
sssd 2.10.0 (part 2)

This commit is contained in:
Jan Engelhardt 2024-10-16 17:05:53 +02:00
parent 03cfa0ca67
commit d236d87ed8
3 changed files with 146 additions and 58 deletions


@ -0,0 +1,88 @@
From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Wed, 16 Oct 2024 09:55:50 +0200
Subject: [PATCH] sssd: always print path when config object is rejected
References: https://github.com/SSSD/sssd/pull/7649
Observed:
```
Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
```
Expected:
_Well yes, but **which one**_!?
---
src/monitor/monitor.c | 4 ++--
src/util/sss_ini.c | 14 ++++++++------
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index e17b0e416..f67e4446f 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[])
ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false,
&config);
if (ret != EOK) {
- ERROR("Can't read config: '%s'\n", sss_strerror(ret));
+ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret));
sss_log(SSS_LOG_ALERT,
- "Failed to read configuration: '%s'", sss_strerror(ret));
+ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret));
ret = 3;
goto out;
}
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index 7f9824d88..2a611eb8c 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_open(self, config_file, "[sssd]\n");
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "The sss_ini_open failed %s: %d\n",
+ "sss_ini_open on %s failed: %d\n",
config_file,
ret);
return ERR_INI_OPEN_FAILED;
@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_access_check(self);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Permission check on config file failed.\n");
+ "Permission check on config file %s failed: %d\n",
+ config_file, ret);
return ERR_INI_INVALID_PERMISSION;
}
} else {
DEBUG(SSSDBG_CONF_SETTINGS,
- "File %1$s does not exist.\n",
- (config_file ? config_file : "NULL"));
+ "File %s does not exist.\n", config_file);
}
ret = sss_ini_parse(self);
if (ret != EOK) {
sss_ini_config_print_errors(self->error_list);
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
+ config_file, ret);
return ERR_INI_PARSE_FAILED;
}
ret = sss_ini_add_snippets(self, config_dir);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Error while reading configuration directory.\n");
+ "Error while reading configuration directory %s: %d\n",
+ config_dir, ret);
return ERR_INI_ADD_SNIPPETS_FAILED;
}
--
2.47.0
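Review bot: The rewritten "does not exist" message in sss_ini_read_sssd_conf drops the old NULL guard and passes `config_file` straight to `%s`; the guard the previous line carried (`config_file ? config_file : "NULL"`) suggests this branch can be reached with a NULL path, and a NULL argument for `%s` is undefined behaviour (glibc printing "(null)" is an extension, not something the DEBUG macro can rely on). Keep the guard: `"File %s does not exist.\n", (config_file ? config_file : "NULL")`. The new `%s` in the "Failed to parse configuration file" message runs after that branch and would therefore see the same NULL, so it wants the same treatment. As a style point, these messages print `ret` as a bare `%d` while the monitor.c hunk of the same patch uses `sss_strerror(ret)`; the text form is what an operator can act on. sss_ini_read_sssd_conf starts before the hunk and its body continues after it.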


@ -15,6 +15,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
* The default value for ``ldap_id_use_start_tls`` changed from * The default value for ``ldap_id_use_start_tls`` changed from
false to true for improved security. false to true for improved security.
* https://github.com/SSSD/sssd/releases/tag/2.10.0 * https://github.com/SSSD/sssd/releases/tag/2.10.0
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de> Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

sssd.spec

@ -32,6 +32,7 @@ Patch1: krb-noversion.diff
Patch2: harden_sssd-ifp.service.patch Patch2: harden_sssd-ifp.service.patch
Patch3: harden_sssd-kcm.service.patch Patch3: harden_sssd-kcm.service.patch
Patch4: symvers.patch Patch4: symvers.patch
Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
BuildRequires: autoconf >= 2.59 BuildRequires: autoconf >= 2.59
BuildRequires: automake BuildRequires: automake
BuildRequires: bind-utils BuildRequires: bind-utils
@ -53,7 +54,10 @@ BuildRequires: nss_wrapper
BuildRequires: openldap2-devel BuildRequires: openldap2-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pkg-config >= 0.21 BuildRequires: pkg-config >= 0.21
BuildRequires: python3-wheel
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: uid_wrapper BuildRequires: uid_wrapper
BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(augeas) >= 1.0.0
BuildRequires: pkgconfig(collection) >= 0.5.1 BuildRequires: pkgconfig(collection) >= 0.5.1
@ -87,8 +91,6 @@ BuildRequires: pkgconfig(talloc)
BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tdb) >= 1.1.3
BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(tevent)
BuildRequires: pkgconfig(uuid) BuildRequires: pkgconfig(uuid)
BuildRequires: python3-wheel
BuildRequires: python3-setuptools
%if 0%{?suse_version} && 0%{?suse_version} < 1600 %if 0%{?suse_version} && 0%{?suse_version} < 1600
# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4); # samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
# this conflicts with # this conflicts with
@ -96,6 +98,7 @@ BuildRequires: python3-setuptools
# Package contains just config files, not needed for build. # Package contains just config files, not needed for build.
#!BuildIgnore: libldap-data #!BuildIgnore: libldap-data
%endif %endif
%sysusers_requires
%{?systemd_ordering} %{?systemd_ordering}
Requires: sssd-ldap = %version-%release Requires: sssd-ldap = %version-%release
Requires(postun): pam-config Requires(postun): pam-config
@ -125,11 +128,11 @@ Requires(post): update-alternatives
Requires(postun): update-alternatives Requires(postun): update-alternatives
%description %description
Provides a set of daemons to manage access to remote directories and A set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward authentication mechanisms. sssd provides an NSS and PAM interfaces
the system and a pluggable backend system to connect to multiple different toward the system and a pluggable backend system to connect to
account sources. It is also the basis to provide client auditing and policy multiple different account sources. It is also the basis to provide
services for projects like FreeIPA. client auditing and policy services for projects like FreeIPA.
%package ad %package ad
Summary: The ActiveDirectory backend plugin for sssd Summary: The ActiveDirectory backend plugin for sssd
@ -139,9 +142,8 @@ Requires: %name-krb5-common = %version-%release
Requires: adcli Requires: adcli
%description ad %description ad
Provides the Active Directory back end that the SSSD can utilize to A back-end provider that the SSSD can utilize to fetch identity data
fetch identity data from and authenticate against an Active Directory from, and authenticate with, an Active Directory server.
server.
%package dbus %package dbus
Summary: The D-Bus responder of sssd Summary: The D-Bus responder of sssd
@ -150,7 +152,7 @@ Group: System/Base
Requires: %name = %version Requires: %name = %version
%description dbus %description dbus
Provides the D-Bus responder of sssd, called InfoPipe, which allows D-Bus responder of sssd, called InfoPipe, which allows
information from sssd to be transmitted over the system bus. information from sssd to be transmitted over the system bus.
%package ipa %package ipa
@ -164,8 +166,8 @@ Obsoletes: %name-ipa-provider < %version-%release
Provides: %name-ipa-provider = %version-%release Provides: %name-ipa-provider = %version-%release
%description ipa %description ipa
Provides the IPA back end that the SSSD can utilize to fetch identity A back-end provider that the SSSD can utilize to fetch identity data
data from and authenticate against an IPA server. from, and authenticate with, an IPA server.
%package kcm %package kcm
Summary: SSSD's Kerberos cache manager Summary: SSSD's Kerberos cache manager
@ -184,8 +186,8 @@ Group: System/Daemons
Requires: %name-krb5-common = %version-%release Requires: %name-krb5-common = %version-%release
%description krb5 %description krb5
Provides the Kerberos back end that the SSSD can utilize authenticate A back-end provider that the SSSD can utilize to authenticate against
against a Kerberos server. a Kerberos server.
%package krb5-common %package krb5-common
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
@ -204,8 +206,8 @@ Group: System/Daemons
Requires: %name-krb5-common = %version-%release Requires: %name-krb5-common = %version-%release
%description ldap %description ldap
Provides the LDAP back end that the SSSD can utilize to fetch A back-end provider that the SSSD can utilize to fetch identity data
identity data from and authenticate against an LDAP server. from, and authenticate with, an LDAP server.
%package proxy %package proxy
Summary: The proxy backend plugin for sssd Summary: The proxy backend plugin for sssd
@ -213,8 +215,8 @@ License: GPL-3.0-or-later
Group: System/Daemons Group: System/Daemons
%description proxy %description proxy
Provides the proxy back end which can be used to wrap an existing NSS A back-end provider which can be used to wrap existing NSS and/or PAM
and/or PAM modules to leverage SSSD caching. modules to leverage SSSD caching. (This can replace nscd.)
%package tools %package tools
Summary: Commandline tools for sssd Summary: Commandline tools for sssd
@ -224,7 +226,7 @@ Requires: python3-sssd-config = %version-%release
Requires: sssd = %version Requires: sssd = %version
%description tools %description tools
The packages contains commandline tools for managing users and groups using The packages contains command-line tools for managing users and groups using
the "local" id provider of the System Security Services Daemon (sssd). the "local" id provider of the System Security Services Daemon (sssd).
%package winbind-idmap %package winbind-idmap
@ -241,7 +243,7 @@ License: LGPL-3.0-or-later
Group: System/Libraries Group: System/Libraries
%description -n libsss_certmap0 %description -n libsss_certmap0
A utility library for FreeIPA to map certs. A utility library for FreeIPA to map certificates.
%package -n libsss_certmap-devel %package -n libsss_certmap-devel
Summary: Development files for the FreeIPA certmap library Summary: Development files for the FreeIPA certmap library
@ -250,7 +252,7 @@ Group: Development/Libraries/C and C++
Requires: libsss_certmap0 = %version Requires: libsss_certmap0 = %version
%description -n libsss_certmap-devel %description -n libsss_certmap-devel
A utility library for FreeIPA to map certs. A utility library for FreeIPA to map certificates.
%package -n libipa_hbac0 %package -n libipa_hbac0
Summary: FreeIPA HBAC Evaluator library Summary: FreeIPA HBAC Evaluator library
@ -314,7 +316,6 @@ Requires: libsss_nss_idmap0 = %version
%description -n libsss_nss_idmap-devel %description -n libsss_nss_idmap-devel
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%if 0%{?suse_version} < 1600
%package -n libsss_simpleifp0 %package -n libsss_simpleifp0
Summary: The SSSD D-Bus responder helper library Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -337,7 +338,6 @@ Requires: libsss_simpleifp0 = %version
This subpackage provides the development files for sssd's simpleifp, This subpackage provides the development files for sssd's simpleifp,
a library that simplifies the D-Bus API for the SSSD InfoPipe a library that simplifies the D-Bus API for the SSSD InfoPipe
responder. responder.
%endif
%package -n libsss_sudo %package -n libsss_sudo
Summary: A library to allow communication between sudo and SSSD Summary: A library to allow communication between sudo and SSSD
@ -423,7 +423,7 @@ autoreconf -fiv
%make_build all %make_build all
%install %install
# sss_obfuscate is compatible with both python 2 and 3 # sss_obfuscate is compatible with both Python 2 and 3
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
%make_install dbuspolicydir=%_datadir/dbus-1/system.d %make_install dbuspolicydir=%_datadir/dbus-1/system.d
b="%buildroot" b="%buildroot"
@ -457,21 +457,26 @@ find "$b" -type f -name "*.la" -print -delete
%find_lang %name --all-name %find_lang %name --all-name
# dummy target for cifs-idmap-plugin # dummy target for cifs-idmap-plugin
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
%python3_fix_shebang %python3_fix_shebang
%if 0%{?suse_version} > 1600 %if 0%{?suse_version} > 1600
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ %python3_fix_shebang_path %buildroot/%_libexecdir/%name/
%elif 0%{?suse_version} == 1600 %elif 0%{?suse_version} == 1600
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
%endif %endif
echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
mkdir -p "$b/%_sysusersdir"
cp -a system-user-sssd.conf "$b/%_sysusersdir/"
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
%check %check
# sss_config-tests fails # sss_config-tests fails
%make_build check || : %make_build check || :
%pre %pre -f random.pre
%service_add_pre sssd.service %service_add_pre sssd.service
%if "%{?_distconfdir}" != "" %if "%{?_distconfdir}" != ""
# Prepare for migration to /usr/etc; save any old .rpmsave # Prepare for migration to /usr/etc; save any old .rpmsave
@ -496,7 +501,7 @@ update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_li
%postun %postun
/sbin/ldconfig /sbin/ldconfig
if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
"%_sbindir/pam-config" -d --sss || : "%_sbindir/pam-config" -d --sss || :
fi fi
# del_postun includes a try-restart # del_postun includes a try-restart
@ -506,18 +511,11 @@ if [ ! -f "%cifs_idmap_lib" ]; then
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
fi fi
%post -n libsss_certmap0 -p /sbin/ldconfig %ldconfig_scriptlets -n libsss_certmap0
%postun -n libsss_certmap0 -p /sbin/ldconfig %ldconfig_scriptlets -n libipa_hbac0
%post -n libipa_hbac0 -p /sbin/ldconfig %ldconfig_scriptlets -n libsss_idmap0
%postun -n libipa_hbac0 -p /sbin/ldconfig %ldconfig_scriptlets -n libsss_nss_idmap0
%post -n libsss_idmap0 -p /sbin/ldconfig %ldconfig_scriptlets -n libsss_simpleifp0
%postun -n libsss_idmap0 -p /sbin/ldconfig
%post -n libsss_nss_idmap0 -p /sbin/ldconfig
%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
%if 0%{?suse_version} < 1600
%post -n libsss_simpleifp0 -p /sbin/ldconfig
%postun -n libsss_simpleifp0 -p /sbin/ldconfig
%endif
%triggerun -- %name < %version-%release %triggerun -- %name < %version-%release
# sssd takes care of upgrading the database but it doesn't handle downgrades. # sssd takes care of upgrading the database but it doesn't handle downgrades.
@ -556,13 +554,13 @@ fi
# Migrate sssd.service from sssd-common to sssd # Migrate sssd.service from sssd-common to sssd
systemctl is-enabled sssd.service > /dev/null systemctl is-enabled sssd.service > /dev/null
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
mkdir -p /run/systemd/rpm/ mkdir -p /run/systemd/rpm/
touch /run/systemd/rpm/sssd-was-enabled touch /run/systemd/rpm/sssd-was-enabled
fi fi
systemctl is-active sssd.service > /dev/null systemctl is-active sssd.service > /dev/null
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
mkdir -p /run/systemd/rpm/ mkdir -p /run/systemd/rpm/
touch /run/systemd/rpm/sssd-was-active touch /run/systemd/rpm/sssd-was-active
fi fi
%posttrans %posttrans
@ -574,20 +572,20 @@ done
%endif %endif
# Migrate sssd.service from sssd-common to sssd # Migrate sssd.service from sssd-common to sssd
if [ -e /run/systemd/rpm/sssd-was-enabled ]; then if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
systemctl is-enabled sssd.service > /dev/null systemctl is-enabled sssd.service >/dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Migrating sssd.service, was enabled" echo "Migrating sssd.service, was enabled"
systemctl enable sssd.service systemctl enable sssd.service
fi fi
rm /run/systemd/rpm/sssd-was-enabled rm /run/systemd/rpm/sssd-was-enabled
fi fi
if [ -e /run/systemd/rpm/sssd-was-active ]; then if [ -e /run/systemd/rpm/sssd-was-active ]; then
systemctl is-active sssd.service > /dev/null systemctl is-active sssd.service >/dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Migrating sssd.service, was active" echo "Migrating sssd.service, was active"
systemctl start sssd.service systemctl start sssd.service
fi fi
rm /run/systemd/rpm/sssd-was-active rm /run/systemd/rpm/sssd-was-active
fi fi
%files -f sssd.lang %files -f sssd.lang
@ -605,6 +603,7 @@ fi
%_unitdir/sssd-ssh.service %_unitdir/sssd-ssh.service
%_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.socket
%_unitdir/sssd-sudo.service %_unitdir/sssd-sudo.service
%_sysusersdir/*sssd*
%_bindir/sss_ssh_* %_bindir/sss_ssh_*
%_sbindir/sssd %_sbindir/sssd
%if 0%{?suse_version} < 1600 %if 0%{?suse_version} < 1600
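Review bot: The new `%files` entry `%_sysusersdir/*sssd*` globs for a file whose exact name this spec chooses itself in `%install` (`system-user-sssd.conf`); a wildcard here would also claim any other sysusers snippet whose name happens to contain "sssd" and would silently mask a later rename or a failed `cp`, so list it explicitly: `%_sysusersdir/system-user-sssd.conf`. In the same `%install` hunk, `cp -a system-user-sssd.conf "$b/%_sysusersdir/"` preserves whatever mode the build shell gave the file; `install -Dpm 0644 system-user-sssd.conf "$b/%_sysusersdir/system-user-sssd.conf"` fixes the mode and creates the directory in one step, making the preceding `mkdir -p` unnecessary. A one-line comment above the `echo` naming why the account is created via sysusers (`# sssd user/group created at install time by systemd-sysusers; see %pre`) would help the next maintainer, since the `%pre -f random.pre` link is not obvious from the spec alone.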