Accepting request 634696 from network:ldap

- Update to new upstream release 2.0.0 OBS-URL: https://build.opensuse.org/request/show/634696 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=90
2018-09-26 12:53:01 +00:00 · 2018-09-26 12:53:01 +00:00 · fa91309b3b
commit fa91309b3b
parent 7a3c999c8b 803f439300
10 changed files with 103 additions and 158 deletions
--- a/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+++ b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
@ -1,45 +0,0 @@
-From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Fri, 15 Jun 2018 22:29:34 +0200
-Subject: [PATCH] SUDO: Create the socket with stricter permissions
-
-This patch switches the sudo responder from being created as a public
-responder where the permissions are open and not checked by the sssd
-deaamon to a private socket. In this case, sssd creates the pipes with
-strict permissions (see the umask in the call to create_pipe_fd() in
-set_unix_socket()) and additionaly checks the permissions with every read
-via the tevent integrations (see accept_fd_handler()).
---
- src/responder/sudo/sudosrv.c         | 3 ++-
- src/sysv/systemd/sssd-sudo.socket.in | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
-index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
--- a/src/responder/sudo/sudosrv.c
-+++ b/src/responder/sudo/sudosrv.c
-@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
-     sudo_cmds = get_sudo_cmds();
-     ret = sss_process_init(mem_ctx, ev, cdb,
-                            sudo_cmds,
-                           SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
-+                           NULL, -1,                   /* No public socket */
-+                           SSS_SUDO_SOCKET_NAME, -1,   /* Private socket only */
-                            CONFDB_SUDO_CONF_ENTRY,
-                            SSS_SUDO_SBUS_SERVICE_NAME,
-                            SSS_SUDO_SBUS_SERVICE_VERSION,
-diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
-index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
-+++ b/src/sysv/systemd/sssd-sudo.socket.in
-@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
- ListenStream=@pipepath@/sudo
- SocketUser=@SSSD_USER@
- SocketGroup=@SSSD_USER@
-+SocketMode=0600
- 
- [Install]
- WantedBy=sssd.service
-- 
-2.14.3
-
--- a/0002-intg-Do-not-hardcode-nsslibdir.patch
+++ b/0002-intg-Do-not-hardcode-nsslibdir.patch
@ -1,44 +0,0 @@
-From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 12 Jun 2018 19:07:52 +0200
-Subject: [PATCH] intg: Do not hardcode nsslibdir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This change is needed in order to have make intgcheck-run properly
-running on opensuse systems.
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
-Reviewed-by: Michal Židek <mzidek@redhat.com>
---
- src/tests/intg/Makefile.am  | 1 +
- src/tests/intg/config.py.m4 | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
-index 9c5338261..4bd427669 100644
--- a/src/tests/intg/Makefile.am
-+++ b/src/tests/intg/Makefile.am
-@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
- config.py: config.py.m4
- 	m4 -D "prefix=\`$(prefix)'" \
- 	   -D "sysconfdir=\`$(sysconfdir)'" \
-+	   -D "nsslibdir=\`$(nsslibdir)'" \
- 	   -D "dbpath=\`$(dbpath)'" \
- 	   -D "pidpath=\`$(pidpath)'" \
- 	   -D "logpath=\`$(logpath)'" \
-diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
-index 6e011b692..04f78d869 100644
--- a/src/tests/intg/config.py.m4
-+++ b/src/tests/intg/config.py.m4
-@@ -4,7 +4,7 @@ Build configuration variables.
- 
- PREFIX = "prefix"
- SYSCONFDIR = "sysconfdir"
-NSS_MODULE_DIR = PREFIX + "/lib"
-+NSS_MODULE_DIR = "nsslibdir"
- SSSDCONFDIR = SYSCONFDIR + "/sssd"
- CONF_PATH = SSSDCONFDIR + "/sssd.conf"
- DB_PATH = "dbpath"
--- a/0003-Fix-build-for-1-16-2-version.patch
+++ b/0003-Fix-build-for-1-16-2-version.patch
@ -1,13 +0,0 @@
-diff --git a/Makefile.am b/Makefile.am
-index 9539b3c..8e76a03 100644
--- a/Makefile.am
-+++ b/Makefile.am
-@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
-     $(TALLOC_LIBS) \
-     $(TEVENT_LIBS) \
-     libsss_crypt.la \
-+    libsss_child.la \
