Accepting request 259244 from network:ldap

- Update to new upstream release 1.12.2 (bugfix release, bnc#900159)
* Fixed a regression where the IPA provider did not fetch User
  Private Groups correctly
* An important bug in the GPO access control which resulted in a
  wrong principal being used, was fixed.
* Several new options are available for deployments that need to
  restrict a certain PAM service from connecting to a certain SSSD
  domain. For more details, see the description of
  pam_trusted_users and pam_public_domains options in the
  sssd.conf(5) man page and the domains option in the pam_sss(8)
  man page.
* When SSSD is acting as an IPA client in setup with trusted AD
  domains, it is able to return group members or full group
  memberships for users from trusted AD domains.
* Support for the "views" feature of IPA.
- Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch
  (merged upstream)

- Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch
  to workaround bad autoconf invocation

- 0001-build-detect-endianness-at-configure-time.patch 
  Correct defective endianness test.

- Update to new upstream release 1.12.1
* The GPO access control was further enhanced to allow the access
  control decisions while offline and map the Windows logon
  rights onto Linux PAM services.
* The SSSD now ships a plugin for the rpc.idmapd daemon,
  sss_rpcidmapd(5).

OBS-URL: https://build.opensuse.org/request/show/259244
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=60

0001-build-detect-endianness-at-configure-time.patch

@@ -11,20 +11,14 @@ Signed-off-by: David Disseldorp <ddiss@samba.org>
  configure.ac |    7 +++++++
  1 file changed, 7 insertions(+)
 
-Index: sssd-1.11.5.1/configure.ac
-===================================================================
---- sssd-1.11.5.1.orig/configure.ac
-+++ sssd-1.11.5.1/configure.ac
-@@ -301,6 +301,13 @@ AM_CHECK_CMOCKA
+--- sssd-1.12.1.orig/configure.ac
++++ sssd-1.12.1/configure.ac
+@@ -322,6 +322,9 @@ AM_CHECK_CMOCKA
  
  AM_CONDITIONAL([HAVE_DEVSHM], [test -d /dev/shm])
  
-+AC_C_BIGENDIAN
-+if test x$WORDS_BIGENDIAN != x; then
-+    AC_DEFINE(HAVE_BIG_ENDIAN, 1, [whether platform is big endian])
-+else
-+    AC_DEFINE(HAVE_LITTLE_ENDIAN, 1, [whether platform is little endian])
-+fi
++AC_C_BIGENDIAN([AC_DEFINE(HAVE_BIG_ENDIAN, [1], [whether platform is big endian])], 
++               [AC_DEFINE(HAVE_LITTLE_ENDIAN, [1], [whether platform is little endian])])
 +
  abs_build_dir=`pwd`
  AC_DEFINE_UNQUOTED([ABS_BUILD_DIR], ["$abs_build_dir"], [Absolute path to the build directory])

sssd-1.12.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d536471fbc4d4b9948adfb751b7a9df3405ddfbc58274d73adc0c997c91c6472
-size 3968855

sssd-1.12.0.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlO9gK0ACgkQHsardTLnvCVxmACg1tRelGxCTMeHLjDkHAonfQzG
-bz4AoL7RQa1oHlGtazWSzoMrambqy621
-=noRD
------END PGP SIGNATURE-----

sssd-1.12.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55a06a191b2e2506b23f80cf3d15f58b8d94d1f5a1bc5dc77ccf010c0eaafa5d
+size 4149084

sssd-1.12.2.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlRFH8kACgkQHsardTLnvCXMOACeKY1jciw1hTsvG/aOYK3h0+N1
+1/QAniL6o+Rhb0HReZPsMGYlQv41MI2C
+=chdM
+-----END PGP SIGNATURE-----

