From ec865ab0440ee653bb98ee459a48162b287d01f8299a87c85804eb6d479cc9bc Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Mon, 8 Mar 2010 17:24:35 +0000 Subject: [PATCH] Accepting request 34177 from network:ldap Copy from network:ldap/sssd based on submit request 34177 from user rhafer OBS-URL: https://build.opensuse.org/request/show/34177 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=1 --- ...-detect-endianness-at-configure-time.patch | 27 - baselibs.conf | 4 - ready | 0 sssd-1.0.5.tar.gz | 3 + sssd-1.13.3.tar.gz | 3 - sssd-1.13.3.tar.gz.asc | 7 - sssd.changes | 847 ------------------ sssd.keyring | 34 - sssd.service | 15 - sssd.spec | 788 +++------------- 10 files changed, 140 insertions(+), 1588 deletions(-) delete mode 100644 0001-build-detect-endianness-at-configure-time.patch delete mode 100644 baselibs.conf create mode 100644 ready create mode 100644 sssd-1.0.5.tar.gz delete mode 100644 sssd-1.13.3.tar.gz delete mode 100644 sssd-1.13.3.tar.gz.asc delete mode 100644 sssd.keyring delete mode 100644 sssd.service diff --git a/0001-build-detect-endianness-at-configure-time.patch b/0001-build-detect-endianness-at-configure-time.patch deleted file mode 100644 index 91b6cc8..0000000 --- a/0001-build-detect-endianness-at-configure-time.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 303d096f920801f7b06a7ad406ea83b4cd0219da Mon Sep 17 00:00:00 2001 -From: David Disseldorp -Date: Tue, 6 May 2014 15:56:42 +0200 -Subject: [PATCH] build: detect endianness at configure time - -WORDS_BIGENDIAN, HAVE_BIG_ENDIAN and HAVE_LITTLE_ENDIAN are needed by -Samba. See Samba's byteorder.h header for an example. - -Signed-off-by: David Disseldorp ---- - configure.ac | 3 +++ - 1 file changed, 3 insertions(+) - -Index: sssd-1.13.3/configure.ac -=================================================================== ---- sssd-1.13.3.orig/configure.ac -+++ sssd-1.13.3/configure.ac -@@ -428,6 +428,9 @@ AM_CONDITIONAL([HAVE_DEVSHM], [test -d / - ENABLE_POLKIT_RULES_PATH - AM_CONDITIONAL([HAVE_POLKIT_RULES_D], [test x$HAVE_POLKIT_RULES_D != x]) - -+AC_C_BIGENDIAN([AC_DEFINE(HAVE_BIG_ENDIAN, [1], [whether platform is big endian])], -+ [AC_DEFINE(HAVE_LITTLE_ENDIAN, [1], [whether platform is little endian])]) -+ - abs_build_dir=`pwd` - AC_DEFINE_UNQUOTED([ABS_BUILD_DIR], ["$abs_build_dir"], [Absolute path to the build directory]) - AC_SUBST([abs_builddir], $abs_build_dir) diff --git a/baselibs.conf b/baselibs.conf deleted file mode 100644 index b125802..0000000 --- a/baselibs.conf +++ /dev/null @@ -1,4 +0,0 @@ -sssd - supplements "packageand(sssd:pam-)" - supplements "packageand(sssd:glibc-)" - -/usr/lib(64)?/* diff --git a/ready b/ready new file mode 100644 index 0000000..473a0f4 diff --git a/sssd-1.0.5.tar.gz b/sssd-1.0.5.tar.gz new file mode 100644 index 0000000..e895b79 --- /dev/null +++ b/sssd-1.0.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2f3a8dca78a14b03e1a273fa7cfe5598120b83aa7477ab4c467a7dcd655c9017 +size 2688987 diff --git a/sssd-1.13.3.tar.gz b/sssd-1.13.3.tar.gz deleted file mode 100644 index f7cfd38..0000000 --- a/sssd-1.13.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3fd8fe8e6ee9f50b33eecd1bcccfaa44791f30d4e5f3113ba91457ba5f411f85 -size 4661143 diff --git a/sssd-1.13.3.tar.gz.asc b/sssd-1.13.3.tar.gz.asc deleted file mode 100644 index e88c30a..0000000 --- a/sssd-1.13.3.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlZwc5IACgkQHsardTLnvCXyOgCg20lBb2owmQRYRjPZClBcn9+y -GU4AnR/tg+KqvfA/djm5yoV4/Ys3LA2g -=zefD ------END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index c2a5831..026aa50 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,850 +1,3 @@ -------------------------------------------------------------------- -Wed Dec 16 14:08:01 UTC 2015 - jengelh@inai.de - -- Update to new maintenance release 1.13.3 -* A bug that prevented user lookups and logins after migration from - winsync to IPA-AD trusts was fixed. -* A bug that prevented the ignore_group_members option from working - correctly in AD provider setups that use a dedicated primary - group (as opposed to a user-private group) was fixed. -* Offline detection and offline login timeouts were improved for AD - users logging in from a domain trusted by an IPA server. -* The AD provider supports setting up autofs_provider=ad . - -------------------------------------------------------------------- -Fri Nov 20 10:39:56 UTC 2015 - jengelh@inai.de - -- Update to new upstream release 1.13.2 -* Initial support for Smart Card authentication was added. -* The PAM prompting was enhanced so that when Two-Factor - Authentication is used, both factors (password and token) can be - entered separately on separate prompts. -* This release supports authenticating againt a KDC proxy. - -------------------------------------------------------------------- -Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com - -- Update to new upstream release 1.13.1 -* Initial support for Smart Card authentication was added. The - feature can be activated with the new pam_cert_auth option. -* The PAM prompting was enhanced so that when Two-Factor - Authentication is used, both factors (password and token) can - be entered separately on separate prompts. At the same time, - only the long-term password is cached, so offline access would - still work using the long term password. -* A new command line tool sss_override is present in this - release. The tools allows to override attributes on the SSSD - side. It's helpful in environment where e.g. some hosts need to - have a different view of POSIX attributes than others. Please - note that the overrides are stored in the cache as well, so - removing the cache will also remove the overrides. -* Several enhancements to the dynamic DNS update code. Notably, - clients that update multiple interfaces work better with this - release. -* This release supports authenticating againt a KDC proxy -* The fail over code was enhanced so that if a trusted domain is - not reachable, only that domain will be marked as inactive but - the backed would stay in online mode. - -------------------------------------------------------------------- -Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de - -- Update to new upstream release 1.13 -* Support for separate prompts when using two-factor authentication -* Added support for one-way trusts between an IPA and Active - Directory environment. (Depends on IPA 4.2) -* The fast memory cache now also supports the initgroups operation. -* The PAM responder is now capable of caching authentication for - configurable period, which might reduce server load in cases - where accounts authenticate very frequently. - Refer to the "cached_auth_timeout" option in sssd.conf(5). -* The Active Directory provider has changed the default value of - the "ad_gpo_access_control" option from permissive to enforcing. - As a consequence, the GPO access control now affects all clients - that set access_provider to ad. In order to restore the previous - behaviour, set ad_gpo_access_control to permissive or use a - different access_provider type. -* Group Policy objects defined in a different AD domain that the - computer object is defined in are now supported. -* Credential caching and Offline authentication are also available - when using two-factor authentication -* The Python bindings are now built for both Python2 and Python3. -* The LDAP bind timeout, StartTLS timeout and password change - timeout are now configurable using the ldap_opt_timeout option. - -------------------------------------------------------------------- -Wed Aug 12 18:20:25 UTC 2015 - jengelh@inai.de - -- Kill unused libsss_sudo-devel solvable. - -------------------------------------------------------------------- -Tue Aug 11 07:41:07 UTC 2015 - hguo@suse.com - -- Obsolete/provide libsss_sudo in sssd main package. - Sudo capability is an integral feature in SSSD and the library - is not supposed to be used separately. - -------------------------------------------------------------------- -Thu Jun 25 16:44:49 UTC 2015 - crrodriguez@opensuse.org - -- sssd.service: add Before= and Wants=nss-user-lookup.target - correct fix for bsc#926961 - -------------------------------------------------------------------- -Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com - -- Update to new upstream release 1.12.5 -* The background refresh tasks now supports refreshing users and - groups as well. See the "refresh_expired_interval" parameter in - the sssd.conf manpage. -* A new option