sssd 2.10.0 (part 2)
This commit is contained in:
parent
03cfa0ca67
commit
d236d87ed8
@ -0,0 +1,88 @@
|
||||
From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Engelhardt <jengelh@inai.de>
|
||||
Date: Wed, 16 Oct 2024 09:55:50 +0200
|
||||
Subject: [PATCH] sssd: always print path when config object is rejected
|
||||
References: https://github.com/SSSD/sssd/pull/7649
|
||||
|
||||
Observed:
|
||||
|
||||
```
|
||||
Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
|
||||
Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
|
||||
Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
|
||||
```
|
||||
|
||||
Expected:
|
||||
|
||||
_Well yes, but **which one**_!?
|
||||
---
|
||||
src/monitor/monitor.c | 4 ++--
|
||||
src/util/sss_ini.c | 14 ++++++++------
|
||||
2 files changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index e17b0e416..f67e4446f 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[])
|
||||
ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false,
|
||||
&config);
|
||||
if (ret != EOK) {
|
||||
- ERROR("Can't read config: '%s'\n", sss_strerror(ret));
|
||||
+ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret));
|
||||
sss_log(SSS_LOG_ALERT,
|
||||
- "Failed to read configuration: '%s'", sss_strerror(ret));
|
||||
+ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret));
|
||||
ret = 3;
|
||||
goto out;
|
||||
}
|
||||
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
|
||||
index 7f9824d88..2a611eb8c 100644
|
||||
--- a/src/util/sss_ini.c
|
||||
+++ b/src/util/sss_ini.c
|
||||
@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
|
||||
ret = sss_ini_open(self, config_file, "[sssd]\n");
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "The sss_ini_open failed %s: %d\n",
|
||||
+ "sss_ini_open on %s failed: %d\n",
|
||||
config_file,
|
||||
ret);
|
||||
return ERR_INI_OPEN_FAILED;
|
||||
@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
|
||||
ret = sss_ini_access_check(self);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Permission check on config file failed.\n");
|
||||
+ "Permission check on config file %s failed: %d\n",
|
||||
+ config_file, ret);
|
||||
return ERR_INI_INVALID_PERMISSION;
|
||||
}
|
||||
} else {
|
||||
DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
- "File %1$s does not exist.\n",
|
||||
- (config_file ? config_file : "NULL"));
|
||||
+ "File %s does not exist.\n", config_file);
|
||||
}
|
||||
|
||||
ret = sss_ini_parse(self);
|
||||
if (ret != EOK) {
|
||||
sss_ini_config_print_errors(self->error_list);
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
|
||||
+ config_file, ret);
|
||||
return ERR_INI_PARSE_FAILED;
|
||||
}
|
||||
|
||||
ret = sss_ini_add_snippets(self, config_dir);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Error while reading configuration directory.\n");
|
||||
+ "Error while reading configuration directory %s: %d\n",
|
||||
+ config_dir, ret);
|
||||
return ERR_INI_ADD_SNIPPETS_FAILED;
|
||||
}
|
||||
|
||||
--
|
||||
2.47.0
|
||||
|
@ -15,6 +15,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
||||
* The default value for ``ldap_id_use_start_tls`` changed from
|
||||
false to true for improved security.
|
||||
* https://github.com/SSSD/sssd/releases/tag/2.10.0
|
||||
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
107
sssd.spec
107
sssd.spec
@ -32,6 +32,7 @@ Patch1: krb-noversion.diff
|
||||
Patch2: harden_sssd-ifp.service.patch
|
||||
Patch3: harden_sssd-kcm.service.patch
|
||||
Patch4: symvers.patch
|
||||
Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
|
||||
BuildRequires: autoconf >= 2.59
|
||||
BuildRequires: automake
|
||||
BuildRequires: bind-utils
|
||||
@ -53,7 +54,10 @@ BuildRequires: nss_wrapper
|
||||
BuildRequires: openldap2-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkg-config >= 0.21
|
||||
BuildRequires: python3-wheel
|
||||
BuildRequires: python3-setuptools
|
||||
BuildRequires: systemd-rpm-macros
|
||||
BuildRequires: sysuser-tools
|
||||
BuildRequires: uid_wrapper
|
||||
BuildRequires: pkgconfig(augeas) >= 1.0.0
|
||||
BuildRequires: pkgconfig(collection) >= 0.5.1
|
||||
@ -87,8 +91,6 @@ BuildRequires: pkgconfig(talloc)
|
||||
BuildRequires: pkgconfig(tdb) >= 1.1.3
|
||||
BuildRequires: pkgconfig(tevent)
|
||||
BuildRequires: pkgconfig(uuid)
