diff --git a/sssd-2.4.0.tar.gz b/sssd-2.4.0.tar.gz deleted file mode 100644 index 02de8a8..0000000 --- a/sssd-2.4.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:13d7eeff15e582279f70a3aad32daeb40d3749ec14947a4eded35adce7490cdd -size 7280358 diff --git a/sssd-2.4.0.tar.gz.asc b/sssd-2.4.0.tar.gz.asc deleted file mode 100644 index 3672600..0000000 --- a/sssd-2.4.0.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAl+ELlgACgkQr/513ehQ -jhLmrQf/XCUpKoYoPm6UiUadZg7ekdju0qMLP469mwMVxp0GirHa3fNQkfnEg6OY -CxuBbD+syRlom33jjmyOudMidmJioycaOgyogMpa+mjHezlrI5fNkX2/8FsUNcqs -qoObYBRwE4moGMq5/Ym/dXD3OFJPRladkWtW14R+0W6otU23buSYVPPAkwZ4/sEo -VK5Un9+I4H7AYCGDCJuvP6zPAaRao94csOSzHUPcyLEltynu9WYYWIDRfmJ+fCjC -q3ul69DnddwiHxpnx/MqxkhlR2enHnJ6286WrIvgccjN1ytdY/LSJQkUxjCKLY/Y -XoakWNKd+Z0oXv8/tP0OhOkP6q0qTA== -=Cm3o ------END PGP SIGNATURE----- diff --git a/sssd-2.4.2.tar.gz b/sssd-2.4.2.tar.gz new file mode 100644 index 0000000..766eeeb --- /dev/null +++ b/sssd-2.4.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:51d12cb38f1134c18a07ded3a5ebfb8d4661613ac00dc029d53d2b496836a6a2 +size 7402483 diff --git a/sssd-2.4.2.tar.gz.asc b/sssd-2.4.2.tar.gz.asc new file mode 100644 index 0000000..2a4d501 --- /dev/null +++ b/sssd-2.4.2.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmAv4LcACgkQr/513ehQ +jhI+mwgAoTOywo4dBpHlXDWyyBZ0TQAbrCGiRXMIN/Aj4Z+eiOWnAQgFj35lQWsN +b479EulLm5FESNXi589NA+QgMMjYojSPMalZPp9GcZAP+utik/Zyqh/XnA3HnHaS +QkORz2IbLEJhAQwlnwrAO6PpQEjkDuM96K4Edkdla1v0AmQCWVjN9U6oZxypEisk +umr2zDUzYGi6XVh98pEcd2SThvsObBlkzz9NNrC+TN9zXytnZXe1Rf2yZ+MI1+7R +MoxN+Pn/a9itUT/Y8cllgHkc/8i2x1jRkl4e2ERJpqQoPQa74n7mPHrt0T8fwBOo +SDKd7OeaqC+D1ACTPDmqTWr6WRIh0w== +=YihF +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 2d71122..032eaab 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Fri Feb 19 17:30:58 UTC 2021 - Jan Engelhardt + +- Update to release 2.4.2 + * Default value of "user" config option was fixed into + accordance with man page, i.e. default is "root". + * pam_sss_gss now support authentication indicators to further + harden the authentication. + +------------------------------------------------------------------- +Fri Feb 12 15:55:37 UTC 2021 - Dominique Leuenberger + +- Pass --with-pid-path=%{_rundir} to configure: adjust rundir + according the distro settings, i.e. /run on modern systems. + Eliminates a systemd warning like this one in the journal: + Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13: + PIDFile= references a path below legacy directory /var/run/, + updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly. + +------------------------------------------------------------------- +Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt + +- Update to release 2.4.1 + * New PAM module pam_sss_gss for authentication using GSSAPI. + * case_sensitive=Preserving can now be set for trusted domains + with AD and IPA providers. + * krb5_use_subdomain_realm=True can now be used when sub-domain + user principal names have upnSuffixes which are not known in + the parent domain. SSSD will try to send the Kerberos request + directly to a KDC of the sub-domain. + * SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald + output, to avoid issues with PID parsing in rsyslog + (BSD-style forwarder) output. + * Added pam_gssapi_check_upn to enforce authentication only + with principal that can be associated with target user. + * Added pam_gssapi_services to list PAM services that can + authenticate using GSSAPI. + ------------------------------------------------------------------- Mon Oct 12 13:10:26 UTC 2020 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index 020ca01..7ab5828 100644 --- a/sssd.spec +++ b/sssd.spec @@ -15,18 +15,17 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # -%define _buildshell /bin/bash Name: sssd -Version: 2.4.0 +Version: 2.4.