subdomain_inherit was added. -* When an expired account attempts to log in, a configurable - error message can be displayed with sufficient pam_verbosity - setting. See the "pam_account_expired_message" option. -* OpenLDAP ppolicy can be honored even when an alternate login - method (such as SSH key) is used. See the "ldap_access_order" - option. -* A new option :krb5_map_user" was added, allowing the admin to - map UNIX usernames to Kerberos principals. -* BUG FIXES: -* Fixed AD-specific bugs that resulted in the incorrect set of - groups being displayed after the initgroups operation. -* Fixes related to the IPA ID views feature. Setups using this - should update sssd on both IPA servers and clients. -* The AD provider now handles binary GUIDs correctly. -* A bug that prevented the `ignore_group_members` parameter to be - used with the AD provider was fixed. -* The failover code now reads and honors TTL value for SRV - queries as well. -* Race condition between setting the timeout in the back ends and - reading it in the front end during initgroup operation was - fixed. This bug affected applications that perform the - initgroups(3) operation in multiple processes simultaneously. -* Setups that only want to use the domain SSSD is connected to, - but not the autodiscovered trusted domains by setting - `subdomains_provider=none` now work correctly as long as the - domain SID is set manually in the config file. -* In case only "allow" rules are used, the simple access provider - is now able to skip unresolvable groups. -* The GPO access control code now handles situations where user - and computer objects were in different domains. - -------------------------------------------------------------------- -Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com - -- Update to new upstream release 1.12.4 (Changelog highlights following) -* This is mostly a bug fixing release with only minor enhancements - visible to the end user. -* Contains many fixes and enhancements related to the ID views - functionality of FreeIPA servers. -* Several fixes related to retrieving AD group membership in an - IPA-AD trust scenario. -* Fixes a bug where the GPO access control previously didn't work - at all if debugging was enabled in smb.conf. -* SSSD can now be pinned to a particular AD site instead of - autodiscovering the site. -* A regression that caused setting the SELinux context for IPA users - to fail, was fixed. -* Fixed a potential crash caused by a double-free error when an SSSD - service was killed by the monitor process. - -------------------------------------------------------------------- -Mon Feb 16 10:09:18 UTC 2015 - howard@localhost - -- A minor rpmspec cleanup to get rid of five rpmlint warnings -* Remove mentioning of system-wide dbus configuration file from comments. -* Remove traditional init script. -* Remove compatibility for producing packages on older OpenSUSE releases. - -------------------------------------------------------------------- -Thu Jan 8 22:23:42 UTC 2015 - jengelh@inai.de - -- Update to new upstream release 1.12.3 -* SSSD now allows the IPA client to move from one ID view to - another after SSSD restart. -* It is possible to apply ID views to IPA domains as well. - Previous SSSD versions only allowed views to be applied to AD - trusted domains. -* Overriding SSH public keys is supported in this release. -* Move semanage related functions to a separate library. - -------------------------------------------------------------------- -Thu Jan 1 22:01:02 UTC 2015 - meissner@suse.com - -- build with PIE - -------------------------------------------------------------------- -Mon Nov 10 00:37:00 UTC 2014 - Led - -- fix bashism in postun script - -------------------------------------------------------------------- -Thu Oct 30 12:22:06 UTC 2014 - jengelh@inai.de - -- Update to new upstream release 1.12.2 (bugfix release, bnc#900159) -* Fixed a regression where the IPA provider did not fetch User - Private Groups correctly -* An important bug in the GPO access control which resulted in a - wrong principal being used, was fixed. -* Several new options are available for deployments that need to - restrict a certain PAM service from connecting to a certain SSSD - domain. For more details, see the description of - pam_trusted_users and pam_public_domains options in the - sssd.conf(5) man page and the domains option in the pam_sss(8) - man page. -* When SSSD is acting as an IPA client in setup with trusted AD - domains, it is able to return group members or full group - memberships for users from trusted AD domains. -* Support for the "views" feature of IPA. -- Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch - (merged upstream) - -------------------------------------------------------------------- -Sat Oct 11 13:36:48 UTC 2014 - jengelh@inai.de - -- Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch - to workaround bad autoconf invocation - -------------------------------------------------------------------- -Sat Oct 11 00:16:15 UTC 2014 - crrodriguez@opensuse.org - -- 0001-build-detect-endianness-at-configure-time.patch - Correct defective endianness test. - -------------------------------------------------------------------- -Mon Oct 6 13:25:23 UTC 2014 - jengelh@inai.de - -- Update to new upstream release 1.12.1 -* The GPO access control was further enhanced to allow the access - control decisions while offline and map the Windows logon - rights onto Linux PAM services. -* The SSSD now ships a plugin for the rpc.idmapd daemon, - sss_rpcidmapd(5). -* A MIT Kerberos localauth plugin was added to SSSD. This plugin - helps translating principals to user names in IPA-AD trust - scenarios, allowing the krb5.conf configuration to be less - complex. -* A libwbclient plugin implementation is now part of the SSSD. - The main purpose is to map Active Directory users and groups - identified by their SID to POSIX users and groups for the - file-server use-case. -* Active Directory users ca nnow use their User Logon Name to log - in. -* The sss_cache tool was enhanced to allow invalidating the SSH - host keys. -* Groups without full POSIX information can now be used to enroll - group membership (CVE-2014-0249). -* Detection of transition from offline to online state was - improved, resulting in fewer timeouts when SSSD is offline. -* The Active Directory provider now correctly detects Windows - Server 2012 R2. Previous versions would fall back to the slower - non-AD path with 2012 R2. -* Several other bugs related to deployments where SSSD is acting - as an AD client were fixed. - -------------------------------------------------------------------- -Fri Aug 22 15:44:14 UTC 2014 - lchiquitto@suse.com - -- The utility sss_obfuscate uses the Python module pysss, so add a - dependency on python-sssd-config to sssd-tools (bnc#890242) - -------------------------------------------------------------------- -Sun Aug 10 12:20:50 UTC 2014 - jengelh@inai.de - -- Update to new upstream release 1.12.0 -* A new responder, called InfoPipe was added. This responder - provides a public D-Bus interface accessible over the system bus. - In this release, methods for retrieving user attributes and list - of groups were added as well as objects representing SSSD domains - and processes. (The next 1.12.x releases will publish objects - representing users and groups, too.) -* SSSD provides an ID-mapping plugin for cifs-utils so that Windows - SIDs can be mapped onto POSIX IDs and/or names without requiring - Winbind and using the same code as the SSSD uses for identity - information. -* First phase of Group Policy-based access control for the AD - provider was added. At the moment, the gpo-ldap component that - downloads the list of GPOs that apply for the specific client has - been implemented as well as the gpo-smb component that retrieves - the group policy files and determines the access control check - results based on those files. Future improvements will focus on - storing the GPO policies as local files and mapping the Windows - logon rights onto Linux PAM services. -* Added a new library called sss_sifp that provides a simple - synchronous API for communication with our new InfoPipe responder - over the system bus. -- Remove 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch - (merged upstream) -- Provide "rcsssd" in systemd environments -- Ensure sssd is always startable by removing /var/lib/sss/db/*.ldb - on package installation so as to avoid