|
||||
BuildRequires: python3-wheel
|
||||
BuildRequires: python3-setuptools
|
||||
%if 0%{?suse_version} && 0%{?suse_version} < 1600
|
||||
# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
|
||||
# this conflicts with
|
||||
@ -96,6 +98,7 @@ BuildRequires: python3-setuptools
|
||||
# Package contains just config files, not needed for build.
|
||||
#!BuildIgnore: libldap-data
|
||||
%endif
|
||||
%sysusers_requires
|
||||
%{?systemd_ordering}
|
||||
Requires: sssd-ldap = %version-%release
|
||||
Requires(postun): pam-config
|
||||
@ -125,11 +128,11 @@ Requires(post): update-alternatives
|
||||
Requires(postun): update-alternatives
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
authentication mechanisms. It provides an NSS and PAM interface toward
|
||||
the system and a pluggable backend system to connect to multiple different
|
||||
account sources. It is also the basis to provide client auditing and policy
|
||||
services for projects like FreeIPA.
|
||||
A set of daemons to manage access to remote directories and
|
||||
authentication mechanisms. sssd provides an NSS and PAM interfaces
|
||||
toward the system and a pluggable backend system to connect to
|
||||
multiple different account sources. It is also the basis to provide
|
||||
client auditing and policy services for projects like FreeIPA.
|
||||
|
||||
%package ad
|
||||
Summary: The ActiveDirectory backend plugin for sssd
|
||||
@ -139,9 +142,8 @@ Requires: %name-krb5-common = %version-%release
|
||||
Requires: adcli
|
||||
|
||||
%description ad
|
||||
Provides the Active Directory back end that the SSSD can utilize to
|
||||
fetch identity data from and authenticate against an Active Directory
|
||||
server.
|
||||
A back-end provider that the SSSD can utilize to fetch identity data
|
||||
from, and authenticate with, an Active Directory server.
|
||||
|
||||
%package dbus
|
||||
Summary: The D-Bus responder of sssd
|
||||
@ -150,7 +152,7 @@ Group: System/Base
|
||||
Requires: %name = %version
|
||||
|
||||
%description dbus
|
||||
Provides the D-Bus responder of sssd, called InfoPipe, which allows
|
||||
D-Bus responder of sssd, called InfoPipe, which allows
|
||||
information from sssd to be transmitted over the system bus.
|
||||
|
||||
%package ipa
|
||||
@ -164,8 +166,8 @@ Obsoletes: %name-ipa-provider < %version-%release
|
||||
Provides: %name-ipa-provider = %version-%release
|
||||
|
||||
%description ipa
|
||||
Provides the IPA back end that the SSSD can utilize to fetch identity
|
||||
data from and authenticate against an IPA server.
|
||||
A back-end provider that the SSSD can utilize to fetch identity data
|
||||
from, and authenticate with, an IPA server.
|
||||
|
||||
%package kcm
|
||||
Summary: SSSD's Kerberos cache manager
|
||||
@ -184,8 +186,8 @@ Group: System/Daemons
|
||||
Requires: %name-krb5-common = %version-%release
|
||||
|
||||
%description krb5
|
||||
Provides the Kerberos back end that the SSSD can utilize authenticate
|
||||
against a Kerberos server.
|
||||
A back-end provider that the SSSD can utilize to authenticate against
|
||||
a Kerberos server.
|
||||
|
||||
%package krb5-common
|
||||
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
|
||||
@ -204,8 +206,8 @@ Group: System/Daemons
|
||||
Requires: %name-krb5-common = %version-%release
|
||||
|
||||
%description ldap
|
||||
Provides the LDAP back end that the SSSD can utilize to fetch
|
||||
identity data from and authenticate against an LDAP server.
|
||||
A back-end provider that the SSSD can utilize to fetch identity data
|
||||
from, and authenticate with, an LDAP server.