sssd.changes

@@ -1,3 +1,67 @@
+-------------------------------------------------------------------
+Thu Oct 30 12:22:06 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 1.12.2 (bugfix release, bnc#900159)
+* Fixed a regression where the IPA provider did not fetch User
+  Private Groups correctly
+* An important bug in the GPO access control which resulted in a
+  wrong principal being used, was fixed.
+* Several new options are available for deployments that need to
+  restrict a certain PAM service from connecting to a certain SSSD
+  domain. For more details, see the description of
+  pam_trusted_users and pam_public_domains options in the
+  sssd.conf(5) man page and the domains option in the pam_sss(8)
+  man page.
+* When SSSD is acting as an IPA client in setup with trusted AD
+  domains, it is able to return group members or full group
+  memberships for users from trusted AD domains.
+* Support for the "views" feature of IPA.
+- Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch
+  (merged upstream)
+
+-------------------------------------------------------------------
+Sat Oct 11 13:36:48 UTC 2014 - jengelh@inai.de
+
+- Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch
+  to workaround bad autoconf invocation
+
+-------------------------------------------------------------------
+Sat Oct 11 00:16:15 UTC 2014 - crrodriguez@opensuse.org
+
+- 0001-build-detect-endianness-at-configure-time.patch 
+  Correct defective endianness test.
+
+-------------------------------------------------------------------
+Mon Oct  6 13:25:23 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 1.12.1
+* The GPO access control was further enhanced to allow the access
+  control decisions while offline and map the Windows logon
+  rights onto Linux PAM services.
+* The SSSD now ships a plugin for the rpc.idmapd daemon,
+  sss_rpcidmapd(5).
+* A MIT Kerberos localauth plugin was added to SSSD. This plugin
+  helps translating principals to user names in IPA-AD trust
+  scenarios, allowing the krb5.conf configuration to be less
+  complex.
+* A libwbclient plugin implementation is now part of the SSSD.
+  The main purpose is to map Active Directory users and groups
+  identified by their SID to POSIX users and groups for the
+  file-server use-case.
+* Active Directory users ca nnow use their User Logon Name to log
+  in.
+* The sss_cache tool was enhanced to allow invalidating the SSH
+  host keys.
+* Groups without full POSIX information can now be used to enroll
+  group membership (CVE-2014-0249).
+* Detection of transition from offline to online state was
+  improved, resulting in fewer timeouts when SSSD is offline.
+* The Active Directory provider now correctly detects Windows
+  Server 2012 R2. Previous versions would fall back to the slower
+  non-AD path with 2012 R2.
+* Several other bugs related to deployments where SSSD is acting
+  as an AD client were fixed.
+
 -------------------------------------------------------------------
 Fri Aug 22 15:44:14 UTC 2014 - lchiquitto@suse.com
 

sssd.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        1.12.0
+Version:        1.12.2
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0+ and LGPL-3.0+
@@ -39,23 +39,29 @@ Patch1:         0001-build-detect-endianness-at-configure-time.patch
 %define pipepath	%sssdstatedir/pipes
 %define pubconfpath	%sssdstatedir/pubconf
 
-%if %suse_version <= 1110
-# SLES11 doesn't know the python_* macros
-%define python_sitelib	%py_sitedir
-%define python_sitearch	%py_sitedir
-%endif
-
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
 BuildRequires:  cifs-utils-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  docbook-xsl-stylesheets
+%if 0%{?suse_version} >= 1320
+BuildRequires:  krb5-devel >= 1.12
+%define have_localauth 1
+%else
 BuildRequires:  krb5-devel
+%define have_localauth 0
+%endif
 BuildRequires:  libsmbclient-devel
 BuildRequires:  libtool
+BuildRequires:  libxml2-tools
+BuildRequires:  libxslt-tools
+BuildRequires:  nscd
+BuildRequires:  openldap2-devel
+BuildRequires:  pam-devel
+BuildRequires:  pkg-config
 BuildRequires:  pkgconfig >= 0.21
-%if 0%{?suse_version} >= 1210
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(augeas) >= 1.0.0
 BuildRequires:  pkgconfig(collection) >= 0.5.1
 BuildRequires:  pkgconfig(dbus-1) >= 1.0.0
@@ -64,54 +70,22 @@ BuildRequires:  pkgconfig(glib-2.0)
 BuildRequires:  pkgconfig(ini_config) >= 1.1.0
 BuildRequires:  pkgconfig(ldb) >= 0.9.2
 BuildRequires:  pkgconfig(libcares)
+BuildRequires:  pkgconfig(libcrypto)
+BuildRequires:  pkgconfig(libnfsidmap)
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(libnl-route-3.0) >= 3.0
 BuildRequires:  pkgconfig(libpcre) >= 7
+BuildRequires:  pkgconfig(libsystemd-login)
 BuildRequires:  pkgconfig(ndr_nbt)
-BuildRequires:  pkgconfig(openssl)
 BuildRequires:  pkgconfig(popt)
 BuildRequires:  pkgconfig(python)
 BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
-%else
-BuildRequires:  augeas-devel
-BuildRequires:  dbus-1-devel >= 1.0.0
-BuildRequires:  glib2-devel
-BuildRequires:  libcares-devel
-BuildRequires:  libcollection-devel >= 0.5.1
-BuildRequires:  libdhash-devel >= 0.4.2
-BuildRequires:  libini_config-devel >= 1.1.0
-BuildRequires:  libldb-devel >= 0.9.2
-BuildRequires:  libnl-devel >= 1.1
-BuildRequires:  libopenssl-devel
-BuildRequires:  libtalloc-devel
-BuildRequires:  libtdb-devel >= 1.1.3
-BuildRequires:  libtevent-devel
-BuildRequires:  pcre-devel >= 7
-BuildRequires:  popt-devel
-BuildRequires:  python-devel
-BuildRequires:  samba-devel >= 4
-%endif
-BuildRequires:  samba-libs >= 4
-%if 0%{?suse_version} >= 1220
-BuildRequires:  libxml2-tools
-BuildRequires:  libxslt-tools
-%else
-BuildRequires:  libxml2
-BuildRequires:  libxslt
-%endif
-BuildRequires:  nscd
-BuildRequires:  openldap2-devel
-BuildRequires:  pam-devel
-BuildRequires:  pkg-config
-%if %suse_version >= 1210
-BuildRequires:  systemd-rpm-macros
-BuildRequires:  pkgconfig(libsystemd-login)
 %{?systemd_requires}
-%endif
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
+Provides:       sssd-client = %version-%release
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -203,6 +177,32 @@ Requires:       sssd = %version
 The packages contains commandline tools for managing users and groups using
 the "local" id provider of the System Security Services Daemon (sssd).
 
