SHA256
1
0
forked from pool/sssd
sssd/sssd.spec

949 lines
30 KiB
RPMSpec
Raw Normal View History

#
# spec file for package sssd
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: sssd
2024-10-15 15:33:24 +02:00
Version: 2.10.0
Release: 0
Summary: System Security Services Daemon
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Group: System/Daemons
URL: https://github.com/SSSD/sssd
#Git-Clone: https://github.com/SSSD/sssd
Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
Source3: baselibs.conf
Source5: %name.keyring
Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch
Patch5: 0001-INI-relax-config-files-checks.patch
Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
Patch11: krb-noversion.diff
Patch12: harden_sssd-ifp.service.patch
Patch13: harden_sssd-kcm.service.patch
Patch14: symvers.patch
BuildRequires: autoconf >= 2.59
BuildRequires: automake
BuildRequires: bind-utils
BuildRequires: check-devel
BuildRequires: cifs-utils-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: docbook-xsl-stylesheets
BuildRequires: krb5-devel >= 1.12
BuildRequires: libcmocka-devel
%if 0%{?suse_version} >= 1600
BuildRequires: libsubid-devel
%endif
BuildRequires: libtool
BuildRequires: libunistring-devel
BuildRequires: libxml2-tools
BuildRequires: libxslt-tools
BuildRequires: nscd
BuildRequires: nss_wrapper
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pkg-config >= 0.21
2024-10-16 17:05:53 +02:00
BuildRequires: python3-wheel
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros
2024-10-16 17:05:53 +02:00
BuildRequires: sysuser-tools
BuildRequires: uid_wrapper
BuildRequires: pkgconfig(augeas) >= 1.0.0
BuildRequires: pkgconfig(collection) >= 0.5.1
BuildRequires: pkgconfig(dbus-1) >= 1.0.0
BuildRequires: pkgconfig(dhash) >= 0.4.2
BuildRequires: pkgconfig(glib-2.0)
2024-10-15 15:33:24 +02:00
BuildRequires: pkgconfig(ini_config) >= 1.3
BuildRequires: pkgconfig(jansson)
2024-08-30 11:37:19 +02:00
BuildRequires: pkgconfig(ldb) >= 1.2.0
2024-10-15 15:33:24 +02:00
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libcares)
2024-10-15 15:33:24 +02:00
BuildRequires: pkgconfig(libcrypto) >= 1.0.1
%if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(libcurl)
%endif
2024-08-30 11:37:19 +02:00
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libnfsidmap)
BuildRequires: pkgconfig(libnl-3.0) >= 3.0
BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
BuildRequires: pkgconfig(libpcre2-8)
%if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(libsemanage)
%endif
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(ndr_krb5pac)
BuildRequires: pkgconfig(ndr_nbt)
BuildRequires: pkgconfig(p11-kit-1) >= 0.23.3
BuildRequires: pkgconfig(popt)
BuildRequires: pkgconfig(python3)
BuildRequires: pkgconfig(smbclient)
BuildRequires: pkgconfig(talloc)
BuildRequires: pkgconfig(tdb) >= 1.1.3
BuildRequires: pkgconfig(tevent)
BuildRequires: pkgconfig(uuid)