potentially cache - format incompatibility which would cause sssd to exit - -------------------------------------------------------------------- -Thu Jun 12 14:18:30 UTC 2014 - ckornacker@suse.com - -- fix %postun to not erroneously remove sss pam module - -------------------------------------------------------------------- -Tue May 27 16:56:42 UTC 2014 - crrodriguez@opensuse.org - -- Switch to libnl-3 so we can get rid of libnl-1. - -------------------------------------------------------------------- -Sat May 24 14:36:43 UTC 2014 - jengelh@inai.de - -- Redo 0001-build-detect-endianness-at-configure-time.patch to be -p1 -- Add 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch - to resolve runtime loading problems - (http://lists.opensuse.org/opensuse-factory/2014-05/msg00181.html ) - -------------------------------------------------------------------- -Tue May 13 11:11:59 UTC 2014 - varkoly@suse.com - -- bnc#877457 - 78 Configuration file /usr/lib/systemd/system/sssd.service is marked executable. - Please remove executable permission bits. - -------------------------------------------------------------------- -Tue May 6 14:01:29 UTC 2014 - ddiss@suse.com - -- Detect endianness at configure time, for use by Samba's byteorder.h header; - (bnc#876544). - + 0001-build-detect-endianness-at-configure-time.patch - -------------------------------------------------------------------- -Tue Apr 29 10:00:57 UTC 2014 - varkoly@suse.com - -- Update to new upstream release 1.11.5.1 - * sssd crashes after upgrade from 1.11.4 to 1.11.5 when using a samba4 domain - * SSSD pam module accepts usernames with leading spaces - * [RFE] Expose the list of trusted domains to IPA - * If both IPA and LDAP are set up with enumeration on, two enum tasks are running - * sssd.conf man pages don't list a configuration option. - * Make SSSD compilable on systems with non-standard paths to krb5 includes - * [freebsd] pam_sss: add ignore_unknown_user option - * MAN: Remove misleading memberof example from ldap_access_filter example - * not retrieving homedirs of AD users with posix attributes - * Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - * Check IPA idranges before saving them to the cache - * Evaluate usage of sudo LDAP provider together with the AD provider - * Setting int option to 0 yields the default value - * ipa-server-mode: Use lower-case user name component in home dir path - * SSSD Does not cache SELinux map from FreeIPA correctly - * IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in - * sssd fails to handle expired passwords when OTP is used - * Add another Kerberos error code to trigger IPA password migration - * Double OK when starting the service - * SSSD should create the SELinux mapping file with format expected by pam_selinux - * Valgrind: Invalid read of int while processing netgroup - * other subdomains are unavailable when joined to a subdomain in the ad forest - * Error during password change - * configure time variables not expanded when running ./configure - * RHEL7 IPA selinuxusermap hbac rule not always matching - -------------------------------------------------------------------- -Fri Mar 7 15:18:34 UTC 2014 - jengelh@inai.de - -- Update to new upstream release 1.11.4 -* The simple access provider supports specifying users and groups - using their NetBIOS domain name (such as DOMAIN\username) -* Support for enumerating users and groups from trusted AD domains - was added to the AD provider -* The Active Directory site discovery was made more robust for - configurations which use multiple trusted domains -* Several bugs in the LDAP provider that affected setups which - mapped Windows SIDs to POSIX IDs were fixed -* The SSSD is now able to use One Time Password (OTP) - authentication configured on an IPA server. - -------------------------------------------------------------------- -Fri Dec 20 21:54:58 UTC 2013 - jengelh@inai.de - -- Update to new upstream release 1.11.3 -* The AD provider is able to resolve group memberships for groups - with Global and Universal scope -* The initgroups (get groups for user) operation for users from - trusted AD domains was made more reliable by reading the required - tokenGroups attribute from LDAP instead of Global Catalog -* A new option ad_enable_gc was added to the AD provider. This - option allows the administrator to force SSSD to talk to LDAP - port only and never try the Global Catalog -* The AD provider is now able to leverage the tokenGroups attribute - even when POSIX attributes are used, providing better performance - during logins. -* A memory leak in the NSS responder that affected long-lived - clients that requested netgroup data was fixed -- Remove sssd-ldflags.diff (merged upstream) - -------------------------------------------------------------------- -Thu Nov 28 16:51:39 UTC 2013 - ckornacker@suse.com - -- Migrate deprecated krb5_kdcip variable to krb5_server (bnc#851048) - -------------------------------------------------------------------- -Fri Nov 1 22:12:03 UTC 2013 - jengelh@inai.de - -- Update to new upstream release 1.11.2 -* A new option ad_access_filter was added. This option allows the - administrator to easily configure LDAP search filter that the users - logging in must match in order to be granted access. -* The Kerberos provider will no longer try to create public - directories when evaluating the krb5_ccachedir option. -- Remove 0005-implicit-decl.diff (merged upstream) - -------------------------------------------------------------------- -Tue Sep 3 21:12:37 UTC 2013 - jengelh@inai.de - -- Update to new upstream release 1.11.0 -* The sudo integration was made more robust. SSSD is now able to - gracefully handle situations where it is not able to resolve the - client host name or sudo rules have multiple name attributes. -* Several nested group membership bugs were fixed -* The PAC responder was made more robust and efficient, modifying - existing cache entries instead of always recreating them. -* The Kerberos provider now supports the new KEYRING ccache type. -- Remove sssd-no-ldb-check.diff, now implemented through a - configure argument --disable-ldb-version-check - -------------------------------------------------------------------- -Sun Jun 16 16:11:42 UTC 2013 - jengelh@inai.de - -- Explicitly formulate SASL BuildRequires - -------------------------------------------------------------------- -Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de - -- Update to new upstream release 1.9.5 -* Includes a fix for CVE-2013-0287: A simple access provider flaw - prevents intended ACL use when SSSD is configured as an Active - Directory client. -* Fixed spurious password expiration warning that was printed on - login with the Kerberos back end. -* A new option ldap_rfc2307_fallback_to_local_users was added. If - this option is set to true, SSSD is be able to resolve local - group members of LDAP groups. -* Fixed an indexing bug that prevented the contents of autofs maps - from being returned to the automounter deamon in case the map - contained a large number of entries. -* Several fixes for safer handling of Kerberos credential caches - for cases where the ccache is set to be stored in a DIR: type. -- Remove Provide-a-be_get_account_info_send-function.patch, - Add-unit-tests-for-simple-access-test-by-groups.patch, - Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch, - Resolve-GIDs-in-the-simple-access-provider.patch - (CVE-2013-0287 material is in upstream), - sssd-sysdb-binary-attrs.diff (merged upstream) - -------------------------------------------------------------------- -Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de - -- Implement signature verification - -------------------------------------------------------------------- -Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com - -- Fixed security issue: CVE-2013-0287 (bnc#809153): - When SSSD is configured as an Active Directory client by using - the new Active Directory provider or equivalent configuration - of the LDAP provider, the Simple Access Provider does not - handle access control correctly. If any groups are specified - with the simple_deny_groups option, the group members are - permitted access. New patches: - * Provide-a-be_get_account_info_send-function.patch - * Add-unit-tests-for-simple-access-test-by-groups.patch - * Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch - * Resolve-GIDs-in-the-simple-access-provider.patch - -------------------------------------------------------------------- -Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de - -- Resolve user retrieval problems when encountering binary data - in LDAP attributes (bnc#806078), - added sssd-sysdb-binary-attrs.diff -- Added sssd-no-ldb-check.diff so that SSSD continues to start - even after an LDB update. - -------------------------------------------------------------------- -Fri Feb 8 10:31:52 UTC 2013 - rhafer@suse.com - -- fix package name in baselibs.conf (bnc#796423) - -------------------------------------------------------------------- -Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com - -- update to 1.9.4 (bnc#801036): - * A security bug assigned CVE-2013-0219 was fixed - TOCTOU race - conditions when creating or removing home directories for users - in local domain - * A security bug assigned CVE-2013-0220 was fixed - out-of-bounds - reads in autofs and ssh responder - * The sssd_pam responder processes pending requests after - reconnect - * A serious memory leak in the NSS responder was fixed - * Requests that were processing group entries with DNs pointing - out of any configured search bases were not terminated - correctly, causing long timeouts - * Kerberos tickets are correctly renewed even after SSSD daemon - restart - * Multiple fixes related to SUDO integration, in particular - fixing functionality when the sssd back end process was - changing its online/offline status - * The pwd_exp_warning option was fixed to function as documented - in the manual page -- refreshed sssd-ldflags.diff to apply cleanly - -------------------------------------------------------------------- -Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com - -- Removed left-over "Requires" for no longer existing sssd-client - subpackage. -- New patch: sssd-ldflags.diff to fix link failures due to erroneous - LDFLAGS usage - -------------------------------------------------------------------- -Thu Dec 6 10:38:59 UTC 2012 - rhafer@suse.com - -- Switch back to using libcrypto instead of mozilla-nss as it seems - to be supported upstream again, cf. - https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010202.html -- Cleanup PAM configuration after uninstalling sssd (bnc#788328) - -------------------------------------------------------------------- -Thu Dec 6 09:05:29 UTC 2012 - jengelh@inai.de - -- Update to new upstream release 1.9.3 -* Many fixes related to deployments where the SSSD is running as - a client of IPA server with trust relation established with an - Active Directory server -* Multiple fixes related to correct reporting of group - memberships, especially in setups that use nested groups -* Fixed a bug that prevented upgrade from the 1.8 series if the - cache contained nested groups before the upgrade -* Restarting the responders is more robust for cases where the - machine is under heavy load during back end restart -* The default_shell option can now be also set per-domain in - addition to global setting. - -------------------------------------------------------------------- -Sat Nov 10 00:27:06 UTC 2012 - jengelh@inai.de - -- Update to new upstream release 1.9.2 -* Users or groups from trusted domains can be retrieved by UID or - GID as well -* Several fixes that mitigate file descriptor leak during logins -* SSH host keys are also removed from the cache after being - removed from the server -* Fix intermittent crash in responders if the responder was - shutting down while requests were still pending -* Catch an error condition that might have caused a tight loop in - the sssd_nss process while refreshing expired enumeration request -* Fixed memory hierarchy of subdomains discovery requests that - caused use-after-free access bugs -* The krb5_child and ldap_child processes can print libkrb5 tracing - information in the debug logs - -------------------------------------------------------------------- -Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de - -- Update to new upstream release 1.8.93 (1.9.0~beta3) -* Add native support for autofs to the IPA provider -* Support for id mapping when connecting to Active Directory -* Support for handling very large (> 1500 users) groups in - Active Directory -* Add a new fast in-memory cache to speed up lookups of cached data - on repeated requests -* Add support for the Kerberos DIR cache for storing multiple TGTs - automatically -* Add a new PAC responder for dealing with cross-realm Kerberos - trusts -* Terminate idle connections to the NSS and PAM responders - -------------------------------------------------------------------- -Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de - -- Update to new upstream release 1.8.3 -* LDAP: Handle situations where the RootDSE is not available - anonymously -* LDAP: Fix regression for users using non-standard LDAP attributes - for user information -- Switch from openssl to mozilla-nss, as this is the officially - supported crypto integration - -------------------------------------------------------------------- -Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com - -- Fix build error on SLES 11 builds - -------------------------------------------------------------------- -Mon Apr 9 21:45:45 PDT 2012 - ben.kevan@gmail.com - -- Add suse_version condition for glib over libunistring for - SLES 11 SP2. -- Update to new upstream release 1.8.2 -* Fix for GSSAPI binds when the keytab contains unrelated - principals -* Workarounds added for LDAP servers with unreadable RootDSE - -------------------------------------------------------------------- -Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com - -- Update to new upstream release 1.8.1 -* Resolve issue where we could enter an infinite loop trying to - connect to an auth server - -------------------------------------------------------------------- - -Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de - -- Update to new upstream release 1.8.0 -* Support for the service map in NSS -* Support for setting default SELinux user context from FreeIPA -* Support for retrieving SSH user and host keys from LDAP -* Support for caching autofs LDAP requests -* Support for caching SUDO rules -* Include the IPA AutoFS provider -* Fixed several memory-corruption bugs -* Fixed a regression in the proxy provider - -------------------------------------------------------------------- -Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de - -- Fixed systemd related packaging issues (bnc#724157) -- fixed build on older openSUSE releases - -------------------------------------------------------------------- -Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de - -- Resolve "have choice for libnl-devel: - libnl-1_1-devel libnl3-devel" - -------------------------------------------------------------------- -Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de - -- Fixed typos in configure args -- Cherry-picked password policy fixes from 1.5 branch (bnc#705768) -- switched to fd-leak fix cherry-picked from 1.5 branch -- Add /usr/sbin to the search path to make configure find nscd - (bnc#709747) - -------------------------------------------------------------------- -Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de - -- Add patches to fix an fd leak in sssd_pam - -------------------------------------------------------------------- -Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de - -- Update to new upstream release 1.5.11 -* Support for overriding home directory, shell and primary GID - locally -* Properly honor TTL values from SRV record lookups -* Support non-POSIX groups in nested group chains (for RFC2307bis - LDAP servers) -* Properly escape IPv6 addresses in the failover code -* Do not crash if inotify fails (e.g. resource exhaustion) -- Remove redundant %clean section; delete .la files more - efficiently - -------------------------------------------------------------------- -Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de - -- Update to 1.5.8: - * Support for the LDAP paging control - * Support for multiple DNS servers for name resolution - * Fixes for several group membership bugs - * Fixes for rare crash bugs - -------------------------------------------------------------------- -Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de - -- Update to 1.5.7 - * A flaw was found in the handling of cached passwords when - kerberos renewal tickets is enabled. Due to a bug, the cached - password was overwritten with a (moderately) predictable - filename, which could allow a user to