+%package wbclient
+Summary:        SSSD's implementation of the Winbind pipe protocol
+License:        LGPL-3.0+
+Group:          System/Libraries
+
+%description wbclient
+libwbclient is a plugin for the Samba client, though it has been
+implemented as a regular shared library requested via DT_NEEDED.
+
+sssd-wbclient implements the libwbclient API for Samba daemons and
+utilities. The main purpose is to map Active Directory users and
+groups identified by their SID to POSIX users and groups identified
+by their POSIX UIDs and GIDs respectively.
+
+%package wbclient-devel
+Summary:        Development files for SSSD winbind
+License:        LGPL-3.0+
+Group:          Development/Libraries/C and C++
+Requires:       %name-wbclient = %version
+
+%description wbclient-devel
+sssd-wbclient implements the libwbclient API for Samba daemons and
+utilities. The main purpose is to map Active Directory users and
+groups identified by their SID to POSIX users and groups identified
+by their POSIX UIDs and GIDs respectively.
+
 %package -n libipa_hbac0
 Summary:        FreeIPA HBAC Evaluator library
 License:        LGPL-3.0+
@@ -222,6 +222,15 @@ Requires:       libipa_hbac0 = %version
 Utility library to validate FreeIPA HBAC rules for authorization
 requests.
 
+%package -n libnfsidmap-sss
+Summary:        Library to allow communication between libnfsidmap and SSSD
+License:        GPL-3.0+
+Group:          System/Libraries
+Supplements:    packageand(nfsidmap:sssd-client)
+
+%description -n libnfsidmap-sss
+A utility library to allow communication between libnfsidmap and SSSD.
+
 %package -n libsss_idmap0
 Summary:        FreeIPA ID mapping library
 License:        LGPL-3.0+
@@ -284,6 +293,7 @@ Provides:       libsss_sudo-devel = %version-%release
 Obsoletes:      libsss_sudo-devel < %version-%release
 # No provides: true obsolete.
 Obsoletes:      libsss_sudo1
+Supplements:    packageand(sudo:sssd-client)
 
 %description -n libsss_sudo
 A utility library to allow communication between sudo and SSSD.
@@ -335,7 +345,7 @@ export LDB_DIR="$(pkg-config ldb --variable=modulesdir)"
 # help configure find nscd
 export PATH="$PATH:/usr/sbin"
 
-autoreconf -fi;
+autoreconf -fiv;
 %configure \
     --with-crypto=libcrypto \
     --with-db-path="%dbpath" \
@@ -374,6 +384,10 @@ install src/sysv/SUSE/sssd "$b/%_sysconfdir/init.d/sssd";
 ln -sf ../../etc/init.d/sssd "$b/usr/sbin/rcsssd"
 %endif
 