2024-09-25 21:38:18 +02:00
%if 0%{?suse_version} && 0%{?suse_version} < 1600
# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
# this conflicts with
# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
# Package contains just config files, not needed for build.
#!BuildIgnore: libldap-data
%endif
2024-10-16 17:05:53 +02:00
%sysusers_requires
%{?systemd_ordering}
2024-08-30 11:37:19 +02:00
Requires(post): permissions
Requires(verify): permissions
Requires: sssd-ldap = %version-%release
Requires(postun): pam-config
Provides: libsss_sudo = %version-%release
Provides: sssd-client = %version-%release
Obsoletes: libsss_sudo < %version-%release
Provides: sssd-common = %version-%release
Obsoletes: sssd-common < %version-%release
2024-08-30 11:37:19 +02:00
%global sssd_user sssd
%define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss
%define dbpath %sssdstatedir/db
%define pipepath %sssdstatedir/pipes
%define pubconfpath %sssdstatedir/pubconf
%define gpocachepath %sssdstatedir/gpo_cache
2024-08-30 11:37:19 +02:00
%define keytabdir %sssdstatedir/keytabs
%define mcpath %sssdstatedir/mc
%define ldbdir %(pkg-config ldb --variable=modulesdir)
2024-08-30 11:37:19 +02:00
%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
2024-09-25 21:38:18 +02:00
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
# * cifs-utils one is the default (priority 20)
# * installing SSSD should NOT switch to SSSD plugin (priority 10)
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
%define cifs_idmap_name cifs-idmap-plugin
%define cifs_idmap_priority 10
Requires(post): update-alternatives
Requires(postun): update-alternatives
%description
2024-10-16 17:05:53 +02:00
A set of daemons to manage access to remote directories and
authentication mechanisms. sssd provides an NSS and PAM interfaces
toward the system and a pluggable backend system to connect to
multiple different account sources. It is also the basis to provide
client auditing and policy services for projects like FreeIPA.
%package ad
Summary: The ActiveDirectory backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
Requires: %name-krb5-common = %version-%release
Requires: adcli
%description ad
2024-10-16 17:05:53 +02:00
A back-end provider that the SSSD can utilize to fetch identity data
from, and authenticate with, an Active Directory server.
%package dbus
Summary: The D-Bus responder of sssd
License: GPL-3.0-or-later
Group: System/Base
Requires: %name = %version
%description dbus
2024-10-16 17:05:53 +02:00
D-Bus responder of sssd, called InfoPipe, which allows
information from sssd to be transmitted over the system bus.
%package ipa
Summary: FreeIPA backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
Requires: %name = %version
Requires: %name-ad = %version-%release
Requires: %name-krb5-common = %version-%release
Obsoletes: %name-ipa-provider < %version-%release
Provides: %name-ipa-provider = %version-%release
%description ipa
2024-10-16 17:05:53 +02:00
A back-end provider that the SSSD can utilize to fetch identity data
from, and authenticate with, an IPA server.
%package kcm
Summary: SSSD's Kerberos cache manager
License: GPL-3.0-or-later
Group: System/Daemons
Requires: sssd = %version-%release
%description kcm
KCM is a process that stores, tracks and manages Kerberos credential
caches.
%package krb5
Summary: The Kerberos authentication backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
Requires: %name-krb5-common = %version-%release
%description krb5
2024-10-16 17:05:53 +02:00
A back-end provider that the SSSD can utilize to authenticate against
a Kerberos server.
%package krb5-common
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later
Group: System/Daemons
Requires: cyrus-sasl-gssapi
2024-08-30 11:37:19 +02:00
Requires(post): permissions
Requires(verify): permissions
%description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can
use for Kerberos user or host authentication.
%package ldap
Summary: The LDAP backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
Requires: %name-krb5-common = %version-%release
%description ldap
2024-10-16 17:05:53 +02:00
A back-end provider that the SSSD can utilize to fetch identity data
from, and authenticate with, an LDAP server.
%package proxy
Summary: The proxy backend plugin for sssd
License: GPL-3.0-or-later
Group: System/Daemons
%description proxy
2024-10-16 17:05:53 +02:00
A back-end provider which can be used to wrap existing NSS and/or PAM
modules to leverage SSSD caching. (This can replace nscd.)
%package tools
Summary: Commandline tools for sssd
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Group: System/Management
Requires: python3-sssd-config = %version-%release
Requires: sssd = %version
%description tools
2024-10-16 17:05:53 +02:00
The packages contains command-line tools for managing users and groups using
the "local" id provider of the System Security Services Daemon (sssd).
%package winbind-idmap
Summary: The sss idmap backend for Winbind
Group: System/Libraries
%description winbind-idmap
The idmap_sss module provides a way for Winbind to call SSSD to map
UIDs/GIDs and SIDs.
%package -n libsss_certmap0
Summary: FreeIPA ID mapping library
License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libsss_certmap0
2024-10-16 17:05:53 +02:00
A utility library for FreeIPA to map certificates.
%package -n libsss_certmap-devel
Summary: Development files for the FreeIPA certmap library
License: LGPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libsss_certmap0 = %version
%description -n libsss_certmap-devel
2024-10-16 17:05:53 +02:00
A utility library for FreeIPA to map certificates.
