From e23d738143bb0ff0f72548ed2bc72a52cdf3215380b54650d8f16f32e617594b Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 5 Feb 2021 12:58:17 +0000 Subject: [PATCH 1/4] - Update to release 2.4.1 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=238 --- sssd-2.4.0.tar.gz | 3 --- sssd-2.4.0.tar.gz.asc | 11 ----------- sssd-2.4.1.tar.gz | 3 +++ sssd-2.4.1.tar.gz.asc | 11 +++++++++++ sssd.changes | 19 +++++++++++++++++++ sssd.spec | 10 ++++++---- 6 files changed, 39 insertions(+), 18 deletions(-) delete mode 100644 sssd-2.4.0.tar.gz delete mode 100644 sssd-2.4.0.tar.gz.asc create mode 100644 sssd-2.4.1.tar.gz create mode 100644 sssd-2.4.1.tar.gz.asc diff --git a/sssd-2.4.0.tar.gz b/sssd-2.4.0.tar.gz deleted file mode 100644 index 02de8a8..0000000 --- a/sssd-2.4.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:13d7eeff15e582279f70a3aad32daeb40d3749ec14947a4eded35adce7490cdd -size 7280358 diff --git a/sssd-2.4.0.tar.gz.asc b/sssd-2.4.0.tar.gz.asc deleted file mode 100644 index 3672600..0000000 --- a/sssd-2.4.0.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAl+ELlgACgkQr/513ehQ -jhLmrQf/XCUpKoYoPm6UiUadZg7ekdju0qMLP469mwMVxp0GirHa3fNQkfnEg6OY -CxuBbD+syRlom33jjmyOudMidmJioycaOgyogMpa+mjHezlrI5fNkX2/8FsUNcqs -qoObYBRwE4moGMq5/Ym/dXD3OFJPRladkWtW14R+0W6otU23buSYVPPAkwZ4/sEo -VK5Un9+I4H7AYCGDCJuvP6zPAaRao94csOSzHUPcyLEltynu9WYYWIDRfmJ+fCjC -q3ul69DnddwiHxpnx/MqxkhlR2enHnJ6286WrIvgccjN1ytdY/LSJQkUxjCKLY/Y -XoakWNKd+Z0oXv8/tP0OhOkP6q0qTA== -=Cm3o ------END PGP SIGNATURE----- diff --git a/sssd-2.4.1.tar.gz b/sssd-2.4.1.tar.gz new file mode 100644 index 0000000..830c041 --- /dev/null +++ b/sssd-2.4.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:63428d3baf7486f0d076ee106f24372738f6172086abf884e7a7320030c39141 +size 7374100 
diff --git a/sssd-2.4.1.tar.gz.asc b/sssd-2.4.1.tar.gz.asc new file mode 100644 index 0000000..71840a1 --- /dev/null +++ b/sssd-2.4.1.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmAdOnQACgkQr/513ehQ +jhI+3wgAv3BdMtXantDdhkdWRBQW6s4abMojspIqONR0aMUrPhy9tMnicoNz/BgV ++hFBN3phoQUSaW+5A817vRQTj7lQxHg8YnqWuk2+T+vMiiB6ZMVsb/49sGk768Ii +oZ/D6rzByW8z/UAzco4CHZiYDNck8Qn+25eE3+/H7NbX4FdTsvt5kzbKY0gU/412 +zfckfHby2D5br6g32qvNwpRHFVJM+oEvhhx0nFVNa40v3Q4T/0GhvWLNloVNKoB9 +9sYYXnDDnFe8+h5PGuaMlFDWrRmpY+GZaZ4G8GQqwh2SXEHh8o9VdDlY4XGychfM +XhK3+ROESutPgjCJVMmiYmNYgpTQdA== +=f9OA +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 2d71122..d34ad02 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt + +- Update to release 2.4.1 + * New PAM module pam_sss_gss for authentication using GSSAPI. + * case_sensitive=Preserving can now be set for trusted domains + with AD and IPA providers. + * krb5_use_subdomain_realm=True can now be used when sub-domain + user principal names have upnSuffixes which are not known in + the parent domain. SSSD will try to send the Kerberos request + directly to a KDC of the sub-domain. + * SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald + output, to avoid issues with PID parsing in rsyslog + (BSD-style forwarder) output. + * Added pam_gssapi_check_upn to enforce authentication only + with principal that can be associated with target user. + * Added pam_gssapi_services to list PAM services that can + authenticate using GSSAPI. + ------------------------------------------------------------------- Mon Oct 12 13:10:26 UTC 2020 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index 020ca01..908b8fa 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -18,15 +18,15 @@ %define _buildshell /bin/bash Name: sssd -Version: 2.4.0 +Version: 2.4.1 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later and LGPL-3.0-or-later Group: System/Daemons URL: https://pagure.io/SSSD/sssd #Git-Clone: https://pagure.io/SSSD/sssd -Source: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/%name-%version.tar.gz -Source2: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/%name-%version.tar.gz.asc +Source: https://github.com/SSSD/sssd/releases/download/2.4.1/%name-%version.tar.gz +Source2: https://github.com/SSSD/sssd/releases/download/2.4.1/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring Patch1: krb-noversion.diff @@ -386,7 +386,7 @@ export LDFLAGS="-pie" --disable-ldb-version-check \ --without-secrets \ --without-python2-bindings -make %{?_smp_mflags} all +%make_build all %install # sss_obfuscate is compatible with both python 2 and 3 @@ -579,11 +579,13 @@ rm -f /var/lib/sss/db/*.ldb # /%_lib/libnss_sss.so.2 /%_lib/security/pam_sss.so +/%_lib/security/pam_sss_gss.so %_libdir/cifs-utils/ %_libdir/krb5/ %_libdir/%name/modules/sssd_krb5_localauth_plugin.so %_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/??/man8/pam_sss.8* +%_mandir/??/man8/pam_sss_gss.8* %_mandir/man8/pam_sss.8* %_mandir/man8/sssd_krb5_locator_plugin.8* From c5a333080c8c476f1e13693da0eb1dd3d8fbbdf08cfcc6e4a21d096d13a6b682 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 5 Feb 2021 13:38:16 +0000 Subject: [PATCH 2/4] manpage path OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=239 --- sssd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sssd.spec b/sssd.spec index 908b8fa..d7f09f8 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -585,8 +585,8 @@ rm -f /var/lib/sss/db/*.ldb %_libdir/%name/modules/sssd_krb5_localauth_plugin.so %_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/??/man8/pam_sss.8* -%_mandir/??/man8/pam_sss_gss.8* %_mandir/man8/pam_sss.8* +%_mandir/man8/pam_sss_gss.8* %_mandir/man8/sssd_krb5_locator_plugin.8* %files ad From aa8f5563210362b8ffa6d28f9510f436e370a3da3fd4c70c23624fa52a2c6816 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 19 Feb 2021 18:09:29 +0000 Subject: [PATCH 3/4] - Update to release 2.4.2 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=240 --- sssd-2.4.1.tar.gz | 3 -- sssd-2.4.1.tar.gz.asc | 11 ------- sssd-2.4.2.tar.gz | 3 ++ sssd-2.4.2.tar.gz.asc | 11 +++++++ sssd.changes | 9 ++++++ sssd.spec | 68 +++++++++++++++++++++---------------------- 6 files changed, 57 insertions(+), 48 deletions(-) delete mode 100644 sssd-2.4.1.tar.gz delete mode 100644 sssd-2.4.1.tar.gz.asc create mode 100644 sssd-2.4.2.tar.gz create mode 100644 sssd-2.4.2.tar.gz.asc diff --git a/sssd-2.4.1.tar.gz b/sssd-2.4.1.tar.gz deleted file mode 100644 index 830c041..0000000 --- a/sssd-2.4.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:63428d3baf7486f0d076ee106f24372738f6172086abf884e7a7320030c39141 -size 7374100 diff --git a/sssd-2.4.1.tar.gz.asc b/sssd-2.4.1.tar.gz.asc deleted file mode 100644 index 71840a1..0000000 --- a/sssd-2.4.1.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmAdOnQACgkQr/513ehQ -jhI+3wgAv3BdMtXantDdhkdWRBQW6s4abMojspIqONR0aMUrPhy9tMnicoNz/BgV -+hFBN3phoQUSaW+5A817vRQTj7lQxHg8YnqWuk2+T+vMiiB6ZMVsb/49sGk768Ii -oZ/D6rzByW8z/UAzco4CHZiYDNck8Qn+25eE3+/H7NbX4FdTsvt5kzbKY0gU/412 -zfckfHby2D5br6g32qvNwpRHFVJM+oEvhhx0nFVNa40v3Q4T/0GhvWLNloVNKoB9 -9sYYXnDDnFe8+h5PGuaMlFDWrRmpY+GZaZ4G8GQqwh2SXEHh8o9VdDlY4XGychfM -XhK3+ROESutPgjCJVMmiYmNYgpTQdA== -=f9OA ------END PGP SIGNATURE----- 
diff --git a/sssd-2.4.2.tar.gz b/sssd-2.4.2.tar.gz new file mode 100644 index 0000000..766eeeb --- /dev/null +++ b/sssd-2.4.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:51d12cb38f1134c18a07ded3a5ebfb8d4661613ac00dc029d53d2b496836a6a2 +size 7402483 diff --git a/sssd-2.4.2.tar.gz.asc b/sssd-2.4.2.tar.gz.asc new file mode 100644 index 0000000..2a4d501 --- /dev/null +++ b/sssd-2.4.2.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmAv4LcACgkQr/513ehQ +jhI+mwgAoTOywo4dBpHlXDWyyBZ0TQAbrCGiRXMIN/Aj4Z+eiOWnAQgFj35lQWsN +b479EulLm5FESNXi589NA+QgMMjYojSPMalZPp9GcZAP+utik/Zyqh/XnA3HnHaS +QkORz2IbLEJhAQwlnwrAO6PpQEjkDuM96K4Edkdla1v0AmQCWVjN9U6oZxypEisk +umr2zDUzYGi6XVh98pEcd2SThvsObBlkzz9NNrC+TN9zXytnZXe1Rf2yZ+MI1+7R +MoxN+Pn/a9itUT/Y8cllgHkc/8i2x1jRkl4e2ERJpqQoPQa74n7mPHrt0T8fwBOo +SDKd7OeaqC+D1ACTPDmqTWr6WRIh0w== +=YihF +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index d34ad02..0391473 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Feb 19 17:30:58 UTC 2021 - Jan Engelhardt + +- Update to release 2.4.2 + * Default value of "user" config option was fixed into + accordance with man page, i.e. default is "root". + * pam_sss_gss now support authentication indicators to further + harden the authentication. + ------------------------------------------------------------------- Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index d7f09f8..73091a1 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -15,18 +15,17 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # -%define _buildshell /bin/bash Name: sssd -Version: 2.4.1 +Version: 2.4.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later and LGPL-3.0-or-later Group: System/Daemons URL: https://pagure.io/SSSD/sssd #Git-Clone: https://pagure.io/SSSD/sssd -Source: https://github.com/SSSD/sssd/releases/download/2.4.1/%name-%version.tar.gz -Source2: https://github.com/SSSD/sssd/releases/download/2.4.1/%name-%version.tar.gz.asc +Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz +Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring Patch1: krb-noversion.diff 
@@ -395,48 +394,37 @@ sed -i -e 's:%_bindir/python:%_bindir/python3:' src/tools/sss_obfuscate %make_install b="%buildroot" -# Copy default sssd.conf file -install -d "$b/%_mandir"/{cs,cs/man8,nl,nl/man8,pt,pt/man8,uk,uk/man1} \ - "$b/%_mandir"/{uk/man5,uk/man8} -install -d "$b/%_sysconfdir/sssd" +#for i in cs cs/man8 nl nl/man8 pt pt/man8 uk uk/man1 uk/man5 uk/man8; do +# mkdir -p "$b/%_mandir/$i" +#done +# Copy some defaults +mkdir -p "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d" install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" -install -d "$b/%_sysconfdir/sssd/conf.d" install -d "$b/%_unitdir" - -# Copy default logrotate file install -d "$b/%_sysconfdir/logrotate.d" install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd" rm -Rfv "$b/%_initddir" -ln -sfv service "$b/%_sbindir/rcsssd" -ln -sfv service "$b/%_sbindir/rcsssd-autofs" -ln -sfv service "$b/%_sbindir/rcsssd-ifp" -ln -sfv service "$b/%_sbindir/rcsssd-nss" -ln -sfv service "$b/%_sbindir/rcsssd-pac" -ln -sfv service "$b/%_sbindir/rcsssd-pam" -ln -sfv service "$b/%_sbindir/rcsssd-ssh" -ln -sfv service "$b/%_sbindir/rcsssd-sudo" - mkdir -pv "$b/%sssdstatedir/mc" find "$b" -type f -name "*.la" -print -delete -rm -Rfv "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug" %find_lang %name --all-name %check # sss_config-tests fails -make %{?_smp_mflags} check || : +%make_build check || : %pre -%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%global services sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_add_pre %services %post /sbin/ldconfig # 
migrate config variable krb5_kdcip to krb5_server (bnc#851048) /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf -%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_add_post %services %preun -%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_del_preun %services %postun /sbin/ldconfig @@ -447,7 +435,7 @@ fi # (especially, downgrades) rm -f /var/lib/sss/db/*.ldb # del_postun includes a try-restart -%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_del_postun %services %post -n libsss_certmap0 -p /sbin/ldconfig %postun -n libsss_certmap0 -p /sbin/ldconfig @@ -472,6 +460,18 @@ rm -f /var/lib/sss/db/*.ldb %postun dbus %service_del_postun sssd-ifp.service +%pre kcm +%service_add_pre sssd-kcm.service sssd-kcm.socket + +%post kcm +%service_add_post sssd-kcm.service sssd-kcm.socket + +%preun kcm +%service_del_preun sssd-kcm.service sssd-kcm.socket + +%postun kcm +%service_del_postun sssd-kcm.service sssd-kcm.socket + %files -f sssd.lang %license COPYING %_unitdir/sssd.service 
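Review bot: `%make_build check || :` in `%check` still discards the exit status of the entire test suite, so a regression in any test cannot fail the build, and that includes any tests covering the newly packaged pam_sss_gss module. The comment above it names only sss_config-tests as failing. Narrowing the exemption to that one test would let every other failure surface, for example `%make_build check XFAIL_TESTS=sss_config-tests`, assuming that is the name automake registers it under. Separately, `%global services …` is defined inside the `%pre` scriptlet body; it works because the spec is parsed top to bottom, but moving it to the preamble would make the definition independent of scriptlet order.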
@@ -491,13 +491,13 @@ rm -f /var/lib/sss/db/*.ldb %_bindir/sss_ssh_* %_sbindir/sssctl %_sbindir/sssd -%_sbindir/rcsssd -%_sbindir/rcsssd-autofs -%_sbindir/rcsssd-nss -%_sbindir/rcsssd-pac -%_sbindir/rcsssd-pam -%_sbindir/rcsssd-ssh -%_sbindir/rcsssd-sudo +#%_sbindir/rcsssd +#%_sbindir/rcsssd-autofs +#%_sbindir/rcsssd-nss +#%_sbindir/rcsssd-pac +#%_sbindir/rcsssd-pam +#%_sbindir/rcsssd-ssh +#%_sbindir/rcsssd-sudo %dir %_mandir/??/ %dir %_mandir/??/man[158]/ %_mandir/??/man1/sss_ssh_* @@ -611,7 +611,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_mandir/??/man5/ %_mandir/??/man5/sssd-ifp.5* %_unitdir/sssd-ifp.service -%_sbindir/rcsssd-ifp +#%_sbindir/rcsssd-ifp %config %_sysconfdir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service From bf4ece58e7b4d53a07c1d798221605362ac402596701f3117c6082f39b5118a9 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 19 Feb 2021 18:34:39 +0000 Subject: [PATCH 4/4] apply 871491 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=241 --- sssd.changes | 10 ++++++++++ sssd.spec | 1 + 2 files changed, 11 insertions(+) diff --git a/sssd.changes b/sssd.changes index 0391473..032eaab 100644 --- a/sssd.changes +++ b/sssd.changes 
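Review bot: The `rcsssd*` entries in `%files` are disabled with a leading `#`, but rpm still expands macros on comment lines, so `#%_sbindir/rcsssd` is not inert text and newer rpmbuild versions warn about a macro expanded in a comment. Deleting the lines outright, or escaping them as `#%%_sbindir/rcsssd`, avoids that. The same applies to `#%_sbindir/rcsssd-ifp` in the `@@ -611,7 +611,7 @@` hunk and to the commented-out `mkdir -p "$b/%_mandir/$i"` loop in `%install`. If the rc symlinks are gone for good, removing the lines also keeps the file list unambiguous about what the package ships.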
@@ -7,6 +7,16 @@ Fri Feb 19 17:30:58 UTC 2021 - Jan Engelhardt * pam_sss_gss now support authentication indicators to further harden the authentication. +------------------------------------------------------------------- +Fri Feb 12 15:55:37 UTC 2021 - Dominique Leuenberger + +- Pass --with-pid-path=%{_rundir} to configure: adjust rundir + according the distro settings, i.e. /run on modern systems. + Eliminates a systemd warning like this one in the journal: + Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13: + PIDFile= references a path below legacy directory /var/run/, + updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly. + ------------------------------------------------------------------- Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index 73091a1..7ab5828 100644 --- a/sssd.spec +++ b/sssd.spec @@ -376,6 +376,7 @@ export LDFLAGS="-pie" --with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-initscript=systemd \ --with-syslog=journald \ + --with-pid-path="%_rundir" \ --enable-nsslibdir="/%_lib" \ --enable-pammoddir="/%_lib/security" \ --with-ldb-lib-dir="$LDB_DIR" \
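Review bot: `--with-pid-path="%_rundir"` relies on `%_rundir` being defined by the target's rpm macros. rpm leaves an undefined macro unexpanded, so on such a target configure would receive the literal string `%_rundir` as the PID directory. If this spec is still built for older distributions (not visible here), a fallback such as `--with-pid-path="%{?_rundir}%{!?_rundir:%_localstatedir/run}"` keeps the previous location there. The configure invocation starts and ends outside this hunk.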