authenticate as someone - else if they knew the name of the cache file (bnc#691135, - CVE-2011-1758) -- Changes in 1.5.6: - * Fixed a serious memory leak in the memberOf plugin - * Fixed a regression with the negative cache that caused it to be - essentially nonfunctional - * Fixed an issue where the user's full name would sometimes be - removed from the cache - * Fixed an issue with password changes in the kerberos provider - not working with kpasswd - -------------------------------------------------------------------- -Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de - -- Update to 1.5.5 - * Fixes for several crash bugs - * LDAP group lookups will no longer abort if there is a - zero-length member attribute - * Add automatic fallback to 'cn' if the 'gecos' attribute does not - exist - -------------------------------------------------------------------- -Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de - -- Should build in SLE-11-SP1 now - -------------------------------------------------------------------- -Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de - -- Updated to 1.5.4 - * Fixes for Active Directory when not all users and groups have - POSIX attributes - * Fixes for handling users and groups that have name aliases - (aliases are ignored) - * Fix group memberships after initgroups in the IPA provider - -------------------------------------------------------------------- -Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de - -- Updated to 1.5.3 - * Support for libldb >= 1.0.0 - * Proper detection of manpage translations - * Changes between 1.5.1 and 1.5.2 - * Fixes for support of FreeIPA v2 - * Fixes for failover if DNS entries change - * Improved sss_obfuscate tool with better interactive mode - * Fix several crash bugs - * Don't attempt to use START_TLS over SSL. Some LDAP servers - can't handle this - * Delete users from the local cache if initgroups calls return - 'no such user' (previously only worked for getpwnam/getpwuid) - * Use new Transifex.net translations - * Better support for automatic TGT renewal (now survives - restart) - * Netgroup fixes - -------------------------------------------------------------------- -Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de - -- Updated to 1.5.1 - * Vast performance improvements when enumerate = true - * All PAM actions will now perform a forced initgroups lookup - instead of just a user information lookup This guarantees that - all group information is available to other providers, such as - the simple provider. - * For backwards-compatibility, DNS lookups will also fall back to - trying the SSSD domain name as a DNS discovery domain. - * Support for more password expiration policies in LDAP - - 389 Directory Server - - FreeIPA - - ActiveDirectory - * Support for ldap_tls_{cert,key,cipher_suite} config options - * Assorted bugfixes - -------------------------------------------------------------------- -Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de - -- /var/lib/sss/pubconf was missing (bnc#665442) - -------------------------------------------------------------------- -Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de - -- It was possible to make sssd hang forever inside a loop in the - PAM responder by sending a carefully crafted packet to sssd. - This could be exploited by a local attacker to crash sssd and - prevent other legitimate users from logging into the system. - (bnc#660481, CVE-2010-4341) - -------------------------------------------------------------------- -Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de - -- Own /etc/systemd directories to fix build. - -------------------------------------------------------------------- -Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com - -- install systemd service file - -------------------------------------------------------------------- -Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com - -- Updated to 1.4.1 - * Add support for netgroups to the LDAP and proxy providers - * Fixes a minor bug with UIDs/GIDs >= 2^31 - * Fixes a segfault in the kerberos provider - * Fixes a segfault in the NSS responder if a data provider crashes - * Correctly use sdap_netgroup_search_base - * the utility libraries libpath_utils1, libpath_utils-devel, - libref_array1 and libref_array-devel moved to their own - separate upstream project (ding-libs) - * Performance improvements made to group processing of RFC2307 - LDAP servers - * Fixed nested group issues with RFC2307bis LDAP servers without - a memberOf plugin - * Manpage reviewed and updated - -------------------------------------------------------------------- -Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com - -- remove hard coded python version - -------------------------------------------------------------------- -Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com - -- No dependencies on %{release} - -------------------------------------------------------------------- -Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com - -- Updated to 1.3.1 - * Fixes to the HBAC backend for obsolete or removed HBAC entries - * Improvements to log messages around TLS and GSSAPI for LDAP - * Support for building in environments using --as-needed LDFLAGS - * Vast performance improvement for initgroups on RFC2307 LDAP servers - * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the - daemon if SSSD is restarted - * Rewrote the internal LDB cache API. As a synchronous API it is now faster - to access and easier to work with - * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider - - We now handle failover situations much more reliably than we did - previously - - We also will now monitor the GSSAPI kerberos ticket and automatically - renew it when appropriate, instead of waiting for a connection to fail - * Support for netlink now allows us to more quickly detect situations - where we may have come online - * New option "dns_discovery_domain" allows better configuration for - using SRV records for failover -- New subpackages: libpath_utils1, libpath_utils-devel, libref_array1 - and libref_array-devel - -------------------------------------------------------------------- -Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com - -- Package pam- and nss-Modules as baselibs -- cleaned up file list and dependencies -- fixed init script dependencies - -------------------------------------------------------------------- -Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com - -- Updated to 1.1.0 - * Support for IPv6 - * Support for LDAP referrals - * Offline failed login counter - * Fix for the long-standing cache cleanup performance issues - * libini_config, libcollection, libdhash, libref_array and - libpath_utils are now built as shared libraries for general - consumption (libref_array and libpath_utils are currently not - packaged, as no component in sssd links against them) - * Users get feedback from PAM if they authenticated offline - * Native local backend now has a utility to show nested memberships - (sss_groupshow) - * New "simple" access provider for easy restriction of users -- Backported libcrypto support from master to avoid Mozilla NSS - dependency -- Backported password policy improvments for LDAP provider from - master - -------------------------------------------------------------------- -Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com - -- use logfiles for debug messages by default - ------------------------------------------------------------------- Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com diff --git a/sssd.keyring b/sssd.keyring deleted file mode 100644 index cbd1779..0000000 --- a/sssd.keyring +++ /dev/null @@ -1,34 +0,0 @@ -pub 1024D/32E7BC25 2007-02-02 -uid Jakub Hrozek -sub 2048g/132DCA21 2007-02-02 - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.19 (GNU/Linux) - -mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MU -XQDAKJM7MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0 -R+OiWh8d7ChCG6riv/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWX -qZoZrm4lPlBZQltfhzdmvn8D/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjg -q9Knn4sE9lnGjtG4RCYMT2Sideognk9Ah5nWOGynwta6cluCEqlF6ORJPKpAeqG1 -a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/XtMoHSSyPi/Xum6R+jwISv7n -TMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlSB6tAqN0G7VL6AFcs -iOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KNtbnCrhS+ -Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv -emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iF8EExECACAFAkXDdfUCGwMGCwkIBwMC -BBUCCAMEFgIDAQIeAQIXgAAKCRAexqt1Mue8JSHBAKCjYF/HshYkJ8pSZTilLO0y -bMWOFwCYlOqF7icGVDFT42W3CoqLfgajCrkCDQRFw3YAEAgAuqo0FxH1XtdOi/qW -6v+tWdqYHLj/f0Voqj1cbpS+cODNTaX1/Xf4Jnv6vm4lOG5gIkqD1e5UCpG5pDJv -MkrpY0lYRr5RGoC29tHZYXfEBVEkdhuU7ZTSQRaoitK5TSwjOj5aKvFSHEjMrCWc -GSUajECQkRHwZb3HK2wqqBWrJjjjPtj+5cQg+sKp7Zp6xU3iZlMoVfdYi/zGenum -Cp5SMm8CZZ5gcsNZhjItkTww5K//N6Kz41oMYyHlgh029JD0LHPgKacP3KeEEDzS -DEx/SSEF4zD/EfLDHehga/n0ZisNmxdxue/BI2Lm7qqGNDtV+qa17pIJ6fPfafbS -AKYatwAECwf/SuMkZN36UDsoOn06qIrYi5JBss3sOfheJEnqUIEO0JCpyb+fqisd -qoTJM0G5gFpCvuZOACpzzVv0WjhlMIyPl/7UuP4KYI6LGqAARqNxsHT7FNxT0Uv6 -QR8fGPQqVdFLFBd66EBL9PnOt3RDYwtJlD9cMNUNpzWEXjJ3RCk0lZF2eljpPlu0 -Or53OuiommnhmcmjxR5gvMf4pLqURhEZ2U0ylRiTiTIk0YyIASsDnAf0BClFXz4i -4qSD6jJloKorRC7Mu87xi1DG4ML+FYC/2d53I8OqHBRhtNUt/GbcthsHDxFq5iVp -NxwDAX1vr65PWv98pvTMnJmjIDhfgwJMdIhJBBgRAgAJBQJFw3YAAhsMAAoJEB7G -q3Uy57wllOcAoKkHB3lDFWlUNcSLdRCQxfsCCy7zAJ9GLSU2G0HR+hQVMi2ONorE -i/EyTA== -=nO6v ------END PGP PUBLIC KEY BLOCK----- diff --git a/sssd.service b/sssd.service deleted file mode 100644 index 0aa0e74..0000000 --- a/sssd.