|
||||
|
||||
%package proxy
|
||||
Summary: The proxy backend plugin for sssd
|
||||
@ -213,8 +215,8 @@ License: GPL-3.0-or-later
|
||||
Group: System/Daemons
|
||||
|
||||
%description proxy
|
||||
Provides the proxy back end which can be used to wrap an existing NSS
|
||||
and/or PAM modules to leverage SSSD caching.
|
||||
A back-end provider which can be used to wrap existing NSS and/or PAM
|
||||
modules to leverage SSSD caching. (This can replace nscd.)
|
||||
|
||||
%package tools
|
||||
Summary: Commandline tools for sssd
|
||||
@ -224,7 +226,7 @@ Requires: python3-sssd-config = %version-%release
|
||||
Requires: sssd = %version
|
||||
|
||||
%description tools
|
||||
The packages contains commandline tools for managing users and groups using
|
||||
The packages contains command-line tools for managing users and groups using
|
||||
the "local" id provider of the System Security Services Daemon (sssd).
|
||||
|
||||
%package winbind-idmap
|
||||
@ -241,7 +243,7 @@ License: LGPL-3.0-or-later
|
||||
Group: System/Libraries
|
||||
|
||||
%description -n libsss_certmap0
|
||||
A utility library for FreeIPA to map certs.
|
||||
A utility library for FreeIPA to map certificates.
|
||||
|
||||
%package -n libsss_certmap-devel
|
||||
Summary: Development files for the FreeIPA certmap library
|
||||
@ -250,7 +252,7 @@ Group: Development/Libraries/C and C++
|
||||
Requires: libsss_certmap0 = %version
|
||||
|
||||
%description -n libsss_certmap-devel
|
||||
A utility library for FreeIPA to map certs.
|
||||
A utility library for FreeIPA to map certificates.
|
||||
|
||||
%package -n libipa_hbac0
|
||||
Summary: FreeIPA HBAC Evaluator library
|
||||
@ -314,7 +316,6 @@ Requires: libsss_nss_idmap0 = %version
|
||||
%description -n libsss_nss_idmap-devel
|
||||
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
|
||||
|
||||
%if 0%{?suse_version} < 1600
|
||||
%package -n libsss_simpleifp0
|
||||
Summary: The SSSD D-Bus responder helper library
|
||||
License: GPL-3.0-or-later
|
||||
@ -337,7 +338,6 @@ Requires: libsss_simpleifp0 = %version
|
||||
This subpackage provides the development files for sssd's simpleifp,
|
||||
a library that simplifies the D-Bus API for the SSSD InfoPipe
|
||||
responder.
|
||||
%endif
|
||||
|
||||
%package -n libsss_sudo
|
||||
Summary: A library to allow communication between sudo and SSSD
|
||||
@ -423,7 +423,7 @@ autoreconf -fiv
|
||||
%make_build all
|
||||
|
||||
%install
|
||||
# sss_obfuscate is compatible with both python 2 and 3
|
||||
# sss_obfuscate is compatible with both Python 2 and 3
|
||||
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
|
||||
%make_install dbuspolicydir=%_datadir/dbus-1/system.d
|
||||
b="%buildroot"
|
||||
@ -457,21 +457,26 @@ find "$b" -type f -name "*.la" -print -delete
|
||||
%find_lang %name --all-name
|
||||
|
||||
# dummy target for cifs-idmap-plugin
|
||||
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
|
||||
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
|
||||
mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
|
||||
ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
|
||||
%python3_fix_shebang
|
||||
%if 0%{?suse_version} > 1600
|
||||
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/
|
||||
%elif 0%{?suse_version} == 1600
|
||||
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
|
||||
sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
|
||||
sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
|
||||
%endif
|
||||
|
||||
echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
|
||||
mkdir -p "$b/%_sysusersdir"
|
||||
cp -a system-user-sssd.conf "$b/%_sysusersdir/"
|
||||
