From 45570786c60d2e8eecb5888320532c4f5ee2d9612ca4e37f302fd6234bd3db2c Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 19 May 2020 11:46:11 +0000
Subject: [PATCH] sssd-2.3.0

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=233

---
 ...fo-with-AI_CANONNAME-to-find-the-FQD.patch | 114 ---
 ...uild-failure-against-samba-4.12.0rc1.patch | 53 --
 ...-computer-lookup-failure-when-sam-cn.patch | 45 -
 sssd-2.2.3.tar.gz | 3 -
 sssd-2.2.3.tar.gz.asc | 11 -
 sssd-2.3.0.tar.gz | 3 +
 sssd-2.3.0.tar.gz.asc | 11 +
 sssd-gpo_host_security_filter-2.2.2.patch | 809 ------------------
 sssd.changes | 23 +
 sssd.spec | 19 +-
 10 files changed, 44 insertions(+), 1047 deletions(-)
 delete mode 100644 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
 delete mode 100644 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
 delete mode 100644 0001-Resolve-computer-lookup-failure-when-sam-cn.patch
 delete mode 100644 sssd-2.2.3.tar.gz
 delete mode 100644 sssd-2.2.3.tar.gz.asc
 create mode 100644 sssd-2.3.0.tar.gz
 create mode 100644 sssd-2.3.0.tar.gz.asc
 delete mode 100644 sssd-gpo_host_security_filter-2.2.2.patch

diff --git a/0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch b/0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
deleted file mode 100644
index 453996d..0000000
--- a/0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
+++ /dev/null
@@ -1,114 +0,0 @@ -From 2143c7276c7603520e2575ef6c9d93a5fc031256 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Mon, 13 Jan 2020 13:52:34 +0100 -Subject: [PATCH] AD: use getaddrinfo with AI_CANONNAME to find the FQDN - -In systems where gethostbyname() does not return the FQDN try calling -getaddrinfo(). - -Signed-off-by: Samuel Cabrero - -Reviewed-by: Sumit Bose ---- - src/man/sssd-ad.5.xml | 14 ++++++------ - src/providers/ad/ad_common.c | 42 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 50 insertions(+), 6 deletions(-) - -diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml -index c30e5b9db..23e351fc0 100644 ---- a/src/man/sssd-ad.5.xml -+++ b/src/man/sssd-ad.5.xml -@@ -193,15 +193,17 @@ ad_enabled_domains = sales.example.com, eng.example.com - ad_hostname (string) - - -- Optional. May be set on machines where the -- hostname(5) does not reflect the fully qualified -- name used in the Active Directory domain to -- identify this host. -+ Optional. On machines where the hostname(5) does -+ not reflect the fully qualified name, sssd will try -+ to expand the short name. If it is not possible or -+ the short name should be really used instead, set -+ this parameter explicitly. - - - This field is used to determine the host principal -- in use in the keytab. It must match the hostname -- for which the keytab was issued. -+ in use in the keytab and to perform dynamic DNS -+ updates. It must match the hostname for which the -+ keytab was issued. 
- - - -diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c -index 51300f5b2..e5fa83595 100644 ---- a/src/providers/ad/ad_common.c -+++ b/src/providers/ad/ad_common.c -@@ -406,6 +406,34 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, - return ad_options; - } - -+static errno_t -+ad_try_to_get_fqdn(const char *hostname, -+ char *buf, -+ size_t buflen) -+{ -+ int ret; -+ struct addrinfo *res; -+ struct addrinfo hints; -+ -+ memset(&hints, 0, sizeof(struct addrinfo)); -+ hints.ai_socktype = SOCK_DGRAM; -+ hints.ai_flags = AI_CANONNAME; -+ -+ ret = getaddrinfo(hostname, NULL, &hints, &res); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "getaddrinfo failed: %s\n", -+ gai_strerror(ret)); -+ return ret; -+ } -+ -+ strncpy(buf, res->ai_canonname, buflen); -+ -+ freeaddrinfo(res); -+ -+ return EOK; -+} -+ - errno_t - ad_get_common_options(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, -@@ -421,6 +449,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx, - char *realm; - char *ad_hostname; - char hostname[HOST_NAME_MAX + 1]; -+ char fqdn[HOST_NAME_MAX + 1]; - char *case_sensitive_opt; - const char *opt_override; - -@@ -468,6 +497,19 @@ ad_get_common_options(TALLOC_CTX *mem_ctx, - goto done; - } - hostname[HOST_NAME_MAX] = '\0'; -+ -+ if (strchr(hostname, '.') == NULL) { -+ ret = ad_try_to_get_fqdn(hostname, fqdn, sizeof(fqdn)); -+ if (ret == EOK) { -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "The hostname [%s] has been expanded to FQDN [%s]. " -+ "If sssd should really use the short hostname, please " -+ "set ad_hostname explicitly.\n", hostname, fqdn); -+ strncpy(hostname, fqdn, sizeof(hostname)); -+ hostname[HOST_NAME_MAX] = '\0'; -+ } -+ } -+ - DEBUG(SSSDBG_CONF_SETTINGS, - "Setting ad_hostname to [%s].\n", hostname); - ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname); --- -2.25.1 - 
diff --git a/0001-Fix-build-failure-against-samba-4.12.0rc1.patch b/0001-Fix-build-failure-against-samba-4.12.0rc1.patch
deleted file mode 100644
index f5560d7..0000000
--- a/0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 24 Jan 2020 15:17:39 +0100 -Subject: [PATCH] Fix build failure against samba 4.12.0rc1 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The ndr_pull_get_switch() function was dropped, but it was just a wrapper -around the ndr_token_peek() function, so we can use this approach on both -old and new versions of libndr. - -Signed-off-by: Stephen Gallagher - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo_ndr.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index d57303349..8f405aa62 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, - union security_ace_object_type *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); -@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, - union security_ace_object_inherited_type *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); -@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, - union security_ace_object_ctr *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); --- -2.25.1 - 
diff --git a/0001-Resolve-computer-lookup-failure-when-sam-cn.patch b/0001-Resolve-computer-lookup-failure-when-sam-cn.patch deleted file mode 100644 index d154375..0000000 --- a/0001-Resolve-computer-lookup-failure-when-sam-cn.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0ea7661eeb7783c45d7f0ec9d19d99ce9fe407cf Mon Sep 17 00:00:00 2001 -From: David Mulder -Date: Fri, 10 Jan 2020 18:21:05 +0000 -Subject: [PATCH] Resolve computer lookup failure when sam!=cn -References: jsc#SLE-9298 -Upstream: submitted - ---- - src/providers/ad/ad_gpo.c | 11 ++--------- - 1 file changed, 2 insertions(+), 9 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 90e1909f8..6dd850cc9 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -1947,7 +1947,6 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) - struct sysdb_attrs **reply; - const char *target_dn = NULL; - uint32_t uac; -- char *filter = NULL; - char *domain_dn; - const char *attrs[] = {AD_AT_SID, NULL}; - struct ldb_message *msg; -@@ -2050,16 +2049,10 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) - goto done; - } - -- filter = talloc_asprintf(subreq, SYSDB_COMP_FILTER, state->ad_hostname); -- if (!filter) { -- ret = ENOMEM; -- goto done; -- } -- - subreq = sdap_get_generic_send(state, state->ev, state->opts, - sdap_id_op_handle(state->sdap_op), -- domain_dn, LDAP_SCOPE_SUBTREE, -- filter, attrs, NULL, 0, -+ state->target_dn, LDAP_SCOPE_BASE, -+ "(&)", attrs, NULL, 0, - state->timeout, - false); - --- -2.24.0 - diff --git a/sssd-2.2.3.tar.gz b/sssd-2.2.3.tar.gz deleted file mode 100644 index ccffd9a..0000000 --- a/sssd-2.2.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:11565446290e7432dbd208c4db02fcb42ab17e853d8ba4f994af9a9c57bbbb11 -size 6894302 diff --git a/sssd-2.2.3.tar.gz.asc b/sssd-2.2.3.tar.gz.asc deleted file mode 100644 index c2da9bd..0000000 --- a/sssd-2.2.3.tar.gz.asc +++ /dev/null 
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEFvJCKUiOc2BIlSc3uogAD+Y5gnIFAl3i6dIACgkQuogAD+Y5
-gnLovgf/QSNThIaVkCIC6doJNncuIaJuuu+GkihXe+4K6xHgksbMR7C7GyIEqxJQ
-Dy2UAzH4FMUzbBoBwb9kW6Du2nt+9Rp2dVz/H/lmgNlKgX3siOVFJ4rwlCD3bJUi
-eay5t9GTTQAUzpM1N1HdQPGk0ErT0mI77d3GLr7L8S64/SFI4aai58+T/VIRlbMQ
-0t/BGo1yo4Ss97u9SrC62DSfev7Rl8mmdTMlJIYU2UAjEVYtJm5TViUDGy44eh+V
-HM1l6EpMSGvEVrr6ALm4VNNntCjs37GJxyGrXFqljjs+tiBFpZT+5ENQl/X2RBsT
-tRSZpATPjmRoYhLyqgPqLuAg5tXtaw==
-=UpXd
------END PGP SIGNATURE-----
diff --git a/sssd-2.3.0.tar.gz b/sssd-2.3.0.tar.gz
new file mode 100644
index 0000000..b3498f0
--- /dev/null
+++ b/sssd-2.3.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f755a105433399fff0f5788ee04795e07299b9d7bf976d02c4910cb6dcbe3a99
+size 6797766
diff --git a/sssd-2.3.0.tar.gz.asc b/sssd-2.3.0.tar.gz.asc
new file mode 100644
index 0000000..c24c0b7
--- /dev/null
+++ b/sssd-2.3.0.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAl7DuF4ACgkQr/513ehQ
+jhIDgAf/bnoW75HQWBMS6xOEP4ncEVXDjv/0r9tRwXke4xy3HLfMAmvS069fVnHe
+dzpAquijN154qE7QArkfJtz8cuZl/IGuLFNp6W5UgVGifGgub4Uai+9wmpsO7Grb
+T/bd1d4c/6EYksEtAfLYUnzsmVTcSvIMVvPpPkWbdfoAsbFbkMmi0rZvlxjdMtHl
+hsJYsIGZbkugsNkUV5V4xPBz9b87CMbF9F7DikstJPhzlMeXGY9aVVnWlW8X/yMJ
+BUmj2BE1jr7G0lLHVVb90tWXYvjCKzq/klxs7CPV7+4X3e3yoxLKz9HyukLx+xCo
+Vlwn/XW6xksNeRTUs6S+yL7LKZJ2Sw==
+=h1Bc
+-----END PGP SIGNATURE-----
diff --git a/sssd-gpo_host_security_filter-2.2.2.patch b/sssd-gpo_host_security_filter-2.2.2.patch
deleted file mode 100644
index 259a289..0000000
--- a/sssd-gpo_host_security_filter-2.2.2.patch
+++ /dev/null
@@ -1,809 +0,0 @@ -From dfeedc8ce8c484c317ff16c7460487ee3a1a4dde Mon Sep 17 00:00:00 2001 -From: David Mulder -Date: Fri, 4 Oct 2019 13:04:01 -0600 -Subject: [PATCH 1/5] SSSD should accept host entries from GPO's security - filter -References: jsc#SLE-9298 -Upstream: submitted - -Not accepting host entries in the security filter -creates the need for sub-OU's, each with its own -GPO, otherwise one OU with an assigned GPO would -be sufficient. ---- - Makefile.am | 2 - src/confdb/confdb.c | 11 ++ - src/confdb/confdb.h | 2 - src/config/cfg_rules.ini | 1 - src/db/sysdb_computer.c | 185 ++++++++++++++++++++++++++++++++++++ - src/db/sysdb_computer.h | 51 ++++++++++ - src/man/sssd-ad.5.xml | 7 - - src/man/sssd.conf.5.xml | 13 ++ - src/providers/ad/ad_gpo.c | 208 +++++++++++++++++++++++++++++++++++++++-- - src/providers/ad/ad_gpo_ndr.c | 2 - src/tests/cmocka/test_ad_gpo.c | 33 +++++- - 11 files changed, 495 insertions(+), 20 deletions(-) - create mode 100644 src/db/sysdb_computer.c - create mode 100644 src/db/sysdb_computer.h - -Index: sssd-2.2.3/Makefile.am -=================================================================== ---- sssd-2.2.3.orig/Makefile.am -+++ sssd-2.2.3/Makefile.am -@@ -781,6 +781,7 @@ dist_noinst_HEADERS = \ - src/db/sysdb_services.h \ - src/db/sysdb_ssh.h \ - src/db/sysdb_domain_resolution_order.h \ -+ src/db/sysdb_computer.h \ - src/confdb/confdb.h \ - src/confdb/confdb_private.h \ - src/confdb/confdb_setup.h \ -@@ -1247,6 +1248,7 @@ libsss_util_la_SOURCES = \ - src/db/sysdb_certmap.c \ - src/db/sysdb_domain_resolution_order.c \ - src/util/sss_pam_data.c \ -+ src/db/sysdb_computer.c \ - src/util/util.c \ - src/util/util_ext.c \ - src/util/util_preauth.c \ -Index: sssd-2.2.3/src/confdb/confdb.c -=================================================================== ---- sssd-2.2.3.orig/src/confdb/confdb.c -+++ sssd-2.2.3/src/confdb/confdb.c -@@ -1228,6 +1228,17 @@ static int confdb_get_domain_internal(st - goto done; - } - -+ /* Override the computer 
timeout, if specified */ -+ ret = get_entry_as_uint32(res->msgs[0], &domain->computer_timeout, -+ CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT, -+ entry_cache_timeout); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Invalid value for [%s]\n", -+ CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT); -+ goto done; -+ } -+ - /* Set refresh_expired_interval, if specified */ - ret = get_entry_as_uint32(res->msgs[0], &domain->refresh_expired_interval, - CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL, -Index: sssd-2.2.3/src/confdb/confdb.h -=================================================================== ---- sssd-2.2.3.orig/src/confdb/confdb.h -+++ sssd-2.2.3/src/confdb/confdb.h -@@ -230,6 +230,7 @@ - #define CONFDB_DOMAIN_AUTOFS_CACHE_TIMEOUT "entry_cache_autofs_timeout" - #define CONFDB_DOMAIN_SUDO_CACHE_TIMEOUT "entry_cache_sudo_timeout" - #define CONFDB_DOMAIN_SSH_HOST_CACHE_TIMEOUT "entry_cache_ssh_host_timeout" -+#define CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT "entry_cache_computer_timeout" - #define CONFDB_DOMAIN_PWD_EXPIRATION_WARNING "pwd_expiration_warning" - #define CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL "refresh_expired_interval" - #define CONFDB_DOMAIN_OFFLINE_TIMEOUT "offline_timeout" -@@ -373,6 +374,7 @@ struct sss_domain_info { - uint32_t autofsmap_timeout; - uint32_t sudo_timeout; - uint32_t ssh_host_timeout; -+ uint32_t computer_timeout; - - uint32_t refresh_expired_interval; - uint32_t subdomain_refresh_interval; -Index: sssd-2.2.3/src/config/cfg_rules.ini -=================================================================== ---- sssd-2.2.3.orig/src/config/cfg_rules.ini -+++ sssd-2.2.3/src/config/cfg_rules.ini -@@ -403,6 +403,7 @@ option = entry_cache_service_timeout - option = entry_cache_autofs_timeout - option = entry_cache_sudo_timeout - option = entry_cache_ssh_host_timeout -+option = entry_cache_computer_timeout - option = refresh_expired_interval - - # Dynamic DNS updates -Index: sssd-2.2.3/src/db/sysdb_computer.c 
-=================================================================== ---- /dev/null -+++ sssd-2.2.3/src/db/sysdb_computer.c -@@ -0,0 +1,185 @@ -+/* -+ SSSD -+ -+ Authors: -+ Samuel Cabrero -+ David Mulder -+ -+ Copyright (C) 2019 SUSE LINUX GmbH, Nuernberg, Germany. -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include -+ -+#include "db/sysdb.h" -+#include "db/sysdb_private.h" -+#include "db/sysdb_computer.h" -+ -+static errno_t -+sysdb_search_computer(TALLOC_CTX *mem_ctx, -+ struct sss_domain_info *domain, -+ const char *filter, -+ const char **attrs, -+ size_t *_num_hosts, -+ struct ldb_message ***_hosts) -+{ -+ errno_t ret; -+ TALLOC_CTX *tmp_ctx; -+ struct ldb_message **results; -+ size_t num_results; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (!tmp_ctx) { -+ return ENOMEM; -+ } -+ -+ ret = sysdb_search_custom(tmp_ctx, domain, filter, -+ COMPUTERS_SUBDIR, attrs, -+ &num_results, &results); -+ if (ret != EOK && ret != ENOENT) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Error looking up host [%d]: %s\n", -+ ret, strerror(ret)); -+ goto done; -+ } else if (ret == ENOENT) { -+ DEBUG(SSSDBG_TRACE_FUNC, "No such host\n"); -+ *_hosts = NULL; -+ *_num_hosts = 0; -+ goto done; -+ } -+ -+ *_hosts = talloc_steal(mem_ctx, results); -+ *_num_hosts = num_results; -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ -+ return ret; -+} -+ -+int -+sysdb_get_computer(TALLOC_CTX *mem_ctx, -+ struct sss_domain_info 
*domain, -+ const char *computer_name, -+ const char **attrs, -+ struct ldb_message **_computer) -+{ -+ TALLOC_CTX *tmp_ctx; -+ errno_t ret; -+ const char *filter; -+ struct ldb_message **hosts; -+ size_t num_hosts; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (!tmp_ctx) { -+ return ENOMEM; -+ } -+ -+ filter = talloc_asprintf(tmp_ctx, SYSDB_COMP_FILTER, computer_name); -+ if (!filter) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = sysdb_search_computer(tmp_ctx, domain, filter, attrs, -+ &num_hosts, &hosts); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ if (num_hosts != 1) { -+ ret = EINVAL; -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Did not find a single host with name %s\n", computer_name); -+ goto done; -+ } -+ -+ *_computer = talloc_steal(mem_ctx, hosts[0]); -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ -+ return ret; -+} -+ -+int -+sysdb_set_computer(TALLOC_CTX *mem_ctx, -+ struct sss_domain_info *domain, -+ const char *computer_name, -+ const char *sid_str, -+ int cache_timeout, -+ time_t now) -+{ -+ TALLOC_CTX *tmp_ctx; -+ int ret; -+ struct sysdb_attrs *attrs; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (!tmp_ctx) { -+ return ENOMEM; -+ } -+ -+ attrs = sysdb_new_attrs(tmp_ctx); -+ if (!attrs) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, sid_str); -+ if (ret) goto done; -+ -+ ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS, SYSDB_COMPUTER_CLASS); -+ if (ret) goto done; -+ -+ ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, computer_name); -+ if (ret) goto done; -+ -+ /* creation time */ -+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CREATE_TIME, now); -+ if (ret) goto done; -+ -+ /* Set a cache expire time. There is a periodic task that cleans up -+ * expired entries from the cache even when enumeration is disabled */ -+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, -+ cache_timeout ? 
(now + cache_timeout) : 0); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Could not set sysdb cache expire [%d]: %s\n", -+ ret, strerror(ret)); -+ goto done; -+ } -+ -+ ret = sysdb_store_custom(domain, computer_name, COMPUTERS_SUBDIR, attrs); -+ if (ret) goto done; -+ -+ /* FIXME As a future improvement we have to extend domain enumeration. -+ * When 'enumerate = true' for a domain, sssd starts a periodic task -+ * that brings all users and groups to the cache, cleaning up -+ * stale objects after each run. If enumeration is disabled, the cleanup -+ * task for expired entries is started instead. -+ * -+ * We have to extend the enumeration task to fetch 'computer' -+ * objects as well (see ad_id_enumeration_send, the entry point of the -+ * enumeration task for the id provider). -+ */ -+done: -+ if (ret) { -+ DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, strerror(ret)); -+ } -+ talloc_zfree(tmp_ctx); -+ -+ return ret; -+} -Index: sssd-2.2.3/src/db/sysdb_computer.h -=================================================================== ---- /dev/null -+++ sssd-2.2.3/src/db/sysdb_computer.h -@@ -0,0 +1,51 @@ -+/* -+ SSSD -+ -+ Authors: -+ Samuel Cabrero -+ David Mulder -+ -+ Copyright (C) 2019 SUSE LINUX GmbH, Nuernberg, Germany. -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . 
-+*/ -+ -+#ifndef SYSDB_COMPUTERS_H_ -+#define SYSDB_COMPUTERS_H_ -+ -+#include "db/sysdb.h" -+ -+#define COMPUTERS_SUBDIR "computers" -+#define SYSDB_COMPUTER_CLASS "computer" -+#define SYSDB_COMPUTERS_CONTAINER "cn="COMPUTERS_SUBDIR -+#define SYSDB_TMPL_COMPUTER_BASE SYSDB_COMPUTERS_CONTAINER","SYSDB_DOM_BASE -+#define SYSDB_TMPL_COMPUTER SYSDB_NAME"=%s,"SYSDB_TMPL_COMPUTER_BASE -+#define SYSDB_COMP_FILTER "(&("SYSDB_NAME"=%s)("SYSDB_OBJECTCLASS"="SYSDB_COMPUTER_CLASS"))" -+ -+int -+sysdb_get_computer(TALLOC_CTX *mem_ctx, -+ struct sss_domain_info *domain, -+ const char *computer_name, -+ const char **attrs, -+ struct ldb_message **computer); -+ -+int -+sysdb_set_computer(TALLOC_CTX *mem_ctx, -+ struct sss_domain_info *domain, -+ const char *computer_name, -+ const char *sid_str, -+ int cache_timeout, -+ time_t now); -+ -+#endif /* SYSDB_COMPUTERS_H_ */ -Index: sssd-2.2.3/src/man/sssd-ad.5.xml -=================================================================== ---- sssd-2.2.3.orig/src/man/sssd-ad.5.xml -+++ sssd-2.2.3/src/man/sssd-ad.5.xml -@@ -407,13 +407,6 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.19 - always apply also to the user. - - -- NOTE: The current version of SSSD does not support -- host (computer) entries in the GPO 'Security -- Filtering' list. Only user and group entries are -- supported. Host entries in the list have no -- effect. 
-- -- - NOTE: If the operation mode is set to enforcing, it - is possible that users that were previously allowed - logon access will now be denied logon access (as -Index: sssd-2.2.3/src/man/sssd.conf.5.xml -=================================================================== ---- sssd-2.2.3.orig/src/man/sssd.conf.5.xml -+++ sssd-2.2.3/src/man/sssd.conf.5.xml -@@ -2244,6 +2244,19 @@ p11_uri = library-description=OpenSC%20s - - - -+ entry_cache_computer_timeout (integer) -+ -+ -+ How many seconds to keep the local computer -+ entry before asking the backend again -+ -+ -+ Default: entry_cache_timeout -+ -+ -+ -+ -+ - refresh_expired_interval (integer) - - -Index: sssd-2.2.3/src/providers/ad/ad_gpo.c -=================================================================== ---- sssd-2.2.3.orig/src/providers/ad/ad_gpo.c -+++ sssd-2.2.3/src/providers/ad/ad_gpo.c -@@ -51,6 +51,7 @@ - #include "util/util_sss_idmap.h" - #include - #include -+#include - - /* == gpo-ldap constants =================================================== */ - -@@ -65,6 +66,7 @@ - #define AD_AT_MACHINE_EXT_NAMES "gPCMachineExtensionNames" - #define AD_AT_FUNC_VERSION "gPCFunctionalityVersion" - #define AD_AT_FLAGS "flags" -+#define AD_AT_SID "objectSid" - - #define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000 - #define UAC_SERVER_TRUST_ACCOUNT 0x00002000 -@@ -654,6 +656,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx, - */ - static errno_t - ad_gpo_ace_includes_client_sid(const char *user_sid, -+ const char *host_sid, - const char **group_sids, - int group_size, - struct dom_sid ace_dom_sid, -@@ -662,6 +665,7 @@ ad_gpo_ace_includes_client_sid(const cha - { - int i = 0; - struct dom_sid *user_dom_sid; -+ struct dom_sid *host_dom_sid; - struct dom_sid *group_dom_sid; - enum idmap_error_code err; - bool included = false; -@@ -679,6 +683,19 @@ ad_gpo_ace_includes_client_sid(const cha - return EOK; - } - -+ err = sss_idmap_sid_to_smb_sid(idmap_ctx, host_sid, &host_dom_sid); -+ if (err != IDMAP_SUCCESS) { -+ 
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n"); -+ return EFAULT; -+ } -+ -+ included = ad_gpo_dom_sid_equal(&ace_dom_sid, host_dom_sid); -+ sss_idmap_free_smb_sid(idmap_ctx, host_dom_sid); -+ if (included) { -+ *_included = true; -+ return EOK; -+ } -+ - for (i = 0; i < group_size; i++) { - err = sss_idmap_sid_to_smb_sid(idmap_ctx, group_sids[i], &group_dom_sid); - if (err != IDMAP_SUCCESS) { -@@ -728,6 +745,7 @@ ad_gpo_ace_includes_client_sid(const cha - static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace, - struct sss_idmap_ctx *idmap_ctx, - const char *user_sid, -+ const char *host_sid, - const char **group_sids, - int group_size) - { -@@ -741,8 +759,9 @@ static enum ace_eval_status ad_gpo_evalu - return AD_GPO_ACE_NEUTRAL; - } - -- ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, -- ace->trustee, idmap_ctx, &included); -+ ret = ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, -+ group_size, ace->trustee, idmap_ctx, -+ &included); - - if (ret != EOK) { - return AD_GPO_ACE_DENIED; -@@ -786,6 +805,7 @@ static enum ace_eval_status ad_gpo_evalu - static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl, - struct sss_idmap_ctx *idmap_ctx, - const char *user_sid, -+ const char *host_sid, - const char **group_sids, - int group_size, - bool *_dacl_access_allowed) -@@ -810,7 +830,7 @@ static errno_t ad_gpo_evaluate_dacl(stru - for (i = 0; i < dacl->num_aces; i ++) { - ace = &dacl->aces[i]; - -- ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid, -+ ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid, host_sid, - group_sids, group_size); - - switch (ace_status) { -@@ -838,6 +858,7 @@ static errno_t ad_gpo_evaluate_dacl(stru - static errno_t - ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, - const char *user, -+ const char *host_sid, - struct sss_domain_info *domain, - struct sss_idmap_ctx *idmap_ctx, - struct gp_gpo **candidate_gpos, -@@ -927,8 +948,8 @@ 
ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *m - break; - } - -- ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, group_sids, -- group_size, &access_allowed); -+ ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, host_sid, -+ group_sids, group_size, &access_allowed); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, "Could not determine if GPO is applicable\n"); - continue; -@@ -1602,6 +1623,7 @@ struct ad_gpo_access_state { - const char *user; - int gpo_timeout_option; - const char *ad_hostname; -+ const char *host_sid; - const char *target_dn; - struct gp_gpo **dacl_filtered_gpos; - int num_dacl_filtered_gpos; -@@ -1617,6 +1639,7 @@ static void ad_gpo_process_gpo_done(stru - - static errno_t ad_gpo_cse_step(struct tevent_req *req); - static void ad_gpo_cse_done(struct tevent_req *subreq); -+static void ad_gpo_get_host_sid_retrieval_done(struct tevent_req *subreq); - - struct tevent_req * - ad_gpo_access_send(TALLOC_CTX *mem_ctx, -@@ -1924,6 +1947,11 @@ ad_gpo_target_dn_retrieval_done(struct t - struct sysdb_attrs **reply; - const char *target_dn = NULL; - uint32_t uac; -+ char *filter = NULL; -+ char *domain_dn; -+ const char *attrs[] = {AD_AT_SID, NULL}; -+ struct ldb_message *msg; -+ static const char *host_attrs[] = { SYSDB_SID_STR, NULL }; - - req = tevent_req_callback_data(subreq, struct tevent_req); - state = tevent_req_data(req, struct ad_gpo_access_state); -@@ -2008,6 +2036,173 @@ ad_gpo_target_dn_retrieval_done(struct t - goto done; - } - -+ /* Check if computer exists in cache */ -+ ret = sysdb_get_computer(state, state->user_domain, state->ad_hostname, -+ host_attrs, &msg); -+ if (ret == ENOENT) { -+ /* The computer is not in cache so query LDAP server */ -+ /* Convert the domain name into domain DN */ -+ ret = domain_to_basedn(state, state->host_domain->name, &domain_dn); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Cannot convert domain name [%s] to base DN [%d]: %s\n", -+ state->host_domain->name, ret, sss_strerror(ret)); -+ goto done; -+ 
} -+ -+ filter = talloc_asprintf(subreq, SYSDB_COMP_FILTER, state->ad_hostname); -+ if (!filter) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ subreq = sdap_get_generic_send(state, state->ev, state->opts, -+ sdap_id_op_handle(state->sdap_op), -+ domain_dn, LDAP_SCOPE_SUBTREE, -+ filter, attrs, NULL, 0, -+ state->timeout, -+ false); -+ -+ if (subreq == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ tevent_req_set_callback(subreq, ad_gpo_get_host_sid_retrieval_done, req); -+ return; -+ } else if (ret != EOK) { -+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); -+ goto done; -+ } -+ -+ /* The computer exists in the cache, there is no need to query LDAP. -+ * Store the retrieved host sid from cache in the state to avoid querying -+ * the cache again in ad_gpo_get_sids. -+ */ -+ state->host_sid = ldb_msg_find_attr_as_string(msg, SYSDB_SID_STR, NULL); -+ talloc_steal(state, state->host_sid); -+ -+ subreq = ad_gpo_process_som_send(state, -+ state->ev, -+ state->conn, -+ state->ldb_ctx, -+ state->sdap_op, -+ state->opts, -+ state->access_ctx->ad_options, -+ state->timeout, -+ state->target_dn, -+ state->host_domain->name); -+ if (subreq == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ tevent_req_set_callback(subreq, ad_gpo_process_som_done, req); -+ -+ ret = EOK; -+ -+ done: -+ -+ if (ret != EOK) { -+ tevent_req_error(req, ret); -+ } -+ -+} -+ -+enum ndr_err_code -+ndr_pull_dom_sid(struct ndr_pull *ndr, -+ int ndr_flags, -+ struct dom_sid *r); -+ -+static void ad_gpo_get_host_sid_retrieval_done(struct tevent_req *subreq) -+{ -+ struct tevent_req *req; -+ struct ad_gpo_access_state *state; -+ int ret; -+ int dp_error; -+ size_t reply_count; -+ struct sysdb_attrs **reply; -+ struct ldb_message_element *el = NULL; -+ enum ndr_err_code ndr_err; -+ struct dom_sid host_sid; -+ char *sid_str; -+ -+ req = tevent_req_callback_data(subreq, struct tevent_req); -+ state = tevent_req_data(req, struct 
ad_gpo_access_state); -+ -+ ret = sdap_get_generic_recv(subreq, state, -+ &reply_count, &reply); -+ talloc_zfree(subreq); -+ -+ if (ret != EOK) { -+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); -+ -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sdap_get_generic_recv failed: [%d](%s)\n", -+ ret, sss_strerror(ret)); -+ ret = ENOENT; -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ if (reply_count == 0 || !reply) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sdap_get_generic_recv failed to receive host sid\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ /* reply[0] holds the requested attribute */ -+ ret = sysdb_attrs_get_el(reply[0], AD_AT_SID, &el); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_attrs_get_el failed: [%d](%s)\n", -+ ret, sss_strerror(ret)); -+ goto done; -+ } -+ if (el->num_values != 1) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "ad_gpo_get_host_sid_retrieval_done failed: sid not present\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ /* parse the dom_sid from the ldb blob */ -+ ndr_err = ndr_pull_struct_blob_all((DATA_BLOB*)&(el->values[0]), -+ subreq, &host_sid, -+ (ndr_pull_flags_fn_t)ndr_pull_dom_sid); -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "ndr_pull_struct_blob_all failed: [%d]\n", -+ ndr_err); -+ ret = EIO; -+ goto done; -+ } -+ -+ /* Convert the dom_sid to a sid string */ -+ ret = sss_idmap_smb_sid_to_sid(state->opts->idmap_ctx->map, -+ &host_sid, &sid_str); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sss_idmap_smb_sid_to_sid failed: [%d](%s)\n", -+ ret, sss_strerror(ret)); -+ goto done; -+ } -+ state->host_sid = talloc_steal(state, sid_str); -+ -+ /* Put the sid string in the sysdb */ -+ ret = sysdb_set_computer(subreq, state->user_domain, -+ state->ad_hostname, state->host_sid, -+ state->user_domain->computer_timeout, -+ time(NULL)); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_set_computer failed: [%d](%s)\n", -+ ret, sss_strerror(ret)); -+ goto done; -+ } -+ - subreq = ad_gpo_process_som_send(state, - 
state->ev, - state->conn, -@@ -2143,7 +2338,8 @@ ad_gpo_process_gpo_done(struct tevent_re - goto done; - } - -- ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->user_domain, -+ ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->host_sid, -+ state->user_domain, - state->opts->idmap_ctx->map, - candidate_gpos, num_candidate_gpos, - &state->dacl_filtered_gpos, -Index: sssd-2.2.3/src/providers/ad/ad_gpo_ndr.c -=================================================================== ---- sssd-2.2.3.orig/src/providers/ad/ad_gpo_ndr.c -+++ sssd-2.2.3/src/providers/ad/ad_gpo_ndr.c -@@ -248,7 +248,7 @@ ndr_pull_security_ace_object_ctr(struct - return NDR_ERR_SUCCESS; - } - --static enum ndr_err_code -+enum ndr_err_code - ndr_pull_dom_sid(struct ndr_pull *ndr, - int ndr_flags, - struct dom_sid *r) -Index: sssd-2.2.3/src/tests/cmocka/test_ad_gpo.c -=================================================================== ---- sssd-2.2.3.orig/src/tests/cmocka/test_ad_gpo.c -+++ sssd-2.2.3/src/tests/cmocka/test_ad_gpo.c -@@ -267,6 +267,7 @@ void test_populate_gplink_list_malformed - * Test SID-matching logic - */ - static void test_ad_gpo_ace_includes_client_sid(const char *user_sid, -+ const char *host_sid, - const char **group_sids, - int group_size, - struct dom_sid ace_dom_sid, -@@ -286,8 +287,8 @@ static void test_ad_gpo_ace_includes_cli - &idmap_ctx); - assert_int_equal(err, IDMAP_SUCCESS); - -- ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, -- ace_dom_sid, idmap_ctx, -+ ret = ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, -+ group_size, ace_dom_sid, idmap_ctx, - &includes_client_sid); - talloc_free(idmap_ctx); - -@@ -305,13 +306,14 @@ void test_ad_gpo_ace_includes_client_sid - struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}}; - - const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103"; -+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102"; - - int group_size = 2; - 
const char *group_sids[] = {"S-1-5-21-2-3-4", - "S-1-5-21-2-3-5"}; - -- test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, -- ace_dom_sid, true); -+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, -+ group_size, ace_dom_sid, true); - } - - void test_ad_gpo_ace_includes_client_sid_false(void **state) -@@ -320,13 +322,29 @@ void test_ad_gpo_ace_includes_client_sid - struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}}; - - const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103"; -+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102"; - - int group_size = 2; - const char *group_sids[] = {"S-1-5-21-2-3-5", - "S-1-5-21-2-3-6"}; - -- test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, -- ace_dom_sid, false); -+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, -+ group_size, ace_dom_sid, false); -+} -+ -+void test_ad_gpo_ace_includes_host_sid_true(void **state) -+{ -+ /* ace_dom_sid represents "S-1-5-21-1898687337-2196588786-2775055786-2102" */ -+ struct dom_sid ace_dom_sid = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 1898687337, 2196588786, 2775055786, 2102}}; -+ -+ const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103"; -+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102"; -+ -+ int group_size = 0; -+ const char *group_sids[] = {}; -+ -+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, -+ group_size, ace_dom_sid, true); - } - - int main(int argc, const char *argv[]) -@@ -364,6 +382,9 @@ int main(int argc, const char *argv[]) - cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false, - ad_gpo_test_setup, - ad_gpo_test_teardown), -+ cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true, -+ ad_gpo_test_setup, -+ ad_gpo_test_teardown), - }; - - /* Set debug level to invalid value so we can decide if -d 0 was used. */ 
diff --git a/sssd.changes b/sssd.changes
index 3a08a9e..09b2798 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue May 19 11:32:22 UTC 2020 - Jan Engelhardt
+
+- Update to release 2.3.0
+ * SSSD can now handle hosts and networks nsswitch databases
+ (see resolve_provider option).
+ * By default, authentication request only refresh user's
+ initgroups if it is expired or there is not active user's
+ session (see pam_initgroups_scheme option).
+ * OpenSSL is used as default crypto provider, NSS is deprecated.
+ * The AD provider now defaults to GSS-SPNEGO SASL mechanism
+ (see ldap_sasl_mech option).
+ * The AD provider can now be configured to use only ldaps port
+ (see ad_use_ldaps option).
+ * SSSD now accepts host entries from GPO's security filter.
+ * New debug level (0x10000) added for low level LDB messages
+ only (see sssd.conf man page).
+- Drop sssd-gpo_host_security_filter-2.2.2.patch,
+ 0001-Resolve-computer-lookup-failure-when-sam-cn.patch,
+ 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
+- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+ (unapplicable)
+
 -------------------------------------------------------------------
 Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index 550e59f..fa21feb 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -18,22 +18,18 @@ %define _buildshell /bin/bash
 Name: sssd
-Version: 2.2.3
+Version: 2.3.0
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later and LGPL-3.0-or-later
 Group: System/Daemons
 URL: https://pagure.io/SSSD/sssd
 #Git-Clone: https://pagure.io/SSSD/sssd
-Source: https://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz
-Source2: https://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc
+Source: https://github.com/SSSD/sssd/releases/download/sssd-2_3_0/%name-%version.tar.gz
+Source2: https://github.com/SSSD/sssd/releases/download/sssd-2_3_0/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source5: %name.keyring
 Patch1: krb-noversion.diff
-Patch2: sssd-gpo_host_security_filter-2.2.2.patch
-Patch3: 0001-Resolve-computer-lookup-failure-when-sam-cn.patch
-Patch4: 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
-Patch5: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
 %define servicename sssd
 %define sssdstatedir %_localstatedir/lib/sss
@@ -45,23 +41,23 @@ Patch5: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
+BuildRequires: check-devel
 BuildRequires: cifs-utils-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: docbook-xsl-stylesheets
 BuildRequires: krb5-devel >= 1.12
+BuildRequires: libcmocka-devel
 BuildRequires: libsmbclient-devel
 BuildRequires: libtool
 BuildRequires: libxml2-tools
 BuildRequires: libxslt-tools
 BuildRequires: nscd
+BuildRequires: nss_wrapper
 BuildRequires: openldap2-devel
 BuildRequires: pam-devel
 BuildRequires: pkg-config >= 0.21
 BuildRequires: systemd-rpm-macros
-BuildRequires: libcmocka-devel
-BuildRequires: nss_wrapper
 BuildRequires: uid_wrapper
-BuildRequires: check-devel
 BuildRequires: pkgconfig(augeas) >= 1.0.0
 BuildRequires: pkgconfig(collection) >= 0.5.1
 BuildRequires: pkgconfig(dbus-1) >= 1.0.0
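Review bot: The new Source/Source2 URLs hardcode the release tag `sssd-2_3_0` while the file name is still built from `%name-%version`, so the next bump has to be edited in three places and a forgotten tag would fetch the previous release's asset without any spec-level error. Keeping the tag beside Version, e.g. `%define tagver 2_3_0` and `Source: https://github.com/SSSD/sssd/releases/download/sssd-%tagver/%name-%version.tar.gz` (likewise for Source2), keeps the two from drifting. Moving the download origin from releases.pagure.org to GitHub also changes what the detached `.asc` is checked against; Source5 `%name.keyring` is untouched in this diff, so the 2.3.0 tarball presumably verified against the existing signing key, which is worth recording in the changelog entry. The `releases/download/` path is the maintainer-uploaded asset rather than GitHub's auto-generated tag archive, which is the only form a detached signature can match, so that part of the change looks right.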
@@ -447,7 +443,7 @@ rm -Rfv "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug"
 %check
 # sss_config-tests fails
-make %{?_smp_mflags} check ||:
+make %{?_smp_mflags} check || :
 %pre
 %service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
@@ -606,7 +602,6 @@ rm -f /var/lib/sss/db/*.ldb
 %_libdir/cifs-utils/
 %_libdir/krb5/
 %_libdir/%name/modules/sssd_krb5_localauth_plugin.so
-%_mandir/??/man8/pam_sss.8*
 %_mandir/??/man8/sssd_krb5_locator_plugin.8*
 %_mandir/man8/pam_sss.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*