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later and LGPL-3.0-or-later Group: System/Daemons URL: https://pagure.io/SSSD/sssd #Git-Clone: https://pagure.io/SSSD/sssd -Source: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/%name-%version.tar.gz -Source2: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/%name-%version.tar.gz.asc +Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz +Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring Patch1: krb-noversion.diff @@ -377,6 +376,7 @@ export LDFLAGS="-pie" --with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-initscript=systemd \ --with-syslog=journald \ + --with-pid-path="%_rundir" \ --enable-nsslibdir="/%_lib" \ --enable-pammoddir="/%_lib/security" \ --with-ldb-lib-dir="$LDB_DIR" \ @@ -386,7 +386,7 @@ export LDFLAGS="-pie" --disable-ldb-version-check \ --without-secrets \ --without-python2-bindings -make %{?_smp_mflags} all +%make_build all %install # sss_obfuscate is compatible with both python 2 and 3 @@ -395,48 +395,37 @@ sed -i -e 's:%_bindir/python:%_bindir/python3:' src/tools/sss_obfuscate %make_install b="%buildroot" -# Copy default sssd.conf file -install -d "$b/%_mandir"/{cs,cs/man8,nl,nl/man8,pt,pt/man8,uk,uk/man1} \ - "$b/%_mandir"/{uk/man5,uk/man8} -install -d "$b/%_sysconfdir/sssd" +#for i in cs cs/man8 nl nl/man8 pt pt/man8 uk uk/man1 uk/man5 uk/man8; do +# mkdir -p "$b/%_mandir/$i" +#done +# Copy some defaults +mkdir -p "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d" install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" -install -d "$b/%_sysconfdir/sssd/conf.d" install -d "$b/%_unitdir" - -# Copy default logrotate file install -d "$b/%_sysconfdir/logrotate.d" install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd" rm -Rfv "$b/%_initddir" -ln -sfv service "$b/%_sbindir/rcsssd" -ln -sfv service "$b/%_sbindir/rcsssd-autofs" -ln -sfv service "$b/%_sbindir/rcsssd-ifp" -ln -sfv service "$b/%_sbindir/rcsssd-nss" -ln -sfv service "$b/%_sbindir/rcsssd-pac" -ln -sfv service "$b/%_sbindir/rcsssd-pam" -ln -sfv service "$b/%_sbindir/rcsssd-ssh" -ln -sfv service "$b/%_sbindir/rcsssd-sudo" - mkdir -pv "$b/%sssdstatedir/mc" find "$b" -type f -name "*.la" -print -delete -rm -Rfv "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug" %find_lang %name --all-name %check # sss_config-tests fails -make %{?_smp_mflags} check || : +%make_build check || : %pre -%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%global services sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_add_pre %services %post /sbin/ldconfig # migrate config variable krb5_kdcip to krb5_server (bnc#851048) /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf -%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_add_post %services %preun -%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_del_preun %services %postun /sbin/ldconfig @@ -447,7 +436,7 @@ fi # (especially, downgrades) rm -f /var/lib/sss/db/*.ldb # del_postun includes a try-restart -%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_del_postun %services %post -n libsss_certmap0 -p /sbin/ldconfig %postun -n libsss_certmap0 -p /sbin/ldconfig @@ -472,6 +461,18 @@ rm -f /var/lib/sss/db/*.ldb %postun dbus %service_del_postun sssd-ifp.service +%pre kcm +%service_add_pre sssd-kcm.service sssd-kcm.socket + +%post kcm +%service_add_post sssd-kcm.service sssd-kcm.socket + +%preun kcm +%service_del_preun sssd-kcm.service sssd-kcm.socket + +%postun kcm +%service_del_postun sssd-kcm.service sssd-kcm.socket + %files -f sssd.lang %license COPYING %_unitdir/sssd.service @@ -491,13 +492,13 @@ rm -f /var/lib/sss/db/*.ldb %_bindir/sss_ssh_* %_sbindir/sssctl %_sbindir/sssd -%_sbindir/rcsssd -%_sbindir/rcsssd-autofs -%_sbindir/rcsssd-nss -%_sbindir/rcsssd-pac -%_sbindir/rcsssd-pam -%_sbindir/rcsssd-ssh -%_sbindir/rcsssd-sudo +#%_sbindir/rcsssd +#%_sbindir/rcsssd-autofs +#%_sbindir/rcsssd-nss +#%_sbindir/rcsssd-pac +#%_sbindir/rcsssd-pam +#%_sbindir/rcsssd-ssh +#%_sbindir/rcsssd-sudo %dir %_mandir/??/ %dir %_mandir/??/man[158]/ %_mandir/??/man1/sss_ssh_* @@ -579,12 +580,14 @@ rm -f /var/lib/sss/db/*.ldb # /%_lib/libnss_sss.so.2 /%_lib/security/pam_sss.so +/%_lib/security/pam_sss_gss.so %_libdir/cifs-utils/ %_libdir/krb5/ %_libdir/%name/modules/sssd_krb5_localauth_plugin.so %_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/??/man8/pam_sss.8* %_mandir/man8/pam_sss.8* +%_mandir/man8/pam_sss_gss.8* %_mandir/man8/sssd_krb5_locator_plugin.8* %files ad @@ -609,7 +612,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_mandir/??/man5/ %_mandir/??/man5/sssd-ifp.5* %_unitdir/sssd-ifp.service -%_sbindir/rcsssd-ifp +#%_sbindir/rcsssd-ifp %config %_sysconfdir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service