%package -n libipa_hbac0
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libipa_hbac0
Utility library to validate FreeIPA HBAC rules for authorization
requests.
%package -n libipa_hbac-devel
Summary: Development files for the FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libipa_hbac0 = %version
%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization
requests.
%package -n libnfsidmap-sss
Summary: Library to allow communication between libnfsidmap and SSSD
License: GPL-3.0-or-later
Group: System/Libraries
Supplements: (nfsidmap and sssd-client)
%description -n libnfsidmap-sss
A utility library to allow communication between libnfsidmap and SSSD.
%package -n libsss_idmap0
Summary: FreeIPA ID mapping library
License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libsss_idmap0
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%package -n libsss_idmap-devel
Summary: Development files for the FreeIPA idmap library
License: LGPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libsss_idmap0 = %version
%description -n libsss_idmap-devel
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%package -n libsss_nss_idmap0
Summary: FreeIPA ID mapping library
License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libsss_nss_idmap0
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%package -n libsss_nss_idmap-devel
Summary: Development files for the FreeIPA idmap library
License: LGPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libsss_nss_idmap0 = %version
%description -n libsss_nss_idmap-devel
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%package -n libsss_simpleifp0
Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later
Group: System/Libraries
# Even though sssd has obsoleted simpleifp, the plan here is to retain ABI
# compatibility with the existing SUSE 15.x product line. ...at least, until
# sssd completely removes SIFP from source.
%description -n libsss_simpleifp0
This subpackage provides a library that simplifies the D-Bus API for
the SSSD InfoPipe responder.
%package -n libsss_simpleifp-devel
Summary: Development files for the SSSD D-Bus responder helper library
License: GPL-3.0-or-later
Group: Development/Libraries/C and C++
Requires: libsss_simpleifp0 = %version
%description -n libsss_simpleifp-devel
This subpackage provides the development files for sssd's simpleifp,
a library that simplifies the D-Bus API for the SSSD InfoPipe
responder.
%package -n libsss_sudo
Summary: A library to allow communication between sudo and SSSD
License: LGPL-3.0-or-later
Group: System/Libraries
Supplements: (sudo and sssd-client)
%description -n libsss_sudo
A utility library to allow communication between sudo and SSSD.
%package -n python3-ipa_hbac
Summary: Python bindings for the FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Group: Development/Libraries/Python
Requires: python3
%description -n python3-ipa_hbac
The python-ipa_hbac package contains the bindings so that libipa_hbac
can be used by Python applications.
%package -n python3-sss-murmur
Summary: Python3 bindings for SSSD Murmur hash function
License: LGPL-3.0-or-later
Group: Development/Libraries/Python
Requires: python3
%description -n python3-sss-murmur
This subpackage provides the python3 module for calculating the
Murmur hash version 3.
%package -n python3-sss_nss_idmap
Summary: Python bindings for libsss_nss_idmap
License: LGPL-3.0-or-later
Group: Development/Libraries/Python
Requires: python3
%description -n python3-sss_nss_idmap
The libsss_nss_idmap-python contains the bindings so that
libsss_nss_idmap can be used by Python applications.
%package -n python3-sssd-config
Summary: Python API for configuring sssd
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Group: Development/Libraries/Python
Requires: python3
%description -n python3-sssd-config
Provide python module to access and manage configuration of the System
Security Services Daemon (sssd).