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=System Security Services Daemon -Before=nss-user-lookup.target -Wants=nss-user-lookup.target - -[Service] -EnvironmentFile=-/etc/sysconfig/sssd -ExecStart=/usr/sbin/sssd -D -f -# These two should be used with traditional UNIX forking daemons -# consult systemd.service(5) for more details -Type=forking -PIDFile=/var/run/sssd.pid - -[Install] -WantedBy=multi-user.target diff --git a/sssd.spec b/sssd.spec index fe3c7e0..b0ccbde 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # -# spec file for package sssd +# spec file for package sssd (Version 1.0.5) # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,73 +16,50 @@ # + Name: sssd -Version: 1.13.3 -Release: 0 -Summary: System Security Services Daemon -License: GPL-3.0+ and LGPL-3.0+ +Version: 1.0.5 +Release: 1 Group: System/Daemons +Summary: System Security Services Daemon +# The entire source code is GPLv3+ except replace/ which is LGPLv3+ +License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ - -#Git-Clone: git://git.fedorahosted.org/sssd -Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz -Source2: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz.asc -Source3: baselibs.conf -Source4: sssd.service -Source5: %name.keyring +Source0: %{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build -Patch1: 0001-build-detect-endianness-at-configure-time.patch -%define servicename sssd -%define sssdstatedir %_localstatedir/lib/sss -%define dbpath %sssdstatedir/db -%define pipepath %sssdstatedir/pipes -%define pubconfpath %sssdstatedir/pubconf +### Patches ### -BuildRequires: autoconf >= 2.59 +### Dependencies ### +%define servicename sssd +%define sssdstatedir %{_localstatedir}/lib/sss +%define dbpath %{sssdstatedir}/db +%define pipepath %{sssdstatedir}/pipes + +### Build Dependencies ### + +BuildRequires: autoconf BuildRequires: automake -BuildRequires: bind-utils -BuildRequires: cifs-utils-devel -BuildRequires: cyrus-sasl-devel -BuildRequires: docbook-xsl-stylesheets -BuildRequires: krb5-devel >= 1.12 -BuildRequires: libsmbclient-devel BuildRequires: libtool -BuildRequires: libxml2-tools -BuildRequires: libxslt-tools -BuildRequires: nscd +BuildRequires: m4 +BuildRequires: popt-devel +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: libtdb-devel +BuildRequires: libldb-devel +BuildRequires: dbus-1-devel BuildRequires: openldap2-devel BuildRequires: pam-devel -BuildRequires: pkg-config >= 0.21 +BuildRequires: pkg-config +BuildRequires: mozilla-nss-devel +BuildRequires: mozilla-nspr-devel +BuildRequires: pcre-devel +BuildRequires: libxslt +BuildRequires: libxml2 +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel +BuildRequires: libcares-devel BuildRequires: python-devel -BuildRequires: python3-devel -BuildRequires: systemd-rpm-macros -BuildRequires: pkgconfig(augeas) >= 1.0.0 -BuildRequires: pkgconfig(collection) >= 0.5.1 -BuildRequires: pkgconfig(dbus-1) >= 1.0.0 -BuildRequires: pkgconfig(dhash) >= 0.4.2 -BuildRequires: pkgconfig(glib-2.0) -BuildRequires: pkgconfig(ini_config) >= 1.1.0 -BuildRequires: pkgconfig(ldb) >= 0.9.2 -BuildRequires: pkgconfig(libcares) -BuildRequires: pkgconfig(libcrypto) -BuildRequires: pkgconfig(libnfsidmap) -BuildRequires: pkgconfig(libnl-3.0) >= 3.0 -BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 -BuildRequires: pkgconfig(libpcre) >= 7 -BuildRequires: pkgconfig(libsystemd-login) -BuildRequires: pkgconfig(ndr_nbt) -BuildRequires: pkgconfig(popt) -BuildRequires: pkgconfig(python) -BuildRequires: pkgconfig(talloc) -BuildRequires: pkgconfig(tdb) >= 1.1.3 -BuildRequires: pkgconfig(tevent) -%{?systemd_requires} -Requires: sssd-ldap = %version-%release -Requires(postun): pam-config -Provides: libsss_sudo = %version-%release -Provides: sssd-client = %version-%release -Obsoletes: libsss_sudo < %version-%release %description Provides a set of daemons to manage access to remote directories and @@ -91,638 +68,147 @@ the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. -%package ad -Summary: The ActiveDirectory backend plugin for sssd -License: GPL-3.0+ +%package ipa-provider +License: GPLv3+ and LGPLv3+ +Summary: FreeIPA provider plugin for sssd Group: System/Daemons -Requires: %name-krb5-common = %version +Requires: sssd = %{version} -%description ad -Provides the Active Directory back end that the SSSD can utilize to -fetch identity data from and authenticate against an Active Directory -server. - -%package dbus -Summary: The D-Bus responder of sssd -License: GPL-3.0+ -Group: System/Base -Requires: %name = %version - -%description dbus -Provides the D-Bus responder of sssd, called InfoPipe, which allows -information from sssd to be transmitted over the system bus. - -%package ipa -Summary: FreeIPA backend plugin for sssd -License: GPL-3.0+ -Group: System/Daemons -Requires: %name = %version -Requires: %name-krb5-common = %version-%release -Obsoletes: %name-ipa-provider < %version-%release -Provides: %name-ipa-provider = %version-%release - -%description ipa -Provides the IPA back end that the SSSD can utilize to fetch identity -data from and authenticate against an IPA server. - -%package krb5 -Summary: The Kerberos authentication backend plugin for sssd -License: GPL-3.0+ -Group: System/Daemons -Requires: %name-krb5-common = %version-%release - -%description krb5 -Provides the Kerberos back end that the SSSD can utilize authenticate -against a Kerberos server. - -%package krb5-common -Summary: SSSD helpers needed for Kerberos and GSSAPI authentication -License: GPL-3.0+ -Group: System/Daemons - -%description krb5-common -Provides helper processes that the LDAP and Kerberos back ends can -use for Kerberos user or host authentication. - -%package ldap -Summary: The LDAP backend plugin for sssd -License: GPL-3.0+ -Group: System/Daemons -Requires: %name-krb5-common = %version-%release - -%description ldap -Provides the LDAP back end that the SSSD can utilize to fetch -identity data from and authenticate against an LDAP server. - -%package proxy -Summary: The proxy backend plugin for sssd -License: GPL-3.0+ -Group: System/Daemons - -%description proxy -Provides the proxy back end which can be used to wrap an existing NSS -and/or PAM modules to leverage SSSD caching. +%description ipa-provider +This package provide the FreeIPA provider plugin for the System Security +Services Daemon (sssd). %package tools +License: GPLv3+ and LGPLv3+ Summary: Commandline tools for sssd -License: GPL-3.0+ and LGPL-3.0+ Group: System/Management -Requires: python-sssd-config = %version -Requires: sssd = %version -%py_requires +Requires: sssd = %{version} %description tools The packages contains commandline tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). -%package wbclient -Summary: SSSD's implementation of the Winbind pipe protocol -License: LGPL-3.0+ -Group: System/Libraries - -%description wbclient -libwbclient is a plugin for the Samba client, though it has been -implemented as a regular shared library requested via DT_NEEDED. - -sssd-wbclient implements the libwbclient API for Samba daemons and -utilities. The main purpose is to map Active Directory users and -groups identified by their SID to POSIX users and groups identified -by their POSIX UIDs and GIDs respectively. - -%package wbclient-devel -Summary: Development files for SSSD winbind -License: LGPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: %name-wbclient = %version - -%description wbclient-devel -sssd-wbclient implements the libwbclient API for Samba daemons and -utilities. The main purpose is to map Active Directory users and -groups identified by their SID to POSIX users and groups identified -by their POSIX UIDs and GIDs respectively. - -%package -n libipa_hbac0 -Summary: FreeIPA HBAC Evaluator library -License: LGPL-3.0+ -Group: System/Libraries - -%description -n libipa_hbac0 -Utility library to validate FreeIPA HBAC rules for authorization -requests. - -%package -n libipa_hbac-devel -Summary: Development files for the FreeIPA HBAC Evaluator library -License: LGPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: libipa_hbac0 = %version - -%description -n libipa_hbac-devel -Utility library to validate FreeIPA HBAC rules for authorization -requests. - -%package -n libnfsidmap-sss -Summary: Library to allow communication between libnfsidmap and SSSD -License: GPL-3.0+ -Group: System/Libraries -Supplements: packageand(nfsidmap:sssd-client) - -%description -n libnfsidmap-sss -A utility library to allow communication between libnfsidmap and SSSD. - -%package -n libsss_idmap0 -Summary: FreeIPA ID mapping library -License: LGPL-3.0+ -Group: System/Libraries - -%description -n libsss_idmap0 -A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. - -%package -n libsss_idmap-devel -Summary: Development files for the FreeIPA idmap library -License: LGPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: libsss_idmap0 = %version - -%description -n libsss_idmap-devel -A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. - -%package -n libsss_nss_idmap0 -Summary: FreeIPA ID mapping library -License: LGPL-3.0+ -Group: System/Libraries - -%description -n libsss_nss_idmap0 -A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. - -%package -n libsss_nss_idmap-devel -Summary: Development files for the FreeIPA idmap library -License: LGPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: libsss_nss_idmap0 = %version - -%description -n libsss_nss_idmap-devel -A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. - -%package -n libsss_simpleifp0 -Summary: The SSSD D-Bus responder helper library -License: GPL-3.0+ -Group: System/Libraries - -%description -n libsss_simpleifp0 -This subpackage provides a library that simplifies the D-Bus API for -the SSSD InfoPipe responder. - -%package -n libsss_simpleifp-devel -Summary: Development files for the SSSD D-Bus responder helper library -License: GPL-3.0+ -Group: Development/Libraries/C and C++ -Requires: libsss_simpleifp0 = %version - -%description -n libsss_simpleifp-devel -This subpackage provides the development files for sssd's simpleifp, -a library that simplifies the D-Bus API for the SSSD InfoPipe -responder. - -%package -n libsss_sudo -Summary: A library to allow communication between sudo and SSSD -License: LGPL-3.0+ -Group: System/Libraries -Supplements: packageand(sudo:sssd-client) - -%description -n libsss_sudo -A utility library to allow communication between sudo and SSSD. - -%package -n python-ipa_hbac -Summary: Python bindings for the FreeIPA HBAC Evaluator library -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python-ipa_hbac -The python-ipa_hbac package contains the bindings so that libipa_hbac -can be used by Python applications. - -%package -n python3-ipa_hbac -Summary: Python bindings for the FreeIPA HBAC Evaluator library -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python3-ipa_hbac -The python-ipa_hbac package contains the bindings so that libipa_hbac -can be used by Python applications. - -%package -n python-sss-murmur -Summary: Python2 bindings for SSSD Murmur hash function -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python-sss-murmur -This subpackage provides the python2 module for calculating the -Murmur hash version 3. - -%package -n python3-sss-murmur -Summary: Python3 bindings for SSSD Murmur hash function -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python3-sss-murmur -This subpackage provides the python3 module for calculating the -Murmur hash version 3. - -%package -n python-sss_nss_idmap -Summary: Python bindings for libsss_nss_idmap -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python-sss_nss_idmap -The libsss_nss_idmap-python contains the bindings so that -libsss_nss_idmap can be used by Python applications. - -%package -n python3-sss_nss_idmap -Summary: Python bindings for libsss_nss_idmap -License: LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python3-sss_nss_idmap -The libsss_nss_idmap-python contains the bindings so that -libsss_nss_idmap can be used by Python applications. - %package -n python-sssd-config +License: GPLv3+ and LGPLv3+ Summary: Python API for configuring sssd -License: GPL-3.0+ and LGPL-3.0+ Group: Development/Libraries/Python +%{py_requires} %description -n python-sssd-config Provide python module to access and manage configuration of the System Security Services Daemon (sssd). -%package -n python3-sssd-config -Summary: Python API for configuring sssd -License: GPL-3.0+ and LGPL-3.0+ -Group: Development/Libraries/Python - -%description -n python3-sssd-config -Provide python module to access and manage configuration of the System -Security Services Daemon (sssd). - %prep %setup -q -%patch -P 1 -p1 %build -%if 0%{?suse_version} < 1210 -# pkgconfig file not present -export LDB_LIBS="-lldb" -export LDB_CFLAGS=" " -export LDB_DIR="%_libdir/ldb" -%else -export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" -%endif - -# help configure find nscd -export PATH="$PATH:/usr/sbin" - -autoreconf -fiv; -export CFLAGS="%optflags -fPIE" -export LDFLAGS="-pie" +export LDB_LIBS="-lldb" +export LDB_CFLAGS="-I/usr/include" %configure \ - --with-crypto=libcrypto \ - --with-db-path="%dbpath" \ - --with-pipe-path="%pipepath" \ - --with-pubconf-path="%pubconfpath" \ - --with-init-dir="%_initrddir" \ - --enable-nsslibdir="/%_lib" \ - --enable-pammoddir="/%_lib/security" \ - --with-ldb-lib-dir="$LDB_DIR" \ - --with-selinux=no \ - --with-os=suse \ - --with-semanage=no \ - --disable-ldb-version-check \ - --disable-pac-responder + --without-tests \ + --with-db-path=%{dbpath} \ + --with-pipe-path=%{pipepath} \ + --with-init-dir=%{_initrddir} \ + --enable-nsslibdir=/%{_lib} \ + --with-ldb-lib-dir=%{_libdir}/ldb \ + --with-selinux=no -make %{?_smp_mflags} all +#make %{?_smp_mflags} +make %install -b="%buildroot"; -make install DESTDIR="$b" +rm -rf $RPM_BUILD_ROOT + +make install DESTDIR=$RPM_BUILD_ROOT # Copy default sssd.conf file -install -d "$b/%_mandir"/{cs,cs/man8,nl,nl/man8,pt,pt/man8,uk,uk/man1} \ - "$b/%_mandir"/{uk/man5,uk/man8}; -install -d "$b/%_sysconfdir/sssd"; -install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"; -install -d "$b/%_unitdir"; -install -m644 %{S:4} "$b/%_unitdir/sssd.service"; -rm -Rf "$b/%_initddir" -ln -s service "$b/%_sbindir/rcsssd" +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd +install -m600 server/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +install server/sysv/SUSE/sssd $RPM_BUILD_ROOT%{_sysconfdir}/init.d/sssd +ln -sf ../../etc/init.d/sssd $RPM_BUILD_ROOT/usr/sbin/rcsssd -mkdir -p "$b/%sssdstatedir/mc" -mkdir -p "$b/%_sysconfdir/ld.so.conf.d" -cat >"$b/%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf" <<-EOF - %_libdir/%name/modules -EOF -find "$b" -type f -name "*.la" -delete; +# Remove .la files created by libtool +rm -f \ + $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \ + $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ + $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ + $RPM_BUILD_ROOT/%{_libdir}/python2.6/site-packages/pysss.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ + $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la -rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1" +%find_lang sss_daemon +%find_lang sss_client +cat sss_client.lang >> sss_daemon.lang -%find_lang %name --all-name +%clean +rm -rf $RPM_BUILD_ROOT -%pre -%service_add_pre sssd.service - -%post -# migrate config variable krb5_kdcip to krb5_server (bnc#851048) -/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf -/sbin/ldconfig -%service_add_post sssd.service - -%preun -%service_del_preun sssd.service - -%postun -if [ "$1" = "0" ]; then - "%_sbindir/pam-config" -d --sss || :; -fi; -/sbin/ldconfig -# Clear caches, which may have an incompatible format afterwards -# (especially, downgrades) -rm -f /var/lib/sss/db/*.ldb -# del_postun includes a try-restart -%service_del_postun sssd.service -%insserv_cleanup - -%post -n libipa_hbac0 -p /sbin/ldconfig -%postun -n libipa_hbac0 -p /sbin/ldconfig -%post -n libsss_idmap0 -p /sbin/ldconfig -%postun -n libsss_idmap0 -p /sbin/ldconfig -%post -n libsss_nss_idmap0 -p /sbin/ldconfig -%postun -n libsss_nss_idmap0 -p /sbin/ldconfig -%post -n libsss_simpleifp0 -p /sbin/ldconfig -%postun -n libsss_simpleifp0 -p /sbin/ldconfig - -%files -f sssd.lang -%defattr(-,root,root) +%files -f sss_daemon.lang +%defattr(-,root,root,-) %doc COPYING -%_unitdir -%_bindir/sss_ssh_* -%_sbindir/sssd -%_sbindir/rcsssd -%dir %_mandir/??