-     libsss_debug.la \
-     libsss_certmap.la \
-     $(NULL)
-
--- a/sssd-1.16.2.tar.gz
+++ b/sssd-1.16.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
-size 6174144
--- a/sssd-1.16.2.tar.gz.asc
+++ b/sssd-1.16.2.tar.gz.asc
@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh
-fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8
-=U4k5
-----END PGP SIGNATURE-----
--- a/sssd-2.0.0.tar.gz
+++ b/sssd-2.0.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:77569d00dd516e7eba1bfcc2ae562647068d7d16e283e8b3fc4f1e03fc899586
+size 6263376
--- a/sssd-2.0.0.tar.gz.asc
+++ b/sssd-2.0.0.tar.gz.asc
@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAABAgAGBQJbcd4JAAoJEHDBRgYiUL36ZpUH/0R46OWssuYR7gVSoh1UWZdA
+Gg/uPN5iSo0hq6mjU/w7inGb5GxTnbj8WQXo8466EUw98NDTTc7NMLScy83bsb1i
+MIk4eXxm0c5lsRuIFCS+3qtakZtYyjDk+8v6BqRARFFPE9R4j8Cb1BOUurgoMDTg
+IE75AP+QHTxdrPQ/xj4PQcdIZ6qimeztD1IJDrb7hValyMfqs9XHsamXsQwRrfEV
+l0U3eUlsX0vegrQwEG8iOQt4v0cr9jMCahgSnvNZotqiyHUr5VLH901OSZzwPly6
+8+BAp9mnNZ2lG5pqFEXOsI1kmQ5hnXDFu1OcIedkKHdBRMqNZC3ip0k8ow3fbAk=
+=K92m
+-----END PGP SIGNATURE-----
--- a/sssd.changes
+++ b/sssd.changes
@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Fri Sep  7 18:52:18 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to new upstream release 2.0.0
+  * The Python API for managing users and groups in local domains
+    (id_provider=local) was removed completely. The local
+    provider (id_provider=local) and the command line tools to
+    manage users and groups in the local domains, such as
+    sss_useradd is not built anymore.
+  * The LDAP provider had a special-case branch for evaluating
+    group memberships with the RFC2307bis schema when group
+    nesting was explicitly disabled. This codepath is removed.
+  * The "ldap_sudo_include_regexp" option changed its default
+    value from true to false. Wildcards in the sudoHost LDAP
+    attribute are no longer evaluated. This was costly to
+    evaluate on the LDAP server side and at the same time rarely
+    used.
+  * The list of PAM services which are allowed to authenticate
+    using a Smart Card is now configurable using a new option
+    pam_p11_allowed_services.
+
+-------------------------------------------------------------------
+Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
+
+- Update to upstream release 1.16.3
+  * New Features:
+  * kdcinfo files for informing krb5 about discovered KDCs are
+    now also generated for trusted domains in setups that use
+    id_provider=ad and IPA masters in a trust relationship with
+    an AD domain.
+  * The Kerberlos locator plugin can now process multiple
+    address if SSSD generates more than one. A
+  * Bug fixes:
+  * Fixed information leak due to incorrect permissions on
+    /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
+  * Cached password are now stored with a salt. Old ones will be
+    regenerated on next authentication, and the auth server needs
+    to be reachable for that.
+  * The sss_ssh proces leaked file descriptors when converting
+    more than one X.509 certificate to an SSH public key.
+  * The PAC responder is now able to process Domain Local in case
+    the PAC uses SID compression (Windows Server 2012+).
+  * Address the issue that some versions of OpenSSH would close
+    the pipe towards sss_ssh_authorizedkeys when the matching key
+    is found before the rest of the output is read.
+  * User lookups no longer fail if user's e-mail address
+    conflicts with another user's fully qualified name.
+  * The override_shell and override_homedir options are no longer
+    applied to entries from the files domain.
+  * The grace logins with an expired password when authenticating
+    against certain newer versions of the 389DS/RHDS LDAP server
+    did not work.
+- Removed patches that are included upstream now:
+  0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
+  0002-intg-Do-not-hardcode-nsslibdir.patch,
+  0003-Fix-build-for-1-16-2-version.patch
+
 -------------------------------------------------------------------
 Sun Jul  1 12:44:00 UTC 2018 - ckowalczyk@suse.com