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
|
||||
|
||||
%check
|
||||
# sss_config-tests fails
|
||||
%make_build check || :
|
||||
|
||||
%pre
|
||||
%pre -f random.pre
|
||||
%service_add_pre sssd.service
|
||||
%if "%{?_distconfdir}" != ""
|
||||
# Prepare for migration to /usr/etc; save any old .rpmsave
|
||||
@ -496,7 +501,7 @@ update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_li
|
||||
|
||||
%postun
|
||||
/sbin/ldconfig
|
||||
if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
|
||||
if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
|
||||
"%_sbindir/pam-config" -d --sss || :
|
||||
fi
|
||||
# del_postun includes a try-restart
|
||||
@ -506,18 +511,11 @@ if [ ! -f "%cifs_idmap_lib" ]; then
|
||||
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
|
||||
fi
|
||||
|
||||
%post -n libsss_certmap0 -p /sbin/ldconfig
|
||||
%postun -n libsss_certmap0 -p /sbin/ldconfig
|
||||
%post -n libipa_hbac0 -p /sbin/ldconfig
|
||||
%postun -n libipa_hbac0 -p /sbin/ldconfig
|
||||
%post -n libsss_idmap0 -p /sbin/ldconfig
|
||||
%postun -n libsss_idmap0 -p /sbin/ldconfig
|
||||
%post -n libsss_nss_idmap0 -p /sbin/ldconfig
|
||||
%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
|
||||
%if 0%{?suse_version} < 1600
|
||||
%post -n libsss_simpleifp0 -p /sbin/ldconfig
|
||||
%postun -n libsss_simpleifp0 -p /sbin/ldconfig
|
||||
%endif
|
||||
%ldconfig_scriptlets -n libsss_certmap0
|
||||
%ldconfig_scriptlets -n libipa_hbac0
|
||||
%ldconfig_scriptlets -n libsss_idmap0
|
||||
%ldconfig_scriptlets -n libsss_nss_idmap0
|
||||
%ldconfig_scriptlets -n libsss_simpleifp0
|
||||
|
||||
%triggerun -- %name < %version-%release
|
||||
# sssd takes care of upgrading the database but it doesn't handle downgrades.
|
||||
@ -556,13 +554,13 @@ fi
|
||||
# Migrate sssd.service from sssd-common to sssd
|
||||
systemctl is-enabled sssd.service > /dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
mkdir -p /run/systemd/rpm/
|
||||
touch /run/systemd/rpm/sssd-was-enabled
|
||||
mkdir -p /run/systemd/rpm/
|
||||
touch /run/systemd/rpm/sssd-was-enabled
|
||||
fi
|
||||
systemctl is-active sssd.service > /dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
mkdir -p /run/systemd/rpm/
|
||||
touch /run/systemd/rpm/sssd-was-active
|
||||
mkdir -p /run/systemd/rpm/
|
||||
touch /run/systemd/rpm/sssd-was-active
|
||||
fi
|
||||
|
||||
%posttrans
|
||||
@ -574,20 +572,20 @@ done
|
||||
%endif
|
||||
# Migrate sssd.service from sssd-common to sssd
|
||||
if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
|
||||
systemctl is-enabled sssd.service > /dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
systemctl is-enabled sssd.service >/dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Migrating sssd.service, was enabled"
|
||||
systemctl enable sssd.service
|
||||
fi
|
||||
rm /run/systemd/rpm/sssd-was-enabled
|
||||
fi
|
||||
rm /run/systemd/rpm/sssd-was-enabled
|
||||
fi
|
||||
if [ -e /run/systemd/rpm/sssd-was-active ]; then
|
||||
systemctl is-active sssd.service > /dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
systemctl is-active sssd.service >/dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Migrating sssd.service, was active"
|
||||
systemctl start sssd.service
|
||||
fi
|
||||
rm /run/systemd/rpm/sssd-was-active
|
||||
fi
|
||||
rm /run/systemd/rpm/sssd-was-active
|
||||
fi
|
||||
|
||||
%files -f sssd.lang
|
||||
@ -605,6 +603,7 @@ fi
|
||||
%_unitdir/sssd-ssh.service
|
||||
%_unitdir/sssd-sudo.socket
|
||||
%_unitdir/sssd-sudo.service
|
||||
%_sysusersdir/*sssd*
|
||||
%_bindir/sss_ssh_*
|
||||
%_sbindir/sssd
|
||||
%if 0%{?suse_version} < 1600
|
||||
|
Loading…
Reference in New Issue
Block a user