Fix changelog

ERROR: '' is not a date (sssd.changes:1851)
Please fix with your own tools or try /usr/lib/obs/service/source_validators/helpers/fix_changelog

Signed-off-by: Samuel Cabrero <scabrero@suse.com>

0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch

@@ -0,0 +1,49 @@
+From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index edaf967e1..5c1f05018 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -751,6 +751,7 @@ done:
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++"  disable = an2ln\n" \
+ "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+ 
+-- 
+2.51.1
+

sssd.changes

@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Tue Nov 18 11:15:49 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Install file in krb5.conf.d to include sssd krb5 config snippets;
+  (bsc#1244325);
+- Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561);
+  (bsc#1251827); Add patch
+  0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
+
+-------------------------------------------------------------------
+Tue Mar 25 17:42:38 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Add python3-setuptools build dependency
+- Drop nscd build dependency
+
+-------------------------------------------------------------------
+Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Migrate away from update-alternatives, replaced by package
+  conflicts; (bsc#1235789); (bsc#1216739);
+
+-------------------------------------------------------------------
+Tue Oct  1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Update filelists involving memberof.so and idmap/sss.so to
+  avoid gobbling up one file into multiple sssd subpackages.
+  (Between samba-4.20 and 4.21, %ldbdir changes from
+  /usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now
+  `%_libdir/samba` is a bit too broad.)
+
+-------------------------------------------------------------------
+Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
+
+- Fix spec file for openSUSE ALP and SUSE SLFO, where the
+  python3_fix_shebang_path RPM macro is not available
+
+-------------------------------------------------------------------
+Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
+
+- Revert the change dropping the default configuration file. If
+  /usr/etc exists will be installed there, otherwise in /etc.
+  (bsc#1226157);
+
 -------------------------------------------------------------------
 Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 
@@ -1805,7 +1848,6 @@ Wed Apr  4 16:13:33 PDT 2012 - ben.kevan@gmail.com
   connect to an auth server
 
 -------------------------------------------------------------------
-
 Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
 
 - Update to new upstream release 1.8.0

sssd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,7 @@ Patch1:         krb-noversion.diff
 Patch2:         harden_sssd-ifp.service.patch
 Patch3:         harden_sssd-kcm.service.patch
 Patch4:         symvers.patch
+Patch5:         0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -48,7 +49,6 @@ BuildRequires:  libtool
 BuildRequires:  libunistring-devel
 BuildRequires:  libxml2-tools
 BuildRequires:  libxslt-tools
-BuildRequires:  nscd
 BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
@@ -86,6 +86,14 @@ BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
 BuildRequires:  pkgconfig(uuid)
+BuildRequires:  python3-setuptools
+%if 0%{?suse_version} && 0%{?suse_version} < 1600
+# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
+# this conflicts with
+# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
+# Package contains just config files, not needed for build.
+#!BuildIgnore: libldap-data
+%endif
 %{?systemd_ordering}
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
@@ -103,16 +111,8 @@ Obsoletes:      sssd-common < %version-%release
 %define gpocachepath	%sssdstatedir/gpo_cache
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
 
-# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
-# * cifs-utils one is the default (priority 20)
-# * installing SSSD should NOT switch to SSSD plugin (priority 10)
 %define cifs_idmap_plugin       %_sysconfdir/cifs-utils/idmap-plugin
 %define cifs_idmap_lib          %_libdir/cifs-utils/cifs_idmap_sss.so
-%define cifs_idmap_name         cifs-idmap-plugin
-%define cifs_idmap_priority     10
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -225,6 +225,23 @@ Group:          System/Libraries
 The idmap_sss module provides a way for Winbind to call SSSD to map
 UIDs/GIDs and SIDs.
 
+%package cifs-idmap-plugin
+Summary:        The sssd idmap plugin for cifs.idmap
+Group:          System/Libraries
+# Conflict as per https://bugzilla.suse.com/1235789
+Provides:       cifs-idmap-plugin
+Conflicts:      cifs-idmap-plugin
+
+%description cifs-idmap-plugin
+The cifs.idmap(8) userspace helper relies on a plugin to handle the
+ID mapping. This package contains the ID mapping plugin that will use
+sssd.
+
+In SUSE systems, only one such plugin can be installed at a time
+(either the one from sssd, or from cifs-utils).
+Without the plugin, file objects in a mounted share have UID/GID of
+the original mounting process.
+
 %package -n libsss_certmap0
 Summary:        FreeIPA ID mapping library
 License:        LGPL-3.0-or-later
@@ -382,8 +399,6 @@ Security Services Daemon (sssd).
 %autosetup -p1
 
