password. */ ++ for (cnt = 0; cnt < key_len; cnt++) { ++ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); ++ } ++ ++ /* Finish the digest. */ ++ EVP_DigestFinal_ex(&alt_ctx, temp_result, &part); ++ ++ /* Create byte sequence P. */ ++ cp = p_bytes = alloca(key_len); ++ for (cnt = key_len; cnt >= 64; cnt -= 64) { ++ cp = mempcpy(cp, temp_result, 64); ++ } ++ memcpy(cp, temp_result, cnt); ++ ++ /* Start computation of S byte sequence. */ ++ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { ++ ret = EIO; ++ goto done; ++ } ++ ++ /* For every character in the password add the entire salt. */ ++ for (cnt = 0; cnt < 16 + alt_result[0]; cnt++) { ++ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len); ++ } ++ ++ /* Finish the digest. */ ++ EVP_DigestFinal_ex(&alt_ctx, temp_result, &part); ++ ++ /* Create byte sequence S. */ ++ cp = s_bytes = alloca(salt_len); ++ for (cnt = salt_len; cnt >= 64; cnt -= 64) { ++ cp = mempcpy(cp, temp_result, 64); ++ } ++ memcpy(cp, temp_result, cnt); ++ ++ /* Repeatedly run the collected hash value through SHA512 to burn CPU cycles. 
*/ ++ for (cnt = 0; cnt < rounds; cnt++) { ++ ++ if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) { ++ ret = EIO; ++ goto done; ++ } ++ ++ /* Add key or last result. */ ++ if ((cnt & 1) != 0) { ++ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); ++ } else { ++ EVP_DigestUpdate(&ctx, alt_result, 64); ++ } ++ ++ /* Add salt for numbers not divisible by 3. */ ++ if (cnt % 3 != 0) { ++ EVP_DigestUpdate(&ctx, (const unsigned char *)s_bytes, salt_len); ++ } ++ ++ /* Add key for numbers not divisible by 7. */ ++ if (cnt % 7 != 0) { ++ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); ++ } ++ ++ /* Add key or last result. */ ++ if ((cnt & 1) != 0) { ++ EVP_DigestUpdate(&ctx, alt_result, 64); ++ } else { ++ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); ++ } ++ ++ /* Create intermediate result. */ ++ EVP_DigestFinal_ex(&ctx, alt_result, &part); ++ } ++ ++ /* Now we can construct the result string. ++ * It consists of three parts. */ ++ if (buflen <= SALT_PREF_SIZE) { ++ ret = ERANGE; ++ goto done; ++ } ++ ++ cp = __stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); ++ buflen -= SALT_PREF_SIZE; ++ ++ if (rounds_custom) { ++ n = snprintf(cp, buflen, "%s%zu$", ++ sha512_rounds_prefix, rounds); ++ if (n < 0 || n >= buflen) { ++ ret = ERANGE; ++ goto done; ++ } ++ cp += n; ++ buflen -= n; ++ } ++ ++ if (buflen <= salt_len + 1) { ++ ret = ERANGE; ++ goto done; ++ } ++ cp = __stpncpy(cp, salt, salt_len); ++ *cp++ = '$'; ++ buflen -= salt_len + 1; ++ ++ /* fuzzyfill the base 64 string */ ++ p1 = 0; ++ p2 = 21; ++ p3 = 42; ++ for (n = 0; n < 21; n++) { ++ b64_from_24bit(&cp, &buflen, 4, alt_result[p1], alt_result[p2], alt_result[p3]); ++ if (buflen == 0) { ++ ret = ERANGE; ++ goto done; ++ } ++ pt = p1; ++ p1 = p2 + 1; ++ p2 = p3 + 1; ++ p3 = pt + 1; ++ } ++ /* 64th and last byte */ ++ b64_from_24bit(&cp, &buflen, 2, 0, 0, alt_result[p3]); ++ if (buflen == 0) { ++ ret = ERANGE; ++ goto done; ++ } ++ ++ *cp = '\0'; ++ ret = EOK; ++ 
++done: ++ /* Clear the buffer for the intermediate result so that people attaching ++ * to processes or reading core dumps cannot get any information. We do it ++ * in this way to clear correct_words[] inside the SHA512 implementation ++ * as well. */ ++ EVP_MD_CTX_cleanup(&ctx); ++ EVP_MD_CTX_cleanup(&alt_ctx); ++ if (p_bytes) memset(p_bytes, '\0', key_len); ++ if (s_bytes) memset(s_bytes, '\0', salt_len); ++ if (copied_key) memset(copied_key, '\0', key_len); ++ if (copied_salt) memset(copied_salt, '\0', salt_len); ++ memset(temp_result, '\0', sizeof(temp_result)); ++ ++ return ret; ++} ++ ++int s3crypt_sha512(TALLOC_CTX *memctx, ++ const char *key, const char *salt, char **_hash) ++{ ++ char *hash; ++ int hlen = (sizeof (sha512_salt_prefix) - 1 ++ + sizeof (sha512_rounds_prefix) + 9 + 1 ++ + strlen (salt) + 1 + 86 + 1); ++ int ret; ++ ++ hash = talloc_size(memctx, hlen); ++ if (!hash) return ENOMEM; ++ ++ ret = sha512_crypt_r(key, salt, hash, hlen); ++ if (ret) return ret; ++ ++ *_hash = hash; ++ return ret; ++} ++ ++#define SALT_RAND_LEN 12 ++ ++int s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt) ++{ ++ uint8_t rb[SALT_RAND_LEN]; ++ char *salt, *cp; ++ size_t slen; ++ int ret; ++ ++ salt = talloc_size(memctx, SALT_LEN_MAX + 1); ++ if (!salt) { ++ return ENOMEM; ++ } ++ ++ ret = RAND_bytes(rb, SALT_RAND_LEN); ++ if (ret == 0) { ++ return EIO; ++ } ++ ++ slen = SALT_LEN_MAX; ++ cp = salt; ++ b64_from_24bit(&cp, &slen, 4, rb[0], rb[1], rb[2]); ++ b64_from_24bit(&cp, &slen, 4, rb[3], rb[4], rb[5]); ++ b64_from_24bit(&cp, &slen, 4, rb[6], rb[7], rb[8]); ++ b64_from_24bit(&cp, &slen, 4, rb[9], rb[10], rb[11]); ++ *cp = '\0'; ++ ++ *_salt = salt; ++ ++ return EOK; ++} ++ +diff --git a/server/util/sha512crypt.h b/server/util/sha512crypt.h +new file mode 100644 +index 0000000..5512c5d +--- /dev/null ++++ b/server/util/sha512crypt.h +@@ -0,0 +1,4 @@ ++ ++int s3crypt_sha512(TALLOC_CTX *mmectx, ++ const char *key, const char *salt, char **_hash); ++int 
s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt); +-- +1.7.0.2 + diff --git a/0001-by-default-use-logfiles-for-debug-messages.dif b/0001-by-default-use-logfiles-for-debug-messages.dif deleted file mode 100644 index 658fb10..0000000 --- a/0001-by-default-use-logfiles-for-debug-messages.dif +++ /dev/null @@ -1,24 +0,0 @@ -From 6a3686dbd6593d1f832231dd3e07fcd03eb9a2e6 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Mon, 8 Mar 2010 14:42:06 +0100 -Subject: [PATCH] by default use logfiles for debug messages - - - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/server/sysv/SUSE/sssd b/server/sysv/SUSE/sssd -index 34fd837..2f98c21 100644 ---- a/server/sysv/SUSE/sssd -+++ b/server/sysv/SUSE/sssd -@@ -29,7 +29,7 @@ PID_FILE=/var/run/sssd.pid - case "$1" in - start) - echo -n "Starting $prog " -- /sbin/startproc $SSSD -D 2>/dev/null -+ /sbin/startproc $SSSD -f -D 2>/dev/null - rc_status -v - ;; - --- -1.6.4.2 - diff --git a/0002-Improvements-for-LDAP-Password-Policy-support.patch b/0002-Improvements-for-LDAP-Password-Policy-support.patch new file mode 100644 index 0000000..c155afe --- /dev/null +++ b/0002-Improvements-for-LDAP-Password-Policy-support.patch 
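Review bot: In s3crypt_gen_salt the check `if (ret == 0)` after RAND_bytes() accepts the -1 that libcrypto returns when the active RAND method does not support the call, so rb[] could be base64-encoded while still uninitialised; test for success explicitly, `if (ret != 1) { talloc_free(salt); return EIO; }`, which also releases the salt buffer the error path currently leaves attached to memctx. The `done:` label in sha512_crypt_r clears p_bytes, s_bytes, the copied key/salt and temp_result with plain memset() on storage that is dead once the function returns, which the optimizer may drop; OPENSSL_cleanse() from the libcrypto this file already links is the reliable choice, and alt_result should be cleared with them as Drepper's reference code does. s3crypt_sha512 returns the sha512_crypt_r error without freeing hash, so a `talloc_free(hash);` before that `return ret;` keeps the "caller owns *_hash on success only" contract tidy. None of the EVP_DigestUpdate()/EVP_DigestFinal_ex() calls have their return value checked, unlike the EVP_DigestInit_ex() calls next to them; the inconsistency is worth a comment at least.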
@@ -0,0 +1,415 @@ +From 536c01cf9a04573c2351542fe00973e1538014a5 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Fri, 12 Mar 2010 10:54:40 +0100 +Subject: [PATCH] Improvements for LDAP Password Policy support + +Display warnings about remaining grace logins and password +expiration to the user, when LDAP Password Policies are used. + +Improved detection if LDAP Password policies are supported by +LDAP Server. +--- + src/providers/ldap/ldap_auth.c | 52 +++++++++++++++++- + src/providers/ldap/sdap.h | 5 ++ + src/providers/ldap/sdap_async.h | 6 ++- + src/providers/ldap/sdap_async_connection.c | 53 +++++++++++++++---- + src/sss_client/pam_sss.c | 82 ++++++++++++++++++++++++++++ + src/sss_client/sss_cli.h | 23 ++++++--- + 6 files changed, 201 insertions(+), 20 deletions(-) + +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 5228703..8c77e3a 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -7,6 +7,7 @@ + Sumit Bose + + Copyright (C) 2008 Red Hat ++ Copyright (C) 2010, rhafer@suse.de, Novell Inc. 
+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -135,6 +136,39 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now, + return EOK; + } + ++static errno_t check_pwexpire_ldap(struct pam_data *pd, ++ struct sdap_ppolicy_data *ppolicy, ++ enum sdap_result *result) ++{ ++ if (ppolicy->grace > 0 || ppolicy->expire > 0) { ++ uint32_t *data; ++ uint32_t *ptr; ++ ++ data = talloc_size(pd, 2* sizeof(uint32_t)); ++ if (data == NULL) { ++ DEBUG(1, ("talloc_size failed.\n")); ++ return ENOMEM; ++ } ++ ++ ptr = data; ++ if (ppolicy->grace > 0) { ++ *ptr = SSS_PAM_USER_INFO_GRACE_LOGIN; ++ ptr++; ++ *ptr = ppolicy->grace; ++ } else if (ppolicy->expire > 0) { ++ *ptr = SSS_PAM_USER_INFO_EXPIRE_WARN; ++ ptr++; ++ *ptr = ppolicy->expire; ++ } ++ ++ pam_add_response(pd, SSS_PAM_USER_INFO, 2* sizeof(uint32_t), ++ (uint8_t*)data); ++ } ++ ++ *result = SDAP_AUTH_SUCCESS; ++ return EOK; ++} ++ + static errno_t string_to_shadowpw_days(const char *s, long *d) + { + long l; +@@ -569,8 +603,15 @@ static void auth_bind_user_done(struct tevent_req *subreq) + struct auth_state *state = tevent_req_data(req, + struct auth_state); + int ret; +- +- ret = sdap_auth_recv(subreq, &state->result); ++ struct sdap_ppolicy_data *ppolicy; ++ ++ ret = sdap_auth_recv(subreq, state, &state->result, &ppolicy); ++ if (ppolicy != NULL) { ++ DEBUG(9,("Found ppolicy data, " ++ "assuming LDAP password policies are active.\n")); ++ state->pw_expire_type = PWEXPIRE_LDAP_PASSWORD_POLICY; ++ state->pw_expire_data = ppolicy; ++ } + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); +@@ -960,6 +1001,13 @@ static void sdap_pam_auth_done(struct tevent_req *req) + } + break; + case PWEXPIRE_LDAP_PASSWORD_POLICY: ++ ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result); ++ if (ret != EOK) { ++ DEBUG(1, ("check_pwexpire_ldap failed.\n")); ++ state->pd->pam_status = PAM_SYSTEM_ERR; ++ goto 
done; ++ } ++ break; + case PWEXPIRE_NONE: + break; + default: +diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h +index 007185f..f0e345e 100644 +--- a/src/providers/ldap/sdap.h ++++ b/src/providers/ldap/sdap.h +@@ -85,6 +85,11 @@ struct sdap_service { + char *uri; + }; + ++struct sdap_ppolicy_data { ++ int grace; ++ int expire; ++}; ++ + #define SYSDB_SHADOWPW_LASTCHANGE "shadowLastChange" + #define SYSDB_SHADOWPW_MIN "shadowMin" + #define SYSDB_SHADOWPW_MAX "shadowMax" +diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h +index 3c52d23..888df6b 100644 +--- a/src/providers/ldap/sdap_async.h ++++ b/src/providers/ldap/sdap_async.h +@@ -76,7 +76,11 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, + const char *user_dn, + const char *authtok_type, + struct dp_opt_blob authtok); +-int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result); ++ ++int sdap_auth_recv(struct tevent_req *req, ++ TALLOC_CTX *memctx, ++ enum sdap_result *result, ++ struct sdap_ppolicy_data **ppolicy); + + struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, + struct tevent_context *ev, +diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c +index 586733f..f8c6956 100644 +--- a/src/providers/ldap/sdap_async_connection.c ++++ b/src/providers/ldap/sdap_async_connection.c +@@ -4,6 +4,7 @@ + Async LDAP Helper routines + + Copyright (C) Simo Sorce - 2009 ++ Copyright (C) 2010, rhafer@suse.de, Novell Inc. 
+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -278,6 +279,7 @@ struct simple_bind_state { + struct sdap_op *op; + + struct sdap_msg *reply; ++ struct sdap_ppolicy_data *ppolicy; + int result; + }; + +@@ -401,6 +403,7 @@ static void simple_bind_done(struct sdap_op *op, + + if (response_controls == NULL) { + DEBUG(5, ("Server returned no controls.\n")); ++ state->ppolicy = NULL; + } else { + for (c = 0; response_controls[c] != NULL; c++) { + DEBUG(9, ("Server returned control [%s].\n", +@@ -420,12 +423,30 @@ static void simple_bind_done(struct sdap_op *op, + DEBUG(7, ("Password Policy Response: expire [%d] grace [%d] " + "error [%s].\n", pp_expire, pp_grace, + ldap_passwordpolicy_err2txt(pp_error))); +- +- if ((state->result == LDAP_SUCCESS && +- (pp_error == PP_changeAfterReset || pp_grace > 0)) || +- (state->result == LDAP_INVALID_CREDENTIALS && +- pp_error == PP_passwordExpired ) ) { +- DEBUG(4, ("User must set a new password.\n")); ++ state->ppolicy = talloc(state, struct sdap_ppolicy_data); ++ if (state->ppolicy == NULL) { ++ DEBUG(1, ("talloc failed.\n")); ++ ret = ENOMEM; ++ goto done; ++ } ++ state->ppolicy->grace = pp_grace; ++ state->ppolicy->expire = pp_expire; ++ if (state->result == LDAP_SUCCESS) { ++ if (pp_error == PP_changeAfterReset) { ++ DEBUG(4, ("Password was reset. " ++ "User must set a new password.\n")); ++ state->result = LDAP_X_SSSD_PASSWORD_EXPIRED; ++ } else if (pp_grace > 0) { ++ DEBUG(4, ("Password expired. 
" ++ "[%d] grace logins remaining.\n", pp_grace)); ++ } else if (pp_expire > 0) { ++ DEBUG(4, ("Password will expire in [%d] seconds.\n", ++ pp_expire)); ++ } ++ } else if (state->result == LDAP_INVALID_CREDENTIALS && ++ pp_error == PP_passwordExpired) { ++ DEBUG(4, ++ ("Password expired user must set a new password.\n")); + state->result = LDAP_X_SSSD_PASSWORD_EXPIRED; + } + } +@@ -446,7 +467,10 @@ done: + } + } + +-static int simple_bind_recv(struct tevent_req *req, int *ldaperr) ++static int simple_bind_recv(struct tevent_req *req, ++ TALLOC_CTX *memctx, ++ int *ldaperr, ++ struct sdap_ppolicy_data **ppolicy) + { + struct simple_bind_state *state = tevent_req_data(req, + struct simple_bind_state); +@@ -455,6 +479,7 @@ static int simple_bind_recv(struct tevent_req *req, int *ldaperr) + TEVENT_REQ_RETURN_ON_ERROR(req); + + *ldaperr = state->result; ++ *ppolicy = talloc_steal(memctx, state->ppolicy); + return EOK; + } + +@@ -704,6 +729,7 @@ int sdap_kinit_recv(struct tevent_req *req, enum sdap_result *result) + struct sdap_auth_state { + const char *user_dn; + struct berval pw; ++ struct sdap_ppolicy_data *ppolicy; + + int result; + bool is_sasl; +@@ -766,8 +792,9 @@ static void sdap_auth_done(struct tevent_req *subreq) + + if (state->is_sasl) { + ret = sasl_bind_recv(subreq, &state->result); ++ state->ppolicy = NULL; + } else { +- ret = simple_bind_recv(subreq, &state->result); ++ ret = simple_bind_recv(subreq, state, &state->result, &state->ppolicy); + } + if (ret != EOK) { + tevent_req_error(req, ret); +@@ -777,7 +804,10 @@ static void sdap_auth_done(struct tevent_req *subreq) + tevent_req_done(req); + } + +-int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result) ++int sdap_auth_recv(struct tevent_req *req, ++ TALLOC_CTX *memctx, ++ enum sdap_result *result, ++ struct sdap_ppolicy_data **ppolicy) + { + struct sdap_auth_state *state = tevent_req_data(req, + struct sdap_auth_state); +@@ -785,6 +815,9 @@ int sdap_auth_recv(struct tevent_req *req, enum 
sdap_result *result) + *result = SDAP_ERROR; + TEVENT_REQ_RETURN_ON_ERROR(req); + ++ if (ppolicy != NULL) { ++ *ppolicy = talloc_steal(memctx, state->ppolicy); ++ } + switch (state->result) { + case LDAP_SUCCESS: + *result = SDAP_AUTH_SUCCESS; +@@ -1078,7 +1111,7 @@ static void sdap_cli_auth_done(struct tevent_req *subreq) + enum sdap_result result; + int ret; + +- ret = sdap_auth_recv(subreq, &result); ++ ret = sdap_auth_recv(subreq, NULL, &result, NULL); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index 2ba6f15..07ed4e7 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -3,6 +3,7 @@ + Sumit Bose + + Copyright (C) 2009 Red Hat ++ Copyright (C) 2010, rhafer@suse.de, Novell Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by +@@ -436,6 +437,81 @@ static int user_info_offline_auth(pam_handle_t *pamh, size_t buflen, + return PAM_SUCCESS; + } + ++static int user_info_grace_login(pam_handle_t *pamh, ++ size_t buflen, ++ uint8_t *buf) ++{ ++ int ret; ++ uint32_t grace; ++ char user_msg[256]; ++ ++ if (buflen != 2* sizeof(uint32_t)) { ++ D(("User info response data has the wrong size")); ++ return PAM_BUF_ERR; ++ } ++ memcpy(&grace, buf + sizeof(uint32_t), sizeof(uint32_t)); ++ ret = snprintf(user_msg, sizeof(user_msg), ++ _("Your password has expired. 
" ++ "You have %d grace login(s) remaining."), ++ grace); ++ if (ret < 0 || ret >= sizeof(user_msg)) { ++ D(("snprintf failed.")); ++ return PAM_SYSTEM_ERR; ++ } ++ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); ++ ++ if (ret != PAM_SUCCESS) { ++ D(("do_pam_conversation failed.")); ++ return PAM_SYSTEM_ERR; ++ } ++ ++ return PAM_SUCCESS; ++} ++ ++#define MINSEC 60 ++#define HOURSEC (60*MINSEC) ++#define DAYSEC (24*HOURSEC) ++static int user_info_expire_warn(pam_handle_t *pamh, ++ size_t buflen, ++ uint8_t *buf) ++{ ++ int ret; ++ uint32_t expire; ++ char user_msg[256]; ++ const char* unit="second(s)"; ++ ++ if (buflen != 2* sizeof(uint32_t)) { ++ D(("User info response data has the wrong size")); ++ return PAM_BUF_ERR; ++ } ++ memcpy(&expire, buf + sizeof(uint32_t), sizeof(uint32_t)); ++ if (expire >= DAYSEC) { ++ expire /= DAYSEC; ++ unit = "day(s)"; ++ } else if (expire >= HOURSEC) { ++ expire /= HOURSEC; ++ unit = "hour(s)"; ++ } else if (expire >= MINSEC) { ++ expire /= MINSEC; ++ unit = "minute(s)"; ++ } ++ ++ ret = snprintf(user_msg, sizeof(user_msg), ++ _("Your password will expire in %d %s."), expire, unit); ++ if (ret < 0 || ret >= sizeof(user_msg)) { ++ D(("snprintf failed.")); ++ return PAM_SYSTEM_ERR; ++ } ++ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); ++ ++ if (ret != PAM_SUCCESS) { ++ D(("do_pam_conversation failed.")); ++ return PAM_SYSTEM_ERR; ++ } ++ ++ return PAM_SUCCESS; ++} ++ + static int user_info_offline_auth_delayed(pam_handle_t *pamh, size_t buflen, + uint8_t *buf) + { +@@ -563,6 +639,12 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen, + case SSS_PAM_USER_INFO_OFFLINE_AUTH: + ret = user_info_offline_auth(pamh, buflen, buf); + break; ++ case SSS_PAM_USER_INFO_GRACE_LOGIN: ++ ret = user_info_grace_login(pamh, buflen, buf); ++ break; ++ case SSS_PAM_USER_INFO_EXPIRE_WARN: ++ ret = user_info_expire_warn(pamh, buflen, buf); ++ break; + case 
SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED: + ret = user_info_offline_auth_delayed(pamh, buflen, buf); + break; +diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h +index 2edd158..f387265 100644 +--- a/src/sss_client/sss_cli.h ++++ b/src/sss_client/sss_cli.h +@@ -377,13 +377,22 @@ enum user_info_type { + * possible to change the password while + * the system is offline. This message + * is generated by the PAM responder. */ +- SSS_PAM_USER_INFO_CHPASS_ERROR /**< Tell the user that a password change +- * failed and optionally give a reason. +- * @param Size of the message as unsigned +- * 32-bit integer value. A value of 0 +- * indicates that no message is following. +- * @param String with the specified +- * length. */ ++ SSS_PAM_USER_INFO_CHPASS_ERROR, /**< Tell the user that a password change ++ * failed and optionally give a reason. ++ * @param Size of the message as unsigned ++ * 32-bit integer value. A value of 0 ++ * indicates that no message is following. ++ * @param String with the specified ++ * length. */ ++ SSS_PAM_USER_INFO_GRACE_LOGIN, /**< Warn the user that the password is ++ * expired and inform about the remaining ++ * number of grace logins. ++ * @param The number of remaining grace ++ * logins as uint32_t */ ++ SSS_PAM_USER_INFO_EXPIRE_WARN /**< Warn the user that the password will ++ * expire soon. ++ * @param Number of seconds before the user's ++ * password will expire. */ + }; + /** + * @} +-- +1.7.0.2 + diff --git a/0003-ldap-provider-ld-flags.patch b/0003-ldap-provider-ld-flags.patch new file mode 100644 index 0000000..087ae76 --- /dev/null +++ b/0003-ldap-provider-ld-flags.patch 
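Review bot: In the ldap_auth.c hunk for auth_bind_user_done (the function itself starts before the hunk) the local `ppolicy` has no initializer and is tested with `if (ppolicy != NULL)` before `ret` is examined, yet sdap_auth_recv returns through TEVENT_REQ_RETURN_ON_ERROR before it ever assigns `*ppolicy`, so a failed bind reads an indeterminate pointer and may store it in state->pw_expire_data. Declare it as `struct sdap_ppolicy_data *ppolicy = NULL;` and, in sdap_auth_recv, set `if (ppolicy != NULL) *ppolicy = NULL;` ahead of the error-return macro so the out-parameter is defined on every path. In the pam_sss.c hunk both user_info_grace_login and user_info_expire_warn print a uint32_t with `%d`; `%u` is the matching conversion. check_pwexpire_ldap also ignores the return value of pam_add_response, which presumably can report allocation failure the same way the talloc_size call above it does — worth checking or documenting why it is safe to drop.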
@@ -0,0 +1,29 @@ +From 840bb425fe0cb6f4904d5610ffd1fdfd9eed235d Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Wed, 31 Mar 2010 10:40:13 +0200 +Subject: [PATCH] ldap provider ld flags + +The LDAP provider needs to be linked against libdhash +--- + src/Makefile.am | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 6d46cda..6f14eee 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -717,9 +717,11 @@ libsss_ldap_la_SOURCES = \ + util/sss_krb5.c + libsss_ldap_la_CFLAGS = \ + $(AM_CFLAGS) \ ++ $(DHASH_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(KRB5_CFLAGS) + libsss_ldap_la_LIBADD = \ ++ $(DHASH_LIBS) \ + $(OPENLDAP_LIBS) \ + $(KRB5_LIBS) + libsss_ldap_la_LDFLAGS = \ +-- +1.7.0.2 + diff --git a/0004-init-script-dependencies.patch b/0004-init-script-dependencies.patch new file mode 100644 index 0000000..326a9c2 --- /dev/null +++ b/0004-init-script-dependencies.patch @@ -0,0 +1,29 @@ +From b9090cb4d12147267a4fb1ad9bb74bb226bcbe34 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Wed, 31 Mar 2010 12:21:21 +0200 +Subject: [PATCH] init script dependencies + +--- + src/sysv/SUSE/sssd | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/sysv/SUSE/sssd b/src/sysv/SUSE/sssd +index 2f98c21..262ecde 100644 +--- a/src/sysv/SUSE/sssd ++++ b/src/sysv/SUSE/sssd +@@ -1,10 +1,10 @@ + #!/bin/sh + ### BEGIN INIT INFO + # Provides: sssd +-# Required-Start: $remote_fs $time ++# Required-Start: $network $remote_fs $time + # Should-Start: $syslog + # Should-Stop: $syslog +-# Required-Stop: $remote_fs ++# Required-Stop: $network $remote_fs $time + # Default-Start: 3 5 + # Default-Stop: 0 1 2 4 6 + # Short-Description: System Security Services Daemon +-- +1.7.0.2 + diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..22e0a35 --- /dev/null +++ b/baselibs.conf 
@@ -0,0 +1,4 @@
+sssd
+ supplements "packageand(sssd:pam-)"
+ supplements "packageand(sssd:glibc-)"
+ -/usr/lib(64)?/*
diff --git a/sssd-1.0.5.tar.gz b/sssd-1.0.5.tar.gz
deleted file mode 100644
index e895b79..0000000
--- a/sssd-1.0.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2f3a8dca78a14b03e1a273fa7cfe5598120b83aa7477ab4c467a7dcd655c9017
-size 2688987
diff --git a/sssd-1.1.0.tar.gz b/sssd-1.1.0.tar.gz
new file mode 100644
index 0000000..8d8f9d4
--- /dev/null
+++ b/sssd-1.1.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6b7805445f2f04505c26186d112bf3c53f6fd0e374a7ded476bfc1185b7c13be
+size 2838565
diff --git a/sssd.changes b/sssd.changes
index 22304b5..2cf79d0 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com + +- Package pam- and nss-Modules as baselibs +- cleaned up file list and dependencies +- fixed init script dependencies + +------------------------------------------------------------------- +Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com + +- Updated to 1.1.0 + * Support for IPv6 + * Support for LDAP referrals + * Offline failed login counter + * Fix for the long-standing cache cleanup performance issues + * libini_config, libcollection, libdhash, libref_array and + libpath_utils are now built as shared libraries for general + consumption (libref_array and libpath_utils are currently not + packaged, as no component in sssd links against them) + * Users get feedback from PAM if they authenticated offline + * Native local backend now has a utility to show nested memberships + (sss_groupshow) + * New "simple" access provider for easy restriction of users +- Backported libcrypto support from master to avoid Mozilla NSS + dependency +- Backported password policy improvments for LDAP provider from + master + ------------------------------------------------------------------- Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com diff --git a/sssd.spec b/sssd.spec index 2c2cf63..e7725ef 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,5 +1,5 @@ # -# spec file for package sssd (Version 1.0.5) +# spec file for package sssd (Version 1.1.0) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -18,18 +18,25 @@ Name: sssd -Version: 1.0.5 -Release: 2 +Version: 1.1.0 +Release: 1 Group: System/Daemons Summary: System Security Services Daemon -# The entire source code is GPLv3+ except replace/ which is LGPLv3+ License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.gz -Patch0: 0001-by-default-use-logfiles-for-debug-messages.dif +Source1: baselibs.conf +Patch1: 0001-Added-option-to-use-libcrypto-instead-of-NSS.patch +Patch2: 0002-Improvements-for-LDAP-Password-Policy-support.patch +Patch3: 0003-ldap-provider-ld-flags.patch +Patch4: 0004-init-script-dependencies.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -### Patches ### +%define dhash_version 0.4.0 +%define path_utils_version 0.2.0 +%define collection_version 0.4.0 +%define ini_config_version 0.4.0 +%define refarray_version 0.1.0 ### Dependencies ### %define servicename sssd @@ -38,7 +45,6 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %define pipepath %{sssdstatedir}/pipes ### Build Dependencies ### - BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -52,8 +58,6 @@ BuildRequires: dbus-1-devel BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config -BuildRequires: mozilla-nss-devel -BuildRequires: mozilla-nspr-devel BuildRequires: pcre-devel BuildRequires: libxslt BuildRequires: libxml2 
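Review bot: `%define path_utils_version 0.2.0` and `%define refarray_version 0.1.0` are introduced in this hunk but no visible hunk of the spec references them, and the %install section of the same commit deletes libpath_utils and libref_array as "currently unused", so the two defines are dead until those libraries get subpackages. Either drop them or label them, e.g. `# libpath_utils/libref_array are built but not packaged yet; versions kept for when they are`, so the next maintainer does not search for a subpackage that does not exist. The other three defines are consumed by the libdhash, libcollection and libini_config subpackages and are fine.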
@@ -99,11 +103,84 @@ Group: Development/Libraries/Python Provide python module to access and manage configuration of the System Security Services Daemon (sssd). +%package -n libdhash1 +Summary: Dynamic hash table +Group: Development/Libraries/C and C++ +Version: %{dhash_version} +Release: 1 +License: LGPLv3+ + +%description -n libdhash1 +A hash table which will dynamically resize to achieve optimal storage & access +time properties + +%package -n libdhash-devel +Summary: Development files for libdhash +Group: Development/Libraries/C and C++ +Version: %{dhash_version} +Release: 1 +Requires: libdhash1 = %{dhash_version} +License: LGPLv3+ + +%description -n libdhash-devel +A hash table which will dynamically resize to achieve optimal storage & access +time properties + +%package -n libcollection1 +Summary: Collection data-type for C +Group: Development/Libraries/C and C++ +Version: %{collection_version} +Release: 1 +License: LGPLv3+ + +%description -n libcollection1 +A data-type to collect data in a heirarchical structure for easy iteration +and serialization + +%package -n libcollection-devel +Summary: Development files for libcollection +Group: Development/Libraries/C and C++ +Version: %{collection_version} +Release: 1 +Requires: libcollection1 = %{collection_version} +License: LGPLv3+ + +%description -n libcollection-devel +A data-type to collect data in a heirarchical structure for easy iteration +and serialization + +%package -n libini_config1 +Summary: INI file parser for C +Group: Development/Libraries/C and C++ +Version: %{ini_config_version} +Release: 1 +License: LGPLv3+ + +%description -n libini_config1 +Library to process config files in INI format into a libcollection data +structure + +%package -n libini_config-devel +Summary: Development files for libini_config +Group: Development/Libraries/C and C++ +Version: %{ini_config_version} +Release: 1 +Requires: libini_config1 = %{ini_config_version} +License: LGPLv3+ + +%description -n libini_config-devel 
+Library to process config files in INI format into a libcollection data +structure + %prep %setup -q -%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build +autoreconf export LDB_LIBS="-lldb" export LDB_CFLAGS="-I/usr/include" %configure \ @@ -112,6 +189,7 @@ export LDB_CFLAGS="-I/usr/include" --with-pipe-path=%{pipepath} \ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} \ + --enable-cryptp=yes \ --with-ldb-lib-dir=%{_libdir}/ldb \ --with-selinux=no 
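Review bot: `heirarchical` in the libcollection1 and libcollection-devel %description text is a typo for `hierarchical`; that text is what `rpm -qi` shows users, so the line should read `A data-type to collect data in a hierarchical structure for easy iteration`. Each new subpackage also carries its own hard-coded `Release: 1`, separate from the main package's Release; that is legitimate for independently versioned libraries, but a one-line comment above the first `%package -n libdhash1` saying that these libraries are versioned and released independently of sssd would make the intent explicit rather than looking like a forgotten default.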
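Review bot: `--enable-cryptp=yes` on the %configure line is misspelled; the option that 0001-Added-option-to-use-libcrypto-instead-of-NSS.patch adds in crypto.m4 is declared as `AC_ARG_ENABLE(crypto, ...)`, so the switch is `--enable-crypto`. Autoconf only warns about an unrecognized `--enable-*` option, so CRYPTO presumably keeps its default of "no" and configure still probes for NSS — whose mozilla-nss-devel/mozilla-nspr-devel BuildRequires the `@@ -52,8 +58,6 @@` hunk just removed — instead of libcrypto. The line should be `--enable-crypto=yes \`. Because this flag decides which library provides the SHA-512 crypt and salt generation (the libcrypto variant uses EVP_sha512 and RAND_bytes), it is worth confirming in the configure output that the HAVE_CRYPTO conditional is actually set after the fix.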
@@ -124,41 +202,82 @@ rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT # Copy default sssd.conf file -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd -install -m600 server/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf -install server/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd +install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sssd +install -m600 src/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +install src/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd ln -sf ../../etc/init.d/sssd $RPM_BUILD_ROOT/usr/sbin/rcsssd # Remove .la files created by libtool rm -f \ $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \ $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ + $RPM_BUILD_ROOT/%{_libdir}/*.la \ $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ $RPM_BUILD_ROOT/%{_libdir}/python2.6/site-packages/pysss.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la +rm $RPM_BUILD_ROOT/%{_libdir}/*.a %find_lang sss_daemon -%find_lang sss_client -cat sss_client.lang >> sss_daemon.lang +#%find_lang sss_client +#cat sss_client.lang >> sss_daemon.lang + +install -d $RPM_BUILD_ROOT/%{_docdir}/dhash +mv $RPM_BUILD_ROOT/%{_datarootdir}/doc/dhash/* $RPM_BUILD_ROOT/%{_docdir}/dhash + +# remove currently unused libraries +rm -f \ + $RPM_BUILD_ROOT/%{_libdir}/libref_array.* \ + $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/ref_array.pc \ + $RPM_BUILD_ROOT/%{_prefix}/include/ref_array*.h \ + $RPM_BUILD_ROOT/%{_libdir}/libpath_utils.* \ + $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/path_utils.pc \ + $RPM_BUILD_ROOT/%{_prefix}/include/path_utils.h %clean rm -rf $RPM_BUILD_ROOT +%post -p /sbin/ldconfig + +%preun +%stop_on_removal sssd + +%postun +/sbin/ldconfig +%restart_on_update sssd 
+%insserv_cleanup + +%post -n libdhash1 -p /sbin/ldconfig + +%postun -n libdhash1 -p /sbin/ldconfig + +%post -n libcollection1 -p /sbin/ldconfig + +%postun -n libcollection1 -p /sbin/ldconfig + +%post -n libini_config1 -p /sbin/ldconfig + +%postun -n libini_config1 -p /sbin/ldconfig + %files -f sss_daemon.lang %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} %{_sbindir}/sssd %{_sbindir}/rcsssd -%{_libexecdir}/%{servicename}/ -%dir %{_libdir}/%{name}/ +%dir %{_libdir}/%{name} +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/sss* +%{_libexecdir}/%{name}/*_child +%{_libexecdir}/%{name}/upgrade_config.py %{_libdir}/%{name}/libsss_krb5* %{_libdir}/%{name}/libsss_ldap* %{_libdir}/%{name}/libsss_proxy* +%{_libdir}/%{name}/libsss_simple* %{_libdir}/ldb/memberof.so %{_libdir}/krb5/plugins/libkrb5/* %dir %{sssdstatedir} @@ -174,10 +293,12 @@ rm -rf $RPM_BUILD_ROOT %config %{_sysconfdir}/sssd/sssd.api.d/sssd-ldap.conf %config %{_sysconfdir}/sssd/sssd.api.d/sssd-local.conf %config %{_sysconfdir}/sssd/sssd.api.d/sssd-proxy.conf +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-simple.conf /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so %{_mandir}/man5/sssd-krb5.* %{_mandir}/man5/sssd-ldap.* +%{_mandir}/man5/sssd-simple.* %{_mandir}/man5/sssd.conf.* %files tools @@ -189,6 +310,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/sss_groupadd %{_sbindir}/sss_groupdel %{_sbindir}/sss_groupmod +%{_sbindir}/sss_groupshow %files ipa-provider %defattr(-,root,root,-) 
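Review bot: `#%find_lang sss_client` and `#cat sss_client.lang >> sss_daemon.lang` are commented out, but rpm still expands macros on comment lines, so `%find_lang` is expanded there anyway (rpmlint reports this as macro-in-comment); write `#%%find_lang sss_client` or delete both lines. In the same hunk `rm $RPM_BUILD_ROOT/%{_libdir}/*.a` has no `-f`, unlike the surrounding `rm -f` blocks, so %install aborts if no static archive happens to be produced; `rm -f $RPM_BUILD_ROOT/%{_libdir}/*.a` matches the neighbouring style. If the sss_client translations were disabled for a reason (no catalog in 1.1.0, for instance — I cannot tell from the hunk), a one-line comment stating it would save the next reader from re-enabling them blindly.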
@@ -202,15 +324,35 @@ rm -rf $RPM_BUILD_ROOT %{python_sitelib}/*.py* %{python_sitelib}/*.egg-info -%post -/sbin/ldconfig +%files -n libdhash1 +%defattr(-,root,root,-) +%{_libdir}/libdhash.so.* -%preun -%stop_on_removal sssd +%files -n libdhash-devel +%defattr(-,root,root,-) +%{_libdir}/libdhash.so +%{_libdir}/pkgconfig/dhash.pc +%{_prefix}/include/dhash.h +%doc %{_docdir}/dhash -%postun -/sbin/ldconfig -%restart_on_update sssd -%insserv_cleanup +%files -n libini_config1 +%defattr(-,root,root,-) +%{_libdir}/libini_config.so.* + +%files -n libini_config-devel +%defattr(-,root,root,-) +%{_libdir}/libini_config.so +%{_libdir}/pkgconfig/ini_config.pc +%{_prefix}/include/ini_config.h + +%files -n libcollection1 +%defattr(-,root,root,-) +%{_libdir}/libcollection.so.* + +%files -n libcollection-devel +%defattr(-,root,root,-) +%{_libdir}/libcollection.so +%{_libdir}/pkgconfig/collection.pc +%{_prefix}/include/collection*.h %changelog From a5131e6cda850822d25b7a7ad52d7e0ee823ab1e5195cb425936a4427a40b2e2 Mon Sep 17 00:00:00 2001 
From: OBS User autobuild Date: Fri, 3 Sep 2010 14:48:38 +0000 Subject: [PATCH 05/63] Accepting request 47051 from network:ldap Copy from network:ldap/sssd based on submit request 47051 from user rhafer OBS-URL: https://build.opensuse.org/request/show/47051 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=7 --- ...tion-to-use-libcrypto-instead-of-NSS.patch | 451 ------------------ ...nts-for-LDAP-Password-Policy-support.patch | 415 ---------------- 0003-ldap-provider-ld-flags.patch | 29 -- 0004-init-script-dependencies.patch | 29 -- sssd-1.1.0.tar.gz | 3 - sssd-1.3.1.tar.bz2 | 3 + sssd.changes | 29 ++ sssd.spec | 137 ++++-- 8 files changed, 129 insertions(+), 967 deletions(-) delete mode 100644 0001-Added-option-to-use-libcrypto-instead-of-NSS.patch delete mode 100644 0002-Improvements-for-LDAP-Password-Policy-support.patch delete mode 100644 0003-ldap-provider-ld-flags.patch delete mode 100644 0004-init-script-dependencies.patch delete mode 100644 sssd-1.1.0.tar.gz create mode 100644 sssd-1.3.1.tar.bz2 diff --git a/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch b/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch deleted file mode 100644 index 429adf0..0000000 --- a/0001-Added-option-to-use-libcrypto-instead-of-NSS.patch +++ /dev/null 
@@ -1,451 +0,0 @@ -From bf75a22ffc04dfa0387a1389750b0a1e6d3ac397 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Fri, 26 Mar 2010 15:04:51 +0100 -Subject: [PATCH] Added option to use libcrypto instead of NSS. - -crypto_sha512crypt.c is a clone of nss_sha512crypt.c with the exception that -all usage of NSS and related libraries has been switched to libcrypto. -I renamed nss_sha512crypt.h to sha512crypt.h since it is common to both -crypto_sha512crypt.c and nss_sha512crypt.c. Note that the random number -generator is not seeded manually and thus relies on seeding done -automatically by libcrypto. On some systems without /dev/urandom -seeding may not be performed. -See http://www.openssl.org/docs/crypto/RAND_add.html. -Signed-off-by: George McCollister - -Conflicts: - - server/util/nss_sha512crypt.h - server/util/sha512crypt.h - src/Makefile.am - src/configure.ac - src/util/sha512crypt.h ---- - server/external/crypto.m4 | 13 ++ - server/util/crypto_sha512crypt.c | 382 ++++++++++++++++++++++++++++++++++++++ - server/util/sha512crypt.h | 4 + - 3 files changed, 399 insertions(+), 0 deletions(-) - create mode 100644 server/external/crypto.m4 - create mode 100644 server/util/crypto_sha512crypt.c - create mode 100644 server/util/sha512crypt.h - -diff --git a/server/external/crypto.m4 b/server/external/crypto.m4 -new file mode 100644 -index 0000000..d1bcf40 ---- /dev/null -+++ b/server/external/crypto.m4 -@@ -0,0 +1,13 @@ -+AC_ARG_ENABLE(crypto, -+ [ --enable-crypto Use OpenSSL crypto instead of NSS], -+ [CRYPTO="$enableval"], -+ [CRYPTO="no"] -+) -+ -+if test x$CRYPTO != xyes; then -+ PKG_CHECK_MODULES([NSS],[nss],[have_nss=1],[have_nss=]) -+else -+ PKG_CHECK_MODULES([CRYPTO],[libcrypto],[have_crypto=1],[have_crypto=]) -+fi -+AM_CONDITIONAL([HAVE_NSS], [test x$have_nss != x]) -+AM_CONDITIONAL([HAVE_CRYPTO], [test x$have_crypto != x]) -diff --git a/server/util/crypto_sha512crypt.c b/server/util/crypto_sha512crypt.c -new file mode 100644 -index 0000000..9cd03a1 ---- 
/dev/null -+++ b/server/util/crypto_sha512crypt.c -@@ -0,0 +1,382 @@ -+/* This file is based on nss_sha512crypt.c which is based on the work of -+ * Ulrich Drepper (http://people.redhat.com/drepper/SHA-crypt.txt). -+ * -+ * libcrypto is used to provide SHA512 and random number generation. -+ * (http://www.openssl.org/docs/crypto/crypto.html). -+ * -+ * Sumit Bose -+ * George McCollister -+ */ -+/* SHA512-based Unix crypt implementation. -+ Released into the Public Domain by Ulrich Drepper . */ -+ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "util/util.h" -+ -+#include -+#include -+ -+/* Define our magic string to mark salt for SHA512 "encryption" replacement. */ -+const char sha512_salt_prefix[] = "$6$"; -+#define SALT_PREF_SIZE (sizeof(sha512_salt_prefix) - 1) -+ -+/* Prefix for optional rounds specification. */ -+const char sha512_rounds_prefix[] = "rounds="; -+#define ROUNDS_SIZE (sizeof(sha512_rounds_prefix) - 1) -+ -+#define SALT_LEN_MAX 16 -+#define ROUNDS_DEFAULT 5000 -+#define ROUNDS_MIN 1000 -+#define ROUNDS_MAX 999999999 -+ -+/* Table with characters for base64 transformation. 
*/ -+const char b64t[64] = -+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; -+ -+/* base64 conversion function */ -+static inline void b64_from_24bit(char **dest, size_t *len, size_t n, -+ uint8_t b2, uint8_t b1, uint8_t b0) -+{ -+ uint32_t w; -+ size_t i; -+ -+ if (*len < n) n = *len; -+ -+ w = (b2 << 16) | (b1 << 8) | b0; -+ for (i = 0; i < n; i++) { -+ (*dest)[i] = b64t[w & 0x3f]; -+ w >>= 6; -+ } -+ -+ *len -= i; -+ *dest += i; -+} -+ -+#define PTR_2_INT(x) ((x) - ((__typeof__ (x)) NULL)) -+#define ALIGN64 __alignof__(uint64_t) -+ -+static int sha512_crypt_r(const char *key, -+ const char *salt, -+ char *buffer, size_t buflen) -+{ -+ unsigned char temp_result[64] __attribute__((__aligned__(ALIGN64))); -+ unsigned char alt_result[64] __attribute__((__aligned__(ALIGN64))); -+ size_t rounds = ROUNDS_DEFAULT; -+ bool rounds_custom = false; -+ EVP_MD_CTX alt_ctx; -+ EVP_MD_CTX ctx; -+ size_t salt_len; -+ size_t key_len; -+ size_t cnt; -+ char *copied_salt = NULL; -+ char *copied_key = NULL; -+ char *p_bytes = NULL; -+ char *s_bytes = NULL; -+ int p1, p2, p3, pt, n; -+ unsigned int part; -+ char *cp, *tmp; -+ int ret; -+ -+ /* Find beginning of salt string. The prefix should normally always be -+ * present. Just in case it is not. */ -+ if (strncmp(salt, sha512_salt_prefix, SALT_PREF_SIZE) == 0) { -+ /* Skip salt prefix. 
*/ -+ salt += SALT_PREF_SIZE; -+ } -+ -+ if (strncmp(salt, sha512_rounds_prefix, ROUNDS_SIZE) == 0) { -+ unsigned long int srounds; -+ const char *num; -+ char *endp; -+ -+ num = salt + ROUNDS_SIZE; -+ srounds = strtoul(num, &endp, 10); -+ if (*endp == '$') { -+ salt = endp + 1; -+ if (srounds < ROUNDS_MIN) srounds = ROUNDS_MIN; -+ if (srounds > ROUNDS_MAX) srounds = ROUNDS_MAX; -+ rounds = srounds; -+ rounds_custom = true; -+ } -+ } -+ -+ salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); -+ key_len = strlen(key); -+ -+ if ((PTR_2_INT(key) % ALIGN64) != 0) { -+ tmp = (char *)alloca(key_len + ALIGN64); -+ key = copied_key = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, key, key_len); -+ } -+ -+ if (PTR_2_INT(salt) % ALIGN64 != 0) { -+ tmp = (char *)alloca(salt_len + ALIGN64); -+ salt = copied_salt = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, salt, salt_len); -+ } -+ -+ EVP_MD_CTX_init(&ctx); -+ -+ EVP_MD_CTX_init(&alt_ctx); -+ -+ /* Prepare for the real work. */ -+ if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* Add the key string. */ -+ EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); -+ -+ /* The last part is the salt string. This must be at most 16 -+ * characters and it ends at the first `$' character (for -+ * compatibility with existing implementations). */ -+ EVP_DigestUpdate(&ctx, (const unsigned char *)salt, salt_len); -+ -+ -+ /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. -+ * The final result will be added to the first context. */ -+ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* Add key. */ -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ -+ /* Add salt. */ -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len); -+ -+ /* Add key again. */ -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ -+ /* Now get result of this (64 bytes) and add it to the other context. 
*/ -+ EVP_DigestFinal_ex(&alt_ctx, alt_result, &part); -+ -+ /* Add for any character in the key one byte of the alternate sum. */ -+ for (cnt = key_len; cnt > 64; cnt -= 64) { -+ EVP_DigestUpdate(&ctx, alt_result, 64); -+ } -+ EVP_DigestUpdate(&ctx, alt_result, cnt); -+ -+ /* Take the binary representation of the length of the key and for every -+ * 1 add the alternate sum, for every 0 the key. */ -+ for (cnt = key_len; cnt > 0; cnt >>= 1) { -+ if ((cnt & 1) != 0) { -+ EVP_DigestUpdate(&ctx, alt_result, 64); -+ } else { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len); -+ } -+ } -+ -+ /* Create intermediate result. */ -+ EVP_DigestFinal_ex(&ctx, alt_result, &part); -+ -+ /* Start computation of P byte sequence. */ -+ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* For every character in the password add the entire password. */ -+ for (cnt = 0; cnt < key_len; cnt++) { -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len); -+ } -+ -+ /* Finish the digest. */ -+ EVP_DigestFinal_ex(&alt_ctx, temp_result, &part); -+ -+ /* Create byte sequence P. */ -+ cp = p_bytes = alloca(key_len); -+ for (cnt = key_len; cnt >= 64; cnt -= 64) { -+ cp = mempcpy(cp, temp_result, 64); -+ } -+ memcpy(cp, temp_result, cnt); -+ -+ /* Start computation of S byte sequence. */ -+ if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* For every character in the password add the entire salt. */ -+ for (cnt = 0; cnt < 16 + alt_result[0]; cnt++) { -+ EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len); -+ } -+ -+ /* Finish the digest. */ -+ EVP_DigestFinal_ex(&alt_ctx, temp_result, &part); -+ -+ /* Create byte sequence S. */ -+ cp = s_bytes = alloca(salt_len); -+ for (cnt = salt_len; cnt >= 64; cnt -= 64) { -+ cp = mempcpy(cp, temp_result, 64); -+ } -+ memcpy(cp, temp_result, cnt); -+ -+ /* Repeatedly run the collected hash value through SHA512 to burn CPU cycles. 
*/ -+ for (cnt = 0; cnt < rounds; cnt++) { -+ -+ if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) { -+ ret = EIO; -+ goto done; -+ } -+ -+ /* Add key or last result. */ -+ if ((cnt & 1) != 0) { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ } else { -+ EVP_DigestUpdate(&ctx, alt_result, 64); -+ } -+ -+ /* Add salt for numbers not divisible by 3. */ -+ if (cnt % 3 != 0) { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)s_bytes, salt_len); -+ } -+ -+ /* Add key for numbers not divisible by 7. */ -+ if (cnt % 7 != 0) { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ } -+ -+ /* Add key or last result. */ -+ if ((cnt & 1) != 0) { -+ EVP_DigestUpdate(&ctx, alt_result, 64); -+ } else { -+ EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len); -+ } -+ -+ /* Create intermediate result. */ -+ EVP_DigestFinal_ex(&ctx, alt_result, &part); -+ } -+ -+ /* Now we can construct the result string. -+ * It consists of three parts. */ -+ if (buflen <= SALT_PREF_SIZE) { -+ ret = ERANGE; -+ goto done; -+ } -+ -+ cp = __stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); -+ buflen -= SALT_PREF_SIZE; -+ -+ if (rounds_custom) { -+ n = snprintf(cp, buflen, "%s%zu$", -+ sha512_rounds_prefix, rounds); -+ if (n < 0 || n >= buflen) { -+ ret = ERANGE; -+ goto done; -+ } -+ cp += n; -+ buflen -= n; -+ } -+ -+ if (buflen <= salt_len + 1) { -+ ret = ERANGE; -+ goto done; -+ } -+ cp = __stpncpy(cp, salt, salt_len); -+ *cp++ = '$'; -+ buflen -= salt_len + 1; -+ -+ /* fuzzyfill the base 64 string */ -+ p1 = 0; -+ p2 = 21; -+ p3 = 42; -+ for (n = 0; n < 21; n++) { -+ b64_from_24bit(&cp, &buflen, 4, alt_result[p1], alt_result[p2], alt_result[p3]); -+ if (buflen == 0) { -+ ret = ERANGE; -+ goto done; -+ } -+ pt = p1; -+ p1 = p2 + 1; -+ p2 = p3 + 1; -+ p3 = pt + 1; -+ } -+ /* 64th and last byte */ -+ b64_from_24bit(&cp, &buflen, 2, 0, 0, alt_result[p3]); -+ if (buflen == 0) { -+ ret = ERANGE; -+ goto done; -+ } -+ -+ *cp = '\0'; -+ ret = EOK; -+ 
-+done: -+ /* Clear the buffer for the intermediate result so that people attaching -+ * to processes or reading core dumps cannot get any information. We do it -+ * in this way to clear correct_words[] inside the SHA512 implementation -+ * as well. */ -+ EVP_MD_CTX_cleanup(&ctx); -+ EVP_MD_CTX_cleanup(&alt_ctx); -+ if (p_bytes) memset(p_bytes, '\0', key_len); -+ if (s_bytes) memset(s_bytes, '\0', salt_len); -+ if (copied_key) memset(copied_key, '\0', key_len); -+ if (copied_salt) memset(copied_salt, '\0', salt_len); -+ memset(temp_result, '\0', sizeof(temp_result)); -+ -+ return ret; -+} -+ -+int s3crypt_sha512(TALLOC_CTX *memctx, -+ const char *key, const char *salt, char **_hash) -+{ -+ char *hash; -+ int hlen = (sizeof (sha512_salt_prefix) - 1 -+ + sizeof (sha512_rounds_prefix) + 9 + 1 -+ + strlen (salt) + 1 + 86 + 1); -+ int ret; -+ -+ hash = talloc_size(memctx, hlen); -+ if (!hash) return ENOMEM; -+ -+ ret = sha512_crypt_r(key, salt, hash, hlen); -+ if (ret) return ret; -+ -+ *_hash = hash; -+ return ret; -+} -+ -+#define SALT_RAND_LEN 12 -+ -+int s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt) -+{ -+ uint8_t rb[SALT_RAND_LEN]; -+ char *salt, *cp; -+ size_t slen; -+ int ret; -+ -+ salt = talloc_size(memctx, SALT_LEN_MAX + 1); -+ if (!salt) { -+ return ENOMEM; -+ } -+ -+ ret = RAND_bytes(rb, SALT_RAND_LEN); -+ if (ret == 0) { -+ return EIO; -+ } -+ -+ slen = SALT_LEN_MAX; -+ cp = salt; -+ b64_from_24bit(&cp, &slen, 4, rb[0], rb[1], rb[2]); -+ b64_from_24bit(&cp, &slen, 4, rb[3], rb[4], rb[5]); -+ b64_from_24bit(&cp, &slen, 4, rb[6], rb[7], rb[8]); -+ b64_from_24bit(&cp, &slen, 4, rb[9], rb[10], rb[11]); -+ *cp = '\0'; -+ -+ *_salt = salt; -+ -+ return EOK; -+} -+ -diff --git a/server/util/sha512crypt.h b/server/util/sha512crypt.h -new file mode 100644 -index 0000000..5512c5d ---- /dev/null -+++ b/server/util/sha512crypt.h -@@ -0,0 +1,4 @@ -+ -+int s3crypt_sha512(TALLOC_CTX *mmectx, -+ const char *key, const char *salt, char **_hash); -+int 
s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt); --- -1.7.0.2 - diff --git a/0002-Improvements-for-LDAP-Password-Policy-support.patch b/0002-Improvements-for-LDAP-Password-Policy-support.patch deleted file mode 100644 index c155afe..0000000 --- a/0002-Improvements-for-LDAP-Password-Policy-support.patch +++ /dev/null 
@@ -1,415 +0,0 @@ -From 536c01cf9a04573c2351542fe00973e1538014a5 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Fri, 12 Mar 2010 10:54:40 +0100 -Subject: [PATCH] Improvements for LDAP Password Policy support - -Display warnings about remaining grace logins and password -expiration to the user, when LDAP Password Policies are used. - -Improved detection if LDAP Password policies are supported by -LDAP Server. ---- - src/providers/ldap/ldap_auth.c | 52 +++++++++++++++++- - src/providers/ldap/sdap.h | 5 ++ - src/providers/ldap/sdap_async.h | 6 ++- - src/providers/ldap/sdap_async_connection.c | 53 +++++++++++++++---- - src/sss_client/pam_sss.c | 82 ++++++++++++++++++++++++++++ - src/sss_client/sss_cli.h | 23 ++++++--- - 6 files changed, 201 insertions(+), 20 deletions(-) - -diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c -index 5228703..8c77e3a 100644 ---- a/src/providers/ldap/ldap_auth.c -+++ b/src/providers/ldap/ldap_auth.c -@@ -7,6 +7,7 @@ - Sumit Bose - - Copyright (C) 2008 Red Hat -+ Copyright (C) 2010, rhafer@suse.de, Novell Inc. 
- - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -135,6 +136,39 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now, - return EOK; - } - -+static errno_t check_pwexpire_ldap(struct pam_data *pd, -+ struct sdap_ppolicy_data *ppolicy, -+ enum sdap_result *result) -+{ -+ if (ppolicy->grace > 0 || ppolicy->expire > 0) { -+ uint32_t *data; -+ uint32_t *ptr; -+ -+ data = talloc_size(pd, 2* sizeof(uint32_t)); -+ if (data == NULL) { -+ DEBUG(1, ("talloc_size failed.\n")); -+ return ENOMEM; -+ } -+ -+ ptr = data; -+ if (ppolicy->grace > 0) { -+ *ptr = SSS_PAM_USER_INFO_GRACE_LOGIN; -+ ptr++; -+ *ptr = ppolicy->grace; -+ } else if (ppolicy->expire > 0) { -+ *ptr = SSS_PAM_USER_INFO_EXPIRE_WARN; -+ ptr++; -+ *ptr = ppolicy->expire; -+ } -+ -+ pam_add_response(pd, SSS_PAM_USER_INFO, 2* sizeof(uint32_t), -+ (uint8_t*)data); -+ } -+ -+ *result = SDAP_AUTH_SUCCESS; -+ return EOK; -+} -+ - static errno_t string_to_shadowpw_days(const char *s, long *d) - { - long l; -@@ -569,8 +603,15 @@ static void auth_bind_user_done(struct tevent_req *subreq) - struct auth_state *state = tevent_req_data(req, - struct auth_state); - int ret; -- -- ret = sdap_auth_recv(subreq, &state->result); -+ struct sdap_ppolicy_data *ppolicy; -+ -+ ret = sdap_auth_recv(subreq, state, &state->result, &ppolicy); -+ if (ppolicy != NULL) { -+ DEBUG(9,("Found ppolicy data, " -+ "assuming LDAP password policies are active.\n")); -+ state->pw_expire_type = PWEXPIRE_LDAP_PASSWORD_POLICY; -+ state->pw_expire_data = ppolicy; -+ } - talloc_zfree(subreq); - if (ret) { - tevent_req_error(req, ret); -@@ -960,6 +1001,13 @@ static void sdap_pam_auth_done(struct tevent_req *req) - } - break; - case PWEXPIRE_LDAP_PASSWORD_POLICY: -+ ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result); -+ if (ret != EOK) { -+ DEBUG(1, ("check_pwexpire_ldap failed.\n")); -+ state->pd->pam_status = PAM_SYSTEM_ERR; -+ goto 
done; -+ } -+ break; - case PWEXPIRE_NONE: - break; - default: -diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index 007185f..f0e345e 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -85,6 +85,11 @@ struct sdap_service { - char *uri; - }; - -+struct sdap_ppolicy_data { -+ int grace; -+ int expire; -+}; -+ - #define SYSDB_SHADOWPW_LASTCHANGE "shadowLastChange" - #define SYSDB_SHADOWPW_MIN "shadowMin" - #define SYSDB_SHADOWPW_MAX "shadowMax" -diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h -index 3c52d23..888df6b 100644 ---- a/src/providers/ldap/sdap_async.h -+++ b/src/providers/ldap/sdap_async.h -@@ -76,7 +76,11 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, - const char *user_dn, - const char *authtok_type, - struct dp_opt_blob authtok); --int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result); -+ -+int sdap_auth_recv(struct tevent_req *req, -+ TALLOC_CTX *memctx, -+ enum sdap_result *result, -+ struct sdap_ppolicy_data **ppolicy); - - struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - struct tevent_context *ev, -diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c -index 586733f..f8c6956 100644 ---- a/src/providers/ldap/sdap_async_connection.c -+++ b/src/providers/ldap/sdap_async_connection.c -@@ -4,6 +4,7 @@ - Async LDAP Helper routines - - Copyright (C) Simo Sorce - 2009 -+ Copyright (C) 2010, rhafer@suse.de, Novell Inc. 
- - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -278,6 +279,7 @@ struct simple_bind_state { - struct sdap_op *op; - - struct sdap_msg *reply; -+ struct sdap_ppolicy_data *ppolicy; - int result; - }; - -@@ -401,6 +403,7 @@ static void simple_bind_done(struct sdap_op *op, - - if (response_controls == NULL) { - DEBUG(5, ("Server returned no controls.\n")); -+ state->ppolicy = NULL; - } else { - for (c = 0; response_controls[c] != NULL; c++) { - DEBUG(9, ("Server returned control [%s].\n", -@@ -420,12 +423,30 @@ static void simple_bind_done(struct sdap_op *op, - DEBUG(7, ("Password Policy Response: expire [%d] grace [%d] " - "error [%s].\n", pp_expire, pp_grace, - ldap_passwordpolicy_err2txt(pp_error))); -- -- if ((state->result == LDAP_SUCCESS && -- (pp_error == PP_changeAfterReset || pp_grace > 0)) || -- (state->result == LDAP_INVALID_CREDENTIALS && -- pp_error == PP_passwordExpired ) ) { -- DEBUG(4, ("User must set a new password.\n")); -+ state->ppolicy = talloc(state, struct sdap_ppolicy_data); -+ if (state->ppolicy == NULL) { -+ DEBUG(1, ("talloc failed.\n")); -+ ret = ENOMEM; -+ goto done; -+ } -+ state->ppolicy->grace = pp_grace; -+ state->ppolicy->expire = pp_expire; -+ if (state->result == LDAP_SUCCESS) { -+ if (pp_error == PP_changeAfterReset) { -+ DEBUG(4, ("Password was reset. " -+ "User must set a new password.\n")); -+ state->result = LDAP_X_SSSD_PASSWORD_EXPIRED; -+ } else if (pp_grace > 0) { -+ DEBUG(4, ("Password expired. 
" -+ "[%d] grace logins remaining.\n", pp_grace)); -+ } else if (pp_expire > 0) { -+ DEBUG(4, ("Password will expire in [%d] seconds.\n", -+ pp_expire)); -+ } -+ } else if (state->result == LDAP_INVALID_CREDENTIALS && -+ pp_error == PP_passwordExpired) { -+ DEBUG(4, -+ ("Password expired user must set a new password.\n")); - state->result = LDAP_X_SSSD_PASSWORD_EXPIRED; - } - } -@@ -446,7 +467,10 @@ done: - } - } - --static int simple_bind_recv(struct tevent_req *req, int *ldaperr) -+static int simple_bind_recv(struct tevent_req *req, -+ TALLOC_CTX *memctx, -+ int *ldaperr, -+ struct sdap_ppolicy_data **ppolicy) - { - struct simple_bind_state *state = tevent_req_data(req, - struct simple_bind_state); -@@ -455,6 +479,7 @@ static int simple_bind_recv(struct tevent_req *req, int *ldaperr) - TEVENT_REQ_RETURN_ON_ERROR(req); - - *ldaperr = state->result; -+ *ppolicy = talloc_steal(memctx, state->ppolicy); - return EOK; - } - -@@ -704,6 +729,7 @@ int sdap_kinit_recv(struct tevent_req *req, enum sdap_result *result) - struct sdap_auth_state { - const char *user_dn; - struct berval pw; -+ struct sdap_ppolicy_data *ppolicy; - - int result; - bool is_sasl; -@@ -766,8 +792,9 @@ static void sdap_auth_done(struct tevent_req *subreq) - - if (state->is_sasl) { - ret = sasl_bind_recv(subreq, &state->result); -+ state->ppolicy = NULL; - } else { -- ret = simple_bind_recv(subreq, &state->result); -+ ret = simple_bind_recv(subreq, state, &state->result, &state->ppolicy); - } - if (ret != EOK) { - tevent_req_error(req, ret); -@@ -777,7 +804,10 @@ static void sdap_auth_done(struct tevent_req *subreq) - tevent_req_done(req); - } - --int sdap_auth_recv(struct tevent_req *req, enum sdap_result *result) -+int sdap_auth_recv(struct tevent_req *req, -+ TALLOC_CTX *memctx, -+ enum sdap_result *result, -+ struct sdap_ppolicy_data **ppolicy) - { - struct sdap_auth_state *state = tevent_req_data(req, - struct sdap_auth_state); -@@ -785,6 +815,9 @@ int sdap_auth_recv(struct tevent_req *req, enum 
sdap_result *result) - *result = SDAP_ERROR; - TEVENT_REQ_RETURN_ON_ERROR(req); - -+ if (ppolicy != NULL) { -+ *ppolicy = talloc_steal(memctx, state->ppolicy); -+ } - switch (state->result) { - case LDAP_SUCCESS: - *result = SDAP_AUTH_SUCCESS; -@@ -1078,7 +1111,7 @@ static void sdap_cli_auth_done(struct tevent_req *subreq) - enum sdap_result result; - int ret; - -- ret = sdap_auth_recv(subreq, &result); -+ ret = sdap_auth_recv(subreq, NULL, &result, NULL); - talloc_zfree(subreq); - if (ret) { - tevent_req_error(req, ret); -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 2ba6f15..07ed4e7 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -3,6 +3,7 @@ - Sumit Bose - - Copyright (C) 2009 Red Hat -+ Copyright (C) 2010, rhafer@suse.de, Novell Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU Lesser General Public License as published by -@@ -436,6 +437,81 @@ static int user_info_offline_auth(pam_handle_t *pamh, size_t buflen, - return PAM_SUCCESS; - } - -+static int user_info_grace_login(pam_handle_t *pamh, -+ size_t buflen, -+ uint8_t *buf) -+{ -+ int ret; -+ uint32_t grace; -+ char user_msg[256]; -+ -+ if (buflen != 2* sizeof(uint32_t)) { -+ D(("User info response data has the wrong size")); -+ return PAM_BUF_ERR; -+ } -+ memcpy(&grace, buf + sizeof(uint32_t), sizeof(uint32_t)); -+ ret = snprintf(user_msg, sizeof(user_msg), -+ _("Your password has expired. 
" -+ "You have %d grace login(s) remaining."), -+ grace); -+ if (ret < 0 || ret >= sizeof(user_msg)) { -+ D(("snprintf failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); -+ -+ if (ret != PAM_SUCCESS) { -+ D(("do_pam_conversation failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ return PAM_SUCCESS; -+} -+ -+#define MINSEC 60 -+#define HOURSEC (60*MINSEC) -+#define DAYSEC (24*HOURSEC) -+static int user_info_expire_warn(pam_handle_t *pamh, -+ size_t buflen, -+ uint8_t *buf) -+{ -+ int ret; -+ uint32_t expire; -+ char user_msg[256]; -+ const char* unit="second(s)"; -+ -+ if (buflen != 2* sizeof(uint32_t)) { -+ D(("User info response data has the wrong size")); -+ return PAM_BUF_ERR; -+ } -+ memcpy(&expire, buf + sizeof(uint32_t), sizeof(uint32_t)); -+ if (expire >= DAYSEC) { -+ expire /= DAYSEC; -+ unit = "day(s)"; -+ } else if (expire >= HOURSEC) { -+ expire /= HOURSEC; -+ unit = "hour(s)"; -+ } else if (expire >= MINSEC) { -+ expire /= MINSEC; -+ unit = "minute(s)"; -+ } -+ -+ ret = snprintf(user_msg, sizeof(user_msg), -+ _("Your password will expire in %d %s."), expire, unit); -+ if (ret < 0 || ret >= sizeof(user_msg)) { -+ D(("snprintf failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); -+ -+ if (ret != PAM_SUCCESS) { -+ D(("do_pam_conversation failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ return PAM_SUCCESS; -+} -+ - static int user_info_offline_auth_delayed(pam_handle_t *pamh, size_t buflen, - uint8_t *buf) - { -@@ -563,6 +639,12 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen, - case SSS_PAM_USER_INFO_OFFLINE_AUTH: - ret = user_info_offline_auth(pamh, buflen, buf); - break; -+ case SSS_PAM_USER_INFO_GRACE_LOGIN: -+ ret = user_info_grace_login(pamh, buflen, buf); -+ break; -+ case SSS_PAM_USER_INFO_EXPIRE_WARN: -+ ret = user_info_expire_warn(pamh, buflen, buf); -+ break; - case 
SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED: - ret = user_info_offline_auth_delayed(pamh, buflen, buf); - break; -diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h -index 2edd158..f387265 100644 ---- a/src/sss_client/sss_cli.h -+++ b/src/sss_client/sss_cli.h -@@ -377,13 +377,22 @@ enum user_info_type { - * possible to change the password while - * the system is offline. This message - * is generated by the PAM responder. */ -- SSS_PAM_USER_INFO_CHPASS_ERROR /**< Tell the user that a password change -- * failed and optionally give a reason. -- * @param Size of the message as unsigned -- * 32-bit integer value. A value of 0 -- * indicates that no message is following. -- * @param String with the specified -- * length. */ -+ SSS_PAM_USER_INFO_CHPASS_ERROR, /**< Tell the user that a password change -+ * failed and optionally give a reason. -+ * @param Size of the message as unsigned -+ * 32-bit integer value. A value of 0 -+ * indicates that no message is following. -+ * @param String with the specified -+ * length. */ -+ SSS_PAM_USER_INFO_GRACE_LOGIN, /**< Warn the user that the password is -+ * expired and inform about the remaining -+ * number of grace logins. -+ * @param The number of remaining grace -+ * logins as uint32_t */ -+ SSS_PAM_USER_INFO_EXPIRE_WARN /**< Warn the user that the password will -+ * expire soon. -+ * @param Number of seconds before the user's -+ * password will expire. */ - }; - /** - * @} --- -1.7.0.2 - diff --git a/0003-ldap-provider-ld-flags.patch b/0003-ldap-provider-ld-flags.patch deleted file mode 100644 index 087ae76..0000000 --- a/0003-ldap-provider-ld-flags.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 840bb425fe0cb6f4904d5610ffd1fdfd9eed235d Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Wed, 31 Mar 2010 10:40:13 +0200 -Subject: [PATCH] ldap provider ld flags - -The LDAP provider needs to be linked against libdhash ---- - src/Makefile.am | 2 ++ - 1 files changed, 2 insertions(+), 0 deletions(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 6d46cda..6f14eee 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -717,9 +717,11 @@ libsss_ldap_la_SOURCES = \ - util/sss_krb5.c - libsss_ldap_la_CFLAGS = \ - $(AM_CFLAGS) \ -+ $(DHASH_CFLAGS) \ - $(LDAP_CFLAGS) \ - $(KRB5_CFLAGS) - libsss_ldap_la_LIBADD = \ -+ $(DHASH_LIBS) \ - $(OPENLDAP_LIBS) \ - $(KRB5_LIBS) - libsss_ldap_la_LDFLAGS = \ --- -1.7.0.2 - diff --git a/0004-init-script-dependencies.patch b/0004-init-script-dependencies.patch deleted file mode 100644 index 326a9c2..0000000 --- a/0004-init-script-dependencies.patch +++ /dev/null @@ -1,29 +0,0 @@ -From b9090cb4d12147267a4fb1ad9bb74bb226bcbe34 Mon Sep 17 00:00:00 2001 -From: Ralf Haferkamp -Date: Wed, 31 Mar 2010 12:21:21 +0200 -Subject: [PATCH] init script dependencies - ---- - src/sysv/SUSE/sssd | 4 ++-- - 1 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/sysv/SUSE/sssd b/src/sysv/SUSE/sssd -index 2f98c21..262ecde 100644 ---- a/src/sysv/SUSE/sssd -+++ b/src/sysv/SUSE/sssd -@@ -1,10 +1,10 @@ - #!/bin/sh - ### BEGIN INIT INFO - # Provides: sssd --# Required-Start: $remote_fs $time -+# Required-Start: $network $remote_fs $time - # Should-Start: $syslog - # Should-Stop: $syslog --# Required-Stop: $remote_fs -+# Required-Stop: $network $remote_fs $time - # Default-Start: 3 5 - # Default-Stop: 0 1 2 4 6 - # Short-Description: System Security Services Daemon --- -1.7.0.2 - diff --git a/sssd-1.1.0.tar.gz b/sssd-1.1.0.tar.gz deleted file mode 100644 index 8d8f9d4..0000000 --- a/sssd-1.1.0.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6b7805445f2f04505c26186d112bf3c53f6fd0e374a7ded476bfc1185b7c13be -size 2838565 diff --git a/sssd-1.3.1.tar.bz2 b/sssd-1.3.1.tar.bz2 new file mode 100644 index 0000000..176823c --- /dev/null +++ b/sssd-1.3.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3be81ad8a17c76f7a9269b7ddc14abd4f41d04db10f49a34771c300b6b6bfa82 +size 2264583 diff --git a/sssd.changes b/sssd.changes index 2cf79d0..0af1b01 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com + +- No dependencies on %{release} + +------------------------------------------------------------------- +Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com + +- Updated to 1.3.1 + * Fixes to the HBAC backend for obsolete or removed HBAC entries + * Improvements to log messages around TLS and GSSAPI for LDAP + * Support for building in environments using --as-needed LDFLAGS + * Vast performance improvement for initgroups on RFC2307 LDAP servers + * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the + daemon if SSSD is restarted + * Rewrote the internal LDB cache API. As a synchronous API it is now faster + to access and easier to work with + * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider + - We now handle failover situations much more reliably than we did + previously + - We also will now monitor the GSSAPI kerberos ticket and automatically + renew it when appropriate, instead of waiting for a connection to fail + * Support for netlink now allows us to more quickly detect situations + where we may have come online + * New option "dns_discovery_domain" allows better configuration for + using SRV records for failover +- New subpackages: libpath_utils1, libpath_utils-devel, libref_array1 + and libref_array-devel + ------------------------------------------------------------------- Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com diff --git a/sssd.spec b/sssd.spec index e7725ef..a144182 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,5 +1,5 @@ # -# spec file for package sssd (Version 1.1.0) +# spec file for package sssd (Version 1.3.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -18,24 +18,20 @@ Name: sssd -Version: 1.1.0 +Version: 1.3.1 Release: 1 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ -Source0: %{name}-%{version}.tar.gz +Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf -Patch1: 0001-Added-option-to-use-libcrypto-instead-of-NSS.patch -Patch2: 0002-Improvements-for-LDAP-Password-Policy-support.patch -Patch3: 0003-ldap-provider-ld-flags.patch -Patch4: 0004-init-script-dependencies.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define dhash_version 0.4.0 %define path_utils_version 0.2.0 -%define collection_version 0.4.0 -%define ini_config_version 0.4.0 +%define collection_version 0.5.0 +%define ini_config_version 0.6.0 %define refarray_version 0.1.0 ### Dependencies ### @@ -54,17 +50,20 @@ BuildRequires: libtalloc-devel BuildRequires: libtevent-devel BuildRequires: libtdb-devel BuildRequires: libldb-devel +BuildRequires: libxslt +BuildRequires: libxml2 +BuildRequires: libcares-devel +BuildRequires: libnl-devel BuildRequires: dbus-1-devel BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config BuildRequires: pcre-devel -BuildRequires: libxslt -BuildRequires: libxml2 BuildRequires: docbook-xsl-stylesheets BuildRequires: krb5-devel -BuildRequires: libcares-devel BuildRequires: python-devel +BuildRequires: bind-utils +BuildRequires: nscd %description Provides a set of daemons to manage access to remote directories and @@ -107,7 +106,7 @@ Security Services Daemon (sssd). Summary: Dynamic hash table Group: Development/Libraries/C and C++ Version: %{dhash_version} -Release: 1 +Release: 4 License: LGPLv3+ %description -n libdhash1 @@ -118,7 +117,7 @@ time properties Summary: Development files for libdhash Group: Development/Libraries/C and C++ Version: %{dhash_version} -Release: 1 +Release: 4 Requires: libdhash1 = %{dhash_version} License: LGPLv3+ 
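Review bot: The four `Patch` lines are dropped here (and their `%patch` calls in the `@@ -165,19 +164,57 @@` hunk), but neither the commit message nor the sssd.changes entry records whether the carried fixes — the libcrypto-instead-of-NSS build option and the LDAP password-policy grace/expiry warnings in particular — are part of upstream 1.3.1 or were simply lost with the rebase. The `--enable-cryptp=yes` switch kept in the `@@ -191,7 +228,8 @@` hunk suggests the former for 0001, but that cannot be confirmed from the diff. If they were merged, one changelog line makes the drop auditable, e.g. `- Dropped patches 0001-0004: merged upstream in 1.3.1`; if they were not, the loss of the password-expiry warnings would be a silent regression for users.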
@@ -126,14 +125,14 @@ License: LGPLv3+ A hash table which will dynamically resize to achieve optimal storage & access time properties -%package -n libcollection1 +%package -n libcollection2 Summary: Collection data-type for C Group: Development/Libraries/C and C++ Version: %{collection_version} Release: 1 License: LGPLv3+ -%description -n libcollection1 +%description -n libcollection2 A data-type to collect data in a heirarchical structure for easy iteration and serialization @@ -142,21 +141,21 @@ Summary: Development files for libcollection Group: Development/Libraries/C and C++ Version: %{collection_version} Release: 1 -Requires: libcollection1 = %{collection_version} +Requires: libcollection2 = %{collection_version} License: LGPLv3+ %description -n libcollection-devel A data-type to collect data in a heirarchical structure for easy iteration and serialization -%package -n libini_config1 +%package -n libini_config2 Summary: INI file parser for C Group: Development/Libraries/C and C++ Version: %{ini_config_version} Release: 1 License: LGPLv3+ -%description -n libini_config1 +%description -n libini_config2 Library to process config files in INI format into a libcollection data structure 
@@ -165,19 +164,57 @@ Summary: Development files for libini_config Group: Development/Libraries/C and C++ Version: %{ini_config_version} Release: 1 -Requires: libini_config1 = %{ini_config_version} +Requires: libini_config2 = %{ini_config_version} License: LGPLv3+ %description -n libini_config-devel Library to process config files in INI format into a libcollection data structure +%package -n libpath_utils1 +Summary: Filesystem Path Utilities +Group: Development/Libraries/C and C++ +Version: %{path_utils_version} +Release: 1 +License: LGPLv3+ + +%description -n libpath_utils1 +Utility functions to manipulate filesystem pathnames + +%package -n libpath_utils-devel +Summary: Development files for libpath_utils +Group: Development/Libraries/C and C++ +Version: %{path_utils_version} +Release: 1 +Requires: libpath_utils1 = %{path_utils_version} +License: LGPLv3+ + +%description -n libpath_utils-devel +Utility functions to manipulate filesystem pathnames + +%package -n libref_array1 +Summary: A refcounted array for C +Group: Development/Libraries/C and C++ +Version: %{refarray_version} +Release: 1 +License: LGPLv3+ + +%description -n libref_array1 +A dynamically-growing, reference-counted array + +%package -n libref_array-devel +Summary: Development files for libref_array +Group: Development/Libraries/C and C++ +Version: %{refarray_version} +Release: 1 +Requires: libref_array1 = %{refarray_version} +License: LGPLv3+ + +%description -n libref_array-devel +A dynamically-growing, reference-counted array + %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 %build autoreconf @@ -191,7 +228,8 @@ export LDB_CFLAGS="-I/usr/include" --enable-nsslibdir=/%{_lib} \ --enable-cryptp=yes \ --with-ldb-lib-dir=%{_libdir}/ldb \ - --with-selinux=no + --with-selinux=no \ + --with-semanage=no #make %{?_smp_mflags} make 
@@ -229,15 +267,6 @@ rm $RPM_BUILD_ROOT/%{_libdir}/*.a install -d $RPM_BUILD_ROOT/%{_docdir}/dhash mv $RPM_BUILD_ROOT/%{_datarootdir}/doc/dhash/* $RPM_BUILD_ROOT/%{_docdir}/dhash -# remove currently unused libraries -rm -f \ - $RPM_BUILD_ROOT/%{_libdir}/libref_array.* \ - $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/ref_array.pc \ - $RPM_BUILD_ROOT/%{_prefix}/include/ref_array*.h \ - $RPM_BUILD_ROOT/%{_libdir}/libpath_utils.* \ - $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/path_utils.pc \ - $RPM_BUILD_ROOT/%{_prefix}/include/path_utils.h - %clean rm -rf $RPM_BUILD_ROOT @@ -255,13 +284,21 @@ rm -rf $RPM_BUILD_ROOT %postun -n libdhash1 -p /sbin/ldconfig -%post -n libcollection1 -p /sbin/ldconfig +%post -n libcollection2 -p /sbin/ldconfig -%postun -n libcollection1 -p /sbin/ldconfig +%postun -n libcollection2 -p /sbin/ldconfig -%post -n libini_config1 -p /sbin/ldconfig +%post -n libini_config2 -p /sbin/ldconfig -%postun -n libini_config1 -p /sbin/ldconfig +%postun -n libini_config2 -p /sbin/ldconfig + +%post -n libpath_utils1 -p /sbin/ldconfig + +%postun -n libpath_utils1 -p /sbin/ldconfig + +%post -n libref_array1 -p /sbin/ldconfig + +%postun -n libref_array1 -p /sbin/ldconfig %files -f sss_daemon.lang %defattr(-,root,root,-) @@ -335,7 +372,7 @@ rm -rf $RPM_BUILD_ROOT %{_prefix}/include/dhash.h %doc %{_docdir}/dhash -%files -n libini_config1 +%files -n libini_config2 %defattr(-,root,root,-) %{_libdir}/libini_config.so.* @@ -345,7 +382,7 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/pkgconfig/ini_config.pc %{_prefix}/include/ini_config.h -%files -n libcollection1 +%files -n libcollection2 %defattr(-,root,root,-) %{_libdir}/libcollection.so.* 
@@ -355,4 +392,24 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/pkgconfig/collection.pc %{_prefix}/include/collection*.h +%files -n libpath_utils1 +%defattr(-,root,root,-) +%{_libdir}/libpath_utils.so.* + +%files -n libpath_utils-devel +%defattr(-,root,root,-) +%{_libdir}/libpath_utils.so +%{_libdir}/pkgconfig/path_utils.pc +%{_prefix}/include/path_utils*.h + +%files -n libref_array1 +%defattr(-,root,root,-) +%{_libdir}/libref_array.so.* + +%files -n libref_array-devel +%defattr(-,root,root,-) +%{_libdir}/libref_array.so +%{_libdir}/pkgconfig/ref_array.pc +%{_prefix}/include/ref_array*.h + %changelog From 85bd4f9ceffc5c9f76809cadfa391191e1a97566aee1e09abc18faff990b1d63 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Fri, 17 Sep 2010 23:33:16 +0000 Subject: [PATCH 06/63] Accepting request 48186 from network:ldap Copy from network:ldap/sssd based on submit request 48186 from user rhafer OBS-URL: https://build.opensuse.org/request/show/48186 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=8 --- sssd.changes | 5 +++++ sssd.spec | 24 ++++++++++++------------ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/sssd.changes b/sssd.changes index 0af1b01..ada4e70 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com + +- remove hard coded python version + ------------------------------------------------------------------- Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com diff --git a/sssd.spec b/sssd.spec index a144182..3f541cc 100644 --- a/sssd.spec +++ b/sssd.spec @@ -19,7 +19,7 @@ Name: sssd Version: 1.3.1 -Release: 1 +Release: 2 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ 
@@ -106,7 +106,7 @@ Security Services Daemon (sssd). Summary: Dynamic hash table Group: Development/Libraries/C and C++ Version: %{dhash_version} -Release: 4 +Release: 5 License: LGPLv3+ %description -n libdhash1 @@ -117,7 +117,7 @@ time properties Summary: Development files for libdhash Group: Development/Libraries/C and C++ Version: %{dhash_version} -Release: 4 +Release: 5 Requires: libdhash1 = %{dhash_version} License: LGPLv3+ @@ -129,7 +129,7 @@ time properties Summary: Collection data-type for C Group: Development/Libraries/C and C++ Version: %{collection_version} -Release: 1 +Release: 2 License: LGPLv3+ %description -n libcollection2 @@ -140,7 +140,7 @@ and serialization Summary: Development files for libcollection Group: Development/Libraries/C and C++ Version: %{collection_version} -Release: 1 +Release: 2 Requires: libcollection2 = %{collection_version} License: LGPLv3+ @@ -152,7 +152,7 @@ and serialization Summary: INI file parser for C Group: Development/Libraries/C and C++ Version: %{ini_config_version} -Release: 1 +Release: 2 License: LGPLv3+ %description -n libini_config2 @@ -163,7 +163,7 @@ structure Summary: Development files for libini_config Group: Development/Libraries/C and C++ Version: %{ini_config_version} -Release: 1 +Release: 2 Requires: libini_config2 = %{ini_config_version} License: LGPLv3+ @@ -175,7 +175,7 @@ structure Summary: Filesystem Path Utilities Group: Development/Libraries/C and C++ Version: %{path_utils_version} -Release: 1 +Release: 2 License: LGPLv3+ %description -n libpath_utils1 @@ -185,7 +185,7 @@ Utility functions to manipulate filesystem pathnames Summary: Development files for libpath_utils Group: Development/Libraries/C and C++ Version: %{path_utils_version} -Release: 1 +Release: 2 Requires: libpath_utils1 = %{path_utils_version} License: LGPLv3+ 
@@ -196,7 +196,7 @@ Utility functions to manipulate filesystem pathnames Summary: A refcounted array for C Group: Development/Libraries/C and C++ Version: %{refarray_version} -Release: 1 +Release: 2 License: LGPLv3+ %description -n libref_array1 @@ -206,7 +206,7 @@ A dynamically-growing, reference-counted array Summary: Development files for libref_array Group: Development/Libraries/C and C++ Version: %{refarray_version} -Release: 1 +Release: 2 Requires: libref_array1 = %{refarray_version} License: LGPLv3+ @@ -251,7 +251,7 @@ rm -f \ $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ $RPM_BUILD_ROOT/%{_libdir}/*.la \ $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ - $RPM_BUILD_ROOT/%{_libdir}/python2.6/site-packages/pysss.la \ + $RPM_BUILD_ROOT/%{_libdir}/python*/site-packages/pysss.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ From c0397aa96120ac35ebcd033d1bdd7a21aa44a7850dcecfb85532f6f0110a47f8 Mon Sep 17 00:00:00 2001 From: Ruediger Oertel Date: Thu, 18 Nov 2010 15:58:43 +0000 Subject: [PATCH 07/63] Accepting request 53189 from network:ldap Accepted submit request 53189 from user rhafer OBS-URL: https://build.opensuse.org/request/show/53189 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=9 --- sssd-1.3.1.tar.bz2 | 3 - sssd-1.4.1.tar.bz2 | 3 + sssd.changes | 18 ++++ sssd.spec | 216 +++------------------------------------------ 4 files changed, 34 insertions(+), 206 deletions(-) delete mode 100644 sssd-1.3.1.tar.bz2 create mode 100644 sssd-1.4.1.tar.bz2 diff --git a/sssd-1.3.1.tar.bz2 b/sssd-1.3.1.tar.bz2 deleted file mode 100644 index 176823c..0000000 --- a/sssd-1.3.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3be81ad8a17c76f7a9269b7ddc14abd4f41d04db10f49a34771c300b6b6bfa82 -size 2264583 
diff --git a/sssd-1.4.1.tar.bz2 b/sssd-1.4.1.tar.bz2 new file mode 100644 index 0000000..a2cf1b3 --- /dev/null +++ b/sssd-1.4.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9819769fdbb3003c4c2c3cb2d55cb5ec1de9d1196ee0cbe7e44be4485b6e1fa2 +size 796262 diff --git a/sssd.changes b/sssd.changes index ada4e70..dd41395 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com + +- Updated to 1.4.1 + * Add support for netgroups to the LDAP and proxy providers + * Fixes a minor bug with UIDs/GIDs >= 2^31 + * Fixes a segfault in the kerberos provider + * Fixes a segfault in the NSS responder if a data provider crashes + * Correctly use sdap_netgroup_search_base + * the utility libraries libpath_utils1, libpath_utils-devel, + libref_array1 and libref_array-devel moved to their own + separate upstream project (ding-libs) + * Performance improvements made to group processing of RFC2307 + LDAP servers + * Fixed nested group issues with RFC2307bis LDAP servers without + a memberOf plugin + * Manpage reviewed and updated + ------------------------------------------------------------------- Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com diff --git a/sssd.spec b/sssd.spec index 3f541cc..c48464d 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,7 +18,7 @@ Name: sssd -Version: 1.3.1 +Version: 1.4.1 Release: 2 Group: System/Daemons Summary: System Security Services Daemon @@ -28,12 +28,6 @@ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define dhash_version 0.4.0 -%define path_utils_version 0.2.0 -%define collection_version 0.5.0 -%define ini_config_version 0.6.0 -%define refarray_version 0.1.0 - ### Dependencies ### %define servicename sssd %define sssdstatedir %{_localstatedir}/lib/sss 
@@ -64,6 +58,11 @@ BuildRequires: krb5-devel BuildRequires: python-devel BuildRequires: bind-utils BuildRequires: nscd +BuildRequires: libpath_utils-devel +BuildRequires: libdhash-devel +BuildRequires: libini_config-devel +BuildRequires: libcollection-devel +BuildRequires: libref_array-devel %description Provides a set of daemons to manage access to remote directories and 
@@ -102,123 +101,12 @@ Group: Development/Libraries/Python Provide python module to access and manage configuration of the System Security Services Daemon (sssd). -%package -n libdhash1 -Summary: Dynamic hash table -Group: Development/Libraries/C and C++ -Version: %{dhash_version} -Release: 5 -License: LGPLv3+ - -%description -n libdhash1 -A hash table which will dynamically resize to achieve optimal storage & access -time properties - -%package -n libdhash-devel -Summary: Development files for libdhash -Group: Development/Libraries/C and C++ -Version: %{dhash_version} -Release: 5 -Requires: libdhash1 = %{dhash_version} -License: LGPLv3+ - -%description -n libdhash-devel -A hash table which will dynamically resize to achieve optimal storage & access -time properties - -%package -n libcollection2 -Summary: Collection data-type for C -Group: Development/Libraries/C and C++ -Version: %{collection_version} -Release: 2 -License: LGPLv3+ - -%description -n libcollection2 -A data-type to collect data in a heirarchical structure for easy iteration -and serialization - -%package -n libcollection-devel -Summary: Development files for libcollection -Group: Development/Libraries/C and C++ -Version: %{collection_version} -Release: 2 -Requires: libcollection2 = %{collection_version} -License: LGPLv3+ - -%description -n libcollection-devel -A data-type to collect data in a heirarchical structure for easy iteration -and serialization - -%package -n libini_config2 -Summary: INI file parser for C -Group: Development/Libraries/C and C++ -Version: %{ini_config_version} -Release: 2 -License: LGPLv3+ - -%description -n libini_config2 -Library to process config files in INI format into a libcollection data -structure - -%package -n libini_config-devel -Summary: Development files for libini_config -Group: Development/Libraries/C and C++ -Version: %{ini_config_version} -Release: 2 -Requires: libini_config2 = %{ini_config_version} -License: LGPLv3+ - -%description -n libini_config-devel 
-Library to process config files in INI format into a libcollection data -structure - -%package -n libpath_utils1 -Summary: Filesystem Path Utilities -Group: Development/Libraries/C and C++ -Version: %{path_utils_version} -Release: 2 -License: LGPLv3+ - -%description -n libpath_utils1 -Utility functions to manipulate filesystem pathnames - -%package -n libpath_utils-devel -Summary: Development files for libpath_utils -Group: Development/Libraries/C and C++ -Version: %{path_utils_version} -Release: 2 -Requires: libpath_utils1 = %{path_utils_version} -License: LGPLv3+ - -%description -n libpath_utils-devel -Utility functions to manipulate filesystem pathnames - -%package -n libref_array1 -Summary: A refcounted array for C -Group: Development/Libraries/C and C++ -Version: %{refarray_version} -Release: 2 -License: LGPLv3+ - -%description -n libref_array1 -A dynamically-growing, reference-counted array - -%package -n libref_array-devel -Summary: Development files for libref_array -Group: Development/Libraries/C and C++ -Version: %{refarray_version} -Release: 2 -Requires: libref_array1 = %{refarray_version} -License: LGPLv3+ - -%description -n libref_array-devel -A dynamically-growing, reference-counted array - %prep %setup -q %build autoreconf -export LDB_LIBS="-lldb" +export LDB_LIBS="-lldb" export LDB_CFLAGS="-I/usr/include" %configure \ --without-tests \ @@ -226,13 +114,13 @@ export LDB_CFLAGS="-I/usr/include" --with-pipe-path=%{pipepath} \ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} \ + --enable-pammoddir=/%{_lib}/security \ --enable-cryptp=yes \ --with-ldb-lib-dir=%{_libdir}/ldb \ --with-selinux=no \ + --with-so=suse \ --with-semanage=no - -#make %{?_smp_mflags} -make +make %{?jobs:-j%jobs} %install rm -rf $RPM_BUILD_ROOT 
@@ -258,14 +146,7 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la - -rm $RPM_BUILD_ROOT/%{_libdir}/*.a -%find_lang sss_daemon -#%find_lang sss_client -#cat sss_client.lang >> sss_daemon.lang - -install -d $RPM_BUILD_ROOT/%{_docdir}/dhash -mv $RPM_BUILD_ROOT/%{_datarootdir}/doc/dhash/* $RPM_BUILD_ROOT/%{_docdir}/dhash +%find_lang sssd %clean rm -rf $RPM_BUILD_ROOT @@ -280,27 +161,7 @@ rm -rf $RPM_BUILD_ROOT %restart_on_update sssd %insserv_cleanup -%post -n libdhash1 -p /sbin/ldconfig - -%postun -n libdhash1 -p /sbin/ldconfig - -%post -n libcollection2 -p /sbin/ldconfig - -%postun -n libcollection2 -p /sbin/ldconfig - -%post -n libini_config2 -p /sbin/ldconfig - -%postun -n libini_config2 -p /sbin/ldconfig - -%post -n libpath_utils1 -p /sbin/ldconfig - -%postun -n libpath_utils1 -p /sbin/ldconfig - -%post -n libref_array1 -p /sbin/ldconfig - -%postun -n libref_array1 -p /sbin/ldconfig - -%files -f sss_daemon.lang +%files -f sssd.lang %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} @@ -310,7 +171,6 @@ rm -rf $RPM_BUILD_ROOT %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/sss* %{_libexecdir}/%{name}/*_child -%{_libexecdir}/%{name}/upgrade_config.py %{_libdir}/%{name}/libsss_krb5* %{_libdir}/%{name}/libsss_ldap* %{_libdir}/%{name}/libsss_proxy* @@ -348,6 +208,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/sss_groupdel %{_sbindir}/sss_groupmod %{_sbindir}/sss_groupshow +%attr(0755,root,root) %{_sbindir}/sss_obfuscate %files ipa-provider %defattr(-,root,root,-) 
@@ -361,55 +222,4 @@ rm -rf $RPM_BUILD_ROOT %{python_sitelib}/*.py* %{python_sitelib}/*.egg-info -%files -n libdhash1 -%defattr(-,root,root,-) -%{_libdir}/libdhash.so.* - -%files -n libdhash-devel -%defattr(-,root,root,-) -%{_libdir}/libdhash.so -%{_libdir}/pkgconfig/dhash.pc -%{_prefix}/include/dhash.h -%doc %{_docdir}/dhash - -%files -n libini_config2 -%defattr(-,root,root,-) -%{_libdir}/libini_config.so.* - -%files -n libini_config-devel -%defattr(-,root,root,-) -%{_libdir}/libini_config.so -%{_libdir}/pkgconfig/ini_config.pc -%{_prefix}/include/ini_config.h - -%files -n libcollection2 -%defattr(-,root,root,-) -%{_libdir}/libcollection.so.* - -%files -n libcollection-devel -%defattr(-,root,root,-) -%{_libdir}/libcollection.so -%{_libdir}/pkgconfig/collection.pc -%{_prefix}/include/collection*.h - -%files -n libpath_utils1 -%defattr(-,root,root,-) -%{_libdir}/libpath_utils.so.* - -%files -n libpath_utils-devel -%defattr(-,root,root,-) -%{_libdir}/libpath_utils.so -%{_libdir}/pkgconfig/path_utils.pc -%{_prefix}/include/path_utils*.h - -%files -n libref_array1 -%defattr(-,root,root,-) -%{_libdir}/libref_array.so.* - -%files -n libref_array-devel -%defattr(-,root,root,-) -%{_libdir}/libref_array.so -%{_libdir}/pkgconfig/ref_array.pc -%{_prefix}/include/ref_array*.h - %changelog From 6d3da3c229b4065bb0e485d9a6db47970d55efda1d2af5f5457d2e1affc9f4c6 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Thu, 18 Nov 2010 15:58:55 +0000 Subject: [PATCH 08/63] Autobuild autoformatter for 53189 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=10 --- sssd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sssd.spec b/sssd.spec index c48464d..3f12c67 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,5 +1,5 @@ # -# spec file for package sssd (Version 1.3.1) +# spec file for package sssd (Version 1.4.1) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -19,7 +19,7 @@ Name: sssd Version: 1.4.1 -Release: 2 +Release: 1 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ From 176cc18db5c647990b7d65679af64085997b784a94267d03bf1c6fedd643e274 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Tue, 30 Nov 2010 16:15:49 +0000 Subject: [PATCH 09/63] Accepting request 53972 from network:ldap Accepted submit request 53972 from user rhafer OBS-URL: https://build.opensuse.org/request/show/53972 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=11 --- sssd.changes | 5 +++++ sssd.spec | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/sssd.changes b/sssd.changes index dd41395..c238b85 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com + +- install systemd service file + ------------------------------------------------------------------- Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com diff --git a/sssd.spec b/sssd.spec index 3f12c67..eeec95a 100644 --- a/sssd.spec +++ b/sssd.spec @@ -120,7 +120,7 @@ export LDB_CFLAGS="-I/usr/include" --with-selinux=no \ --with-so=suse \ --with-semanage=no -make %{?jobs:-j%jobs} +make %{?_smp_mflags} %install rm -rf $RPM_BUILD_ROOT @@ -131,6 +131,8 @@ make install DESTDIR=$RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sssd install -m600 src/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf install src/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd +install -d $RPM_BUILD_ROOT/%{_sysconfdir}/systemd/system +install src/sysv/systemd/sssd.service $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/sssd.service ln -sf ../../etc/init.d/sssd $RPM_BUILD_ROOT/usr/sbin/rcsssd # Remove .la files created by libtool 
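Review bot: The two added `install` lines in the `@@ -131,6 +131,8 @@` hunk place the packaged unit file under `%{_sysconfdir}/systemd/system`, which is the administrator's override directory; a distribution-shipped unit belongs in the systemd unit directory (`%{_unitdir}` where the build macros define it, otherwise the /usr/lib systemd path) so that local edits in /etc are not clobbered by package updates. `install` without `-m` also leaves the unit with the default 0755 mode, while a unit file should be 0644, e.g. `install -m 0644 src/sysv/systemd/sssd.service $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/sssd.service` until the path is moved. The follow-up hunks `@@ -165,6 +167,7 @@` (`%config %{_sysconfdir}/systemd/system/sssd.service`) and `@@ -167,6 +167,8 @@` (owning `%dir %{_sysconfdir}/systemd`) inherit the same placement and would move with it.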
@@ -165,6 +167,7 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} +%config %{_sysconfdir}/systemd/system/sssd.service %{_sbindir}/sssd %{_sbindir}/rcsssd %dir %{_libdir}/%{name} From 217ef42d026e0bf40d71febed4a2114c7e1f1cda17a7c56a8c05164cae0cbb78 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Tue, 30 Nov 2010 16:15:55 +0000 Subject: [PATCH 10/63] Autobuild autoformatter for 53972 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=12 --- sssd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sssd.spec b/sssd.spec index eeec95a..da0e323 100644 --- a/sssd.spec +++ b/sssd.spec @@ -19,7 +19,7 @@ Name: sssd Version: 1.4.1 -Release: 1 +Release: 2 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ From 4bf729e396592bbd3aa69022e4d70a3629bee9a0687db984530e523be8207642 Mon Sep 17 00:00:00 2001 From: Berthold Gunreben Date: Fri, 7 Jan 2011 12:16:57 +0000 Subject: [PATCH 11/63] Accepting request 57059 from network:ldap Accepted submit request 57059 from user rhafer OBS-URL: https://build.opensuse.org/request/show/57059 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=13 --- sssd.changes | 5 +++++ sssd.spec | 2 ++ 2 files changed, 7 insertions(+) diff --git a/sssd.changes b/sssd.changes index c238b85..63a8a33 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de + +- Own /etc/systemd directories to fix build. + ------------------------------------------------------------------- Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com diff --git a/sssd.spec b/sssd.spec index da0e323..6aeb94a 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -167,6 +167,8 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} +%dir %{_sysconfdir}/systemd +%dir %{_sysconfdir}/systemd/system %config %{_sysconfdir}/systemd/system/sssd.service %{_sbindir}/sssd %{_sbindir}/rcsssd From 7870487812a16e700836c0da5d3c2a712d5563467027dcd48166a0739c83c638 Mon Sep 17 00:00:00 2001 From: Berthold Gunreben Date: Fri, 7 Jan 2011 12:17:04 +0000 Subject: [PATCH 12/63] Autobuild autoformatter for 57059 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=14 --- sssd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sssd.spec b/sssd.spec index 6aeb94a..565033b 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # # spec file for package sssd (Version 1.4.1) # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ Name: sssd Version: 1.4.1 -Release: 2 +Release: 3 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ From 82709f946f16954a14537d7d13be82f7d19bd7ddb2b202489a8dfce64c2e2db3 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Tue, 18 Jan 2011 11:05:24 +0000 Subject: [PATCH 13/63] Accepting request 58672 from network:ldap Accepted submit request 58672 from user rhafer OBS-URL: https://build.opensuse.org/request/show/58672 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=15 --- ...ate-user-supplied-size-of-data-items.patch | 269 ++++++++++++++++++ ...eck-to-SAFEALIGN_COPY_-_CHECK-macros.patch | 32 +++ sssd.changes | 9 + sssd.spec | 4 + 4 files changed, 314 insertions(+) create mode 100644 0001-Validate-user-supplied-size-of-data-items.patch create mode 100644 0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch 
diff --git a/0001-Validate-user-supplied-size-of-data-items.patch b/0001-Validate-user-supplied-size-of-data-items.patch new file mode 100644 index 0000000..8355e83 --- /dev/null +++ b/0001-Validate-user-supplied-size-of-data-items.patch 
@@ -0,0 +1,269 @@ +From af93a65bebb1f007eecbeabd07b7ae8b7cc276c9 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 6 Dec 2010 21:18:50 +0100 +Subject: Validate user supplied size of data items + +Specially crafted packages might lead to an integer overflow and the +parsing of the input buffer might not continue as expected. This issue +was identified by Sebastian Krahmer . + +bnc#660481 +CVE-2010-4341 + +diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c +index 7bfd0f2..f4fe4f7 100644 +--- a/src/responder/pam/pamsrv_cmd.c ++++ b/src/responder/pam/pamsrv_cmd.c +@@ -33,18 +33,15 @@ + + static void pam_reply(struct pam_auth_req *preq); + +-static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_t *body, size_t blen, size_t *c) { +- uint32_t data_size; ++static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, ++ size_t data_size, uint8_t *body, size_t blen, ++ size_t *c) { + +- if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL; +- +- memcpy(&data_size, &body[*c], sizeof(uint32_t)); +- *c += sizeof(uint32_t); +- if (data_size < sizeof(uint32_t) || (*c)+(data_size) > blen) return EINVAL; ++ if (data_size < sizeof(uint32_t) || *c+data_size > blen || ++ SIZE_T_OVERFLOW(*c, data_size)) return EINVAL; + *size = data_size - sizeof(uint32_t); + +- memcpy(type, &body[*c], sizeof(uint32_t)); +- *c += sizeof(uint32_t); ++ SAFEALIGN_COPY_UINT32_CHECK(type, &body[*c], blen, c); + + *tok = body+(*c); + +@@ -53,15 +50,11 @@ static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_ + return EOK; + } + +-static int extract_string(char **var, uint8_t *body, size_t blen, size_t *c) { +- uint32_t size; ++static int extract_string(char **var, size_t size, uint8_t *body, size_t blen, ++ size_t *c) { + uint8_t *str; + +- if (blen-(*c) < sizeof(uint32_t)+1) return EINVAL; +- +- memcpy(&size, &body[*c], sizeof(uint32_t)); +- *c += sizeof(uint32_t); +- if (*c+size > blen) return EINVAL; ++ if 
(*c+size > blen || SIZE_T_OVERFLOW(*c, size)) return EINVAL; + + str = body+(*c); + +@@ -74,16 +67,13 @@ static int extract_string(char **var, uint8_t *body, size_t blen, size_t *c) { + return EOK; + } + +-static int extract_uint32_t(uint32_t *var, uint8_t *body, size_t blen, size_t *c) { +- uint32_t size; +- +- if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL; ++static int extract_uint32_t(uint32_t *var, size_t size, uint8_t *body, ++ size_t blen, size_t *c) { + +- memcpy(&size, &body[*c], sizeof(uint32_t)); +- *c += sizeof(uint32_t); ++ if (size != sizeof(uint32_t) || *c+size > blen || SIZE_T_OVERFLOW(*c, size)) ++ return EINVAL; + +- memcpy(var, &body[*c], sizeof(uint32_t)); +- *c += sizeof(uint32_t); ++ SAFEALIGN_COPY_UINT32_CHECK(var, &body[*c], blen, c); + + return EOK; + } +@@ -108,59 +98,66 @@ static int pam_parse_in_data_v2(struct sss_names_ctx *snctx, + + c = sizeof(uint32_t); + do { +- memcpy(&type, &body[c], sizeof(uint32_t)); +- c += sizeof(uint32_t); +- if (c > blen) return EINVAL; +- +- switch(type) { +- case SSS_PAM_ITEM_USER: +- ret = extract_string(&pam_user, body, blen, &c); +- if (ret != EOK) return ret; +- +- ret = sss_parse_name(pd, snctx, pam_user, +- &pd->domain, &pd->user); +- if (ret != EOK) return ret; +- break; +- case SSS_PAM_ITEM_SERVICE: +- ret = extract_string(&pd->service, body, blen, &c); +- if (ret != EOK) return ret; +- break; +- case SSS_PAM_ITEM_TTY: +- ret = extract_string(&pd->tty, body, blen, &c); +- if (ret != EOK) return ret; +- break; +- case SSS_PAM_ITEM_RUSER: +- ret = extract_string(&pd->ruser, body, blen, &c); +- if (ret != EOK) return ret; +- break; +- case SSS_PAM_ITEM_RHOST: +- ret = extract_string(&pd->rhost, body, blen, &c); +- if (ret != EOK) return ret; +- break; +- case SSS_PAM_ITEM_CLI_PID: +- ret = extract_uint32_t(&pd->cli_pid, +- body, blen, &c); +- if (ret != EOK) return ret; +- break; +- case SSS_PAM_ITEM_AUTHTOK: +- ret = extract_authtok(&pd->authtok_type, &pd->authtok_size, +- &pd->authtok, body, 
blen, &c); +- if (ret != EOK) return ret; +- break; +- case SSS_PAM_ITEM_NEWAUTHTOK: +- ret = extract_authtok(&pd->newauthtok_type, +- &pd->newauthtok_size, +- &pd->newauthtok, body, blen, &c); +- if (ret != EOK) return ret; +- break; +- case SSS_END_OF_PAM_REQUEST: +- if (c != blen) return EINVAL; +- break; +- default: +- DEBUG(1,("Ignoring unknown data type [%d].\n", type)); +- size = ((uint32_t *)&body[c])[0]; +- c += size+sizeof(uint32_t); ++ SAFEALIGN_COPY_UINT32_CHECK(&type, &body[c], blen, &c); ++ ++ if (type == SSS_END_OF_PAM_REQUEST) { ++ if (c != blen) return EINVAL; ++ } else { ++ SAFEALIGN_COPY_UINT32_CHECK(&size, &body[c], blen, &c); ++ /* the uint32_t end maker SSS_END_OF_PAM_REQUEST does not count to ++ * the remaining buffer */ ++ if (size > (blen - c - sizeof(uint32_t))) { ++ DEBUG(1, ("Invalid data size.\n")); ++ return EINVAL; ++ } ++ ++ switch(type) { ++ case SSS_PAM_ITEM_USER: ++ ret = extract_string(&pam_user, size, body, blen, &c); ++ if (ret != EOK) return ret; ++ ++ ret = sss_parse_name(pd, snctx, pam_user, ++ &pd->domain, &pd->user); ++ if (ret != EOK) return ret; ++ break; ++ case SSS_PAM_ITEM_SERVICE: ++ ret = extract_string(&pd->service, size, body, blen, &c); ++ if (ret != EOK) return ret; ++ break; ++ case SSS_PAM_ITEM_TTY: ++ ret = extract_string(&pd->tty, size, body, blen, &c); ++ if (ret != EOK) return ret; ++ break; ++ case SSS_PAM_ITEM_RUSER: ++ ret = extract_string(&pd->ruser, size, body, blen, &c); ++ if (ret != EOK) return ret; ++ break; ++ case SSS_PAM_ITEM_RHOST: ++ ret = extract_string(&pd->rhost, size, body, blen, &c); ++ if (ret != EOK) return ret; ++ break; ++ case SSS_PAM_ITEM_CLI_PID: ++ ret = extract_uint32_t(&pd->cli_pid, size, ++ body, blen, &c); ++ if (ret != EOK) return ret; ++ break; ++ case SSS_PAM_ITEM_AUTHTOK: ++ ret = extract_authtok(&pd->authtok_type, &pd->authtok_size, ++ &pd->authtok, size, body, blen, &c); ++ if (ret != EOK) return ret; ++ break; ++ case SSS_PAM_ITEM_NEWAUTHTOK: ++ ret = 
extract_authtok(&pd->newauthtok_type, ++ &pd->newauthtok_size, ++ &pd->newauthtok, size, body, blen, &c); ++ if (ret != EOK) return ret; ++ break; ++ default: ++ DEBUG(1,("Ignoring unknown data type [%d].\n", type)); ++ c += size; ++ } + } ++ + } while(c < blen); + + if (pd->user == NULL || *pd->user == '\0') return EINVAL; +@@ -231,6 +228,7 @@ static int pam_parse_in_data(struct sss_names_ctx *snctx, + + start += sizeof(uint32_t); + pd->authtok_size = (int) body[start]; ++ if (pd->authtok_size >= blen) return EINVAL; + + start += sizeof(uint32_t); + end = start + pd->authtok_size; +@@ -250,6 +248,7 @@ static int pam_parse_in_data(struct sss_names_ctx *snctx, + + start += sizeof(uint32_t); + pd->newauthtok_size = (int) body[start]; ++ if (pd->newauthtok_size >= blen) return EINVAL; + + start += sizeof(uint32_t); + end = start + pd->newauthtok_size; +diff --git a/src/tests/util-tests.c b/src/tests/util-tests.c +index bfc48bb..328ae23 100644 +--- a/src/tests/util-tests.c ++++ b/src/tests/util-tests.c +@@ -175,6 +175,20 @@ START_TEST(test_diff_string_lists) + } + END_TEST + ++START_TEST(test_size_t_overflow) ++{ ++ fail_unless(!SIZE_T_OVERFLOW(1, 1), "unexpected overflow"); ++ fail_unless(!SIZE_T_OVERFLOW(SIZE_T_MAX, 0), "unexpected overflow"); ++ fail_unless(!SIZE_T_OVERFLOW(SIZE_T_MAX-10, 10), "unexpected overflow"); ++ fail_unless(SIZE_T_OVERFLOW(SIZE_T_MAX, 1), "overflow not detected"); ++ fail_unless(SIZE_T_OVERFLOW(SIZE_T_MAX, SIZE_T_MAX), ++ "overflow not detected"); ++ fail_unless(SIZE_T_OVERFLOW(SIZE_T_MAX, ULLONG_MAX), ++ "overflow not detected"); ++ fail_unless(SIZE_T_OVERFLOW(SIZE_T_MAX, -10), "overflow not detected"); ++} ++END_TEST ++ + Suite *util_suite(void) + { + Suite *s = suite_create("util"); +@@ -182,6 +196,7 @@ Suite *util_suite(void) + TCase *tc_util = tcase_create("util"); + + tcase_add_test (tc_util, test_diff_string_lists); ++ tcase_add_test (tc_util, test_size_t_overflow); + tcase_set_timeout(tc_util, 60); + + suite_add_tcase (s, tc_util); 
+diff --git a/src/util/util.h b/src/util/util.h +index e93f6f8..7c35550 100644 +--- a/src/util/util.h ++++ b/src/util/util.h +@@ -169,6 +169,11 @@ errno_t set_debug_file_from_fd(const int fd); + #define OUT_OF_ID_RANGE(id, min, max) \ + (id == 0 || (min && (id < min)) || (max && (id > max))) + ++#define SIZE_T_MAX ((size_t) -1) ++ ++#define SIZE_T_OVERFLOW(current, add) \ ++ (((size_t)(add)) > (SIZE_T_MAX - ((size_t)(current)))) ++ + static inline void + safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) + { +-- +1.7.3.2 + diff --git a/0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch b/0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch new file mode 100644 index 0000000..c92a90f --- /dev/null +++ b/0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch @@ -0,0 +1,32 @@ +From bfac6031ab075834183c9f18b28363d11b99e44a Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 7 Dec 2010 17:01:04 +0100 +Subject: Add overflow check to SAFEALIGN_COPY_*_CHECK macros + +CVE-2010-4341 +bnc#660481 + +diff --git a/src/util/util.h b/src/util/util.h +index 7c35550..50c5fe2 100644 +--- a/src/util/util.h ++++ b/src/util/util.h +@@ -207,12 +207,14 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) + SAFEALIGN_SET_VALUE(dest, value, uint16_t, pctr) + + #define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \ +- if ((*(pctr) + sizeof(uint32_t)) > (len)) return EINVAL; \ ++ if ((*(pctr) + sizeof(uint32_t)) > (len) || \ ++ SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) return EINVAL; \ + safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \ + } while(0) + + #define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \ +- if ((*(pctr) + sizeof(int32_t)) > (len)) return EINVAL; \ ++ if ((*(pctr) + sizeof(int32_t)) > (len) || \ ++ SIZE_T_OVERFLOW(*(pctr), sizeof(int32_t))) return EINVAL; \ + safealign_memcpy(dest, src, sizeof(int32_t), pctr); \ + } while(0) + +-- +1.7.3.2 + 
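Review bot: The new size guard `if (size > (blen - c - sizeof(uint32_t)))` in pam_parse_in_data_v2 underflows when the size field is the last four bytes of the buffer: with `c == blen` (or any `c + 4 > blen`) the right-hand side wraps to SIZE_MAX, any `size` passes, and the `default:` branch then advances `c += size` with no further bound. The typed cases stay bounded because each extract_* helper re-checks `*c+size > blen`, but the guard should fail closed on its own, e.g. `if (c + sizeof(uint32_t) > blen || size > blen - c - sizeof(uint32_t))`. The added `if (pd->authtok_size >= blen) return EINVAL;` lines in pam_parse_in_data bound the size alone rather than `start + authtok_size`; whether a later check on `end` covers this is outside the quoted hunks, as are the ends of the extract_* bodies. The comment `/* the uint32_t end maker SSS_END_OF_PAM_REQUEST ...` should read `end marker`.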
diff --git a/sssd.changes b/sssd.changes index 63a8a33..c0a8fb9 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de + +- It was possible to make sssd hang forever inside a loop in the + PAM responder by sending a carefully crafted packet to sssd. + This could be exploited by a local attacker to crash sssd and + prevent other legitimate users from logging into the system. + (bnc#660481, CVE-2010-4341) + ------------------------------------------------------------------- Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de diff --git a/sssd.spec b/sssd.spec index 565033b..81c211a 100644 --- a/sssd.spec +++ b/sssd.spec @@ -26,6 +26,8 @@ License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf +Patch0: 0001-Validate-user-supplied-size-of-data-items.patch +Patch1: 0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build ### Dependencies ### @@ -103,6 +105,8 @@ Security Services Daemon (sssd). %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build autoreconf From 53921a1f19a9415ea9ad22b14b9a2886748ca15423c06c052abe9995b6f13b71 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Tue, 18 Jan 2011 11:05:50 +0000 Subject: [PATCH 14/63] Autobuild autoformatter for 58672 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=16 --- sssd.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sssd.spec b/sssd.spec index 81c211a..96173ff 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,5 +1,5 @@ # -# spec file for package sssd (Version 1.4.1) +# spec file for package sssd # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -19,7 +19,7 @@ Name: sssd Version: 1.4.1 -Release: 3 +Release: 4 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ From 923578e06fc6a72608516202466822c0d3441534126ceaf586d84e6365948ae2 Mon Sep 17 00:00:00 2001 From: Lars Vogdt Date: Mon, 24 Jan 2011 14:56:50 +0000 Subject: [PATCH 15/63] Accepting request 58728 from network:ldap Accepted submit request 58728 from user rhafer OBS-URL: https://build.opensuse.org/request/show/58728 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=17 --- sssd.changes | 5 +++++ sssd.spec | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/sssd.changes b/sssd.changes index c0a8fb9..e202a37 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de + +- /var/lib/sss/pubconf was missing (bnc#665442) + ------------------------------------------------------------------- Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index 96173ff..bb2a693 100644 --- a/sssd.spec +++ b/sssd.spec @@ -30,11 +30,11 @@ Patch0: 0001-Validate-user-supplied-size-of-data-items.patch Patch1: 0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -### Dependencies ### %define servicename sssd %define sssdstatedir %{_localstatedir}/lib/sss %define dbpath %{sssdstatedir}/db %define pipepath %{sssdstatedir}/pipes +%define pubconfpath %{sssdstatedir}/pubconf ### Build Dependencies ### BuildRequires: autoconf @@ -116,6 +116,7 @@ export LDB_CFLAGS="-I/usr/include" --without-tests \ --with-db-path=%{dbpath} \ --with-pipe-path=%{pipepath} \ + --with-pubconf-path=%{pubconfpath} \ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} \ --enable-pammoddir=/%{_lib}/security \ 
@@ -190,6 +191,7 @@ rm -rf $RPM_BUILD_ROOT %attr(700,root,root) %dir %{dbpath} %attr(755,root,root) %dir %{pipepath} %attr(700,root,root) %dir %{pipepath}/private +%attr(755,root,root) %dir %{pubconfpath} %attr(750,root,root) %dir %{_var}/log/%{name} %dir %{_sysconfdir}/sssd %config(noreplace) %{_sysconfdir}/sssd/sssd.conf From c680f930791293e3f12fbf12638e96c0b0be1c67c87a2fdd615d46734f231123 Mon Sep 17 00:00:00 2001 From: Lars Vogdt Date: Mon, 24 Jan 2011 14:57:00 +0000 Subject: [PATCH 16/63] Autobuild autoformatter for 58728 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=18 --- sssd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sssd.spec b/sssd.spec index bb2a693..73e2227 100644 --- a/sssd.spec +++ b/sssd.spec @@ -19,7 +19,7 @@ Name: sssd Version: 1.4.1 -Release: 4 +Release: 5 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ From 6a2b6b525462c8d75cc131b7e4a62b76f6cab616e17e88b8f0b4bb65aa55fb6c Mon Sep 17 00:00:00 2001 From: Sascha Peilicke Date: Wed, 9 Mar 2011 09:32:53 +0000 Subject: [PATCH 17/63] Accepting request 63646 from network:ldap Accepted submit request 63646 from user rhafer OBS-URL: https://build.opensuse.org/request/show/63646 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=20 --- ...ate-user-supplied-size-of-data-items.patch | 269 ------------------ ...eck-to-SAFEALIGN_COPY_-_CHECK-macros.patch | 32 --- sssd-1.4.1.tar.bz2 | 3 - sssd-1.5.1.tar.bz2 | 3 + sssd.changes | 18 ++ sssd.spec | 14 +- 6 files changed, 29 insertions(+), 310 deletions(-) delete mode 100644 0001-Validate-user-supplied-size-of-data-items.patch delete mode 100644 0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch delete mode 100644 sssd-1.4.1.tar.bz2 create mode 100644 sssd-1.5.1.tar.bz2 
diff --git a/0001-Validate-user-supplied-size-of-data-items.patch b/0001-Validate-user-supplied-size-of-data-items.patch deleted file mode 100644 index 8355e83..0000000 --- a/0001-Validate-user-supplied-size-of-data-items.patch +++ /dev/null 
@@ -1,269 +0,0 @@ -From af93a65bebb1f007eecbeabd07b7ae8b7cc276c9 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 6 Dec 2010 21:18:50 +0100 -Subject: Validate user supplied size of data items - -Specially crafted packages might lead to an integer overflow and the -parsing of the input buffer might not continue as expected. This issue -was identified by Sebastian Krahmer . - -bnc#660481 -CVE-2010-4341 - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index 7bfd0f2..f4fe4f7 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -33,18 +33,15 @@ - - static void pam_reply(struct pam_auth_req *preq); - --static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_t *body, size_t blen, size_t *c) { -- uint32_t data_size; -+static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, -+ size_t data_size, uint8_t *body, size_t blen, -+ size_t *c) { - -- if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL; -- -- memcpy(&data_size, &body[*c], sizeof(uint32_t)); -- *c += sizeof(uint32_t); -- if (data_size < sizeof(uint32_t) || (*c)+(data_size) > blen) return EINVAL; -+ if (data_size < sizeof(uint32_t) || *c+data_size > blen || -+ SIZE_T_OVERFLOW(*c, data_size)) return EINVAL; - *size = data_size - sizeof(uint32_t); - -- memcpy(type, &body[*c], sizeof(uint32_t)); -- *c += sizeof(uint32_t); -+ SAFEALIGN_COPY_UINT32_CHECK(type, &body[*c], blen, c); - - *tok = body+(*c); - -@@ -53,15 +50,11 @@ static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_ - return EOK; - } - --static int extract_string(char **var, uint8_t *body, size_t blen, size_t *c) { -- uint32_t size; -+static int extract_string(char **var, size_t size, uint8_t *body, size_t blen, -+ size_t *c) { - uint8_t *str; - -- if (blen-(*c) < sizeof(uint32_t)+1) return EINVAL; -- -- memcpy(&size, &body[*c], sizeof(uint32_t)); -- *c += sizeof(uint32_t); -- if (*c+size > blen) return EINVAL; -+ if 
(*c+size > blen || SIZE_T_OVERFLOW(*c, size)) return EINVAL; - - str = body+(*c); - -@@ -74,16 +67,13 @@ static int extract_string(char **var, uint8_t *body, size_t blen, size_t *c) { - return EOK; - } - --static int extract_uint32_t(uint32_t *var, uint8_t *body, size_t blen, size_t *c) { -- uint32_t size; -- -- if (blen-(*c) < 2*sizeof(uint32_t)) return EINVAL; -+static int extract_uint32_t(uint32_t *var, size_t size, uint8_t *body, -+ size_t blen, size_t *c) { - -- memcpy(&size, &body[*c], sizeof(uint32_t)); -- *c += sizeof(uint32_t); -+ if (size != sizeof(uint32_t) || *c+size > blen || SIZE_T_OVERFLOW(*c, size)) -+ return EINVAL; - -- memcpy(var, &body[*c], sizeof(uint32_t)); -- *c += sizeof(uint32_t); -+ SAFEALIGN_COPY_UINT32_CHECK(var, &body[*c], blen, c); - - return EOK; - } -@@ -108,59 +98,66 @@ static int pam_parse_in_data_v2(struct sss_names_ctx *snctx, - - c = sizeof(uint32_t); - do { -- memcpy(&type, &body[c], sizeof(uint32_t)); -- c += sizeof(uint32_t); -- if (c > blen) return EINVAL; -- -- switch(type) { -- case SSS_PAM_ITEM_USER: -- ret = extract_string(&pam_user, body, blen, &c); -- if (ret != EOK) return ret; -- -- ret = sss_parse_name(pd, snctx, pam_user, -- &pd->domain, &pd->user); -- if (ret != EOK) return ret; -- break; -- case SSS_PAM_ITEM_SERVICE: -- ret = extract_string(&pd->service, body, blen, &c); -- if (ret != EOK) return ret; -- break; -- case SSS_PAM_ITEM_TTY: -- ret = extract_string(&pd->tty, body, blen, &c); -- if (ret != EOK) return ret; -- break; -- case SSS_PAM_ITEM_RUSER: -- ret = extract_string(&pd->ruser, body, blen, &c); -- if (ret != EOK) return ret; -- break; -- case SSS_PAM_ITEM_RHOST: -- ret = extract_string(&pd->rhost, body, blen, &c); -- if (ret != EOK) return ret; -- break; -- case SSS_PAM_ITEM_CLI_PID: -- ret = extract_uint32_t(&pd->cli_pid, -- body, blen, &c); -- if (ret != EOK) return ret; -- break; -- case SSS_PAM_ITEM_AUTHTOK: -- ret = extract_authtok(&pd->authtok_type, &pd->authtok_size, -- &pd->authtok, body, 
blen, &c); -- if (ret != EOK) return ret; -- break; -- case SSS_PAM_ITEM_NEWAUTHTOK: -- ret = extract_authtok(&pd->newauthtok_type, -- &pd->newauthtok_size, -- &pd->newauthtok, body, blen, &c); -- if (ret != EOK) return ret; -- break; -- case SSS_END_OF_PAM_REQUEST: -- if (c != blen) return EINVAL; -- break; -- default: -- DEBUG(1,("Ignoring unknown data type [%d].\n", type)); -- size = ((uint32_t *)&body[c])[0]; -- c += size+sizeof(uint32_t); -+ SAFEALIGN_COPY_UINT32_CHECK(&type, &body[c], blen, &c); -+ -+ if (type == SSS_END_OF_PAM_REQUEST) { -+ if (c != blen) return EINVAL; -+ } else { -+ SAFEALIGN_COPY_UINT32_CHECK(&size, &body[c], blen, &c); -+ /* the uint32_t end maker SSS_END_OF_PAM_REQUEST does not count to -+ * the remaining buffer */ -+ if (size > (blen - c - sizeof(uint32_t))) { -+ DEBUG(1, ("Invalid data size.\n")); -+ return EINVAL; -+ } -+ -+ switch(type) { -+ case SSS_PAM_ITEM_USER: -+ ret = extract_string(&pam_user, size, body, blen, &c); -+ if (ret != EOK) return ret; -+ -+ ret = sss_parse_name(pd, snctx, pam_user, -+ &pd->domain, &pd->user); -+ if (ret != EOK) return ret; -+ break; -+ case SSS_PAM_ITEM_SERVICE: -+ ret = extract_string(&pd->service, size, body, blen, &c); -+ if (ret != EOK) return ret; -+ break; -+ case SSS_PAM_ITEM_TTY: -+ ret = extract_string(&pd->tty, size, body, blen, &c); -+ if (ret != EOK) return ret; -+ break; -+ case SSS_PAM_ITEM_RUSER: -+ ret = extract_string(&pd->ruser, size, body, blen, &c); -+ if (ret != EOK) return ret; -+ break; -+ case SSS_PAM_ITEM_RHOST: -+ ret = extract_string(&pd->rhost, size, body, blen, &c); -+ if (ret != EOK) return ret; -+ break; -+ case SSS_PAM_ITEM_CLI_PID: -+ ret = extract_uint32_t(&pd->cli_pid, size, -+ body, blen, &c); -+ if (ret != EOK) return ret; -+ break; -+ case SSS_PAM_ITEM_AUTHTOK: -+ ret = extract_authtok(&pd->authtok_type, &pd->authtok_size, -+ &pd->authtok, size, body, blen, &c); -+ if (ret != EOK) return ret; -+ break; -+ case SSS_PAM_ITEM_NEWAUTHTOK: -+ ret = 
extract_authtok(&pd->newauthtok_type, -+ &pd->newauthtok_size, -+ &pd->newauthtok, size, body, blen, &c); -+ if (ret != EOK) return ret; -+ break; -+ default: -+ DEBUG(1,("Ignoring unknown data type [%d].\n", type)); -+ c += size; -+ } - } -+ - } while(c < blen); - - if (pd->user == NULL || *pd->user == '\0') return EINVAL; -@@ -231,6 +228,7 @@ static int pam_parse_in_data(struct sss_names_ctx *snctx, - - start += sizeof(uint32_t); - pd->authtok_size = (int) body[start]; -+ if (pd->authtok_size >= blen) return EINVAL; - - start += sizeof(uint32_t); - end = start + pd->authtok_size; -@@ -250,6 +248,7 @@ static int pam_parse_in_data(struct sss_names_ctx *snctx, - - start += sizeof(uint32_t); - pd->newauthtok_size = (int) body[start]; -+ if (pd->newauthtok_size >= blen) return EINVAL; - - start += sizeof(uint32_t); - end = start + pd->newauthtok_size; -diff --git a/src/tests/util-tests.c b/src/tests/util-tests.c -index bfc48bb..328ae23 100644 ---- a/src/tests/util-tests.c -+++ b/src/tests/util-tests.c -@@ -175,6 +175,20 @@ START_TEST(test_diff_string_lists) - } - END_TEST - -+START_TEST(test_size_t_overflow) -+{ -+ fail_unless(!SIZE_T_OVERFLOW(1, 1), "unexpected overflow"); -+ fail_unless(!SIZE_T_OVERFLOW(SIZE_T_MAX, 0), "unexpected overflow"); -+ fail_unless(!SIZE_T_OVERFLOW(SIZE_T_MAX-10, 10), "unexpected overflow"); -+ fail_unless(SIZE_T_OVERFLOW(SIZE_T_MAX, 1), "overflow not detected"); -+ fail_unless(SIZE_T_OVERFLOW(SIZE_T_MAX, SIZE_T_MAX), -+ "overflow not detected"); -+ fail_unless(SIZE_T_OVERFLOW(SIZE_T_MAX, ULLONG_MAX), -+ "overflow not detected"); -+ fail_unless(SIZE_T_OVERFLOW(SIZE_T_MAX, -10), "overflow not detected"); -+} -+END_TEST -+ - Suite *util_suite(void) - { - Suite *s = suite_create("util"); -@@ -182,6 +196,7 @@ Suite *util_suite(void) - TCase *tc_util = tcase_create("util"); - - tcase_add_test (tc_util, test_diff_string_lists); -+ tcase_add_test (tc_util, test_size_t_overflow); - tcase_set_timeout(tc_util, 60); - - suite_add_tcase (s, tc_util); 
-diff --git a/src/util/util.h b/src/util/util.h -index e93f6f8..7c35550 100644 ---- a/src/util/util.h -+++ b/src/util/util.h -@@ -169,6 +169,11 @@ errno_t set_debug_file_from_fd(const int fd); - #define OUT_OF_ID_RANGE(id, min, max) \ - (id == 0 || (min && (id < min)) || (max && (id > max))) - -+#define SIZE_T_MAX ((size_t) -1) -+ -+#define SIZE_T_OVERFLOW(current, add) \ -+ (((size_t)(add)) > (SIZE_T_MAX - ((size_t)(current)))) -+ - static inline void - safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) - { --- -1.7.3.2 - diff --git a/0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch b/0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch deleted file mode 100644 index c92a90f..0000000 --- a/0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch +++ /dev/null @@ -1,32 +0,0 @@ -From bfac6031ab075834183c9f18b28363d11b99e44a Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 7 Dec 2010 17:01:04 +0100 -Subject: Add overflow check to SAFEALIGN_COPY_*_CHECK macros - -CVE-2010-4341 -bnc#660481 - -diff --git a/src/util/util.h b/src/util/util.h -index 7c35550..50c5fe2 100644 ---- a/src/util/util.h -+++ b/src/util/util.h -@@ -207,12 +207,14 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) - SAFEALIGN_SET_VALUE(dest, value, uint16_t, pctr) - - #define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \ -- if ((*(pctr) + sizeof(uint32_t)) > (len)) return EINVAL; \ -+ if ((*(pctr) + sizeof(uint32_t)) > (len) || \ -+ SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) return EINVAL; \ - safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \ - } while(0) - - #define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \ -- if ((*(pctr) + sizeof(int32_t)) > (len)) return EINVAL; \ -+ if ((*(pctr) + sizeof(int32_t)) > (len) || \ -+ SIZE_T_OVERFLOW(*(pctr), sizeof(int32_t))) return EINVAL; \ - safealign_memcpy(dest, src, sizeof(int32_t), pctr); \ - } while(0) - --- -1.7.3.2 - 
diff --git a/sssd-1.4.1.tar.bz2 b/sssd-1.4.1.tar.bz2 deleted file mode 100644 index a2cf1b3..0000000 --- a/sssd-1.4.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9819769fdbb3003c4c2c3cb2d55cb5ec1de9d1196ee0cbe7e44be4485b6e1fa2 -size 796262 diff --git a/sssd-1.5.1.tar.bz2 b/sssd-1.5.1.tar.bz2 new file mode 100644 index 0000000..271ac59 --- /dev/null +++ b/sssd-1.5.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3c39b6749a19a61da74aa4801f332429a27c0604c49d6541e4bd512fad5a9a7f +size 866097 diff --git a/sssd.changes b/sssd.changes index e202a37..0fb280d 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de + +- Updated to 1.5.1 + * Vast performance improvements when enumerate = true + * All PAM actions will now perform a forced initgroups lookup + instead of just a user information lookup This guarantees that + all group information is available to other providers, such as + the simple provider. + * For backwards-compatibility, DNS lookups will also fall back to + trying the SSSD domain name as a DNS discovery domain. + * Support for more password expiration policies in LDAP + - 389 Directory Server + - FreeIPA + - ActiveDirectory + * Support for ldap_tls_{cert,key,cipher_suite} config options + * Assorted bugfixes + ------------------------------------------------------------------- Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index 73e2227..19638b4 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,7 +18,7 @@ Name: sssd -Version: 1.4.1 +Version: 1.5.1 Release: 5 Group: System/Daemons Summary: System Security Services Daemon 
@@ -26,8 +26,6 @@ License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf -Patch0: 0001-Validate-user-supplied-size-of-data-items.patch -Patch1: 0002-Add-overflow-check-to-SAFEALIGN_COPY_-_CHECK-macros.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -105,8 +103,6 @@ Security Services Daemon (sssd). %prep %setup -q -%patch0 -p1 -%patch1 -p1 %build autoreconf @@ -153,7 +149,7 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la -%find_lang sssd +%find_lang %{name} --all-name %clean rm -rf $RPM_BUILD_ROOT @@ -211,7 +207,13 @@ rm -rf $RPM_BUILD_ROOT %files tools %defattr(-,root,root,-) +%dir %{_mandir}/cs +%dir %{_mandir}/cs/man8 +%dir %{_mandir}/uk +%dir %{_mandir}/uk/man8 %{_mandir}/man8/* +%{_mandir}/cs/man8/* +%{_mandir}/uk/man8/* %{_sbindir}/sss_useradd %{_sbindir}/sss_userdel %{_sbindir}/sss_usermod From b01ce20ac3f7aa60f6a68074e7f6d54a49434feea13e489c9f1132a957465800 Mon Sep 17 00:00:00 2001 From: Sascha Peilicke Date: Wed, 9 Mar 2011 09:33:03 +0000 Subject: [PATCH 18/63] Autobuild autoformatter for 63646 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=21 --- sssd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sssd.spec b/sssd.spec index 19638b4..d5ae7f5 100644 --- a/sssd.spec +++ b/sssd.spec @@ -19,7 +19,7 @@ Name: sssd Version: 1.5.1 -Release: 5 +Release: 1 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ From 364cb880259c02595cac230421a7627cdbba5ad763c613d15fed6353b9fa5300 Mon Sep 17 00:00:00 2001 
From: Sascha Peilicke Date: Thu, 24 Mar 2011 16:36:37 +0000 Subject: [PATCH 19/63] Accepting request 65144 from network:ldap Accepted submit request 65144 from user licensedigger OBS-URL: https://build.opensuse.org/request/show/65144 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=22 --- sssd-1.5.1.tar.bz2 | 3 --- sssd-1.5.3.tar.bz2 | 3 +++ sssd.changes | 20 ++++++++++++++++++++ sssd.spec | 11 ++++++++++- 4 files changed, 33 insertions(+), 4 deletions(-) delete mode 100644 sssd-1.5.1.tar.bz2 create mode 100644 sssd-1.5.3.tar.bz2 diff --git a/sssd-1.5.1.tar.bz2 b/sssd-1.5.1.tar.bz2 deleted file mode 100644 index 271ac59..0000000 --- a/sssd-1.5.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3c39b6749a19a61da74aa4801f332429a27c0604c49d6541e4bd512fad5a9a7f -size 866097 diff --git a/sssd-1.5.3.tar.bz2 b/sssd-1.5.3.tar.bz2 new file mode 100644 index 0000000..04209dc --- /dev/null +++ b/sssd-1.5.3.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:26e872eb6261a5eb0fb1c0fee0f9b4c92ce7c5a68afb4c7e7289788bc4fb728b +size 901733 diff --git a/sssd.changes b/sssd.changes index 0fb280d..a82413b 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de + +- Updated to 1.5.3 + * Support for libldb >= 1.0.0 + * Proper detection of manpage translations + * Changes between 1.5.1 and 1.5.2 + * Fixes for support of FreeIPA v2 + * Fixes for failover if DNS entries change + * Improved sss_obfuscate tool with better interactive mode + * Fix several crash bugs + * Don't attempt to use START_TLS over SSL. Some LDAP servers + can't handle this + * Delete users from the local cache if initgroups calls return + 'no such user' (previously only worked for getpwnam/getpwuid) + * Use new Transifex.net translations + * Better support for automatic TGT renewal (now survives + restart) + * Netgroup fixes + ------------------------------------------------------------------- Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index d5ae7f5..9011bb7 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,7 +18,7 @@ Name: sssd -Version: 1.5.1 +Version: 1.5.3 Release: 1 Group: System/Daemons Summary: System Security Services Daemon @@ -200,10 +200,13 @@ rm -rf $RPM_BUILD_ROOT %config %{_sysconfdir}/sssd/sssd.api.d/sssd-simple.conf /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so +%dir %{_mandir}/uk +%dir %{_mandir}/uk/man5 %{_mandir}/man5/sssd-krb5.* %{_mandir}/man5/sssd-ldap.* %{_mandir}/man5/sssd-simple.* %{_mandir}/man5/sssd.conf.* +%{_mandir}/uk/man5/sssd.conf.* %files tools %defattr(-,root,root,-) @@ -211,9 +214,15 @@ rm -rf $RPM_BUILD_ROOT %dir %{_mandir}/cs/man8 %dir %{_mandir}/uk %dir %{_mandir}/uk/man8 +%dir %{_mandir}/es +%dir %{_mandir}/es/man8 +%dir %{_mandir}/nl +%dir %{_mandir}/nl/man8 %{_mandir}/man8/* %{_mandir}/cs/man8/* %{_mandir}/uk/man8/* +%{_mandir}/es/man8/* +%{_mandir}/nl/man8/* %{_sbindir}/sss_useradd %{_sbindir}/sss_userdel %{_sbindir}/sss_usermod From 168622e1b3035f4878eeb8f6413fd5ffe49b530f1389d8957bbf32e7b5f2b036 Mon Sep 17 00:00:00 2001 
From: Sascha Peilicke Date: Wed, 30 Mar 2011 07:30:27 +0000 Subject: [PATCH 20/63] Accepting request 65504 from network:ldap Accepted submit request 65504 from user coolo OBS-URL: https://build.opensuse.org/request/show/65504 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=23 --- sssd-1.5.3.tar.bz2 | 3 --- sssd-1.5.4.tar.bz2 | 3 +++ sssd.changes | 10 ++++++++++ sssd.spec | 2 +- 4 files changed, 14 insertions(+), 4 deletions(-) delete mode 100644 sssd-1.5.3.tar.bz2 create mode 100644 sssd-1.5.4.tar.bz2 diff --git a/sssd-1.5.3.tar.bz2 b/sssd-1.5.3.tar.bz2 deleted file mode 100644 index 04209dc..0000000 --- a/sssd-1.5.3.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:26e872eb6261a5eb0fb1c0fee0f9b4c92ce7c5a68afb4c7e7289788bc4fb728b -size 901733 diff --git a/sssd-1.5.4.tar.bz2 b/sssd-1.5.4.tar.bz2 new file mode 100644 index 0000000..b9ced6d --- /dev/null +++ b/sssd-1.5.4.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:83e3c3cc49780087e6d3e54306bcc991c3e81944dae2eb7883dad6dbbf3b933d +size 1291491 diff --git a/sssd.changes b/sssd.changes index a82413b..427bef7 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de + +- Updated to 1.5.4 + * Fixes for Active Directory when not all users and groups have + POSIX attributes + * Fixes for handling users and groups that have name aliases + (aliases are ignored) + * Fix group memberships after initgroups in the IPA provider + ------------------------------------------------------------------- Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index 9011bb7..f96fa37 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -18,7 +18,7 @@ Name: sssd -Version: 1.5.3 +Version: 1.5.4 Release: 1 Group: System/Daemons Summary: System Security Services Daemon From cb080cb6988b290de0873c01438bd7c48518df25b32f0b0f2c519ef8fd9bb34c Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Thu, 14 Apr 2011 13:04:56 +0000 Subject: [PATCH 21/63] Accepting request 67284 from network:ldap Accepted submit request 67284 from user coolo OBS-URL: https://build.opensuse.org/request/show/67284 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=24 --- sssd-1.5.4.tar.bz2 | 3 --- sssd-1.5.5.tar.bz2 | 3 +++ sssd.changes | 15 +++++++++++++++ sssd.spec | 20 +++++++++++++++++++- 4 files changed, 37 insertions(+), 4 deletions(-) delete mode 100644 sssd-1.5.4.tar.bz2 create mode 100644 sssd-1.5.5.tar.bz2 diff --git a/sssd-1.5.4.tar.bz2 b/sssd-1.5.4.tar.bz2 deleted file mode 100644 index b9ced6d..0000000 --- a/sssd-1.5.4.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:83e3c3cc49780087e6d3e54306bcc991c3e81944dae2eb7883dad6dbbf3b933d -size 1291491 diff --git a/sssd-1.5.5.tar.bz2 b/sssd-1.5.5.tar.bz2 new file mode 100644 index 0000000..c3eb4ea --- /dev/null +++ b/sssd-1.5.5.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8c55e2676839d8991a6287038c63deccf95123562842958df99011c30bd05408 +size 1292470 diff --git a/sssd.changes b/sssd.changes index 427bef7..2158f93 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de + +- Update to 1.5.5 + * Fixes for several crash bugs + * LDAP group lookups will no longer abort if there is a + zero-length member attribute + * Add automatic fallback to 'cn' if the 'gecos' attribute does not + exist + +------------------------------------------------------------------- +Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de + +- Should build in SLE-11-SP1 now + ------------------------------------------------------------------- Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index f96fa37..e1eba1f 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,7 +18,7 @@ Name: sssd -Version: 1.5.4 +Version: 1.5.5 Release: 1 Group: System/Daemons Summary: System Security Services Daemon @@ -34,6 +34,12 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %define pipepath %{sssdstatedir}/pipes %define pubconfpath %{sssdstatedir}/pubconf +# SLES11 doesn't know the python_* macros +%if %suse_version <= 1110 +%define python_sitelib %py_sitedir +%define python_sitearch %py_sitedir +%endif + ### Build Dependencies ### BuildRequires: autoconf BuildRequires: automake @@ -149,6 +155,18 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la + +%if %suse_version <= 1110 +# remove some unsupported languages, sssd does not contain +# translations for these anyway +rm -rf \ + $RPM_BUILD_ROOT/usr/share/locale/fa_IR \ + $RPM_BUILD_ROOT/usr/share/locale/ja_JP \ + $RPM_BUILD_ROOT/usr/share/locale/lt_LT \ + $RPM_BUILD_ROOT/usr/share/locale/ta_IN \ + $RPM_BUILD_ROOT/usr/share/locale/vi_VN +%endif + %find_lang %{name} --all-name %clean From 6d19541da019527a08d24028fb6a76c6e10734285663d954ba2b5532e262f529 Mon Sep 17 00:00:00 2001 
From: Sascha Peilicke Date: Wed, 4 May 2011 12:46:07 +0000 Subject: [PATCH 22/63] Accepting request 69547 from network:ldap Update to 1.5.7 (bnc#691135) (forwarded request 69546 from rhafer) OBS-URL: https://build.opensuse.org/request/show/69547 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=25 --- sssd-1.5.5.tar.bz2 | 3 --- sssd-1.5.7.tar.bz2 | 3 +++ sssd.changes | 19 +++++++++++++++++++ sssd.spec | 2 +- 4 files changed, 23 insertions(+), 4 deletions(-) delete mode 100644 sssd-1.5.5.tar.bz2 create mode 100644 sssd-1.5.7.tar.bz2 diff --git a/sssd-1.5.5.tar.bz2 b/sssd-1.5.5.tar.bz2 deleted file mode 100644 index c3eb4ea..0000000 --- a/sssd-1.5.5.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8c55e2676839d8991a6287038c63deccf95123562842958df99011c30bd05408 -size 1292470 diff --git a/sssd-1.5.7.tar.bz2 b/sssd-1.5.7.tar.bz2 new file mode 100644 index 0000000..50626c1 --- /dev/null +++ b/sssd-1.5.7.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9f5170467fe38b6bdeb40a3a27f40577c624c17c93c5b659f1018256b545781b +size 1340038 diff --git a/sssd.changes b/sssd.changes index 2158f93..552e75c 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de + +- Update to 1.5.7 + * A flaw was found in the handling of cached passwords when + kerberos renewal tickets is enabled. Due to a bug, the cached + password was overwritten with a (moderately) predictable + filename, which could allow a user to authenticate as someone + else if they knew the name of the cache file (bnc#691135, + CVE-2011-1758) +- Changes in 1.5.6: + * Fixed a serious memory leak in the memberOf plugin + * Fixed a regression with the negative cache that caused it to be + essentially nonfunctional + * Fixed an issue where the user's full name would sometimes be + removed from the cache + * Fixed an issue with password changes in the kerberos provider + not working with kpasswd + ------------------------------------------------------------------- Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index e1eba1f..66652c7 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,7 +18,7 @@ Name: sssd -Version: 1.5.5 +Version: 1.5.7 Release: 1 Group: System/Daemons Summary: System Security Services Daemon From 989d9d09896fa62caf2260b972cc5c457ed07414e4eef9b40b492286a84ba215 Mon Sep 17 00:00:00 2001 From: Sascha Peilicke Date: Mon, 20 Jun 2011 09:12:10 +0000 Subject: [PATCH 23/63] Accepting request 74007 from network:ldap update to 1.5.8 (forwarded request 72853 from rhafer) OBS-URL: https://build.opensuse.org/request/show/74007 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=26 --- sssd-1.5.7.tar.bz2 | 3 --- sssd-1.5.8.tar.bz2 | 3 +++ sssd.changes | 9 +++++++++ sssd.spec | 2 +- 4 files changed, 13 insertions(+), 4 deletions(-) delete mode 100644 sssd-1.5.7.tar.bz2 create mode 100644 sssd-1.5.8.tar.bz2 diff --git a/sssd-1.5.7.tar.bz2 b/sssd-1.5.7.tar.bz2 deleted file mode 100644 index 50626c1..0000000 --- a/sssd-1.5.7.tar.bz2 +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9f5170467fe38b6bdeb40a3a27f40577c624c17c93c5b659f1018256b545781b -size 1340038 diff --git a/sssd-1.5.8.tar.bz2 b/sssd-1.5.8.tar.bz2 new file mode 100644 index 0000000..a421385 --- /dev/null +++ b/sssd-1.5.8.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:92df8c504a198cf8272d6bef6afef176d2cfa709737373c18ed296709756744c +size 1345632 diff --git a/sssd.changes b/sssd.changes index 552e75c..caa824c 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de + +- Update to 1.5.8: + * Support for the LDAP paging control + * Support for multiple DNS servers for name resolution + * Fixes for several group membership bugs + * Fixes for rare crash bugs + ------------------------------------------------------------------- Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index 66652c7..0f4cf2a 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,7 +18,7 @@ Name: sssd -Version: 1.5.7 +Version: 1.5.8 Release: 1 Group: System/Daemons Summary: System Security Services Daemon From 063ac872098be9ba58bb2ae132e2bb71211c7e1af3ceb85faa981848494b9d24 Mon Sep 17 00:00:00 2001 From: Sascha Peilicke Date: Thu, 28 Jul 2011 14:52:37 +0000 Subject: [PATCH 24/63] Accepting request 77337 from network:ldap update to 1.5.11 OBS-URL: https://build.opensuse.org/request/show/77337 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=27 --- sssd-1.5.11.tar.bz2 | 3 +++ sssd-1.5.8.tar.bz2 | 3 --- sssd.changes | 14 ++++++++++++++ sssd.spec | 20 ++------------------ 4 files changed, 19 insertions(+), 21 deletions(-) create mode 100644 sssd-1.5.11.tar.bz2 delete mode 100644 sssd-1.5.8.tar.bz2 diff --git a/sssd-1.5.11.tar.bz2 b/sssd-1.5.11.tar.bz2 new file mode 100644 index 0000000..de4bb56 --- /dev/null +++ b/sssd-1.5.11.tar.bz2 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:08291561197651ebe3ebee9ca993ebdcebdfe4fb10a0bab3f72ea75f21363e34 +size 1353669 diff --git a/sssd-1.5.8.tar.bz2 b/sssd-1.5.8.tar.bz2 deleted file mode 100644 index a421385..0000000 --- a/sssd-1.5.8.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:92df8c504a198cf8272d6bef6afef176d2cfa709737373c18ed296709756744c -size 1345632 diff --git a/sssd.changes b/sssd.changes index caa824c..c18bd02 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de + +- Update to new upstream release 1.5.11 +* Support for overriding home directory, shell and primary GID + locally +* Properly honor TTL values from SRV record lookups +* Support non-POSIX groups in nested group chains (for RFC2307bis + LDAP servers) +* Properly escape IPv6 addresses in the failover code +* Do not crash if inotify fails (e.g. resource exhaustion) +- Remove redundant %clean section; delete .la files more + efficiently + ------------------------------------------------------------------- Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index 0f4cf2a..e5b0d6c 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,7 +18,7 @@ Name: sssd -Version: 1.5.8 +Version: 1.5.11 Release: 1 Group: System/Daemons Summary: System Security Services Daemon @@ -130,8 +130,6 @@ export LDB_CFLAGS="-I/usr/include" make %{?_smp_mflags} %install -rm -rf $RPM_BUILD_ROOT - make install DESTDIR=$RPM_BUILD_ROOT # Copy default sssd.conf file 
@@ -143,18 +141,7 @@ install src/sysv/systemd/sssd.service $RPM_BUILD_ROOT%{_sysconfdir}/systemd/syst ln -sf ../../etc/init.d/sssd $RPM_BUILD_ROOT/usr/sbin/rcsssd # Remove .la files created by libtool -rm -f \ - $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \ - $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ - $RPM_BUILD_ROOT/%{_libdir}/*.la \ - $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ - $RPM_BUILD_ROOT/%{_libdir}/python*/site-packages/pysss.la \ - $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ - $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ - $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ - $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ - $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \ - $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la +find "%buildroot" -type f -name "*.la" -delete; %if %suse_version <= 1110 # remove some unsupported languages, sssd does not contain @@ -218,13 +205,10 @@ rm -rf $RPM_BUILD_ROOT %config %{_sysconfdir}/sssd/sssd.api.d/sssd-simple.conf /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so -%dir %{_mandir}/uk -%dir %{_mandir}/uk/man5 %{_mandir}/man5/sssd-krb5.* %{_mandir}/man5/sssd-ldap.* %{_mandir}/man5/sssd-simple.* %{_mandir}/man5/sssd.conf.* -%{_mandir}/uk/man5/sssd.conf.* %files tools %defattr(-,root,root,-) From 38f473b96f67f7949ef2f6307dc0012d2744a6e961ffe3aa95ab40e33f8849a8 Mon Sep 17 00:00:00 2001 
From: Sascha Peilicke Date: Tue, 2 Aug 2011 11:56:12 +0000 Subject: [PATCH 25/63] Accepting request 77656 from network:ldap bnc#705768,bnc#709747 (forwarded request 77655 from rhafer) OBS-URL: https://build.opensuse.org/request/show/77656 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=28 --- ...lient-avoid-leaking-file-descriptors.patch | 53 +++++++++++++++++++ ...-control-unconditionally-during-bind.patch | 42 +++++++++++++++ ...cide-when-an-expiration-warning-is-w.patch | 33 ++++++++++++ sssd.changes | 14 +++++ sssd.spec | 13 +++-- 5 files changed, 152 insertions(+), 3 deletions(-) create mode 100644 0001-sss_client-avoid-leaking-file-descriptors.patch create mode 100644 0002-Request-password-control-unconditionally-during-bind.patch create mode 100644 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch diff --git a/0001-sss_client-avoid-leaking-file-descriptors.patch b/0001-sss_client-avoid-leaking-file-descriptors.patch new file mode 100644 index 0000000..46aaa28 --- /dev/null +++ b/0001-sss_client-avoid-leaking-file-descriptors.patch 
@@ -0,0 +1,53 @@
+From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 28 Jul 2011 15:15:26 -0400
+Subject: sss_client: avoid leaking file descriptors
+
+If a pam or nss module is dlcolse()d and unloaded we were leaking
+the file descriptor used to communicate to sssd in the process.
+
+Make sure the fucntion used to close the socket file descriptor is
+called on dlclose()
+
+Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
+
+diff --git a/configure.ac b/configure.ac
+index 84b83eb..c0b7f8f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h])
+
+ AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers]))
+
++AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))],
++ sss_client_cv_attribute_destructor,
++ [AC_COMPILE_IFELSE(
++ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])],
++ sss_client_cv_attribute_destructor=yes)
++ ])
++
++if test x"$sss_client_cv_attribute_destructor" = xyes ; then
++ AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1,
++ [whether compiler supports __attribute__((destructor))])
++fi
++
+ PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
+ if test x$have_check = x; then
+ AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index c17629a..5f6af41 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -55,6 +55,9 @@
+ int sss_cli_sd = -1; /* the sss client socket descriptor */
+ struct stat sss_cli_sb; /* the sss client stat buffer */
+
++#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
++__attribute__((destructor))
++#endif
+ static void sss_cli_close_socket(void)
+ {
+ if (sss_cli_sd != -1) {
+--
+1.7.3.4
+
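Review bot: The new `__attribute__((destructor))` on `sss_cli_close_socket` carries no comment explaining why a static helper is registered as a destructor, and nothing records that when the compiler lacks the attribute the `#if` simply drops it and the dlclose() fd leak the commit message describes silently remains. I would add above the `#if`: `/* Runs on dlclose()/process exit so the socket to sssd is not leaked when the NSS/PAM module is unloaded; without attribute support the fd is still leaked. */`. The `#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR` test presumably depends on config.h being included earlier in common.c, which is outside the hunk — worth confirming, since an undefined macro evaluates to 0 under `#if` and would quietly disable the fix. The body of sss_cli_close_socket continues past the end of the hunk.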
diff --git a/0002-Request-password-control-unconditionally-during-bind.patch b/0002-Request-password-control-unconditionally-during-bind.patch
new file mode 100644
index 0000000..9992abf
--- /dev/null
+++ b/0002-Request-password-control-unconditionally-during-bind.patch
@@ -0,0 +1,42 @@
+From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 1 Aug 2011 15:22:53 +0200
+Subject: Request password control unconditionally during bind
+
+https://fedorahosted.org/sssd/ticket/940
+
+diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
+index cab3657..9d543ec 100644
+--- a/src/providers/ldap/sdap_async_connection.c
++++ b/src/providers/ldap/sdap_async_connection.c
+@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
+ state->user_dn = user_dn;
+ state->pw = pw;
+
+- ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+- 0, NULL, 0, &ctrls[0]);
++ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
++ 0, NULL, 0, &ctrls[0]);
+ if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+- DEBUG(1, ("sdap_control_create failed to create "
++ DEBUG(1, ("sss_ldap_control_create failed to create "
+ "Password Policy control.\n"));
+ goto fail;
+ }
+@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
+ sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH);
+
+ if (sasl_mech == NULL) {
+- ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+- 0, NULL, 0, &ctrls[0]);
++ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
++ 0, NULL, 0, &ctrls[0]);
+ if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+- DEBUG(1, ("sdap_control_create failed to create "
++ DEBUG(1, ("sss_ldap_control_create failed to create "
+ "Password Policy control.\n"));
+ goto done;
+ }
+--
+1.7.3.4
+
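Review bot: The retained `ret != LDAP_NOT_SUPPORTED` tolerance in both `simple_bind_send` and `sdap_rebind_proc` no longer has an obvious meaning now that the server-capability argument (`state->sh` / `p->sh`) is gone, and a reader cannot tell from the hunk what `ctrls[0]` holds when `sss_ldap_control_create` takes that path before the bind proceeds. I would document the intent at both call sites, e.g. `/* Request the control regardless of rootDSE advertisement (ticket 940); it is non-critical, so a server that lacks it just ignores it. LDAP_NOT_SUPPORTED here only means the control could not be built locally. */` — hedged, since sss_ldap_control_create's contract and the meaning of the second argument as the criticality flag are not visible in this hunk and should be confirmed against its definition. Both enclosing functions start and end outside the hunk.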
diff --git a/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch b/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
new file mode 100644
index 0000000..753b96c
--- /dev/null
+++ b/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
@@ -0,0 +1,33 @@
+From d0bf20038fddf5ad296287fb16bc80082088b770 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Mon, 1 Aug 2011 10:48:06 -0400
+Subject: Allow LDAP to decide when an expiration warning is warranted
+
+Previously, we were only displaying expiration warnings if the
+password was going to expire within a day. We'll allow LDAP to
+make this decision (by whether it passes us the expiration time).
+
+In the future, we can add an option to clamp this down to a
+shorter period if the local admin prefers it.
+
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index 3c9d760..7fcf985 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -409,9 +409,10 @@ static errno_t filter_responses(struct confdb_ctx *cdb,
+ }
+ memcpy(&expire_warn, resp->data + sizeof(uint32_t),
+ sizeof(uint32_t));
+- if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
+- resp->do_not_send_to_client = true;
+- }
++ /* TODO: Add an option to limit the display of the
++ * expiration warning to a specified number of
++ * days (e.g. 14)
++ */
+ break;
+ default:
+ DEBUG(7, ("User info type [%d] not filtered.\n"));
+--
+1.7.3.4
+
diff --git a/sssd.changes b/sssd.changes
index c18bd02..91b622d 100644
--- a/sssd.changes
+++ b/sssd.changes
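Review bot: Dropping the clamp leaves `pam_expiration_warning` (read earlier in `filter_responses`, outside the hunk) and the freshly memcpy'd `expire_warn` with no remaining use, so an administrator who has configured the warning period gets no effect and no diagnostic, and the compiler will likely flag the dead store. Rather than deferring this to the TODO, I would keep the clamp behind an explicit opt-in: treat 0 as "let the LDAP server decide" (the new default behaviour) and honour a positive value as before, which preserves the fix for ticket-style cases while not silently disabling an existing option; the exact type of pam_expiration_warning is not visible here, so the `> 0` test should be checked against its declaration. Separately, the context line `DEBUG(7, ("User info type [%d] not filtered.\n"));` carries a `%d` with no matching argument — if DEBUG expands to a printf-style call this is undefined behaviour and should take `resp->type` (or whatever holds the type) as its argument. filter_responses begins and ends outside the hunk.
```c
            memcpy(&expire_warn, resp->data + sizeof(uint32_t),
                   sizeof(uint32_t));
            /* 0 means let the LDAP server decide when to warn; a positive
             * value keeps the local clamp so a configured period still
             * has an effect. */
            if (pam_expiration_warning > 0 &&
                expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
                resp->do_not_send_to_client = true;
            }
            break;
        /* … unchanged: default branch … */
```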
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de + +- Fixed typos in configure args +- Cherry-picked password policy fixes from 1.5 branch (bnc#705768) +- switched to fd-leak fix cherry-picked from 1.5 branch +- Add /usr/sbin to the search path to make configure find nscd + (bnc#709747) + +------------------------------------------------------------------- +Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de + +- Add patches to fix an fd leak in sssd_pam + ------------------------------------------------------------------- Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de diff --git a/sssd.spec b/sssd.spec index e5b0d6c..7dff9a5 100644 --- a/sssd.spec +++ b/sssd.spec @@ -26,6 +26,9 @@ License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf +Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch +Patch2: 0002-Request-password-control-unconditionally-during-bind.patch +Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -109,23 +112,27 @@ Security Services Daemon (sssd). %prep %setup -q +%patch -P 1 -P 2 -P 3 -p1 %build autoreconf export LDB_LIBS="-lldb" export LDB_CFLAGS="-I/usr/include" + +# help configure find nscd +export PATH=$PATH:/usr/sbin/ + %configure \ - --without-tests \ --with-db-path=%{dbpath} \ --with-pipe-path=%{pipepath} \ --with-pubconf-path=%{pubconfpath} \ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} \ --enable-pammoddir=/%{_lib}/security \ - --enable-cryptp=yes \ + --enable-crypto=yes \ --with-ldb-lib-dir=%{_libdir}/ldb \ --with-selinux=no \ - --with-so=suse \ + --with-os=suse \ --with-semanage=no make %{?_smp_mflags} From e3d3bd725a4648ef4792db721a3ce2bd5b6cf50bdf2c91f1eea13adf61ff098e Mon Sep 17 00:00:00 2001 
From: Sascha Peilicke Date: Tue, 2 Aug 2011 11:56:20 +0000 Subject: [PATCH 26/63] Autobuild autoformatter for 77656 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=29 --- sssd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sssd.spec b/sssd.spec index 7dff9a5..43bf933 100644 --- a/sssd.spec +++ b/sssd.spec @@ -19,7 +19,7 @@ Name: sssd Version: 1.5.11 -Release: 1 +Release: 2 Group: System/Daemons Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ From cc263243162aec18d43e98c9d227616b8c54beaa8cd31989d4fa567c50397adc Mon Sep 17 00:00:00 2001 From: Sascha Peilicke Date: Fri, 23 Sep 2011 08:34:13 +0000 Subject: [PATCH 27/63] Accepting request 84406 from network:ldap - Resolve "have choice for libnl-devel: libnl-1_1-devel libnl3-devel" (forwarded request 84313 from jengelh) OBS-URL: https://build.opensuse.org/request/show/84406 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=30 --- sssd.changes | 6 ++++++ sssd.spec | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/sssd.changes b/sssd.changes index 91b622d..b3992db 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de + +- Resolve "have choice for libnl-devel: + libnl-1_1-devel libnl3-devel" + ------------------------------------------------------------------- Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index 43bf933..388f8ae 100644 --- a/sssd.spec +++ b/sssd.spec @@ -56,7 +56,7 @@ BuildRequires: libldb-devel BuildRequires: libxslt BuildRequires: libxml2 BuildRequires: libcares-devel -BuildRequires: libnl-devel +BuildRequires: libnl-1_1-devel BuildRequires: dbus-1-devel BuildRequires: openldap2-devel BuildRequires: pam-devel From 87e725348b044a460e07bf5f447656167e174a029c127a616c1ea61ef165a9eb Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Fri, 21 Oct 2011 14:41:08 +0000 Subject: [PATCH 28/63] Accepting request 88734 from network:ldap bnc#724157 (forwarded request 88733 from rhafer) OBS-URL: https://build.opensuse.org/request/show/88734 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=32 --- sssd.changes | 6 ++++++ sssd.spec | 40 +++++++++++++++++++++++++++++++++------- 2 files changed, 39 insertions(+), 7 deletions(-) diff --git a/sssd.changes b/sssd.changes index b3992db..1c89c43 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de + +- Fixed systemd related packaging issues (bnc#724157) +- fixed build on older openSUSE releases + ------------------------------------------------------------------- Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de diff --git a/sssd.spec b/sssd.spec index 388f8ae..eb156cd 100644 --- a/sssd.spec +++ b/sssd.spec @@ -30,6 +30,9 @@ Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch Patch2: 0002-Request-password-control-unconditionally-during-bind.patch Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build +%if %suse_version > 1140 +%{?systemd_requires} +%endif %define servicename sssd %define sssdstatedir %{_localstatedir}/lib/sss @@ -56,7 +59,6 @@ BuildRequires: libldb-devel BuildRequires: libxslt BuildRequires: libxml2 BuildRequires: libcares-devel -BuildRequires: libnl-1_1-devel BuildRequires: dbus-1-devel BuildRequires: openldap2-devel BuildRequires: pam-devel 
@@ -72,6 +74,12 @@ BuildRequires: libdhash-devel BuildRequires: libini_config-devel BuildRequires: libcollection-devel BuildRequires: libref_array-devel +%if %suse_version > 1140 +BuildRequires: systemd +BuildRequires: libnl-1_1-devel +%else +BuildRequires: libnl-devel +%endif %description Provides a set of daemons to manage access to remote directories and @@ -143,8 +151,10 @@ make install DESTDIR=$RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sssd install -m600 src/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf install src/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd -install -d $RPM_BUILD_ROOT/%{_sysconfdir}/systemd/system -install src/sysv/systemd/sssd.service $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/sssd.service +%if %suse_version > 1140 +install -d $RPM_BUILD_ROOT/%{_unitdir} +install src/sysv/systemd/sssd.service $RPM_BUILD_ROOT/%{_unitdir}/sssd.service +%endif ln -sf ../../etc/init.d/sssd $RPM_BUILD_ROOT/usr/sbin/rcsssd # Remove .la files created by libtool @@ -166,23 +176,39 @@ rm -rf \ %clean rm -rf $RPM_BUILD_ROOT -%post -p /sbin/ldconfig +%if %suse_version > 1140 + +%pre +%service_add_pre sssd.service +%endif + +%post +/sbin/ldconfig +%if %suse_version > 1140 +%service_add_post sssd.service +%endif %preun %stop_on_removal sssd +%if %suse_version > 1140 +%service_del_preun sssd.service +%endif %postun /sbin/ldconfig %restart_on_update sssd %insserv_cleanup +%if %suse_version > 1140 +%service_del_postun sssd.service +%endif %files -f sssd.lang %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} -%dir %{_sysconfdir}/systemd -%dir %{_sysconfdir}/systemd/system -%config %{_sysconfdir}/systemd/system/sssd.service +%if %suse_version > 1140 +%{_unitdir}/sssd.service +%endif %{_sbindir}/sssd %{_sbindir}/rcsssd %dir %{_libdir}/%{name} From 9ba31e8e5d2fabfd6f39b826d69e8f32dc05718704b61539468f7ad4b66213b1 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Tue, 6 Dec 2011 18:05:47 +0000 Subject: [PATCH 29/63] replace license with spdx.org variant OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=33 --- sssd.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sssd.spec b/sssd.spec index eb156cd..4ea61d9 100644 --- a/sssd.spec +++ b/sssd.spec @@ -22,7 +22,7 @@ Version: 1.5.11 Release: 2 Group: System/Daemons Summary: System Security Services Daemon -License: GPLv3+ and LGPLv3+ +License: GPL-3.0+ and LGPL-3.0+ Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf @@ -89,7 +89,7 @@ account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. %package ipa-provider -License: GPLv3+ and LGPLv3+ +License: GPL-3.0+ and LGPL-3.0+ Summary: FreeIPA provider plugin for sssd Group: System/Daemons Requires: sssd = %{version} @@ -99,7 +99,7 @@ This package provide the FreeIPA provider plugin for the System Security Services Daemon (sssd). %package tools -License: GPLv3+ and LGPLv3+ +License: GPL-3.0+ and LGPL-3.0+ Summary: Commandline tools for sssd Group: System/Management Requires: sssd = %{version} @@ -109,7 +109,7 @@ The packages contains commandline tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). %package -n python-sssd-config -License: GPLv3+ and LGPLv3+ +License: GPL-3.0+ and LGPL-3.0+ Summary: Python API for configuring sssd Group: Development/Libraries/Python %{py_requires} From f89c93439acf972ef4371b4db77b59dccde7c3626b885642d069b4b9d47a9178 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Tue, 20 Mar 2012 10:35:54 +0000 Subject: [PATCH 30/63] Accepting request 109517 from network:ldap - Update to new upstream release 1.8.0 * Support for the service map in NSS * Support for setting default SELinux user context from FreeIPA * Support for retrieving SSH user and host keys from LDAP * Support for caching autofs LDAP requests * Support for caching SUDO rules * Include the IPA AutoFS provider * Fixed several memory-corruption bugs * Fixed a regression in the proxy provider (forwarded request 108828 from rhafer) OBS-URL: https://build.opensuse.org/request/show/109517 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=34 --- ...lient-avoid-leaking-file-descriptors.patch | 53 ----- ...-control-unconditionally-during-bind.patch | 42 ---- 0004-avoid-hard-crypto-dep.diff | 40 ++++ 0005-implicit-decl.diff | 28 +++ sssd-1.5.11.tar.bz2 | 3 - sssd-1.8.0.tar.bz2 | 3 + sssd.changes | 13 ++ sssd.spec | 207 +++++++++++------- 8 files changed, 214 insertions(+), 175 deletions(-) delete mode 100644 0001-sss_client-avoid-leaking-file-descriptors.patch delete mode 100644 0002-Request-password-control-unconditionally-during-bind.patch create mode 100644 0004-avoid-hard-crypto-dep.diff create mode 100644 0005-implicit-decl.diff delete mode 100644 sssd-1.5.11.tar.bz2 create mode 100644 sssd-1.8.0.tar.bz2 diff --git a/0001-sss_client-avoid-leaking-file-descriptors.patch b/0001-sss_client-avoid-leaking-file-descriptors.patch deleted file mode 100644 index 46aaa28..0000000 --- a/0001-sss_client-avoid-leaking-file-descriptors.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Thu, 28 Jul 2011 15:15:26 -0400 -Subject: sss_client: avoid leaking file descriptors - -If a pam or nss module is dlcolse()d and unloaded we were leaking -the file descriptor used to communicate to sssd in the process. - -Make sure the fucntion used to close the socket file descriptor is -called on dlclose() - -Silence autoconf 2.28 warnings (Patch by Jakub Hrozek) - -diff --git a/configure.ac b/configure.ac -index 84b83eb..c0b7f8f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h]) - - AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers])) - -+AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))], -+ sss_client_cv_attribute_destructor, -+ [AC_COMPILE_IFELSE( -+ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])], -+ sss_client_cv_attribute_destructor=yes) -+ ]) -+ -+if test x"$sss_client_cv_attribute_destructor" = xyes ; then -+ AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1, -+ [whether compiler supports __attribute__((destructor))]) -+fi -+ - PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=]) - if test x$have_check = x; then - AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite]) -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index c17629a..5f6af41 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -55,6 +55,9 @@ - int sss_cli_sd = -1; /* the sss client socket descriptor */ - struct stat sss_cli_sb; /* the sss client stat buffer */ - -+#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR -+__attribute__((destructor)) -+#endif - static void sss_cli_close_socket(void) - { - if (sss_cli_sd != -1) { --- -1.7.3.4 - 
diff --git a/0002-Request-password-control-unconditionally-during-bind.patch b/0002-Request-password-control-unconditionally-during-bind.patch deleted file mode 100644 index 9992abf..0000000 --- a/0002-Request-password-control-unconditionally-during-bind.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 1 Aug 2011 15:22:53 +0200 -Subject: Request password control unconditionally during bind - -https://fedorahosted.org/sssd/ticket/940 - -diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c -index cab3657..9d543ec 100644 ---- a/src/providers/ldap/sdap_async_connection.c -+++ b/src/providers/ldap/sdap_async_connection.c -@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, - state->user_dn = user_dn; - state->pw = pw; - -- ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST, -- 0, NULL, 0, &ctrls[0]); -+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, -+ 0, NULL, 0, &ctrls[0]); - if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) { -- DEBUG(1, ("sdap_control_create failed to create " -+ DEBUG(1, ("sss_ldap_control_create failed to create " - "Password Policy control.\n")); - goto fail; - } -@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request, - sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH); - - if (sasl_mech == NULL) { -- ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST, -- 0, NULL, 0, &ctrls[0]); -+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, -+ 0, NULL, 0, &ctrls[0]); - if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) { -- DEBUG(1, ("sdap_control_create failed to create " -+ DEBUG(1, ("sss_ldap_control_create failed to create " - "Password Policy control.\n")); - goto done; - } --- -1.7.3.4 - 
diff --git a/0004-avoid-hard-crypto-dep.diff b/0004-avoid-hard-crypto-dep.diff new file mode 100644 index 0000000..9710e7f --- /dev/null +++ b/0004-avoid-hard-crypto-dep.diff @@ -0,0 +1,40 @@ +From: Jan Engelhardt +Date: 2012-03-11 21:45:34.708782973 +0100 + +build: restore libcrypto support in the autotools files. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=802169 + +--- + configure.ac | 1 + + src/external/crypto.m4 | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +Index: sssd-1.8.0/configure.ac +=================================================================== +--- sssd-1.8.0.orig/configure.ac ++++ sssd-1.8.0/configure.ac +@@ -210,6 +210,7 @@ if test x$HAVE_SYSTEMD_UNIT != x; then + fi + + AM_CHECK_NSS ++AM_CHECK_LIBCRYPTO + AM_CONDITIONAL([HAVE_NSS], [test x"$NSS_CFLAGS" != x]) + + AC_CHECK_HEADERS([sys/inotify.h]) +Index: sssd-1.8.0/src/external/crypto.m4 +=================================================================== +--- sssd-1.8.0.orig/src/external/crypto.m4 ++++ sssd-1.8.0/src/external/crypto.m4 +@@ -1,9 +1,9 @@ + AC_DEFUN([AM_CHECK_NSS], +- [PKG_CHECK_MODULES([NSS],[nss]) ++ [PKG_CHECK_MODULES([NSS],[nss],[:],[:]) + AC_DEFINE_UNQUOTED(HAVE_NSS, 1, [Build with NSS crypto back end]) + ]) + + AC_DEFUN([AM_CHECK_LIBCRYPTO], +- [PKG_CHECK_MODULES([CRYPTO],[libcrypto]) ++ [PKG_CHECK_MODULES([CRYPTO],[libcrypto],[:],[:]) + AC_DEFINE_UNQUOTED(HAVE_LIBCRYPTO, 1, [Build with libcrypt crypto back end]) + ]) diff --git a/0005-implicit-decl.diff b/0005-implicit-decl.diff new file mode 100644 index 0000000..01ebb41 --- /dev/null +++ b/0005-implicit-decl.diff 
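Review bot: The crypto.m4 hunk makes the action-if-not-found of both `PKG_CHECK_MODULES` calls a no-op but leaves the `AC_DEFINE_UNQUOTED` after the call, so `HAVE_NSS` and `HAVE_LIBCRYPTO` are both defined in config.h whether or not pkg-config found nss or libcrypto; with the configure.ac hunk now invoking `AM_CHECK_NSS` and `AM_CHECK_LIBCRYPTO` unconditionally, every build claims both back ends and only the `AM_CONDITIONAL` on `$NSS_CFLAGS` still reflects what was actually found. Which back end the C code then compiles is not visible here, but a HAVE_ macro that does not match the libraries present is the kind of misconfiguration that should fail configure rather than be papered over. Put the define in the action-if-found argument, e.g. `[PKG_CHECK_MODULES([CRYPTO],[libcrypto],[AC_DEFINE_UNQUOTED(HAVE_LIBCRYPTO, 1, [Build with libcrypt crypto back end])],[:])` and the same for the NSS macro, so a missing library leaves its macro unset. The spec in this commit pulls in `pkgconfig(libcrypto)` but no nss devel package, so `HAVE_NSS` in particular would be set on a host without NSS.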
@@ -0,0 +1,28 @@ +From: Jan Engelhardt +Date: 2012-03-11 23:31:50.889566758 +0100 + +build: resolve compiler warnings about implicitly-defined functions + +crypto_sha512crypt.c: In function 'sha512_crypt_r': +crypto_sha512crypt.c:200:9: warning: implicit declaration of + function 'mempcpy' [-Wimplicit-function-declaration] +crypto_sha512crypt.c:200:14: warning: incompatible implicit + declaration of built-in function 'mempcpy' [enabled by default] +crypto_sha512crypt.c:221:14: warning: incompatible implicit + declaration of built-in function 'mempcpy' [enabled by default] +--- + src/util/crypto/libcrypto/crypto_sha512crypt.c | 1 + + 1 file changed, 1 insertion(+) + +Index: sssd-1.8.0/src/util/crypto/libcrypto/crypto_sha512crypt.c +=================================================================== +--- sssd-1.8.0.orig/src/util/crypto/libcrypto/crypto_sha512crypt.c ++++ sssd-1.8.0/src/util/crypto/libcrypto/crypto_sha512crypt.c +@@ -10,6 +10,7 @@ + /* SHA512-based Unix crypt implementation. + Released into the Public Domain by Ulrich Drepper . */ + ++#define _GNU_SOURCE 1 /* mempcpy */ + #include + #include + #include diff --git a/sssd-1.5.11.tar.bz2 b/sssd-1.5.11.tar.bz2 deleted file mode 100644 index de4bb56..0000000 --- a/sssd-1.5.11.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:08291561197651ebe3ebee9ca993ebdcebdfe4fb10a0bab3f72ea75f21363e34 -size 1353669 diff --git a/sssd-1.8.0.tar.bz2 b/sssd-1.8.0.tar.bz2 new file mode 100644 index 0000000..77d917e --- /dev/null +++ b/sssd-1.8.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:09f5e6d9f4ab7f7ad8d2cbe818f22de416963d62b995d030ecfdd34c55e56059 +size 1733496 diff --git a/sssd.changes b/sssd.changes index 1c89c43..743805a 100644 --- a/sssd.changes +++ b/sssd.changes 
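Review bot: The added `#define _GNU_SOURCE 1` is unguarded, so if config.h or the build's CFLAGS already define `_GNU_SOURCE` the compiler reports a redefinition; the three `#include` lines below it lost their header names in this rendering, so I can't tell whether config.h is among them. Wrap it as `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE 1` / `#endif`. The comment should also say why this is more than a warning fix: with no prototype in scope the pre-C99 implicit-int rule makes the compiler treat mempcpy's `void *` result as an `int`, which on a 64-bit target truncates the returned pointer inside the password-hashing code, e.g. `/* mempcpy is a GNU extension; without its prototype the returned pointer is truncated to int on LP64 */`.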
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de + +- Update to new upstream release 1.8.0 +* Support for the service map in NSS +* Support for setting default SELinux user context from FreeIPA +* Support for retrieving SSH user and host keys from LDAP +* Support for caching autofs LDAP requests +* Support for caching SUDO rules +* Include the IPA AutoFS provider +* Fixed several memory-corruption bugs +* Fixed a regression in the proxy provider + ------------------------------------------------------------------- Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de diff --git a/sssd.spec b/sssd.spec index 4ea61d9..e743bab 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # # spec file for package sssd # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -14,23 +14,20 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - - - Name: sssd -Version: 1.5.11 -Release: 2 -Group: System/Daemons +Version: 1.8.0 +Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ +Group: System/Daemons Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf -Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch -Patch2: 0002-Request-password-control-unconditionally-during-bind.patch Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch +Patch4: 0004-avoid-hard-crypto-dep.diff +Patch5: 0005-implicit-decl.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if %suse_version > 1140 +%if %suse_version >= 1210 %{?systemd_requires} %endif 
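Review bot: This hunk keeps the unguarded form `%if %suse_version >= 1210` around `%{?systemd_requires}` while the BuildRequires hunk of the same commit switches to `%if 0%{?suse_version} >= 1210`; rpm only evaluates the guarded form cleanly when the macro is undefined, so the two conditions behave differently on a host without `%suse_version`. Use `%if 0%{?suse_version} >= 1210` here as well so the spec follows one convention.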
@@ -47,38 +44,53 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %endif ### Build Dependencies ### +%if 0%{?suse_version} >= 1210 +BuildRequires: pkgconfig(collection) >= 0.5.1 +BuildRequires: pkgconfig(dbus-1) +BuildRequires: pkgconfig(dhash) >= 0.4.2 +BuildRequires: pkgconfig(ini_config) >= 0.6.1 +BuildRequires: pkgconfig(ldb) >= 0.9.2 +BuildRequires: pkgconfig(libcares) +BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libnl-1) >= 1.1 +BuildRequires: pkgconfig(libpcre) >= 7 +BuildRequires: pkgconfig(popt) +BuildRequires: pkgconfig(python) +BuildRequires: pkgconfig(talloc) +BuildRequires: pkgconfig(tdb) >= 1.1.3 +BuildRequires: pkgconfig(tevent) +%else +BuildRequires: dbus-1-devel +BuildRequires: libcares-devel +BuildRequires: libcollection-devel >= 0.5.1 +BuildRequires: libdhash-devel >= 0.4.2 +BuildRequires: libini_config-devel >= 0.6.1 +BuildRequires: libldb-devel >= 0.9.2 +BuildRequires: libnl-devel >= 1.1 +BuildRequires: libopenssl-devel +BuildRequires: libtalloc-devel +BuildRequires: libtdb-devel >= 1.1.3 +BuildRequires: libtevent-devel +BuildRequires: pcre-devel >= 7 +BuildRequires: popt-devel +BuildRequires: python-devel +%endif BuildRequires: autoconf BuildRequires: automake +BuildRequires: bind-utils +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel BuildRequires: libtool -BuildRequires: m4 -BuildRequires: popt-devel -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -BuildRequires: libtdb-devel -BuildRequires: libldb-devel -BuildRequires: libxslt +BuildRequires: libunistring-devel +# wants: xmllint, xsltproc BuildRequires: libxml2 -BuildRequires: libcares-devel -BuildRequires: dbus-1-devel +BuildRequires: libxslt +BuildRequires: nscd BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config -BuildRequires: pcre-devel -BuildRequires: docbook-xsl-stylesheets -BuildRequires: krb5-devel -BuildRequires: python-devel -BuildRequires: bind-utils -BuildRequires: nscd -BuildRequires: 
libpath_utils-devel -BuildRequires: libdhash-devel -BuildRequires: libini_config-devel -BuildRequires: libcollection-devel -BuildRequires: libref_array-devel -%if %suse_version > 1140 +%if %suse_version >= 1210 BuildRequires: systemd -BuildRequires: libnl-1_1-devel -%else -BuildRequires: libnl-devel %endif %description @@ -89,8 +101,8 @@ account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. %package ipa-provider -License: GPL-3.0+ and LGPL-3.0+ Summary: FreeIPA provider plugin for sssd +License: GPL-3.0+ and LGPL-3.0+ Group: System/Daemons Requires: sssd = %{version} @@ -99,8 +111,8 @@ This package provide the FreeIPA provider plugin for the System Security Services Daemon (sssd). %package tools -License: GPL-3.0+ and LGPL-3.0+ Summary: Commandline tools for sssd +License: GPL-3.0+ and LGPL-3.0+ Group: System/Management Requires: sssd = %{version} 
@@ -108,9 +120,38 @@ Requires: sssd = %{version} The packages contains commandline tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). -%package -n python-sssd-config +%package -n libipa_hbac0 +Summary: FreeIPA HBAC Evaluator library +License: LGPL-3.0+ +Group: System/Libraries + +%description -n libipa_hbac0 +Utility library to validate FreeIPA HBAC rules for authorization +requests. + +%package -n libipa_hbac-devel +Summary: Development files for the FreeIPA HBAC Evaluator library +License: LGPL-3.0+ +Group: Development/Libraries/C and C++ +Requires: libipa_hbac0 = %version + +%description -n libipa_hbac-devel +Utility library to validate FreeIPA HBAC rules for authorization +requests. + +%package -n python-ipa_hbac +Summary: Python bindings for the FreeIPA HBAC Evaluator library License: GPL-3.0+ and LGPL-3.0+ +Group: Development/Libraries/Python +%py_requires + +%description -n python-ipa_hbac +The python-ipa_hbac package contains the bindings so that libipa_hbac +can be used by Python applications. + +%package -n python-sssd-config Summary: Python API for configuring sssd +License: GPL-3.0+ and LGPL-3.0+ Group: Development/Libraries/Python %{py_requires} @@ -120,15 +161,21 @@ Security Services Daemon (sssd). %prep %setup -q -%patch -P 1 -P 2 -P 3 -p1 +%patch -P 3 -P 4 -P 5 -p1 %build autoreconf +%if 0%{?suse_version} < 1210 +# pkgconfig file not present export LDB_LIBS="-lldb" -export LDB_CFLAGS="-I/usr/include" +export LDB_CFLAGS=" " +export LDB_DIR="%_libdir/ldb" +%else +export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" +%endif # help configure find nscd -export PATH=$PATH:/usr/sbin/ +export PATH="$PATH:/usr/sbin" %configure \ --with-db-path=%{dbpath} \ 
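Review bot: `export LDB_DIR="$(pkg-config ldb --variable=modulesdir)"` cannot fail the build: the status the shell's `-e` sees is that of `export`, not of pkg-config, so a missing or broken ldb.pc hands the following `--with-ldb-lib-dir="$LDB_DIR"` an empty value and the ldb module location is silently wrong. Assign and check before exporting: `LDB_DIR="$(pkg-config --variable=modulesdir ldb)"`, `test -n "$LDB_DIR"`, `export LDB_DIR`. The `export LDB_CFLAGS=" "` in the older-release branch also deserves a comment saying the single space is deliberate (presumably so configure treats the variable as set); as written it reads like a typo.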
@@ -137,8 +184,7 @@ export PATH=$PATH:/usr/sbin/ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} \ --enable-pammoddir=/%{_lib}/security \ - --enable-crypto=yes \ - --with-ldb-lib-dir=%{_libdir}/ldb \ + --with-ldb-lib-dir="$LDB_DIR" \ --with-selinux=no \ --with-os=suse \ --with-semanage=no @@ -149,9 +195,9 @@ make install DESTDIR=$RPM_BUILD_ROOT # Copy default sssd.conf file install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sssd -install -m600 src/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +install -m600 src/examples/sssd-example.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf install src/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd -%if %suse_version > 1140 +%if %suse_version >= 1210 install -d $RPM_BUILD_ROOT/%{_unitdir} install src/sysv/systemd/sssd.service $RPM_BUILD_ROOT/%{_unitdir}/sssd.service %endif @@ -173,10 +219,7 @@ rm -rf \ %find_lang %{name} --all-name -%clean -rm -rf $RPM_BUILD_ROOT - -%if %suse_version > 1140 +%if %suse_version >= 1210 %pre %service_add_pre sssd.service @@ -184,13 +227,13 @@ rm -rf $RPM_BUILD_ROOT %post /sbin/ldconfig -%if %suse_version > 1140 +%if %suse_version >= 1210 %service_add_post sssd.service %endif %preun %stop_on_removal sssd -%if %suse_version > 1140 +%if %suse_version >= 1210 %service_del_preun sssd.service %endif @@ -198,15 +241,19 @@ rm -rf $RPM_BUILD_ROOT /sbin/ldconfig %restart_on_update sssd %insserv_cleanup -%if %suse_version > 1140 +%if %suse_version >= 1210 %service_del_postun sssd.service %endif +%post -n libipa_hbac0 -p /sbin/ldconfig + +%postun -n libipa_hbac0 -p /sbin/ldconfig + %files -f sssd.lang %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} -%if %suse_version > 1140 +%if %suse_version >= 1210 %{_unitdir}/sssd.service %endif %{_sbindir}/sssd 
@@ -229,35 +276,23 @@ rm -rf $RPM_BUILD_ROOT %attr(750,root,root) %dir %{_var}/log/%{name} %dir %{_sysconfdir}/sssd %config(noreplace) %{_sysconfdir}/sssd/sssd.conf -%config %{_sysconfdir}/sssd/sssd.api.conf -%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-krb5.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-ldap.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-local.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-proxy.conf -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-simple.conf /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so %{_mandir}/man5/sssd-krb5.* %{_mandir}/man5/sssd-ldap.* %{_mandir}/man5/sssd-simple.* %{_mandir}/man5/sssd.conf.* +%_datadir/sssd +%exclude %_datadir/sssd/sssd.api.d/sssd-ipa.conf %files tools %defattr(-,root,root,-) -%dir %{_mandir}/cs -%dir %{_mandir}/cs/man8 -%dir %{_mandir}/uk -%dir %{_mandir}/uk/man8 -%dir %{_mandir}/es -%dir %{_mandir}/es/man8 -%dir %{_mandir}/nl -%dir %{_mandir}/nl/man8 -%{_mandir}/man8/* -%{_mandir}/cs/man8/* -%{_mandir}/uk/man8/* -%{_mandir}/es/man8/* -%{_mandir}/nl/man8/* +%_mandir/man8/* +%dir %_mandir/?? +%dir %_mandir/??/man* +%_mandir/??/man8/* +%{_sbindir}/sss_cache +%{_sbindir}/sss_debuglevel %{_sbindir}/sss_useradd %{_sbindir}/sss_userdel %{_sbindir}/sss_usermod 
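Review bot: `%config(noreplace) %{_sysconfdir}/sssd/sssd.conf` is listed without an explicit `%attr`, so the 0600 mode of a file that presumably holds the obfuscated LDAP bind password (this commit ships `sss_obfuscate` in the tools package) depends solely on the `install -m600` in %install and on `%defattr(-,root,root,-)` leaving modes untouched. Pin it where a reader looks for it: `%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf`, and give `%dir %{_sysconfdir}/sssd` a deliberate mode too. The `sssd.api.d` schema files moved to `%_datadir/sssd` lose the old `%attr(700)` directory, which is acceptable for schema data but worth stating in the changelog.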
@@ -269,14 +304,32 @@ rm -rf $RPM_BUILD_ROOT %files ipa-provider %defattr(-,root,root,-) -%config %{_sysconfdir}/sssd/sssd.api.d/sssd-ipa.conf +%dir %_datadir/sssd +%dir %_datadir/sssd/sssd.api.d +%_datadir/sssd/sssd.api.d/sssd-ipa.conf %{_libdir}/sssd/libsss_ipa* %{_mandir}/man5/sssd-ipa.* +%files -n libipa_hbac0 +%defattr(-,root,root) +%_libdir/libipa_hbac.so.0* + +%files -n libipa_hbac-devel +%defattr(-,root,root) +%_includedir/ipa_hbac.h +%_libdir/libipa_hbac.so +%_libdir/pkgconfig/ipa_hbac.pc + +%files -n python-ipa_hbac +%defattr(-,root,root) +%python_sitearch/pyhbac.so + %files -n python-sssd-config -%defattr(-,root,root,-) -%{python_sitearch}/pysss.so -%{python_sitelib}/*.py* -%{python_sitelib}/*.egg-info +%defattr(-,root,root) +%python_sitearch/pysss.so +%python_sitelib/SSSDConfig*.py* +%python_sitelib/SSSDConfig*.egg-info +%python_sitelib/ipachangeconf.py* +%python_sitelib/sssd_upgrade_config.py* %changelog From 1ccad662ca4bcab5d8cf71b63780c7f40ed4a1928ce3446f847c71adc5762e60 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 23 Apr 2012 07:18:24 +0000 Subject: [PATCH 31/63] Accepting request 114418 from network:ldap - Update to new upstream release 1.8.2 OBS-URL: https://build.opensuse.org/request/show/114418 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=35 --- sssd-1.8.0.tar.bz2 | 3 -- sssd-1.8.2.tar.gz | 3 ++ sssd.changes | 23 ++++++++++++ sssd.spec | 87 ++++++++++++++++++++++++++++++++++------------ 4 files changed, 91 insertions(+), 25 deletions(-) delete mode 100644 sssd-1.8.0.tar.bz2 create mode 100644 sssd-1.8.2.tar.gz diff --git a/sssd-1.8.0.tar.bz2 b/sssd-1.8.0.tar.bz2 deleted file mode 100644 index 77d917e..0000000 --- a/sssd-1.8.0.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:09f5e6d9f4ab7f7ad8d2cbe818f22de416963d62b995d030ecfdd34c55e56059 -size 1733496 diff --git a/sssd-1.8.2.tar.gz b/sssd-1.8.2.tar.gz new file mode 100644 index 0000000..30f3af1 
--- /dev/null +++ b/sssd-1.8.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:59231dbe76f53b4d2ae026419940c5afceb3307a221648226bc661ce8b871575 +size 2128880 diff --git a/sssd.changes b/sssd.changes index 743805a..d56caf6 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,4 +1,27 @@ ------------------------------------------------------------------- +Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com + +- Fix build error on SLES 11 builds + +------------------------------------------------------------------- +Mon Apr 9 21:45:45 PDT 2012 - ben.kevan@gmail.com + +- Add suse_version condition for glib over libunistring for + SLES 11 SP2. +- Update to new upstream release 1.8.2 +* Fix for GSSAPI binds when the keytab contains unrelated + principals +* Workarounds added for LDAP servers with unreadable RootDSE + +------------------------------------------------------------------- +Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com + +- Update to new upstream release 1.8.1 +* Resolve issue where we could enter an infinite loop trying to + connect to an auth server + +------------------------------------------------------------------- + Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de - Update to new upstream release 1.8.0 diff --git a/sssd.spec b/sssd.spec index e743bab..939efc9 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -14,22 +14,22 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + + Name: sssd -Version: 1.8.0 +Version: 1.8.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ Group: System/Daemons Url: https://fedorahosted.org/sssd/ -Source0: %{name}-%{version}.tar.bz2 + +Source0: %{name}-%{version}.tar.gz Source1: baselibs.conf Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch Patch4: 0004-avoid-hard-crypto-dep.diff Patch5: 0005-implicit-decl.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if %suse_version >= 1210 -%{?systemd_requires} -%endif %define servicename sssd %define sssdstatedir %{_localstatedir}/lib/sss @@ -81,16 +81,26 @@ BuildRequires: bind-utils BuildRequires: docbook-xsl-stylesheets BuildRequires: krb5-devel BuildRequires: libtool +%if 0%{?suse_version} >= 1140 BuildRequires: libunistring-devel -# wants: xmllint, xsltproc +%else +# SLES 11 SP2 does not have libunistring +BuildRequires: glib2-devel +%endif +%if 0%{?suse_version} >= 1220 +BuildRequires: libxml2-tools +BuildRequires: libxslt-tools +%else BuildRequires: libxml2 BuildRequires: libxslt +%endif BuildRequires: nscd BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config %if %suse_version >= 1210 BuildRequires: systemd +%{?systemd_requires} %endif %description 
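Review bot: `%{?systemd_requires}` is now gated on `%if %suse_version >= 1210` (unguarded, unlike the `0%{?suse_version}` spelling used for libunistring a few lines above), while the unit installation and the `%service_add_pre`/`%service_add_post` scriptlets in the same commit are gated on `%if 0%{?_unitdir:1}`. On a host where `_unitdir` is defined but `suse_version` is below 1210 the scriptlets run without the Requires(pre)/Requires(post) that `systemd_requires` adds, and in the opposite case the package requires systemd but ships no unit. Gate both on the same condition, e.g. `%if 0%{?_unitdir:1}` around `BuildRequires: systemd` and `%{?systemd_requires}` as well.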
@@ -187,17 +197,31 @@ export PATH="$PATH:/usr/sbin" --with-ldb-lib-dir="$LDB_DIR" \ --with-selinux=no \ --with-os=suse \ +%if 0%{?sles_version} == 11 + --with-unicode-lib=glib2 \ +%endif --with-semanage=no -make %{?_smp_mflags} + +make %{?_smp_mflags} all %install make install DESTDIR=$RPM_BUILD_ROOT # Copy default sssd.conf file +install -d %{buildroot}%{_mandir}/cs +install -d %{buildroot}%{_mandir}/cs/man8 +install -d %{buildroot}%{_mandir}/nl +install -d %{buildroot}%{_mandir}/nl/man8 +install -d %{buildroot}%{_mandir}/pt +install -d %{buildroot}%{_mandir}/pt/man8 +install -d %{buildroot}%{_mandir}/uk +install -d %{buildroot}%{_mandir}/uk/man1 +install -d %{buildroot}%{_mandir}/uk/man5 +install -d %{buildroot}%{_mandir}/uk/man8 install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sssd install -m600 src/examples/sssd-example.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf install src/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd -%if %suse_version >= 1210 +%if 0%{?_unitdir:1} install -d $RPM_BUILD_ROOT/%{_unitdir} install src/sysv/systemd/sssd.service $RPM_BUILD_ROOT/%{_unitdir}/sssd.service %endif @@ -219,21 +243,20 @@ rm -rf \ %find_lang %{name} --all-name -%if %suse_version >= 1210 - +%if 0%{?_unitdir:1} %pre %service_add_pre sssd.service %endif %post /sbin/ldconfig -%if %suse_version >= 1210 +%if 0%{?_unitdir:1} %service_add_post sssd.service %endif %preun %stop_on_removal sssd -%if %suse_version >= 1210 +%if 0%{?_unitdir:1} %service_del_preun sssd.service %endif @@ -241,7 +264,7 @@ rm -rf \ /sbin/ldconfig %restart_on_update sssd %insserv_cleanup -%if %suse_version >= 1210 +%if 0%{?_unitdir:1} %service_del_postun sssd.service %endif 
@@ -253,13 +276,31 @@ rm -rf \ %defattr(-,root,root,-) %doc COPYING %{_initrddir}/%{name} -%if %suse_version >= 1210 +%if 0%{?_unitdir:1} %{_unitdir}/sssd.service %endif %{_sbindir}/sssd %{_sbindir}/rcsssd %dir %{_libdir}/%{name} %dir %{_libexecdir}/%{name} +%dir %{_mandir}/cs +%dir %{_mandir}/cs/man8 +%dir %{_mandir}/nl +%dir %{_mandir}/nl/man8 +%dir %{_mandir}/pt +%dir %{_mandir}/pt/man8 +%dir %{_mandir}/uk +%dir %{_mandir}/uk/man1 +%dir %{_mandir}/uk/man5 +%dir %{_mandir}/uk/man8 +%{_mandir}/??/man?/* +%{_mandir}/man5/sssd-krb5.5* +%{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man5/sssd-simple.5* +%{_mandir}/man8/sssd.8* +%{_mandir}/man5/sssd.conf.5.gz +%{_mandir}/man8/pam_sss.8.gz +%{_mandir}/man8/sssd_krb5_locator_plugin.8.gz %{_libexecdir}/%{name}/sss* %{_libexecdir}/%{name}/*_child %{_libdir}/%{name}/libsss_krb5* @@ -278,19 +319,11 @@ rm -rf \ %config(noreplace) %{_sysconfdir}/sssd/sssd.conf /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so -%{_mandir}/man5/sssd-krb5.* -%{_mandir}/man5/sssd-ldap.* -%{_mandir}/man5/sssd-simple.* -%{_mandir}/man5/sssd.conf.* %_datadir/sssd %exclude %_datadir/sssd/sssd.api.d/sssd-ipa.conf %files tools %defattr(-,root,root,-) -%_mandir/man8/* -%dir %_mandir/?? -%dir %_mandir/??/man* -%_mandir/??/man8/* %{_sbindir}/sss_cache %{_sbindir}/sss_debuglevel %{_sbindir}/sss_useradd @@ -300,6 +333,16 @@ rm -rf \ %{_sbindir}/sss_groupdel %{_sbindir}/sss_groupmod %{_sbindir}/sss_groupshow +%{_mandir}/man8/sss_groupadd.8* +%{_mandir}/man8/sss_groupdel.8* +%{_mandir}/man8/sss_groupmod.8* +%{_mandir}/man8/sss_groupshow.8* +%{_mandir}/man8/sss_useradd.8* +%{_mandir}/man8/sss_userdel.8* +%{_mandir}/man8/sss_usermod.8* +%{_mandir}/man8/sss_obfuscate.8* +%{_mandir}/man8/sss_cache.8* +%{_mandir}/man8/sss_debuglevel.8* %attr(0755,root,root) %{_sbindir}/sss_obfuscate %files ipa-provider From de55c4b1c3126a7ca7d7dd0c9d8ba03747f83973d4a8e894c2dc6de16617d34d Mon Sep 17 00:00:00 2001 
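Review bot: The main package's `%{_mandir}/??/man?/*` glob takes every localized page, presumably including the translated `sss_useradd`/`sss_groupadd` and co. pages, while their English pages are listed under `%files tools`, so the tools' documentation is split between two packages that are not necessarily installed together. Either list the localized tools pages explicitly in tools, or let `%find_lang %{name} --all-name --with-man` own the translations via the existing `-f sssd.lang` and drop the hand-written `%dir`/glob entries, which would also remove the need for the empty `install -d` man directories created in %install. Separately, `%{_mandir}/man5/sssd.conf.5.gz`, `pam_sss.8.gz` and `sssd_krb5_locator_plugin.8.gz` hardcode the compression suffix where the neighbouring entries use `5*`/`8*`; use the wildcard so a change of man-page compression does not break the file list.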
From: Stephan Kulow Date: Mon, 14 May 2012 14:21:59 +0000 Subject: [PATCH 32/63] Accepting request 120747 from network:ldap - Update to new upstream release 1.8.3 * LDAP: Handle situations where the RootDSE is not available anonymously * LDAP: Fix regression for users using non-standard LDAP attributes for user information - Switch from openssl to mozilla-nss, as this is the officially supported crypto integration (forwarded request 120746 from jengelh) OBS-URL: https://build.opensuse.org/request/show/120747 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=36 --- 0004-avoid-hard-crypto-dep.diff | 40 --------------------------------- libdl.diff | 29 ++++++++++++++++++++++++ sssd-1.8.2.tar.gz | 3 --- sssd-1.8.3.tar.gz | 3 +++ sssd-1.8.3.tar.gz.asc | 7 ++++++ sssd.changes | 11 +++++++++ sssd.spec | 15 +++++++------ 7 files changed, 58 insertions(+), 50 deletions(-) delete mode 100644 0004-avoid-hard-crypto-dep.diff create mode 100644 libdl.diff delete mode 100644 sssd-1.8.2.tar.gz create mode 100644 sssd-1.8.3.tar.gz create mode 100644 sssd-1.8.3.tar.gz.asc diff --git a/0004-avoid-hard-crypto-dep.diff b/0004-avoid-hard-crypto-dep.diff deleted file mode 100644 index 9710e7f..0000000 --- a/0004-avoid-hard-crypto-dep.diff +++ /dev/null 
@@ -1,40 +0,0 @@ -From: Jan Engelhardt -Date: 2012-03-11 21:45:34.708782973 +0100 - -build: restore libcrypto support in the autotools files. - -References: https://bugzilla.redhat.com/show_bug.cgi?id=802169 - ---- - configure.ac | 1 + - src/external/crypto.m4 | 4 ++-- - 2 files changed, 3 insertions(+), 2 deletions(-) - -Index: sssd-1.8.0/configure.ac -=================================================================== ---- sssd-1.8.0.orig/configure.ac -+++ sssd-1.8.0/configure.ac -@@ -210,6 +210,7 @@ if test x$HAVE_SYSTEMD_UNIT != x; then - fi - - AM_CHECK_NSS -+AM_CHECK_LIBCRYPTO - AM_CONDITIONAL([HAVE_NSS], [test x"$NSS_CFLAGS" != x]) - - AC_CHECK_HEADERS([sys/inotify.h]) -Index: sssd-1.8.0/src/external/crypto.m4 -=================================================================== ---- sssd-1.8.0.orig/src/external/crypto.m4 -+++ sssd-1.8.0/src/external/crypto.m4 -@@ -1,9 +1,9 @@ - AC_DEFUN([AM_CHECK_NSS], -- [PKG_CHECK_MODULES([NSS],[nss]) -+ [PKG_CHECK_MODULES([NSS],[nss],[:],[:]) - AC_DEFINE_UNQUOTED(HAVE_NSS, 1, [Build with NSS crypto back end]) - ]) - - AC_DEFUN([AM_CHECK_LIBCRYPTO], -- [PKG_CHECK_MODULES([CRYPTO],[libcrypto]) -+ [PKG_CHECK_MODULES([CRYPTO],[libcrypto],[:],[:]) - AC_DEFINE_UNQUOTED(HAVE_LIBCRYPTO, 1, [Build with libcrypt crypto back end]) - ]) diff --git a/libdl.diff b/libdl.diff new file mode 100644 index 0000000..e362504 --- /dev/null +++ b/libdl.diff 
@@ -0,0 +1,29 @@ +From: Jan Engelhardt +Date: 2012-05-11 19:34:50.087905211 +0200 + +build: resolve link failure + +libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,--version-script -Wl,./src/providers/sssd_be.exports -o sssd_be src/providers/data_provider_be.o src/providers/data_provider_fo.o src/providers/data_provider_opts.o src/providers/data_provider_callbacks.o src/providers/fail_over.o src/resolv/async_resolv.o -Wl,--export-dynamic -lpam -lcares ./.libs/libsss_util.a -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lcollection -ldhash -llber -lldap -ltdb -lunistring -lcrypto +/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: src/providers/data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5' +/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line +/lib64/libdl.so.2: could not read symbols: Invalid operation +collect2: error: ld returned 1 exit status +make[2]: *** [sssd_be] Error 1 + +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: sssd-1.8.3/Makefile.am +=================================================================== +--- sssd-1.8.3.orig/Makefile.am ++++ sssd-1.8.3/Makefile.am +@@ -547,7 +547,7 @@ sssd_be_SOURCES = \ + src/providers/data_provider_callbacks.c \ + $(SSSD_FAILOVER_OBJ) + sssd_be_LDADD = \ +- $(SSSD_LIBS) \ ++ -ldl $(SSSD_LIBS) \ + $(CARES_LIBS) \ + libsss_util.la + sssd_be_LDFLAGS = \ diff --git a/sssd-1.8.2.tar.gz b/sssd-1.8.2.tar.gz deleted file mode 100644 index 30f3af1..0000000 --- a/sssd-1.8.2.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:59231dbe76f53b4d2ae026419940c5afceb3307a221648226bc661ce8b871575 -size 2128880 diff --git a/sssd-1.8.3.tar.gz b/sssd-1.8.3.tar.gz new file mode 100644 index 0000000..6e0f1fa --- /dev/null +++ b/sssd-1.8.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:75ca9465db5816804fe58e250450cb08867e1d1d8557c21ca731230cd80747e3 +size 2156262 diff --git a/sssd-1.8.3.tar.gz.asc b/sssd-1.8.3.tar.gz.asc new file mode 100644 index 0000000..24a7a20 --- /dev/null +++ b/sssd-1.8.3.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (GNU/Linux) + +iEYEABECAAYFAk+iz+UACgkQeiVVYja6o6MakgCeJ8poAGhQPPOTFGFQcr3sCHI/ +sv0An2lI/FR2R4+6iltEeaXZCqdvbetY +=iKbt +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index d56caf6..5cc7db0 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.8.3 +* LDAP: Handle situations where the RootDSE is not available + anonymously +* LDAP: Fix regression for users using non-standard LDAP attributes + for user information +- Switch from openssl to mozilla-nss, as this is the officially + supported crypto integration + ------------------------------------------------------------------- Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com diff --git a/sssd.spec b/sssd.spec index 939efc9..d399920 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -17,18 +17,19 @@ Name: sssd -Version: 1.8.2 +Version: 1.8.3 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ Group: System/Daemons Url: https://fedorahosted.org/sssd/ -Source0: %{name}-%{version}.tar.gz -Source1: baselibs.conf +Source: https://fedorahosted.org/released/sssd/%name-%version.tar.gz +Source2: https://fedorahosted.org/released/sssd/%name-%version.tar.gz.asc +Source3: baselibs.conf Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch -Patch4: 0004-avoid-hard-crypto-dep.diff Patch5: 0005-implicit-decl.diff +Patch6: libdl.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -51,9 +52,9 @@ BuildRequires: pkgconfig(dhash) >= 0.4.2 BuildRequires: pkgconfig(ini_config) >= 0.6.1 BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(libcares) -BuildRequires: pkgconfig(libcrypto) BuildRequires: pkgconfig(libnl-1) >= 1.1 BuildRequires: pkgconfig(libpcre) >= 7 +BuildRequires: pkgconfig(nss) BuildRequires: pkgconfig(popt) BuildRequires: pkgconfig(python) BuildRequires: pkgconfig(talloc) @@ -67,10 +68,10 @@ BuildRequires: libdhash-devel >= 0.4.2 BuildRequires: libini_config-devel >= 0.6.1 BuildRequires: libldb-devel >= 0.9.2 BuildRequires: libnl-devel >= 1.1 -BuildRequires: libopenssl-devel BuildRequires: libtalloc-devel BuildRequires: libtdb-devel >= 1.1.3 BuildRequires: libtevent-devel +BuildRequires: mozilla-nss-devel BuildRequires: pcre-devel >= 7 BuildRequires: popt-devel BuildRequires: python-devel @@ -171,7 +172,7 @@ Security Services Daemon (sssd). %prep %setup -q -%patch -P 3 -P 4 -P 5 -p1 +%patch -P 3 -P 5 -P 6 -p1 %build autoreconf From 58c23689428a99c9e5c2fa1960e44d0f697f7ad9746e3b6eea087e45143a3831 Mon Sep 17 00:00:00 2001 
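Review bot: The added `Source2: https://fedorahosted.org/released/sssd/%name-%version.tar.gz.asc` in the first spec hunk ships the upstream signature but nothing in this request verifies it: the diffstat adds no keyring file, and as far as I know the OBS source validator only checks a `.asc` against an accompanying `%name.keyring`, so right now the signature merely documents provenance while the sha256 in the LFS pointer is the only integrity anchor. Adding the upstream release key as `sssd.keyring` next to the `.asc` is what makes the signature check run at check-in. The `pkgconfig(nss)`/`mozilla-nss-devel` hunks are consistent with dropping Patch4 and need nothing further.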
From: Stephan Kulow Date: Mon, 17 Sep 2012 12:10:56 +0000 Subject: [PATCH 33/63] Accepting request 134092 from network:ldap Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/134092 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=38 --- ...cide-when-an-expiration-warning-is-w.patch | 33 --------- libdl.diff | 29 -------- sssd-1.8.3.tar.gz | 3 - sssd-1.8.3.tar.gz.asc | 7 -- sssd-1.8.93.tar.xz | 3 + sssd.changes | 16 ++++ sssd.spec | 73 +++++++++++-------- 7 files changed, 62 insertions(+), 102 deletions(-) delete mode 100644 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch delete mode 100644 libdl.diff delete mode 100644 sssd-1.8.3.tar.gz delete mode 100644 sssd-1.8.3.tar.gz.asc create mode 100644 sssd-1.8.93.tar.xz diff --git a/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch b/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch deleted file mode 100644 index 753b96c..0000000 --- a/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From d0bf20038fddf5ad296287fb16bc80082088b770 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Mon, 1 Aug 2011 10:48:06 -0400 -Subject: Allow LDAP to decide when an expiration warning is warranted - -Previously, we were only displaying expiration warnings if the -password was going to expire within a day. We'll allow LDAP to -make this decision (by whether it passes us the expiration time). - -In the future, we can add an option to clamp this down to a -shorter period if the local admin prefers it. - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index 3c9d760..7fcf985 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -409,9 +409,10 @@ static errno_t filter_responses(struct confdb_ctx *cdb, - } - memcpy(&expire_warn, resp->data + sizeof(uint32_t), - sizeof(uint32_t)); -- if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) { -- resp->do_not_send_to_client = true; -- } -+ /* TODO: Add an option to limit the display of the -+ * expiration warning to a specified number of -+ * days (e.g. 14) -+ */ - break; - default: - DEBUG(7, ("User info type [%d] not filtered.\n")); --- -1.7.3.4 - diff --git a/libdl.diff b/libdl.diff deleted file mode 100644 index e362504..0000000 --- a/libdl.diff +++ /dev/null 
@@ -1,29 +0,0 @@ -From: Jan Engelhardt -Date: 2012-05-11 19:34:50.087905211 +0200 - -build: resolve link failure - -libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,--version-script -Wl,./src/providers/sssd_be.exports -o sssd_be src/providers/data_provider_be.o src/providers/data_provider_fo.o src/providers/data_provider_opts.o src/providers/data_provider_callbacks.o src/providers/fail_over.o src/resolv/async_resolv.o -Wl,--export-dynamic -lpam -lcares ./.libs/libsss_util.a -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lcollection -ldhash -llber -lldap -ltdb -lunistring -lcrypto -/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: src/providers/data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5' -/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line -/lib64/libdl.so.2: could not read symbols: Invalid operation -collect2: error: ld returned 1 exit status -make[2]: *** [sssd_be] Error 1 - ---- - Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: sssd-1.8.3/Makefile.am -=================================================================== ---- sssd-1.8.3.orig/Makefile.am -+++ sssd-1.8.3/Makefile.am -@@ -547,7 +547,7 @@ sssd_be_SOURCES = \ - src/providers/data_provider_callbacks.c \ - $(SSSD_FAILOVER_OBJ) - sssd_be_LDADD = \ -- $(SSSD_LIBS) \ -+ -ldl $(SSSD_LIBS) \ - $(CARES_LIBS) \ - libsss_util.la - sssd_be_LDFLAGS = \ diff --git a/sssd-1.8.3.tar.gz b/sssd-1.8.3.tar.gz deleted file mode 100644 index 6e0f1fa..0000000 --- a/sssd-1.8.3.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:75ca9465db5816804fe58e250450cb08867e1d1d8557c21ca731230cd80747e3 -size 2156262 diff --git a/sssd-1.8.3.tar.gz.asc b/sssd-1.8.3.tar.gz.asc deleted file mode 100644 index 24a7a20..0000000 --- a/sssd-1.8.3.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.12 (GNU/Linux) - -iEYEABECAAYFAk+iz+UACgkQeiVVYja6o6MakgCeJ8poAGhQPPOTFGFQcr3sCHI/ -sv0An2lI/FR2R4+6iltEeaXZCqdvbetY -=iKbt ------END PGP SIGNATURE----- diff --git a/sssd-1.8.93.tar.xz b/sssd-1.8.93.tar.xz new file mode 100644 index 0000000..df18eaf --- /dev/null +++ b/sssd-1.8.93.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d0577b6f27ea68ba164b701d84628c380bc82275b546fd20a624cfb752fd3e40 +size 1141600 diff --git a/sssd.changes b/sssd.changes index 5cc7db0..0c9366d 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.8.93 (1.9.0~beta3) +* Add native support for autofs to the IPA provider +* Support for id mapping when connecting to Active Directory +* Support for handling very large (> 1500 users) groups in + Active Directory +* Add a new fast in-memory cache to speed up lookups of cached data + on repeated requests +* Add support for the Kerberos DIR cache for storing multiple TGTs + automatically +* Add a new PAC responder for dealing with cross-realm Kerberos + trusts +* Terminate idle connections to the NSS and PAM responders + ------------------------------------------------------------------- Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index d399920..3585e30 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -17,20 +17,19 @@ Name: sssd -Version: 1.8.3 +Version: 1.8.93 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ Group: System/Daemons Url: https://fedorahosted.org/sssd/ -Source: https://fedorahosted.org/released/sssd/%name-%version.tar.gz -Source2: https://fedorahosted.org/released/sssd/%name-%version.tar.gz.asc +#Git-Clone: git://git.fedorahosted.org/sssd +Source: %name-%version.tar.xz Source3: baselibs.conf -Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch Patch5: 0005-implicit-decl.diff -Patch6: libdl.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRequires: xz %define servicename sssd %define sssdstatedir %{_localstatedir}/lib/sss @@ -44,11 +43,16 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %define python_sitearch %py_sitedir %endif -### Build Dependencies ### +#BuildRequires: autoconf >= 2.59, automake, libtool +BuildRequires: bind-utils +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel +BuildRequires: pkgconfig >= 0.21 %if 0%{?suse_version} >= 1210 BuildRequires: pkgconfig(collection) >= 0.5.1 -BuildRequires: pkgconfig(dbus-1) +BuildRequires: pkgconfig(dbus-1) >= 1.0.0 BuildRequires: pkgconfig(dhash) >= 0.4.2 +BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(ini_config) >= 0.6.1 BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(libcares) @@ -61,7 +65,8 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) %else -BuildRequires: dbus-1-devel +BuildRequires: dbus-1-devel >= 1.0.0 +BuildRequires: glib2-devel BuildRequires: libcares-devel BuildRequires: libcollection-devel >= 0.5.1 BuildRequires: libdhash-devel >= 0.4.2 
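Review bot: The first hunk replaces the download URL with a bare `Source: %name-%version.tar.xz` and removes `Source2: …tar.gz.asc` without adding a signature for 1.8.93 anywhere in this request, so the tarball's origin can no longer be reproduced or signature-checked from the package itself. For a pre-release snapshot that may be unavoidable, but the `#Git-Clone: git://git.fedorahosted.org/sssd` comment should then state how the tarball was produced so a reviewer can regenerate and compare it, e.g. `# Tarball: git archive of <TAG-OR-COMMIT>, recompressed with xz` (placeholder; fill in the actual ref). The switch to `BuildRequires: xz` in the same hunk is fine on its own.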
@@ -76,18 +81,6 @@ BuildRequires: pcre-devel >= 7 BuildRequires: popt-devel BuildRequires: python-devel %endif -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: bind-utils -BuildRequires: docbook-xsl-stylesheets -BuildRequires: krb5-devel -BuildRequires: libtool -%if 0%{?suse_version} >= 1140 -BuildRequires: libunistring-devel -%else -# SLES 11 SP2 does not have libunistring -BuildRequires: glib2-devel -%endif %if 0%{?suse_version} >= 1220 BuildRequires: libxml2-tools BuildRequires: libxslt-tools @@ -150,6 +143,23 @@ Requires: libipa_hbac0 = %version Utility library to validate FreeIPA HBAC rules for authorization requests. +%package -n libsss_idmap0 +Summary: FreeIPA ID mapping library +License: LGPL-3.0+ +Group: System/Libraries + +%description -n libsss_idmap0 +A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. + +%package -n libsss_idmap-devel +Summary: Development files for the FreeIPA idmap library +License: LGPL-3.0+ +Group: Development/Libraries/C and C++ +Requires: libsss_idmap0 = %version + +%description -n libsss_idmap-devel +A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. + %package -n python-ipa_hbac Summary: Python bindings for the FreeIPA HBAC Evaluator library License: GPL-3.0+ and LGPL-3.0+ @@ -172,10 +182,9 @@ Security Services Daemon (sssd). %prep %setup -q -%patch -P 3 -P 5 -P 6 -p1 +%patch -P 5 -p1 %build -autoreconf %if 0%{?suse_version} < 1210 # pkgconfig file not present export LDB_LIBS="-lldb" @@ -198,15 +207,12 @@ export PATH="$PATH:/usr/sbin" --with-ldb-lib-dir="$LDB_DIR" \ --with-selinux=no \ --with-os=suse \ -%if 0%{?sles_version} == 11 - --with-unicode-lib=glib2 \ -%endif --with-semanage=no make %{?_smp_mflags} all %install -make install DESTDIR=$RPM_BUILD_ROOT +make install DESTDIR="%buildroot" # Copy default sssd.conf file install -d %{buildroot}%{_mandir}/cs 
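Review bot: In the `@@ -150,6 +143,23 @@` hunk, `%description -n libsss_idmap-devel` repeats the libsss_idmap0 text verbatim, so the -devel package does not say what it actually contains. A one-line description of the development files is more useful, e.g. `Header files, pkg-config data and the unversioned shared object needed to build against libsss_idmap.`, which also matches the file list the later `%files -n libsss_idmap-devel` section installs. The other hunks in this region (dropping autoconf/automake/libtool and `autoreconf`, and the unconditional `glib2-devel`) are consistent with each other.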
@@ -364,6 +370,16 @@ rm -rf \ %_libdir/libipa_hbac.so %_libdir/pkgconfig/ipa_hbac.pc +%files -n libsss_idmap0 +%defattr(-,root,root) +%_libdir/libsss_idmap.so.0* + +%files -n libsss_idmap-devel +%defattr(-,root,root) +%_includedir/sss_idmap.h +%_libdir/libsss_idmap.so +%_libdir/pkgconfig/sss_idmap.pc + %files -n python-ipa_hbac %defattr(-,root,root) %python_sitearch/pyhbac.so @@ -371,9 +387,6 @@ rm -rf \ %files -n python-sssd-config %defattr(-,root,root) %python_sitearch/pysss.so -%python_sitelib/SSSDConfig*.py* -%python_sitelib/SSSDConfig*.egg-info -%python_sitelib/ipachangeconf.py* -%python_sitelib/sssd_upgrade_config.py* +%python_sitelib/SSSDConfig* %changelog From bdbc02d5db3b97bad03bf9fb12f296fd4c0e842d64edd5bb482ba5a077a01293 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 17 Dec 2012 08:38:59 +0000 Subject: [PATCH 34/63] Accepting request 145201 from network:ldap update to 1.9.3 OBS-URL: https://build.opensuse.org/request/show/145201 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=39 --- 0005-implicit-decl.diff | 12 +- baselibs.conf | 2 +- sssd-1.8.93.tar.xz | 3 - sssd-1.9.3.tar.xz | 3 + sssd-ldflags.diff | 158 +++++++++++++++++++++++++ sssd.changes | 50 ++++++++ sssd.spec | 256 ++++++++++++++++++++++------------------ 7 files changed, 359 insertions(+), 125 deletions(-) delete mode 100644 sssd-1.8.93.tar.xz create mode 100644 sssd-1.9.3.tar.xz create mode 100644 sssd-ldflags.diff diff --git a/0005-implicit-decl.diff b/0005-implicit-decl.diff index 01ebb41..88cf672 100644 --- a/0005-implicit-decl.diff +++ b/0005-implicit-decl.diff 
@@ -14,13 +14,13 @@ crypto_sha512crypt.c:221:14: warning: incompatible implicit src/util/crypto/libcrypto/crypto_sha512crypt.c | 1 + 1 file changed, 1 insertion(+) -Index: sssd-1.8.0/src/util/crypto/libcrypto/crypto_sha512crypt.c +Index: sssd-1.9.2/src/util/crypto/libcrypto/crypto_sha512crypt.c =================================================================== ---- sssd-1.8.0.orig/src/util/crypto/libcrypto/crypto_sha512crypt.c -+++ sssd-1.8.0/src/util/crypto/libcrypto/crypto_sha512crypt.c -@@ -10,6 +10,7 @@ - /* SHA512-based Unix crypt implementation. - Released into the Public Domain by Ulrich Drepper . */ +--- sssd-1.9.2.orig/src/util/crypto/libcrypto/crypto_sha512crypt.c ++++ sssd-1.9.2/src/util/crypto/libcrypto/crypto_sha512crypt.c +@@ -12,6 +12,7 @@ + + #include "config.h" +#define _GNU_SOURCE 1 /* mempcpy */ #include diff --git a/baselibs.conf b/baselibs.conf index 22e0a35..5149f91 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,4 +1,4 @@ -sssd +sssd-client supplements "packageand(sssd:pam-)" supplements "packageand(sssd:glibc-)" -/usr/lib(64)?/* diff --git a/sssd-1.8.93.tar.xz b/sssd-1.8.93.tar.xz deleted file mode 100644 index df18eaf..0000000 --- a/sssd-1.8.93.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d0577b6f27ea68ba164b701d84628c380bc82275b546fd20a624cfb752fd3e40 -size 1141600 diff --git a/sssd-1.9.3.tar.xz b/sssd-1.9.3.tar.xz new file mode 100644 index 0000000..facfca1 --- /dev/null +++ b/sssd-1.9.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:123aa0bd6c2c7276f04f3c4dd7681f0d08cd0c186fd61288bb454c7e2840d4ad +size 1252232 diff --git a/sssd-ldflags.diff b/sssd-ldflags.diff new file mode 100644 index 0000000..da7a141 --- /dev/null +++ b/sssd-ldflags.diff 
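Review bot: The refreshed patch now inserts `#define _GNU_SOURCE 1 /* mempcpy */` after `#include "config.h"`, whereas the previous version placed it before any include; if config.h already defines `_GNU_SOURCE` (autoconf's AC_USE_SYSTEM_EXTENSIONS does, and I cannot see whether sssd's configure uses it) the line is redundant at best and a redefinition at worst, and if config.h ever pulls in a system header the feature macro arrives too late to take effect. Guarding it as `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE 1 /* mempcpy */` / `#endif`, or moving it back above the include, is correct either way. The `Index: sssd-1.9.2/...` headers also still name 1.9.2 while the package moves to 1.9.3; harmless with `-p1`, but worth refreshing when the patch is next touched.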
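Review bot: The baselibs.conf hunk changes the entry from `sssd` to `sssd-client`, yet the changelog entry added in this same request (Dec 10 in sssd.changes) describes sssd-client as a "no longer existing" subpackage; if the spec indeed defines no such package, this entry generates no -32bit package at all, and 32-bit processes on a mixed system lose the NSS/PAM client libraries that baselibs is meant to provide. Either keep `sssd` as the entry (together with the `/usr/lib(64)?/*` path line that is being removed) or make sure the client subpackage really exists. I cannot see the full spec, so this is inferred from the changelog text.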
@@ -0,0 +1,158 @@ +From: Jan Engelhardt +Date: 2012-11-10 01:36:37.022064770 +0100 + +build: fix link failure because of wrong use of LDFLAGS + + ld: src/sss_client/sss_ssh_authorizedkeys-common.o: undefined + reference to symbol 'pthread_mutexattr_setrobust@@GLIBC_2.12' + +For the i'th time, +http://stackoverflow.com/questions/4241683/linker-flags-in-wrong-place + +The patch fixes the location of library names, and also adds them +to two program which need them. + +--- + Makefile.am | 36 +++++++++++++++++++++--------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +Index: sssd-1.9.3/Makefile.am +=================================================================== +--- sssd-1.9.3.orig/Makefile.am ++++ sssd-1.9.3/Makefile.am +@@ -531,7 +531,8 @@ libipa_hbac_la_SOURCES = \ + src/providers/ipa/hbac_evaluator.c \ + src/util/sss_utf8.c + libipa_hbac_la_LDFLAGS = \ +- -version-info 0:1:0 \ ++ -version-info 0:1:0 ++libipa_hbac_la_LIBADD = \ + $(UNICODE_LIBS) + + dist_pkgconfig_DATA += src/lib/idmap/sss_idmap.pc +@@ -645,11 +646,11 @@ sssd_be_LDADD = \ + -ldl \ + $(SSSD_LIBS) \ + $(CARES_LIBS) \ ++ $(PAM_LIBS) \ + libsss_util.la + sssd_be_LDFLAGS = \ + -Wl,--version-script,$(srcdir)/src/providers/sssd_be.exports \ +- -export-dynamic \ +- $(PAM_LIBS) ++ -export-dynamic + + if BUILD_PYTHON_BINDINGS + sss_obfuscate_pythondir = $(sbindir) +@@ -750,7 +751,7 @@ sss_sudo_cli_SOURCES = \ + src/sss_client/sudo/sss_sudo_response.c \ + src/sss_client/sudo_testcli/sudo_testcli.c + sss_sudo_cli_CFLAGS = $(AM_CFLAGS) +-sss_sudo_cli_LDFLAGS = $(CLIENT_LIBS) ++sss_sudo_cli_LDADD = $(CLIENT_LIBS) + endif + + if BUILD_SSH +@@ -760,8 +761,8 @@ sss_ssh_authorizedkeys_SOURCES = \ + src/sss_client/ssh/sss_ssh_authorizedkeys.c + sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS) + sss_ssh_authorizedkeys_LDADD = \ ++ $(CLIENT_LIBS) \ + libsss_util.la +-sss_ssh_authorizedkeys_LDFLAGS = $(CLIENT_LIBS) + + sss_ssh_knownhostsproxy_SOURCES = \ + src/sss_client/common.c \ +@@ -769,8 +770,8 @@ 
sss_ssh_knownhostsproxy_SOURCES = \ + src/sss_client/ssh/sss_ssh_knownhostsproxy.c + sss_ssh_knownhostsproxy_CFLAGS = $(AM_CFLAGS) + sss_ssh_knownhostsproxy_LDADD = \ ++ $(CLIENT_LIBS) \ + libsss_util.la +-sss_ssh_knownhostsproxy_LDFLAGS = $(CLIENT_LIBS) + endif + + ################# +@@ -1127,14 +1128,14 @@ noinst_PROGRAMS += autofs_test_client + endif + + pam_test_client_SOURCES = src/sss_client/pam_test_client.c +-pam_test_client_LDFLAGS = -lpam -lpam_misc ++pam_test_client_LDADD = -lpam -lpam_misc + + if BUILD_AUTOFS + autofs_test_client_SOURCES = src/sss_client/autofs/autofs_test_client.c \ + src/sss_client/autofs/sss_autofs.c \ + src/sss_client/common.c + autofs_test_client_CFLAGS = $(AM_CFLAGS) +-autofs_test_client_LDFLAGS = -lpopt $(CLIENT_LIBS) ++autofs_test_client_LDADD = -lpopt $(CLIENT_LIBS) + endif + + #################### +@@ -1156,10 +1157,11 @@ libnss_sss_la_SOURCES = \ + src/sss_client/nss_mc_group.c \ + src/sss_client/nss_mc.h + libnss_sss_la_LDFLAGS = \ +- $(CLIENT_LIBS) \ + -module \ + -version-info 2:0:0 \ + -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports ++libnss_sss_la_LIBADD = \ ++ $(CLIENT_LIBS) + + pamlib_LTLIBRARIES = pam_sss.la + pam_sss_la_SOURCES = \ +@@ -1170,11 +1172,12 @@ pam_sss_la_SOURCES = \ + src/sss_client/sss_pam_macros.h + + pam_sss_la_LDFLAGS = \ +- $(CLIENT_LIBS) \ +- -lpam \ + -module \ + -avoid-version \ + -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports ++pam_sss_la_LIBADD = \ ++ $(CLIENT_LIBS) \ ++ -lpam + + if BUILD_SUDO + +@@ -1185,8 +1188,9 @@ libsss_sudo_la_SOURCES = \ + src/sss_client/sudo/sss_sudo.c \ + src/sss_client/sudo/sss_sudo.h \ + src/sss_client/sudo/sss_sudo_private.h ++libsss_sudo_la_LIBADD = \ ++ $(CLIENT_LIBS) + libsss_sudo_la_LDFLAGS = \ +- $(CLIENT_LIBS) \ + -Wl,--version-script,$(srcdir)/src/sss_client/sss_sudo.exports \ + -module \ + -avoid-version +@@ -1206,10 +1210,11 @@ libsss_autofs_la_SOURCES = \ + src/sss_client/autofs/sss_autofs_private.h + + 
libsss_autofs_la_LDFLAGS = \ +- $(CLIENT_LIBS) \ + -module \ + -avoid-version \ + -Wl,--version-script,$(srcdir)/src/sss_client/autofs/sss_autofs.exports ++libsss_autofs_la_LIBADD = \ ++ $(CLIENT_LIBS) + endif + + dist_noinst_DATA += \ +@@ -1528,10 +1533,11 @@ sssd_pac_plugin_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(KRB5_CFLAGS) + sssd_pac_plugin_la_LDFLAGS = \ +- $(CLIENT_LIBS) \ +- -lkrb5 \ + -avoid-version \ + -module ++sssd_pac_plugin_la_LIBADD = \ ++ $(CLIENT_LIBS) \ ++ -lkrb5 + + if BUILD_PYTHON_BINDINGS + pysss_la_SOURCES = \ diff --git a/sssd.changes b/sssd.changes index 0c9366d..184d8f6 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,53 @@ +------------------------------------------------------------------- +Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com + +- Removed left-over "Requires" for no longer existing sssd-client + subpackage. +- New patch: sssd-ldflags.diff to fix link failures due to erroneous + LDFLAGS usage + +------------------------------------------------------------------- +Thu Dec 6 10:38:59 UTC 2012 - rhafer@suse.com + +- Switch back to using libcrypto instead of mozilla-nss as it seems + to be supported upstream again, cf. + https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010202.html +- Cleanup PAM configuration after uninstalling sssd (bnc#788328) + +------------------------------------------------------------------- +Thu Dec 6 09:05:29 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.9.3 +* Many fixes related to deployments where the SSSD is running as + a client of IPA server with trust relation established with an + Active Directory server +* Multiple fixes related to correct reporting of group + memberships, especially in setups that use nested groups +* Fixed a bug that prevented upgrade from the 1.8 series if the + cache contained nested groups before the upgrade +* Restarting the responders is more robust for cases where the + machine is under heavy load during back end restart +* The default_shell option can now be also set per-domain in + addition to global setting. 
+ +------------------------------------------------------------------- +Sat Nov 10 00:27:06 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.9.2 +* Users or groups from trusted domains can be retrieved by UID or + GID as well +* Several fixes that mitigate file descriptor leak during logins +* SSH host keys are also removed from the cache after being + removed from the server +* Fix intermittent crash in responders if the responder was + shutting down while requests were still pending +* Catch an error condition that might have caused a tight loop in + the sssd_nss process while refreshing expired enumeration request +* Fixed memory hierarchy of subdomains discovery requests that + caused use-after-free access bugs +* The krb5_child and ldap_child processes can print libkrb5 tracing + information in the debug logs + ------------------------------------------------------------------- Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index 3585e30..41b19e8 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,25 +17,26 @@ Name: sssd -Version: 1.8.93 +Version: 1.9.3 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ Group: System/Daemons Url: https://fedorahosted.org/sssd/ +Requires(postun): pam-config #Git-Clone: git://git.fedorahosted.org/sssd Source: %name-%version.tar.xz Source3: baselibs.conf -Patch5: 0005-implicit-decl.diff +Patch1: 0005-implicit-decl.diff +Patch2: sssd-ldflags.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: xz %define servicename sssd -%define sssdstatedir %{_localstatedir}/lib/sss -%define dbpath %{sssdstatedir}/db -%define pipepath %{sssdstatedir}/pipes -%define pubconfpath %{sssdstatedir}/pubconf +%define sssdstatedir %_localstatedir/lib/sss +%define dbpath %sssdstatedir/db +%define pipepath %sssdstatedir/pipes +%define pubconfpath %sssdstatedir/pubconf # SLES11 doesn't know the python_* macros %if %suse_version <= 1110 
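Review bot: `+Requires(postun): pam-config` in the first spec hunk implies a `%postun` scriptlet that calls pam-config, but that scriptlet is not in any hunk visible here; it needs to be guarded with `if [ "$1" -eq 0 ]; then … fi` so pam_sss is only removed from the PAM stack on package erase, because an unguarded `%postun` also runs on every upgrade and would unconfigure sssd mid-update, locking out directory-backed users until it is re-run. The matching changelog line `Cleanup PAM configuration after uninstalling sssd (bnc#788328)` describes only the erase case, so the guard matches the stated intent. The `%define` rewrites from `%{x}` to `%x` in the same hunk are cosmetic.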
@@ -43,10 +44,12 @@ BuildRequires: xz %define python_sitearch %py_sitedir %endif -#BuildRequires: autoconf >= 2.59, automake, libtool +BuildRequires: autoconf >= 2.59 +BuildRequires: automake BuildRequires: bind-utils BuildRequires: docbook-xsl-stylesheets BuildRequires: krb5-devel +BuildRequires: libtool BuildRequires: pkgconfig >= 0.21 %if 0%{?suse_version} >= 1210 BuildRequires: pkgconfig(collection) >= 0.5.1 @@ -58,7 +61,7 @@ BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libnl-1) >= 1.1 BuildRequires: pkgconfig(libpcre) >= 7 -BuildRequires: pkgconfig(nss) +BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(popt) BuildRequires: pkgconfig(python) BuildRequires: pkgconfig(talloc) @@ -73,10 +76,10 @@ BuildRequires: libdhash-devel >= 0.4.2 BuildRequires: libini_config-devel >= 0.6.1 BuildRequires: libldb-devel >= 0.9.2 BuildRequires: libnl-devel >= 1.1 +BuildRequires: libopenssl-devel BuildRequires: libtalloc-devel BuildRequires: libtdb-devel >= 1.1.3 BuildRequires: libtevent-devel -BuildRequires: mozilla-nss-devel BuildRequires: pcre-devel >= 7 BuildRequires: popt-devel BuildRequires: python-devel @@ -96,6 +99,7 @@ BuildRequires: pkg-config BuildRequires: systemd %{?systemd_requires} %endif +BuildRequires: xz %description Provides a set of daemons to manage access to remote directories and @@ -108,7 +112,7 @@ services for projects like FreeIPA. Summary: FreeIPA provider plugin for sssd License: GPL-3.0+ and LGPL-3.0+ Group: System/Daemons -Requires: sssd = %{version} +Requires: sssd = %version %description ipa-provider This package provide the FreeIPA provider plugin for the System Security @@ -118,7 +122,7 @@ Services Daemon (sssd). Summary: Commandline tools for sssd License: GPL-3.0+ and LGPL-3.0+ Group: System/Management -Requires: sssd = %{version} +Requires: sssd = %version %description tools The packages contains commandline tools for managing users and groups using 
@@ -160,6 +164,18 @@ Requires: libsss_idmap0 = %version %description -n libsss_idmap-devel A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. +%package -n libsss_sudo +Summary: A library to allow communication between sudo and SSSD +License: LGPL-3.0+ +Group: System/Libraries +Provides: libsss_sudo-devel = %version-%release +Obsoletes: libsss_sudo-devel < %version-%release +# No provides: true obsolete. +Obsoletes: libsss_sudo1 + +%description -n libsss_sudo +A utility library to allow communication between sudo and SSSD. + %package -n python-ipa_hbac Summary: Python bindings for the FreeIPA HBAC Evaluator library License: GPL-3.0+ and LGPL-3.0+ @@ -174,7 +190,7 @@ can be used by Python applications. Summary: Python API for configuring sssd License: GPL-3.0+ and LGPL-3.0+ Group: Development/Libraries/Python -%{py_requires} +%py_requires %description -n python-sssd-config Provide python module to access and manage configuration of the System @@ -182,7 +198,7 @@ Security Services Daemon (sssd). %prep %setup -q -%patch -P 5 -p1 +%patch -P 1 -P 2 -p1 %build %if 0%{?suse_version} < 1210 @@ -197,13 +213,15 @@ export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" # help configure find nscd export PATH="$PATH:/usr/sbin" +autoreconf -fi; %configure \ - --with-db-path=%{dbpath} \ - --with-pipe-path=%{pipepath} \ - --with-pubconf-path=%{pubconfpath} \ - --with-init-dir=%{_initrddir} \ - --enable-nsslibdir=/%{_lib} \ - --enable-pammoddir=/%{_lib}/security \ + --with-crypto=libcrypto \ + --with-db-path="%dbpath" \ + --with-pipe-path="%pipepath" \ + --with-pubconf-path="%pubconfpath" \ + --with-init-dir="%_initrddir" \ + --enable-nsslibdir="/%_lib" \ + --enable-pammoddir="/%_lib/security" \ --with-ldb-lib-dir="$LDB_DIR" \ --with-selinux=no \ --with-os=suse \ 
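Review bot: `+Obsoletes: libsss_sudo1` in the new libsss_sudo package is unversioned, so it would also obsolete any future package that legitimately reuses that name; if the name is truly retired the `# No provides: true obsolete.` comment should say why, otherwise `Obsoletes: libsss_sudo1 < %version-%release` keeps the transition bounded like the paired `libsss_sudo-devel` lines already do. In the configure hunk, adding `--with-crypto=libcrypto` makes the back end explicit, which is the right thing given the earlier hunks move the BuildRequires from nss back to openssl.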
@@ -212,43 +230,30 @@ export PATH="$PATH:/usr/sbin" make %{?_smp_mflags} all %install -make install DESTDIR="%buildroot" +b="%buildroot"; +make install DESTDIR="$b" # Copy default sssd.conf file -install -d %{buildroot}%{_mandir}/cs -install -d %{buildroot}%{_mandir}/cs/man8 -install -d %{buildroot}%{_mandir}/nl -install -d %{buildroot}%{_mandir}/nl/man8 -install -d %{buildroot}%{_mandir}/pt -install -d %{buildroot}%{_mandir}/pt/man8 -install -d %{buildroot}%{_mandir}/uk -install -d %{buildroot}%{_mandir}/uk/man1 -install -d %{buildroot}%{_mandir}/uk/man5 -install -d %{buildroot}%{_mandir}/uk/man8 -install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sssd -install -m600 src/examples/sssd-example.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf -install src/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd +install -d "$b/%_mandir"/{cs,cs/man8,nl,nl/man8,pt,pt/man8,uk,uk/man1} \ + "$b/%_mandir"/{uk/man5,uk/man8}; +install -d "$b/%_sysconfdir/sssd"; +install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"; +install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd"; %if 0%{?_unitdir:1} -install -d $RPM_BUILD_ROOT/%{_unitdir} -install src/sysv/systemd/sssd.service $RPM_BUILD_ROOT/%{_unitdir}/sssd.service +install -d "$b/%_unitdir"; +install src/sysv/systemd/sssd.service "$b/%_unitdir/sssd.service"; %endif -ln -sf ../../etc/init.d/sssd $RPM_BUILD_ROOT/usr/sbin/rcsssd +ln -sf ../../etc/init.d/sssd $b/usr/sbin/rcsssd -# Remove .la files created by libtool -find "%buildroot" -type f -name "*.la" -delete; +find "$b" -type f -name "*.la" -delete; %if %suse_version <= 1110 # remove some unsupported languages, sssd does not contain # translations for these anyway -rm -rf \ - $RPM_BUILD_ROOT/usr/share/locale/fa_IR \ - $RPM_BUILD_ROOT/usr/share/locale/ja_JP \ - $RPM_BUILD_ROOT/usr/share/locale/lt_LT \ - $RPM_BUILD_ROOT/usr/share/locale/ta_IN \ - $RPM_BUILD_ROOT/usr/share/locale/vi_VN +rm -Rf "$b/usr/share/locale"/{fa_IR,ja_JP,lt_LT,ta_IN,vi_VN} %endif 
-%find_lang %{name} --all-name +%find_lang %name --all-name %if 0%{?_unitdir:1} %pre 
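Review bot: `ln -sf ../../etc/init.d/sssd $b/usr/sbin/rcsssd` is the one line in the rewritten %install section that leaves `$b` unquoted while every surrounding `install`, `find` and `rm` call quotes it; it should read `ln -sf ../../etc/init.d/sssd "$b/usr/sbin/rcsssd"`. The rewrite also drops the `# Remove .la files created by libtool` comment that explained the `find "$b" -type f -name "*.la" -delete;` line, and the surviving `# Copy default sssd.conf file` comment now sits above the man-page directory creation rather than the `install -m600 src/examples/sssd-example.conf` line it describes; restoring the first and moving the second keeps the section readable.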
@@ -274,91 +279,106 @@ rm -rf \ %if 0%{?_unitdir:1} %service_del_postun sssd.service %endif +if [ "$1" == "0" ]; then + "%_sbindir/pam-config" -d --sss || :; +fi; -%post -n libipa_hbac0 -p /sbin/ldconfig - +%post -n libipa_hbac0 -p /sbin/ldconfig %postun -n libipa_hbac0 -p /sbin/ldconfig +%post -n libsss_idmap0 -p /sbin/ldconfig +%postun -n libsss_idmap0 -p /sbin/ldconfig %files -f sssd.lang -%defattr(-,root,root,-) +%defattr(-,root,root) %doc COPYING -%{_initrddir}/%{name} +%_initrddir/%name %if 0%{?_unitdir:1} -%{_unitdir}/sssd.service +%_unitdir %endif -%{_sbindir}/sssd -%{_sbindir}/rcsssd -%dir %{_libdir}/%{name} -%dir %{_libexecdir}/%{name} -%dir %{_mandir}/cs -%dir %{_mandir}/cs/man8 -%dir %{_mandir}/nl -%dir %{_mandir}/nl/man8 -%dir %{_mandir}/pt -%dir %{_mandir}/pt/man8 -%dir %{_mandir}/uk -%dir %{_mandir}/uk/man1 -%dir %{_mandir}/uk/man5 -%dir %{_mandir}/uk/man8 -%{_mandir}/??/man?/* -%{_mandir}/man5/sssd-krb5.5* -%{_mandir}/man5/sssd-ldap.5* -%{_mandir}/man5/sssd-simple.5* -%{_mandir}/man8/sssd.8* -%{_mandir}/man5/sssd.conf.5.gz -%{_mandir}/man8/pam_sss.8.gz -%{_mandir}/man8/sssd_krb5_locator_plugin.8.gz -%{_libexecdir}/%{name}/sss* -%{_libexecdir}/%{name}/*_child -%{_libdir}/%{name}/libsss_krb5* -%{_libdir}/%{name}/libsss_ldap* -%{_libdir}/%{name}/libsss_proxy* -%{_libdir}/%{name}/libsss_simple* -%{_libdir}/ldb/memberof.so -%{_libdir}/krb5/plugins/libkrb5/* -%dir %{sssdstatedir} -%attr(700,root,root) %dir %{dbpath} -%attr(755,root,root) %dir %{pipepath} -%attr(700,root,root) %dir %{pipepath}/private -%attr(755,root,root) %dir %{pubconfpath} -%attr(750,root,root) %dir %{_var}/log/%{name} -%dir %{_sysconfdir}/sssd -%config(noreplace) %{_sysconfdir}/sssd/sssd.conf -/%{_lib}/libnss_sss.so.2 -/%{_lib}/security/pam_sss.so +%_bindir/sss_ssh_* +%_sbindir/sssd +%_sbindir/rcsssd +%dir %_libdir/%name +%dir %_libexecdir/%name +%dir %_mandir/cs +%dir %_mandir/cs/man8 +%dir %_mandir/nl +%dir %_mandir/nl/man8 +%dir %_mandir/pt +%dir %_mandir/pt/man8 +%dir %_mandir/uk 
+%dir %_mandir/uk/man1 +%dir %_mandir/uk/man5 +%dir %_mandir/uk/man8 +%_mandir/??/man?/* +%_mandir/man1/sss_ssh_* +%_mandir/man5/sssd-ad.5* +%_mandir/man5/sssd-krb5.5* +%_mandir/man5/sssd-ldap.5* +%_mandir/man5/sssd-simple.5* +%_mandir/man5/sssd-sudo.5* +%_mandir/man8/sssd.8* +%_mandir/man5/sssd.conf.5.gz +%_libexecdir/%name/sss* +%_libexecdir/%name/*_child +%_libdir/%name/libsss_ad.so +%_libdir/%name/libsss_krb5* +%_libdir/%name/libsss_ldap* +%_libdir/%name/libsss_proxy* +%_libdir/%name/libsss_simple* +%_libdir/%name/modules +%_libdir/ldb/memberof.so +%dir %sssdstatedir +%attr(700,root,root) %dir %dbpath +%attr(755,root,root) %dir %pipepath +%attr(700,root,root) %dir %pipepath/private +%attr(755,root,root) %dir %pubconfpath +%attr(750,root,root) %dir %_localstatedir/log/%name +%dir %_sysconfdir/sssd +%config(noreplace) %_sysconfdir/sssd/sssd.conf %_datadir/sssd %exclude %_datadir/sssd/sssd.api.d/sssd-ipa.conf +# +# client side +# +/%_lib/libnss_sss.so.2 +/%_lib/security/pam_sss.so +%_libdir/krb5/plugins/libkrb5/* +%_mandir/man8/pam_sss.8.gz +%_mandir/man8/sssd_krb5_locator_plugin.8.gz %files tools -%defattr(-,root,root,-) -%{_sbindir}/sss_cache -%{_sbindir}/sss_debuglevel -%{_sbindir}/sss_useradd -%{_sbindir}/sss_userdel -%{_sbindir}/sss_usermod -%{_sbindir}/sss_groupadd -%{_sbindir}/sss_groupdel -%{_sbindir}/sss_groupmod -%{_sbindir}/sss_groupshow -%{_mandir}/man8/sss_groupadd.8* -%{_mandir}/man8/sss_groupdel.8* -%{_mandir}/man8/sss_groupmod.8* -%{_mandir}/man8/sss_groupshow.8* -%{_mandir}/man8/sss_useradd.8* -%{_mandir}/man8/sss_userdel.8* -%{_mandir}/man8/sss_usermod.8* -%{_mandir}/man8/sss_obfuscate.8* -%{_mandir}/man8/sss_cache.8* -%{_mandir}/man8/sss_debuglevel.8* -%attr(0755,root,root) %{_sbindir}/sss_obfuscate +%defattr(-,root,root) +%_sbindir/sss_cache +%_sbindir/sss_debuglevel +%_sbindir/sss_groupadd +%_sbindir/sss_groupdel +%_sbindir/sss_groupmod +%_sbindir/sss_groupshow +%_sbindir/sss_seed +%_sbindir/sss_useradd +%_sbindir/sss_userdel 
+%_sbindir/sss_usermod +%_mandir/man8/sss_groupadd.8* +%_mandir/man8/sss_groupdel.8* +%_mandir/man8/sss_groupmod.8* +%_mandir/man8/sss_groupshow.8* +%_mandir/man8/sss_seed.8* +%_mandir/man8/sss_useradd.8* +%_mandir/man8/sss_userdel.8* +%_mandir/man8/sss_usermod.8* +%_mandir/man8/sss_obfuscate.8* +%_mandir/man8/sss_cache.8* +%_mandir/man8/sss_debuglevel.8* +%attr(0755,root,root) %_sbindir/sss_obfuscate %files ipa-provider -%defattr(-,root,root,-) +%defattr(-,root,root) %dir %_datadir/sssd %dir %_datadir/sssd/sssd.api.d %_datadir/sssd/sssd.api.d/sssd-ipa.conf -%{_libdir}/sssd/libsss_ipa* -%{_mandir}/man5/sssd-ipa.* +%_libdir/sssd/libsss_ipa* +%_mandir/man5/sssd-ipa.* %files -n libipa_hbac0 %defattr(-,root,root) @@ -380,6 +400,11 @@ rm -rf \ %_libdir/libsss_idmap.so %_libdir/pkgconfig/sss_idmap.pc +%files -n libsss_sudo +%defattr(-,root,root) +%_includedir/sss_sudo.h +%_libdir/libsss_sudo.so + %files -n python-ipa_hbac %defattr(-,root,root) %python_sitearch/pyhbac.so @@ -387,6 +412,7 @@ rm -rf \ %files -n python-sssd-config %defattr(-,root,root) %python_sitearch/pysss.so +%python_sitearch/pysss_murmur.so %python_sitelib/SSSDConfig* %changelog From 4b29847f3a84112195e731b06d2da3770036664df26e849d4bd861712c9a1229 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Fri, 8 Feb 2013 06:18:02 +0000 Subject: [PATCH 35/63] Accepting request 151849 from network:ldap update to 1.9.4 (bnc#801036) OBS-URL: https://build.opensuse.org/request/show/151849 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=41 --- sssd-1.9.3.tar.xz | 3 --- sssd-1.9.4.tar.xz | 3 +++ sssd-ldflags.diff | 28 ++++++++++++++-------------- sssd.changes | 24 ++++++++++++++++++++++++ sssd.spec | 4 ++-- 5 files changed, 43 insertions(+), 19 deletions(-) delete mode 100644 sssd-1.9.3.tar.xz create mode 100644 sssd-1.9.4.tar.xz diff --git a/sssd-1.9.3.tar.xz b/sssd-1.9.3.tar.xz deleted file mode 100644 index facfca1..0000000 --- a/sssd-1.9.3.tar.xz +++ /dev/null 
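Review bot: `%_unitdir` in the main package's `%files` list replaces the previous `%{_unitdir}/sssd.service` and so claims the whole systemd unit directory, and anything installed beneath it, instead of the single unit file that %install copies there; it should stay `%_unitdir/sssd.service`. In the `%postun` scriptlet, `if [ "$1" == "0" ]; then` relies on the bash-only `==` inside `[ ]`; `if [ "$1" = "0" ]; then` is the portable spelling with the same meaning.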
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:123aa0bd6c2c7276f04f3c4dd7681f0d08cd0c186fd61288bb454c7e2840d4ad -size 1252232 diff --git a/sssd-1.9.4.tar.xz b/sssd-1.9.4.tar.xz new file mode 100644 index 0000000..68b367c --- /dev/null +++ b/sssd-1.9.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:269fdac3b77a03f7f3eaffde50461086bd79515f7c94376930d36f6c72d89375 +size 1337380 diff --git a/sssd-ldflags.diff b/sssd-ldflags.diff index da7a141..4ac562c 100644 --- a/sssd-ldflags.diff +++ b/sssd-ldflags.diff @@ -16,11 +16,11 @@ to two program which need them. Makefile.am | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) -Index: sssd-1.9.3/Makefile.am +Index: sssd-1.9.4/Makefile.am =================================================================== ---- sssd-1.9.3.orig/Makefile.am -+++ sssd-1.9.3/Makefile.am -@@ -531,7 +531,8 @@ libipa_hbac_la_SOURCES = \ +--- sssd-1.9.4.orig/Makefile.am ++++ sssd-1.9.4/Makefile.am +@@ -537,7 +537,8 @@ libipa_hbac_la_SOURCES = \ src/providers/ipa/hbac_evaluator.c \ src/util/sss_utf8.c libipa_hbac_la_LDFLAGS = \ @@ -30,7 +30,7 @@ Index: sssd-1.9.3/Makefile.am $(UNICODE_LIBS) dist_pkgconfig_DATA += src/lib/idmap/sss_idmap.pc -@@ -645,11 +646,11 @@ sssd_be_LDADD = \ +@@ -651,11 +652,11 @@ sssd_be_LDADD = \ -ldl \ $(SSSD_LIBS) \ $(CARES_LIBS) \ @@ -44,7 +44,7 @@ Index: sssd-1.9.3/Makefile.am if BUILD_PYTHON_BINDINGS sss_obfuscate_pythondir = $(sbindir) -@@ -750,7 +751,7 @@ sss_sudo_cli_SOURCES = \ +@@ -771,7 +772,7 @@ sss_sudo_cli_SOURCES = \ src/sss_client/sudo/sss_sudo_response.c \ src/sss_client/sudo_testcli/sudo_testcli.c sss_sudo_cli_CFLAGS = $(AM_CFLAGS) 
@@ -53,7 +53,7 @@ Index: sssd-1.9.3/Makefile.am endif if BUILD_SSH -@@ -760,8 +761,8 @@ sss_ssh_authorizedkeys_SOURCES = \ +@@ -781,8 +782,8 @@ sss_ssh_authorizedkeys_SOURCES = \ src/sss_client/ssh/sss_ssh_authorizedkeys.c sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS) sss_ssh_authorizedkeys_LDADD = \ @@ -63,7 +63,7 @@ Index: sssd-1.9.3/Makefile.am sss_ssh_knownhostsproxy_SOURCES = \ src/sss_client/common.c \ -@@ -769,8 +770,8 @@ sss_ssh_knownhostsproxy_SOURCES = \ +@@ -790,8 +791,8 @@ sss_ssh_knownhostsproxy_SOURCES = \ src/sss_client/ssh/sss_ssh_knownhostsproxy.c sss_ssh_knownhostsproxy_CFLAGS = $(AM_CFLAGS) sss_ssh_knownhostsproxy_LDADD = \ @@ -73,7 +73,7 @@ Index: sssd-1.9.3/Makefile.am endif ################# -@@ -1127,14 +1128,14 @@ noinst_PROGRAMS += autofs_test_client +@@ -1149,14 +1150,14 @@ noinst_PROGRAMS += autofs_test_client endif pam_test_client_SOURCES = src/sss_client/pam_test_client.c @@ -90,7 +90,7 @@ Index: sssd-1.9.3/Makefile.am endif #################### -@@ -1156,10 +1157,11 @@ libnss_sss_la_SOURCES = \ +@@ -1178,10 +1179,11 @@ libnss_sss_la_SOURCES = \ src/sss_client/nss_mc_group.c \ src/sss_client/nss_mc.h libnss_sss_la_LDFLAGS = \ @@ -103,7 +103,7 @@ Index: sssd-1.9.3/Makefile.am pamlib_LTLIBRARIES = pam_sss.la pam_sss_la_SOURCES = \ -@@ -1170,11 +1172,12 @@ pam_sss_la_SOURCES = \ +@@ -1192,11 +1194,12 @@ pam_sss_la_SOURCES = \ src/sss_client/sss_pam_macros.h pam_sss_la_LDFLAGS = \ @@ -118,7 +118,7 @@ Index: sssd-1.9.3/Makefile.am if BUILD_SUDO -@@ -1185,8 +1188,9 @@ libsss_sudo_la_SOURCES = \ +@@ -1207,8 +1210,9 @@ libsss_sudo_la_SOURCES = \ src/sss_client/sudo/sss_sudo.c \ src/sss_client/sudo/sss_sudo.h \ src/sss_client/sudo/sss_sudo_private.h 
@@ -129,7 +129,7 @@ Index: sssd-1.9.3/Makefile.am -Wl,--version-script,$(srcdir)/src/sss_client/sss_sudo.exports \ -module \ -avoid-version -@@ -1206,10 +1210,11 @@ libsss_autofs_la_SOURCES = \ +@@ -1228,10 +1232,11 @@ libsss_autofs_la_SOURCES = \ src/sss_client/autofs/sss_autofs_private.h libsss_autofs_la_LDFLAGS = \ @@ -142,7 +142,7 @@ Index: sssd-1.9.3/Makefile.am endif dist_noinst_DATA += \ -@@ -1528,10 +1533,11 @@ sssd_pac_plugin_la_CFLAGS = \ +@@ -1550,10 +1555,11 @@ sssd_pac_plugin_la_CFLAGS = \ $(AM_CFLAGS) \ $(KRB5_CFLAGS) sssd_pac_plugin_la_LDFLAGS = \ diff --git a/sssd.changes b/sssd.changes index 184d8f6..38e8f0c 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com + +- update to 1.9.4 (bnc#801036): + * A security bug assigned CVE-2013-0219 was fixed - TOCTOU race + conditions when creating or removing home directories for users + in local domain + * A security bug assigned CVE-2013-0220 was fixed - out-of-bounds + reads in autofs and ssh responder + * The sssd_pam responder processes pending requests after + reconnect + * A serious memory leak in the NSS responder was fixed + * Requests that were processing group entries with DNs pointing + out of any configured search bases were not terminated + correctly, causing long timeouts + * Kerberos tickets are correctly renewed even after SSSD daemon + restart + * Multiple fixes related to SUDO integration, in particular + fixing functionality when the sssd back end process was + changing its online/offline status + * The pwd_exp_warning option was fixed to function as documented + in the manual page +- refreshed sssd-ldflags.diff to apply cleanly + ------------------------------------------------------------------- Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com diff --git a/sssd.spec b/sssd.spec index 41b19e8..32f4533 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -1,7 +1,7 @@ # # spec file for package sssd # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: sssd -Version: 1.9.3 +Version: 1.9.4 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ From 5a9b95048f5020ab4427e77b4f559581d0e2c654c9e6749513833af607ccf7d4 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Fri, 8 Feb 2013 13:45:16 +0000 Subject: [PATCH 36/63] Accepting request 154891 from network:ldap bnc#796423 OBS-URL: https://build.opensuse.org/request/show/154891 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=42 --- baselibs.conf | 2 +- sssd.changes | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/baselibs.conf b/baselibs.conf index 5149f91..22e0a35 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,4 +1,4 @@ -sssd-client +sssd supplements "packageand(sssd:pam-)" supplements "packageand(sssd:glibc-)" -/usr/lib(64)?/* diff --git a/sssd.changes b/sssd.changes index 38e8f0c..fe7c513 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Feb 8 10:31:52 UTC 2013 - rhafer@suse.com + +- fix package name in baselibs.conf (bnc#796423) + ------------------------------------------------------------------- Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com From 0d7e32d3cc277deb7b49f23d7b72a050614db29120ad625d43e777ddc37df322 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Tue, 5 Mar 2013 05:50:14 +0000 Subject: [PATCH 37/63] Accepting request 157216 from network:ldap Factory only - Resolve user retrieval problems when encountering binary data in LDAP attributes (bnc#806078), OBS-URL: https://build.opensuse.org/request/show/157216 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=43 --- sssd-no-ldb-check.diff | 28 ++++++++++ sssd-sysdb-binary-attrs.diff | 102 +++++++++++++++++++++++++++++++++++ sssd.changes | 9 ++++ sssd.spec | 4 +- 4 files changed, 142 insertions(+), 1 deletion(-) create mode 100644 sssd-no-ldb-check.diff create mode 100644 sssd-sysdb-binary-attrs.diff diff --git a/sssd-no-ldb-check.diff b/sssd-no-ldb-check.diff new file mode 100644 index 0000000..e216a19 --- /dev/null +++ b/sssd-no-ldb-check.diff @@ -0,0 +1,28 @@ +From: Jan Engelhardt +Date: 2013-02-21 09:09:59.418801298 +0100 +Upstream: no + +Whenever ldb has a version number update, memberof.so aborts sssd +loading. Arguably, LDB has not made any ABI stability promises +says +http://lists.fedorahosted.org/pipermail/sssd-devel/2013-February/013686.html +but they are at least trying to, by keeping some versioned symbols. +So, let's try this here for openSUSE. + +--- + src/ldb_modules/memberof.c | 3 --- + 1 file changed, 3 deletions(-) + +Index: sssd-1.9.4/src/ldb_modules/memberof.c +=================================================================== +--- sssd-1.9.4.orig/src/ldb_modules/memberof.c ++++ sssd-1.9.4/src/ldb_modules/memberof.c +@@ -4570,8 +4570,5 @@ const struct ldb_module_ops ldb_memberof + + int ldb_init_module(const char *version) + { +-#ifdef LDB_MODULE_CHECK_VERSION +- LDB_MODULE_CHECK_VERSION(version); +-#endif + return ldb_register_module(&ldb_memberof_module_ops); + } diff --git a/sssd-sysdb-binary-attrs.diff b/sssd-sysdb-binary-attrs.diff new file mode 100644 index 0000000..6075737 --- /dev/null +++ b/sssd-sysdb-binary-attrs.diff 
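Review bot: the three lines removed from `ldb_init_module` in sssd-no-ldb-check.diff are the only place `memberof.so` refuses to load against a libldb it was not built for, so after this patch a real ABI change in libldb no longer fails at startup but surfaces as whatever the mismatched module does once registered inside the sssd process. The patch header already accepts that ldb makes no ABI promises, so the trade-off deserves a comment at the removal site, e.g. `/* openSUSE: LDB_MODULE_CHECK_VERSION dropped (sssd-no-ldb-check.diff); rebuild sssd on libldb ABI changes */`, and ideally a versioned runtime dependency on libldb in sssd.spec so the package manager rather than the daemon enforces the pairing. The spec hunks on this page show only a build-time `pkgconfig(ldb)` bound; whether a runtime one exists elsewhere in the spec is not visible here.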
@@ -0,0 +1,102 @@ +From 3229c2107e4645240cfc4aa5d262e5330c356a49 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Thu, 21 Feb 2013 13:12:25 +0100 +Subject: [PATCH] sysdb: try dealing with binary-content attributes + +I have here a LDAP user entry which has this attribute + + loginAllowedTimeMap:: + AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA + +In the function sysdb_attrs_add_string(), called from +sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is +the wrong thing to do. The result of strlen is then used to populate +the .v_length member of a struct ldb_val - and this will set it to +zero in this case. (There is also the problem that there may not be +a '\0' at all in the blob.) + +Subsequently, .v_length being 0 makes ldb_modify(), called from +sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End +result is that users do not get stored in the sysdb, and programs like +`id` or `getent ...` show incomplete information. + +The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave +fine, but that may not mean that is the absolute lower boundary of +introduction of the problem. 
+--- + src/db/sysdb.c | 10 ++++++++++ + src/db/sysdb.h | 2 ++ + src/providers/ldap/sdap.c | 7 +++---- + src/providers/ldap/sdap_async.c | 4 ++-- + 4 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/src/db/sysdb.c b/src/db/sysdb.c +index e7524f4..7c34791 100644 +--- a/src/db/sysdb.c ++++ b/src/db/sysdb.c +@@ -512,6 +512,16 @@ int sysdb_attrs_add_string(struct sysdb_attrs *attrs, + return sysdb_attrs_add_val(attrs, name, &v); + } + ++int sysdb_attrs_add_mem(struct sysdb_attrs *attrs, const char *name, ++ const void *mem, size_t size) ++{ ++ struct ldb_val v; ++ ++ v.data = discard_const(mem); ++ v.length = size; ++ return sysdb_attrs_add_val(attrs, name, &v); ++} ++ + int sysdb_attrs_add_bool(struct sysdb_attrs *attrs, + const char *name, bool value) + { +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index fff97a8..23cbbb0 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -250,6 +250,8 @@ int sysdb_attrs_add_val(struct sysdb_attrs *attrs, + const char *name, const struct ldb_val *val); + int sysdb_attrs_add_string(struct sysdb_attrs *attrs, + const char *name, const char *str); ++int sysdb_attrs_add_mem(struct sysdb_attrs *, const char *, ++ const void *, size_t); + int sysdb_attrs_add_bool(struct sysdb_attrs *attrs, + const char *name, bool value); + int sysdb_attrs_add_long(struct sysdb_attrs *attrs, +diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c +index 371121b..988f27d 100644 +--- a/src/providers/ldap/sdap.c ++++ b/src/providers/ldap/sdap.c +@@ -474,10 +474,9 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx, + for (i=0; dval->vals[i].bv_val; i++) { + DEBUG(9, ("Dereferenced attribute value: %s\n", + dval->vals[i].bv_val)); +- v.data = (uint8_t *) dval->vals[i].bv_val; +- v.length = dval->vals[i].bv_len; +- +- ret = sysdb_attrs_add_val(res[mi]->attrs, name, &v); ++ ret = sysdb_attrs_add_mem(res[mi]->attrs, name, ++ dval->vals[i].bv_val, ++ dval->vals[i].bv_len); + if (ret) goto done; + } + } +diff --git 
a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c +index 84497b7..b7d9839 100644 +--- a/src/providers/ldap/sdap_async.c ++++ b/src/providers/ldap/sdap_async.c +@@ -2226,8 +2226,8 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs, + DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding %s [%s] to attributes " + "of [%s].\n", desc, el->values[i].data, objname)); + +- ret = sysdb_attrs_add_string(attrs, attr_name, +- (const char *) el->values[i].data); ++ ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data, ++ el->values[i].length); + if (ret) { + return ret; + } +-- +1.7.10.4 + diff --git a/sssd.changes b/sssd.changes index fe7c513..9b75a64 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de + +- Resolve user retrieval problems when encountering binary data + in LDAP attributes (bnc#806078), + added sssd-sysdb-binary-attrs.diff +- Added sssd-no-ldb-check.diff so that SSSD continues to start + even after an LDB update. + ------------------------------------------------------------------- Fri Feb 8 10:31:52 UTC 2013 - rhafer@suse.com diff --git a/sssd.spec b/sssd.spec index 32f4533..e6ae108 100644 --- a/sssd.spec +++ b/sssd.spec @@ -30,6 +30,8 @@ Source: %name-%version.tar.xz Source3: baselibs.conf Patch1: 0005-implicit-decl.diff Patch2: sssd-ldflags.diff +Patch3: sssd-no-ldb-check.diff +Patch4: sssd-sysdb-binary-attrs.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -198,7 +200,7 @@ Security Services Daemon (sssd). %prep %setup -q -%patch -P 1 -P 2 -p1 +%patch -P 1 -P 2 -P 3 -P 4 -p1 %build %if 0%{?suse_version} < 1210 From 9ba0639961c0ab2eb1f88b348564ebdd43de210c0f6354ad85bd8427c7098d77 Mon Sep 17 00:00:00 2001 
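Review bot: in the sdap_async.c hunk of sssd-sysdb-binary-attrs.diff the context line `DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding %s [%s] to attributes " "of [%s].\n", desc, el->values[i].data, objname));` still formats `el->values[i].data` with `%s`, so the very blob the commit message says need not be NUL-terminated is still read unbounded whenever that trace level is enabled; the same applies to `DEBUG(9, ("Dereferenced attribute value: %s\n", dval->vals[i].bv_val));` in the sdap.c hunk. Since the length is now at hand, bounding the print, e.g. passing `(int)el->values[i].length, el->values[i].data` to a `%.*s` conversion, closes that gap (assuming DEBUG hands its argument list to a printf-style function, as the format string suggests). The new prototype in sysdb.h, `int sysdb_attrs_add_mem(struct sysdb_attrs *, const char *, const void *, size_t);`, drops the parameter names every neighbouring declaration keeps; `int sysdb_attrs_add_mem(struct sysdb_attrs *attrs, const char *name, const void *mem, size_t size);` matches the file's style.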
From: Stephan Kulow Date: Thu, 21 Mar 2013 09:40:29 +0000 Subject: [PATCH 38/63] Accepting request 160208 from network:ldap CVE-2013-0287 (bnc#809153) (forwarded request 160207 from rhafer) OBS-URL: https://build.opensuse.org/request/show/160208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=44 --- ...sts-for-simple-access-test-by-groups.patch | 414 +++++ ...ain-in-DP-if-UNIT_TESTING-is-defined.patch | 41 + ...-a-be_get_account_info_send-function.patch | 237 +++ ...e-GIDs-in-the-simple-access-provider.patch | 1624 +++++++++++++++++ sssd.changes | 15 + sssd.spec | 8 +- 6 files changed, 2338 insertions(+), 1 deletion(-) create mode 100644 Add-unit-tests-for-simple-access-test-by-groups.patch create mode 100644 Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch create mode 100644 Provide-a-be_get_account_info_send-function.patch create mode 100644 Resolve-GIDs-in-the-simple-access-provider.patch diff --git a/Add-unit-tests-for-simple-access-test-by-groups.patch b/Add-unit-tests-for-simple-access-test-by-groups.patch new file mode 100644 index 0000000..dcf284f --- /dev/null +++ b/Add-unit-tests-for-simple-access-test-by-groups.patch 
@@ -0,0 +1,414 @@ +From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Sun, 3 Mar 2013 21:43:44 +0100 +Subject: Add unit tests for simple access test by groups + +I realized that the current unit tests for the simple access provider +only tested the user directives. To have a baseline and be able to +detect new bugs in the upcoming patch, I implemented unit tests for the +group lists, too. +(cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b) +--- + src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++----- + 1 file changed, 253 insertions(+), 32 deletions(-) + +diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c +index c61814e..577c6d3 100644 +--- a/src/tests/simple_access-tests.c ++++ b/src/tests/simple_access-tests.c +@@ -30,39 +30,152 @@ + #include "providers/simple/simple_access.h" + #include "tests/common.h" + ++#define TESTS_PATH "tests_simple_access" ++#define TEST_CONF_FILE "tests_conf.ldb" ++ + const char *ulist_1[] = {"u1", "u2", NULL}; ++const char *glist_1[] = {"g1", "g2", NULL}; ++ ++struct simple_test_ctx *test_ctx = NULL; ++ ++struct simple_test_ctx { ++ struct sysdb_ctx *sysdb; ++ struct confdb_ctx *confdb; + +-struct simple_ctx *ctx = NULL; ++ struct simple_ctx *ctx; ++}; + + void setup_simple(void) + { +- fail_unless(ctx == NULL, "Simple context already initialized."); +- ctx = talloc_zero(NULL, struct simple_ctx); +- fail_unless(ctx != NULL, "Cannot create simple context."); +- +- ctx->domain = talloc_zero(ctx, struct sss_domain_info); +- fail_unless(ctx != NULL, "Cannot create domain in simple context."); +- ctx->domain->case_sensitive = true; ++ errno_t ret; ++ char *conf_db; ++ const char *val[2]; ++ val[1] = NULL; ++ ++ /* Create tests directory if it doesn't exist */ ++ /* (relative to current dir) */ ++ ret = mkdir(TESTS_PATH, 0775); ++ fail_if(ret == -1 && errno != EEXIST, ++ "Could not create %s directory", TESTS_PATH); ++ ++ 
fail_unless(test_ctx == NULL, "Simple context already initialized."); ++ test_ctx = talloc_zero(NULL, struct simple_test_ctx); ++ fail_unless(test_ctx != NULL, "Cannot create simple test context."); ++ ++ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx); ++ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context."); ++ ++ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); ++ fail_if(conf_db == NULL, "Out of memory, aborting!"); ++ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db)); ++ ++ /* Connect to the conf db */ ++ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db); ++ fail_if(ret != EOK, "Could not initialize connection to the confdb"); ++ ++ val[0] = "LOCAL"; ++ ret = confdb_add_param(test_ctx->confdb, true, ++ "config/sssd", "domains", val); ++ fail_if(ret != EOK, "Could not initialize domains placeholder"); ++ ++ val[0] = "local"; ++ ret = confdb_add_param(test_ctx->confdb, true, ++ "config/domain/LOCAL", "id_provider", val); ++ fail_if(ret != EOK, "Could not initialize provider"); ++ ++ val[0] = "TRUE"; ++ ret = confdb_add_param(test_ctx->confdb, true, ++ "config/domain/LOCAL", "enumerate", val); ++ fail_if(ret != EOK, "Could not initialize LOCAL domain"); ++ ++ val[0] = "TRUE"; ++ ret = confdb_add_param(test_ctx->confdb, true, ++ "config/domain/LOCAL", "cache_credentials", val); ++ fail_if(ret != EOK, "Could not initialize LOCAL domain"); ++ ++ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local", ++ TESTS_PATH, ++ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb); ++ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret); ++ test_ctx->ctx->domain->case_sensitive = true; + } + + void teardown_simple(void) + { + int ret; +- fail_unless(ctx != NULL, "Simple context already freed."); +- ret = talloc_free(ctx); +- ctx = NULL; ++ fail_unless(test_ctx != NULL, "Simple context already freed."); ++ ret = talloc_free(test_ctx); ++ test_ctx = NULL; + fail_unless(ret == 0, "Connot 
free simple context."); + } + ++void setup_simple_group(void) ++{ ++ errno_t ret; ++ ++ setup_simple(); ++ ++ /* Add test users u1 and u2 that would be members of test groups ++ * g1 and g2 respectively */ ++ ret = sysdb_store_user(test_ctx->ctx->sysdb, ++ "u1", NULL, 123, 0, "u1", "/home/u1", ++ "/bin/bash", NULL, NULL, NULL, -1, 0); ++ fail_if(ret != EOK, "Could not add u1"); ++ ++ ret = sysdb_store_user(test_ctx->ctx->sysdb, ++ "u2", NULL, 456, 0, "u1", "/home/u1", ++ "/bin/bash", NULL, NULL, NULL, -1, 0); ++ fail_if(ret != EOK, "Could not add u2"); ++ ++ ret = sysdb_store_user(test_ctx->ctx->sysdb, ++ "u3", NULL, 789, 0, "u1", "/home/u1", ++ "/bin/bash", NULL, NULL, NULL, -1, 0); ++ fail_if(ret != EOK, "Could not add u3"); ++ ++ ret = sysdb_add_group(test_ctx->ctx->sysdb, ++ "g1", 321, NULL, 0, 0); ++ fail_if(ret != EOK, "Could not add g1"); ++ ++ ret = sysdb_add_group(test_ctx->ctx->sysdb, ++ "g2", 654, NULL, 0, 0); ++ fail_if(ret != EOK, "Could not add g2"); ++ ++ ret = sysdb_add_group_member(test_ctx->ctx->sysdb, ++ "g1", "u1", SYSDB_MEMBER_USER); ++ fail_if(ret != EOK, "Could not add u1 to g1"); ++ ++ ret = sysdb_add_group_member(test_ctx->ctx->sysdb, ++ "g2", "u2", SYSDB_MEMBER_USER); ++ fail_if(ret != EOK, "Could not add u2 to g2"); ++} ++ ++void teardown_simple_group(void) ++{ ++ errno_t ret; ++ ++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0); ++ fail_if(ret != EOK, "Could not delete u1"); ++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0); ++ fail_if(ret != EOK, "Could not delete u2"); ++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0); ++ fail_if(ret != EOK, "Could not delete u3"); ++ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0); ++ fail_if(ret != EOK, "Could not delete g1"); ++ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0); ++ fail_if(ret != EOK, "Could not delete g2"); ++ ++ teardown_simple(); ++} ++ + START_TEST(test_both_empty) + { + int ret; + bool access_granted = false; + +- ctx->allow_users = NULL; 
+- ctx->deny_users = NULL; ++ test_ctx->ctx->allow_users = NULL; ++ test_ctx->ctx->deny_users = NULL; + +- ret = simple_access_check(ctx, "u1", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "while both lists are empty."); +@@ -74,15 +187,15 @@ START_TEST(test_allow_empty) + int ret; + bool access_granted = true; + +- ctx->allow_users = NULL; +- ctx->deny_users = discard_const(ulist_1); ++ test_ctx->ctx->allow_users = NULL; ++ test_ctx->ctx->deny_users = discard_const(ulist_1); + +- ret = simple_access_check(ctx, "u1", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while user is in deny list."); + +- ret = simple_access_check(ctx, "u3", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "while user is not in deny list."); +@@ -94,15 +207,15 @@ START_TEST(test_deny_empty) + int ret; + bool access_granted = false; + +- ctx->allow_users = discard_const(ulist_1); +- ctx->deny_users = NULL; ++ test_ctx->ctx->allow_users = discard_const(ulist_1); ++ test_ctx->ctx->deny_users = NULL; + +- ret = simple_access_check(ctx, "u1", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "while user is in allow list."); + +- ret = simple_access_check(ctx, "u3", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while user is not in 
allow list."); +@@ -114,15 +227,15 @@ START_TEST(test_both_set) + int ret; + bool access_granted = false; + +- ctx->allow_users = discard_const(ulist_1); +- ctx->deny_users = discard_const(ulist_1); ++ test_ctx->ctx->allow_users = discard_const(ulist_1); ++ test_ctx->ctx->deny_users = discard_const(ulist_1); + +- ret = simple_access_check(ctx, "u1", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while user is in deny list."); + +- ret = simple_access_check(ctx, "u3", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while user is not in allow list."); +@@ -134,18 +247,18 @@ START_TEST(test_case) + int ret; + bool access_granted = false; + +- ctx->allow_users = discard_const(ulist_1); +- ctx->deny_users = NULL; ++ test_ctx->ctx->allow_users = discard_const(ulist_1); ++ test_ctx->ctx->deny_users = NULL; + +- ret = simple_access_check(ctx, "U1", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "for user with different case " + "in case-sensitive domain"); + +- ctx->domain->case_sensitive = false; ++ test_ctx->ctx->domain->case_sensitive = false; + +- ret = simple_access_check(ctx, "U1", &access_granted); ++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "for user with different case " +@@ -153,11 +266,95 @@ START_TEST(test_case) + } + END_TEST + ++START_TEST(test_group_allow_empty) ++{ ++ int ret; ++ bool access_granted = true; ++ ++ test_ctx->ctx->allow_groups = NULL; ++ 
test_ctx->ctx->deny_groups = discard_const(glist_1); ++ ++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); ++ fail_unless(ret == EOK, "access_simple_check failed."); ++ fail_unless(access_granted == false, "Access granted " ++ "while group is in deny list."); ++ ++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); ++ fail_unless(ret == EOK, "access_simple_check failed."); ++ fail_unless(access_granted == true, "Access denied " ++ "while group is not in deny list."); ++} ++END_TEST ++ ++START_TEST(test_group_deny_empty) ++{ ++ int ret; ++ bool access_granted = false; ++ ++ test_ctx->ctx->allow_groups = discard_const(glist_1); ++ test_ctx->ctx->deny_groups = NULL; ++ ++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); ++ fail_unless(ret == EOK, "access_simple_check failed."); ++ fail_unless(access_granted == true, "Access denied " ++ "while group is in allow list."); ++ ++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); ++ fail_unless(ret == EOK, "access_simple_check failed."); ++ fail_unless(access_granted == false, "Access granted " ++ "while group is not in allow list."); ++} ++END_TEST ++ ++START_TEST(test_group_both_set) ++{ ++ int ret; ++ bool access_granted = false; ++ ++ test_ctx->ctx->allow_groups = discard_const(ulist_1); ++ test_ctx->ctx->deny_groups = discard_const(ulist_1); ++ ++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); ++ fail_unless(ret == EOK, "access_simple_check failed."); ++ fail_unless(access_granted == false, "Access granted " ++ "while group is in deny list."); ++ ++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); ++ fail_unless(ret == EOK, "access_simple_check failed."); ++ fail_unless(access_granted == false, "Access granted " ++ "while group is not in allow list."); ++} ++END_TEST ++ ++START_TEST(test_group_case) ++{ ++ int ret; ++ bool access_granted = false; ++ ++ test_ctx->ctx->allow_groups = discard_const(ulist_1); ++ 
test_ctx->ctx->deny_groups = NULL; ++ ++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); ++ fail_unless(ret == EOK, "access_simple_check failed."); ++ fail_unless(access_granted == false, "Access granted " ++ "for group with different case " ++ "in case-sensitive domain"); ++ ++ test_ctx->ctx->domain->case_sensitive = false; ++ ++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); ++ fail_unless(ret == EOK, "access_simple_check failed."); ++ fail_unless(access_granted == true, "Access denied " ++ "for group with different case " ++ "in case-insensitive domain"); ++} ++END_TEST ++ + Suite *access_simple_suite (void) + { + Suite *s = suite_create("access_simple"); + +- TCase *tc_allow_deny = tcase_create("allow/deny"); ++ TCase *tc_allow_deny = tcase_create("user allow/deny"); + tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple); + tcase_add_test(tc_allow_deny, test_both_empty); + tcase_add_test(tc_allow_deny, test_allow_empty); +@@ -166,6 +363,15 @@ Suite *access_simple_suite (void) + tcase_add_test(tc_allow_deny, test_case); + suite_add_tcase(s, tc_allow_deny); + ++ TCase *tc_grp_allow_deny = tcase_create("group allow/deny"); ++ tcase_add_checked_fixture(tc_grp_allow_deny, ++ setup_simple_group, teardown_simple_group); ++ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty); ++ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty); ++ tcase_add_test(tc_grp_allow_deny, test_group_both_set); ++ tcase_add_test(tc_grp_allow_deny, test_group_case); ++ suite_add_tcase(s, tc_grp_allow_deny); ++ + return s; + } + +@@ -174,6 +380,7 @@ int main(int argc, const char *argv[]) + int opt; + poptContext pc; + int number_failed; ++ int ret; + + struct poptOption long_options[] = { + POPT_AUTOHELP +@@ -205,6 +412,20 @@ int main(int argc, const char *argv[]) + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed(sr); + srunner_free(sr); ++ ++ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE); ++ if (ret != EOK) { ++ 
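Review bot: test_group_both_set and test_group_case assign `ulist_1` to allow_groups/deny_groups while the sibling test_group_allow_empty and test_group_deny_empty use `glist_1`, and nothing in this hunk explains the difference. Unless setup_simple_group (outside this hunk) deliberately creates groups named after the users, the "both set" assertions hold trivially because neither list matches any real group, so the deny-wins ordering is never exercised, and test_group_case would only pass through a same-named private group. Either switch those two tests to `test_ctx->ctx->allow_groups = discard_const(glist_1);` (and the matching deny_groups line) or add a comment stating why the user list is intended there.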
fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", ++ errno, strerror(errno)); ++ return EXIT_FAILURE; ++ } ++ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE); ++ if (ret != EOK) { ++ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", ++ errno, strerror(errno)); ++ return EXIT_FAILURE; ++ } ++ + return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE); + } + +-- +1.8.1.4 + diff --git a/Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch b/Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch new file mode 100644 index 0000000..d66871b --- /dev/null +++ b/Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch @@ -0,0 +1,41 @@ +From 8dfcfe629db83eb58dd6613aa174222cb853afb1 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Mon, 4 Mar 2013 16:37:04 +0100 +Subject: Do not compile main() in DP if UNIT_TESTING is defined + +The simple access provider unit tests now need to link against the Data +Provider when they start using the be_file_account_request() function. +But then we would start having conflicts as at least the main() +functions would clash. + +If UNIT_TESTING is defined, then the data_provider_be.c module does not +contain the main() function and can be linked against directly from +another module that contains its own main() function +(cherry picked from commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb) +--- + src/providers/data_provider_be.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c +index f85a04d..33590ae 100644 +--- a/src/providers/data_provider_be.c ++++ b/src/providers/data_provider_be.c +@@ -2651,6 +2651,7 @@ fail: + return ret; + } + ++#ifndef UNIT_TESTING + int main(int argc, const char *argv[]) + { + int opt; +@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[]) + + return 0; + } ++#endif + + static int data_provider_res_init(DBusMessage *message, + struct sbus_connection *conn) +-- +1.8.1.4 + 
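Review bot: The second unlink() error message in main() is a copy of the first and reports "test config ldb file" when it is LOCAL_SYSDB_FILE that could not be removed; use `"Could not delete the test sysdb file (%d) (%s)\n"`. Returning EXIT_FAILURE from either cleanup branch also discards number_failed, so a leftover file masks whether the tests themselves passed; printing the warning and falling through to the final `return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);` keeps the test verdict visible. main() begins outside this hunk.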
diff --git a/Provide-a-be_get_account_info_send-function.patch b/Provide-a-be_get_account_info_send-function.patch new file mode 100644 index 0000000..5e75c49 --- /dev/null +++ b/Provide-a-be_get_account_info_send-function.patch 
@@ -0,0 +1,237 @@ +From 455737c0b4b0c1bfeed54f2e27e397ce403acbca Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 22 Feb 2013 11:01:38 +0100 +Subject: Provide a be_get_account_info_send function + +In order to resolve group names in the simple access provider we need to +contact the Data Provider in a generic fashion from the access provider. +We can't call any particular implementation (like sdap_generic_send()) +because we have no idea what kind of provider is configured as the +id_provider. + +This patch splits introduces the be_file_account_request() function into +the data_provider_be module and makes it public. + +A future patch should make the be_get_account_info function use the +be_get_account_info_send function. +(cherry picked from commit b63830b142053f99bfe954d4be5a2b0f68ce3a93) +--- + src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++----- + src/providers/dp_backend.h | 15 ++++ + 2 files changed, 149 insertions(+), 19 deletions(-) + +diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c +index b261bf8..f85a04d 100644 +--- a/src/providers/data_provider_be.c ++++ b/src/providers/data_provider_be.c +@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req) + } + + static errno_t ++be_file_account_request(struct be_req *be_req, struct be_acct_req *ar) ++{ ++ errno_t ret; ++ struct be_ctx *be_ctx = be_req->be_ctx; ++ ++ be_req->req_data = ar; ++ ++ /* see if we need a pre request call, only done for initgroups for now */ ++ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) { ++ ret = be_initgroups_prereq(be_req); ++ if (ret) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed")); ++ return ret; ++ } ++ } ++ ++ /* process request */ ++ ret = be_file_request(be_ctx, be_req, ++ be_ctx->bet_info[BET_ID].bet_ops->handler); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request")); ++ return ret; ++ } ++ ++ return EOK; ++} ++ ++static errno_t + 
split_name_extended(TALLOC_CTX *mem_ctx, + const char *filter, + char **name, +@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx, + return EOK; + } + ++static void ++be_get_account_info_done(struct be_req *be_req, ++ int dp_err, int dp_ret, ++ const char *errstr); ++ ++struct be_get_account_info_state { ++ int err_maj; ++ int err_min; ++ const char *err_msg; ++}; ++ ++struct tevent_req * ++be_get_account_info_send(TALLOC_CTX *mem_ctx, ++ struct tevent_context *ev, ++ struct be_client *becli, ++ struct be_ctx *be_ctx, ++ struct be_acct_req *ar) ++{ ++ struct tevent_req *req; ++ struct be_get_account_info_state *state; ++ struct be_req *be_req; ++ errno_t ret; ++ ++ req = tevent_req_create(mem_ctx, &state, ++ struct be_get_account_info_state); ++ if (!req) return NULL; ++ ++ be_req = talloc_zero(mem_ctx, struct be_req); ++ if (be_req == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ be_req->becli = becli; ++ be_req->be_ctx = be_ctx; ++ be_req->fn = be_get_account_info_done; ++ be_req->pvt = req; ++ ++ ret = be_file_account_request(be_req, ar); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ return req; ++ ++done: ++ tevent_req_error(req, ret); ++ tevent_req_post(req, ev); ++ return req; ++} ++ ++static void ++be_get_account_info_done(struct be_req *be_req, ++ int dp_err, int dp_ret, ++ const char *errstr) ++{ ++ struct tevent_req *req; ++ struct be_get_account_info_state *state; ++ ++ req = talloc_get_type(be_req->pvt, struct tevent_req); ++ state = tevent_req_data(req, struct be_get_account_info_state); ++ ++ state->err_maj = dp_err; ++ state->err_min = dp_ret; ++ if (errstr) { ++ state->err_msg = talloc_strdup(state, errstr); ++ if (state->err_msg == NULL) { ++ talloc_free(be_req); ++ tevent_req_error(req, ENOMEM); ++ return; ++ } ++ } ++ ++ talloc_free(be_req); ++ tevent_req_done(req); ++} ++ ++errno_t be_get_account_info_recv(struct tevent_req *req, ++ TALLOC_CTX *mem_ctx, ++ int *_err_maj, ++ int *_err_min, ++ const char **_err_msg) ++{ ++ struct 
be_get_account_info_state *state; ++ ++ state = tevent_req_data(req, struct be_get_account_info_state); ++ ++ TEVENT_REQ_RETURN_ON_ERROR(req); ++ ++ if (_err_maj) { ++ *_err_maj = state->err_maj; ++ } ++ ++ if (_err_min) { ++ *_err_min = state->err_min; ++ } ++ ++ if (_err_msg) { ++ *_err_msg = talloc_steal(mem_ctx, state->err_msg); ++ } ++ ++ return EOK; ++} ++ + static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn) + { + struct be_acct_req *req; +@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con + goto done; + } + +- be_req->req_data = req; +- + if ((attr_type != BE_ATTR_CORE) && + (attr_type != BE_ATTR_MEM) && + (attr_type != BE_ATTR_ALL)) { +@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con + goto done; + } + +- /* see if we need a pre request call, only done for initgroups for now */ +- if ((type & 0xFF) == BE_REQ_INITGROUPS) { +- ret = be_initgroups_prereq(be_req); +- if (ret) { +- err_maj = DP_ERR_FATAL; +- err_min = ret; +- err_msg = "Prerequest failed"; +- goto done; +- } +- } +- +- /* process request */ +- +- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data, +- be_req, +- becli->bectx->bet_info[BET_ID].bet_ops->handler); ++ ret = be_file_account_request(be_req, req); + if (ret != EOK) { + err_maj = DP_ERR_FATAL; + err_min = ret; +- err_msg = "Failed to file request"; ++ err_msg = "Cannot file account request"; + goto done; + } + +diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h +index 58a9b74..743b6f4 100644 +--- a/src/providers/dp_backend.h ++++ b/src/providers/dp_backend.h +@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx, + const char *service_name); + + void reset_fo(struct be_ctx *be_ctx); ++ ++/* Request account information */ ++struct tevent_req * ++be_get_account_info_send(TALLOC_CTX *mem_ctx, ++ struct tevent_context *ev, ++ struct be_client 
*becli, ++ struct be_ctx *be_ctx, ++ struct be_acct_req *ar); ++ ++errno_t be_get_account_info_recv(struct tevent_req *req, ++ TALLOC_CTX *mem_ctx, ++ int *_err_maj, ++ int *_err_min, ++ const char **_err_msg); ++ + #endif /* __DP_BACKEND_H___ */ +-- +1.8.1.4 + diff --git a/Resolve-GIDs-in-the-simple-access-provider.patch b/Resolve-GIDs-in-the-simple-access-provider.patch new file mode 100644 index 0000000..91e09a4 --- /dev/null +++ b/Resolve-GIDs-in-the-simple-access-provider.patch 
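Review bot: In be_get_account_info_send the be_req is allocated on the caller's mem_ctx rather than on the tevent request, so when be_file_account_request() fails the `goto done` path returns an errored req but never frees be_req, and if a caller frees req while the backend request is still pending, be_req->pvt dangles until be_get_account_info_done fires. Allocating it as `be_req = talloc_zero(state, struct be_req);` ties the two lifetimes together and closes the error-path leak while keeping the existing `talloc_free(be_req)` in the done callback valid; at minimum add `talloc_free(be_req);` before `tevent_req_error(req, ret);` in the failure path. becli is also stored without a NULL check; whether any ID handler dereferences be_req->becli for a request that has no client connection cannot be confirmed from this hunk and is worth a comment on the new prototype in dp_backend.h.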
@@ -0,0 +1,1624 @@ +From ba1193c7b950a3849e04e28e60d83eece5ee49bc Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Sat, 23 Feb 2013 10:44:54 +0100 +Subject: Resolve GIDs in the simple access provider + +Changes the simple access provider's interface to be asynchronous. When +the simple access provider encounters a group that has gid, but no +meaningful name, it attempts to resolve the name using the +be_file_account_request function. + +Some providers (like the AD provider) might perform initgroups +without resolving the group names. In order for the simple access +provider to work correctly, we need to resolve the groups before +performing the access check. In AD provider, the situation is +even more tricky b/c the groups HAVE name, but their name +attribute is set to SID and they are set as non-POSIX +(cherry picked from commit 8b8019fe3dd1564fba657e219ec20ff816c7ffdb) +--- + Makefile.am | 17 +- + src/providers/simple/simple_access.c | 228 ++------- + src/providers/simple/simple_access.h | 11 +- + src/providers/simple/simple_access_check.c | 723 +++++++++++++++++++++++++++++ + src/tests/simple_access-tests.c | 361 ++++++++++---- + 5 files changed, 1033 insertions(+), 307 deletions(-) + create mode 100644 src/providers/simple/simple_access_check.c + +diff --git a/Makefile.am b/Makefile.am +index dda090d..223431d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1008,14 +1008,22 @@ ad_ldap_opt_tests_LDADD = \ + simple_access_tests_SOURCES = \ + src/tests/simple_access-tests.c \ + src/tests/common.c \ +- src/providers/simple/simple_access.c ++ src/providers/simple/simple_access_check.c \ ++ src/providers/data_provider_be.c \ ++ src/providers/data_provider_fo.c \ ++ src/providers/data_provider_callbacks.c \ ++ $(SSSD_FAILOVER_OBJ) + simple_access_tests_CFLAGS = \ + $(AM_CFLAGS) \ +- $(CHECK_CFLAGS) ++ $(CHECK_CFLAGS) \ ++ -DUNIT_TESTING + simple_access_tests_LDADD = \ + $(SSSD_LIBS) \ ++ $(CARES_LIBS) \ + $(CHECK_LIBS) \ +- libsss_util.la ++ $(PAM_LIBS) \ ++ 
libsss_util.la \ ++ libsss_test_common.la + + util_tests_SOURCES = \ + src/tests/util-tests.c +@@ -1347,7 +1355,8 @@ libsss_proxy_la_LDFLAGS = \ + -module + + libsss_simple_la_SOURCES = \ +- src/providers/simple/simple_access.c ++ src/providers/simple/simple_access.c \ ++ src/providers/simple/simple_access_check.c + libsss_simple_la_CFLAGS = \ + $(AM_CFLAGS) + libsss_simple_la_LIBADD = \ +diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c +index 70d1f07..d53a04b 100644 +--- a/src/providers/simple/simple_access.c ++++ b/src/providers/simple/simple_access.c +@@ -35,227 +35,52 @@ + #define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups" + #define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups" + +-errno_t simple_access_check(struct simple_ctx *ctx, const char *username, +- bool *access_granted) +-{ +- int i, j; +- errno_t ret; +- TALLOC_CTX *tmp_ctx = NULL; +- const char *user_attrs[] = { SYSDB_MEMBEROF, +- SYSDB_GIDNUM, +- NULL }; +- const char *group_attrs[] = { SYSDB_NAME, +- NULL }; +- struct ldb_message *msg; +- struct ldb_message_element *el; +- char **groups; +- const char *primary_group; +- gid_t gid; +- bool matched; +- bool cs = ctx->domain->case_sensitive; +- +- *access_granted = false; +- +- /* First, check whether the user is in the allowed users list */ +- if (ctx->allow_users != NULL) { +- for(i = 0; ctx->allow_users[i] != NULL; i++) { +- if (sss_string_equal(cs, username, ctx->allow_users[i])) { +- DEBUG(9, ("User [%s] found in allow list, access granted.\n", +- username)); +- +- /* Do not return immediately on explicit allow +- * We need to make sure none of the user's groups +- * are denied. +- */ +- *access_granted = true; +- } +- } +- } else if (!ctx->allow_groups) { +- /* If neither allow rule is in place, we'll assume allowed +- * unless a deny rule disables us below. 
+- */ +- *access_granted = true; +- } ++static void simple_access_check(struct tevent_req *req); + +- /* Next check whether this user has been specifically denied */ +- if (ctx->deny_users != NULL) { +- for(i = 0; ctx->deny_users[i] != NULL; i++) { +- if (sss_string_equal(cs, username, ctx->deny_users[i])) { +- DEBUG(9, ("User [%s] found in deny list, access denied.\n", +- username)); +- +- /* Return immediately on explicit denial */ +- *access_granted = false; +- return EOK; +- } +- } +- } ++void simple_access_handler(struct be_req *be_req) ++{ ++ struct be_ctx *be_ctx = be_req->be_ctx; ++ struct pam_data *pd; ++ struct tevent_req *req; ++ struct simple_ctx *ctx; + +- if (!ctx->allow_groups && !ctx->deny_groups) { +- /* There are no group restrictions, so just return +- * here with whatever we've decided. +- */ +- return EOK; +- } ++ pd = talloc_get_type(be_req->req_data, struct pam_data); + +- /* Now get a list of this user's groups and check those against the +- * simple_allow_groups list. 
+- */ +- tmp_ctx = talloc_new(NULL); +- if (!tmp_ctx) { +- ret = ENOMEM; +- goto done; +- } ++ pd->pam_status = PAM_SYSTEM_ERR; + +- ret = sysdb_search_user_by_name(tmp_ctx, ctx->sysdb, +- username, user_attrs, &msg); +- if (ret != EOK) { +- DEBUG(1, ("Could not look up username [%s]: [%d][%s]\n", +- username, ret, strerror(ret))); ++ if (pd->cmd != SSS_PAM_ACCT_MGMT) { ++ DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd)); ++ pd->pam_status = PAM_MODULE_UNKNOWN; + goto done; + } + +- /* Construct a list of the user's groups */ +- el = ldb_msg_find_element(msg, SYSDB_MEMBEROF); +- if (el && el->num_values) { +- /* Get the groups from the memberOf entries +- * Allocate the array with room for both the NULL +- * terminator and the primary group +- */ +- groups = talloc_array(tmp_ctx, char *, el->num_values + 2); +- if (!groups) { +- ret = ENOMEM; +- goto done; +- } +- +- for (j = 0; j < el->num_values; j++) { +- ret = sysdb_group_dn_name( +- ctx->sysdb, tmp_ctx, +- (char *)el->values[j].data, +- &groups[j]); +- if (ret != EOK) { +- goto done; +- } +- } +- } else { +- /* User is not a member of any groups except primary */ +- groups = talloc_array(tmp_ctx, char *, 2); +- if (!groups) { +- ret = ENOMEM; +- goto done; +- } +- j = 0; +- } ++ ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, ++ struct simple_ctx); + +- /* Get the user's primary group */ +- gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0); +- if (!gid) { +- ret = EINVAL; ++ req = simple_access_check_send(be_req, be_ctx->ev, ctx, pd->user); ++ if (!req) { ++ pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } +- talloc_zfree(msg); +- +- ret = sysdb_search_group_by_gid(tmp_ctx, ctx->sysdb, +- gid, group_attrs, &msg); +- if (ret != EOK) { +- DEBUG(1, ("Could not look up primary group [%lu]: [%d][%s]\n", +- gid, ret, strerror(ret))); +- /* We have to treat this as non-fatal, because the primary +- * group may be local to the machine and not available in +- * our ID 
provider. +- */ +- } else { +- primary_group = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); +- if (!primary_group) { +- ret = EINVAL; +- goto done; +- } +- +- groups[j] = talloc_strdup(tmp_ctx, primary_group); +- if (!groups[j]) { +- ret = ENOMEM; +- goto done; +- } +- j++; +- +- talloc_zfree(msg); +- } +- +- groups[j] = NULL; +- +- /* Now process allow and deny group rules +- * If access was already granted above, we'll skip +- * this redundant rule check +- */ +- if (ctx->allow_groups && !*access_granted) { +- matched = false; +- for (i = 0; ctx->allow_groups[i]; i++) { +- for(j = 0; groups[j]; j++) { +- if (sss_string_equal(cs, groups[j], ctx->allow_groups[i])) { +- matched = true; +- break; +- } +- } +- +- /* If any group has matched, we can skip out on the +- * processing early +- */ +- if (matched) { +- *access_granted = true; +- break; +- } +- } +- } +- +- /* Finally, process the deny group rules */ +- if (ctx->deny_groups) { +- matched = false; +- for (i = 0; ctx->deny_groups[i]; i++) { +- for(j = 0; groups[j]; j++) { +- if (sss_string_equal(cs, groups[j], ctx->deny_groups[i])) { +- matched = true; +- break; +- } +- } +- +- /* If any group has matched, we can skip out on the +- * processing early +- */ +- if (matched) { +- *access_granted = false; +- break; +- } +- } +- } +- +- ret = EOK; ++ tevent_req_set_callback(req, simple_access_check, be_req); ++ return; + + done: +- talloc_free(tmp_ctx); +- return ret; ++ be_req->fn(be_req, DP_ERR_OK, pd->pam_status, NULL); + } + +-void simple_access_handler(struct be_req *be_req) ++static void simple_access_check(struct tevent_req *req) + { +- int ret; + bool access_granted = false; ++ errno_t ret; + struct pam_data *pd; +- struct simple_ctx *ctx; ++ struct be_req *be_req; + ++ be_req = tevent_req_callback_data(req, struct be_req); + pd = talloc_get_type(be_req->req_data, struct pam_data); + +- pd->pam_status = PAM_SYSTEM_ERR; +- +- if (pd->cmd != SSS_PAM_ACCT_MGMT) { +- DEBUG(4, ("simple access does not 
handles pam task %d.\n", pd->cmd)); +- pd->pam_status = PAM_MODULE_UNKNOWN; +- goto done; +- } +- +- ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, +- struct simple_ctx); +- +- ret = simple_access_check(ctx, pd->user, &access_granted); ++ ret = simple_access_check_recv(req, &access_granted); ++ talloc_free(req); + if (ret != EOK) { + pd->pam_status = PAM_SYSTEM_ERR; + goto done; +@@ -290,6 +115,7 @@ int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops, + + ctx->sysdb = bectx->sysdb; + ctx->domain = bectx->domain; ++ ctx->be_ctx = bectx; + + /* Users */ + ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path, +diff --git a/src/providers/simple/simple_access.h b/src/providers/simple/simple_access.h +index abcf61a..1de9d89 100644 +--- a/src/providers/simple/simple_access.h ++++ b/src/providers/simple/simple_access.h +@@ -29,6 +29,7 @@ + struct simple_ctx { + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; ++ struct be_ctx *be_ctx; + + char **allow_users; + char **deny_users; +@@ -36,6 +37,12 @@ struct simple_ctx { + char **deny_groups; + }; + +-errno_t simple_access_check(struct simple_ctx *ctx, const char *username, +- bool *access_granted); ++struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx, ++ struct tevent_context *ev, ++ struct simple_ctx *ctx, ++ const char *username); ++ ++errno_t simple_access_check_recv(struct tevent_req *req, ++ bool *access_granted); ++ + #endif /* __SIMPLE_ACCESS_H__ */ +diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c +new file mode 100644 +index 0000000..a9e8f63 +--- /dev/null ++++ b/src/providers/simple/simple_access_check.c +@@ -0,0 +1,723 @@ ++/* ++ SSSD ++ ++ Simple access control ++ ++ Copyright (C) Sumit Bose 2010 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either 
version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "providers/dp_backend.h" ++#include "providers/simple/simple_access.h" ++#include "util/sss_utf8.h" ++#include "db/sysdb.h" ++ ++static bool ++is_posix(const struct ldb_message *group) ++{ ++ const char *val; ++ ++ val = ldb_msg_find_attr_as_string(group, SYSDB_POSIX, NULL); ++ if (!val || /* Groups are posix by default */ ++ strcasecmp(val, "TRUE") == 0) { ++ return true; ++ } ++ ++ return false; ++} ++ ++/* Returns EOK if the result is definitive, EAGAIN if only partial result ++ */ ++static errno_t ++simple_check_users(struct simple_ctx *ctx, const char *username, ++ bool *access_granted) ++{ ++ int i; ++ bool cs = ctx->domain->case_sensitive; ++ ++ /* First, check whether the user is in the allowed users list */ ++ if (ctx->allow_users != NULL) { ++ for(i = 0; ctx->allow_users[i] != NULL; i++) { ++ if (sss_string_equal(cs, username, ctx->allow_users[i])) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ ("User [%s] found in allow list, access granted.\n", ++ username)); ++ ++ /* Do not return immediately on explicit allow ++ * We need to make sure none of the user's groups ++ * are denied. ++ */ ++ *access_granted = true; ++ } ++ } ++ } else if (!ctx->allow_groups) { ++ /* If neither allow rule is in place, we'll assume allowed ++ * unless a deny rule disables us below. 
++ */ ++ DEBUG(SSSDBG_TRACE_LIBS, ++ ("No allow rule, assumuing allow unless explicitly denied\n")); ++ *access_granted = true; ++ } ++ ++ /* Next check whether this user has been specifically denied */ ++ if (ctx->deny_users != NULL) { ++ for(i = 0; ctx->deny_users[i] != NULL; i++) { ++ if (sss_string_equal(cs, username, ctx->deny_users[i])) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ ("User [%s] found in deny list, access denied.\n", ++ username)); ++ ++ /* Return immediately on explicit denial */ ++ *access_granted = false; ++ return EOK; ++ } ++ } ++ } ++ ++ return EAGAIN; ++} ++ ++static errno_t ++simple_check_groups(struct simple_ctx *ctx, const char *username, ++ const char **group_names, bool *access_granted) ++{ ++ bool matched; ++ int i, j; ++ bool cs = ctx->domain->case_sensitive; ++ ++ /* Now process allow and deny group rules ++ * If access was already granted above, we'll skip ++ * this redundant rule check ++ */ ++ if (ctx->allow_groups && !*access_granted) { ++ matched = false; ++ for (i = 0; ctx->allow_groups[i]; i++) { ++ for(j = 0; group_names[j]; j++) { ++ if (sss_string_equal(cs, group_names[j], ctx->allow_groups[i])) { ++ matched = true; ++ break; ++ } ++ } ++ ++ /* If any group has matched, we can skip out on the ++ * processing early ++ */ ++ if (matched) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ ("Group [%s] found in allow list, access granted.\n", ++ group_names[j])); ++ *access_granted = true; ++ break; ++ } ++ } ++ } ++ ++ /* Finally, process the deny group rules */ ++ if (ctx->deny_groups) { ++ matched = false; ++ for (i = 0; ctx->deny_groups[i]; i++) { ++ for(j = 0; group_names[j]; j++) { ++ if (sss_string_equal(cs, group_names[j], ctx->deny_groups[i])) { ++ matched = true; ++ break; ++ } ++ } ++ ++ /* If any group has matched, we can skip out on the ++ * processing early ++ */ ++ if (matched) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ ("Group [%s] found in deny list, access denied.\n", ++ group_names[j])); ++ *access_granted = false; ++ break; ++ } ++ } ++ } ++ ++ 
return EOK; ++} ++ ++struct simple_resolve_group_state { ++ gid_t gid; ++ struct simple_ctx *ctx; ++ ++ const char *name; ++}; ++ ++static errno_t ++simple_resolve_group_check(struct simple_resolve_group_state *state); ++static void simple_resolve_group_done(struct tevent_req *subreq); ++ ++static struct tevent_req * ++simple_resolve_group_send(TALLOC_CTX *mem_ctx, ++ struct tevent_context *ev, ++ struct simple_ctx *ctx, ++ gid_t gid) ++{ ++ errno_t ret; ++ struct tevent_req *req; ++ struct tevent_req *subreq; ++ struct simple_resolve_group_state *state; ++ struct be_acct_req *ar; ++ ++ req = tevent_req_create(mem_ctx, &state, ++ struct simple_resolve_group_state); ++ if (!req) return NULL; ++ ++ state->gid = gid; ++ state->ctx = ctx; ++ ++ /* First check if the group was updated already. If it was (maybe its ++ * parent was updated first), then just shortcut */ ++ ret = simple_resolve_group_check(state); ++ if (ret == EOK) { ++ DEBUG(SSSDBG_TRACE_LIBS, ("Group already updated\n")); ++ ret = EOK; ++ goto done; ++ } else if (ret != EAGAIN) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Cannot check if group was already updated\n")); ++ goto done; ++ } ++ /* EAGAIN - still needs update */ ++ ++ ar = talloc(state, struct be_acct_req); ++ if (!ar) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ar->entry_type = BE_REQ_GROUP; ++ ar->attr_type = BE_ATTR_CORE; ++ ar->filter_type = BE_FILTER_IDNUM; ++ ar->filter_value = talloc_asprintf(ar, "%llu", (unsigned long long) gid); ++ ar->domain = talloc_strdup(ar, ctx->domain->name); ++ if (!ar->domain || !ar->filter_value) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ subreq = be_get_account_info_send(state, ev, NULL, ctx->be_ctx, ar); ++ if (!subreq) { ++ ret = ENOMEM; ++ goto done; ++ } ++ tevent_req_set_callback(subreq, simple_resolve_group_done, req); ++ ++ return req; ++ ++done: ++ if (ret == EOK) { ++ tevent_req_done(req); ++ } else { ++ tevent_req_error(req, ret); ++ } ++ tevent_req_post(req, ev); ++ return req; ++} ++ ++static errno_t 
++simple_resolve_group_check(struct simple_resolve_group_state *state) ++{ ++ errno_t ret; ++ struct ldb_message *group; ++ const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX, ++ SYSDB_GIDNUM, NULL }; ++ ++ /* Check the cache by GID again and fetch the name */ ++ ret = sysdb_search_group_by_gid(state, state->ctx->domain->sysdb, ++ state->gid, group_attrs, &group); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Could not look up group by gid [%lu]: [%d][%s]\n", ++ state->gid, ret, strerror(ret))); ++ return ret; ++ } ++ ++ state->name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL); ++ if (!state->name) { ++ DEBUG(SSSDBG_OP_FAILURE, ("No group name\n")); ++ return ENOENT; ++ } ++ ++ if (is_posix(group) == false) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ ("The group is still non-POSIX\n")); ++ return EAGAIN; ++ } ++ ++ DEBUG(SSSDBG_TRACE_LIBS, ("Got POSIX group\n")); ++ return EOK; ++} ++ ++static void simple_resolve_group_done(struct tevent_req *subreq) ++{ ++ struct tevent_req *req; ++ struct simple_resolve_group_state *state; ++ int err_maj; ++ int err_min; ++ errno_t ret; ++ const char *err_msg; ++ ++ req = tevent_req_callback_data(subreq, struct tevent_req); ++ state = tevent_req_data(req, struct simple_resolve_group_state); ++ ++ ret = be_get_account_info_recv(subreq, state, ++ &err_maj, &err_min, &err_msg); ++ talloc_zfree(subreq); ++ if (ret) { ++ DEBUG(SSSDBG_OP_FAILURE, ("be_get_account_info_recv failed\n")); ++ tevent_req_error(req, ret); ++ return; ++ } ++ ++ if (err_maj) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ ("Cannot refresh data from DP: %u,%u: %s\n", ++ err_maj, err_min, err_msg)); ++ tevent_req_error(req, EIO); ++ return; ++ } ++ ++ /* Check the cache by GID again and fetch the name */ ++ ret = simple_resolve_group_check(state); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ("Refresh failed\n")); ++ tevent_req_error(req, ret); ++ return; ++ } ++ ++ tevent_req_done(req); ++} ++ ++static errno_t ++simple_resolve_group_recv(struct tevent_req 
*req, ++ TALLOC_CTX *mem_ctx, ++ const char **name) ++{ ++ struct simple_resolve_group_state *state; ++ ++ state = tevent_req_data(req, struct simple_resolve_group_state); ++ ++ TEVENT_REQ_RETURN_ON_ERROR(req); ++ ++ *name = talloc_strdup(mem_ctx, state->name); ++ return EOK; ++} ++ ++struct simple_check_groups_state { ++ struct tevent_context *ev; ++ struct simple_ctx *ctx; ++ ++ gid_t *lookup_gids; ++ size_t num_gids; ++ size_t giter; ++ ++ const char **group_names; ++ size_t num_names; ++}; ++ ++static void simple_check_get_groups_next(struct tevent_req *subreq); ++ ++static errno_t ++simple_check_get_groups_primary(struct simple_check_groups_state *state, ++ gid_t gid); ++static errno_t ++simple_check_process_group(struct simple_check_groups_state *state, ++ struct ldb_message *group); ++ ++static struct tevent_req * ++simple_check_get_groups_send(TALLOC_CTX *mem_ctx, ++ struct tevent_context *ev, ++ struct simple_ctx *ctx, ++ const char *username) ++{ ++ errno_t ret; ++ struct tevent_req *req; ++ struct tevent_req *subreq; ++ struct simple_check_groups_state *state; ++ const char *attrs[] = { SYSDB_NAME, SYSDB_POSIX, SYSDB_GIDNUM, NULL }; ++ size_t group_count; ++ struct ldb_message *user; ++ struct ldb_message **groups; ++ int i; ++ gid_t gid; ++ char *cname; ++ ++ req = tevent_req_create(mem_ctx, &state, ++ struct simple_check_groups_state); ++ if (!req) return NULL; ++ ++ state->ev = ev; ++ state->ctx = ctx; ++ ++ cname = sss_get_cased_name(state, username, ctx->domain->case_sensitive); ++ if (!cname) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", cname)); ++ ++ ret = sysdb_search_user_by_name(state, ctx->domain->sysdb, ++ cname, attrs, &user); ++ if (ret == ENOENT) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", cname)); ++ goto done; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Could not look up username [%s]: [%d][%s]\n", ++ username, ret, strerror(ret))); ++ goto done; ++ } 
++ ++ ret = sysdb_asq_search(state, ctx->domain->sysdb, ++ user->dn, NULL, SYSDB_MEMBEROF, ++ attrs, &group_count, &groups); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ DEBUG(SSSDBG_TRACE_FUNC, ++ ("User %s is a member of %d supplemental groups\n", ++ cname, group_count)); ++ ++ /* One extra space for terminator, one extra space for private group */ ++ state->group_names = talloc_zero_array(state, const char *, group_count + 2); ++ state->lookup_gids = talloc_zero_array(state, gid_t, group_count + 2); ++ if (!state->group_names || !state->lookup_gids) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ for (i=0; i < group_count; i++) { ++ /* Some providers (like the AD provider) might perform initgroups ++ * without resolving the group names. In order for the simple access ++ * provider to work correctly, we need to resolve the groups before ++ * performing the access check. In AD provider, the situation is ++ * even more tricky b/c the groups HAVE name, but their name ++ * attribute is set to SID and they are set as non-POSIX ++ */ ++ ret = simple_check_process_group(state, groups[i]); ++ if (ret != EOK) { ++ goto done; ++ } ++ } ++ ++ gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0); ++ if (!gid) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", cname)); ++ ret = EINVAL; ++ goto done; ++ } ++ ++ ret = simple_check_get_groups_primary(state, gid); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ if (state->num_gids == 0) { ++ /* If all groups could have been resolved by name, we are ++ * done ++ */ ++ DEBUG(SSSDBG_TRACE_FUNC, ("All groups had name attribute\n")); ++ ret = EOK; ++ goto done; ++ } ++ ++ DEBUG(SSSDBG_TRACE_FUNC, ("Need to resolve %d groups\n", state->num_gids)); ++ state->giter = 0; ++ subreq = simple_resolve_group_send(req, state->ev, state->ctx, ++ state->lookup_gids[state->giter]); ++ if (!subreq) { ++ ret = ENOMEM; ++ goto done; ++ } ++ tevent_req_set_callback(subreq, simple_check_get_groups_next, req); ++ ++ return req; ++ ++done: ++ if 
(ret == EOK) { ++ tevent_req_done(req); ++ } else { ++ tevent_req_error(req, ret); ++ } ++ tevent_req_post(req, ev); ++ return req; ++} ++ ++static void simple_check_get_groups_next(struct tevent_req *subreq) ++{ ++ struct tevent_req *req = ++ tevent_req_callback_data(subreq, struct tevent_req); ++ struct simple_check_groups_state *state = ++ tevent_req_data(req, struct simple_check_groups_state); ++ errno_t ret; ++ ++ ret = simple_resolve_group_recv(subreq, state->group_names, ++ &state->group_names[state->num_names]); ++ talloc_zfree(subreq); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Could not resolve name of group with GID %llu\n", ++ state->lookup_gids[state->giter])); ++ tevent_req_error(req, ret); ++ return; ++ } ++ ++ state->num_names++; ++ state->giter++; ++ ++ if (state->giter < state->num_gids) { ++ subreq = simple_resolve_group_send(req, state->ev, state->ctx, ++ state->lookup_gids[state->giter]); ++ if (!subreq) { ++ tevent_req_error(req, ENOMEM); ++ return; ++ } ++ tevent_req_set_callback(subreq, simple_check_get_groups_next, req); ++ return; ++ } ++ ++ DEBUG(SSSDBG_TRACE_INTERNAL, ("All groups resolved. Done.\n")); ++ tevent_req_done(req); ++} ++ ++static errno_t ++simple_check_process_group(struct simple_check_groups_state *state, ++ struct ldb_message *group) ++{ ++ const char *name; ++ gid_t gid; ++ bool posix; ++ ++ posix = is_posix(group); ++ name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL); ++ gid = ldb_msg_find_attr_as_uint64(group, SYSDB_GIDNUM, 0); ++ ++ /* With the current sysdb layout, every group has a name */ ++ if (name == NULL) { ++ return EINVAL; ++ } ++ ++ if (gid == 0) { ++ if (posix == true) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ("POSIX group without GID\n")); ++ return EINVAL; ++ } ++ ++ /* Non-posix group with a name. 
Still can be used for access ++ * control as the name should point to the real name, no SID ++ */ ++ state->group_names[state->num_names] = talloc_strdup(state->group_names, ++ name); ++ if (!state->group_names[state->num_names]) { ++ return ENOMEM; ++ } ++ DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding group %s\n", name)); ++ state->num_names++; ++ return EOK; ++ } ++ ++ /* Here are only groups with a name and gid. POSIX group can already ++ * be used, non-POSIX groups can be resolved */ ++ if (posix) { ++ state->group_names[state->num_names] = talloc_strdup(state->group_names, ++ name); ++ if (!state->group_names[state->num_names]) { ++ return ENOMEM; ++ } ++ DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding group %s\n", name)); ++ state->num_names++; ++ return EOK; ++ } ++ ++ /* Non-posix group with a GID. Needs resolving */ ++ state->lookup_gids[state->num_gids] = gid; ++ DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding GID %llu\n", gid)); ++ state->num_gids++; ++ return EOK; ++} ++ ++static errno_t ++simple_check_get_groups_primary(struct simple_check_groups_state *state, ++ gid_t gid) ++{ ++ errno_t ret; ++ const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX, ++ SYSDB_GIDNUM, NULL }; ++ struct ldb_message *msg; ++ ++ ret = sysdb_search_group_by_gid(state, state->ctx->domain->sysdb, ++ gid, group_attrs, &msg); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Could not look up primary group [%lu]: [%d][%s]\n", ++ gid, ret, strerror(ret))); ++ /* We have to treat this as non-fatal, because the primary ++ * group may be local to the machine and not available in ++ * our ID provider. 
++ */ ++ } else { ++ ret = simple_check_process_group(state, msg); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ("Cannot process primary group\n")); ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ ++static errno_t ++simple_check_get_groups_recv(struct tevent_req *req, ++ TALLOC_CTX *mem_ctx, ++ const char ***_group_names) ++{ ++ struct simple_check_groups_state *state; ++ ++ state = tevent_req_data(req, struct simple_check_groups_state); ++ ++ TEVENT_REQ_RETURN_ON_ERROR(req); ++ ++ *_group_names = talloc_steal(mem_ctx, state->group_names); ++ return EOK; ++} ++ ++struct simple_access_check_state { ++ bool access_granted; ++ struct simple_ctx *ctx; ++ const char *username; ++ ++ const char **group_names; ++}; ++ ++static void simple_access_check_done(struct tevent_req *subreq); ++ ++struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx, ++ struct tevent_context *ev, ++ struct simple_ctx *ctx, ++ const char *username) ++{ ++ errno_t ret; ++ struct tevent_req *req; ++ struct tevent_req *subreq; ++ struct simple_access_check_state *state; ++ ++ req = tevent_req_create(mem_ctx, &state, ++ struct simple_access_check_state); ++ if (!req) return NULL; ++ ++ state->access_granted = false; ++ state->ctx = ctx; ++ state->username = talloc_strdup(state, username); ++ if (!state->username) { ++ ret = ENOMEM; ++ goto immediate; ++ } ++ ++ DEBUG(SSSDBG_FUNC_DATA, ("Simple access check for %s\n", username)); ++ ++ ret = simple_check_users(ctx, username, &state->access_granted); ++ if (ret != EAGAIN) { ++ /* Both access denied and an error */ ++ goto immediate; ++ } ++ ++ if (!ctx->allow_groups && !ctx->deny_groups) { ++ /* There are no group restrictions, so just return ++ * here with whatever we've decided. ++ */ ++ DEBUG(SSSDBG_TRACE_LIBS, ("No group restrictions, end request\n")); ++ ret = EOK; ++ goto immediate; ++ } ++ ++ /* The group names might not be available. Fire a request to ++ * gather them. 
In most cases, the request will just shortcut ++ */ ++ subreq = simple_check_get_groups_send(state, ev, ctx, username); ++ if (!subreq) { ++ ret = EIO; ++ goto immediate; ++ } ++ tevent_req_set_callback(subreq, simple_access_check_done, req); ++ ++ return req; ++ ++immediate: ++ if (ret == EOK) { ++ tevent_req_done(req); ++ } else { ++ tevent_req_error(req, ret); ++ } ++ tevent_req_post(req, ev); ++ return req; ++} ++ ++ ++static void simple_access_check_done(struct tevent_req *subreq) ++{ ++ struct tevent_req *req = ++ tevent_req_callback_data(subreq, struct tevent_req); ++ struct simple_access_check_state *state = ++ tevent_req_data(req, struct simple_access_check_state); ++ errno_t ret; ++ ++ /* We know the names now. Run the check. */ ++ ret = simple_check_get_groups_recv(subreq, state, &state->group_names); ++ talloc_zfree(subreq); ++ if (ret == ENOENT) { ++ /* If the user wasn't found, just shortcut */ ++ state->access_granted = false; ++ tevent_req_done(req); ++ return; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ ("Could not collect groups of user %s\n", state->username)); ++ tevent_req_error(req, ret); ++ return; ++ } ++ ++ ret = simple_check_groups(state->ctx, state->username, ++ state->group_names, &state->access_granted); ++ if (ret != EOK) { ++ tevent_req_error(req, ret); ++ return; ++ } ++ ++ /* Now just return whatever we decided */ ++ DEBUG(SSSDBG_TRACE_INTERNAL, ("Group check done\n")); ++ tevent_req_done(req); ++} ++ ++errno_t simple_access_check_recv(struct tevent_req *req, bool *access_granted) ++{ ++ struct simple_access_check_state *state = ++ tevent_req_data(req, struct simple_access_check_state); ++ ++ TEVENT_REQ_RETURN_ON_ERROR(req); ++ ++ DEBUG(SSSDBG_TRACE_LIBS, ++ ("Access %sgranted\n", state->access_granted ? 
"" : "not ")); ++ if (access_granted) { ++ *access_granted = state->access_granted; ++ } ++ ++ return EOK; ++} +diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c +index 577c6d3..ab2612d 100644 +--- a/src/tests/simple_access-tests.c ++++ b/src/tests/simple_access-tests.c +@@ -27,6 +27,7 @@ + #include + + #include "confdb/confdb.h" ++#include "db/sysdb_private.h" + #include "providers/simple/simple_access.h" + #include "tests/common.h" + +@@ -35,16 +36,40 @@ + + const char *ulist_1[] = {"u1", "u2", NULL}; + const char *glist_1[] = {"g1", "g2", NULL}; ++const char *glist_1_case[] = {"G1", "G2", NULL}; + + struct simple_test_ctx *test_ctx = NULL; + + struct simple_test_ctx { + struct sysdb_ctx *sysdb; + struct confdb_ctx *confdb; ++ struct tevent_context *ev; ++ bool done; ++ int error; + ++ bool access_granted; + struct simple_ctx *ctx; + }; + ++static int test_loop(struct simple_test_ctx *tctx) ++{ ++ while (!tctx->done) ++ tevent_loop_once(tctx->ev); ++ ++ return tctx->error; ++} ++ ++static void simple_access_check_done(struct tevent_req *req) ++{ ++ struct simple_test_ctx *tctx = ++ tevent_req_callback_data(req, struct simple_test_ctx); ++ ++ ++ tctx->error = simple_access_check_recv(req, &tctx->access_granted); ++ talloc_free(req); ++ tctx->done = true; ++} ++ + void setup_simple(void) + { + errno_t ret; +@@ -52,19 +77,22 @@ void setup_simple(void) + const char *val[2]; + val[1] = NULL; + +- /* Create tests directory if it doesn't exist */ +- /* (relative to current dir) */ +- ret = mkdir(TESTS_PATH, 0775); +- fail_if(ret == -1 && errno != EEXIST, +- "Could not create %s directory", TESTS_PATH); +- + fail_unless(test_ctx == NULL, "Simple context already initialized."); + test_ctx = talloc_zero(NULL, struct simple_test_ctx); + fail_unless(test_ctx != NULL, "Cannot create simple test context."); + ++ test_ctx->ev = tevent_context_init(test_ctx); ++ fail_unless(test_ctx->ev != NULL, "Cannot create tevent context."); ++ + test_ctx->ctx = 
talloc_zero(test_ctx, struct simple_ctx); + fail_unless(test_ctx->ctx != NULL, "Cannot create simple context."); + ++ /* Create tests directory if it doesn't exist */ ++ /* (relative to current dir) */ ++ ret = mkdir(TESTS_PATH, 0775); ++ fail_if(ret == -1 && errno != EEXIST, ++ "Could not create %s directory", TESTS_PATH); ++ + conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); + fail_if(conf_db == NULL, "Out of memory, aborting!"); + DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db)); +@@ -98,6 +126,7 @@ void setup_simple(void) + &test_ctx->ctx->domain, &test_ctx->ctx->sysdb); + fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret); + test_ctx->ctx->domain->case_sensitive = true; ++ test_ctx->ctx->sysdb->mpg = false; /* Simulate an LDAP domain better */ + } + + void teardown_simple(void) +@@ -117,18 +146,22 @@ void setup_simple_group(void) + + /* Add test users u1 and u2 that would be members of test groups + * g1 and g2 respectively */ ++ ret = sysdb_add_group(test_ctx->ctx->sysdb, ++ "pvt", 999, NULL, 0, 0); ++ fail_if(ret != EOK, "Could not add private group"); ++ + ret = sysdb_store_user(test_ctx->ctx->sysdb, +- "u1", NULL, 123, 0, "u1", "/home/u1", ++ "u1", NULL, 123, 999, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u1"); + + ret = sysdb_store_user(test_ctx->ctx->sysdb, +- "u2", NULL, 456, 0, "u1", "/home/u1", ++ "u2", NULL, 456, 999, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u2"); + + ret = sysdb_store_user(test_ctx->ctx->sysdb, +- "u3", NULL, 789, 0, "u1", "/home/u1", ++ "u3", NULL, 789, 999, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u3"); + +@@ -163,190 +196,317 @@ void teardown_simple_group(void) + fail_if(ret != EOK, "Could not delete g1"); + ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0); + fail_if(ret != EOK, "Could not delete g2"); ++ 
ret = sysdb_delete_group(test_ctx->ctx->sysdb, "pvt", 0); ++ fail_if(ret != EOK, "Could not delete pvt"); + + teardown_simple(); + } + + START_TEST(test_both_empty) + { +- int ret; +- bool access_granted = false; ++ struct tevent_req *req; + + test_ctx->ctx->allow_users = NULL; + test_ctx->ctx->deny_users = NULL; + +- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == true, "Access denied " +- "while both lists are empty."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == true, ++ "Access denied while both lists are empty."); + } + END_TEST + + START_TEST(test_allow_empty) + { +- int ret; +- bool access_granted = true; ++ struct tevent_req *req; + + test_ctx->ctx->allow_users = NULL; + test_ctx->ctx->deny_users = discard_const(ulist_1); + +- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "while user is in deny list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted while user is in deny list."); + +- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == true, 
"Access denied " +- "while user is not in deny list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u3"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == true, ++ "Access denied while user is not in deny list."); + } + END_TEST + + START_TEST(test_deny_empty) + { +- int ret; +- bool access_granted = false; ++ struct tevent_req *req; + + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = NULL; + +- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == true, "Access denied " +- "while user is in allow list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == true, ++ "Access denied while user is in allow list."); + +- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "while user is not in allow list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u3"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted while user is not in allow list."); + } + 
END_TEST + + START_TEST(test_both_set) + { +- int ret; +- bool access_granted = false; ++ struct tevent_req *req; + + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = discard_const(ulist_1); + +- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "while user is in deny list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted while user is in deny list."); + +- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "while user is not in allow list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u3"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted while user is not in allow list."); + } + END_TEST + + START_TEST(test_case) + { +- int ret; +- bool access_granted = false; ++ struct tevent_req *req; + + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = NULL; + +- ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "for user with different case " +- "in case-sensitive domain"); ++ 
req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "U1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted for user with different case " ++ "in case-sensitive domain"); + + test_ctx->ctx->domain->case_sensitive = false; + +- ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == true, "Access denied " +- "for user with different case " +- "in case-insensitive domain"); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "U1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == true, ++ "Access denied for user with different case " ++ "in case-sensitive domain"); ++} ++END_TEST ++ ++START_TEST(test_unknown_user) ++{ ++ struct tevent_req *req; ++ ++ test_ctx->ctx->allow_users = discard_const(ulist_1); ++ test_ctx->ctx->deny_users = NULL; ++ ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "foo"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted for user not present in domain"); + } + END_TEST + ++ + START_TEST(test_group_allow_empty) + { +- int ret; +- bool access_granted = true; ++ struct tevent_req 
*req; + + test_ctx->ctx->allow_groups = NULL; + test_ctx->ctx->deny_groups = discard_const(glist_1); + +- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "while group is in deny list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; + +- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == true, "Access denied " +- "while group is not in deny list."); ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted while group is in deny list."); ++ ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u3"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == true, ++ "Access denied while group is not in deny list."); + } + END_TEST + + START_TEST(test_group_deny_empty) + { +- int ret; +- bool access_granted = false; ++ struct tevent_req *req; + + test_ctx->ctx->allow_groups = discard_const(glist_1); + test_ctx->ctx->deny_groups = NULL; + +- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == true, "Access denied " +- "while group is in allow list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ 
tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; + +- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "while group is not in allow list."); ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == true, ++ "Access denied while user is in allow list."); ++ ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u3"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted while user is not in allow list."); + } + END_TEST + + START_TEST(test_group_both_set) + { +- int ret; +- bool access_granted = false; ++ struct tevent_req *req; + + test_ctx->ctx->allow_groups = discard_const(ulist_1); + test_ctx->ctx->deny_groups = discard_const(ulist_1); + +- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "while group is in deny list."); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; + +- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "while group is not in allow list."); ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ 
fail_unless(test_ctx->access_granted == false, ++ "Access granted while user is in deny list."); ++ ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "u3"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted while user is not in allow list."); + } + END_TEST + + START_TEST(test_group_case) + { +- int ret; +- bool access_granted = false; ++ struct tevent_req *req; + +- test_ctx->ctx->allow_groups = discard_const(ulist_1); ++ test_ctx->ctx->allow_groups = discard_const(glist_1_case); + test_ctx->ctx->deny_groups = NULL; + +- ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == false, "Access granted " +- "for group with different case " +- "in case-sensitive domain"); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "U1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == false, ++ "Access granted for user with different case " ++ "in case-sensitive domain"); + + test_ctx->ctx->domain->case_sensitive = false; + +- ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); +- fail_unless(ret == EOK, "access_simple_check failed."); +- fail_unless(access_granted == true, "Access denied " +- "for group with different case " +- "in case-insensitive domain"); ++ req = simple_access_check_send(test_ctx, test_ctx->ev, ++ test_ctx->ctx, "U1"); ++ fail_unless(test_ctx != NULL, "Cannot create request\n"); ++ 
tevent_req_set_callback(req, simple_access_check_done, test_ctx); ++ ++ test_loop(test_ctx); ++ test_ctx->done = false; ++ ++ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); ++ fail_unless(test_ctx->access_granted == true, ++ "Access denied for user with different case " ++ "in case-sensitive domain"); + } + END_TEST + +@@ -361,6 +521,7 @@ Suite *access_simple_suite (void) + tcase_add_test(tc_allow_deny, test_deny_empty); + tcase_add_test(tc_allow_deny, test_both_set); + tcase_add_test(tc_allow_deny, test_case); ++ tcase_add_test(tc_allow_deny, test_unknown_user); + suite_add_tcase(s, tc_allow_deny); + + TCase *tc_grp_allow_deny = tcase_create("group allow/deny"); +-- +1.8.1.4 + diff --git a/sssd.changes b/sssd.changes index 9b75a64..c4cbf0f 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com + +- Fixed security issue: CVE-2013-0287 (bnc#809153): + When SSSD is configured as an Active Directory client by using + the new Active Directory provider or equivalent configuration + of the LDAP provider, the Simple Access Provider does not + handle access control correctly. If any groups are specified + with the simple_deny_groups option, the group members are + permitted access. New patches: + * Provide-a-be_get_account_info_send-function.patch + * Add-unit-tests-for-simple-access-test-by-groups.patch + * Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch + * Resolve-GIDs-in-the-simple-access-provider.patch + ------------------------------------------------------------------- Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index e6ae108..d7103db 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -32,6 +32,12 @@ Patch1: 0005-implicit-decl.diff Patch2: sssd-ldflags.diff Patch3: sssd-no-ldb-check.diff Patch4: sssd-sysdb-binary-attrs.diff +# Fixes for CVE-2013-0287 (will be part of 1.9.5) when released +Patch5: Provide-a-be_get_account_info_send-function.patch +Patch6: Add-unit-tests-for-simple-access-test-by-groups.patch +Patch7: Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch +Patch8: Resolve-GIDs-in-the-simple-access-provider.patch +# End Fixed for CVE-2013-0287 BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -200,7 +206,7 @@ Security Services Daemon (sssd). %prep %setup -q -%patch -P 1 -P 2 -P 3 -P 4 -p1 +%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1 %build %if 0%{?suse_version} < 1210 From b514a157b2e74237f43881841cb1bc0659f5ed1c71b2b61af2731bf91f05a4a1 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Tue, 16 Apr 2013 04:58:44 +0000 Subject: [PATCH 39/63] Accepting request 163793 from network:ldap Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/163793 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=45 --- sssd-1.9.4.tar.gz | 3 +++ sssd-1.9.4.tar.gz.asc | 7 +++++++ sssd-1.9.4.tar.xz | 3 --- sssd.changes | 5 +++++ sssd.keyring | 34 ++++++++++++++++++++++++++++++++++ sssd.spec | 8 ++++++-- 6 files changed, 55 insertions(+), 5 deletions(-) create mode 100644 sssd-1.9.4.tar.gz create mode 100644 sssd-1.9.4.tar.gz.asc delete mode 100644 sssd-1.9.4.tar.xz create mode 100644 sssd.keyring diff --git a/sssd-1.9.4.tar.gz b/sssd-1.9.4.tar.gz new file mode 100644 index 0000000..c3139c3 --- /dev/null +++ b/sssd-1.9.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:20e39d7c5d89e217b5301f7e75360eb869ac1889701755a598fb3fbed923f4b4 +size 3050325 diff --git a/sssd-1.9.4.tar.gz.asc b/sssd-1.9.4.tar.gz.asc new file mode 100644 index 0000000..a2e92ae --- /dev/null +++ b/sssd-1.9.4.tar.gz.asc 
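Review bot: The closing marker comment in the Patch list reads `# End Fixed for CVE-2013-0287`, which does not match the opening `# Fixes for CVE-2013-0287 ...`; `# End of fixes for CVE-2013-0287` reads correctly. The opening comment would also be clearer as `# Fixes for CVE-2013-0287 (will be part of 1.9.5 when released; drop on that version bump)` so the next maintainer knows the four patches are temporary.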
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.13 (GNU/Linux) + +iEYEABECAAYFAlEG6DYACgkQHsardTLnvCXjrgCeMSfawp5NaaIu82GDZOq7EMxL +tqwAmgN3gn9e7y6AzeSBdYCCcPAyLLFo +=hHxo +-----END PGP SIGNATURE----- diff --git a/sssd-1.9.4.tar.xz b/sssd-1.9.4.tar.xz deleted file mode 100644 index 68b367c..0000000 --- a/sssd-1.9.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:269fdac3b77a03f7f3eaffde50461086bd79515f7c94376930d36f6c72d89375 -size 1337380 diff --git a/sssd.changes b/sssd.changes index c4cbf0f..bcb412c 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de + +- Implement signature verification + ------------------------------------------------------------------- Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com diff --git a/sssd.keyring b/sssd.keyring new file mode 100644 index 0000000..cbd1779 --- /dev/null +++ b/sssd.keyring 
@@ -0,0 +1,34 @@ +pub 1024D/32E7BC25 2007-02-02 +uid Jakub Hrozek +sub 2048g/132DCA21 2007-02-02 + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.19 (GNU/Linux) + +mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MU +XQDAKJM7MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0 +R+OiWh8d7ChCG6riv/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWX +qZoZrm4lPlBZQltfhzdmvn8D/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjg +q9Knn4sE9lnGjtG4RCYMT2Sideognk9Ah5nWOGynwta6cluCEqlF6ORJPKpAeqG1 +a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/XtMoHSSyPi/Xum6R+jwISv7n +TMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlSB6tAqN0G7VL6AFcs +iOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KNtbnCrhS+ +Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv +emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iF8EExECACAFAkXDdfUCGwMGCwkIBwMC +BBUCCAMEFgIDAQIeAQIXgAAKCRAexqt1Mue8JSHBAKCjYF/HshYkJ8pSZTilLO0y +bMWOFwCYlOqF7icGVDFT42W3CoqLfgajCrkCDQRFw3YAEAgAuqo0FxH1XtdOi/qW +6v+tWdqYHLj/f0Voqj1cbpS+cODNTaX1/Xf4Jnv6vm4lOG5gIkqD1e5UCpG5pDJv +MkrpY0lYRr5RGoC29tHZYXfEBVEkdhuU7ZTSQRaoitK5TSwjOj5aKvFSHEjMrCWc +GSUajECQkRHwZb3HK2wqqBWrJjjjPtj+5cQg+sKp7Zp6xU3iZlMoVfdYi/zGenum +Cp5SMm8CZZ5gcsNZhjItkTww5K//N6Kz41oMYyHlgh029JD0LHPgKacP3KeEEDzS +DEx/SSEF4zD/EfLDHehga/n0ZisNmxdxue/BI2Lm7qqGNDtV+qa17pIJ6fPfafbS +AKYatwAECwf/SuMkZN36UDsoOn06qIrYi5JBss3sOfheJEnqUIEO0JCpyb+fqisd +qoTJM0G5gFpCvuZOACpzzVv0WjhlMIyPl/7UuP4KYI6LGqAARqNxsHT7FNxT0Uv6 +QR8fGPQqVdFLFBd66EBL9PnOt3RDYwtJlD9cMNUNpzWEXjJ3RCk0lZF2eljpPlu0 +Or53OuiommnhmcmjxR5gvMf4pLqURhEZ2U0ylRiTiTIk0YyIASsDnAf0BClFXz4i +4qSD6jJloKorRC7Mu87xi1DG4ML+FYC/2d53I8OqHBRhtNUt/GbcthsHDxFq5iVp +NxwDAX1vr65PWv98pvTMnJmjIDhfgwJMdIhJBBgRAgAJBQJFw3YAAhsMAAoJEB7G +q3Uy57wllOcAoKkHB3lDFWlUNcSLdRCQxfsCCy7zAJ9GLSU2G0HR+hQVMi2ONorE +i/EyTA== +=nO6v +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sssd.spec b/sssd.spec index d7103db..5a76e53 100644 --- a/sssd.spec +++ b/sssd.spec 
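Review bot: The trust anchor this file introduces is recorded only by its 32-bit short ID, `pub 1024D/32E7BC25 2007-02-02`, and nothing on the page gives the full fingerprint, so a reviewer cannot confirm out of band that this is the upstream maintainer's signing key. Record the full fingerprint and where it was obtained in the changes entry or in the header comment of this keyring. The key is also a 1024-bit DSA key from 2007, which is generally below current key-size guidance; a note to that effect would prompt the packager to re-check when upstream rotates keys.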
@@ -26,7 +26,8 @@ Url: https://fedorahosted.org/sssd/
 Requires(postun): pam-config
 #Git-Clone: git://git.fedorahosted.org/sssd
-Source: %name-%version.tar.xz
+Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz
+Source2: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz.asc
 Source3: baselibs.conf
 Patch1: 0005-implicit-decl.diff
 Patch2: sssd-ldflags.diff
@@ -107,7 +108,9 @@ BuildRequires: pkg-config
 BuildRequires: systemd
 %{?systemd_requires}
 %endif
-BuildRequires: xz
+%if %suse_version >= 1230
+BuildRequires: gpg-offline
+%endif
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -205,6 +208,7 @@ Provide python module to access and manage configuration of the System
 Security Services Daemon (sssd).
 %prep
+%{?gpg_verify: %gpg_verify %{S:2}}
 %setup -q
 %patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1
From 665ac5a713699b15f022008f46a3d9f64259c7095ea75a20888c0615678ef449 Mon Sep 17 00:00:00 2001
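Review bot: The verification step added in the %prep hunk, `%{?gpg_verify: %gpg_verify %{S:2}}`, is fail-open: on any build where the gpg_verify macro is undefined (which includes the builds the second hunk excludes from `BuildRequires: gpg-offline`, i.e. %suse_version < 1230) the `.asc` from Source2 is fetched but never checked and the build proceeds silently. Mirror the BuildRequires guard so the intent is explicit and a missing macro becomes a build error rather than a skipped check: `%if %suse_version >= 1230`, `%gpg_verify %{S:2}`, `%endif`. The keyring added alongside (sssd.keyring, presumably what %gpg_verify checks against) holds a 1024-bit DSA key (`pub 1024D/32E7BC25`), which limits signatures to a 160-bit hash; recording the key's full fingerprint in sssd.changes would make later key rotations auditable.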
From: Stephan Kulow
Date: Mon, 13 May 2013 13:39:41 +0000
Subject: [PATCH 40/63] Accepting request 174889 from network:ldap
Automatic submission by obs-autosubmit
OBS-URL: https://build.opensuse.org/request/show/174889
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=46
---
 ...sts-for-simple-access-test-by-groups.patch | 414 -----
 ...ain-in-DP-if-UNIT_TESTING-is-defined.patch | 41 -
 ...-a-be_get_account_info_send-function.patch | 237 ---
 ...e-GIDs-in-the-simple-access-provider.patch | 1624 -----------------
 sssd-1.9.4.tar.gz | 3 -
 sssd-1.9.4.tar.gz.asc | 7 -
 sssd-1.9.5.tar.gz | 3 +
 sssd-1.9.5.tar.gz.asc | 7 +
 sssd-sysdb-binary-attrs.diff | 102 --
 sssd.changes | 24 +
 sssd.spec | 13 +-
 11 files changed, 37 insertions(+), 2438 deletions(-)
 delete mode 100644 Add-unit-tests-for-simple-access-test-by-groups.patch
 delete mode 100644 Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
 delete mode 100644 Provide-a-be_get_account_info_send-function.patch
 delete mode 100644 Resolve-GIDs-in-the-simple-access-provider.patch
 delete mode 100644 sssd-1.9.4.tar.gz
 delete mode 100644 sssd-1.9.4.tar.gz.asc
 create mode 100644 sssd-1.9.5.tar.gz
 create mode 100644 sssd-1.9.5.tar.gz.asc
 delete mode 100644 sssd-sysdb-binary-attrs.diff
diff --git a/Add-unit-tests-for-simple-access-test-by-groups.patch b/Add-unit-tests-for-simple-access-test-by-groups.patch
deleted file mode 100644
index dcf284f..0000000
--- a/Add-unit-tests-for-simple-access-test-by-groups.patch
+++ /dev/null
@@ -1,414 +0,0 @@ -From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Sun, 3 Mar 2013 21:43:44 +0100 -Subject: Add unit tests for simple access test by groups - -I realized that the current unit tests for the simple access provider -only tested the user directives. To have a baseline and be able to -detect new bugs in the upcoming patch, I implemented unit tests for the -group lists, too. -(cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b) ---- - src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++----- - 1 file changed, 253 insertions(+), 32 deletions(-) - -diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c -index c61814e..577c6d3 100644 ---- a/src/tests/simple_access-tests.c -+++ b/src/tests/simple_access-tests.c -@@ -30,39 +30,152 @@ - #include "providers/simple/simple_access.h" - #include "tests/common.h" - -+#define TESTS_PATH "tests_simple_access" -+#define TEST_CONF_FILE "tests_conf.ldb" -+ - const char *ulist_1[] = {"u1", "u2", NULL}; -+const char *glist_1[] = {"g1", "g2", NULL}; -+ -+struct simple_test_ctx *test_ctx = NULL; -+ -+struct simple_test_ctx { -+ struct sysdb_ctx *sysdb; -+ struct confdb_ctx *confdb; - --struct simple_ctx *ctx = NULL; -+ struct simple_ctx *ctx; -+}; - - void setup_simple(void) - { -- fail_unless(ctx == NULL, "Simple context already initialized."); -- ctx = talloc_zero(NULL, struct simple_ctx); -- fail_unless(ctx != NULL, "Cannot create simple context."); -- -- ctx->domain = talloc_zero(ctx, struct sss_domain_info); -- fail_unless(ctx != NULL, "Cannot create domain in simple context."); -- ctx->domain->case_sensitive = true; -+ errno_t ret; -+ char *conf_db; -+ const char *val[2]; -+ val[1] = NULL; -+ -+ /* Create tests directory if it doesn't exist */ -+ /* (relative to current dir) */ -+ ret = mkdir(TESTS_PATH, 0775); -+ fail_if(ret == -1 && errno != EEXIST, -+ "Could not create %s directory", TESTS_PATH); -+ -+ 
fail_unless(test_ctx == NULL, "Simple context already initialized."); -+ test_ctx = talloc_zero(NULL, struct simple_test_ctx); -+ fail_unless(test_ctx != NULL, "Cannot create simple test context."); -+ -+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx); -+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context."); -+ -+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); -+ fail_if(conf_db == NULL, "Out of memory, aborting!"); -+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db)); -+ -+ /* Connect to the conf db */ -+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db); -+ fail_if(ret != EOK, "Could not initialize connection to the confdb"); -+ -+ val[0] = "LOCAL"; -+ ret = confdb_add_param(test_ctx->confdb, true, -+ "config/sssd", "domains", val); -+ fail_if(ret != EOK, "Could not initialize domains placeholder"); -+ -+ val[0] = "local"; -+ ret = confdb_add_param(test_ctx->confdb, true, -+ "config/domain/LOCAL", "id_provider", val); -+ fail_if(ret != EOK, "Could not initialize provider"); -+ -+ val[0] = "TRUE"; -+ ret = confdb_add_param(test_ctx->confdb, true, -+ "config/domain/LOCAL", "enumerate", val); -+ fail_if(ret != EOK, "Could not initialize LOCAL domain"); -+ -+ val[0] = "TRUE"; -+ ret = confdb_add_param(test_ctx->confdb, true, -+ "config/domain/LOCAL", "cache_credentials", val); -+ fail_if(ret != EOK, "Could not initialize LOCAL domain"); -+ -+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local", -+ TESTS_PATH, -+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb); -+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret); -+ test_ctx->ctx->domain->case_sensitive = true; - } - - void teardown_simple(void) - { - int ret; -- fail_unless(ctx != NULL, "Simple context already freed."); -- ret = talloc_free(ctx); -- ctx = NULL; -+ fail_unless(test_ctx != NULL, "Simple context already freed."); -+ ret = talloc_free(test_ctx); -+ test_ctx = NULL; - fail_unless(ret == 0, "Connot 
free simple context."); - } - -+void setup_simple_group(void) -+{ -+ errno_t ret; -+ -+ setup_simple(); -+ -+ /* Add test users u1 and u2 that would be members of test groups -+ * g1 and g2 respectively */ -+ ret = sysdb_store_user(test_ctx->ctx->sysdb, -+ "u1", NULL, 123, 0, "u1", "/home/u1", -+ "/bin/bash", NULL, NULL, NULL, -1, 0); -+ fail_if(ret != EOK, "Could not add u1"); -+ -+ ret = sysdb_store_user(test_ctx->ctx->sysdb, -+ "u2", NULL, 456, 0, "u1", "/home/u1", -+ "/bin/bash", NULL, NULL, NULL, -1, 0); -+ fail_if(ret != EOK, "Could not add u2"); -+ -+ ret = sysdb_store_user(test_ctx->ctx->sysdb, -+ "u3", NULL, 789, 0, "u1", "/home/u1", -+ "/bin/bash", NULL, NULL, NULL, -1, 0); -+ fail_if(ret != EOK, "Could not add u3"); -+ -+ ret = sysdb_add_group(test_ctx->ctx->sysdb, -+ "g1", 321, NULL, 0, 0); -+ fail_if(ret != EOK, "Could not add g1"); -+ -+ ret = sysdb_add_group(test_ctx->ctx->sysdb, -+ "g2", 654, NULL, 0, 0); -+ fail_if(ret != EOK, "Could not add g2"); -+ -+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb, -+ "g1", "u1", SYSDB_MEMBER_USER); -+ fail_if(ret != EOK, "Could not add u1 to g1"); -+ -+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb, -+ "g2", "u2", SYSDB_MEMBER_USER); -+ fail_if(ret != EOK, "Could not add u2 to g2"); -+} -+ -+void teardown_simple_group(void) -+{ -+ errno_t ret; -+ -+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0); -+ fail_if(ret != EOK, "Could not delete u1"); -+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0); -+ fail_if(ret != EOK, "Could not delete u2"); -+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0); -+ fail_if(ret != EOK, "Could not delete u3"); -+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0); -+ fail_if(ret != EOK, "Could not delete g1"); -+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0); -+ fail_if(ret != EOK, "Could not delete g2"); -+ -+ teardown_simple(); -+} -+ - START_TEST(test_both_empty) - { - int ret; - bool access_granted = false; - -- ctx->allow_users = NULL; 
-- ctx->deny_users = NULL; -+ test_ctx->ctx->allow_users = NULL; -+ test_ctx->ctx->deny_users = NULL; - -- ret = simple_access_check(ctx, "u1", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "while both lists are empty."); -@@ -74,15 +187,15 @@ START_TEST(test_allow_empty) - int ret; - bool access_granted = true; - -- ctx->allow_users = NULL; -- ctx->deny_users = discard_const(ulist_1); -+ test_ctx->ctx->allow_users = NULL; -+ test_ctx->ctx->deny_users = discard_const(ulist_1); - -- ret = simple_access_check(ctx, "u1", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while user is in deny list."); - -- ret = simple_access_check(ctx, "u3", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "while user is not in deny list."); -@@ -94,15 +207,15 @@ START_TEST(test_deny_empty) - int ret; - bool access_granted = false; - -- ctx->allow_users = discard_const(ulist_1); -- ctx->deny_users = NULL; -+ test_ctx->ctx->allow_users = discard_const(ulist_1); -+ test_ctx->ctx->deny_users = NULL; - -- ret = simple_access_check(ctx, "u1", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "while user is in allow list."); - -- ret = simple_access_check(ctx, "u3", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while user is not in 
allow list."); -@@ -114,15 +227,15 @@ START_TEST(test_both_set) - int ret; - bool access_granted = false; - -- ctx->allow_users = discard_const(ulist_1); -- ctx->deny_users = discard_const(ulist_1); -+ test_ctx->ctx->allow_users = discard_const(ulist_1); -+ test_ctx->ctx->deny_users = discard_const(ulist_1); - -- ret = simple_access_check(ctx, "u1", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while user is in deny list."); - -- ret = simple_access_check(ctx, "u3", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "while user is not in allow list."); -@@ -134,18 +247,18 @@ START_TEST(test_case) - int ret; - bool access_granted = false; - -- ctx->allow_users = discard_const(ulist_1); -- ctx->deny_users = NULL; -+ test_ctx->ctx->allow_users = discard_const(ulist_1); -+ test_ctx->ctx->deny_users = NULL; - -- ret = simple_access_check(ctx, "U1", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == false, "Access granted " - "for user with different case " - "in case-sensitive domain"); - -- ctx->domain->case_sensitive = false; -+ test_ctx->ctx->domain->case_sensitive = false; - -- ret = simple_access_check(ctx, "U1", &access_granted); -+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); - fail_unless(ret == EOK, "access_simple_check failed."); - fail_unless(access_granted == true, "Access denied " - "for user with different case " -@@ -153,11 +266,95 @@ START_TEST(test_case) - } - END_TEST - -+START_TEST(test_group_allow_empty) -+{ -+ int ret; -+ bool access_granted = true; -+ -+ test_ctx->ctx->allow_groups = NULL; -+ 
test_ctx->ctx->deny_groups = discard_const(glist_1); -+ -+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -+ fail_unless(ret == EOK, "access_simple_check failed."); -+ fail_unless(access_granted == false, "Access granted " -+ "while group is in deny list."); -+ -+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -+ fail_unless(ret == EOK, "access_simple_check failed."); -+ fail_unless(access_granted == true, "Access denied " -+ "while group is not in deny list."); -+} -+END_TEST -+ -+START_TEST(test_group_deny_empty) -+{ -+ int ret; -+ bool access_granted = false; -+ -+ test_ctx->ctx->allow_groups = discard_const(glist_1); -+ test_ctx->ctx->deny_groups = NULL; -+ -+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -+ fail_unless(ret == EOK, "access_simple_check failed."); -+ fail_unless(access_granted == true, "Access denied " -+ "while group is in allow list."); -+ -+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -+ fail_unless(ret == EOK, "access_simple_check failed."); -+ fail_unless(access_granted == false, "Access granted " -+ "while group is not in allow list."); -+} -+END_TEST -+ -+START_TEST(test_group_both_set) -+{ -+ int ret; -+ bool access_granted = false; -+ -+ test_ctx->ctx->allow_groups = discard_const(ulist_1); -+ test_ctx->ctx->deny_groups = discard_const(ulist_1); -+ -+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -+ fail_unless(ret == EOK, "access_simple_check failed."); -+ fail_unless(access_granted == false, "Access granted " -+ "while group is in deny list."); -+ -+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -+ fail_unless(ret == EOK, "access_simple_check failed."); -+ fail_unless(access_granted == false, "Access granted " -+ "while group is not in allow list."); -+} -+END_TEST -+ -+START_TEST(test_group_case) -+{ -+ int ret; -+ bool access_granted = false; -+ -+ test_ctx->ctx->allow_groups = discard_const(ulist_1); -+ 
test_ctx->ctx->deny_groups = NULL; -+ -+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); -+ fail_unless(ret == EOK, "access_simple_check failed."); -+ fail_unless(access_granted == false, "Access granted " -+ "for group with different case " -+ "in case-sensitive domain"); -+ -+ test_ctx->ctx->domain->case_sensitive = false; -+ -+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); -+ fail_unless(ret == EOK, "access_simple_check failed."); -+ fail_unless(access_granted == true, "Access denied " -+ "for group with different case " -+ "in case-insensitive domain"); -+} -+END_TEST -+ - Suite *access_simple_suite (void) - { - Suite *s = suite_create("access_simple"); - -- TCase *tc_allow_deny = tcase_create("allow/deny"); -+ TCase *tc_allow_deny = tcase_create("user allow/deny"); - tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple); - tcase_add_test(tc_allow_deny, test_both_empty); - tcase_add_test(tc_allow_deny, test_allow_empty); -@@ -166,6 +363,15 @@ Suite *access_simple_suite (void) - tcase_add_test(tc_allow_deny, test_case); - suite_add_tcase(s, tc_allow_deny); - -+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny"); -+ tcase_add_checked_fixture(tc_grp_allow_deny, -+ setup_simple_group, teardown_simple_group); -+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty); -+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty); -+ tcase_add_test(tc_grp_allow_deny, test_group_both_set); -+ tcase_add_test(tc_grp_allow_deny, test_group_case); -+ suite_add_tcase(s, tc_grp_allow_deny); -+ - return s; - } - -@@ -174,6 +380,7 @@ int main(int argc, const char *argv[]) - int opt; - poptContext pc; - int number_failed; -+ int ret; - - struct poptOption long_options[] = { - POPT_AUTOHELP -@@ -205,6 +412,20 @@ int main(int argc, const char *argv[]) - srunner_run_all(sr, CK_ENV); - number_failed = srunner_ntests_failed(sr); - srunner_free(sr); -+ -+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE); -+ if (ret != EOK) { -+ 
fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", -+ errno, strerror(errno)); -+ return EXIT_FAILURE; -+ } -+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE); -+ if (ret != EOK) { -+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", -+ errno, strerror(errno)); -+ return EXIT_FAILURE; -+ } -+ - return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE); - } - --- -1.8.1.4 - diff --git a/Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch b/Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch deleted file mode 100644 index d66871b..0000000 --- a/Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 8dfcfe629db83eb58dd6613aa174222cb853afb1 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 4 Mar 2013 16:37:04 +0100 -Subject: Do not compile main() in DP if UNIT_TESTING is defined - -The simple access provider unit tests now need to link against the Data -Provider when they start using the be_file_account_request() function. -But then we would start having conflicts as at least the main() -functions would clash. - -If UNIT_TESTING is defined, then the data_provider_be.c module does not -contain the main() function and can be linked against directly from -another module that contains its own main() function -(cherry picked from commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb) ---- - src/providers/data_provider_be.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c -index f85a04d..33590ae 100644 ---- a/src/providers/data_provider_be.c -+++ b/src/providers/data_provider_be.c -@@ -2651,6 +2651,7 @@ fail: - return ret; - } - -+#ifndef UNIT_TESTING - int main(int argc, const char *argv[]) - { - int opt; -@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[]) - - return 0; - } -+#endif - - static int data_provider_res_init(DBusMessage *message, - struct sbus_connection *conn) --- -1.8.1.4 - 
diff --git a/Provide-a-be_get_account_info_send-function.patch b/Provide-a-be_get_account_info_send-function.patch
deleted file mode 100644
index 5e75c49..0000000
--- a/Provide-a-be_get_account_info_send-function.patch
+++ /dev/null
@@ -1,237 +0,0 @@ -From 455737c0b4b0c1bfeed54f2e27e397ce403acbca Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Fri, 22 Feb 2013 11:01:38 +0100 -Subject: Provide a be_get_account_info_send function - -In order to resolve group names in the simple access provider we need to -contact the Data Provider in a generic fashion from the access provider. -We can't call any particular implementation (like sdap_generic_send()) -because we have no idea what kind of provider is configured as the -id_provider. - -This patch splits introduces the be_file_account_request() function into -the data_provider_be module and makes it public. - -A future patch should make the be_get_account_info function use the -be_get_account_info_send function. -(cherry picked from commit b63830b142053f99bfe954d4be5a2b0f68ce3a93) ---- - src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++----- - src/providers/dp_backend.h | 15 ++++ - 2 files changed, 149 insertions(+), 19 deletions(-) - -diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c -index b261bf8..f85a04d 100644 ---- a/src/providers/data_provider_be.c -+++ b/src/providers/data_provider_be.c -@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req) - } - - static errno_t -+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar) -+{ -+ errno_t ret; -+ struct be_ctx *be_ctx = be_req->be_ctx; -+ -+ be_req->req_data = ar; -+ -+ /* see if we need a pre request call, only done for initgroups for now */ -+ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) { -+ ret = be_initgroups_prereq(be_req); -+ if (ret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed")); -+ return ret; -+ } -+ } -+ -+ /* process request */ -+ ret = be_file_request(be_ctx, be_req, -+ be_ctx->bet_info[BET_ID].bet_ops->handler); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request")); -+ return ret; -+ } -+ -+ return EOK; -+} -+ -+static errno_t - 
split_name_extended(TALLOC_CTX *mem_ctx, - const char *filter, - char **name, -@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx, - return EOK; - } - -+static void -+be_get_account_info_done(struct be_req *be_req, -+ int dp_err, int dp_ret, -+ const char *errstr); -+ -+struct be_get_account_info_state { -+ int err_maj; -+ int err_min; -+ const char *err_msg; -+}; -+ -+struct tevent_req * -+be_get_account_info_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct be_client *becli, -+ struct be_ctx *be_ctx, -+ struct be_acct_req *ar) -+{ -+ struct tevent_req *req; -+ struct be_get_account_info_state *state; -+ struct be_req *be_req; -+ errno_t ret; -+ -+ req = tevent_req_create(mem_ctx, &state, -+ struct be_get_account_info_state); -+ if (!req) return NULL; -+ -+ be_req = talloc_zero(mem_ctx, struct be_req); -+ if (be_req == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ be_req->becli = becli; -+ be_req->be_ctx = be_ctx; -+ be_req->fn = be_get_account_info_done; -+ be_req->pvt = req; -+ -+ ret = be_file_account_request(be_req, ar); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ return req; -+ -+done: -+ tevent_req_error(req, ret); -+ tevent_req_post(req, ev); -+ return req; -+} -+ -+static void -+be_get_account_info_done(struct be_req *be_req, -+ int dp_err, int dp_ret, -+ const char *errstr) -+{ -+ struct tevent_req *req; -+ struct be_get_account_info_state *state; -+ -+ req = talloc_get_type(be_req->pvt, struct tevent_req); -+ state = tevent_req_data(req, struct be_get_account_info_state); -+ -+ state->err_maj = dp_err; -+ state->err_min = dp_ret; -+ if (errstr) { -+ state->err_msg = talloc_strdup(state, errstr); -+ if (state->err_msg == NULL) { -+ talloc_free(be_req); -+ tevent_req_error(req, ENOMEM); -+ return; -+ } -+ } -+ -+ talloc_free(be_req); -+ tevent_req_done(req); -+} -+ -+errno_t be_get_account_info_recv(struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ int *_err_maj, -+ int *_err_min, -+ const char **_err_msg) -+{ -+ struct 
be_get_account_info_state *state; -+ -+ state = tevent_req_data(req, struct be_get_account_info_state); -+ -+ TEVENT_REQ_RETURN_ON_ERROR(req); -+ -+ if (_err_maj) { -+ *_err_maj = state->err_maj; -+ } -+ -+ if (_err_min) { -+ *_err_min = state->err_min; -+ } -+ -+ if (_err_msg) { -+ *_err_msg = talloc_steal(mem_ctx, state->err_msg); -+ } -+ -+ return EOK; -+} -+ - static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn) - { - struct be_acct_req *req; -@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con - goto done; - } - -- be_req->req_data = req; -- - if ((attr_type != BE_ATTR_CORE) && - (attr_type != BE_ATTR_MEM) && - (attr_type != BE_ATTR_ALL)) { -@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con - goto done; - } - -- /* see if we need a pre request call, only done for initgroups for now */ -- if ((type & 0xFF) == BE_REQ_INITGROUPS) { -- ret = be_initgroups_prereq(be_req); -- if (ret) { -- err_maj = DP_ERR_FATAL; -- err_min = ret; -- err_msg = "Prerequest failed"; -- goto done; -- } -- } -- -- /* process request */ -- -- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data, -- be_req, -- becli->bectx->bet_info[BET_ID].bet_ops->handler); -+ ret = be_file_account_request(be_req, req); - if (ret != EOK) { - err_maj = DP_ERR_FATAL; - err_min = ret; -- err_msg = "Failed to file request"; -+ err_msg = "Cannot file account request"; - goto done; - } - -diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h -index 58a9b74..743b6f4 100644 ---- a/src/providers/dp_backend.h -+++ b/src/providers/dp_backend.h -@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx, - const char *service_name); - - void reset_fo(struct be_ctx *be_ctx); -+ -+/* Request account information */ -+struct tevent_req * -+be_get_account_info_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct be_client 
*becli, -+ struct be_ctx *be_ctx, -+ struct be_acct_req *ar); -+ -+errno_t be_get_account_info_recv(struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ int *_err_maj, -+ int *_err_min, -+ const char **_err_msg); -+ - #endif /* __DP_BACKEND_H___ */ --- -1.8.1.4 - diff --git a/Resolve-GIDs-in-the-simple-access-provider.patch b/Resolve-GIDs-in-the-simple-access-provider.patch deleted file mode 100644 index 91e09a4..0000000 --- a/Resolve-GIDs-in-the-simple-access-provider.patch +++ /dev/null 
@@ -1,1624 +0,0 @@ -From ba1193c7b950a3849e04e28e60d83eece5ee49bc Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Sat, 23 Feb 2013 10:44:54 +0100 -Subject: Resolve GIDs in the simple access provider - -Changes the simple access provider's interface to be asynchronous. When -the simple access provider encounters a group that has gid, but no -meaningful name, it attempts to resolve the name using the -be_file_account_request function. - -Some providers (like the AD provider) might perform initgroups -without resolving the group names. In order for the simple access -provider to work correctly, we need to resolve the groups before -performing the access check. In AD provider, the situation is -even more tricky b/c the groups HAVE name, but their name -attribute is set to SID and they are set as non-POSIX -(cherry picked from commit 8b8019fe3dd1564fba657e219ec20ff816c7ffdb) ---- - Makefile.am | 17 +- - src/providers/simple/simple_access.c | 228 ++------- - src/providers/simple/simple_access.h | 11 +- - src/providers/simple/simple_access_check.c | 723 +++++++++++++++++++++++++++++ - src/tests/simple_access-tests.c | 361 ++++++++++---- - 5 files changed, 1033 insertions(+), 307 deletions(-) - create mode 100644 src/providers/simple/simple_access_check.c - -diff --git a/Makefile.am b/Makefile.am -index dda090d..223431d 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1008,14 +1008,22 @@ ad_ldap_opt_tests_LDADD = \ - simple_access_tests_SOURCES = \ - src/tests/simple_access-tests.c \ - src/tests/common.c \ -- src/providers/simple/simple_access.c -+ src/providers/simple/simple_access_check.c \ -+ src/providers/data_provider_be.c \ -+ src/providers/data_provider_fo.c \ -+ src/providers/data_provider_callbacks.c \ -+ $(SSSD_FAILOVER_OBJ) - simple_access_tests_CFLAGS = \ - $(AM_CFLAGS) \ -- $(CHECK_CFLAGS) -+ $(CHECK_CFLAGS) \ -+ -DUNIT_TESTING - simple_access_tests_LDADD = \ - $(SSSD_LIBS) \ -+ $(CARES_LIBS) \ - $(CHECK_LIBS) \ -- libsss_util.la -+ $(PAM_LIBS) \ -+ 
libsss_util.la \ -+ libsss_test_common.la - - util_tests_SOURCES = \ - src/tests/util-tests.c -@@ -1347,7 +1355,8 @@ libsss_proxy_la_LDFLAGS = \ - -module - - libsss_simple_la_SOURCES = \ -- src/providers/simple/simple_access.c -+ src/providers/simple/simple_access.c \ -+ src/providers/simple/simple_access_check.c - libsss_simple_la_CFLAGS = \ - $(AM_CFLAGS) - libsss_simple_la_LIBADD = \ -diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c -index 70d1f07..d53a04b 100644 ---- a/src/providers/simple/simple_access.c -+++ b/src/providers/simple/simple_access.c -@@ -35,227 +35,52 @@ - #define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups" - #define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups" - --errno_t simple_access_check(struct simple_ctx *ctx, const char *username, -- bool *access_granted) --{ -- int i, j; -- errno_t ret; -- TALLOC_CTX *tmp_ctx = NULL; -- const char *user_attrs[] = { SYSDB_MEMBEROF, -- SYSDB_GIDNUM, -- NULL }; -- const char *group_attrs[] = { SYSDB_NAME, -- NULL }; -- struct ldb_message *msg; -- struct ldb_message_element *el; -- char **groups; -- const char *primary_group; -- gid_t gid; -- bool matched; -- bool cs = ctx->domain->case_sensitive; -- -- *access_granted = false; -- -- /* First, check whether the user is in the allowed users list */ -- if (ctx->allow_users != NULL) { -- for(i = 0; ctx->allow_users[i] != NULL; i++) { -- if (sss_string_equal(cs, username, ctx->allow_users[i])) { -- DEBUG(9, ("User [%s] found in allow list, access granted.\n", -- username)); -- -- /* Do not return immediately on explicit allow -- * We need to make sure none of the user's groups -- * are denied. -- */ -- *access_granted = true; -- } -- } -- } else if (!ctx->allow_groups) { -- /* If neither allow rule is in place, we'll assume allowed -- * unless a deny rule disables us below. 
-- */ -- *access_granted = true; -- } -+static void simple_access_check(struct tevent_req *req); - -- /* Next check whether this user has been specifically denied */ -- if (ctx->deny_users != NULL) { -- for(i = 0; ctx->deny_users[i] != NULL; i++) { -- if (sss_string_equal(cs, username, ctx->deny_users[i])) { -- DEBUG(9, ("User [%s] found in deny list, access denied.\n", -- username)); -- -- /* Return immediately on explicit denial */ -- *access_granted = false; -- return EOK; -- } -- } -- } -+void simple_access_handler(struct be_req *be_req) -+{ -+ struct be_ctx *be_ctx = be_req->be_ctx; -+ struct pam_data *pd; -+ struct tevent_req *req; -+ struct simple_ctx *ctx; - -- if (!ctx->allow_groups && !ctx->deny_groups) { -- /* There are no group restrictions, so just return -- * here with whatever we've decided. -- */ -- return EOK; -- } -+ pd = talloc_get_type(be_req->req_data, struct pam_data); - -- /* Now get a list of this user's groups and check those against the -- * simple_allow_groups list. 
-- */ -- tmp_ctx = talloc_new(NULL); -- if (!tmp_ctx) { -- ret = ENOMEM; -- goto done; -- } -+ pd->pam_status = PAM_SYSTEM_ERR; - -- ret = sysdb_search_user_by_name(tmp_ctx, ctx->sysdb, -- username, user_attrs, &msg); -- if (ret != EOK) { -- DEBUG(1, ("Could not look up username [%s]: [%d][%s]\n", -- username, ret, strerror(ret))); -+ if (pd->cmd != SSS_PAM_ACCT_MGMT) { -+ DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd)); -+ pd->pam_status = PAM_MODULE_UNKNOWN; - goto done; - } - -- /* Construct a list of the user's groups */ -- el = ldb_msg_find_element(msg, SYSDB_MEMBEROF); -- if (el && el->num_values) { -- /* Get the groups from the memberOf entries -- * Allocate the array with room for both the NULL -- * terminator and the primary group -- */ -- groups = talloc_array(tmp_ctx, char *, el->num_values + 2); -- if (!groups) { -- ret = ENOMEM; -- goto done; -- } -- -- for (j = 0; j < el->num_values; j++) { -- ret = sysdb_group_dn_name( -- ctx->sysdb, tmp_ctx, -- (char *)el->values[j].data, -- &groups[j]); -- if (ret != EOK) { -- goto done; -- } -- } -- } else { -- /* User is not a member of any groups except primary */ -- groups = talloc_array(tmp_ctx, char *, 2); -- if (!groups) { -- ret = ENOMEM; -- goto done; -- } -- j = 0; -- } -+ ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, -+ struct simple_ctx); - -- /* Get the user's primary group */ -- gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0); -- if (!gid) { -- ret = EINVAL; -+ req = simple_access_check_send(be_req, be_ctx->ev, ctx, pd->user); -+ if (!req) { -+ pd->pam_status = PAM_SYSTEM_ERR; - goto done; - } -- talloc_zfree(msg); -- -- ret = sysdb_search_group_by_gid(tmp_ctx, ctx->sysdb, -- gid, group_attrs, &msg); -- if (ret != EOK) { -- DEBUG(1, ("Could not look up primary group [%lu]: [%d][%s]\n", -- gid, ret, strerror(ret))); -- /* We have to treat this as non-fatal, because the primary -- * group may be local to the machine and not available in -- * our ID 
provider. -- */ -- } else { -- primary_group = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -- if (!primary_group) { -- ret = EINVAL; -- goto done; -- } -- -- groups[j] = talloc_strdup(tmp_ctx, primary_group); -- if (!groups[j]) { -- ret = ENOMEM; -- goto done; -- } -- j++; -- -- talloc_zfree(msg); -- } -- -- groups[j] = NULL; -- -- /* Now process allow and deny group rules -- * If access was already granted above, we'll skip -- * this redundant rule check -- */ -- if (ctx->allow_groups && !*access_granted) { -- matched = false; -- for (i = 0; ctx->allow_groups[i]; i++) { -- for(j = 0; groups[j]; j++) { -- if (sss_string_equal(cs, groups[j], ctx->allow_groups[i])) { -- matched = true; -- break; -- } -- } -- -- /* If any group has matched, we can skip out on the -- * processing early -- */ -- if (matched) { -- *access_granted = true; -- break; -- } -- } -- } -- -- /* Finally, process the deny group rules */ -- if (ctx->deny_groups) { -- matched = false; -- for (i = 0; ctx->deny_groups[i]; i++) { -- for(j = 0; groups[j]; j++) { -- if (sss_string_equal(cs, groups[j], ctx->deny_groups[i])) { -- matched = true; -- break; -- } -- } -- -- /* If any group has matched, we can skip out on the -- * processing early -- */ -- if (matched) { -- *access_granted = false; -- break; -- } -- } -- } -- -- ret = EOK; -+ tevent_req_set_callback(req, simple_access_check, be_req); -+ return; - - done: -- talloc_free(tmp_ctx); -- return ret; -+ be_req->fn(be_req, DP_ERR_OK, pd->pam_status, NULL); - } - --void simple_access_handler(struct be_req *be_req) -+static void simple_access_check(struct tevent_req *req) - { -- int ret; - bool access_granted = false; -+ errno_t ret; - struct pam_data *pd; -- struct simple_ctx *ctx; -+ struct be_req *be_req; - -+ be_req = tevent_req_callback_data(req, struct be_req); - pd = talloc_get_type(be_req->req_data, struct pam_data); - -- pd->pam_status = PAM_SYSTEM_ERR; -- -- if (pd->cmd != SSS_PAM_ACCT_MGMT) { -- DEBUG(4, ("simple access does not 
handles pam task %d.\n", pd->cmd)); -- pd->pam_status = PAM_MODULE_UNKNOWN; -- goto done; -- } -- -- ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, -- struct simple_ctx); -- -- ret = simple_access_check(ctx, pd->user, &access_granted); -+ ret = simple_access_check_recv(req, &access_granted); -+ talloc_free(req); - if (ret != EOK) { - pd->pam_status = PAM_SYSTEM_ERR; - goto done; -@@ -290,6 +115,7 @@ int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops, - - ctx->sysdb = bectx->sysdb; - ctx->domain = bectx->domain; -+ ctx->be_ctx = bectx; - - /* Users */ - ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path, -diff --git a/src/providers/simple/simple_access.h b/src/providers/simple/simple_access.h -index abcf61a..1de9d89 100644 ---- a/src/providers/simple/simple_access.h -+++ b/src/providers/simple/simple_access.h -@@ -29,6 +29,7 @@ - struct simple_ctx { - struct sysdb_ctx *sysdb; - struct sss_domain_info *domain; -+ struct be_ctx *be_ctx; - - char **allow_users; - char **deny_users; -@@ -36,6 +37,12 @@ struct simple_ctx { - char **deny_groups; - }; - --errno_t simple_access_check(struct simple_ctx *ctx, const char *username, -- bool *access_granted); -+struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct simple_ctx *ctx, -+ const char *username); -+ -+errno_t simple_access_check_recv(struct tevent_req *req, -+ bool *access_granted); -+ - #endif /* __SIMPLE_ACCESS_H__ */ -diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c -new file mode 100644 -index 0000000..a9e8f63 ---- /dev/null -+++ b/src/providers/simple/simple_access_check.c -@@ -0,0 +1,723 @@ -+/* -+ SSSD -+ -+ Simple access control -+ -+ Copyright (C) Sumit Bose 2010 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either 
version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "providers/dp_backend.h" -+#include "providers/simple/simple_access.h" -+#include "util/sss_utf8.h" -+#include "db/sysdb.h" -+ -+static bool -+is_posix(const struct ldb_message *group) -+{ -+ const char *val; -+ -+ val = ldb_msg_find_attr_as_string(group, SYSDB_POSIX, NULL); -+ if (!val || /* Groups are posix by default */ -+ strcasecmp(val, "TRUE") == 0) { -+ return true; -+ } -+ -+ return false; -+} -+ -+/* Returns EOK if the result is definitive, EAGAIN if only partial result -+ */ -+static errno_t -+simple_check_users(struct simple_ctx *ctx, const char *username, -+ bool *access_granted) -+{ -+ int i; -+ bool cs = ctx->domain->case_sensitive; -+ -+ /* First, check whether the user is in the allowed users list */ -+ if (ctx->allow_users != NULL) { -+ for(i = 0; ctx->allow_users[i] != NULL; i++) { -+ if (sss_string_equal(cs, username, ctx->allow_users[i])) { -+ DEBUG(SSSDBG_TRACE_LIBS, -+ ("User [%s] found in allow list, access granted.\n", -+ username)); -+ -+ /* Do not return immediately on explicit allow -+ * We need to make sure none of the user's groups -+ * are denied. -+ */ -+ *access_granted = true; -+ } -+ } -+ } else if (!ctx->allow_groups) { -+ /* If neither allow rule is in place, we'll assume allowed -+ * unless a deny rule disables us below. 
-+ */ -+ DEBUG(SSSDBG_TRACE_LIBS, -+ ("No allow rule, assumuing allow unless explicitly denied\n")); -+ *access_granted = true; -+ } -+ -+ /* Next check whether this user has been specifically denied */ -+ if (ctx->deny_users != NULL) { -+ for(i = 0; ctx->deny_users[i] != NULL; i++) { -+ if (sss_string_equal(cs, username, ctx->deny_users[i])) { -+ DEBUG(SSSDBG_TRACE_LIBS, -+ ("User [%s] found in deny list, access denied.\n", -+ username)); -+ -+ /* Return immediately on explicit denial */ -+ *access_granted = false; -+ return EOK; -+ } -+ } -+ } -+ -+ return EAGAIN; -+} -+ -+static errno_t -+simple_check_groups(struct simple_ctx *ctx, const char *username, -+ const char **group_names, bool *access_granted) -+{ -+ bool matched; -+ int i, j; -+ bool cs = ctx->domain->case_sensitive; -+ -+ /* Now process allow and deny group rules -+ * If access was already granted above, we'll skip -+ * this redundant rule check -+ */ -+ if (ctx->allow_groups && !*access_granted) { -+ matched = false; -+ for (i = 0; ctx->allow_groups[i]; i++) { -+ for(j = 0; group_names[j]; j++) { -+ if (sss_string_equal(cs, group_names[j], ctx->allow_groups[i])) { -+ matched = true; -+ break; -+ } -+ } -+ -+ /* If any group has matched, we can skip out on the -+ * processing early -+ */ -+ if (matched) { -+ DEBUG(SSSDBG_TRACE_LIBS, -+ ("Group [%s] found in allow list, access granted.\n", -+ group_names[j])); -+ *access_granted = true; -+ break; -+ } -+ } -+ } -+ -+ /* Finally, process the deny group rules */ -+ if (ctx->deny_groups) { -+ matched = false; -+ for (i = 0; ctx->deny_groups[i]; i++) { -+ for(j = 0; group_names[j]; j++) { -+ if (sss_string_equal(cs, group_names[j], ctx->deny_groups[i])) { -+ matched = true; -+ break; -+ } -+ } -+ -+ /* If any group has matched, we can skip out on the -+ * processing early -+ */ -+ if (matched) { -+ DEBUG(SSSDBG_TRACE_LIBS, -+ ("Group [%s] found in deny list, access denied.\n", -+ group_names[j])); -+ *access_granted = false; -+ break; -+ } -+ } -+ } -+ -+ 
return EOK; -+} -+ -+struct simple_resolve_group_state { -+ gid_t gid; -+ struct simple_ctx *ctx; -+ -+ const char *name; -+}; -+ -+static errno_t -+simple_resolve_group_check(struct simple_resolve_group_state *state); -+static void simple_resolve_group_done(struct tevent_req *subreq); -+ -+static struct tevent_req * -+simple_resolve_group_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct simple_ctx *ctx, -+ gid_t gid) -+{ -+ errno_t ret; -+ struct tevent_req *req; -+ struct tevent_req *subreq; -+ struct simple_resolve_group_state *state; -+ struct be_acct_req *ar; -+ -+ req = tevent_req_create(mem_ctx, &state, -+ struct simple_resolve_group_state); -+ if (!req) return NULL; -+ -+ state->gid = gid; -+ state->ctx = ctx; -+ -+ /* First check if the group was updated already. If it was (maybe its -+ * parent was updated first), then just shortcut */ -+ ret = simple_resolve_group_check(state); -+ if (ret == EOK) { -+ DEBUG(SSSDBG_TRACE_LIBS, ("Group already updated\n")); -+ ret = EOK; -+ goto done; -+ } else if (ret != EAGAIN) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Cannot check if group was already updated\n")); -+ goto done; -+ } -+ /* EAGAIN - still needs update */ -+ -+ ar = talloc(state, struct be_acct_req); -+ if (!ar) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ar->entry_type = BE_REQ_GROUP; -+ ar->attr_type = BE_ATTR_CORE; -+ ar->filter_type = BE_FILTER_IDNUM; -+ ar->filter_value = talloc_asprintf(ar, "%llu", (unsigned long long) gid); -+ ar->domain = talloc_strdup(ar, ctx->domain->name); -+ if (!ar->domain || !ar->filter_value) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ subreq = be_get_account_info_send(state, ev, NULL, ctx->be_ctx, ar); -+ if (!subreq) { -+ ret = ENOMEM; -+ goto done; -+ } -+ tevent_req_set_callback(subreq, simple_resolve_group_done, req); -+ -+ return req; -+ -+done: -+ if (ret == EOK) { -+ tevent_req_done(req); -+ } else { -+ tevent_req_error(req, ret); -+ } -+ tevent_req_post(req, ev); -+ return req; -+} -+ -+static errno_t 
-+simple_resolve_group_check(struct simple_resolve_group_state *state) -+{ -+ errno_t ret; -+ struct ldb_message *group; -+ const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX, -+ SYSDB_GIDNUM, NULL }; -+ -+ /* Check the cache by GID again and fetch the name */ -+ ret = sysdb_search_group_by_gid(state, state->ctx->domain->sysdb, -+ state->gid, group_attrs, &group); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Could not look up group by gid [%lu]: [%d][%s]\n", -+ state->gid, ret, strerror(ret))); -+ return ret; -+ } -+ -+ state->name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL); -+ if (!state->name) { -+ DEBUG(SSSDBG_OP_FAILURE, ("No group name\n")); -+ return ENOENT; -+ } -+ -+ if (is_posix(group) == false) { -+ DEBUG(SSSDBG_TRACE_LIBS, -+ ("The group is still non-POSIX\n")); -+ return EAGAIN; -+ } -+ -+ DEBUG(SSSDBG_TRACE_LIBS, ("Got POSIX group\n")); -+ return EOK; -+} -+ -+static void simple_resolve_group_done(struct tevent_req *subreq) -+{ -+ struct tevent_req *req; -+ struct simple_resolve_group_state *state; -+ int err_maj; -+ int err_min; -+ errno_t ret; -+ const char *err_msg; -+ -+ req = tevent_req_callback_data(subreq, struct tevent_req); -+ state = tevent_req_data(req, struct simple_resolve_group_state); -+ -+ ret = be_get_account_info_recv(subreq, state, -+ &err_maj, &err_min, &err_msg); -+ talloc_zfree(subreq); -+ if (ret) { -+ DEBUG(SSSDBG_OP_FAILURE, ("be_get_account_info_recv failed\n")); -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ if (err_maj) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ ("Cannot refresh data from DP: %u,%u: %s\n", -+ err_maj, err_min, err_msg)); -+ tevent_req_error(req, EIO); -+ return; -+ } -+ -+ /* Check the cache by GID again and fetch the name */ -+ ret = simple_resolve_group_check(state); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, ("Refresh failed\n")); -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ tevent_req_done(req); -+} -+ -+static errno_t -+simple_resolve_group_recv(struct tevent_req 
*req, -+ TALLOC_CTX *mem_ctx, -+ const char **name) -+{ -+ struct simple_resolve_group_state *state; -+ -+ state = tevent_req_data(req, struct simple_resolve_group_state); -+ -+ TEVENT_REQ_RETURN_ON_ERROR(req); -+ -+ *name = talloc_strdup(mem_ctx, state->name); -+ return EOK; -+} -+ -+struct simple_check_groups_state { -+ struct tevent_context *ev; -+ struct simple_ctx *ctx; -+ -+ gid_t *lookup_gids; -+ size_t num_gids; -+ size_t giter; -+ -+ const char **group_names; -+ size_t num_names; -+}; -+ -+static void simple_check_get_groups_next(struct tevent_req *subreq); -+ -+static errno_t -+simple_check_get_groups_primary(struct simple_check_groups_state *state, -+ gid_t gid); -+static errno_t -+simple_check_process_group(struct simple_check_groups_state *state, -+ struct ldb_message *group); -+ -+static struct tevent_req * -+simple_check_get_groups_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct simple_ctx *ctx, -+ const char *username) -+{ -+ errno_t ret; -+ struct tevent_req *req; -+ struct tevent_req *subreq; -+ struct simple_check_groups_state *state; -+ const char *attrs[] = { SYSDB_NAME, SYSDB_POSIX, SYSDB_GIDNUM, NULL }; -+ size_t group_count; -+ struct ldb_message *user; -+ struct ldb_message **groups; -+ int i; -+ gid_t gid; -+ char *cname; -+ -+ req = tevent_req_create(mem_ctx, &state, -+ struct simple_check_groups_state); -+ if (!req) return NULL; -+ -+ state->ev = ev; -+ state->ctx = ctx; -+ -+ cname = sss_get_cased_name(state, username, ctx->domain->case_sensitive); -+ if (!cname) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", cname)); -+ -+ ret = sysdb_search_user_by_name(state, ctx->domain->sysdb, -+ cname, attrs, &user); -+ if (ret == ENOENT) { -+ DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", cname)); -+ goto done; -+ } else if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Could not look up username [%s]: [%d][%s]\n", -+ username, ret, strerror(ret))); -+ goto done; -+ } 
-+ -+ ret = sysdb_asq_search(state, ctx->domain->sysdb, -+ user->dn, NULL, SYSDB_MEMBEROF, -+ attrs, &group_count, &groups); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ DEBUG(SSSDBG_TRACE_FUNC, -+ ("User %s is a member of %d supplemental groups\n", -+ cname, group_count)); -+ -+ /* One extra space for terminator, one extra space for private group */ -+ state->group_names = talloc_zero_array(state, const char *, group_count + 2); -+ state->lookup_gids = talloc_zero_array(state, gid_t, group_count + 2); -+ if (!state->group_names || !state->lookup_gids) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ for (i=0; i < group_count; i++) { -+ /* Some providers (like the AD provider) might perform initgroups -+ * without resolving the group names. In order for the simple access -+ * provider to work correctly, we need to resolve the groups before -+ * performing the access check. In AD provider, the situation is -+ * even more tricky b/c the groups HAVE name, but their name -+ * attribute is set to SID and they are set as non-POSIX -+ */ -+ ret = simple_check_process_group(state, groups[i]); -+ if (ret != EOK) { -+ goto done; -+ } -+ } -+ -+ gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0); -+ if (!gid) { -+ DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", cname)); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ ret = simple_check_get_groups_primary(state, gid); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ if (state->num_gids == 0) { -+ /* If all groups could have been resolved by name, we are -+ * done -+ */ -+ DEBUG(SSSDBG_TRACE_FUNC, ("All groups had name attribute\n")); -+ ret = EOK; -+ goto done; -+ } -+ -+ DEBUG(SSSDBG_TRACE_FUNC, ("Need to resolve %d groups\n", state->num_gids)); -+ state->giter = 0; -+ subreq = simple_resolve_group_send(req, state->ev, state->ctx, -+ state->lookup_gids[state->giter]); -+ if (!subreq) { -+ ret = ENOMEM; -+ goto done; -+ } -+ tevent_req_set_callback(subreq, simple_check_get_groups_next, req); -+ -+ return req; -+ -+done: -+ if 
(ret == EOK) { -+ tevent_req_done(req); -+ } else { -+ tevent_req_error(req, ret); -+ } -+ tevent_req_post(req, ev); -+ return req; -+} -+ -+static void simple_check_get_groups_next(struct tevent_req *subreq) -+{ -+ struct tevent_req *req = -+ tevent_req_callback_data(subreq, struct tevent_req); -+ struct simple_check_groups_state *state = -+ tevent_req_data(req, struct simple_check_groups_state); -+ errno_t ret; -+ -+ ret = simple_resolve_group_recv(subreq, state->group_names, -+ &state->group_names[state->num_names]); -+ talloc_zfree(subreq); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Could not resolve name of group with GID %llu\n", -+ state->lookup_gids[state->giter])); -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ state->num_names++; -+ state->giter++; -+ -+ if (state->giter < state->num_gids) { -+ subreq = simple_resolve_group_send(req, state->ev, state->ctx, -+ state->lookup_gids[state->giter]); -+ if (!subreq) { -+ tevent_req_error(req, ENOMEM); -+ return; -+ } -+ tevent_req_set_callback(subreq, simple_check_get_groups_next, req); -+ return; -+ } -+ -+ DEBUG(SSSDBG_TRACE_INTERNAL, ("All groups resolved. Done.\n")); -+ tevent_req_done(req); -+} -+ -+static errno_t -+simple_check_process_group(struct simple_check_groups_state *state, -+ struct ldb_message *group) -+{ -+ const char *name; -+ gid_t gid; -+ bool posix; -+ -+ posix = is_posix(group); -+ name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL); -+ gid = ldb_msg_find_attr_as_uint64(group, SYSDB_GIDNUM, 0); -+ -+ /* With the current sysdb layout, every group has a name */ -+ if (name == NULL) { -+ return EINVAL; -+ } -+ -+ if (gid == 0) { -+ if (posix == true) { -+ DEBUG(SSSDBG_CRIT_FAILURE, ("POSIX group without GID\n")); -+ return EINVAL; -+ } -+ -+ /* Non-posix group with a name. 
Still can be used for access -+ * control as the name should point to the real name, no SID -+ */ -+ state->group_names[state->num_names] = talloc_strdup(state->group_names, -+ name); -+ if (!state->group_names[state->num_names]) { -+ return ENOMEM; -+ } -+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding group %s\n", name)); -+ state->num_names++; -+ return EOK; -+ } -+ -+ /* Here are only groups with a name and gid. POSIX group can already -+ * be used, non-POSIX groups can be resolved */ -+ if (posix) { -+ state->group_names[state->num_names] = talloc_strdup(state->group_names, -+ name); -+ if (!state->group_names[state->num_names]) { -+ return ENOMEM; -+ } -+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding group %s\n", name)); -+ state->num_names++; -+ return EOK; -+ } -+ -+ /* Non-posix group with a GID. Needs resolving */ -+ state->lookup_gids[state->num_gids] = gid; -+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding GID %llu\n", gid)); -+ state->num_gids++; -+ return EOK; -+} -+ -+static errno_t -+simple_check_get_groups_primary(struct simple_check_groups_state *state, -+ gid_t gid) -+{ -+ errno_t ret; -+ const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX, -+ SYSDB_GIDNUM, NULL }; -+ struct ldb_message *msg; -+ -+ ret = sysdb_search_group_by_gid(state, state->ctx->domain->sysdb, -+ gid, group_attrs, &msg); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Could not look up primary group [%lu]: [%d][%s]\n", -+ gid, ret, strerror(ret))); -+ /* We have to treat this as non-fatal, because the primary -+ * group may be local to the machine and not available in -+ * our ID provider. 
-+ */ -+ } else { -+ ret = simple_check_process_group(state, msg); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, ("Cannot process primary group\n")); -+ return ret; -+ } -+ } -+ -+ return EOK; -+} -+ -+static errno_t -+simple_check_get_groups_recv(struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ const char ***_group_names) -+{ -+ struct simple_check_groups_state *state; -+ -+ state = tevent_req_data(req, struct simple_check_groups_state); -+ -+ TEVENT_REQ_RETURN_ON_ERROR(req); -+ -+ *_group_names = talloc_steal(mem_ctx, state->group_names); -+ return EOK; -+} -+ -+struct simple_access_check_state { -+ bool access_granted; -+ struct simple_ctx *ctx; -+ const char *username; -+ -+ const char **group_names; -+}; -+ -+static void simple_access_check_done(struct tevent_req *subreq); -+ -+struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct simple_ctx *ctx, -+ const char *username) -+{ -+ errno_t ret; -+ struct tevent_req *req; -+ struct tevent_req *subreq; -+ struct simple_access_check_state *state; -+ -+ req = tevent_req_create(mem_ctx, &state, -+ struct simple_access_check_state); -+ if (!req) return NULL; -+ -+ state->access_granted = false; -+ state->ctx = ctx; -+ state->username = talloc_strdup(state, username); -+ if (!state->username) { -+ ret = ENOMEM; -+ goto immediate; -+ } -+ -+ DEBUG(SSSDBG_FUNC_DATA, ("Simple access check for %s\n", username)); -+ -+ ret = simple_check_users(ctx, username, &state->access_granted); -+ if (ret != EAGAIN) { -+ /* Both access denied and an error */ -+ goto immediate; -+ } -+ -+ if (!ctx->allow_groups && !ctx->deny_groups) { -+ /* There are no group restrictions, so just return -+ * here with whatever we've decided. -+ */ -+ DEBUG(SSSDBG_TRACE_LIBS, ("No group restrictions, end request\n")); -+ ret = EOK; -+ goto immediate; -+ } -+ -+ /* The group names might not be available. Fire a request to -+ * gather them. 
In most cases, the request will just shortcut -+ */ -+ subreq = simple_check_get_groups_send(state, ev, ctx, username); -+ if (!subreq) { -+ ret = EIO; -+ goto immediate; -+ } -+ tevent_req_set_callback(subreq, simple_access_check_done, req); -+ -+ return req; -+ -+immediate: -+ if (ret == EOK) { -+ tevent_req_done(req); -+ } else { -+ tevent_req_error(req, ret); -+ } -+ tevent_req_post(req, ev); -+ return req; -+} -+ -+ -+static void simple_access_check_done(struct tevent_req *subreq) -+{ -+ struct tevent_req *req = -+ tevent_req_callback_data(subreq, struct tevent_req); -+ struct simple_access_check_state *state = -+ tevent_req_data(req, struct simple_access_check_state); -+ errno_t ret; -+ -+ /* We know the names now. Run the check. */ -+ ret = simple_check_get_groups_recv(subreq, state, &state->group_names); -+ talloc_zfree(subreq); -+ if (ret == ENOENT) { -+ /* If the user wasn't found, just shortcut */ -+ state->access_granted = false; -+ tevent_req_done(req); -+ return; -+ } else if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Could not collect groups of user %s\n", state->username)); -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ ret = simple_check_groups(state->ctx, state->username, -+ state->group_names, &state->access_granted); -+ if (ret != EOK) { -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ /* Now just return whatever we decided */ -+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Group check done\n")); -+ tevent_req_done(req); -+} -+ -+errno_t simple_access_check_recv(struct tevent_req *req, bool *access_granted) -+{ -+ struct simple_access_check_state *state = -+ tevent_req_data(req, struct simple_access_check_state); -+ -+ TEVENT_REQ_RETURN_ON_ERROR(req); -+ -+ DEBUG(SSSDBG_TRACE_LIBS, -+ ("Access %sgranted\n", state->access_granted ? 
"" : "not ")); -+ if (access_granted) { -+ *access_granted = state->access_granted; -+ } -+ -+ return EOK; -+} -diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c -index 577c6d3..ab2612d 100644 ---- a/src/tests/simple_access-tests.c -+++ b/src/tests/simple_access-tests.c -@@ -27,6 +27,7 @@ - #include - - #include "confdb/confdb.h" -+#include "db/sysdb_private.h" - #include "providers/simple/simple_access.h" - #include "tests/common.h" - -@@ -35,16 +36,40 @@ - - const char *ulist_1[] = {"u1", "u2", NULL}; - const char *glist_1[] = {"g1", "g2", NULL}; -+const char *glist_1_case[] = {"G1", "G2", NULL}; - - struct simple_test_ctx *test_ctx = NULL; - - struct simple_test_ctx { - struct sysdb_ctx *sysdb; - struct confdb_ctx *confdb; -+ struct tevent_context *ev; -+ bool done; -+ int error; - -+ bool access_granted; - struct simple_ctx *ctx; - }; - -+static int test_loop(struct simple_test_ctx *tctx) -+{ -+ while (!tctx->done) -+ tevent_loop_once(tctx->ev); -+ -+ return tctx->error; -+} -+ -+static void simple_access_check_done(struct tevent_req *req) -+{ -+ struct simple_test_ctx *tctx = -+ tevent_req_callback_data(req, struct simple_test_ctx); -+ -+ -+ tctx->error = simple_access_check_recv(req, &tctx->access_granted); -+ talloc_free(req); -+ tctx->done = true; -+} -+ - void setup_simple(void) - { - errno_t ret; -@@ -52,19 +77,22 @@ void setup_simple(void) - const char *val[2]; - val[1] = NULL; - -- /* Create tests directory if it doesn't exist */ -- /* (relative to current dir) */ -- ret = mkdir(TESTS_PATH, 0775); -- fail_if(ret == -1 && errno != EEXIST, -- "Could not create %s directory", TESTS_PATH); -- - fail_unless(test_ctx == NULL, "Simple context already initialized."); - test_ctx = talloc_zero(NULL, struct simple_test_ctx); - fail_unless(test_ctx != NULL, "Cannot create simple test context."); - -+ test_ctx->ev = tevent_context_init(test_ctx); -+ fail_unless(test_ctx->ev != NULL, "Cannot create tevent context."); -+ - test_ctx->ctx = 
talloc_zero(test_ctx, struct simple_ctx); - fail_unless(test_ctx->ctx != NULL, "Cannot create simple context."); - -+ /* Create tests directory if it doesn't exist */ -+ /* (relative to current dir) */ -+ ret = mkdir(TESTS_PATH, 0775); -+ fail_if(ret == -1 && errno != EEXIST, -+ "Could not create %s directory", TESTS_PATH); -+ - conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); - fail_if(conf_db == NULL, "Out of memory, aborting!"); - DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db)); -@@ -98,6 +126,7 @@ void setup_simple(void) - &test_ctx->ctx->domain, &test_ctx->ctx->sysdb); - fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret); - test_ctx->ctx->domain->case_sensitive = true; -+ test_ctx->ctx->sysdb->mpg = false; /* Simulate an LDAP domain better */ - } - - void teardown_simple(void) -@@ -117,18 +146,22 @@ void setup_simple_group(void) - - /* Add test users u1 and u2 that would be members of test groups - * g1 and g2 respectively */ -+ ret = sysdb_add_group(test_ctx->ctx->sysdb, -+ "pvt", 999, NULL, 0, 0); -+ fail_if(ret != EOK, "Could not add private group"); -+ - ret = sysdb_store_user(test_ctx->ctx->sysdb, -- "u1", NULL, 123, 0, "u1", "/home/u1", -+ "u1", NULL, 123, 999, "u1", "/home/u1", - "/bin/bash", NULL, NULL, NULL, -1, 0); - fail_if(ret != EOK, "Could not add u1"); - - ret = sysdb_store_user(test_ctx->ctx->sysdb, -- "u2", NULL, 456, 0, "u1", "/home/u1", -+ "u2", NULL, 456, 999, "u1", "/home/u1", - "/bin/bash", NULL, NULL, NULL, -1, 0); - fail_if(ret != EOK, "Could not add u2"); - - ret = sysdb_store_user(test_ctx->ctx->sysdb, -- "u3", NULL, 789, 0, "u1", "/home/u1", -+ "u3", NULL, 789, 999, "u1", "/home/u1", - "/bin/bash", NULL, NULL, NULL, -1, 0); - fail_if(ret != EOK, "Could not add u3"); - -@@ -163,190 +196,317 @@ void teardown_simple_group(void) - fail_if(ret != EOK, "Could not delete g1"); - ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0); - fail_if(ret != EOK, "Could not delete g2"); -+ 
ret = sysdb_delete_group(test_ctx->ctx->sysdb, "pvt", 0); -+ fail_if(ret != EOK, "Could not delete pvt"); - - teardown_simple(); - } - - START_TEST(test_both_empty) - { -- int ret; -- bool access_granted = false; -+ struct tevent_req *req; - - test_ctx->ctx->allow_users = NULL; - test_ctx->ctx->deny_users = NULL; - -- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == true, "Access denied " -- "while both lists are empty."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == true, -+ "Access denied while both lists are empty."); - } - END_TEST - - START_TEST(test_allow_empty) - { -- int ret; -- bool access_granted = true; -+ struct tevent_req *req; - - test_ctx->ctx->allow_users = NULL; - test_ctx->ctx->deny_users = discard_const(ulist_1); - -- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "while user is in deny list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted while user is in deny list."); - -- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == true, 
"Access denied " -- "while user is not in deny list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u3"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == true, -+ "Access denied while user is not in deny list."); - } - END_TEST - - START_TEST(test_deny_empty) - { -- int ret; -- bool access_granted = false; -+ struct tevent_req *req; - - test_ctx->ctx->allow_users = discard_const(ulist_1); - test_ctx->ctx->deny_users = NULL; - -- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == true, "Access denied " -- "while user is in allow list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == true, -+ "Access denied while user is in allow list."); - -- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "while user is not in allow list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u3"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted while user is not in allow list."); - } - 
END_TEST - - START_TEST(test_both_set) - { -- int ret; -- bool access_granted = false; -+ struct tevent_req *req; - - test_ctx->ctx->allow_users = discard_const(ulist_1); - test_ctx->ctx->deny_users = discard_const(ulist_1); - -- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "while user is in deny list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted while user is in deny list."); - -- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "while user is not in allow list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u3"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted while user is not in allow list."); - } - END_TEST - - START_TEST(test_case) - { -- int ret; -- bool access_granted = false; -+ struct tevent_req *req; - - test_ctx->ctx->allow_users = discard_const(ulist_1); - test_ctx->ctx->deny_users = NULL; - -- ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "for user with different case " -- "in case-sensitive domain"); -+ 
req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "U1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted for user with different case " -+ "in case-sensitive domain"); - - test_ctx->ctx->domain->case_sensitive = false; - -- ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == true, "Access denied " -- "for user with different case " -- "in case-insensitive domain"); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "U1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == true, -+ "Access denied for user with different case " -+ "in case-sensitive domain"); -+} -+END_TEST -+ -+START_TEST(test_unknown_user) -+{ -+ struct tevent_req *req; -+ -+ test_ctx->ctx->allow_users = discard_const(ulist_1); -+ test_ctx->ctx->deny_users = NULL; -+ -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "foo"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted for user not present in domain"); - } - END_TEST - -+ - START_TEST(test_group_allow_empty) - { -- int ret; -- bool access_granted = true; -+ struct tevent_req 
*req; - - test_ctx->ctx->allow_groups = NULL; - test_ctx->ctx->deny_groups = discard_const(glist_1); - -- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "while group is in deny list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; - -- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == true, "Access denied " -- "while group is not in deny list."); -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted while group is in deny list."); -+ -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u3"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == true, -+ "Access denied while group is not in deny list."); - } - END_TEST - - START_TEST(test_group_deny_empty) - { -- int ret; -- bool access_granted = false; -+ struct tevent_req *req; - - test_ctx->ctx->allow_groups = discard_const(glist_1); - test_ctx->ctx->deny_groups = NULL; - -- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == true, "Access denied " -- "while group is in allow list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ 
tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; - -- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "while group is not in allow list."); -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == true, -+ "Access denied while user is in allow list."); -+ -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u3"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted while user is not in allow list."); - } - END_TEST - - START_TEST(test_group_both_set) - { -- int ret; -- bool access_granted = false; -+ struct tevent_req *req; - - test_ctx->ctx->allow_groups = discard_const(ulist_1); - test_ctx->ctx->deny_groups = discard_const(ulist_1); - -- ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "while group is in deny list."); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; - -- ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "while group is not in allow list."); -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ 
fail_unless(test_ctx->access_granted == false, -+ "Access granted while user is in deny list."); -+ -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "u3"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted while user is not in allow list."); - } - END_TEST - - START_TEST(test_group_case) - { -- int ret; -- bool access_granted = false; -+ struct tevent_req *req; - -- test_ctx->ctx->allow_groups = discard_const(ulist_1); -+ test_ctx->ctx->allow_groups = discard_const(glist_1_case); - test_ctx->ctx->deny_groups = NULL; - -- ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == false, "Access granted " -- "for group with different case " -- "in case-sensitive domain"); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "U1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == false, -+ "Access granted for user with different case " -+ "in case-sensitive domain"); - - test_ctx->ctx->domain->case_sensitive = false; - -- ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); -- fail_unless(ret == EOK, "access_simple_check failed."); -- fail_unless(access_granted == true, "Access denied " -- "for group with different case " -- "in case-insensitive domain"); -+ req = simple_access_check_send(test_ctx, test_ctx->ev, -+ test_ctx->ctx, "U1"); -+ fail_unless(test_ctx != NULL, "Cannot create request\n"); -+ 
tevent_req_set_callback(req, simple_access_check_done, test_ctx); -+ -+ test_loop(test_ctx); -+ test_ctx->done = false; -+ -+ fail_unless(test_ctx->error == EOK, "access_simple_check failed."); -+ fail_unless(test_ctx->access_granted == true, -+ "Access denied for user with different case " -+ "in case-sensitive domain"); - } - END_TEST - -@@ -361,6 +521,7 @@ Suite *access_simple_suite (void) - tcase_add_test(tc_allow_deny, test_deny_empty); - tcase_add_test(tc_allow_deny, test_both_set); - tcase_add_test(tc_allow_deny, test_case); -+ tcase_add_test(tc_allow_deny, test_unknown_user); - suite_add_tcase(s, tc_allow_deny); - - TCase *tc_grp_allow_deny = tcase_create("group allow/deny"); --- -1.8.1.4 - diff --git a/sssd-1.9.4.tar.gz b/sssd-1.9.4.tar.gz deleted file mode 100644 index c3139c3..0000000 --- a/sssd-1.9.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:20e39d7c5d89e217b5301f7e75360eb869ac1889701755a598fb3fbed923f4b4 -size 3050325 diff --git a/sssd-1.9.4.tar.gz.asc b/sssd-1.9.4.tar.gz.asc deleted file mode 100644 index a2e92ae..0000000 --- a/sssd-1.9.4.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.13 (GNU/Linux) - -iEYEABECAAYFAlEG6DYACgkQHsardTLnvCXjrgCeMSfawp5NaaIu82GDZOq7EMxL -tqwAmgN3gn9e7y6AzeSBdYCCcPAyLLFo -=hHxo ------END PGP SIGNATURE----- diff --git a/sssd-1.9.5.tar.gz b/sssd-1.9.5.tar.gz new file mode 100644 index 0000000..d7e73fb --- /dev/null +++ b/sssd-1.9.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a377c436901e92d689de811d48e37d88764460e889e47bfddd90626f0a8a015c +size 3106988 diff --git a/sssd-1.9.5.tar.gz.asc b/sssd-1.9.5.tar.gz.asc new file mode 100644 index 0000000..e0c1e92 --- /dev/null +++ b/sssd-1.9.5.tar.gz.asc 
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.13 (GNU/Linux) + +iEYEABECAAYFAlF2gY4ACgkQHsardTLnvCW6+QCg4VWHi8mlbi6FQufRtUXOTB2j +5OAAniig5/DUZa/mrzUb+8kteg3nanNS +=3VHJ +-----END PGP SIGNATURE----- diff --git a/sssd-sysdb-binary-attrs.diff b/sssd-sysdb-binary-attrs.diff deleted file mode 100644 index 6075737..0000000 --- a/sssd-sysdb-binary-attrs.diff +++ /dev/null 
@@ -1,102 +0,0 @@ -From 3229c2107e4645240cfc4aa5d262e5330c356a49 Mon Sep 17 00:00:00 2001 -From: Jan Engelhardt -Date: Thu, 21 Feb 2013 13:12:25 +0100 -Subject: [PATCH] sysdb: try dealing with binary-content attributes - -I have here a LDAP user entry which has this attribute - - loginAllowedTimeMap:: - AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA - -In the function sysdb_attrs_add_string(), called from -sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is -the wrong thing to do. The result of strlen is then used to populate -the .v_length member of a struct ldb_val - and this will set it to -zero in this case. (There is also the problem that there may not be -a '\0' at all in the blob.) - -Subsequently, .v_length being 0 makes ldb_modify(), called from -sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End -result is that users do not get stored in the sysdb, and programs like -`id` or `getent ...` show incomplete information. - -The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave -fine, but that may not mean that is the absolute lower boundary of -introduction of the problem. 
---- - src/db/sysdb.c | 10 ++++++++++ - src/db/sysdb.h | 2 ++ - src/providers/ldap/sdap.c | 7 +++---- - src/providers/ldap/sdap_async.c | 4 ++-- - 4 files changed, 17 insertions(+), 6 deletions(-) - -diff --git a/src/db/sysdb.c b/src/db/sysdb.c -index e7524f4..7c34791 100644 ---- a/src/db/sysdb.c -+++ b/src/db/sysdb.c -@@ -512,6 +512,16 @@ int sysdb_attrs_add_string(struct sysdb_attrs *attrs, - return sysdb_attrs_add_val(attrs, name, &v); - } - -+int sysdb_attrs_add_mem(struct sysdb_attrs *attrs, const char *name, -+ const void *mem, size_t size) -+{ -+ struct ldb_val v; -+ -+ v.data = discard_const(mem); -+ v.length = size; -+ return sysdb_attrs_add_val(attrs, name, &v); -+} -+ - int sysdb_attrs_add_bool(struct sysdb_attrs *attrs, - const char *name, bool value) - { -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index fff97a8..23cbbb0 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -250,6 +250,8 @@ int sysdb_attrs_add_val(struct sysdb_attrs *attrs, - const char *name, const struct ldb_val *val); - int sysdb_attrs_add_string(struct sysdb_attrs *attrs, - const char *name, const char *str); -+int sysdb_attrs_add_mem(struct sysdb_attrs *, const char *, -+ const void *, size_t); - int sysdb_attrs_add_bool(struct sysdb_attrs *attrs, - const char *name, bool value); - int sysdb_attrs_add_long(struct sysdb_attrs *attrs, -diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c -index 371121b..988f27d 100644 ---- a/src/providers/ldap/sdap.c -+++ b/src/providers/ldap/sdap.c -@@ -474,10 +474,9 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx, - for (i=0; dval->vals[i].bv_val; i++) { - DEBUG(9, ("Dereferenced attribute value: %s\n", - dval->vals[i].bv_val)); -- v.data = (uint8_t *) dval->vals[i].bv_val; -- v.length = dval->vals[i].bv_len; -- -- ret = sysdb_attrs_add_val(res[mi]->attrs, name, &v); -+ ret = sysdb_attrs_add_mem(res[mi]->attrs, name, -+ dval->vals[i].bv_val, -+ dval->vals[i].bv_len); - if (ret) goto done; - } - } -diff --git 
a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c -index 84497b7..b7d9839 100644 ---- a/src/providers/ldap/sdap_async.c -+++ b/src/providers/ldap/sdap_async.c -@@ -2226,8 +2226,8 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs, - DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding %s [%s] to attributes " - "of [%s].\n", desc, el->values[i].data, objname)); - -- ret = sysdb_attrs_add_string(attrs, attr_name, -- (const char *) el->values[i].data); -+ ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data, -+ el->values[i].length); - if (ret) { - return ret; - } --- -1.7.10.4 - diff --git a/sssd.changes b/sssd.changes index bcb412c..2f9e68b 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.9.5 +* Includes a fix for CVE-2013-0287: A simple access provider flaw + prevents intended ACL use when SSSD is configured as an Active + Directory client. +* Fixed spurious password expiration warning that was printed on + login with the Kerberos back end. +* A new option ldap_rfc2307_fallback_to_local_users was added. If + this option is set to true, SSSD is be able to resolve local + group members of LDAP groups. +* Fixed an indexing bug that prevented the contents of autofs maps + from being returned to the automounter deamon in case the map + contained a large number of entries. +* Several fixes for safer handling of Kerberos credential caches + for cases where the ccache is set to be stored in a DIR: type. +- Remove Provide-a-be_get_account_info_send-function.patch, + Add-unit-tests-for-simple-access-test-by-groups.patch, + Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch, + Resolve-GIDs-in-the-simple-access-provider.patch + (CVE-2013-0287 material is in upstream), + sssd-sysdb-binary-attrs.diff (merged upstream) + ------------------------------------------------------------------- Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index 5a76e53..b23a9c9 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,13 +17,12 @@ Name: sssd -Version: 1.9.4 +Version: 1.9.5 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ Group: System/Daemons Url: https://fedorahosted.org/sssd/ -Requires(postun): pam-config #Git-Clone: git://git.fedorahosted.org/sssd Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz 
@@ -32,13 +31,6 @@ Source3: baselibs.conf Patch1: 0005-implicit-decl.diff Patch2: sssd-ldflags.diff Patch3: sssd-no-ldb-check.diff -Patch4: sssd-sysdb-binary-attrs.diff -# Fixes for CVE-2013-0287 (will be part of 1.9.5) when released -Patch5: Provide-a-be_get_account_info_send-function.patch -Patch6: Add-unit-tests-for-simple-access-test-by-groups.patch -Patch7: Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch -Patch8: Resolve-GIDs-in-the-simple-access-provider.patch -# End Fixed for CVE-2013-0287 BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -111,6 +103,7 @@ BuildRequires: systemd %if %suse_version >= 1230 BuildRequires: gpg-offline %endif +Requires(postun): pam-config %description Provides a set of daemons to manage access to remote directories and @@ -210,7 +203,7 @@ Security Services Daemon (sssd). %prep %{?gpg_verify: %gpg_verify %{S:2}} %setup -q -%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1 +%patch -P 1 -P 2 -P 3 -p1 %build %if 0%{?suse_version} < 1210 From b6336e2b35d050bedb2e5f80adc35ca205473e5ac0be65e1da9ba11de03c676e Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 17 Jun 2013 08:24:00 +0000 Subject: [PATCH 41/63] Accepting request 179170 from network:ldap - Explicitly formulate SASL BuildRequires OBS-URL: https://build.opensuse.org/request/show/179170 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=47 --- sssd.changes | 5 +++++ sssd.spec | 1 + 2 files changed, 6 insertions(+) diff --git a/sssd.changes b/sssd.changes index 2f9e68b..f244907 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun Jun 16 16:11:42 UTC 2013 - jengelh@inai.de + +- Explicitly formulate SASL BuildRequires + ------------------------------------------------------------------- Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index b23a9c9..cd031f8 100644 --- a/sssd.spec +++ b/sssd.spec 
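Review bot: The new `%patch -P 1 -P 2 -P 3 -p1` line drops the four CVE-2013-0287 backports on the strength of the 1.9.5 tarball, but the only integrity check on that tarball, `%{?gpg_verify: %gpg_verify %{S:2}}` two lines above it, expands to nothing when the gpg_verify macro is undefined, and as far as this spec shows the package providing it (gpg-offline) is only required for suse_version >= 1230. On older targets the replacement tarball is therefore applied unverified, which matters more now that the security fix comes from the upstream archive rather than from patches tracked in this repository. A comment above the %prep block such as `# CVE-2013-0287 fix is expected from the 1.9.5 sources; signature check is skipped where gpg_verify is undefined` would at least make the assumption visible, and calling `%gpg_verify` unconditionally wherever the macro is available would close the gap. The %prep and %build sections continue outside the hunk.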
@@ -48,6 +48,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
+BuildRequires: cyrus-sasl-devel
 BuildRequires: docbook-xsl-stylesheets
 BuildRequires: krb5-devel
 BuildRequires: libtool
From 160e975d1abbb34c59b92bbc2d8ce596ce024eb00a0864e0474bf281b64b93f6 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Mon, 2 Dec 2013 14:09:06 +0000
Subject: [PATCH 42/63] Accepting request 208276 from network:ldap - Update to new upstream release 1.11.2
OBS-URL: https://build.opensuse.org/request/show/208276
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=49
---
 0005-implicit-decl.diff | 28 ---- sssd-1.11.2.tar.gz | 3 + sssd-1.11.2.tar.gz.asc | 7 + sssd-1.9.5.tar.gz | 3 - sssd-1.9.5.tar.gz.asc | 7 - sssd-ldflags.diff | 205 ++++++++++++++++---------- sssd-no-ldb-check.diff | 28 ---- sssd.changes | 25 ++++ sssd.spec | 311 +++++++++++++++++++++++++++++----------- 9 files changed, 393 insertions(+), 224 deletions(-) delete mode 100644 0005-implicit-decl.diff create mode 100644 sssd-1.11.2.tar.gz create mode 100644 sssd-1.11.2.tar.gz.asc delete mode 100644 sssd-1.9.5.tar.gz delete mode 100644 sssd-1.9.5.tar.gz.asc delete mode 100644 sssd-no-ldb-check.diff
diff --git a/0005-implicit-decl.diff b/0005-implicit-decl.diff deleted file mode 100644
index 88cf672..0000000
--- a/0005-implicit-decl.diff
+++ /dev/null
@@ -1,28 +0,0 @@ -From: Jan Engelhardt -Date: 2012-03-11 23:31:50.889566758 +0100 - -build: resolve compiler warnings about implicitly-defined functions - -crypto_sha512crypt.c: In function 'sha512_crypt_r': -crypto_sha512crypt.c:200:9: warning: implicit declaration of - function 'mempcpy' [-Wimplicit-function-declaration] -crypto_sha512crypt.c:200:14: warning: incompatible implicit - declaration of built-in function 'mempcpy' [enabled by default] -crypto_sha512crypt.c:221:14: warning: incompatible implicit - declaration of built-in function 'mempcpy' [enabled by default] ---- - src/util/crypto/libcrypto/crypto_sha512crypt.c | 1 + - 1 file changed, 1 insertion(+) - -Index: sssd-1.9.2/src/util/crypto/libcrypto/crypto_sha512crypt.c -=================================================================== ---- sssd-1.9.2.orig/src/util/crypto/libcrypto/crypto_sha512crypt.c -+++ sssd-1.9.2/src/util/crypto/libcrypto/crypto_sha512crypt.c -@@ -12,6 +12,7 @@ - - #include "config.h" - -+#define _GNU_SOURCE 1 /* mempcpy */ - #include - #include - #include diff --git a/sssd-1.11.2.tar.gz b/sssd-1.11.2.tar.gz new file mode 100644 index 0000000..adc6574 --- /dev/null +++ b/sssd-1.11.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:40da555ef1d81f0b73aa4e484719f9ca340dc76b7b549761f2ca775ff90b34bc +size 3442072 diff --git a/sssd-1.11.2.tar.gz.asc b/sssd-1.11.2.tar.gz.asc new file mode 100644 index 0000000..f9f6ccb --- /dev/null +++ b/sssd-1.11.2.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.15 (GNU/Linux) + +iEYEABECAAYFAlJxiVwACgkQHsardTLnvCU4CwCfU1uc5bwo9fTZXh4i0KLGp709 +wL4Anil81EFYHIFhnGsCs0L300OQmbGp +=2QGa +-----END PGP SIGNATURE----- diff --git a/sssd-1.9.5.tar.gz b/sssd-1.9.5.tar.gz deleted file mode 100644 index d7e73fb..0000000 --- a/sssd-1.9.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a377c436901e92d689de811d48e37d88764460e889e47bfddd90626f0a8a015c -size 3106988 
diff --git a/sssd-1.9.5.tar.gz.asc b/sssd-1.9.5.tar.gz.asc deleted file mode 100644 index e0c1e92..0000000 --- a/sssd-1.9.5.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.13 (GNU/Linux) - -iEYEABECAAYFAlF2gY4ACgkQHsardTLnvCW6+QCg4VWHi8mlbi6FQufRtUXOTB2j -5OAAniig5/DUZa/mrzUb+8kteg3nanNS -=3VHJ ------END PGP SIGNATURE----- diff --git a/sssd-ldflags.diff b/sssd-ldflags.diff index 4ac562c..3229388 100644 --- a/sssd-ldflags.diff +++ b/sssd-ldflags.diff @@ -1,50 +1,107 @@ +From c9b13c7e032fde96cf07c7d298bb7fa65fad220b Mon Sep 17 00:00:00 2001 
From: Jan Engelhardt -Date: 2012-11-10 01:36:37.022064770 +0100 - -build: fix link failure because of wrong use of LDFLAGS - - ld: src/sss_client/sss_ssh_authorizedkeys-common.o: undefined - reference to symbol 'pthread_mutexattr_setrobust@@GLIBC_2.12' - -For the i'th time, -http://stackoverflow.com/questions/4241683/linker-flags-in-wrong-place - -The patch fixes the location of library names, and also adds them -to two program which need them. +Date: Fri, 1 Nov 2013 23:01:09 +0100 +Subject: [PATCH] build: fix ordering of linker flags +Libraries MUST be specified in LDADD/LIBADD, not LDFLAGS, because +LDFLAGS appear earlier in the command line and library order is +significant. --- - Makefile.am | 36 +++++++++++++++++++++--------------- - 1 file changed, 21 insertions(+), 15 deletions(-) + Makefile.am | 66 ++++++++++++++++++++++++++++++------------------------------ + 1 file changed, 34 insertions(+), 32 deletions(-) -Index: sssd-1.9.4/Makefile.am +Index: sssd-1.11.2/Makefile.am =================================================================== ---- sssd-1.9.4.orig/Makefile.am -+++ sssd-1.9.4/Makefile.am -@@ -537,7 +537,8 @@ libipa_hbac_la_SOURCES = \ +--- sssd-1.11.2.orig/Makefile.am ++++ sssd-1.11.2/Makefile.am +@@ -600,9 +600,10 @@ dist_pkgconfig_DATA += src/providers/ipa + libipa_hbac_la_SOURCES = \ src/providers/ipa/hbac_evaluator.c \ src/util/sss_utf8.c - libipa_hbac_la_LDFLAGS = \ +-libipa_hbac_la_LDFLAGS = \ - -version-info 0:1:0 \ -+ -version-info 0:1:0 +libipa_hbac_la_LIBADD = \ $(UNICODE_LIBS) ++libipa_hbac_la_LDFLAGS = \ ++ -version-info 0:1:0 dist_pkgconfig_DATA += src/lib/idmap/sss_idmap.pc -@@ -651,11 +652,11 @@ sssd_be_LDADD = \ - -ldl \ - $(SSSD_LIBS) \ - $(CARES_LIBS) \ -+ $(PAM_LIBS) \ - libsss_util.la - sssd_be_LDFLAGS = \ - -Wl,--version-script,$(srcdir)/src/providers/sssd_be.exports \ -- -export-dynamic \ -- $(PAM_LIBS) -+ -export-dynamic + libsss_idmap_la_SOURCES = \ +@@ -617,8 +618,9 @@ libsss_nss_idmap_la_SOURCES = \ + 
src/sss_client/idmap/sss_nss_idmap.c \ + src/sss_client/common.c \ + src/util/strtonum.c ++libsss_nss_idmap_la_LIBADD = \ ++ $(CLIENT_LIBS) + libsss_nss_idmap_la_LDFLAGS = \ +- $(CLIENT_LIBS) \ + -version-info 0:1:0 - if BUILD_PYTHON_BINDINGS - sss_obfuscate_pythondir = $(sbindir) -@@ -771,7 +772,7 @@ sss_sudo_cli_SOURCES = \ + include_HEADERS = \ +@@ -771,10 +773,9 @@ sss_userdel_SOURCES = \ + $(SSSD_LCL_TOOLS_OBJ) + sss_userdel_LDADD = \ + $(TOOLS_LIBS) \ +- $(SSSD_INTERNAL_LTLIBS) +-sss_userdel_CFLAGS = $(AM_CFLAGS) +-sss_userdel_LDFLAGS = \ ++ $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) ++sss_userdel_CFLAGS = $(AM_CFLAGS) + + sss_groupadd_SOURCES = \ + src/tools/sss_groupadd.c \ +@@ -788,30 +789,27 @@ sss_groupdel_SOURCES = \ + $(SSSD_LCL_TOOLS_OBJ) + sss_groupdel_LDADD = \ + $(TOOLS_LIBS) \ +- $(SSSD_INTERNAL_LTLIBS) +-sss_groupdel_CFLAGS = $(AM_CFLAGS) +-sss_groupdel_LDFLAGS = \ ++ $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) ++sss_groupdel_CFLAGS = $(AM_CFLAGS) + + sss_usermod_SOURCES = \ + src/tools/sss_usermod.c \ + $(SSSD_LCL_TOOLS_OBJ) + sss_usermod_LDADD = \ + $(TOOLS_LIBS) \ +- $(SSSD_INTERNAL_LTLIBS) +-sss_usermod_CFLAGS = $(AM_CFLAGS) +-sss_usermod_LDFLAGS = \ ++ $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) ++sss_usermod_CFLAGS = $(AM_CFLAGS) + + sss_groupmod_SOURCES = \ + src/tools/sss_groupmod.c \ + $(SSSD_LCL_TOOLS_OBJ) + sss_groupmod_LDADD = \ + $(TOOLS_LIBS) \ +- $(SSSD_INTERNAL_LTLIBS) +-sss_groupmod_CFLAGS = $(AM_CFLAGS) +-sss_groupmod_LDFLAGS = \ ++ $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) ++sss_groupmod_CFLAGS = $(AM_CFLAGS) + + sss_groupshow_SOURCES = \ + src/tools/sss_groupshow.c \ +@@ -825,10 +823,9 @@ sss_cache_SOURCES = \ + $(SSSD_LCL_TOOLS_OBJ) + sss_cache_LDADD = \ + $(TOOLS_LIBS) \ +- $(SSSD_INTERNAL_LTLIBS) +-sss_cache_CFLAGS = $(AM_CFLAGS) +-sss_cache_LDFLAGS = \ ++ $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) ++sss_cache_CFLAGS = $(AM_CFLAGS) + + sss_debuglevel_SOURCES = \ + src/tools/sss_debuglevel.c \ +@@ -851,7 +848,7 @@ 
sss_sudo_cli_SOURCES = \ src/sss_client/sudo/sss_sudo_response.c \ src/sss_client/sudo_testcli/sudo_testcli.c sss_sudo_cli_CFLAGS = $(AM_CFLAGS) @@ -53,27 +110,29 @@ Index: sssd-1.9.4/Makefile.am endif if BUILD_SSH -@@ -781,8 +782,8 @@ sss_ssh_authorizedkeys_SOURCES = \ +@@ -861,8 +858,8 @@ sss_ssh_authorizedkeys_SOURCES = \ src/sss_client/ssh/sss_ssh_authorizedkeys.c sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS) sss_ssh_authorizedkeys_LDADD = \ -+ $(CLIENT_LIBS) \ - libsss_util.la --sss_ssh_authorizedkeys_LDFLAGS = $(CLIENT_LIBS) +- $(SSSD_INTERNAL_LTLIBS) +-sss_ssh_authorizedkeys_LDFLAGS = $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) ++ $(SSSD_INTERNAL_LTLIBS) \ ++ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) sss_ssh_knownhostsproxy_SOURCES = \ src/sss_client/common.c \ -@@ -790,8 +791,8 @@ sss_ssh_knownhostsproxy_SOURCES = \ +@@ -870,8 +867,8 @@ sss_ssh_knownhostsproxy_SOURCES = \ src/sss_client/ssh/sss_ssh_knownhostsproxy.c sss_ssh_knownhostsproxy_CFLAGS = $(AM_CFLAGS) sss_ssh_knownhostsproxy_LDADD = \ -+ $(CLIENT_LIBS) \ - libsss_util.la --sss_ssh_knownhostsproxy_LDFLAGS = $(CLIENT_LIBS) +- $(SSSD_INTERNAL_LTLIBS) +-sss_ssh_knownhostsproxy_LDFLAGS = $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) ++ $(SSSD_INTERNAL_LTLIBS) \ ++ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) endif ################# -@@ -1149,14 +1150,14 @@ noinst_PROGRAMS += autofs_test_client +@@ -1402,7 +1399,7 @@ noinst_PROGRAMS += autofs_test_client endif pam_test_client_SOURCES = src/sss_client/pam_test_client.c 
@@ -81,44 +140,41 @@ Index: sssd-1.9.4/Makefile.am +pam_test_client_LDADD = -lpam -lpam_misc if BUILD_AUTOFS - autofs_test_client_SOURCES = src/sss_client/autofs/autofs_test_client.c \ - src/sss_client/autofs/sss_autofs.c \ - src/sss_client/common.c + autofs_test_client_SOURCES = \ +@@ -1410,7 +1407,7 @@ autofs_test_client_SOURCES = \ + src/sss_client/autofs/sss_autofs.c \ + src/sss_client/common.c autofs_test_client_CFLAGS = $(AM_CFLAGS) -autofs_test_client_LDFLAGS = -lpopt $(CLIENT_LIBS) +autofs_test_client_LDADD = -lpopt $(CLIENT_LIBS) endif #################### -@@ -1178,10 +1179,11 @@ libnss_sss_la_SOURCES = \ +@@ -1432,8 +1429,9 @@ libnss_sss_la_SOURCES = \ + src/sss_client/nss_mc_passwd.c \ src/sss_client/nss_mc_group.c \ src/sss_client/nss_mc.h ++libnss_sss_la_LIBADD = \ ++ $(CLIENT_LIBS) libnss_sss_la_LDFLAGS = \ - $(CLIENT_LIBS) \ -module \ -version-info 2:0:0 \ -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports -+libnss_sss_la_LIBADD = \ -+ $(CLIENT_LIBS) - - pamlib_LTLIBRARIES = pam_sss.la - pam_sss_la_SOURCES = \ -@@ -1192,11 +1194,12 @@ pam_sss_la_SOURCES = \ +@@ -1446,9 +1444,10 @@ pam_sss_la_SOURCES = \ + src/util/atomic_io.c \ src/sss_client/sss_pam_macros.h - pam_sss_la_LDFLAGS = \ -- $(CLIENT_LIBS) \ +-pam_sss_la_LDFLAGS = \ ++pam_sss_la_LIBADD = \ + $(CLIENT_LIBS) \ - -lpam \ ++ -lpam ++pam_sss_la_LDFLAGS = \ -module \ -avoid-version \ -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports -+pam_sss_la_LIBADD = \ -+ $(CLIENT_LIBS) \ -+ -lpam - - if BUILD_SUDO - -@@ -1207,8 +1210,9 @@ libsss_sudo_la_SOURCES = \ +@@ -1462,8 +1461,9 @@ libsss_sudo_la_SOURCES = \ src/sss_client/sudo/sss_sudo.c \ src/sss_client/sudo/sss_sudo.h \ src/sss_client/sudo/sss_sudo_private.h 
@@ -129,30 +185,27 @@ Index: sssd-1.9.4/Makefile.am -Wl,--version-script,$(srcdir)/src/sss_client/sss_sudo.exports \ -module \ -avoid-version -@@ -1228,10 +1232,11 @@ libsss_autofs_la_SOURCES = \ +@@ -1480,8 +1480,9 @@ libsss_autofs_la_SOURCES = \ + src/sss_client/autofs/sss_autofs.c \ src/sss_client/autofs/sss_autofs_private.h ++libsss_autofs_la_LIBADD = \ ++ $(CLIENT_LIBS) libsss_autofs_la_LDFLAGS = \ - $(CLIENT_LIBS) \ -module \ -avoid-version \ -Wl,--version-script,$(srcdir)/src/sss_client/autofs/sss_autofs.exports -+libsss_autofs_la_LIBADD = \ -+ $(CLIENT_LIBS) - endif - - dist_noinst_DATA += \ -@@ -1550,10 +1555,11 @@ sssd_pac_plugin_la_CFLAGS = \ +@@ -1831,9 +1832,10 @@ sssd_pac_plugin_la_SOURCES = \ + sssd_pac_plugin_la_CFLAGS = \ $(AM_CFLAGS) \ $(KRB5_CFLAGS) - sssd_pac_plugin_la_LDFLAGS = \ -- $(CLIENT_LIBS) \ +-sssd_pac_plugin_la_LDFLAGS = \ ++sssd_pac_plugin_la_LIBADD = \ + $(CLIENT_LIBS) \ - -lkrb5 \ ++ -lkrb5 ++sssd_pac_plugin_la_LDFLAGS = \ -avoid-version \ -module -+sssd_pac_plugin_la_LIBADD = \ -+ $(CLIENT_LIBS) \ -+ -lkrb5 - if BUILD_PYTHON_BINDINGS - pysss_la_SOURCES = \ diff --git a/sssd-no-ldb-check.diff b/sssd-no-ldb-check.diff deleted file mode 100644 index e216a19..0000000 --- a/sssd-no-ldb-check.diff +++ /dev/null 
@@ -1,28 +0,0 @@ -From: Jan Engelhardt -Date: 2013-02-21 09:09:59.418801298 +0100 -Upstream: no - -Whenever ldb has a version number update, memberof.so aborts sssd -loading. Arguably, LDB has not made any ABI stability promises -says -http://lists.fedorahosted.org/pipermail/sssd-devel/2013-February/013686.html -but they are at least trying to, by keeping some versioned symbols. -So, let's try this here for openSUSE. - ---- - src/ldb_modules/memberof.c | 3 --- - 1 file changed, 3 deletions(-) - -Index: sssd-1.9.4/src/ldb_modules/memberof.c -=================================================================== ---- sssd-1.9.4.orig/src/ldb_modules/memberof.c -+++ sssd-1.9.4/src/ldb_modules/memberof.c -@@ -4570,8 +4570,5 @@ const struct ldb_module_ops ldb_memberof - - int ldb_init_module(const char *version) - { --#ifdef LDB_MODULE_CHECK_VERSION -- LDB_MODULE_CHECK_VERSION(version); --#endif - return ldb_register_module(&ldb_memberof_module_ops); - } diff --git a/sssd.changes b/sssd.changes index f244907..38cdec5 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Fri Nov 1 22:12:03 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.11.2 +* A new option ad_access_filter was added. This option allows the + administrator to easily configure LDAP search filter that the users + logging in must match in order to be granted access. +* The Kerberos provider will no longer try to create public + directories when evaluating the krb5_ccachedir option. +- Remove 0005-implicit-decl.diff (merged upstream) + +------------------------------------------------------------------- +Tue Sep 3 21:12:37 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.11.0 +* The sudo integration was made more robust. SSSD is now able to + gracefully handle situations where it is not able to resolve the + client host name or sudo rules have multiple name attributes. +* Several nested group membership bugs were fixed +* The PAC responder was made more robust and efficient, modifying + existing cache entries instead of always recreating them. +* The Kerberos provider now supports the new KEYRING ccache type. +- Remove sssd-no-ldb-check.diff, now implemented through a + configure argument --disable-ldb-version-check + ------------------------------------------------------------------- Sun Jun 16 16:11:42 UTC 2013 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index cd031f8..90ed7c6 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.9.5 +Version: 1.11.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ 
@@ -28,21 +28,19 @@ Url: https://fedorahosted.org/sssd/ Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz Source2: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz.asc Source3: baselibs.conf -Patch1: 0005-implicit-decl.diff -Patch2: sssd-ldflags.diff -Patch3: sssd-no-ldb-check.diff +Patch1: sssd-ldflags.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define servicename sssd -%define sssdstatedir %_localstatedir/lib/sss -%define dbpath %sssdstatedir/db -%define pipepath %sssdstatedir/pipes -%define pubconfpath %sssdstatedir/pubconf +%define servicename sssd +%define sssdstatedir %_localstatedir/lib/sss +%define dbpath %sssdstatedir/db +%define pipepath %sssdstatedir/pipes +%define pubconfpath %sssdstatedir/pubconf -# SLES11 doesn't know the python_* macros %if %suse_version <= 1110 -%define python_sitelib %py_sitedir -%define python_sitearch %py_sitedir +# SLES11 doesn't know the python_* macros +%define python_sitelib %py_sitedir +%define python_sitearch %py_sitedir %endif BuildRequires: autoconf >= 2.59 @@ -63,6 +61,7 @@ BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libnl-1) >= 1.1 BuildRequires: pkgconfig(libpcre) >= 7 +BuildRequires: pkgconfig(ndr_nbt) BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(popt) BuildRequires: pkgconfig(python) @@ -85,7 +84,9 @@ BuildRequires: libtevent-devel BuildRequires: pcre-devel >= 7 BuildRequires: popt-devel BuildRequires: python-devel +BuildRequires: samba-devel >= 4 %endif +BuildRequires: samba-libs >= 4 %if 0%{?suse_version} >= 1220 BuildRequires: libxml2-tools BuildRequires: libxslt-tools @@ -104,6 +105,7 @@ BuildRequires: systemd %if %suse_version >= 1230 BuildRequires: gpg-offline %endif +Requires: sssd-ldap = %version-%release Requires(postun): pam-config %description 
@@ -113,15 +115,67 @@ the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. -%package ipa-provider -Summary: FreeIPA provider plugin for sssd -License: GPL-3.0+ and LGPL-3.0+ +%package ad +Summary: The ActiveDirectory backend plugin for sssd +License: GPL-3.0+ Group: System/Daemons -Requires: sssd = %version +Requires: %name-krb5-common = %version -%description ipa-provider -This package provide the FreeIPA provider plugin for the System Security -Services Daemon (sssd). +%description ad +Provides the Active Directory back end that the SSSD can utilize to +fetch identity data from and authenticate against an Active Directory +server. + +%package ipa +Summary: FreeIPA backend plugin for sssd +License: GPL-3.0+ +Group: System/Daemons +Requires: %name = %version +Requires: %name-krb5-common = %version-%release +Obsoletes: %name-ipa-provider < %version-%release +Provides: %name-ipa-provider = %version-%release + +%description ipa +Provides the IPA back end that the SSSD can utilize to fetch identity +data from and authenticate against an IPA server. + +%package krb5 +Summary: The Kerberos authentication backend plugin for sssd +License: GPL-3.0+ +Group: System/Daemons +Requires: %name-krb5-common = %version-%release + +%description krb5 +Provides the Kerberos back end that the SSSD can utilize authenticate +against a Kerberos server. + +%package krb5-common +Summary: SSSD helpers needed for Kerberos and GSSAPI authentication +License: GPL-3.0+ +Group: System/Daemons + +%description krb5-common +Provides helper processes that the LDAP and Kerberos back ends can +use for Kerberos user or host authentication. 
+ +%package ldap +Summary: The LDAP backend plugin for sssd +License: GPL-3.0+ +Group: System/Daemons +Requires: %name-krb5-common = %version-%release + +%description ldap +Provides the LDAP back end that the SSSD can utilize to fetch +identity data from and authenticate against an LDAP server. + +%package proxy +Summary: The proxy backend plugin for sssd +License: GPL-3.0+ +Group: System/Daemons + +%description proxy +Provides the proxy back end which can be used to wrap an existing NSS +and/or PAM modules to leverage SSSD caching. %package tools Summary: Commandline tools for sssd @@ -169,6 +223,23 @@ Requires: libsss_idmap0 = %version %description -n libsss_idmap-devel A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. +%package -n libsss_nss_idmap0 +Summary: FreeIPA ID mapping library +License: LGPL-3.0+ +Group: System/Libraries + +%description -n libsss_nss_idmap0 +A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. + +%package -n libsss_nss_idmap-devel +Summary: Development files for the FreeIPA idmap library +License: LGPL-3.0+ +Group: Development/Libraries/C and C++ +Requires: libsss_nss_idmap0 = %version + +%description -n libsss_nss_idmap-devel +A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. + %package -n libsss_sudo Summary: A library to allow communication between sudo and SSSD License: LGPL-3.0+ @@ -183,7 +254,7 @@ A utility library to allow communication between sudo and SSSD. %package -n python-ipa_hbac Summary: Python bindings for the FreeIPA HBAC Evaluator library -License: GPL-3.0+ and LGPL-3.0+ +License: LGPL-3.0+ Group: Development/Libraries/Python %py_requires 
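Review bot: The new backend subpackages pin their dependencies inconsistently: `%package ad` has `Requires: %name-krb5-common = %version` while `ipa`, `krb5` and `ldap` use `= %version-%release`, and only `ipa` carries `Requires: %name = %version`, so `ad`, `krb5`, `ldap` and `proxy` can be installed without the daemon that loads them. Use `Requires: %name = %version-%release` plus `Requires: %name-krb5-common = %version-%release` uniformly in every new `%package` stanza that needs them. `%description krb5` also reads "can utilize authenticate against", missing "to", and `%description proxy` should say "existing NSS and/or PAM modules" without the stray "an".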
@@ -191,6 +262,16 @@ Group: Development/Libraries/Python The python-ipa_hbac package contains the bindings so that libipa_hbac can be used by Python applications. +%package -n python-sss_nss_idmap +Summary: Python bindings for libsss_nss_idmap +License: LGPL-3.0+ +Group: Development/Libraries/Python +%py_requires + +%description -n python-sss_nss_idmap +The libsss_nss_idmap-python contains the bindings so that +libsss_nss_idmap can be used by Python applications. + %package -n python-sssd-config Summary: Python API for configuring sssd License: GPL-3.0+ and LGPL-3.0+ @@ -204,7 +285,7 @@ Security Services Daemon (sssd). %prep %{?gpg_verify: %gpg_verify %{S:2}} %setup -q -%patch -P 1 -P 2 -P 3 -p1 +%patch -P 1 -p1 %build %if 0%{?suse_version} < 1210 @@ -231,7 +312,9 @@ autoreconf -fi; --with-ldb-lib-dir="$LDB_DIR" \ --with-selinux=no \ --with-os=suse \ - --with-semanage=no + --with-semanage=no \ + --disable-ldb-version-check \ + --disable-pac-responder make %{?_smp_mflags} all @@ -244,12 +327,14 @@ install -d "$b/%_mandir"/{cs,cs/man8,nl,nl/man8,pt,pt/man8,uk,uk/man1} \ "$b/%_mandir"/{uk/man5,uk/man8}; install -d "$b/%_sysconfdir/sssd"; install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"; -install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd"; %if 0%{?_unitdir:1} install -d "$b/%_unitdir"; install src/sysv/systemd/sssd.service "$b/%_unitdir/sssd.service"; +rm -Rf "$b/%_initddir" +%else +install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd"; +ln -sf ../../etc/init.d/sssd "$b/usr/sbin/rcsssd" %endif -ln -sf ../../etc/init.d/sssd $b/usr/sbin/rcsssd find "$b" -type f -name "*.la" -delete; 
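Review bot: `--disable-ldb-version-check` in the configure block removes the only runtime guard against loading `memberof.so` into an ldb whose ABI differs from the one it was built against, which is what the dropped sssd-no-ldb-check.diff at the top of this chunk achieved by patching; the failure mode thereby moves from a refused module load to a crash or silent misbehaviour inside the daemon after an ldb update. Pair it with a build-time pinned runtime dependency so that an ldb upgrade forces a rebuild instead, e.g. `%requires_eq` on the package providing `pkgconfig(ldb)`, or at least a comment above the flag stating that the ldb ABI is assumed stable for the versions shipped. `--disable-pac-responder` on the next line deserves a one-line comment too, since it is not visible here whether it is a build-dependency workaround or a deliberate feature cut.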
@@ -293,65 +378,128 @@ fi; %postun -n libipa_hbac0 -p /sbin/ldconfig %post -n libsss_idmap0 -p /sbin/ldconfig %postun -n libsss_idmap0 -p /sbin/ldconfig +%post -n libsss_nss_idmap0 -p /sbin/ldconfig +%postun -n libsss_nss_idmap0 -p /sbin/ldconfig %files -f sssd.lang %defattr(-,root,root) %doc COPYING -%_initrddir/%name %if 0%{?_unitdir:1} %_unitdir +%else +%_initrddir/%name +%_sbindir/rcsssd %endif %_bindir/sss_ssh_* %_sbindir/sssd -%_sbindir/rcsssd -%dir %_libdir/%name -%dir %_libexecdir/%name -%dir %_mandir/cs -%dir %_mandir/cs/man8 -%dir %_mandir/nl -%dir %_mandir/nl/man8 -%dir %_mandir/pt -%dir %_mandir/pt/man8 -%dir %_mandir/uk -%dir %_mandir/uk/man1 -%dir %_mandir/uk/man5 -%dir %_mandir/uk/man8 -%_mandir/??/man?/* +%dir %_mandir/??/ +%dir %_mandir/??/man?/ +%_mandir/??/man1/sss_ssh_* +%_mandir/??/man5/sssd-simple.5* +%_mandir/??/man5/sssd-sudo.5* +%_mandir/??/man5/sssd.conf.5* +%_mandir/??/man8/sssd.8* %_mandir/man1/sss_ssh_* -%_mandir/man5/sssd-ad.5* -%_mandir/man5/sssd-krb5.5* -%_mandir/man5/sssd-ldap.5* %_mandir/man5/sssd-simple.5* %_mandir/man5/sssd-sudo.5* +%_mandir/man5/sssd.conf.5* %_mandir/man8/sssd.8* -%_mandir/man5/sssd.conf.5.gz -%_libexecdir/%name/sss* -%_libexecdir/%name/*_child -%_libdir/%name/libsss_ad.so -%_libdir/%name/libsss_krb5* -%_libdir/%name/libsss_ldap* -%_libdir/%name/libsss_proxy* +%dir %_libdir/%name/ +%_libdir/%name/libsss_child* +%_libdir/%name/libsss_crypt* +%_libdir/%name/libsss_debug* %_libdir/%name/libsss_simple* -%_libdir/%name/modules +%_libdir/%name/libsss_util* +%_libdir/%name/modules/ +%dir %_libdir/ldb/ %_libdir/ldb/memberof.so +%dir %_libexecdir/%name/ +%_libexecdir/%name/sssd_* %dir %sssdstatedir -%attr(700,root,root) %dir %dbpath -%attr(755,root,root) %dir %pipepath -%attr(700,root,root) %dir %pipepath/private -%attr(755,root,root) %dir %pubconfpath -%attr(750,root,root) %dir %_localstatedir/log/%name -%dir %_sysconfdir/sssd +%attr(700,root,root) %dir %dbpath/ +%attr(755,root,root) %dir %pipepath/ 
+%attr(700,root,root) %dir %pipepath/private/ +%attr(755,root,root) %dir %pubconfpath/ +%attr(750,root,root) %dir %_localstatedir/log/%name/ +%dir %_sysconfdir/sssd/ %config(noreplace) %_sysconfdir/sssd/sssd.conf -%_datadir/sssd -%exclude %_datadir/sssd/sssd.api.d/sssd-ipa.conf +%dir %_datadir/%name/ +%_datadir/%name/sssd.api.conf +%dir %_datadir/%name/sssd.api.d/ +%_datadir/%name/sssd.api.d/sssd-local.conf +%_datadir/%name/sssd.api.d/sssd-simple.conf # -# client side +# sssd-client # /%_lib/libnss_sss.so.2 /%_lib/security/pam_sss.so %_libdir/krb5/plugins/libkrb5/* -%_mandir/man8/pam_sss.8.gz -%_mandir/man8/sssd_krb5_locator_plugin.8.gz +%_mandir/??/man8/pam_sss.8* +%_mandir/??/man8/sssd_krb5_locator_plugin.8* +%_mandir/man8/pam_sss.8* +%_mandir/man8/sssd_krb5_locator_plugin.8* + +%files ad +%defattr(-,root,root) +%dir %_libdir/%name/ +%_libdir/%name/libsss_ad.so +%dir %_datadir/%name/ +%dir %_datadir/%name/sssd.api.d/ +%_datadir/%name/sssd.api.d/sssd-ad.conf +%dir %_mandir/??/man5/ +%_mandir/man5/sssd-ad.5* +%_mandir/??/man5/sssd-ad.5* + +%files ipa +%defattr(-,root,root) +%dir %_libdir/%name/ +%_libdir/%name/libsss_ipa* +%dir %_datadir/%name/ +%dir %_datadir/%name/sssd.api.d +%_datadir/%name/sssd.api.d/sssd-ipa.conf +%dir %_mandir/??/man5/ +%_mandir/man5/sssd-ipa.5* +%_mandir/??/man5/sssd-ipa.5* + +%files krb5 +%defattr(-,root,root) +%dir %_libdir/%name/ +%_libdir/%name/libsss_krb5.so +%dir %_datadir/%name/ +%dir %_datadir/%name/sssd.api.d/ +%_datadir/%name/sssd.api.d/sssd-krb5.conf +%dir %_mandir/??/man5/ +%_mandir/man5/sssd-krb5.5* +%_mandir/??/man5/sssd-krb5.5* + +%files krb5-common +%defattr(-,root,root) +%dir %_libdir/%name/ +%_libdir/%name/libsss_krb5_common.so +%dir %_libexecdir/%name/ +%_libexecdir/%name/krb5_child +%_libexecdir/%name/ldap_child + +%files ldap +%defattr(-,root,root) +%dir %_libdir/%name/ +%_libdir/%name/libsss_ldap* +%dir %_datadir/%name/ +%dir %_datadir/%name/sssd.api.d/ +%_datadir/%name/sssd.api.d/sssd-ldap.conf +%dir %_mandir/??/man5/ 
+%_mandir/??/man5/sssd-ldap.5* +%_mandir/man5/sssd-ldap.5* + +%files proxy +%defattr(-,root,root) +%dir %_libdir/%name/ +%_libdir/%name/libsss_proxy.so +%dir %_libexecdir/%name/ +%_libexecdir/%name/proxy_child +%dir %_datadir/%name/ +%dir %_datadir/%name/sssd.api.d/ +%_datadir/%name/sssd.api.d/sssd-proxy.conf %files tools %defattr(-,root,root) @@ -362,29 +510,13 @@ fi; %_sbindir/sss_groupmod %_sbindir/sss_groupshow %_sbindir/sss_seed +%_sbindir/sss_obfuscate %_sbindir/sss_useradd %_sbindir/sss_userdel %_sbindir/sss_usermod -%_mandir/man8/sss_groupadd.8* -%_mandir/man8/sss_groupdel.8* -%_mandir/man8/sss_groupmod.8* -%_mandir/man8/sss_groupshow.8* -%_mandir/man8/sss_seed.8* -%_mandir/man8/sss_useradd.8* -%_mandir/man8/sss_userdel.8* -%_mandir/man8/sss_usermod.8* -%_mandir/man8/sss_obfuscate.8* -%_mandir/man8/sss_cache.8* -%_mandir/man8/sss_debuglevel.8* -%attr(0755,root,root) %_sbindir/sss_obfuscate - -%files ipa-provider -%defattr(-,root,root) -%dir %_datadir/sssd -%dir %_datadir/sssd/sssd.api.d -%_datadir/sssd/sssd.api.d/sssd-ipa.conf -%_libdir/sssd/libsss_ipa* -%_mandir/man5/sssd-ipa.* +%dir %_mandir/??/man8/ +%_mandir/??/man8/sss_*.8* +%_mandir/man8/sss_*.8* %files -n libipa_hbac0 %defattr(-,root,root) 
@@ -406,15 +538,30 @@ fi; %_libdir/libsss_idmap.so %_libdir/pkgconfig/sss_idmap.pc +%files -n libsss_nss_idmap0 +%defattr(-,root,root) +%_libdir/libsss_nss_idmap.so.0* + +%files -n libsss_nss_idmap-devel +%defattr(-,root,root) +%_includedir/sss_nss_idmap.h +%_libdir/libsss_nss_idmap.so +%_libdir/pkgconfig/sss_nss_idmap.pc + %files -n libsss_sudo %defattr(-,root,root) -%_includedir/sss_sudo.h %_libdir/libsss_sudo.so %files -n python-ipa_hbac %defattr(-,root,root) +%dir %python_sitearch %python_sitearch/pyhbac.so +%files -n python-sss_nss_idmap +%defattr(-,root,root) +%dir %python_sitearch +%python_sitearch/pysss_nss_idmap.so + %files -n python-sssd-config %defattr(-,root,root) %python_sitearch/pysss.so From bd4b78296a471041b7a22c66823fd8a184e584b52d57889cd771efc818e57e03 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Thu, 19 Dec 2013 11:37:19 +0000 Subject: [PATCH 43/63] Accepting request 211391 from network:ldap - Migrate deprecated krb5_kdcip variable to krb5_server (bnc#851048) (forwarded request 208844 from ckornacker) OBS-URL: https://build.opensuse.org/request/show/211391 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=50 --- sssd.changes | 5 +++++ sssd.spec | 3 +++ 2 files changed, 8 insertions(+) diff --git a/sssd.changes b/sssd.changes index 38cdec5..4986c60 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Nov 28 16:51:39 UTC 2013 - ckornacker@suse.com + +- Migrate deprecated krb5_kdcip variable to krb5_server (bnc#851048) + ------------------------------------------------------------------- Fri Nov 1 22:12:03 UTC 2013 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index 90ed7c6..d1e664d 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -352,6 +352,9 @@ rm -Rf "$b/usr/share/locale"/{fa_IR,ja_JP,lt_LT,ta_IN,vi_VN}
 %endif
 %post
+# migrate config variable krb5_kdcip to krb5_server (bnc#851048)
+/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf
+
 /sbin/ldconfig
 %if 0%{?_unitdir:1}
 %service_add_post sssd.service
From 6f9f1da33f5bc8b7d1704534ee18460ad87ff3c7c72bba6ce3c67f3625972541 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 31 Dec 2013 09:58:27 +0000
Subject: [PATCH 44/63] Accepting request 212445 from network:ldap
Automatic submission by obs-autosubmit
OBS-URL: https://build.opensuse.org/request/show/212445
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=51
---
 sssd-1.11.2.tar.gz | 3 -
 sssd-1.11.2.tar.gz.asc | 7 --
 sssd-1.11.3.tar.gz | 3 +
 sssd-1.11.3.tar.gz.asc | 7 ++
 sssd-ldflags.diff | 211 -----------------------------------------
 sssd.changes | 19 ++++
 sssd.spec | 9 +-
 7 files changed, 31 insertions(+), 228 deletions(-)
 delete mode 100644 sssd-1.11.2.tar.gz
 delete mode 100644 sssd-1.11.2.tar.gz.asc
 create mode 100644 sssd-1.11.3.tar.gz
 create mode 100644 sssd-1.11.3.tar.gz.asc
 delete mode 100644 sssd-ldflags.diff
diff --git a/sssd-1.11.2.tar.gz b/sssd-1.11.2.tar.gz
deleted file mode 100644
index adc6574..0000000
--- a/sssd-1.11.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:40da555ef1d81f0b73aa4e484719f9ca340dc76b7b549761f2ca775ff90b34bc
-size 3442072
diff --git a/sssd-1.11.2.tar.gz.asc b/sssd-1.11.2.tar.gz.asc
deleted file mode 100644
index f9f6ccb..0000000
--- a/sssd-1.11.2.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.15 (GNU/Linux)
-
-iEYEABECAAYFAlJxiVwACgkQHsardTLnvCU4CwCfU1uc5bwo9fTZXh4i0KLGp709
-wL4Anil81EFYHIFhnGsCs0L300OQmbGp
-=2QGa
------END PGP SIGNATURE-----
diff --git a/sssd-1.11.3.tar.gz b/sssd-1.11.3.tar.gz
new file mode 100644
index 0000000..0cefa6d
--- /dev/null
+++ b/sssd-1.11.3.tar.gz
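Review bot: The `/bin/sed -i` added to `%post` rewrites `%_sysconfdir/sssd/sssd.conf`, a `%config(noreplace)` file the spec deliberately installs with `-m600`, on every install as well as every upgrade and without checking that the file exists, so an admin-removed config makes the scriptlet fail. The pattern `^krb5_kdcip =` also matches only the single-space spelling, leaving `krb5_kdcip=` or a tab before `=` unmigrated, and the `g` flag is redundant with the `^` anchor. Guard and widen it: `if [ "$1" -gt 1 ] && [ -f %_sysconfdir/sssd/sssd.conf ]; then /bin/sed -i -e 's,^krb5_kdcip[[:space:]]*=,krb5_server =,' %_sysconfdir/sssd/sssd.conf; fi`. Because GNU sed's `-i` replaces the file by rename, verify in a test install that the rewritten copy keeps 0600 root:root rather than assuming it.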
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:85b6881aa362d2686f4f5bd28bc61e33fc02fce599d7022e70cea08a3bf281c7
+size 3462928
diff --git a/sssd-1.11.3.tar.gz.asc b/sssd-1.11.3.tar.gz.asc
new file mode 100644
index 0000000..27a1dac
--- /dev/null
+++ b/sssd-1.11.3.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.15 (GNU/Linux)
+
+iEYEABECAAYFAlKzMroACgkQHsardTLnvCXxSgCdFD/f8rKeBmrkrRgyqRZSXU/H
+QfkAoM1o+TwKS2DcYRTdbVbpEQbg6avB
+=No1R
+-----END PGP SIGNATURE-----
diff --git a/sssd-ldflags.diff b/sssd-ldflags.diff
deleted file mode 100644
index 3229388..0000000
--- a/sssd-ldflags.diff
+++ /dev/null
@@ -1,211 +0,0 @@ -From c9b13c7e032fde96cf07c7d298bb7fa65fad220b Mon Sep 17 00:00:00 2001 -From: Jan Engelhardt -Date: Fri, 1 Nov 2013 23:01:09 +0100 -Subject: [PATCH] build: fix ordering of linker flags - -Libraries MUST be specified in LDADD/LIBADD, not LDFLAGS, because -LDFLAGS appear earlier in the command line and library order is -significant. ---- - Makefile.am | 66 ++++++++++++++++++++++++++++++------------------------------ - 1 file changed, 34 insertions(+), 32 deletions(-) - -Index: sssd-1.11.2/Makefile.am -=================================================================== ---- sssd-1.11.2.orig/Makefile.am -+++ sssd-1.11.2/Makefile.am -@@ -600,9 +600,10 @@ dist_pkgconfig_DATA += src/providers/ipa - libipa_hbac_la_SOURCES = \ - src/providers/ipa/hbac_evaluator.c \ - src/util/sss_utf8.c --libipa_hbac_la_LDFLAGS = \ -- -version-info 0:1:0 \ -+libipa_hbac_la_LIBADD = \ - $(UNICODE_LIBS) -+libipa_hbac_la_LDFLAGS = \ -+ -version-info 0:1:0 - - dist_pkgconfig_DATA += src/lib/idmap/sss_idmap.pc - libsss_idmap_la_SOURCES = \ -@@ -617,8 +618,9 @@ libsss_nss_idmap_la_SOURCES = \ - src/sss_client/idmap/sss_nss_idmap.c \ - src/sss_client/common.c \ - src/util/strtonum.c -+libsss_nss_idmap_la_LIBADD = \ -+ $(CLIENT_LIBS) - libsss_nss_idmap_la_LDFLAGS = \ -- $(CLIENT_LIBS) \ - -version-info 0:1:0 - - include_HEADERS = \ -@@ -771,10 +773,9 @@ sss_userdel_SOURCES = \ - $(SSSD_LCL_TOOLS_OBJ) - sss_userdel_LDADD = \ - $(TOOLS_LIBS) \ -- $(SSSD_INTERNAL_LTLIBS) --sss_userdel_CFLAGS = $(AM_CFLAGS) --sss_userdel_LDFLAGS = \ -+ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) -+sss_userdel_CFLAGS = $(AM_CFLAGS) - - sss_groupadd_SOURCES = \ - src/tools/sss_groupadd.c \ -@@ -788,30 +789,27 @@ sss_groupdel_SOURCES = \ - $(SSSD_LCL_TOOLS_OBJ) - sss_groupdel_LDADD = \ - $(TOOLS_LIBS) \ -- $(SSSD_INTERNAL_LTLIBS) --sss_groupdel_CFLAGS = $(AM_CFLAGS) --sss_groupdel_LDFLAGS = \ -+ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) -+sss_groupdel_CFLAGS = $(AM_CFLAGS) - - sss_usermod_SOURCES = \ - 
src/tools/sss_usermod.c \ - $(SSSD_LCL_TOOLS_OBJ) - sss_usermod_LDADD = \ - $(TOOLS_LIBS) \ -- $(SSSD_INTERNAL_LTLIBS) --sss_usermod_CFLAGS = $(AM_CFLAGS) --sss_usermod_LDFLAGS = \ -+ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) -+sss_usermod_CFLAGS = $(AM_CFLAGS) - - sss_groupmod_SOURCES = \ - src/tools/sss_groupmod.c \ - $(SSSD_LCL_TOOLS_OBJ) - sss_groupmod_LDADD = \ - $(TOOLS_LIBS) \ -- $(SSSD_INTERNAL_LTLIBS) --sss_groupmod_CFLAGS = $(AM_CFLAGS) --sss_groupmod_LDFLAGS = \ -+ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) -+sss_groupmod_CFLAGS = $(AM_CFLAGS) - - sss_groupshow_SOURCES = \ - src/tools/sss_groupshow.c \ -@@ -825,10 +823,9 @@ sss_cache_SOURCES = \ - $(SSSD_LCL_TOOLS_OBJ) - sss_cache_LDADD = \ - $(TOOLS_LIBS) \ -- $(SSSD_INTERNAL_LTLIBS) --sss_cache_CFLAGS = $(AM_CFLAGS) --sss_cache_LDFLAGS = \ -+ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) -+sss_cache_CFLAGS = $(AM_CFLAGS) - - sss_debuglevel_SOURCES = \ - src/tools/sss_debuglevel.c \ -@@ -851,7 +848,7 @@ sss_sudo_cli_SOURCES = \ - src/sss_client/sudo/sss_sudo_response.c \ - src/sss_client/sudo_testcli/sudo_testcli.c - sss_sudo_cli_CFLAGS = $(AM_CFLAGS) --sss_sudo_cli_LDFLAGS = $(CLIENT_LIBS) -+sss_sudo_cli_LDADD = $(CLIENT_LIBS) - endif - - if BUILD_SSH -@@ -861,8 +858,8 @@ sss_ssh_authorizedkeys_SOURCES = \ - src/sss_client/ssh/sss_ssh_authorizedkeys.c - sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS) - sss_ssh_authorizedkeys_LDADD = \ -- $(SSSD_INTERNAL_LTLIBS) --sss_ssh_authorizedkeys_LDFLAGS = $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) -+ $(SSSD_INTERNAL_LTLIBS) \ -+ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) - - sss_ssh_knownhostsproxy_SOURCES = \ - src/sss_client/common.c \ -@@ -870,8 +867,8 @@ sss_ssh_knownhostsproxy_SOURCES = \ - src/sss_client/ssh/sss_ssh_knownhostsproxy.c - sss_ssh_knownhostsproxy_CFLAGS = $(AM_CFLAGS) - sss_ssh_knownhostsproxy_LDADD = \ -- $(SSSD_INTERNAL_LTLIBS) --sss_ssh_knownhostsproxy_LDFLAGS = $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) -+ $(SSSD_INTERNAL_LTLIBS) \ -+ 
$(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) - endif - - ################# -@@ -1402,7 +1399,7 @@ noinst_PROGRAMS += autofs_test_client - endif - - pam_test_client_SOURCES = src/sss_client/pam_test_client.c --pam_test_client_LDFLAGS = -lpam -lpam_misc -+pam_test_client_LDADD = -lpam -lpam_misc - - if BUILD_AUTOFS - autofs_test_client_SOURCES = \ -@@ -1410,7 +1407,7 @@ autofs_test_client_SOURCES = \ - src/sss_client/autofs/sss_autofs.c \ - src/sss_client/common.c - autofs_test_client_CFLAGS = $(AM_CFLAGS) --autofs_test_client_LDFLAGS = -lpopt $(CLIENT_LIBS) -+autofs_test_client_LDADD = -lpopt $(CLIENT_LIBS) - endif - - #################### -@@ -1432,8 +1429,9 @@ libnss_sss_la_SOURCES = \ - src/sss_client/nss_mc_passwd.c \ - src/sss_client/nss_mc_group.c \ - src/sss_client/nss_mc.h -+libnss_sss_la_LIBADD = \ -+ $(CLIENT_LIBS) - libnss_sss_la_LDFLAGS = \ -- $(CLIENT_LIBS) \ - -module \ - -version-info 2:0:0 \ - -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports -@@ -1446,9 +1444,10 @@ pam_sss_la_SOURCES = \ - src/util/atomic_io.c \ - src/sss_client/sss_pam_macros.h - --pam_sss_la_LDFLAGS = \ -+pam_sss_la_LIBADD = \ - $(CLIENT_LIBS) \ -- -lpam \ -+ -lpam -+pam_sss_la_LDFLAGS = \ - -module \ - -avoid-version \ - -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports -@@ -1462,8 +1461,9 @@ libsss_sudo_la_SOURCES = \ - src/sss_client/sudo/sss_sudo.c \ - src/sss_client/sudo/sss_sudo.h \ - src/sss_client/sudo/sss_sudo_private.h -+libsss_sudo_la_LIBADD = \ -+ $(CLIENT_LIBS) - libsss_sudo_la_LDFLAGS = \ -- $(CLIENT_LIBS) \ - -Wl,--version-script,$(srcdir)/src/sss_client/sss_sudo.exports \ - -module \ - -avoid-version -@@ -1480,8 +1480,9 @@ libsss_autofs_la_SOURCES = \ - src/sss_client/autofs/sss_autofs.c \ - src/sss_client/autofs/sss_autofs_private.h - -+libsss_autofs_la_LIBADD = \ -+ $(CLIENT_LIBS) - libsss_autofs_la_LDFLAGS = \ -- $(CLIENT_LIBS) \ - -module \ - -avoid-version \ - -Wl,--version-script,$(srcdir)/src/sss_client/autofs/sss_autofs.exports -@@ 
-1831,9 +1832,10 @@ sssd_pac_plugin_la_SOURCES = \ - sssd_pac_plugin_la_CFLAGS = \ - $(AM_CFLAGS) \ - $(KRB5_CFLAGS) --sssd_pac_plugin_la_LDFLAGS = \ -+sssd_pac_plugin_la_LIBADD = \ - $(CLIENT_LIBS) \ -- -lkrb5 \ -+ -lkrb5 -+sssd_pac_plugin_la_LDFLAGS = \ - -avoid-version \ - -module - diff --git a/sssd.changes b/sssd.changes index 4986c60..356816a 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Fri Dec 20 21:54:58 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.11.3 +* The AD provider is able to resolve group memberships for groups + with Global and Universal scope +* The initgroups (get groups for user) operation for users from + trusted AD domains was made more reliable by reading the required + tokenGroups attribute from LDAP instead of Global Catalog +* A new option ad_enable_gc was added to the AD provider. This + option allows the administrator to force SSSD to talk to LDAP + port only and never try the Global Catalog +* The AD provider is now able to leverage the tokenGroups attribute + even when POSIX attributes are used, providing better performance + during logins. +* A memory leak in the NSS responder that affected long-lived + clients that requested netgroup data was fixed +- Remove sssd-ldflags.diff (merged upstream) + ------------------------------------------------------------------- Thu Nov 28 16:51:39 UTC 2013 - ckornacker@suse.com diff --git a/sssd.spec b/sssd.spec index d1e664d..5623fce 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.11.2 +Version: 1.11.3 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ 
@@ -28,7 +28,6 @@ Url: https://fedorahosted.org/sssd/
 Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz
 Source2: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz.asc
 Source3: baselibs.conf
-Patch1: sssd-ldflags.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define servicename sssd
@@ -285,7 +284,6 @@ Security Services Daemon (sssd).
 %prep
 %{?gpg_verify: %gpg_verify %{S:2}}
 %setup -q
-%patch -P 1 -p1
 %build
 %if 0%{?suse_version} < 1210
@@ -360,16 +358,13 @@ rm -Rf "$b/usr/share/locale"/{fa_IR,ja_JP,lt_LT,ta_IN,vi_VN}
 %service_add_post sssd.service
 %endif
-%preun
-%stop_on_removal sssd
 %if 0%{?_unitdir:1}
+%preun
 %service_del_preun sssd.service
 %endif
 %postun
 /sbin/ldconfig
-%restart_on_update sssd
-%insserv_cleanup
 %if 0%{?_unitdir:1}
 %service_del_postun sssd.service
 %endif
From 49f6037290ee6df01ec3fe3879f11f91b4e7bf42af87f36d426b1b6403e9b8bf Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 18 Mar 2014 15:21:16 +0000
Subject: [PATCH 45/63] Accepting request 225993 from network:ldap
Automatic submission by obs-autosubmit
OBS-URL: https://build.opensuse.org/request/show/225993
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=52
---
 sssd-1.11.3.tar.gz | 3 ---
 sssd-1.11.3.tar.gz.asc | 7 -------
 sssd-1.11.4.tar.gz | 3 +++
 sssd-1.11.4.tar.gz.asc | 7 +++++++
 sssd.changes | 15 +++++++++++++++
 sssd.spec | 4 ++--
 6 files changed, 27 insertions(+), 12 deletions(-)
 delete mode 100644 sssd-1.11.3.tar.gz
 delete mode 100644 sssd-1.11.3.tar.gz.asc
 create mode 100644 sssd-1.11.4.tar.gz
 create mode 100644 sssd-1.11.4.tar.gz.asc
diff --git a/sssd-1.11.3.tar.gz b/sssd-1.11.3.tar.gz
deleted file mode 100644
index 0cefa6d..0000000
--- a/sssd-1.11.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:85b6881aa362d2686f4f5bd28bc61e33fc02fce599d7022e70cea08a3bf281c7
-size 3462928
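Review bot: Dropping `%stop_on_removal sssd`, `%restart_on_update sssd` and `%insserv_cleanup` while moving `%preun` under `%if 0%{?_unitdir:1}` leaves the SysV branch with no service handling at all, even though `%install` still places `src/sysv/SUSE/sssd` into `%_sysconfdir/init.d` in its `%else` branch. On such a target an upgrade no longer restarts the daemon, so the old binaries keep running until the next reboot and a fix shipped in the update is not actually active, and package removal leaves a running service behind. If the init-script branch is still meant to be supported, keep the old macros in `%else` branches of the same conditionals.
```rpm-spec
%preun
%if 0%{?_unitdir:1}
%service_del_preun sssd.service
%else
%stop_on_removal sssd
%endif

%postun
/sbin/ldconfig
%if 0%{?_unitdir:1}
%service_del_postun sssd.service
%else
%restart_on_update sssd
%insserv_cleanup
%endif
```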
diff --git a/sssd-1.11.3.tar.gz.asc b/sssd-1.11.3.tar.gz.asc deleted file mode 100644 index 27a1dac..0000000 --- a/sssd-1.11.3.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.15 (GNU/Linux) - -iEYEABECAAYFAlKzMroACgkQHsardTLnvCXxSgCdFD/f8rKeBmrkrRgyqRZSXU/H -QfkAoM1o+TwKS2DcYRTdbVbpEQbg6avB -=No1R ------END PGP SIGNATURE----- diff --git a/sssd-1.11.4.tar.gz b/sssd-1.11.4.tar.gz new file mode 100644 index 0000000..3ea066f --- /dev/null +++ b/sssd-1.11.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5bd2642f9f9cdca8eb9243e59bfdfcf7d7d6a60dac01eea7926450b1d59e09f3 +size 3480248 diff --git a/sssd-1.11.4.tar.gz.asc b/sssd-1.11.4.tar.gz.asc new file mode 100644 index 0000000..8b846c5 --- /dev/null +++ b/sssd-1.11.4.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlMCXHcACgkQHsardTLnvCUEnACgxms5JRV+CxPPHvvNxiMaIy/r +sG0AnRKzG0wnYODqVziXRpKF11Hx2aM6 +=4fOu +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 356816a..06960ad 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Fri Mar 7 15:18:34 UTC 2014 - jengelh@inai.de + +- Update to new upstream release 1.11.4 +* The simple access provider supports specifying users and groups + using their NetBIOS domain name (such as DOMAIN\username) +* Support for enumerating users and groups from trusted AD domains + was added to the AD provider +* The Active Directory site discovery was made more robust for + configurations which use multiple trusted domains +* Several bugs in the LDAP provider that affected setups which + mapped Windows SIDs to POSIX IDs were fixed +* The SSSD is now able to use One Time Password (OTP) + authentication configured on an IPA server. + ------------------------------------------------------------------- Fri Dec 20 21:54:58 UTC 2013 - jengelh@inai.de 
diff --git a/sssd.spec b/sssd.spec
index 5623fce..2452c4e 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@ Name: sssd
-Version: 1.11.3
+Version: 1.11.4
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0+ and LGPL-3.0+
From 064b3f8daafa933a56f660339becd11c17b26920a96b682505e03daf77a6a4bf Mon Sep 17 00:00:00 2001
From: Stephan Kulow Date: Fri, 2 May 2014 07:51:48 +0000 Subject: [PATCH 46/63] Accepting request 231991 from network:ldap - Update to new upstream release 1.11.5.1 * sssd crashes after upgrade from 1.11.4 to 1.11.5 when using a samba4 domain * SSSD pam module accepts usernames with leading spaces * [RFE] Expose the list of trusted domains to IPA * If both IPA and LDAP are set up with enumeration on, two enum tasks are running * sssd.conf man pages don't list a configuration option. * Make SSSD compilable on systems with non-standard paths to krb5 includes * [freebsd] pam_sss: add ignore_unknown_user option * MAN: Remove misleading memberof example from ldap_access_filter example * not retrieving homedirs of AD users with posix attributes * Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes * Check IPA idranges before saving them to the cache * Evaluate usage of sudo LDAP provider together with the AD provider * Setting int option to 0 yields the default value * ipa-server-mode: Use lower-case user name component in home dir path * SSSD Does not cache SELinux map from FreeIPA correctly * IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in * sssd fails to handle expired passwords when OTP is used * Add another Kerberos error code to trigger IPA password migration * Double OK when starting the service * SSSD should create the SELinux mapping file with format expected by pam_selinux * Valgrind: Invalid read of int while processing netgroup * other subdomains are unavailable when joined to a subdomain in the ad forest * Error during password change * configure time variables not expanded when running ./configure * RHEL7 IPA selinuxusermap hbac rule not always matching OBS-URL: https://build.opensuse.org/request/show/231991 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=53 --- sssd-1.11.4.tar.gz | 3 --- sssd-1.11.4.tar.gz.asc | 7 ------- 
sssd-1.11.5.1.tar.gz | 3 +++ sssd-1.11.5.1.tar.gz.asc | 7 +++++++ sssd.changes | 30 ++++++++++++++++++++++++++++++ sssd.service | 15 +++++++++++++++ sssd.spec | 7 +++++-- 7 files changed, 60 insertions(+), 12 deletions(-) delete mode 100644 sssd-1.11.4.tar.gz delete mode 100644 sssd-1.11.4.tar.gz.asc create mode 100644 sssd-1.11.5.1.tar.gz create mode 100644 sssd-1.11.5.1.tar.gz.asc create mode 100644 sssd.service diff --git a/sssd-1.11.4.tar.gz b/sssd-1.11.4.tar.gz deleted file mode 100644 index 3ea066f..0000000 --- a/sssd-1.11.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5bd2642f9f9cdca8eb9243e59bfdfcf7d7d6a60dac01eea7926450b1d59e09f3 -size 3480248 diff --git a/sssd-1.11.4.tar.gz.asc b/sssd-1.11.4.tar.gz.asc deleted file mode 100644 index 8b846c5..0000000 --- a/sssd-1.11.4.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlMCXHcACgkQHsardTLnvCUEnACgxms5JRV+CxPPHvvNxiMaIy/r -sG0AnRKzG0wnYODqVziXRpKF11Hx2aM6 -=4fOu ------END PGP SIGNATURE----- diff --git a/sssd-1.11.5.1.tar.gz b/sssd-1.11.5.1.tar.gz new file mode 100644 index 0000000..f6e93f2 --- /dev/null +++ b/sssd-1.11.5.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5bf0d564de5193df0fc28df5e156109b32a7a66bc68f0366e06c00bcd68fea1b +size 3511029 diff --git a/sssd-1.11.5.1.tar.gz.asc b/sssd-1.11.5.1.tar.gz.asc new file mode 100644 index 0000000..f6b8a73 --- /dev/null +++ b/sssd-1.11.5.1.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlNIGEUACgkQHsardTLnvCU6hwCg0pveLQy2nicOicGbNg1d7ANp +4PEAn0v0uCRsJLsuANezjLMM2C/uaf6Z +=HFIZ +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 06960ad..5a9f55c 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Tue Apr 29 10:00:57 UTC 2014 - varkoly@suse.com + +- Update to new upstream release 1.11.5.1 + * sssd crashes after upgrade from 1.11.4 to 1.11.5 when using a samba4 domain + * SSSD pam module accepts usernames with leading spaces + * [RFE] Expose the list of trusted domains to IPA + * If both IPA and LDAP are set up with enumeration on, two enum tasks are running + * sssd.conf man pages don't list a configuration option. + * Make SSSD compilable on systems with non-standard paths to krb5 includes + * [freebsd] pam_sss: add ignore_unknown_user option + * MAN: Remove misleading memberof example from ldap_access_filter example + * not retrieving homedirs of AD users with posix attributes + * Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes + * Check IPA idranges before saving them to the cache + * Evaluate usage of sudo LDAP provider together with the AD provider + * Setting int option to 0 yields the default value + * ipa-server-mode: Use lower-case user name component in home dir path + * SSSD Does not cache SELinux map from FreeIPA correctly + * IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in + * sssd fails to handle expired passwords when OTP is used + * Add another Kerberos error code to trigger IPA password migration + * Double OK when starting the service + * SSSD should create the SELinux mapping file with format expected by pam_selinux + * Valgrind: Invalid read of int while processing netgroup + * other subdomains are unavailable when joined to a subdomain in the ad forest + * Error during password change + * configure time variables not expanded when running ./configure + * RHEL7 IPA selinuxusermap hbac rule not always matching + ------------------------------------------------------------------- Fri Mar 7 15:18:34 UTC 2014 - jengelh@inai.de 
diff --git a/sssd.service b/sssd.service new file mode 100644 index 0000000..ef3c8f4 --- /dev/null +++ b/sssd.service @@ -0,0 +1,15 @@ +[Unit] +Description=System Security Services Daemon +# SSSD will not be started until syslog is +After=syslog.target + +[Service] +EnvironmentFile=-/etc/sysconfig/sssd +ExecStart=/usr/sbin/sssd -D -f +# These two should be used with traditional UNIX forking daemons +# consult systemd.service(5) for more details +Type=forking +PIDFile=/var/run/sssd.pid + +[Install] +WantedBy=multi-user.target diff --git a/sssd.spec b/sssd.spec index 2452c4e..795e11b 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.11.4 +Version: 1.11.5.1 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ @@ -28,6 +28,7 @@ Url: https://fedorahosted.org/sssd/ Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz Source2: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz.asc Source3: baselibs.conf +Source4: sssd.service BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -327,7 +328,9 @@ install -d "$b/%_sysconfdir/sssd"; install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"; %if 0%{?_unitdir:1} install -d "$b/%_unitdir"; -install src/sysv/systemd/sssd.service "$b/%_unitdir/sssd.service"; +# Missing service file in 1.11.5.1 +#install src/sysv/systemd/sssd.service "$b/%_unitdir/sssd.service"; +install %{S:4} "$b/%_unitdir/sssd.service"; rm -Rf "$b/%_initddir" %else install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd"; From 5e396627cbee4921631f29b4f0ec206d37ed450ab2e8f47e7741df1bbbff6a10 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Wed, 14 May 2014 08:50:28 +0000 Subject: [PATCH 47/63] Accepting request 233707 from network:ldap - bnc#877457 - 78 Configuration file /usr/lib/systemd/system/sssd.service is marked executable. Please remove executable permission bits. - Detect endianness at configure time, for use by Samba's byteorder.h header; (bnc#876544). + 0001-build-detect-endianness-at-configure-time.patch (forwarded request 233706 from varkoly) OBS-URL: https://build.opensuse.org/request/show/233707 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=54 --- ...-detect-endianness-at-configure-time.patch | 34 +++++++++++++++++++ sssd.changes | 13 +++++++ sssd.spec | 4 ++- 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 0001-build-detect-endianness-at-configure-time.patch diff --git a/0001-build-detect-endianness-at-configure-time.patch b/0001-build-detect-endianness-at-configure-time.patch new file mode 100644 index 0000000..6b37a3c --- /dev/null +++ b/0001-build-detect-endianness-at-configure-time.patch 
@@ -0,0 +1,34 @@ +From 303d096f920801f7b06a7ad406ea83b4cd0219da Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Tue, 6 May 2014 15:56:42 +0200 +Subject: [PATCH] build: detect endianness at configure time + +WORDS_BIGENDIAN, HAVE_BIG_ENDIAN and HAVE_LITTLE_ENDIAN are needed by +Samba. See Samba's byteorder.h header for an example. + +Signed-off-by: David Disseldorp +--- + configure.ac | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git configure.ac configure.ac +index eb7e376..3ed8e69 100644 +--- configure.ac ++++ configure.ac +@@ -309,6 +309,13 @@ AM_CHECK_CMOCKA + + AM_CONDITIONAL([HAVE_DEVSHM], [test -d /dev/shm]) + ++AC_C_BIGENDIAN ++if test x$WORDS_BIGENDIAN != x; then ++ AC_DEFINE(HAVE_BIG_ENDIAN, 1, [whether platform is big endian]) ++else ++ AC_DEFINE(HAVE_LITTLE_ENDIAN, 1, [whether platform is little endian]) ++fi ++ + abs_build_dir=`pwd` + AC_DEFINE_UNQUOTED([ABS_BUILD_DIR], ["$abs_build_dir"], [Absolute path to the build directory]) + AC_SUBST([abs_builddir], $abs_build_dir) +-- +1.8.4.5 + diff --git a/sssd.changes b/sssd.changes index 5a9f55c..c116e68 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Tue May 13 11:11:59 UTC 2014 - varkoly@suse.com + +- bnc#877457 - 78 Configuration file /usr/lib/systemd/system/sssd.service is marked executable. + Please remove executable permission bits. + +------------------------------------------------------------------- +Tue May 6 14:01:29 UTC 2014 - ddiss@suse.com + +- Detect endianness at configure time, for use by Samba's byteorder.h header; + (bnc#876544). + + 0001-build-detect-endianness-at-configure-time.patch + ------------------------------------------------------------------- Tue Apr 29 10:00:57 UTC 2014 - varkoly@suse.com diff --git a/sssd.spec b/sssd.spec index 795e11b..df67553 100644 --- a/sssd.spec +++ b/sssd.spec 
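Review bot: The test `if test x$WORDS_BIGENDIAN != x; then` in the configure.ac hunk carried by this patch never fires: AC_C_BIGENDIAN records its result in the cache variable `ac_cv_c_bigendian` and AC_DEFINEs WORDS_BIGENDIAN into config.h, but it does not set a shell variable of that name, so every build ends up with HAVE_LITTLE_ENDIAN, including big-endian targets such as s390x or ppc64. Since these macros exist to drive Samba's byteorder.h, a big-endian host would presumably convert wire data the wrong way, which is a correctness problem in the code paths that parse directory replies. Use the macro's own action arguments instead: `AC_C_BIGENDIAN([AC_DEFINE(HAVE_BIG_ENDIAN, [1], [whether platform is big endian])], [AC_DEFINE(HAVE_LITTLE_ENDIAN, [1], [whether platform is little endian])])`.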
@@ -30,6 +30,7 @@ Source2: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz.asc Source3: baselibs.conf Source4: sssd.service BuildRoot: %{_tmppath}/%{name}-%{version}-build +Patch1: 0001-build-detect-endianness-at-configure-time.patch %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss @@ -285,6 +286,7 @@ Security Services Daemon (sssd). %prep %{?gpg_verify: %gpg_verify %{S:2}} %setup -q +%patch1 -p0 %build %if 0%{?suse_version} < 1210 @@ -330,7 +332,7 @@ install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"; install -d "$b/%_unitdir"; # Missing service file in 1.11.5.1 #install src/sysv/systemd/sssd.service "$b/%_unitdir/sssd.service"; -install %{S:4} "$b/%_unitdir/sssd.service"; +install -m644 %{S:4} "$b/%_unitdir/sssd.service"; rm -Rf "$b/%_initddir" %else install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd"; From 99b86b9153b19e4d339fea1c661168aee10a52971a2d2e4ff628dcd18cf97eaa Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 2 Jun 2014 05:00:11 +0000 Subject: [PATCH 48/63] Accepting request 235585 from network:ldap - Switch to libnl-3 so we can get rid of libnl-1. (forwarded request 235577 from elvigia) OBS-URL: https://build.opensuse.org/request/show/235585 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=55 --- ...ss_ldap_common.so-to-libsss_idmap.so.patch | 48 +++++++++++++++++++ ...-detect-endianness-at-configure-time.patch | 15 +++--- sssd.changes | 13 +++++ sssd.spec | 6 ++- 4 files changed, 71 insertions(+), 11 deletions(-) create mode 100644 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch diff --git a/0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch b/0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch new file mode 100644 index 0000000..b739f47 --- /dev/null +++ b/0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch 
@@ -0,0 +1,48 @@ +From 7fc27c7a3ccbb6aecb8cf4a4a5f91962028cb897 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 17 Mar 2014 09:07:56 +0100 +Subject: [PATCH] BUILD: Link libsss_ldap_common.so to libsss_idmap.so + +Library libsss_ldap.so does not directly use functions from library +libsss_idmap.so. It only call function sdap_idmap_init (from file sdap_idmap.c) +which is in library libsss_ldap_common.so + +sh-4.2$ nm -D --undefined-only /usr/lib64/sssd/libsss_ldap.so | grep idmap + U sdap_idmap_init + +On the other hand, libsss_ldap_common.so uses functions from libsss_idmap +but it was not linked to libsss_idmap.so. + +sh-4.2$ objdump -p /usr/lib64/sssd/libsss_ldap_common.so | grep idmap +sh-4.2$ echo $? +1 + +Reviewed-by: Jakub Hrozek +Reviewed-by: Simo Sorce +--- + Makefile.am | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +Index: sssd-1.11.5.1/Makefile.am +=================================================================== +--- sssd-1.11.5.1.orig/Makefile.am ++++ sssd-1.11.5.1/Makefile.am +@@ -1618,6 +1618,8 @@ libsss_ldap_common_la_SOURCES = \ + src/providers/ldap/sdap_dyndns.c \ + src/providers/ldap/sdap_refresh.c \ + src/providers/ldap/sdap.c ++libsss_ldap_common_la_LIBADD = \ ++ libsss_idmap.la + libsss_ldap_common_la_LDFLAGS = \ + -avoid-version + +@@ -1675,8 +1677,7 @@ libsss_ldap_la_LIBADD = \ + $(OPENLDAP_LIBS) \ + $(DHASH_LIBS) \ + $(KRB5_LIBS) \ +- libsss_ldap_common.la \ +- libsss_idmap.la ++ libsss_ldap_common.la + libsss_ldap_la_LDFLAGS = \ + -avoid-version \ + -module diff --git a/0001-build-detect-endianness-at-configure-time.patch b/0001-build-detect-endianness-at-configure-time.patch index 6b37a3c..86c37fd 100644 --- a/0001-build-detect-endianness-at-configure-time.patch +++ b/0001-build-detect-endianness-at-configure-time.patch @@ -8,14 +8,14 @@ Samba. See Samba's byteorder.h header for an example. 
Signed-off-by: David Disseldorp --- - configure.ac | 7 +++++++ + configure.ac | 7 +++++++ 1 file changed, 7 insertions(+) -diff --git configure.ac configure.ac -index eb7e376..3ed8e69 100644 ---- configure.ac -+++ configure.ac -@@ -309,6 +309,13 @@ AM_CHECK_CMOCKA +Index: sssd-1.11.5.1/configure.ac +=================================================================== +--- sssd-1.11.5.1.orig/configure.ac ++++ sssd-1.11.5.1/configure.ac +@@ -301,6 +301,13 @@ AM_CHECK_CMOCKA AM_CONDITIONAL([HAVE_DEVSHM], [test -d /dev/shm]) @@ -29,6 +29,3 @@ index eb7e376..3ed8e69 100644 abs_build_dir=`pwd` AC_DEFINE_UNQUOTED([ABS_BUILD_DIR], ["$abs_build_dir"], [Absolute path to the build directory]) AC_SUBST([abs_builddir], $abs_build_dir) --- -1.8.4.5 - diff --git a/sssd.changes b/sssd.changes index c116e68..d4077e6 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Tue May 27 16:56:42 UTC 2014 - crrodriguez@opensuse.org + +- Switch to libnl-3 so we can get rid of libnl-1. + +------------------------------------------------------------------- +Sat May 24 14:36:43 UTC 2014 - jengelh@inai.de + +- Redo 0001-build-detect-endianness-at-configure-time.patch to be -p1 +- Add 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch + to resolve runtime loading problems + (http://lists.opensuse.org/opensuse-factory/2014-05/msg00181.html ) + ------------------------------------------------------------------- Tue May 13 11:11:59 UTC 2014 - varkoly@suse.com diff --git a/sssd.spec b/sssd.spec index df67553..5d1fa88 100644 --- a/sssd.spec +++ b/sssd.spec @@ -31,6 +31,7 @@ Source3: baselibs.conf Source4: sssd.service BuildRoot: %{_tmppath}/%{name}-%{version}-build Patch1: 0001-build-detect-endianness-at-configure-time.patch +Patch2: 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss 
@@ -60,7 +61,8 @@ BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(ini_config) >= 0.6.1 BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(libcares) -BuildRequires: pkgconfig(libnl-1) >= 1.1 +BuildRequires: pkgconfig(libnl-3.0) >= 3.0 +BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libpcre) >= 7 BuildRequires: pkgconfig(ndr_nbt) BuildRequires: pkgconfig(openssl) @@ -286,7 +288,7 @@ Security Services Daemon (sssd). %prep %{?gpg_verify: %gpg_verify %{S:2}} %setup -q -%patch1 -p0 +%patch -P 1 -P 2 -p1 %build %if 0%{?suse_version} < 1210 From c59e17f4118f1bc259fb911d3509b7a56c3fde61c97ce88616506d1c205d103a Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Wed, 25 Jun 2014 04:58:07 +0000 Subject: [PATCH 49/63] Accepting request 238107 from network:ldap - fix %postun to not erroneously remove sss pam module OBS-URL: https://build.opensuse.org/request/show/238107 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=56 --- sssd.changes | 5 +++++ sssd.spec | 7 ++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/sssd.changes b/sssd.changes index d4077e6..29ced7e 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jun 12 14:18:30 UTC 2014 - ckornacker@suse.com + +- fix %postun to not erroneously remove sss pam module + ------------------------------------------------------------------- Tue May 27 16:56:42 UTC 2014 - crrodriguez@opensuse.org diff --git a/sssd.spec b/sssd.spec index 5d1fa88..250c0c3 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -29,6 +29,7 @@ Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz Source2: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz.asc Source3: baselibs.conf Source4: sssd.service +Source5: %name.keyring BuildRoot: %{_tmppath}/%{name}-%{version}-build Patch1: 0001-build-detect-endianness-at-configure-time.patch Patch2: 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch @@ -371,13 +372,13 @@ rm -Rf "$b/usr/share/locale"/{fa_IR,ja_JP,lt_LT,ta_IN,vi_VN} %endif %postun +if [ "$1" == "0" ]; then + "%_sbindir/pam-config" -d --sss || :; +fi; /sbin/ldconfig %if 0%{?_unitdir:1} %service_del_postun sssd.service %endif -if [ "$1" == "0" ]; then - "%_sbindir/pam-config" -d --sss || :; -fi; %post -n libipa_hbac0 -p /sbin/ldconfig %postun -n libipa_hbac0 -p /sbin/ldconfig From f76d88302c9df7d5a08f564793c86b06dde21618e9bb5e7e89c48ceae7e0d91b Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Fri, 15 Aug 2014 07:58:17 +0000 Subject: [PATCH 50/63] Accepting request 244504 from network:ldap - Update to new upstream release 1.12.0 OBS-URL: https://build.opensuse.org/request/show/244504 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=57 --- ...ss_ldap_common.so-to-libsss_idmap.so.patch | 48 --------- sssd-1.11.5.1.tar.gz | 3 - sssd-1.11.5.1.tar.gz.asc | 7 -- sssd-1.12.0.tar.gz | 3 + sssd-1.12.0.tar.gz.asc | 7 ++ sssd.changes | 32 ++++++ sssd.spec | 100 +++++++++++++++--- 7 files changed, 128 insertions(+), 72 deletions(-) delete mode 100644 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch delete mode 100644 sssd-1.11.5.1.tar.gz delete mode 100644 sssd-1.11.5.1.tar.gz.asc create mode 100644 sssd-1.12.0.tar.gz create mode 100644 sssd-1.12.0.tar.gz.asc diff --git a/0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch b/0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch deleted file mode 100644 index b739f47..0000000 
--- a/0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 7fc27c7a3ccbb6aecb8cf4a4a5f91962028cb897 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 17 Mar 2014 09:07:56 +0100 -Subject: [PATCH] BUILD: Link libsss_ldap_common.so to libsss_idmap.so - -Library libsss_ldap.so does not directly use functions from library -libsss_idmap.so. It only call function sdap_idmap_init (from file sdap_idmap.c) -which is in library libsss_ldap_common.so - -sh-4.2$ nm -D --undefined-only /usr/lib64/sssd/libsss_ldap.so | grep idmap - U sdap_idmap_init - -On the other hand, libsss_ldap_common.so uses functions from libsss_idmap -but it was not linked to libsss_idmap.so. - -sh-4.2$ objdump -p /usr/lib64/sssd/libsss_ldap_common.so | grep idmap -sh-4.2$ echo $? -1 - -Reviewed-by: Jakub Hrozek -Reviewed-by: Simo Sorce ---- - Makefile.am | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -Index: sssd-1.11.5.1/Makefile.am -=================================================================== ---- sssd-1.11.5.1.orig/Makefile.am -+++ sssd-1.11.5.1/Makefile.am -@@ -1618,6 +1618,8 @@ libsss_ldap_common_la_SOURCES = \ - src/providers/ldap/sdap_dyndns.c \ - src/providers/ldap/sdap_refresh.c \ - src/providers/ldap/sdap.c -+libsss_ldap_common_la_LIBADD = \ -+ libsss_idmap.la - libsss_ldap_common_la_LDFLAGS = \ - -avoid-version - -@@ -1675,8 +1677,7 @@ libsss_ldap_la_LIBADD = \ - $(OPENLDAP_LIBS) \ - $(DHASH_LIBS) \ - $(KRB5_LIBS) \ -- libsss_ldap_common.la \ -- libsss_idmap.la -+ libsss_ldap_common.la - libsss_ldap_la_LDFLAGS = \ - -avoid-version \ - -module diff --git a/sssd-1.11.5.1.tar.gz b/sssd-1.11.5.1.tar.gz deleted file mode 100644 index f6e93f2..0000000 --- a/sssd-1.11.5.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5bf0d564de5193df0fc28df5e156109b32a7a66bc68f0366e06c00bcd68fea1b -size 3511029 
diff --git a/sssd-1.11.5.1.tar.gz.asc b/sssd-1.11.5.1.tar.gz.asc deleted file mode 100644 index f6b8a73..0000000 --- a/sssd-1.11.5.1.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlNIGEUACgkQHsardTLnvCU6hwCg0pveLQy2nicOicGbNg1d7ANp -4PEAn0v0uCRsJLsuANezjLMM2C/uaf6Z -=HFIZ ------END PGP SIGNATURE----- diff --git a/sssd-1.12.0.tar.gz b/sssd-1.12.0.tar.gz new file mode 100644 index 0000000..347fd26 --- /dev/null +++ b/sssd-1.12.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d536471fbc4d4b9948adfb751b7a9df3405ddfbc58274d73adc0c997c91c6472 +size 3968855 diff --git a/sssd-1.12.0.tar.gz.asc b/sssd-1.12.0.tar.gz.asc new file mode 100644 index 0000000..91c9957 --- /dev/null +++ b/sssd-1.12.0.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlO9gK0ACgkQHsardTLnvCVxmACg1tRelGxCTMeHLjDkHAonfQzG +bz4AoL7RQa1oHlGtazWSzoMrambqy621 +=noRD +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 29ced7e..a851ea6 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,35 @@ +------------------------------------------------------------------- +Sun Aug 10 12:20:50 UTC 2014 - jengelh@inai.de + +- Update to new upstream release 1.12.0 +* A new responder, called InfoPipe was added. This responder + provides a public D-Bus interface accessible over the system bus. + In this release, methods for retrieving user attributes and list + of groups were added as well as objects representing SSSD domains + and processes. (The next 1.12.x releases will publish objects + representing users and groups, too.) +* SSSD provides an ID-mapping plugin for cifs-utils so that Windows + SIDs can be mapped onto POSIX IDs and/or names without requiring + Winbind and using the same code as the SSSD uses for identity + information. +* First phase of Group Policy-based access control for the AD + provider was added. At the moment, the gpo-ldap component that + downloads the list of GPOs that apply for the specific client has + been implemented as well as the gpo-smb component that retrieves + the group policy files and determines the access control check + results based on those files. Future improvements will focus on + storing the GPO policies as local files and mapping the Windows + logon rights onto Linux PAM services. +* Added a new library called sss_sifp that provides a simple + synchronous API for communication with our new InfoPipe responder + over the system bus. +- Remove 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch + (merged upstream) +- Provide "rcsssd" in systemd environments +- Ensure sssd is always startable by removing /var/lib/sss/db/*.ldb + on package installation so as to avoid potentially cache + format incompatibility which would cause sssd to exit + ------------------------------------------------------------------- Thu Jun 12 14:18:30 UTC 2014 - ckornacker@suse.com diff --git a/sssd.spec b/sssd.spec index 250c0c3..e4b7be0 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -17,7 +17,7 @@ Name: sssd -Version: 1.11.5.1 +Version: 1.12.0 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ @@ -32,7 +32,6 @@ Source4: sssd.service Source5: %name.keyring BuildRoot: %{_tmppath}/%{name}-%{version}-build Patch1: 0001-build-detect-endianness-at-configure-time.patch -Patch2: 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss @@ -49,17 +48,20 @@ Patch2: 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils +BuildRequires: cifs-utils-devel BuildRequires: cyrus-sasl-devel BuildRequires: docbook-xsl-stylesheets BuildRequires: krb5-devel +BuildRequires: libsmbclient-devel BuildRequires: libtool BuildRequires: pkgconfig >= 0.21 %if 0%{?suse_version} >= 1210 +BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(collection) >= 0.5.1 BuildRequires: pkgconfig(dbus-1) >= 1.0.0 BuildRequires: pkgconfig(dhash) >= 0.4.2 BuildRequires: pkgconfig(glib-2.0) -BuildRequires: pkgconfig(ini_config) >= 0.6.1 +BuildRequires: pkgconfig(ini_config) >= 1.1.0 BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 @@ -73,12 +75,13 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) %else +BuildRequires: augeas-devel BuildRequires: dbus-1-devel >= 1.0.0 BuildRequires: glib2-devel BuildRequires: libcares-devel BuildRequires: libcollection-devel >= 0.5.1 BuildRequires: libdhash-devel >= 0.4.2 -BuildRequires: libini_config-devel >= 0.6.1 +BuildRequires: libini_config-devel >= 1.1.0 BuildRequires: libldb-devel >= 0.9.2 BuildRequires: libnl-devel >= 1.1 BuildRequires: libopenssl-devel 
@@ -103,12 +106,10 @@ BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config %if %suse_version >= 1210 -BuildRequires: systemd +BuildRequires: systemd-rpm-macros +BuildRequires: pkgconfig(libsystemd-login) %{?systemd_requires} %endif -%if %suse_version >= 1230 -BuildRequires: gpg-offline -%endif Requires: sssd-ldap = %version-%release Requires(postun): pam-config @@ -130,6 +131,16 @@ Provides the Active Directory back end that the SSSD can utilize to fetch identity data from and authenticate against an Active Directory server. +%package dbus +Summary: The D-Bus responder of sssd +License: GPL-3.0+ +Group: System/Base +Requires: %name = %version + +%description dbus +Provides the D-Bus responder of sssd, called InfoPipe, which allows +information from sssd to be transmitted over the system bus. + %package ipa Summary: FreeIPA backend plugin for sssd License: GPL-3.0+ @@ -244,6 +255,26 @@ Requires: libsss_nss_idmap0 = %version %description -n libsss_nss_idmap-devel A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. +%package -n libsss_simpleifp0 +Summary: The SSSD D-Bus responder helper library +License: GPL-3.0+ +Group: System/Libraries + +%description -n libsss_simpleifp0 +This subpackage provides a library that simplifies the D-Bus API for +the SSSD InfoPipe responder. + +%package -n libsss_simpleifp-devel +Summary: Development files for the SSSD D-Bus responder helper library +License: GPL-3.0+ +Group: Development/Libraries/C and C++ +Requires: libsss_simpleifp0 = %version + +%description -n libsss_simpleifp-devel +This subpackage provides the development files for sssd's simpleifp, +a library that simplifies the D-Bus API for the SSSD InfoPipe +responder. + %package -n libsss_sudo Summary: A library to allow communication between sudo and SSSD License: LGPL-3.0+ 
@@ -287,9 +318,8 @@ Provide python module to access and manage configuration of the System Security Services Daemon (sssd). %prep -%{?gpg_verify: %gpg_verify %{S:2}} %setup -q -%patch -P 1 -P 2 -p1 +%patch -P 1 -p1 %build %if 0%{?suse_version} < 1210 @@ -337,6 +367,7 @@ install -d "$b/%_unitdir"; #install src/sysv/systemd/sssd.service "$b/%_unitdir/sssd.service"; install -m644 %{S:4} "$b/%_unitdir/sssd.service"; rm -Rf "$b/%_initddir" +ln -s service "$b/%_sbindir/rcsssd" %else install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd"; ln -sf ../../etc/init.d/sssd "$b/usr/sbin/rcsssd" @@ -350,6 +381,8 @@ find "$b" -type f -name "*.la" -delete; rm -Rf "$b/usr/share/locale"/{fa_IR,ja_JP,lt_LT,ta_IN,vi_VN} %endif +rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1" + %find_lang %name --all-name %if 0%{?_unitdir:1} @@ -360,7 +393,6 @@ rm -Rf "$b/usr/share/locale"/{fa_IR,ja_JP,lt_LT,ta_IN,vi_VN} %post # migrate config variable krb5_kdcip to krb5_server (bnc#851048) /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf - /sbin/ldconfig %if 0%{?_unitdir:1} %service_add_post sssd.service @@ -377,8 +409,15 @@ if [ "$1" == "0" ]; then fi; /sbin/ldconfig %if 0%{?_unitdir:1} +# Clear caches, which may have an incompatible format afterwards +# (especially, downgrades) +rm -f /var/lib/sss/db/*.ldb +# del_postun includes a try-restart %service_del_postun sssd.service +%else +%restart_on_update sssd %endif +%insserv_cleanup %post -n libipa_hbac0 -p /sbin/ldconfig %postun -n libipa_hbac0 -p /sbin/ldconfig @@ -386,6 +425,8 @@ fi; %postun -n libsss_idmap0 -p /sbin/ldconfig %post -n libsss_nss_idmap0 -p /sbin/ldconfig %postun -n libsss_nss_idmap0 -p /sbin/ldconfig +%post -n libsss_simpleifp0 -p /sbin/ldconfig +%postun -n libsss_simpleifp0 -p /sbin/ldconfig %files -f sssd.lang %defattr(-,root,root) 
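Review bot: Source verification is dropped here without a replacement: the `%prep` hunk removes `%{?gpg_verify: %gpg_verify %{S:2}}` and the `@@ -103,12 +106,10 @@` hunk on the previous line removes the `BuildRequires: gpg-offline` block, yet `Source2: …sssd-%version.tar.gz.asc` and `Source5: %name.keyring` stay in the spec, so the detached signature and the keyring are carried along but nothing checks the 1.12.0 tarball against them. For the package that implements system login and credential caching that is a supply-chain regression, and the changelog hunk gives no reason for it. If the intent is to rely on the Build Service's source validator, which as far as I recall checks `.asc` files against a shipped keyring when one is present, record that in a comment next to `Source5`; otherwise keep the old conditional lines, `%{?gpg_verify: %gpg_verify %{S:2}}` in `%prep` together with the `%if %suse_version >= 1230` / `BuildRequires: gpg-offline` / `%endif` block.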
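Review bot: The `@@ -350,6 +381,8 @@` hunk deletes `$b/%_sysconfdir/dbus-1` and `$b/%_datadir/dbus-1` from the buildroot, i.e. the system-bus policy and activation file for `org.freedesktop.sssd.infopipe`, while the new `sssd-dbus` subpackage still ships `%_libexecdir/sssd/sssd_ifp` (its `%files dbus` list on the next line carries the two paths commented out). The system bus denies ownership of a well-known name unless a policy under `system.d` grants it, so without that file the responder most likely cannot claim its name, and the policy is also where upstream restricts which callers may reach the interface — a locally improvised replacement would not carry those restrictions. Either package the files or do not ship the responder: drop the `rm -Rf` line and replace the two commented entries with `%config %_sysconfdir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf` and `%_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service`. The `%files dbus` section lies outside this hunk.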
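Review bot: `rm -f /var/lib/sss/db/*.ldb` in `%postun` is not gated on anything, so every upgrade (and every erase, where it is harmless) wipes the whole sysdb cache just before `%service_del_postun` restarts the daemon. That cache presumably holds the identity data and, with `cache_credentials` enabled, the hashed credentials that allow logins while the directory server is unreachable — the spec does not show its contents — so a machine upgraded while offline would lose domain logins until it reconnects, and the comment's own justification ("especially, downgrades") covers only one direction. The path is also hard-coded although the spec defines `%dbpath` (used for the `%attr(700,root,root) %dir %dbpath/` entry below), and the removal sits only in the systemd branch of the `%if` although the format argument applies to the sysvinit branch as well. As far as I know SSSD migrates an older sysdb itself at start-up, so restrict the wipe to the case it cannot handle, a downgrade, detected in `%pre` where the previous version is still queryable:
```spec
%pre
# SSSD upgrades an older sysdb itself on start-up; only a downgrade leaves a
# cache the daemon cannot read, so wipe it only then ($1 > 1 means an upgrade).
if [ "$1" -gt 1 ]; then
    old="$(rpm -q --qf '%%{VERSION}' %name 2>/dev/null || :)"
    if [ -n "$old" ] && [ "$(printf '%%s\n' "$old" %version | sort -V | head -n1)" != "$old" ]; then
        rm -f %dbpath/*.ldb
    fi
fi
# … unchanged: %post, and %postun without the rm -f line …
```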
@@ -394,10 +435,10 @@ fi; %_unitdir %else %_initrddir/%name -%_sbindir/rcsssd %endif %_bindir/sss_ssh_* %_sbindir/sssd +%_sbindir/rcsssd %dir %_mandir/??/ %dir %_mandir/??/man?/ %_mandir/??/man1/sss_ssh_* @@ -420,7 +461,13 @@ fi; %dir %_libdir/ldb/ %_libdir/ldb/memberof.so %dir %_libexecdir/%name/ -%_libexecdir/%name/sssd_* +%_libexecdir/%name/sssd_autofs +%_libexecdir/%name/sssd_be +%_libexecdir/%name/sssd_nss +%_libexecdir/%name/sssd_pam +%_libexecdir/%name/sssd_ssh +%_libexecdir/%name/sssd_sudo +%_libexecdir/%name/sss_signal %dir %sssdstatedir %attr(700,root,root) %dir %dbpath/ %attr(755,root,root) %dir %pipepath/ @@ -439,7 +486,8 @@ fi; # /%_lib/libnss_sss.so.2 /%_lib/security/pam_sss.so -%_libdir/krb5/plugins/libkrb5/* +%_libdir/cifs-utils/ +%_libdir/krb5/ %_mandir/??/man8/pam_sss.8* %_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/man8/pam_sss.8* @@ -449,6 +497,9 @@ fi; %defattr(-,root,root) %dir %_libdir/%name/ %_libdir/%name/libsss_ad.so +%_libdir/%name/libsss_ad_common.so +%dir %_libexecdir/%name/ +%_libexecdir/%name/gpo_child %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-ad.conf @@ -456,6 +507,17 @@ fi; %_mandir/man5/sssd-ad.5* %_mandir/??/man5/sssd-ad.5* +%files dbus +%defattr(-,root,root) +%dir %_libexecdir/sssd/ +%_libexecdir/sssd/sssd_ifp +%dir %_libdir/sssd/ +%_libdir/sssd/libsss_config.so +%_mandir/man5/sssd-ifp.5* +%_mandir/??/man5/sssd-ifp.5* +#%_sysconfdir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +#%_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service + %files ipa %defattr(-,root,root) %dir %_libdir/%name/ 
@@ -554,6 +616,16 @@ fi; %_libdir/libsss_nss_idmap.so %_libdir/pkgconfig/sss_nss_idmap.pc +%files -n libsss_simpleifp0 +%defattr(-,root,root) +%_libdir/libsss_simpleifp.so.0* + +%files -n libsss_simpleifp-devel +%defattr(-,root,root) +%_includedir/sss_sifp*.h +%_libdir/libsss_simpleifp.so +%_libdir/pkgconfig/sss_simpleifp.pc + %files -n libsss_sudo %defattr(-,root,root) %_libdir/libsss_sudo.so From b328f85795e30f233e55e8eff06014ad68d2d46023d8cff944f6f1e40a10b5b2 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 25 Aug 2014 09:54:26 +0000 Subject: [PATCH 51/63] Accepting request 245814 from network:ldap - The utility sss_obfuscate uses the Python module pysss, so add a dependency on python-sssd-config to sssd-tools (bnc#890242) (forwarded request 245784 from leonardocf) OBS-URL: https://build.opensuse.org/request/show/245814 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=58 --- sssd.changes | 6 ++++++ sssd.spec | 1 + 2 files changed, 7 insertions(+) diff --git a/sssd.changes b/sssd.changes index a851ea6..74e55c9 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Aug 22 15:44:14 UTC 2014 - lchiquitto@suse.com + +- The utility sss_obfuscate uses the Python module pysss, so add a + dependency on python-sssd-config to sssd-tools (bnc#890242) + ------------------------------------------------------------------- Sun Aug 10 12:20:50 UTC 2014 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index e4b7be0..70bbf35 100644 --- a/sssd.spec +++ b/sssd.spec @@ -196,6 +196,7 @@ and/or PAM modules to leverage SSSD caching. Summary: Commandline tools for sssd License: GPL-3.0+ and LGPL-3.0+ Group: System/Management +Requires: python-sssd-config = %version Requires: sssd = %version %description tools From e3f749a9348094a6d3ef4c2757945761db145d4f214aeedd7f9f8c767a20ce41 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Tue, 4 Nov 2014 16:27:34 +0000 Subject: [PATCH 52/63] Accepting request 259244 from network:ldap - Update to new upstream release 1.12.2 (bugfix release, bnc#900159) * Fixed a regression where the IPA provider did not fetch User Private Groups correctly * An important bug in the GPO access control which resulted in a wrong principal being used, was fixed. * Several new options are available for deployments that need to restrict a certain PAM service from connecting to a certain SSSD domain. For more details, see the description of pam_trusted_users and pam_public_domains options in the sssd.conf(5) man page and the domains option in the pam_sss(8) man page. * When SSSD is acting as an IPA client in setup with trusted AD domains, it is able to return group members or full group memberships for users from trusted AD domains. * Support for the "views" feature of IPA. - Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch (merged upstream) - Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch to workaround bad autoconf invocation - 0001-build-detect-endianness-at-configure-time.patch Correct defective endianness test. - Update to new upstream release 1.12.1 * The GPO access control was further enhanced to allow the access control decisions while offline and map the Windows logon rights onto Linux PAM services. * The SSSD now ships a plugin for the rpc.idmapd daemon, sss_rpcidmapd(5). 
OBS-URL: https://build.opensuse.org/request/show/259244 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=60 --- ...-detect-endianness-at-configure-time.patch | 16 +- sssd-1.12.0.tar.gz | 3 - sssd-1.12.0.tar.gz.asc | 7 - sssd-1.12.2.tar.gz | 3 + sssd-1.12.2.tar.gz.asc | 7 + sssd.changes | 64 ++++++++ sssd.spec | 142 +++++++++++------- 7 files changed, 169 insertions(+), 73 deletions(-) delete mode 100644 sssd-1.12.0.tar.gz delete mode 100644 sssd-1.12.0.tar.gz.asc create mode 100644 sssd-1.12.2.tar.gz create mode 100644 sssd-1.12.2.tar.gz.asc diff --git a/0001-build-detect-endianness-at-configure-time.patch b/0001-build-detect-endianness-at-configure-time.patch index 86c37fd..1a8da77 100644 --- a/0001-build-detect-endianness-at-configure-time.patch +++ b/0001-build-detect-endianness-at-configure-time.patch @@ -11,20 +11,14 @@ Signed-off-by: David Disseldorp configure.ac | 7 +++++++ 1 file changed, 7 insertions(+) -Index: sssd-1.11.5.1/configure.ac -=================================================================== ---- sssd-1.11.5.1.orig/configure.ac -+++ sssd-1.11.5.1/configure.ac -@@ -301,6 +301,13 @@ AM_CHECK_CMOCKA +--- sssd-1.12.1.orig/configure.ac ++++ sssd-1.12.1/configure.ac +@@ -322,6 +322,9 @@ AM_CHECK_CMOCKA AM_CONDITIONAL([HAVE_DEVSHM], [test -d /dev/shm]) -+AC_C_BIGENDIAN -+if test x$WORDS_BIGENDIAN != x; then -+ AC_DEFINE(HAVE_BIG_ENDIAN, 1, [whether platform is big endian]) -+else -+ AC_DEFINE(HAVE_LITTLE_ENDIAN, 1, [whether platform is little endian]) -+fi ++AC_C_BIGENDIAN([AC_DEFINE(HAVE_BIG_ENDIAN, [1], [whether platform is big endian])], ++ [AC_DEFINE(HAVE_LITTLE_ENDIAN, [1], [whether platform is little endian])]) + abs_build_dir=`pwd` AC_DEFINE_UNQUOTED([ABS_BUILD_DIR], ["$abs_build_dir"], [Absolute path to the build directory]) diff --git a/sssd-1.12.0.tar.gz b/sssd-1.12.0.tar.gz deleted file mode 100644 index 347fd26..0000000 --- a/sssd-1.12.0.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d536471fbc4d4b9948adfb751b7a9df3405ddfbc58274d73adc0c997c91c6472 -size 3968855 diff --git a/sssd-1.12.0.tar.gz.asc b/sssd-1.12.0.tar.gz.asc deleted file mode 100644 index 91c9957..0000000 --- a/sssd-1.12.0.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlO9gK0ACgkQHsardTLnvCVxmACg1tRelGxCTMeHLjDkHAonfQzG -bz4AoL7RQa1oHlGtazWSzoMrambqy621 -=noRD ------END PGP SIGNATURE----- diff --git a/sssd-1.12.2.tar.gz b/sssd-1.12.2.tar.gz new file mode 100644 index 0000000..e2d6d31 --- /dev/null +++ b/sssd-1.12.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:55a06a191b2e2506b23f80cf3d15f58b8d94d1f5a1bc5dc77ccf010c0eaafa5d +size 4149084 diff --git a/sssd-1.12.2.tar.gz.asc b/sssd-1.12.2.tar.gz.asc new file mode 100644 index 0000000..0af3ab6 --- /dev/null +++ b/sssd-1.12.2.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlRFH8kACgkQHsardTLnvCXMOACeKY1jciw1hTsvG/aOYK3h0+N1 +1/QAniL6o+Rhb0HReZPsMGYlQv41MI2C +=chdM +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 74e55c9..c3de741 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,67 @@ +------------------------------------------------------------------- +Thu Oct 30 12:22:06 UTC 2014 - jengelh@inai.de + +- Update to new upstream release 1.12.2 (bugfix release, bnc#900159) +* Fixed a regression where the IPA provider did not fetch User + Private Groups correctly +* An important bug in the GPO access control which resulted in a + wrong principal being used, was fixed. +* Several new options are available for deployments that need to + restrict a certain PAM service from connecting to a certain SSSD + domain. For more details, see the description of + pam_trusted_users and pam_public_domains options in the + sssd.conf(5) man page and the domains option in the pam_sss(8) + man page. +* When SSSD is acting as an IPA client in setup with trusted AD + domains, it is able to return group members or full group + memberships for users from trusted AD domains. +* Support for the "views" feature of IPA. +- Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch + (merged upstream) + +------------------------------------------------------------------- +Sat Oct 11 13:36:48 UTC 2014 - jengelh@inai.de + +- Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch + to workaround bad autoconf invocation + +------------------------------------------------------------------- +Sat Oct 11 00:16:15 UTC 2014 - crrodriguez@opensuse.org + +- 0001-build-detect-endianness-at-configure-time.patch + Correct defective endianness test. + +------------------------------------------------------------------- +Mon Oct 6 13:25:23 UTC 2014 - jengelh@inai.de + +- Update to new upstream release 1.12.1 +* The GPO access control was further enhanced to allow the access + control decisions while offline and map the Windows logon + rights onto Linux PAM services. +* The SSSD now ships a plugin for the rpc.idmapd daemon, + sss_rpcidmapd(5). +* A MIT Kerberos localauth plugin was added to SSSD. 
This plugin + helps translating principals to user names in IPA-AD trust + scenarios, allowing the krb5.conf configuration to be less + complex. +* A libwbclient plugin implementation is now part of the SSSD. + The main purpose is to map Active Directory users and groups + identified by their SID to POSIX users and groups for the + file-server use-case. +* Active Directory users ca nnow use their User Logon Name to log + in. +* The sss_cache tool was enhanced to allow invalidating the SSH + host keys. +* Groups without full POSIX information can now be used to enroll + group membership (CVE-2014-0249). +* Detection of transition from offline to online state was + improved, resulting in fewer timeouts when SSSD is offline. +* The Active Directory provider now correctly detects Windows + Server 2012 R2. Previous versions would fall back to the slower + non-AD path with 2012 R2. +* Several other bugs related to deployments where SSSD is acting + as an AD client were fixed. + ------------------------------------------------------------------- Fri Aug 22 15:44:14 UTC 2014 - lchiquitto@suse.com diff --git a/sssd.spec b/sssd.spec index 70bbf35..8b1510a 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.12.0 +Version: 1.12.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ 
@@ -39,23 +39,29 @@ Patch1: 0001-build-detect-endianness-at-configure-time.patch %define pipepath %sssdstatedir/pipes %define pubconfpath %sssdstatedir/pubconf -%if %suse_version <= 1110 -# SLES11 doesn't know the python_* macros -%define python_sitelib %py_sitedir -%define python_sitearch %py_sitedir -%endif - BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils BuildRequires: cifs-utils-devel BuildRequires: cyrus-sasl-devel BuildRequires: docbook-xsl-stylesheets +%if 0%{?suse_version} >= 1320 +BuildRequires: krb5-devel >= 1.12 +%define have_localauth 1 +%else BuildRequires: krb5-devel +%define have_localauth 0 +%endif BuildRequires: libsmbclient-devel BuildRequires: libtool +BuildRequires: libxml2-tools +BuildRequires: libxslt-tools +BuildRequires: nscd +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: pkg-config BuildRequires: pkgconfig >= 0.21 -%if 0%{?suse_version} >= 1210 +BuildRequires: systemd-rpm-macros BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(collection) >= 0.5.1 BuildRequires: pkgconfig(dbus-1) >= 1.0.0 
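Review bot: `BuildRequires: pkg-config` is added a few lines above the existing `BuildRequires: pkgconfig >= 0.21`, which already pulls in the same tool (on openSUSE the pkg-config package presumably provides `pkgconfig`); keep the versioned line and drop the bare `pkg-config` one. The new `%if 0%{?suse_version} >= 1320` block sets `have_localauth` on both arms, which is correct, but the macro is only consumed by a `%files` entry much later in the spec, so a one-line comment at the definition, `# have_localauth: build the krb5 localauth plugin, needs krb5-devel >= 1.12`, would save the reader the search.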
@@ -64,54 +70,22 @@ BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(ini_config) >= 1.1.0 BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(libcares) +BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libpcre) >= 7 +BuildRequires: pkgconfig(libsystemd-login) BuildRequires: pkgconfig(ndr_nbt) -BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(popt) BuildRequires: pkgconfig(python) BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) -%else -BuildRequires: augeas-devel -BuildRequires: dbus-1-devel >= 1.0.0 -BuildRequires: glib2-devel -BuildRequires: libcares-devel -BuildRequires: libcollection-devel >= 0.5.1 -BuildRequires: libdhash-devel >= 0.4.2 -BuildRequires: libini_config-devel >= 1.1.0 -BuildRequires: libldb-devel >= 0.9.2 -BuildRequires: libnl-devel >= 1.1 -BuildRequires: libopenssl-devel -BuildRequires: libtalloc-devel -BuildRequires: libtdb-devel >= 1.1.3 -BuildRequires: libtevent-devel -BuildRequires: pcre-devel >= 7 -BuildRequires: popt-devel -BuildRequires: python-devel -BuildRequires: samba-devel >= 4 -%endif -BuildRequires: samba-libs >= 4 -%if 0%{?suse_version} >= 1220 -BuildRequires: libxml2-tools -BuildRequires: libxslt-tools -%else -BuildRequires: libxml2 -BuildRequires: libxslt -%endif -BuildRequires: nscd -BuildRequires: openldap2-devel -BuildRequires: pam-devel -BuildRequires: pkg-config -%if %suse_version >= 1210 -BuildRequires: systemd-rpm-macros -BuildRequires: pkgconfig(libsystemd-login) %{?systemd_requires} -%endif Requires: sssd-ldap = %version-%release Requires(postun): pam-config +Provides: sssd-client = %version-%release %description Provides a set of daemons to manage access to remote directories and 
@@ -203,6 +177,32 @@ Requires: sssd = %version The packages contains commandline tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). +%package wbclient +Summary: SSSD's implementation of the Winbind pipe protocol +License: LGPL-3.0+ +Group: System/Libraries + +%description wbclient +libwbclient is a plugin for the Samba client, though it has been +implemented as a regular shared library requested via DT_NEEDED. + +sssd-wbclient implements the libwbclient API for Samba daemons and +utilities. The main purpose is to map Active Directory users and +groups identified by their SID to POSIX users and groups identified +by their POSIX UIDs and GIDs respectively. + +%package wbclient-devel +Summary: Development files for SSSD winbind +License: LGPL-3.0+ +Group: Development/Libraries/C and C++ +Requires: %name-wbclient = %version + +%description wbclient-devel +sssd-wbclient implements the libwbclient API for Samba daemons and +utilities. The main purpose is to map Active Directory users and +groups identified by their SID to POSIX users and groups identified +by their POSIX UIDs and GIDs respectively. + %package -n libipa_hbac0 Summary: FreeIPA HBAC Evaluator library License: LGPL-3.0+ @@ -222,6 +222,15 @@ Requires: libipa_hbac0 = %version Utility library to validate FreeIPA HBAC rules for authorization requests. +%package -n libnfsidmap-sss +Summary: Library to allow communication between libnfsidmap and SSSD +License: GPL-3.0+ +Group: System/Libraries +Supplements: packageand(nfsidmap:sssd-client) + +%description -n libnfsidmap-sss +A utility library to allow communication between libnfsidmap and SSSD. + %package -n libsss_idmap0 Summary: FreeIPA ID mapping library License: LGPL-3.0+ 
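Review bot: `%package wbclient` declares no `Requires:` on the daemon, although its description says the library exists to map SIDs through SSSD; if `libwbclient.so.0` answers by talking to a running sssd (the transport is not visible in this diff), a host that installs only sssd-wbclient to satisfy Samba's DT_NEEDED will see winbind calls fail at runtime with nothing pointing at the missing dependency, so `Requires: %name = %version-%release` is worth adding. The `%description wbclient` should also say plainly that, once installed, this library is substituted for Samba's own libwbclient for every consumer on the system, since that is a host-wide behaviour change an administrator choosing the package needs to know about.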
@@ -284,6 +293,7 @@ Provides: libsss_sudo-devel = %version-%release Obsoletes: libsss_sudo-devel < %version-%release # No provides: true obsolete. Obsoletes: libsss_sudo1 +Supplements: packageand(sudo:sssd-client) %description -n libsss_sudo A utility library to allow communication between sudo and SSSD. @@ -335,7 +345,7 @@ export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" # help configure find nscd export PATH="$PATH:/usr/sbin" -autoreconf -fi; +autoreconf -fiv; %configure \ --with-crypto=libcrypto \ --with-db-path="%dbpath" \ @@ -374,6 +384,10 @@ install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd"; ln -sf ../../etc/init.d/sssd "$b/usr/sbin/rcsssd" %endif +mkdir -p "$b/%_sysconfdir/ld.so.conf.d" +cat >"$b/%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf" <<-EOF + %_libdir/%name/modules +EOF find "$b" -type f -name "*.la" -delete; %if %suse_version <= 1110 @@ -441,7 +455,7 @@ rm -f /var/lib/sss/db/*.ldb %_sbindir/sssd %_sbindir/rcsssd %dir %_mandir/??/ -%dir %_mandir/??/man?/ +%dir %_mandir/??/man[158]/ %_mandir/??/man1/sss_ssh_* %_mandir/??/man5/sssd-simple.5* %_mandir/??/man5/sssd-sudo.5* @@ -458,7 +472,8 @@ rm -f /var/lib/sss/db/*.ldb %_libdir/%name/libsss_debug* %_libdir/%name/libsss_simple* %_libdir/%name/libsss_util* -%_libdir/%name/modules/ +%dir %_libdir/%name/modules/ +%_libdir/%name/modules/libsss_autofs.so %dir %_libdir/ldb/ %_libdir/ldb/memberof.so %dir %_libexecdir/%name/ @@ -489,6 +504,9 @@ rm -f /var/lib/sss/db/*.ldb /%_lib/security/pam_sss.so %_libdir/cifs-utils/ %_libdir/krb5/ +%if %have_localauth +%_libdir/%name/modules/sssd_krb5_localauth_plugin.so +%endif %_mandir/??/man8/pam_sss.8* %_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/man8/pam_sss.8* @@ -504,9 +522,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-ad.conf -%dir %_mandir/??/man5/ %_mandir/man5/sssd-ad.5* -%_mandir/??/man5/sssd-ad.5* %files dbus %defattr(-,root,root) 
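Review bot: The `cat >"$b/%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf"` heredoc puts `%_libdir/%name/modules` on the system-wide dynamic-linker search path, and on glibc the ld.so.conf.d entries are ordinarily searched ahead of the default `%_libdir`, so every process on the host resolves any soname present in that directory from there first — that is how sssd's `libwbclient.so.0` is meant to displace Samba's, but it applies equally to everything else installed under `modules/` (this commit lists `libsss_autofs.so` there and, behind `%have_localauth`, `sssd_krb5_localauth_plugin.so`). Keeping the loader-visible directory limited to the one library that is intended to be overridden, e.g. a dedicated `%_libdir/%name/wbclient/` (name chosen here for illustration) referenced from the conf file, shrinks the shadowing surface to that single soname; `ldconfig -p` after installation will confirm the precedence. The heredoc is written as `<<-EOF`, which strips leading tabs only, so if the body line is indented with spaces the generated file carries leading whitespace — ldconfig appears to tolerate that, but a tab or no indent makes the intent explicit.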
@@ -515,6 +531,8 @@ rm -f /var/lib/sss/db/*.ldb %dir %_libdir/sssd/ %_libdir/sssd/libsss_config.so %_mandir/man5/sssd-ifp.5* +%dir %_mandir/??/ +%dir %_mandir/??/man5/ %_mandir/??/man5/sssd-ifp.5* #%_sysconfdir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf #%_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service @@ -526,9 +544,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d %_datadir/%name/sssd.api.d/sssd-ipa.conf -%dir %_mandir/??/man5/ %_mandir/man5/sssd-ipa.5* -%_mandir/??/man5/sssd-ipa.5* %files krb5 %defattr(-,root,root) @@ -537,6 +553,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-krb5.conf +%dir %_mandir/??/ %dir %_mandir/??/man5/ %_mandir/man5/sssd-krb5.5* %_mandir/??/man5/sssd-krb5.5* @@ -556,9 +573,10 @@ rm -f /var/lib/sss/db/*.ldb %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-ldap.conf +%_mandir/man5/sssd-ldap.5* +%dir %_mandir/??/ %dir %_mandir/??/man5/ %_mandir/??/man5/sssd-ldap.5* -%_mandir/man5/sssd-ldap.5* %files proxy %defattr(-,root,root) @@ -587,6 +605,21 @@ rm -f /var/lib/sss/db/*.ldb %_mandir/??/man8/sss_*.8* %_mandir/man8/sss_*.8* +%files wbclient +%defattr(-,root,root) +%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf +%dir %_libdir/sssd/ +%dir %_libdir/sssd/modules/ +%_libdir/sssd/modules/libwbclient.so.* + +%files wbclient-devel +%defattr(-,root,root) +%_includedir/wbclient_sssd.h +%dir %_libdir/sssd/ +%dir %_libdir/sssd/modules/ +%_libdir/sssd/modules/libwbclient.so +%_libdir/pkgconfig/wbclient_sssd.pc + %files -n libipa_hbac0 %defattr(-,root,root) %_libdir/libipa_hbac.so.0* 
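Review bot: `%files wbclient` ships `libwbclient.so.*` in a directory that is not a default loader path together with the ld.so.conf.d file that makes it one, yet no `%post wbclient -p /sbin/ldconfig` / `%postun wbclient -p /sbin/ldconfig` pair is visible anywhere in this diff, while the spec does use `/sbin/ldconfig` scriptlets for its other libraries; unless the rest of the spec adds them, the cache is rebuilt only if some other scriptlet in the same transaction happens to run ldconfig, and otherwise the library stays unresolvable until the next ldconfig run. Add the two scriptlet lines next to `%files wbclient`. The two wbclient sections spell the directory `%_libdir/sssd/modules/` while the main package's list uses `%_libdir/%name/modules/`; pick one form so the shared `%dir` ownership is obvious.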
@@ -597,6 +630,11 @@ rm -f /var/lib/sss/db/*.ldb
 %_libdir/libipa_hbac.so
 %_libdir/pkgconfig/ipa_hbac.pc
 
+%files -n libnfsidmap-sss
+%defattr(-,root,root)
+%_libdir/libnfsidmap/
+%_mandir/man5/sss_rpcidmapd.5*
+
 %files -n libsss_idmap0
 %defattr(-,root,root)
 %_libdir/libsss_idmap.so.0*
From d4ec5aab5b6d777d4d653f4560b3932d117796fddb2e2e7844858aea22350f2a Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Wed, 17 Dec 2014 18:16:51 +0000
Subject: [PATCH 53/63] Accepting request 265318 from network:ldap

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/265318
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=61
---
 sssd.changes | 5 +++++
 sssd.spec | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/sssd.changes b/sssd.changes
index c3de741..cfbd912 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Nov 10 00:37:00 UTC 2014 - Led
+
+- fix bashism in postun script
+
 -------------------------------------------------------------------
 Thu Oct 30 12:22:06 UTC 2014 - jengelh@inai.de
 
diff --git a/sssd.spec b/sssd.spec
index 8b1510a..b332b32 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -419,7 +419,7 @@ rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1"
 %endif
 
 %postun
-if [ "$1" == "0" ]; then
+if [ "$1" = "0" ]; then
 	"%_sbindir/pam-config" -d --sss || :;
 fi;
 /sbin/ldconfig
From e374951e2cdf5cc9dfdf35f941c8aaf2b4e2417464383ac53144249b79c82564 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger Date: Sat, 10 Jan 2015 22:06:57 +0000 Subject: [PATCH 54/63] Accepting request 280513 from network:ldap - Update to new upstream release 1.12.3 OBS-URL: https://build.opensuse.org/request/show/280513 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=62 --- baselibs.conf | 6 +++--- sssd-1.12.2.tar.gz | 3 --- sssd-1.12.2.tar.gz.asc | 7 ------- sssd-1.12.3.tar.gz | 3 +++ sssd-1.12.3.tar.gz.asc | 7 +++++++ sssd.changes | 17 +++++++++++++++++ sssd.spec | 7 +++++-- 7 files changed, 35 insertions(+), 15 deletions(-) delete mode 100644 sssd-1.12.2.tar.gz delete mode 100644 sssd-1.12.2.tar.gz.asc create mode 100644 sssd-1.12.3.tar.gz create mode 100644 sssd-1.12.3.tar.gz.asc diff --git a/baselibs.conf b/baselibs.conf index 22e0a35..b125802 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,4 +1,4 @@ sssd - supplements "packageand(sssd:pam-)" - supplements "packageand(sssd:glibc-)" - -/usr/lib(64)?/* + supplements "packageand(sssd:pam-)" + supplements "packageand(sssd:glibc-)" + -/usr/lib(64)?/* diff --git a/sssd-1.12.2.tar.gz b/sssd-1.12.2.tar.gz deleted file mode 100644 index e2d6d31..0000000 --- a/sssd-1.12.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:55a06a191b2e2506b23f80cf3d15f58b8d94d1f5a1bc5dc77ccf010c0eaafa5d -size 4149084 diff --git a/sssd-1.12.2.tar.gz.asc b/sssd-1.12.2.tar.gz.asc deleted file mode 100644 index 0af3ab6..0000000 --- a/sssd-1.12.2.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlRFH8kACgkQHsardTLnvCXMOACeKY1jciw1hTsvG/aOYK3h0+N1 -1/QAniL6o+Rhb0HReZPsMGYlQv41MI2C -=chdM ------END PGP SIGNATURE----- diff --git a/sssd-1.12.3.tar.gz b/sssd-1.12.3.tar.gz new file mode 100644 index 0000000..a33a6bd --- /dev/null +++ b/sssd-1.12.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5d32c41b7964e3a49e27c8e278daff70f4e1d0171c7f641ffb4e800724cabf42 +size 4198515 
diff --git a/sssd-1.12.3.tar.gz.asc b/sssd-1.12.3.tar.gz.asc new file mode 100644 index 0000000..6718431 --- /dev/null +++ b/sssd-1.12.3.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlSuve8ACgkQHsardTLnvCWtlwCfZGbXyMTjWgYK3gBCqEaSj92y +67cAoKZZQEn1+pdNjxgZN+C1J02+2xJz +=X5Ef +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index cfbd912..41a374f 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Thu Jan 8 22:23:42 UTC 2015 - jengelh@inai.de + +- Update to new upstream release 1.12.3 +* SSSD now allows the IPA client to move from one ID view to + another after SSSD restart. +* It is possible to apply ID views to IPA domains as well. + Previous SSSD versions only allowed views to be applied to AD + trusted domains. +* Overriding SSH public keys is supported in this release. +* Move semanage related functions to a separate library. + +------------------------------------------------------------------- +Thu Jan 1 22:01:02 UTC 2015 - meissner@suse.com + +- build with PIE + ------------------------------------------------------------------- Mon Nov 10 00:37:00 UTC 2014 - Led diff --git a/sssd.spec b/sssd.spec index b332b32..8bed6ac 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # # spec file for package sssd # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: sssd -Version: 1.12.2 +Version: 1.12.3 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ 
@@ -346,6 +346,8 @@ export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" export PATH="$PATH:/usr/sbin" autoreconf -fiv; +export CFLAGS="%optflags -fPIE" +export LDFLAGS="-pie" %configure \ --with-crypto=libcrypto \ --with-db-path="%dbpath" \ @@ -470,6 +472,7 @@ rm -f /var/lib/sss/db/*.ldb %_libdir/%name/libsss_child* %_libdir/%name/libsss_crypt* %_libdir/%name/libsss_debug* +%_libdir/%name/libsss_semanage* %_libdir/%name/libsss_simple* %_libdir/%name/libsss_util* %dir %_libdir/%name/modules/ From 25d29f0bac5a05eaa946588eb7e8ac6d2c501f0d51af24f91a2e4e486dc93c13 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Sun, 22 Feb 2015 16:25:31 +0000 Subject: [PATCH 55/63] Accepting request 286742 from network:ldap (forwarded request 286738 from guohouzuo) OBS-URL: https://build.opensuse.org/request/show/286742 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=63 --- sssd-1.12.3.tar.gz | 3 --- sssd-1.12.3.tar.gz.asc | 7 ------- sssd-1.12.4.tar.gz | 3 +++ sssd-1.12.4.tar.gz.asc | 7 +++++++ sssd.changes | 27 ++++++++++++++++++++++++++ sssd.spec | 43 ++---------------------------------------- 6 files changed, 39 insertions(+), 51 deletions(-) delete mode 100644 sssd-1.12.3.tar.gz delete mode 100644 sssd-1.12.3.tar.gz.asc create mode 100644 sssd-1.12.4.tar.gz create mode 100644 sssd-1.12.4.tar.gz.asc diff --git a/sssd-1.12.3.tar.gz b/sssd-1.12.3.tar.gz deleted file mode 100644 index a33a6bd..0000000 --- a/sssd-1.12.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5d32c41b7964e3a49e27c8e278daff70f4e1d0171c7f641ffb4e800724cabf42 -size 4198515 diff --git a/sssd-1.12.3.tar.gz.asc b/sssd-1.12.3.tar.gz.asc deleted file mode 100644 index 6718431..0000000 --- a/sssd-1.12.3.tar.gz.asc +++ /dev/null 
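Review bot: `export LDFLAGS="-pie"` applies to the whole build, including the libtool links of `pam_sss.so`, the nss module and the `libsss_*` shared objects; gcc drops `-pie` when `-shared` is given and libtool recompiles shared-object sources with `-fPIC`, so this most likely does no harm, but it also means the hardening effect on the executables is assumed rather than checked. A post-build verification that `%_sbindir/sssd` is a position-independent executable (ELF type DYN in `readelf -h`, for example) would make the intent of the two exports testable. A one-line comment above them, `# build daemons as PIE (ASLR for the long-running privileged processes)`, records why the flags are added outside `%optflags`.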
@@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlSuve8ACgkQHsardTLnvCWtlwCfZGbXyMTjWgYK3gBCqEaSj92y -67cAoKZZQEn1+pdNjxgZN+C1J02+2xJz -=X5Ef ------END PGP SIGNATURE----- diff --git a/sssd-1.12.4.tar.gz b/sssd-1.12.4.tar.gz new file mode 100644 index 0000000..4396546 --- /dev/null +++ b/sssd-1.12.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ea3be3a40b20284bd3126481dd0747cd07e39d5ef7ef7026d4902d96fc3e9edf +size 4226841 diff --git a/sssd-1.12.4.tar.gz.asc b/sssd-1.12.4.tar.gz.asc new file mode 100644 index 0000000..cea6482 --- /dev/null +++ b/sssd-1.12.4.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlTk1dAACgkQHsardTLnvCWfnwCg4JrLxP6Jjm9GYlTAqQS5N5cb +ufYAniGjhC+1IBPQVJYiYiCkzjoYDpq3 +=XPd1 +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 41a374f..0add0b0 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,30 @@ +------------------------------------------------------------------- +Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com + +- Update to new upstream release 1.12.4 (Changelog highlights following) +* This is mostly a bug fixing release with only minor enhancements + visible to the end user. +* Contains many fixes and enhancements related to the ID views + functionality of FreeIPA servers. +* Several fixes related to retrieving AD group membership in an + IPA-AD trust scenario. +* Fixes a bug where the GPO access control previously didn't work + at all if debugging was enabled in smb.conf. +* SSSD can now be pinned to a particular AD site instead of + autodiscovering the site. +* A regression that caused setting the SELinux context for IPA users + to fail, was fixed. +* Fixed a potential crash caused by a double-free error when an SSSD + service was killed by the monitor process. + +------------------------------------------------------------------- +Mon Feb 16 10:09:18 UTC 2015 - howard@localhost + +- A minor rpmspec cleanup to get rid of five rpmlint warnings +* Remove mentioning of system-wide dbus configuration file from comments. +* Remove traditional init script. +* Remove compatibility for producing packages on older OpenSUSE releases. + ------------------------------------------------------------------- Thu Jan 8 22:23:42 UTC 2015 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index 8bed6ac..ac3af7f 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.12.3 +Version: 1.12.4 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ 
@@ -45,13 +45,7 @@ BuildRequires: bind-utils BuildRequires: cifs-utils-devel BuildRequires: cyrus-sasl-devel BuildRequires: docbook-xsl-stylesheets -%if 0%{?suse_version} >= 1320 BuildRequires: krb5-devel >= 1.12 -%define have_localauth 1 -%else -BuildRequires: krb5-devel -%define have_localauth 0 -%endif BuildRequires: libsmbclient-devel BuildRequires: libtool BuildRequires: libxml2-tools @@ -291,8 +285,6 @@ License: LGPL-3.0+ Group: System/Libraries Provides: libsss_sudo-devel = %version-%release Obsoletes: libsss_sudo-devel < %version-%release -# No provides: true obsolete. -Obsoletes: libsss_sudo1 Supplements: packageand(sudo:sssd-client) %description -n libsss_sudo @@ -374,17 +366,10 @@ install -d "$b/%_mandir"/{cs,cs/man8,nl,nl/man8,pt,pt/man8,uk,uk/man1} \ "$b/%_mandir"/{uk/man5,uk/man8}; install -d "$b/%_sysconfdir/sssd"; install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"; -%if 0%{?_unitdir:1} install -d "$b/%_unitdir"; -# Missing service file in 1.11.5.1 -#install src/sysv/systemd/sssd.service "$b/%_unitdir/sssd.service"; install -m644 %{S:4} "$b/%_unitdir/sssd.service"; rm -Rf "$b/%_initddir" ln -s service "$b/%_sbindir/rcsssd" -%else -install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd"; -ln -sf ../../etc/init.d/sssd "$b/usr/sbin/rcsssd" -%endif mkdir -p "$b/%_sysconfdir/ld.so.conf.d" cat >"$b/%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf" <<-EOF 
@@ -392,48 +377,32 @@ cat >"$b/%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf" <<-EOF EOF find "$b" -type f -name "*.la" -delete; -%if %suse_version <= 1110 -# remove some unsupported languages, sssd does not contain -# translations for these anyway -rm -Rf "$b/usr/share/locale"/{fa_IR,ja_JP,lt_LT,ta_IN,vi_VN} -%endif - rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1" %find_lang %name --all-name -%if 0%{?_unitdir:1} %pre %service_add_pre sssd.service -%endif %post # migrate config variable krb5_kdcip to krb5_server (bnc#851048) /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf /sbin/ldconfig -%if 0%{?_unitdir:1} %service_add_post sssd.service -%endif -%if 0%{?_unitdir:1} %preun %service_del_preun sssd.service -%endif %postun if [ "$1" = "0" ]; then "%_sbindir/pam-config" -d --sss || :; fi; /sbin/ldconfig -%if 0%{?_unitdir:1} # Clear caches, which may have an incompatible format afterwards # (especially, downgrades) rm -f /var/lib/sss/db/*.ldb # del_postun includes a try-restart %service_del_postun sssd.service -%else -%restart_on_update sssd -%endif %insserv_cleanup %post -n libipa_hbac0 -p /sbin/ldconfig @@ -448,11 +417,7 @@ rm -f /var/lib/sss/db/*.ldb %files -f sssd.lang %defattr(-,root,root) %doc COPYING -%if 0%{?_unitdir:1} %_unitdir -%else -%_initrddir/%name -%endif %_bindir/sss_ssh_* %_sbindir/sssd %_sbindir/rcsssd @@ -507,9 +472,7 @@ rm -f /var/lib/sss/db/*.ldb /%_lib/security/pam_sss.so %_libdir/cifs-utils/ %_libdir/krb5/ -%if %have_localauth %_libdir/%name/modules/sssd_krb5_localauth_plugin.so -%endif %_mandir/??/man8/pam_sss.8* %_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/man8/pam_sss.8* @@ -537,8 +500,6 @@ rm -f /var/lib/sss/db/*.ldb %dir %_mandir/??/ %dir %_mandir/??/man5/ %_mandir/??/man5/sssd-ifp.5* -#%_sysconfdir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf -#%_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service %files ipa %defattr(-,root,root) 
@@ -610,7 +571,7 @@ rm -f /var/lib/sss/db/*.ldb %files wbclient %defattr(-,root,root) -%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf +%config %_sysconfdir/ld.so.conf.d/sssd-wbclient.conf %dir %_libdir/sssd/ %dir %_libdir/sssd/modules/ %_libdir/sssd/modules/libwbclient.so.* From 9b309ac99a0a8c7832b0ea02722facdc7b0bc3c7119128a1392ba0c1df577f59 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Wed, 17 Jun 2015 14:16:06 +0000 Subject: [PATCH 56/63] Accepting request 311991 from network:ldap - Update to new upstream release 1.12.5 OBS-URL: https://build.opensuse.org/request/show/311991 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=64 --- sssd-1.12.4.tar.gz | 3 --- sssd-1.12.4.tar.gz.asc | 7 ------- sssd-1.12.5.tar.gz | 3 +++ sssd-1.12.5.tar.gz.asc | 7 +++++++ sssd.changes | 39 +++++++++++++++++++++++++++++++++++++++ sssd.spec | 4 ++-- 6 files changed, 51 insertions(+), 12 deletions(-) delete mode 100644 sssd-1.12.4.tar.gz delete mode 100644 sssd-1.12.4.tar.gz.asc create mode 100644 sssd-1.12.5.tar.gz create mode 100644 sssd-1.12.5.tar.gz.asc diff --git a/sssd-1.12.4.tar.gz b/sssd-1.12.4.tar.gz deleted file mode 100644 index 4396546..0000000 --- a/sssd-1.12.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ea3be3a40b20284bd3126481dd0747cd07e39d5ef7ef7026d4902d96fc3e9edf -size 4226841 diff --git a/sssd-1.12.4.tar.gz.asc b/sssd-1.12.4.tar.gz.asc deleted file mode 100644 index cea6482..0000000 --- a/sssd-1.12.4.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlTk1dAACgkQHsardTLnvCWfnwCg4JrLxP6Jjm9GYlTAqQS5N5cb -ufYAniGjhC+1IBPQVJYiYiCkzjoYDpq3 -=XPd1 ------END PGP SIGNATURE----- diff --git a/sssd-1.12.5.tar.gz b/sssd-1.12.5.tar.gz new file mode 100644 index 0000000..edd0deb --- /dev/null +++ b/sssd-1.12.5.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:243d8db7c72ecb21aa9db8a09fe9f9b10049dbdb35a1cc2f55e214f21e3ce256 +size 4300869 diff --git a/sssd-1.12.5.tar.gz.asc b/sssd-1.12.5.tar.gz.asc new file mode 100644 index 0000000..7841619 --- /dev/null +++ b/sssd-1.12.5.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlV6uQEACgkQHsardTLnvCWZCwCdEWMU5ry/swLp5y/DGPXp6GkH +4U4AnjTVtz1Vj1R7hyzVKKL6uqsR6kdR +=dk0K +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 0add0b0..1ff7aff 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,42 @@ +------------------------------------------------------------------- +Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com + +- Update to new upstream release 1.12.5 +* The background refresh tasks now supports refreshing users and + groups as well. See the "refresh_expired_interval" parameter in + the sssd.conf manpage. +* A new option subdomain_inherit was added. +* When an expired account attempts to log in, a configurable + error message can be displayed with sufficient pam_verbosity + setting. See the "pam_account_expired_message" option. +* OpenLDAP ppolicy can be honored even when an alternate login + method (such as SSH key) is used. See the "ldap_access_order" + option. +* A new option :krb5_map_user" was added, allowing the admin to + map UNIX usernames to Kerberos principals. +* BUG FIXES: +* Fixed AD-specific bugs that resulted in the incorrect set of + groups being displayed after the initgroups operation. +* Fixes related to the IPA ID views feature. Setups using this + should update sssd on both IPA servers and clients. +* The AD provider now handles binary GUIDs correctly. +* A bug that prevented the `ignore_group_members` parameter to be + used with the AD provider was fixed. +* The failover code now reads and honors TTL value for SRV + queries as well. +* Race condition between setting the timeout in the back ends and + reading it in the front end during initgroup operation was + fixed. This bug affected applications that perform the + initgroups(3) operation in multiple processes simultaneously. +* Setups that only want to use the domain SSSD is connected to, + but not the autodiscovered trusted domains by setting + `subdomains_provider=none` now work correctly as long as the + domain SID is set manually in the config file. +* In case only "allow" rules are used, the simple access provider + is now able to skip unresolvable groups. 
+* The GPO access control code now handles situations where user + and computer objects were in different domains. + ------------------------------------------------------------------- Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com diff --git a/sssd.spec b/sssd.spec index ac3af7f..711e847 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # # spec file for package sssd # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: sssd -Version: 1.12.4 +Version: 1.12.5 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ From bb8c0c8abd84ac7ec201eff75973685687307a5e32cd57351fab0745d79abb50 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Tue, 14 Jul 2015 15:20:15 +0000 Subject: [PATCH 57/63] Accepting request 313738 from network:ldap - sssd.service: add Before= and Wants=nss-user-lookup.target correct fix for bsc#926961 (forwarded request 313709 from elvigia) OBS-URL: https://build.opensuse.org/request/show/313738 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=65 --- sssd.changes | 6 ++++++ sssd.service | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/sssd.changes b/sssd.changes index 1ff7aff..4f775f8 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Jun 25 16:44:49 UTC 2015 - crrodriguez@opensuse.org + +- sssd.service: add Before= and Wants=nss-user-lookup.target + correct fix for bsc#926961 + ------------------------------------------------------------------- Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com diff --git a/sssd.service b/sssd.service index ef3c8f4..0aa0e74 100644 --- a/sssd.service +++ b/sssd.service 
@@ -1,7 +1,7 @@
 [Unit]
 Description=System Security Services Daemon
-# SSSD will not be started until syslog is
-After=syslog.target
+Before=nss-user-lookup.target
+Wants=nss-user-lookup.target
 [Service]
 EnvironmentFile=-/etc/sysconfig/sssd
From 6e36ec54f1901fe20f52adb3052bf3665d966d879e9869dbef63c5488dfcb734 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Mon, 17 Aug 2015 13:33:33 +0000
Subject: [PATCH 58/63] Accepting request 322234 from network:ldap
- Kill unused libsss_sudo-devel solvable.
- Obsolete/provide libsss_sudo in sssd main package. Sudo capability is an integral feature in SSSD and the library is not supposed to be used separately.
OBS-URL: https://build.opensuse.org/request/show/322234
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=66
---
 sssd.changes | 12 ++++++++++++
 sssd.spec | 9 +++------
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/sssd.changes b/sssd.changes
index 4f775f8..9b87fcc 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Aug 12 18:20:25 UTC 2015 - jengelh@inai.de
+
+- Kill unused libsss_sudo-devel solvable.
+
+-------------------------------------------------------------------
+Tue Aug 11 07:41:07 UTC 2015 - hguo@suse.com
+
+- Obsolete/provide libsss_sudo in sssd main package.
+ Sudo capability is an integral feature in SSSD and the library
+ is not supposed to be used separately.
+
 -------------------------------------------------------------------
 Thu Jun 25 16:44:49 UTC 2015 - crrodriguez@opensuse.org
diff --git a/sssd.spec b/sssd.spec
index 711e847..e12f20c 100644
--- a/sssd.spec
+++ b/sssd.spec
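Review bot: `Before=nss-user-lookup.target` orders only the start of this unit's job; it guarantees that the SSSD NSS responder is answering before nss-user-lookup.target is reached only if the unit's `Type=` in the `[Service]` section (outside this hunk) is one that signals readiness, such as `notify`, or `forking` once the parent exits. That is worth confirming against the rest of the file, since the ordering is the whole point of the change for bsc#926961. The removed comment was also the only explanation of why the unit is ordered at all; a replacement such as `# Started before nss-user-lookup.target so units that look up SSSD users see them (bsc#926961)` above `Before=` would keep the intent readable.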
@@ -79,7 +79,9 @@ BuildRequires: pkgconfig(tevent)
 %{?systemd_requires}
 Requires: sssd-ldap = %version-%release
 Requires(postun): pam-config
+Provides: libsss_sudo = %version-%release
 Provides: sssd-client = %version-%release
+Obsoletes: libsss_sudo < %version-%release
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -283,8 +285,6 @@ responder.
 Summary: A library to allow communication between sudo and SSSD
 License: LGPL-3.0+
 Group: System/Libraries
-Provides: libsss_sudo-devel = %version-%release
-Obsoletes: libsss_sudo-devel < %version-%release
 Supplements: packageand(sudo:sssd-client)
 %description -n libsss_sudo
@@ -442,6 +442,7 @@ rm -f /var/lib/sss/db/*.ldb
 %_libdir/%name/libsss_util*
 %dir %_libdir/%name/modules/
 %_libdir/%name/modules/libsss_autofs.so
+%_libdir/libsss_sudo.so
 %dir %_libdir/ldb/
 %_libdir/ldb/memberof.so
 %dir %_libexecdir/%name/
@@ -629,10 +630,6 @@ rm -f /var/lib/sss/db/*.ldb
 %_libdir/libsss_simpleifp.so
 %_libdir/pkgconfig/sss_simpleifp.pc
-%files -n libsss_sudo
-%defattr(-,root,root)
-%_libdir/libsss_sudo.so
-
 %files -n python-ipa_hbac
 %defattr(-,root,root)
 %dir %python_sitearch
From 8f4a9d365b8fc5186abb7e0627ac3471619e6bfe0338f34d38dc291b5caef0bb Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 25 Aug 2015 05:17:27 +0000
Subject: [PATCH 59/63] Accepting request 324711 from network:ldap
- Update to new upstream release 1.13
OBS-URL: https://build.opensuse.org/request/show/324711
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=67
---
 sssd-1.12.5.tar.gz | 3 --
 sssd-1.12.5.tar.gz.asc | 7 ---
 sssd-1.13.0.tar.gz | 3 ++
 sssd-1.13.0.tar.gz.asc | 7 +++
 sssd.changes | 26 +++++++++++
 sssd.spec | 100 ++++++++++++++++++++++++++++++++++++++---
 6 files changed, 129 insertions(+), 17 deletions(-)
 delete mode 100644 sssd-1.12.5.tar.gz
 delete mode 100644 sssd-1.12.5.tar.gz.asc
 create mode 100644 sssd-1.13.0.tar.gz
 create mode 100644 sssd-1.13.0.tar.gz.asc
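Review bot: The `%files -n libsss_sudo` section is dropped in the last hunk, but the `%package -n libsss_sudo` stanza it belonged to is left in place: the `Summary:`, `License:`, `Group:`, `Supplements: packageand(sudo:sssd-client)` and `%description -n libsss_sudo` lines are still context in the second hunk, and the `%package` line itself starts outside the hunk. rpmbuild does not build a subpackage that has no `%files` section, so the stanza is now dead text and the `Supplements:` that pulled this library in alongside sudo no longer attaches to any package that is produced. Either remove the whole stanza, or, if the supplement is still wanted now that the library lives in the main package, move `Supplements: packageand(sudo:sssd-client)` next to the new `Provides: libsss_sudo = %version-%release` in the first hunk.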
diff --git a/sssd-1.12.5.tar.gz b/sssd-1.12.5.tar.gz deleted file mode 100644 index edd0deb..0000000 --- a/sssd-1.12.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:243d8db7c72ecb21aa9db8a09fe9f9b10049dbdb35a1cc2f55e214f21e3ce256 -size 4300869 diff --git a/sssd-1.12.5.tar.gz.asc b/sssd-1.12.5.tar.gz.asc deleted file mode 100644 index 7841619..0000000 --- a/sssd-1.12.5.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlV6uQEACgkQHsardTLnvCWZCwCdEWMU5ry/swLp5y/DGPXp6GkH -4U4AnjTVtz1Vj1R7hyzVKKL6uqsR6kdR -=dk0K ------END PGP SIGNATURE----- diff --git a/sssd-1.13.0.tar.gz b/sssd-1.13.0.tar.gz new file mode 100644 index 0000000..b1b9e61 --- /dev/null +++ b/sssd-1.13.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bd1dd95165bca02a08fbd0ea8ac6aa296bc339798d6c6566aee823c536718a5a +size 4417697 diff --git a/sssd-1.13.0.tar.gz.asc b/sssd-1.13.0.tar.gz.asc new file mode 100644 index 0000000..141d253 --- /dev/null +++ b/sssd-1.13.0.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlWa1YEACgkQHsardTLnvCXJQACgtx+37IBGO6/nBGqBCx5Y/Eye +Su4AoIqcfMtZZnEPC/0D0TMwAGDBhv4i +=N/oh +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 9b87fcc..a49b998 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de + +- Update to new upstream release 1.13 +* Support for separate prompts when using two-factor authentication +* Added support for one-way trusts between an IPA and Active + Directory environment. (Depends on IPA 4.2) +* The fast memory cache now also supports the initgroups operation. +* The PAM responder is now capable of caching authentication for + configurable period, which might reduce server load in cases + where accounts authenticate very frequently. + Refer to the "cached_auth_timeout" option in sssd.conf(5). +* The Active Directory provider has changed the default value of + the "ad_gpo_access_control" option from permissive to enforcing. + As a consequence, the GPO access control now affects all clients + that set access_provider to ad. In order to restore the previous + behaviour, set ad_gpo_access_control to permissive or use a + different access_provider type. +* Group Policy objects defined in a different AD domain that the + computer object is defined in are now supported. +* Credential caching and Offline authentication are also available + when using two-factor authentication +* The Python bindings are now built for both Python2 and Python3. +* The LDAP bind timeout, StartTLS timeout and password change + timeout are now configurable using the ldap_opt_timeout option. + ------------------------------------------------------------------- Wed Aug 12 18:20:25 UTC 2015 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index e12f20c..4b3b5af 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.12.5 +Version: 1.13.0 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ 
@@ -53,8 +53,9 @@ BuildRequires: libxslt-tools
 BuildRequires: nscd
 BuildRequires: openldap2-devel
 BuildRequires: pam-devel
-BuildRequires: pkg-config
-BuildRequires: pkgconfig >= 0.21
+BuildRequires: pkg-config >= 0.21
+BuildRequires: python-devel
+BuildRequires: python3-devel
 BuildRequires: systemd-rpm-macros
 BuildRequires: pkgconfig(augeas) >= 1.0.0
 BuildRequires: pkgconfig(collection) >= 0.5.1
@@ -168,6 +169,7 @@ License: GPL-3.0+ and LGPL-3.0+
 Group: System/Management
 Requires: python-sssd-config = %version
 Requires: sssd = %version
+%py_requires
 %description tools
 The packages contains commandline tools for managing users and groups using
@@ -294,32 +296,74 @@ A utility library to allow communication between sudo and SSSD. Summary: Python bindings for the FreeIPA HBAC Evaluator library License: LGPL-3.0+ Group: Development/Libraries/Python -%py_requires %description -n python-ipa_hbac The python-ipa_hbac package contains the bindings so that libipa_hbac can be used by Python applications. +%package -n python3-ipa_hbac +Summary: Python bindings for the FreeIPA HBAC Evaluator library +License: LGPL-3.0+ +Group: Development/Libraries/Python + +%description -n python3-ipa_hbac +The python-ipa_hbac package contains the bindings so that libipa_hbac +can be used by Python applications. + +%package -n python-sss-murmur +Summary: Python2 bindings for SSSD Murmur hash function +License: LGPL-3.0+ +Group: Development/Libraries/Python + +%description -n python-sss-murmur +This subpackage provides the python2 module for calculating the +Murmur hash version 3. + +%package -n python3-sss-murmur +Summary: Python3 bindings for SSSD Murmur hash function +License: LGPL-3.0+ +Group: Development/Libraries/Python + +%description -n python3-sss-murmur +This subpackage provides the python3 module for calculating the +Murmur hash version 3. + %package -n python-sss_nss_idmap Summary: Python bindings for libsss_nss_idmap License: LGPL-3.0+ Group: Development/Libraries/Python -%py_requires %description -n python-sss_nss_idmap The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can be used by Python applications. +%package -n python3-sss_nss_idmap +Summary: Python bindings for libsss_nss_idmap +License: LGPL-3.0+ +Group: Development/Libraries/Python + +%description -n python3-sss_nss_idmap +The libsss_nss_idmap-python contains the bindings so that +libsss_nss_idmap can be used by Python applications. 
+ %package -n python-sssd-config Summary: Python API for configuring sssd License: GPL-3.0+ and LGPL-3.0+ Group: Development/Libraries/Python -%py_requires %description -n python-sssd-config Provide python module to access and manage configuration of the System Security Services Daemon (sssd). +%package -n python3-sssd-config +Summary: Python API for configuring sssd +License: GPL-3.0+ and LGPL-3.0+ +Group: Development/Libraries/Python + +%description -n python3-sssd-config +Provide python module to access and manage configuration of the System +Security Services Daemon (sssd). + %prep %setup -q %patch -P 1 -p1 @@ -371,6 +415,7 @@ install -m644 %{S:4} "$b/%_unitdir/sssd.service"; rm -Rf "$b/%_initddir" ln -s service "$b/%_sbindir/rcsssd" +mkdir -p "$b/%sssdstatedir/mc" mkdir -p "$b/%_sysconfdir/ld.so.conf.d" cat >"$b/%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf" <<-EOF %_libdir/%name/modules @@ -435,6 +480,7 @@ rm -f /var/lib/sss/db/*.ldb %_mandir/man8/sssd.8* %dir %_libdir/%name/ %_libdir/%name/libsss_child* +%_libdir/%name/libsss_cert* %_libdir/%name/libsss_crypt* %_libdir/%name/libsss_debug* %_libdir/%name/libsss_semanage* @@ -458,6 +504,8 @@ rm -f /var/lib/sss/db/*.ldb %attr(755,root,root) %dir %pipepath/ %attr(700,root,root) %dir %pipepath/private/ %attr(755,root,root) %dir %pubconfpath/ +%attr(755,root,root) %dir %sssdstatedir/mc/ +%attr(700,root,root) %dir %sssdstatedir/keytabs/ %attr(750,root,root) %dir %_localstatedir/log/%name/ %dir %_sysconfdir/sssd/ %config(noreplace) %_sysconfdir/sssd/sssd.conf @@ -490,6 +538,9 @@ rm -f /var/lib/sss/db/*.ldb %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-ad.conf %_mandir/man5/sssd-ad.5* +%dir %_mandir/??/ +%dir %_mandir/??/man5/ +%_mandir/??/man5/sssd-ad.5* %files dbus %defattr(-,root,root) 
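Review bot: `%attr(700,root,root) %dir %sssdstatedir/keytabs/` is added to `%files` in the fourth hunk on this line, but `%install` only gains `mkdir -p "$b/%sssdstatedir/mc"`; unless the 1.13.0 install target creates `keytabs` itself, the build stops with a missing-file error at packaging time. Adding `mkdir -p "$b/%sssdstatedir/keytabs"` beside the `mc` line removes that dependence on upstream behaviour. The root-only 0700 mode is the right choice for a directory that, going by its name, presumably holds Kerberos keytabs, and a one-line comment such as `# keytabs/ holds credential material: keep it root-only` on the `%attr` line would stop a later edit from relaxing it the way `mc/` is 0755. Separately, the new `%description -n python3-ipa_hbac` and `%description -n python3-sss_nss_idmap` texts were copied from the python2 stanzas and still refer to `python-ipa_hbac` and `libsss_nss_idmap-python`; they should name the python3 packages.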
@@ -510,6 +561,9 @@ rm -f /var/lib/sss/db/*.ldb %dir %_datadir/%name/sssd.api.d %_datadir/%name/sssd.api.d/sssd-ipa.conf %_mandir/man5/sssd-ipa.5* +%dir %_mandir/??/ +%dir %_mandir/??/man5/ +%_mandir/??/man5/sssd-ipa.5* %files krb5 %defattr(-,root,root) @@ -599,6 +653,8 @@ rm -f /var/lib/sss/db/*.ldb %defattr(-,root,root) %_libdir/libnfsidmap/ %_mandir/man5/sss_rpcidmapd.5* +%dir %_mandir/??/man5/ +%_mandir/??/man5/sss_rpcidmapd.5* %files -n libsss_idmap0 %defattr(-,root,root) @@ -633,17 +689,47 @@ rm -f /var/lib/sss/db/*.ldb %files -n python-ipa_hbac %defattr(-,root,root) %dir %python_sitearch +%python_sitearch/_py2hbac.so %python_sitearch/pyhbac.so +%files -n python3-ipa_hbac +%defattr(-,root,root) +%dir %python3_sitearch +%python3_sitearch/_py3hbac.so +%python3_sitearch/pyhbac.so + +%files -n python-sss-murmur +%defattr(-,root,root) +%python_sitearch/_py2sss_murmur.so +%python_sitearch/pysss_murmur.so + +%files -n python3-sss-murmur +%defattr(-,root,root) +%python3_sitearch/_py3sss_murmur.so +%python3_sitearch/pysss_murmur.so + %files -n python-sss_nss_idmap %defattr(-,root,root) %dir %python_sitearch +%python_sitearch/_py2sss_nss_idmap.so %python_sitearch/pysss_nss_idmap.so +%files -n python3-sss_nss_idmap +%defattr(-,root,root) +%dir %python3_sitearch +%python3_sitearch/_py3sss_nss_idmap.so +%python3_sitearch/pysss_nss_idmap.so + %files -n python-sssd-config %defattr(-,root,root) +%python_sitearch/_py2sss.so %python_sitearch/pysss.so -%python_sitearch/pysss_murmur.so %python_sitelib/SSSDConfig* +%files -n python3-sssd-config +%defattr(-,root,root) +%python3_sitearch/_py3sss.so +%python3_sitearch/pysss.so +%python3_sitelib/SSSDConfig* + %changelog From ef2b4f6d18224cf0b3615a8d3151e5f3c4123dc10fb9be7a1574bbb6bd20791e Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Wed, 14 Oct 2015 14:40:46 +0000 Subject: [PATCH 60/63] Accepting request 335893 from network:ldap - Update to new upstream release 1.13.1 OBS-URL: https://build.opensuse.org/request/show/335893 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=68 --- sssd-1.13.0.tar.gz | 3 --- sssd-1.13.0.tar.gz.asc | 7 ------- sssd-1.13.1.tar.gz | 3 +++ sssd-1.13.1.tar.gz.asc | 7 +++++++ sssd.changes | 25 +++++++++++++++++++++++++ sssd.spec | 4 ++-- 6 files changed, 37 insertions(+), 12 deletions(-) delete mode 100644 sssd-1.13.0.tar.gz delete mode 100644 sssd-1.13.0.tar.gz.asc create mode 100644 sssd-1.13.1.tar.gz create mode 100644 sssd-1.13.1.tar.gz.asc diff --git a/sssd-1.13.0.tar.gz b/sssd-1.13.0.tar.gz deleted file mode 100644 index b1b9e61..0000000 --- a/sssd-1.13.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bd1dd95165bca02a08fbd0ea8ac6aa296bc339798d6c6566aee823c536718a5a -size 4417697 diff --git a/sssd-1.13.0.tar.gz.asc b/sssd-1.13.0.tar.gz.asc deleted file mode 100644 index 141d253..0000000 --- a/sssd-1.13.0.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlWa1YEACgkQHsardTLnvCXJQACgtx+37IBGO6/nBGqBCx5Y/Eye -Su4AoIqcfMtZZnEPC/0D0TMwAGDBhv4i -=N/oh ------END PGP SIGNATURE----- diff --git a/sssd-1.13.1.tar.gz b/sssd-1.13.1.tar.gz new file mode 100644 index 0000000..74803ec --- /dev/null +++ b/sssd-1.13.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff6425d455a5cae2359e32c8627832e67b5cc0bbec4081a16d926b6e1b431ae7 +size 4517171 diff --git a/sssd-1.13.1.tar.gz.asc b/sssd-1.13.1.tar.gz.asc new file mode 100644 index 0000000..8be2d3d --- /dev/null +++ b/sssd-1.13.1.tar.gz.asc 
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlYLta0ACgkQHsardTLnvCX0lwCgzMl3DT9BbTgcXGcM0Q2AGLUf ++8QAoK5LZJdWZ+HcXC7ZIOTJ0vv9a9FB +=z5ez +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index a49b998..64369e0 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com + +- Update to new upstream release 1.13.1 +* Initial support for Smart Card authentication was added. The + feature can be activated with the new pam_cert_auth option. +* The PAM prompting was enhanced so that when Two-Factor + Authentication is used, both factors (password and token) can + be entered separately on separate prompts. At the same time, + only the long-term password is cached, so offline access would + still work using the long term password. +* A new command line tool sss_override is present in this + release. The tools allows to override attributes on the SSSD + side. It's helpful in environment where e.g. some hosts need to + have a different view of POSIX attributes than others. Please + note that the overrides are stored in the cache as well, so + removing the cache will also remove the overrides. +* Several enhancements to the dynamic DNS update code. Notably, + clients that update multiple interfaces work better with this + release. +* This release supports authenticating againt a KDC proxy +* The fail over code was enhanced so that if a trusted domain is + not reachable, only that domain will be marked as inactive but + the backed would stay in online mode. + ------------------------------------------------------------------- Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index 4b3b5af..98dfc99 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -17,7 +17,7 @@ Name: sssd
-Version: 1.13.0
+Version: 1.13.1
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0+ and LGPL-3.0+
@@ -531,7 +531,6 @@ rm -f /var/lib/sss/db/*.ldb
 %defattr(-,root,root)
 %dir %_libdir/%name/
 %_libdir/%name/libsss_ad.so
-%_libdir/%name/libsss_ad_common.so
 %dir %_libexecdir/%name/
 %_libexecdir/%name/gpo_child
 %dir %_datadir/%name/
@@ -620,6 +619,7 @@ rm -f /var/lib/sss/db/*.ldb
 %_sbindir/sss_useradd
 %_sbindir/sss_userdel
 %_sbindir/sss_usermod
+%_sbindir/sss_override
 %dir %_mandir/??/man8/
 %_mandir/??/man8/sss_*.8*
 %_mandir/man8/sss_*.8*
From 3d0b404fb5469faa57bccb82d99568984825f2d253c81db2f1d2cdaa8ee6a830 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Fri, 18 Dec 2015 20:51:40 +0000
Subject: [PATCH 61/63] Accepting request 348804 from network:ldap
Automatic submission by obs-autosubmit
OBS-URL: https://build.opensuse.org/request/show/348804
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=69
---
 sssd-1.13.1.tar.gz | 3 ---
 sssd-1.13.1.tar.gz.asc | 7 -------
 sssd-1.13.2.tar.gz | 3 +++
 sssd-1.13.2.tar.gz.asc | 7 +++++++
 sssd.changes | 10 ++++++++++
 sssd.spec | 11 ++---------
 6 files changed, 22 insertions(+), 19 deletions(-)
 delete mode 100644 sssd-1.13.1.tar.gz
 delete mode 100644 sssd-1.13.1.tar.gz.asc
 create mode 100644 sssd-1.13.2.tar.gz
 create mode 100644 sssd-1.13.2.tar.gz.asc
diff --git a/sssd-1.13.1.tar.gz b/sssd-1.13.1.tar.gz
deleted file mode 100644
index 74803ec..0000000
--- a/sssd-1.13.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ff6425d455a5cae2359e32c8627832e67b5cc0bbec4081a16d926b6e1b431ae7
-size 4517171
diff --git a/sssd-1.13.1.tar.gz.asc b/sssd-1.13.1.tar.gz.asc
deleted file mode 100644
index 8be2d3d..0000000
--- a/sssd-1.13.1.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlYLta0ACgkQHsardTLnvCX0lwCgzMl3DT9BbTgcXGcM0Q2AGLUf -+8QAoK5LZJdWZ+HcXC7ZIOTJ0vv9a9FB -=z5ez ------END PGP SIGNATURE----- diff --git a/sssd-1.13.2.tar.gz b/sssd-1.13.2.tar.gz new file mode 100644 index 0000000..e229b3a --- /dev/null +++ b/sssd-1.13.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0914e746adb770a712aa9ccbdc8a4332cb20317fbefa367124e696993dfcf8f0 +size 4641810 diff --git a/sssd-1.13.2.tar.gz.asc b/sssd-1.13.2.tar.gz.asc new file mode 100644 index 0000000..5102f97 --- /dev/null +++ b/sssd-1.13.2.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlZN6VQACgkQHsardTLnvCUm0wCeLdBktjtQbTnZqEOPQOJc9Fwj +tWkAmQE5GN6d3DvKSbuZ55jwUVJTUzt+ +=O4fe +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 64369e0..23a0665 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Nov 20 10:39:56 UTC 2015 - jengelh@inai.de + +- Update to new upstream release 1.13.2 +* Initial support for Smart Card authentication was added. +* The PAM prompting was enhanced so that when Two-Factor + Authentication is used, both factors (password and token) can be + entered separately on separate prompts. +* This release supports authenticating againt a KDC proxy. + ------------------------------------------------------------------- Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com diff --git a/sssd.spec b/sssd.spec index 98dfc99..bab3bf3 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.13.1 +Version: 1.13.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ @@ -616,6 +616,7 @@ rm -f /var/lib/sss/db/*.ldb %_sbindir/sss_groupshow %_sbindir/sss_seed %_sbindir/sss_obfuscate +%_sbindir/sss_override %_sbindir/sss_useradd %_sbindir/sss_userdel %_sbindir/sss_usermod 
@@ -689,46 +690,38 @@ rm -f /var/lib/sss/db/*.ldb
 %files -n python-ipa_hbac
 %defattr(-,root,root)
 %dir %python_sitearch
-%python_sitearch/_py2hbac.so
 %python_sitearch/pyhbac.so
 %files -n python3-ipa_hbac
 %defattr(-,root,root)
 %dir %python3_sitearch
-%python3_sitearch/_py3hbac.so
 %python3_sitearch/pyhbac.so
 %files -n python-sss-murmur
 %defattr(-,root,root)
-%python_sitearch/_py2sss_murmur.so
 %python_sitearch/pysss_murmur.so
 %files -n python3-sss-murmur
 %defattr(-,root,root)
-%python3_sitearch/_py3sss_murmur.so
 %python3_sitearch/pysss_murmur.so
 %files -n python-sss_nss_idmap
 %defattr(-,root,root)
 %dir %python_sitearch
-%python_sitearch/_py2sss_nss_idmap.so
 %python_sitearch/pysss_nss_idmap.so
 %files -n python3-sss_nss_idmap
 %defattr(-,root,root)
 %dir %python3_sitearch
-%python3_sitearch/_py3sss_nss_idmap.so
 %python3_sitearch/pysss_nss_idmap.so
 %files -n python-sssd-config
 %defattr(-,root,root)
-%python_sitearch/_py2sss.so
 %python_sitearch/pysss.so
 %python_sitelib/SSSDConfig*
 %files -n python3-sssd-config
 %defattr(-,root,root)
-%python3_sitearch/_py3sss.so
 %python3_sitearch/pysss.so
 %python3_sitelib/SSSDConfig*
From 6eefb2d75d5e7159a24f1f8579f19cedbd98f60fc3be1886b1bc5db7f632ebfe Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Mon, 4 Jan 2016 08:19:44 +0000
Subject: [PATCH 62/63] Accepting request 350809 from network:ldap
Automatic submission by obs-autosubmit
OBS-URL: https://build.opensuse.org/request/show/350809
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=70
---
 ...ild-detect-endianness-at-configure-time.patch | 16 +++++++++-------
 sssd-1.13.2.tar.gz | 3 ---
 sssd-1.13.2.tar.gz.asc | 7 -------
 sssd-1.13.3.tar.gz | 3 +++
 sssd-1.13.3.tar.gz.asc | 7 +++++++
 sssd.changes | 13 +++++++++++++
 sssd.spec | 2 +-
 7 files changed, 33 insertions(+), 18 deletions(-)
 delete mode 100644 sssd-1.13.2.tar.gz
 delete mode 100644 sssd-1.13.2.tar.gz.asc
 create mode 100644 sssd-1.13.3.tar.gz
 create mode 100644 sssd-1.13.3.tar.gz.asc
diff --git a/0001-build-detect-endianness-at-configure-time.patch b/0001-build-detect-endianness-at-configure-time.patch index 1a8da77..91b6cc8 100644 --- a/0001-build-detect-endianness-at-configure-time.patch +++ b/0001-build-detect-endianness-at-configure-time.patch @@ -8,14 +8,16 @@ Samba. See Samba's byteorder.h header for an example. Signed-off-by: David Disseldorp --- - configure.ac | 7 +++++++ - 1 file changed, 7 insertions(+) + configure.ac | 3 +++ + 1 file changed, 3 insertions(+) ---- sssd-1.12.1.orig/configure.ac -+++ sssd-1.12.1/configure.ac -@@ -322,6 +322,9 @@ AM_CHECK_CMOCKA - - AM_CONDITIONAL([HAVE_DEVSHM], [test -d /dev/shm]) +Index: sssd-1.13.3/configure.ac +=================================================================== +--- sssd-1.13.3.orig/configure.ac ++++ sssd-1.13.3/configure.ac +@@ -428,6 +428,9 @@ AM_CONDITIONAL([HAVE_DEVSHM], [test -d / + ENABLE_POLKIT_RULES_PATH + AM_CONDITIONAL([HAVE_POLKIT_RULES_D], [test x$HAVE_POLKIT_RULES_D != x]) +AC_C_BIGENDIAN([AC_DEFINE(HAVE_BIG_ENDIAN, [1], [whether platform is big endian])], + [AC_DEFINE(HAVE_LITTLE_ENDIAN, [1], [whether platform is little endian])]) diff --git a/sssd-1.13.2.tar.gz b/sssd-1.13.2.tar.gz deleted file mode 100644 index e229b3a..0000000 --- a/sssd-1.13.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0914e746adb770a712aa9ccbdc8a4332cb20317fbefa367124e696993dfcf8f0 -size 4641810 diff --git a/sssd-1.13.2.tar.gz.asc b/sssd-1.13.2.tar.gz.asc deleted file mode 100644 index 5102f97..0000000 --- a/sssd-1.13.2.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlZN6VQACgkQHsardTLnvCUm0wCeLdBktjtQbTnZqEOPQOJc9Fwj -tWkAmQE5GN6d3DvKSbuZ55jwUVJTUzt+ -=O4fe ------END PGP SIGNATURE----- diff --git a/sssd-1.13.3.tar.gz b/sssd-1.13.3.tar.gz new file mode 100644 index 0000000..f7cfd38 --- /dev/null +++ b/sssd-1.13.3.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3fd8fe8e6ee9f50b33eecd1bcccfaa44791f30d4e5f3113ba91457ba5f411f85 +size 4661143 diff --git a/sssd-1.13.3.tar.gz.asc b/sssd-1.13.3.tar.gz.asc new file mode 100644 index 0000000..e88c30a --- /dev/null +++ b/sssd-1.13.3.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlZwc5IACgkQHsardTLnvCXyOgCg20lBb2owmQRYRjPZClBcn9+y +GU4AnR/tg+KqvfA/djm5yoV4/Ys3LA2g +=zefD +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 23a0665..c2a5831 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Wed Dec 16 14:08:01 UTC 2015 - jengelh@inai.de + +- Update to new maintenance release 1.13.3 +* A bug that prevented user lookups and logins after migration from + winsync to IPA-AD trusts was fixed. +* A bug that prevented the ignore_group_members option from working + correctly in AD provider setups that use a dedicated primary + group (as opposed to a user-private group) was fixed. +* Offline detection and offline login timeouts were improved for AD + users logging in from a domain trusted by an IPA server. +* The AD provider supports setting up autofs_provider=ad . + ------------------------------------------------------------------- Fri Nov 20 10:39:56 UTC 2015 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index bab3bf3..fe3c7e0 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.13.2 +Version: 1.13.3 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ From 35e3d42a4618f2a6ff7611efb894fbf71f3ff674a048becb108da14ea0cd6691 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Tue, 5 Jan 2016 13:59:39 +0000 Subject: [PATCH 63/63] Accepting request 352050 from openSUSE:Factory Revert to 1.13.2 - 1.13.3 fails openQA test suite OBS-URL: https://build.opensuse.org/request/show/352050 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=71 --- ...ild-detect-endianness-at-configure-time.patch | 16 +++++++--------- sssd-1.13.2.tar.gz | 3 +++ sssd-1.13.2.tar.gz.asc | 7 +++++++ sssd-1.13.3.tar.gz | 3 --- sssd-1.13.3.tar.gz.asc | 7 ------- sssd.changes | 13 ------------- sssd.spec | 2 +- 7 files changed, 18 insertions(+), 33 deletions(-) create mode 100644 sssd-1.13.2.tar.gz create mode 100644 sssd-1.13.2.tar.gz.asc delete mode 100644 sssd-1.13.3.tar.gz delete mode 100644 sssd-1.13.3.tar.gz.asc diff --git a/0001-build-detect-endianness-at-configure-time.patch b/0001-build-detect-endianness-at-configure-time.patch index 91b6cc8..1a8da77 100644 --- a/0001-build-detect-endianness-at-configure-time.patch +++ b/0001-build-detect-endianness-at-configure-time.patch @@ -8,16 +8,14 @@ Samba. See Samba's byteorder.h header for an example. Signed-off-by: David Disseldorp --- - configure.ac | 3 +++ - 1 file changed, 3 insertions(+) + configure.ac | 7 +++++++ + 1 file changed, 7 insertions(+) -Index: sssd-1.13.3/configure.ac -=================================================================== ---- sssd-1.13.3.orig/configure.ac -+++ sssd-1.13.3/configure.ac -@@ -428,6 +428,9 @@ AM_CONDITIONAL([HAVE_DEVSHM], [test -d / - ENABLE_POLKIT_RULES_PATH - AM_CONDITIONAL([HAVE_POLKIT_RULES_D], [test x$HAVE_POLKIT_RULES_D != x]) +--- sssd-1.12.1.orig/configure.ac ++++ sssd-1.12.1/configure.ac +@@ -322,6 +322,9 @@ AM_CHECK_CMOCKA + + AM_CONDITIONAL([HAVE_DEVSHM], [test -d /dev/shm]) +AC_C_BIGENDIAN([AC_DEFINE(HAVE_BIG_ENDIAN, [1], [whether platform is big endian])], + [AC_DEFINE(HAVE_LITTLE_ENDIAN, [1], [whether platform is little endian])]) 
diff --git a/sssd-1.13.2.tar.gz b/sssd-1.13.2.tar.gz new file mode 100644 index 0000000..e229b3a --- /dev/null +++ b/sssd-1.13.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0914e746adb770a712aa9ccbdc8a4332cb20317fbefa367124e696993dfcf8f0 +size 4641810 diff --git a/sssd-1.13.2.tar.gz.asc b/sssd-1.13.2.tar.gz.asc new file mode 100644 index 0000000..5102f97 --- /dev/null +++ b/sssd-1.13.2.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlZN6VQACgkQHsardTLnvCUm0wCeLdBktjtQbTnZqEOPQOJc9Fwj +tWkAmQE5GN6d3DvKSbuZ55jwUVJTUzt+ +=O4fe +-----END PGP SIGNATURE----- diff --git a/sssd-1.13.3.tar.gz b/sssd-1.13.3.tar.gz deleted file mode 100644 index f7cfd38..0000000 --- a/sssd-1.13.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3fd8fe8e6ee9f50b33eecd1bcccfaa44791f30d4e5f3113ba91457ba5f411f85 -size 4661143 diff --git a/sssd-1.13.3.tar.gz.asc b/sssd-1.13.3.tar.gz.asc deleted file mode 100644 index e88c30a..0000000 --- a/sssd-1.13.3.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlZwc5IACgkQHsardTLnvCXyOgCg20lBb2owmQRYRjPZClBcn9+y -GU4AnR/tg+KqvfA/djm5yoV4/Ys3LA2g -=zefD ------END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index c2a5831..23a0665 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,16 +1,3 @@ -------------------------------------------------------------------- -Wed Dec 16 14:08:01 UTC 2015 - jengelh@inai.de - -- Update to new maintenance release 1.13.3 -* A bug that prevented user lookups and logins after migration from - winsync to IPA-AD trusts was fixed. -* A bug that prevented the ignore_group_members option from working - correctly in AD provider setups that use a dedicated primary - group (as opposed to a user-private group) was fixed. -* Offline detection and offline login timeouts were improved for AD - users logging in from a domain trusted by an IPA server. -* The AD provider supports setting up autofs_provider=ad . - ------------------------------------------------------------------- Fri Nov 20 10:39:56 UTC 2015 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index fe3c7e0..bab3bf3 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.13.3 +Version: 1.13.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+