+mkdir -p "$b/%_sysconfdir/ld.so.conf.d"
+cat >"$b/%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf" <<-EOF
+	%_libdir/%name/modules
+EOF
 find "$b" -type f -name "*.la" -delete;
 
 %if %suse_version <= 1110
@@ -441,7 +455,7 @@ rm -f /var/lib/sss/db/*.ldb
 %_sbindir/sssd
 %_sbindir/rcsssd
 %dir %_mandir/??/
-%dir %_mandir/??/man?/
+%dir %_mandir/??/man[158]/
 %_mandir/??/man1/sss_ssh_*
 %_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
@@ -458,7 +472,8 @@ rm -f /var/lib/sss/db/*.ldb
 %_libdir/%name/libsss_debug*
 %_libdir/%name/libsss_simple*
 %_libdir/%name/libsss_util*
-%_libdir/%name/modules/
+%dir %_libdir/%name/modules/
+%_libdir/%name/modules/libsss_autofs.so
 %dir %_libdir/ldb/
 %_libdir/ldb/memberof.so
 %dir %_libexecdir/%name/
@@ -489,6 +504,9 @@ rm -f /var/lib/sss/db/*.ldb
 /%_lib/security/pam_sss.so
 %_libdir/cifs-utils/
 %_libdir/krb5/
+%if %have_localauth
+%_libdir/%name/modules/sssd_krb5_localauth_plugin.so
+%endif
 %_mandir/??/man8/pam_sss.8*
 %_mandir/??/man8/sssd_krb5_locator_plugin.8*
 %_mandir/man8/pam_sss.8*
@@ -504,9 +522,7 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-ad.conf
-%dir %_mandir/??/man5/
 %_mandir/man5/sssd-ad.5*
-%_mandir/??/man5/sssd-ad.5*
 
 %files dbus
 %defattr(-,root,root)
@@ -515,6 +531,8 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_libdir/sssd/
 %_libdir/sssd/libsss_config.so
 %_mandir/man5/sssd-ifp.5*
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
 %_mandir/??/man5/sssd-ifp.5*
 #%_sysconfdir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 #%_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
@@ -526,9 +544,7 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d
 %_datadir/%name/sssd.api.d/sssd-ipa.conf
-%dir %_mandir/??/man5/
 %_mandir/man5/sssd-ipa.5*
-%_mandir/??/man5/sssd-ipa.5*
 
 %files krb5
 %defattr(-,root,root)
@@ -537,6 +553,7 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-krb5.conf
+%dir %_mandir/??/
 %dir %_mandir/??/man5/
 %_mandir/man5/sssd-krb5.5*
 %_mandir/??/man5/sssd-krb5.5*
@@ -556,9 +573,10 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-ldap.conf
+%_mandir/man5/sssd-ldap.5*
+%dir %_mandir/??/
 %dir %_mandir/??/man5/
 %_mandir/??/man5/sssd-ldap.5*
-%_mandir/man5/sssd-ldap.5*
 
 %files proxy
 %defattr(-,root,root)
@@ -587,6 +605,21 @@ rm -f /var/lib/sss/db/*.ldb
 %_mandir/??/man8/sss_*.8*
 %_mandir/man8/sss_*.8*
 
+%files wbclient
+%defattr(-,root,root)
+%_sysconfdir/ld.so.conf.d/sssd-wbclient.conf
+%dir %_libdir/sssd/
+%dir %_libdir/sssd/modules/
+%_libdir/sssd/modules/libwbclient.so.*
+
+%files wbclient-devel
+%defattr(-,root,root)
+%_includedir/wbclient_sssd.h
+%dir %_libdir/sssd/
+%dir %_libdir/sssd/modules/
+%_libdir/sssd/modules/libwbclient.so
+%_libdir/pkgconfig/wbclient_sssd.pc
+
 %files -n libipa_hbac0
 %defattr(-,root,root)
 %_libdir/libipa_hbac.so.0*
@@ -597,6 +630,11 @@ rm -f /var/lib/sss/db/*.ldb
 %_libdir/libipa_hbac.so
 %_libdir/pkgconfig/ipa_hbac.pc
 
+%files -n libnfsidmap-sss
+%defattr(-,root,root)
+%_libdir/libnfsidmap/
+%_mandir/man5/sss_rpcidmapd.5*
+
 %files -n libsss_idmap0
 %defattr(-,root,root)
 %_libdir/libsss_idmap.so.0*