 %build
-# help configure find nscd
-export PATH="$PATH:/usr/sbin"
 
 autoreconf -fiv
 %configure \
@@ -420,6 +435,13 @@ perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 b="%buildroot"
 
 # Copy some defaults
+%if "%{?_distconfdir}" != ""
+install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
+install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
+%else
+install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
+install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d"
+%endif
 install -d "$b/%_unitdir"
 %if 0%{?suse_version} > 1500
 install -d "$b/%_distconfdir/logrotate.d"
@@ -441,12 +463,15 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
-ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
+mkdir -p %{buildroot}%{_sysconfdir}/cifs-utils
+ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
+
 %python3_fix_shebang
-%if %{suse_version} >= 1600
-%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/
-%endif
+%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
+
+mkdir -pv "$b/%_sysconfdir/krb5.conf.d"
+ln -sv %_datadir/%name/krb5-snippets/enable_sssd_conf_dir \
+       "$b/%_sysconfdir/krb5.conf.d/enable_sssd_conf_dir"
 
 %check
 # sss_config-tests fails
@@ -454,10 +479,12 @@ ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
 
 %pre
 %service_add_pre sssd.service
+%if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
-	test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+	test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
 done
+%endif
 
 %post
 /sbin/ldconfig
@@ -467,9 +494,6 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 fi
 %service_add_post sssd.service
 
-# install SSSD cifs-idmap plugin as an alternative
-update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
-
 %preun
 %service_del_preun sssd.service
 
@@ -481,9 +505,6 @@ fi
 # del_postun includes a try-restart
 %service_del_postun sssd.service
 
-if [ ! -f "%cifs_idmap_lib" ]; then
-	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
-fi
 
 %post   -n libsss_certmap0 -p /sbin/ldconfig
 %postun -n libsss_certmap0 -p /sbin/ldconfig
@@ -545,10 +566,12 @@ touch /run/systemd/rpm/sssd-was-active
 fi
 
 %posttrans
+%if "%{?_distconfdir}" != ""
 # Migration to /usr/etc, restore just created .rpmsave
 for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
-	test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+	test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || :
 done
+%endif
 # Migrate sssd.service from sssd-common to sssd
 if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
 systemctl is-enabled sssd.service > /dev/null
@@ -657,6 +680,15 @@ fi
 %attr(755,root,root) %dir %sssdstatedir/mc/
 %attr(700,root,root) %dir %sssdstatedir/keytabs/
 %attr(750,root,root) %dir %_localstatedir/log/%name/
+%if "%{?_distconfdir}" != ""
+%dir %_distconfdir/sssd/
+%%dir %_distconfdir/sssd/conf.d
+%config(noreplace) %_distconfdir/sssd/sssd.conf
+%else
+%dir %_sysconfdir/sssd/
+%%dir %_sysconfdir/sssd/conf.d
+%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
 %_pam_vendordir/sssd-shadowutils
@@ -695,12 +727,7 @@ fi
 %_mandir/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
-# cifs idmap plugin
-%dir %_sysconfdir/cifs-utils
-%cifs_idmap_plugin
-%dir %_libdir/cifs-utils
-%cifs_idmap_lib
-%ghost %_sysconfdir/alternatives/%cifs_idmap_name
+
 
 %files ad
 %dir %_libdir/%name/
@@ -751,7 +778,6 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5.so
 %dir %_datadir/%name/
-%exclude %_datadir/%name/krb5-snippets/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-krb5.conf
 %dir %_mandir/??/
@@ -760,11 +786,16 @@ fi
 %_mandir/??/man5/sssd-krb5.5*
 
 %files krb5-common
+%dir %pubconfpath/krb5.include.d
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
 %_libexecdir/%name/krb5_child
 %_libexecdir/%name/ldap_child
+%dir %{_datadir}/sssd/krb5-snippets
+%_datadir/%name/krb5-snippets/enable_sssd_conf_dir
+%exclude %_datadir/%name/krb5-snippets/sssd_enable_idp
 
 %files ldap
 %dir %_libdir/%name/
@@ -802,9 +833,16 @@ fi
 %python3_sitelib/sssd/
 
 %files winbind-idmap
-%_libdir/samba/
+%dir %_libdir/samba/
+%_libdir/samba/idmap/
 %_mandir/man8/idmap_sss.8*
 
+%files cifs-idmap-plugin
+%dir %_sysconfdir/cifs-utils
+%cifs_idmap_plugin
+%dir %_libdir/cifs-utils
+%cifs_idmap_lib
+
 %files -n libipa_hbac0
 %_libdir/libipa_hbac.so.0*