--- a/sssd.keyring
+++ b/sssd.keyring
@ -1,34 +1,29 @@
-pub   1024D/32E7BC25 2007-02-02
-uid                  Jakub Hrozek <jhrozek@redhat.com>
-sub   2048g/132DCA21 2007-02-02
-
+pub  2048R/2250BDFA 2018-08-12 Jakub Hrozek <jhrozek@redhat.com>
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.19 (GNU/Linux)
+Version: SKS 1.1.6
+Comment: Hostname: pgp.mit.edu

-mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MU
-XQDAKJM7MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0
-R+OiWh8d7ChCG6riv/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWX
-qZoZrm4lPlBZQltfhzdmvn8D/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjg
-q9Knn4sE9lnGjtG4RCYMT2Sideognk9Ah5nWOGynwta6cluCEqlF6ORJPKpAeqG1
-a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/XtMoHSSyPi/Xum6R+jwISv7n
-TMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlSB6tAqN0G7VL6AFcs
-iOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KNtbnCrhS+
-Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv
-emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iF8EExECACAFAkXDdfUCGwMGCwkIBwMC
-BBUCCAMEFgIDAQIeAQIXgAAKCRAexqt1Mue8JSHBAKCjYF/HshYkJ8pSZTilLO0y
-bMWOFwCYlOqF7icGVDFT42W3CoqLfgajCrkCDQRFw3YAEAgAuqo0FxH1XtdOi/qW
-6v+tWdqYHLj/f0Voqj1cbpS+cODNTaX1/Xf4Jnv6vm4lOG5gIkqD1e5UCpG5pDJv
-MkrpY0lYRr5RGoC29tHZYXfEBVEkdhuU7ZTSQRaoitK5TSwjOj5aKvFSHEjMrCWc
-GSUajECQkRHwZb3HK2wqqBWrJjjjPtj+5cQg+sKp7Zp6xU3iZlMoVfdYi/zGenum
-Cp5SMm8CZZ5gcsNZhjItkTww5K//N6Kz41oMYyHlgh029JD0LHPgKacP3KeEEDzS
-DEx/SSEF4zD/EfLDHehga/n0ZisNmxdxue/BI2Lm7qqGNDtV+qa17pIJ6fPfafbS
-AKYatwAECwf/SuMkZN36UDsoOn06qIrYi5JBss3sOfheJEnqUIEO0JCpyb+fqisd
-qoTJM0G5gFpCvuZOACpzzVv0WjhlMIyPl/7UuP4KYI6LGqAARqNxsHT7FNxT0Uv6
-QR8fGPQqVdFLFBd66EBL9PnOt3RDYwtJlD9cMNUNpzWEXjJ3RCk0lZF2eljpPlu0
-Or53OuiommnhmcmjxR5gvMf4pLqURhEZ2U0ylRiTiTIk0YyIASsDnAf0BClFXz4i
-4qSD6jJloKorRC7Mu87xi1DG4ML+FYC/2d53I8OqHBRhtNUt/GbcthsHDxFq5iVp
-NxwDAX1vr65PWv98pvTMnJmjIDhfgwJMdIhJBBgRAgAJBQJFw3YAAhsMAAoJEB7G
-q3Uy57wllOcAoKkHB3lDFWlUNcSLdRCQxfsCCy7zAJ9GLSU2G0HR+hQVMi2ONorE
-i/EyTA==
-=nO6v
+mQENBFtwK6cBCADYyh4mnEJ7DTKIHsONfEYBJM+OTaRG4DeRIyApnEjxxTLugUBUBUQ/lDAI
+BPDqoB661AAj0b0G2aI6JHlZaxE+npHtxKzulJHPfLs7IbIi7xdHutT3CKEBSKkKabSwgKWz
+wd1B91HXBttAzGKBBPxTE63UeZKSAlpvuO69K9WM5J1qZmkEiwxtJssLoyeZjFiOVK4aRq8F
+qm2O8n56Kz0r8TEkb3bNLr1N1Uq3KlAklX3run0uInjjZAw0V3rTBMHBrE/wsjccnBYp5eDE
+6Ff8NxhD28BqIPQp6NMjsZPVJODo03HdN+y7p+p/ca3XV8X7hG2eF0SNGkuhb7I1D+KPABEB
+AAG0IUpha3ViIEhyb3playA8amhyb3pla0ByZWRoYXQuY29tPokBOAQTAQIAIgUCW3ArpwIb
+AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQcMFGBiJQvfop3AgAtSyZmkDq5mZm0aw2
+IPboKXLlbaihofsOEewvkc6BjaDNgrSZKwBrdlFv5SVYvue7e/Jl985/bAqbSyM+LWdk77of
+/SVfGQJAWya+nmQegP2GQm9FNFdTcOHpUGUJbxEw0uLOo7r1RDnp7GdwmprzF8XMptI5mRWS
+pxo3c9oFZ8Y1HI2Uz8jyvMN4DD/X9HGNvxGeLv7D3Jz3oDy3O5kLpqH6rDQOiVSCUdw3mjZc
+iqT3QLcT8PZo49/20NqcTgRekWc4mZIuUrqABlzDNzPAr28is2dZ7k0cyOM6p/o7nU6TdDdT
+h7fdRfUp4GWVsXng7r6TKIYqMbKjbnsdi85qm7kBDQRbcCunAQgAzsipKSdm6+/T0Lms24vK
+2j4xxeBn/CfIAu0HGdeJxUhumSLW5pb8/QjxDp6ooDnxODbagSTYlBb5DQIVu4OkRPspdtPs
+qI6ZX92NdeIHbSTAHyj1M7me9TZ/Y1CqcvxYRnjLbI4CH9Kvi5BuMLMk+MirRjDivJgph1Gr
+rwL7NwLXMWX1bm/252ytal4Fw4ZN0CnDmwCCu2TxWvwfYxtNZ5XgDW5qY62594+nPoCmZR+F
+8UuDlRS2tnKC7nyiWilb4+6iNbKL7yWqZt/l0WChIRAbxBzTR4uxk5Mfe3yhhujEgid3PZwK
+OE67YQ5qaYfUOIaWs8nlgf19twL1hfKggwARAQABiQEfBBgBAgAJBQJbcCunAhsMAAoJEHDB
+RgYiUL36HYwH/1j8b6ZMymcxe3DLvcXy7PJWJL5Tn2xhHaUlWONcXYY922gDH+qk12SjHDES
+sEXGU/4nt9ktoiFeRX4KiFHi84znHBF3PqacriMApCueX/HZHOL45VxoUNEqYK33t8MfPsXc
+qaJa2FQznHaSgpMP27DmsJYlANEcMeDEM4jZKYc9L7l7Jz8WlsyYHR8aqfu4NLXXSsUSUNyQ
+PfiUH91djow08X65Rwv+sAABDGQH66oPf45UWIwn54K7iigK+s2j60H68mqYymb1CerDrw6b
+4K3BCsHqalllAeLCsTqn6nVsHF7V6I99dSG3Ij6DK/AYsuWjrJZ1AMpNHgU63CtybUo=
+=uiHO
 -----END PGP PUBLIC KEY BLOCK-----
--- a/sssd.spec
+++ b/sssd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@