/ -%dir %_mandir/??/man[158]/ -%_mandir/??/man1/sss_ssh_* -%_mandir/??/man5/sssd-simple.5* -%_mandir/??/man5/sssd-sudo.5* -%_mandir/??/man5/sssd.conf.5* -%_mandir/??/man8/sssd.8* -%_mandir/man1/sss_ssh_* -%_mandir/man5/sssd-simple.5* -%_mandir/man5/sssd-sudo.5* -%_mandir/man5/sssd.conf.5* -%_mandir/man8/sssd.8* -%dir %_libdir/%name/ -%_libdir/%name/libsss_child* -%_libdir/%name/libsss_cert* -%_libdir/%name/libsss_crypt* -%_libdir/%name/libsss_debug* -%_libdir/%name/libsss_semanage* -%_libdir/%name/libsss_simple* -%_libdir/%name/libsss_util* -%dir %_libdir/%name/modules/ -%_libdir/%name/modules/libsss_autofs.so -%_libdir/libsss_sudo.so -%dir %_libdir/ldb/ -%_libdir/ldb/memberof.so -%dir %_libexecdir/%name/ -%_libexecdir/%name/sssd_autofs -%_libexecdir/%name/sssd_be -%_libexecdir/%name/sssd_nss -%_libexecdir/%name/sssd_pam -%_libexecdir/%name/sssd_ssh -%_libexecdir/%name/sssd_sudo -%_libexecdir/%name/sss_signal -%dir %sssdstatedir -%attr(700,root,root) %dir %dbpath/ -%attr(755,root,root) %dir %pipepath/ -%attr(700,root,root) %dir %pipepath/private/ -%attr(755,root,root) %dir %pubconfpath/ -%attr(755,root,root) %dir %sssdstatedir/mc/ -%attr(700,root,root) %dir %sssdstatedir/keytabs/ -%attr(750,root,root) %dir %_localstatedir/log/%name/ -%dir %_sysconfdir/sssd/ -%config(noreplace) %_sysconfdir/sssd/sssd.conf -%dir %_datadir/%name/ -%_datadir/%name/sssd.api.conf -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-local.conf -%_datadir/%name/sssd.api.d/sssd-simple.conf -# -# sssd-client -# -/%_lib/libnss_sss.so.2 -/%_lib/security/pam_sss.so -%_libdir/cifs-utils/ -%_libdir/krb5/ -%_libdir/%name/modules/sssd_krb5_localauth_plugin.so -%_mandir/??/man8/pam_sss.8* -%_mandir/??/man8/sssd_krb5_locator_plugin.8* -%_mandir/man8/pam_sss.8* -%_mandir/man8/sssd_krb5_locator_plugin.8* - -%files ad -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_ad.so -%dir %_libexecdir/%name/ -%_libexecdir/%name/gpo_child -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-ad.conf -%_mandir/man5/sssd-ad.5* -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/??/man5/sssd-ad.5* - -%files dbus -%defattr(-,root,root) -%dir %_libexecdir/sssd/ -%_libexecdir/sssd/sssd_ifp -%dir %_libdir/sssd/ -%_libdir/sssd/libsss_config.so -%_mandir/man5/sssd-ifp.5* -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/??/man5/sssd-ifp.5* - -%files ipa -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_ipa* -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d -%_datadir/%name/sssd.api.d/sssd-ipa.conf -%_mandir/man5/sssd-ipa.5* -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/??/man5/sssd-ipa.5* - -%files krb5 -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_krb5.so -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-krb5.conf -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/man5/sssd-krb5.5* -%_mandir/??/man5/sssd-krb5.5* - -%files krb5-common -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_krb5_common.so -%dir %_libexecdir/%name/ -%_libexecdir/%name/krb5_child -%_libexecdir/%name/ldap_child - -%files ldap -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_ldap* -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-ldap.conf -%_mandir/man5/sssd-ldap.5* -%dir %_mandir/??/ -%dir %_mandir/??/man5/ -%_mandir/??/man5/sssd-ldap.5* - -%files proxy -%defattr(-,root,root) -%dir %_libdir/%name/ -%_libdir/%name/libsss_proxy.so -%dir %_libexecdir/%name/ -%_libexecdir/%name/proxy_child -%dir %_datadir/%name/ -%dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-proxy.conf +%{_initrddir}/%{name} +%{_sbindir}/sssd +%{_sbindir}/rcsssd +%{_libexecdir}/%{servicename}/ +%dir %{_libdir}/%{name}/ +%{_libdir}/%{name}/libsss_krb5* +%{_libdir}/%{name}/libsss_ldap* +%{_libdir}/%{name}/libsss_proxy* +%{_libdir}/ldb/memberof.so +%{_libdir}/krb5/plugins/libkrb5/* +%dir %{sssdstatedir} +%attr(700,root,root) %dir %{dbpath} +%attr(755,root,root) %dir %{pipepath} +%attr(700,root,root) %dir %{pipepath}/private +%attr(750,root,root) %dir %{_var}/log/%{name} +%dir %{_sysconfdir}/sssd +%config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%config %{_sysconfdir}/sssd/sssd.api.conf +%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-krb5.conf +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-ldap.conf +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-local.conf +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-proxy.conf +/%{_lib}/libnss_sss.so.2 +/%{_lib}/security/pam_sss.so +%{_mandir}/man5/sssd-krb5.* +%{_mandir}/man5/sssd-ldap.* +%{_mandir}/man5/sssd.conf.* %files tools -%defattr(-,root,root) -%_sbindir/sss_cache -%_sbindir/sss_debuglevel -%_sbindir/sss_groupadd -%_sbindir/sss_groupdel -%_sbindir/sss_groupmod -%_sbindir/sss_groupshow -%_sbindir/sss_seed -%_sbindir/sss_obfuscate -%_sbindir/sss_override -%_sbindir/sss_useradd -%_sbindir/sss_userdel -%_sbindir/sss_usermod -%_sbindir/sss_override -%dir %_mandir/??/man8/ -%_mandir/??/man8/sss_*.8* -%_mandir/man8/sss_*.8* +%defattr(-,root,root,-) +%{_mandir}/man8/* +%{_sbindir}/sss_useradd +%{_sbindir}/sss_userdel +%{_sbindir}/sss_usermod +%{_sbindir}/sss_groupadd +%{_sbindir}/sss_groupdel +%{_sbindir}/sss_groupmod -%files wbclient -%defattr(-,root,root) -%config %_sysconfdir/ld.so.conf.d/sssd-wbclient.conf -%dir %_libdir/sssd/ -%dir %_libdir/sssd/modules/ -%_libdir/sssd/modules/libwbclient.so.* - -%files wbclient-devel -%defattr(-,root,root) -%_includedir/wbclient_sssd.h -%dir %_libdir/sssd/ -%dir %_libdir/sssd/modules/ -%_libdir/sssd/modules/libwbclient.so -%_libdir/pkgconfig/wbclient_sssd.pc - -%files -n libipa_hbac0 -%defattr(-,root,root) -%_libdir/libipa_hbac.so.0* - -%files -n libipa_hbac-devel -%defattr(-,root,root) -%_includedir/ipa_hbac.h -%_libdir/libipa_hbac.so -%_libdir/pkgconfig/ipa_hbac.pc - -%files -n libnfsidmap-sss -%defattr(-,root,root) -%_libdir/libnfsidmap/ -%_mandir/man5/sss_rpcidmapd.5* -%dir %_mandir/??/man5/ -%_mandir/??/man5/sss_rpcidmapd.5* - -%files -n libsss_idmap0 -%defattr(-,root,root) -%_libdir/libsss_idmap.so.0* - -%files -n libsss_idmap-devel -%defattr(-,root,root) -%_includedir/sss_idmap.h -%_libdir/libsss_idmap.so -%_libdir/pkgconfig/sss_idmap.pc - -%files -n libsss_nss_idmap0 -%defattr(-,root,root) -%_libdir/libsss_nss_idmap.so.0* - -%files -n libsss_nss_idmap-devel -%defattr(-,root,root) -%_includedir/sss_nss_idmap.h -%_libdir/libsss_nss_idmap.so -%_libdir/pkgconfig/sss_nss_idmap.pc - -%files -n libsss_simpleifp0 -%defattr(-,root,root) -%_libdir/libsss_simpleifp.so.0* - -%files -n libsss_simpleifp-devel -%defattr(-,root,root) -%_includedir/sss_sifp*.h -%_libdir/libsss_simpleifp.so -%_libdir/pkgconfig/sss_simpleifp.pc - -%files -n python-ipa_hbac -%defattr(-,root,root) -%dir %python_sitearch -%python_sitearch/pyhbac.so - -%files -n python3-ipa_hbac -%defattr(-,root,root) -%dir %python3_sitearch -%python3_sitearch/pyhbac.so - -%files -n python-sss-murmur -%defattr(-,root,root) -%python_sitearch/pysss_murmur.so - -%files -n python3-sss-murmur -%defattr(-,root,root) -%python3_sitearch/pysss_murmur.so - -%files -n python-sss_nss_idmap -%defattr(-,root,root) -%dir %python_sitearch -%python_sitearch/pysss_nss_idmap.so - -%files -n python3-sss_nss_idmap -%defattr(-,root,root) -%dir %python3_sitearch -%python3_sitearch/pysss_nss_idmap.so +%files ipa-provider +%defattr(-,root,root,-) +%config %{_sysconfdir}/sssd/sssd.api.d/sssd-ipa.conf +%{_libdir}/sssd/libsss_ipa* +%{_mandir}/man5/sssd-ipa.* %files -n python-sssd-config -%defattr(-,root,root) -%python_sitearch/pysss.so -%python_sitelib/SSSDConfig* +%defattr(-,root,root,-) +%{python_sitearch}/pysss.so +%{python_sitelib}/*.py* +%{python_sitelib}/*.egg-info -%files -n python3-sssd-config -%defattr(-,root,root) -%python3_sitearch/pysss.so -%python3_sitelib/SSSDConfig* +%post +/sbin/ldconfig + +%preun +%stop_on_removal sssd + +%postun +/sbin/ldconfig +%restart_on_update sssd +%insserv_cleanup %changelog