%prep
%autosetup -p1
%build
# help configure find nscd
export PATH="$PATH:/usr/sbin"
autoreconf -fiv
%configure \
--with-db-path="%dbpath" \
--with-pipe-path="%pipepath" \
--with-pubconf-path="%pubconfpath" \
--with-gpo-cache-path="%gpocachepath" \
--with-environment-file="%_sysconfdir/sysconfig/sssd" \
--with-initscript=systemd \
--with-syslog=journald \
2024-08-30 11:37:19 +02:00
--with-pid-path="%_rundir/sssd" \
--enable-pammoddir="%_pam_moduledir" \
--with-ldb-lib-dir="%ldbdir" \
--with-os=suse \
--disable-ldb-version-check \
--without-python2-bindings \
--without-oidc-child \
2024-08-30 11:37:19 +02:00
--with-sssd-user="%sssd_user" \
%if 0%{?suse_version} >= 1600
--with-selinux=yes \
--with-subid
%else
--with-selinux=no \
--with-libsifp \
--with-files-provider
%endif
%make_build all
%install
2024-10-16 17:05:53 +02:00
# sss_obfuscate is compatible with both Python 2 and 3
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
%make_install dbuspolicydir=%_datadir/dbus-1/system.d
b="%buildroot"
# Copy some defaults
%if "%{?_distconfdir}" != ""
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
%else
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d"
%endif
install -d "$b/%_unitdir"
%if 0%{?suse_version} > 1500
install -d "$b/%_distconfdir/logrotate.d"
install -m644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
install -d "$b/%_pam_vendordir"
mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir"
%else
install -d "$b/%_sysconfdir/logrotate.d"
install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
%endif
rm -Rfv "$b/%_initddir"
%if 0%{?suse_version} < 1600
ln -s service "$b/%_sbindir/rcsssd"
%endif
mkdir -pv "$b/%sssdstatedir/mc"
find "$b" -type f -name "*.la" -print -delete
%find_lang %name --all-name
# dummy target for cifs-idmap-plugin
2024-10-16 17:05:53 +02:00
mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
%python3_fix_shebang
%if 0%{?suse_version} > 1600
2024-08-30 11:37:19 +02:00
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
%elif 0%{?suse_version} == 1600
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
2024-10-16 17:05:53 +02:00
sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
%endif
2024-10-16 17:05:53 +02:00
echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
2024-08-30 11:37:19 +02:00
mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
2024-10-16 17:05:53 +02:00
cp -a system-user-sssd.conf "$b/%_sysusersdir/"
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
2024-08-30 11:37:19 +02:00
install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
# should match entry from %%files list
cat >"$b/etc/permissions.d/sssd" <<-EOF
%_libexecdir/sssd/sssd_pam root:sssd 0750
+capabilities cap_dac_read_search=p
%_libexecdir/sssd/selinux_child root:sssd 0750
+capabilities %child_capabilities
%_libexecdir/sssd/krb5_child root:sssd 0750
+capabilities %child_capabilities
%_libexecdir/sssd/ldap_child root:sssd 0750
+capabilities %child_capabilities
EOF
2024-10-16 17:05:53 +02:00
%check
# sss_config-tests fails
%make_build check || :
2024-10-16 17:05:53 +02:00
%pre -f random.pre
2024-08-30 11:37:19 +02:00
%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
%if "%{?_distconfdir}" != ""
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
done
%endif
%post
/sbin/ldconfig
# migrate config variable krb5_kdcip to krb5_server (bnc#851048)
if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
fi
2024-08-30 11:37:19 +02:00
%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
2024-08-30 11:37:19 +02:00
%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid
%tmpfiles_create %name.conf
%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
# install SSSD cifs-idmap plugin as an alternative
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
%preun
2024-08-30 11:37:19 +02:00
%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
%postun
/sbin/ldconfig
2024-10-16 17:05:53 +02:00
if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
"%_sbindir/pam-config" -d --sss || :
fi
# del_postun includes a try-restart
2024-08-30 11:37:19 +02:00
%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
if [ ! -f "%cifs_idmap_lib" ]; then
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
fi
2024-10-16 17:05:53 +02:00
%ldconfig_scriptlets -n libsss_certmap0
%ldconfig_scriptlets -n libipa_hbac0
%ldconfig_scriptlets -n libsss_idmap0
%ldconfig_scriptlets -n libsss_nss_idmap0
%ldconfig_scriptlets -n libsss_simpleifp0
2024-08-30 11:37:19 +02:00
%verifyscript
%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
%triggerun -- %name < %version-%release
# sssd takes care of upgrading the database but it doesn't handle downgrades.
# Clear caches when downgrading the package, which may have an
# incompatible format afterwards preventing the daemon from startup.
if [ "$1" = "1" ] && [ "$2" = "2" ]; then
echo "Package downgrade detected, removing cache files which may have an incompati