 Name:           sssd
-Version:        1.16.2
+Version:        2.0.0
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0+ and LGPL-3.0+
@ -31,9 +31,6 @@ Source3:        baselibs.conf
 Source4:        sssd.service
 Source5:        %name.keyring
 BuildRoot:      %_tmppath/%name-%version-build
-Patch1:         0001-SUDO-Create-the-socket-with-stricter-permissions.patch
-Patch2:         0002-intg-Do-not-hardcode-nsslibdir.patch
-Patch3:         0003-Fix-build-for-1-16-2-version.patch

 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
@ -62,6 +59,8 @@ BuildRequires:  libcmocka-devel
 BuildRequires:  nss_wrapper
 BuildRequires:  uid_wrapper
 BuildRequires:  check-devel
+BuildRequires:  python
+BuildRequires:  python-xml
 BuildRequires:  pkgconfig(augeas) >= 1.0.0
 BuildRequires:  pkgconfig(collection) >= 0.5.1
 BuildRequires:  pkgconfig(dbus-1) >= 1.0.0
@ -367,9 +366,6 @@ Security Services Daemon (sssd).

 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1

 %build
 %if 0%{?suse_version} < 1210
@ -483,7 +479,6 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_mandir/??/
 %dir %_mandir/??/man[158]/
 %_mandir/??/man1/sss_ssh_*
-%_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
 %_mandir/??/man8/sssd.8*
 %_mandir/??/man5/sss-certmap.5.gz
@ -507,12 +502,15 @@ rm -f /var/lib/sss/db/*.ldb
 %_mandir/man8/sssd.8*
 %dir %_libdir/%name/
 %_libdir/%name/conf/
+%_libdir/%name/libifp_iface*
 %_libdir/%name/libsss_child*
 %_libdir/%name/libsss_cert*
 %_libdir/%name/libsss_crypt*
 %_libdir/%name/libsss_debug*
 %_libdir/%name/libsss_files*
+%_libdir/%name/libsss_iface*
 %_libdir/%name/libsss_semanage*
+%_libdir/%name/libsss_sbus*
 %_libdir/%name/libsss_simple*
 %_libdir/%name/libsss_util*
 %dir %_libdir/%name/modules/
@ -644,16 +642,9 @@ rm -f /var/lib/sss/db/*.ldb
 %defattr(-,root,root)
 %_sbindir/sss_cache
 %_sbindir/sss_debuglevel
-%_sbindir/sss_groupadd
-%_sbindir/sss_groupdel
-%_sbindir/sss_groupmod
-%_sbindir/sss_groupshow
 %_sbindir/sss_seed
 %_sbindir/sss_obfuscate
 %_sbindir/sss_override
-%_sbindir/sss_useradd
-%_sbindir/sss_userdel
-%_sbindir/sss_usermod
 %dir %_mandir/??/man8/
 %_mandir/??/man8/sss_*.8*
 %_mandir/man8/sss_*.8*