From 77a4f94e7715f05770e59eda25e67b5a2ff8be3a8ebf43d783efaef3dc93a948 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 31 Aug 2018 11:12:24 +0000
Subject: [PATCH 1/4] Accepting request 632454 from home:kbabioch:branches:network:ldap

- Update to upstream release 1.16.3

OBS-URL: https://build.opensuse.org/request/show/632454
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=206
---
 ...the-socket-with-stricter-permissions.patch | 45 -------------
 0002-intg-Do-not-hardcode-nsslibdir.patch | 44 -------------
 0003-Fix-build-for-1-16-2-version.patch | 13 ----
 sssd-1.16.2.tar.gz | 3 -
 sssd-1.16.2.tar.gz.asc | 6 --
 sssd-1.16.3.tar.gz | 3 +
 sssd-1.16.3.tar.gz.asc | 10 +++
 sssd.changes | 66 +++++++++++++++++++
 sssd.spec | 8 +--
 9 files changed, 80 insertions(+), 118 deletions(-)
 delete mode 100644 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
 delete mode 100644 0002-intg-Do-not-hardcode-nsslibdir.patch
 delete mode 100644 0003-Fix-build-for-1-16-2-version.patch
 delete mode 100644 sssd-1.16.2.tar.gz
 delete mode 100644 sssd-1.16.2.tar.gz.asc
 create mode 100644 sssd-1.16.3.tar.gz
 create mode 100644 sssd-1.16.3.tar.gz.asc

diff --git a/0001-SUDO-Create-the-socket-with-stricter-permissions.patch b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
deleted file mode 100644
index 17aa40f..0000000
--- a/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Fri, 15 Jun 2018 22:29:34 +0200
-Subject: [PATCH] SUDO: Create the socket with stricter permissions
-
-This patch switches the sudo responder from being created as a public
-responder where the permissions are open and not checked by the sssd
-deaamon to a private socket. In this case, sssd creates the pipes with
-strict permissions (see the umask in the call to create_pipe_fd() in
-set_unix_socket()) and additionaly checks the permissions with every read
-via the tevent integrations (see accept_fd_handler()).
----
- src/responder/sudo/sudosrv.c | 3 ++-
- src/sysv/systemd/sssd-sudo.socket.in | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
-index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
---- a/src/responder/sudo/sudosrv.c
-+++ b/src/responder/sudo/sudosrv.c
-@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
- sudo_cmds = get_sudo_cmds();
- ret = sss_process_init(mem_ctx, ev, cdb,
- sudo_cmds,
-- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
-+ NULL, -1, /* No public socket */
-+ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
- CONFDB_SUDO_CONF_ENTRY,
- SSS_SUDO_SBUS_SERVICE_NAME,
- SSS_SUDO_SBUS_SERVICE_VERSION,
-diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
-index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
---- a/src/sysv/systemd/sssd-sudo.socket.in
-+++ b/src/sysv/systemd/sssd-sudo.socket.in
-@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
- ListenStream=@pipepath@/sudo
- SocketUser=@SSSD_USER@
- SocketGroup=@SSSD_USER@
-+SocketMode=0600
-
- [Install]
- WantedBy=sssd.service
---
-2.14.3
-
diff --git a/0002-intg-Do-not-hardcode-nsslibdir.patch b/0002-intg-Do-not-hardcode-nsslibdir.patch
deleted file mode 100644
index 08f8543..0000000
--- a/0002-intg-Do-not-hardcode-nsslibdir.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Tue, 12 Jun 2018 19:07:52 +0200
-Subject: [PATCH] intg: Do not hardcode nsslibdir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This change is needed in order to have make intgcheck-run properly
-running on opensuse systems.
-
-Signed-off-by: Fabiano Fidêncio
-Reviewed-by: Chris Kowalczyk
-Reviewed-by: Michal Židek
----
- src/tests/intg/Makefile.am | 1 +
- src/tests/intg/config.py.m4 | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
-index 9c5338261..4bd427669 100644
---- a/src/tests/intg/Makefile.am
-+++ b/src/tests/intg/Makefile.am
-@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
- config.py: config.py.m4
- m4 -D "prefix=\`$(prefix)'" \
- -D "sysconfdir=\`$(sysconfdir)'" \
-+ -D "nsslibdir=\`$(nsslibdir)'" \
- -D "dbpath=\`$(dbpath)'" \
- -D "pidpath=\`$(pidpath)'" \
- -D "logpath=\`$(logpath)'" \
-diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
-index 6e011b692..04f78d869 100644
---- a/src/tests/intg/config.py.m4
-+++ b/src/tests/intg/config.py.m4
-@@ -4,7 +4,7 @@ Build configuration variables.
-
- PREFIX = "prefix"
- SYSCONFDIR = "sysconfdir"
--NSS_MODULE_DIR = PREFIX + "/lib"
-+NSS_MODULE_DIR = "nsslibdir"
- SSSDCONFDIR = SYSCONFDIR + "/sssd"
- CONF_PATH = SSSDCONFDIR + "/sssd.conf"
- DB_PATH = "dbpath"
diff --git a/0003-Fix-build-for-1-16-2-version.patch b/0003-Fix-build-for-1-16-2-version.patch
deleted file mode 100644
index 9903e33..0000000
--- a/0003-Fix-build-for-1-16-2-version.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/Makefile.am b/Makefile.am
-index 9539b3c..8e76a03 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
- $(TALLOC_LIBS) \
- $(TEVENT_LIBS) \
- libsss_crypt.la \
-+ libsss_child.la \
- libsss_debug.la \
- libsss_certmap.la \
- $(NULL)
-
diff --git a/sssd-1.16.2.tar.gz b/sssd-1.16.2.tar.gz
deleted file mode 100644
index b93018f..0000000
--- a/sssd-1.16.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
-size 6174144
diff --git a/sssd-1.16.2.tar.gz.asc b/sssd-1.16.2.tar.gz.asc
deleted file mode 100644
index 7440ddd..0000000
--- a/sssd-1.16.2.tar.gz.asc
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh
-fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8
-=U4k5
------END PGP SIGNATURE-----
diff --git a/sssd-1.16.3.tar.gz b/sssd-1.16.3.tar.gz
new file mode 100644
index 0000000..ab7017d
--- /dev/null
+++ b/sssd-1.16.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4
+size 6217114
diff --git a/sssd-1.16.3.tar.gz.asc b/sssd-1.16.3.tar.gz.asc
new file mode 100644
index 0000000..b107df9
--- /dev/null
+++ b/sssd-1.16.3.tar.gz.asc
@@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAABAgAGBQJbcDdwAAoJEHDBRgYiUL36CW0H/2gGY35HxXQNiufErxIMT3/9
+8Uq5EqTOYUlmScijvT3J1AXPg5Sw/KP65cBSOaZYNyzzBcr8GwaM19y3/WInFA5z
+tWTHfAmVusIvLijmWmfw9qGY6X8386S2g+wbTn7WsMYb0Spt8K2l+OgQDIq7sIx5
+iSPfICt/HgESBkC0YEsaVq5S4kQLS6w3pJEclkwoj22jl831FHlVmQ8K2G369/Iz
+YycSYK7qXWvs8YSzsihA3zvjGT9v2vZQWamE5gkHlXZEPkJYIR3ant7Ziux4zIrA
+n/fuIWZCWu/gR4jtg3vmrcRVLnOo1ukqdrDmE4v/CiJrvS/H4McCZUhiUaXQ9Us=
+=Fx4X
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 94e109f..2ddc347 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
+
+- Update to upstream release 1.16.3
+
+New Features
+
+- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
+ discovered for a Kerberos realm used to be only generated for the joined
+ domain, not the trusted domains. Starting with this release, the kdcinfo files
+ are generated automatically also for trusted domains in setups that use
+ id_provider=ad and IPA masters in a trust relationship with an AD domain.
+
+- The SSSD Kerberos locator plugin which processes the kdcinfo files and
+ actually tells libkrb5 about the available KDCs can now process multiple
+ address if SSSD generates more than one. At the moment, this feature is only
+ used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
+ manual page for more information about the Kerberos locator plugin.
+
+- On IPA clients, the AD DCs or the AD site which should be used to
+ authenticate users can now be listed in a subdomain section. Please see the
+ feature design page or the section “trusted domains configuration” for more
+ details.
+
+Notable bug fixes
+
+- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
+ anyone else’s sudo rules. This was considered an information leak and
+ assigned CVE-2018-10852 (bsc#1098377)
+- The 1.16.2 release was storing the cached passwords without a salt prefix
+ string. This bug was fixed in this release, but any password hashes generated
+ by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
+ that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
+ server is reachable so that the first authentication after the upgrade fix the
+ cached password.
+- The sss_ssh proces leaked file descriptors when converting more than one x509
+ certificate to SSH public key
+- SSSD, when configured with id_provider=ad was using too expensive LDAP search
+ to find out whether the required POSIX attributes were replicated to the
+ Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
+ is much more effective
+- The PAC responder is now able to process Domain Local in case the PAC uses
+ SID compression. Typicaly this is the case with Windows Server 2012 and newer
+- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
+ when the matching key is found before the rest of the output is read. The
+ sss_ssh_authorizedkeys helper was not handling this behaviour well and would
+ exit with SIGPIPE, which also meant the public key authentication failed
+- User lookups no longer fail if user’s e-mail address conflicts with another
+ user’s fully qualified name
+- The override_shell and override_homedir options are no longer applied to
+ entries from the files domain.
+- Several bugs related to the FleetCommander integration were fixed
+- The grace logins with an expired password when authenticating against certain
+ newer versions of the 389DS/RHDS LDAP server did not work
+- Whitespace around netgroup triple separator is now stripped
+- The sss_ssh_knownhostproxy utility can now print the host key without
+ proxying the connection.
+- Due to an overly restrictive check, the fast in-memory cache was sometimes
+ skipped, which caused a high load on the sssd_nss process
+
+Removed patches that are included upstream now:
+
+- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+- 0002-intg-Do-not-hardcode-nsslibdir.patch
+- 0003-Fix-build-for-1-16-2-version.patch
+
 -------------------------------------------------------------------
 Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com

diff --git a/sssd.spec b/sssd.spec
index 7adfc7e..5c66d09 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,7 +17,7 @@ Name: sssd
-Version: 1.16.2
+Version: 1.16.3
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0+ and LGPL-3.0+
@@ -31,9 +31,6 @@ Source3: baselibs.conf
 Source4: sssd.service
 Source5: %name.keyring
 BuildRoot: %_tmppath/%name-%version-build
-Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
-Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch
-Patch3: 0003-Fix-build-for-1-16-2-version.patch
 %define servicename sssd
 %define sssdstatedir %_localstatedir/lib/sss
@@ -367,9 +364,6 @@ Security Services Daemon (sssd).
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
 %build
 %if 0%{?suse_version} < 1210

From c5d8619327b1ca5ffbd1e341776c69ea37720296941c63c9b74fedb316a7194f Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 31 Aug 2018 11:20:00 +0000
Subject: [PATCH 2/4] Compact overly long changelog, wrap to 66 cols as demanded

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=207
---
 sssd.changes | 92 ++++++++++++++++++----------------------------------
 1 file changed, 31 insertions(+), 61 deletions(-)

diff --git a/sssd.changes b/sssd.changes
index 2ddc347..102ddc1 100644
--- a/sssd.changes
+++ b/sssd.changes
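Review bot: The `Source5: %name.keyring` context line in the second hunk points at a keyring that, at this revision, still holds only the 1024D/32E7BC25 key (see the removed side of the sssd.keyring hunk in 4/4), while the sssd-1.16.3.tar.gz.asc added in this same commit is issued by a different key: its unhashed issuer subpacket (`AAoJEHDBRgYiUL36`) decodes to key ID 70C1460622 50BDFA, the 2250BDFA key that is only imported three commits later. Between rev 206 and rev 209 the new `.asc` therefore cannot be validated against the packaged keyring, so the keyring replacement belongs in this commit, alongside the tarball that needs it. I would also record in sssd.changes that the upstream signing key changed and how the new key was verified, so that a later reviewer does not have to decode the signature packet to notice the rollover.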
@@ -2,67 +2,37 @@
 Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com

 - Update to upstream release 1.16.3
-
-New Features
-
-- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
- discovered for a Kerberos realm used to be only generated for the joined
- domain, not the trusted domains. Starting with this release, the kdcinfo files
- are generated automatically also for trusted domains in setups that use
- id_provider=ad and IPA masters in a trust relationship with an AD domain.
-
-- The SSSD Kerberos locator plugin which processes the kdcinfo files and
- actually tells libkrb5 about the available KDCs can now process multiple
- address if SSSD generates more than one. At the moment, this feature is only
- used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
- manual page for more information about the Kerberos locator plugin.
-
-- On IPA clients, the AD DCs or the AD site which should be used to
- authenticate users can now be listed in a subdomain section. Please see the
- feature design page or the section “trusted domains configuration” for more
- details.
-
-Notable bug fixes
-
-- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
- anyone else’s sudo rules. This was considered an information leak and
- assigned CVE-2018-10852 (bsc#1098377)
-- The 1.16.2 release was storing the cached passwords without a salt prefix
- string. This bug was fixed in this release, but any password hashes generated
- by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
- that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
- server is reachable so that the first authentication after the upgrade fix the
- cached password.
-- The sss_ssh proces leaked file descriptors when converting more than one x509
- certificate to SSH public key
-- SSSD, when configured with id_provider=ad was using too expensive LDAP search
- to find out whether the required POSIX attributes were replicated to the
- Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
- is much more effective
-- The PAC responder is now able to process Domain Local in case the PAC uses
- SID compression. Typicaly this is the case with Windows Server 2012 and newer
-- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
- when the matching key is found before the rest of the output is read. The
- sss_ssh_authorizedkeys helper was not handling this behaviour well and would
- exit with SIGPIPE, which also meant the public key authentication failed
-- User lookups no longer fail if user’s e-mail address conflicts with another
- user’s fully qualified name
-- The override_shell and override_homedir options are no longer applied to
- entries from the files domain.
-- Several bugs related to the FleetCommander integration were fixed
-- The grace logins with an expired password when authenticating against certain
- newer versions of the 389DS/RHDS LDAP server did not work
-- Whitespace around netgroup triple separator is now stripped
-- The sss_ssh_knownhostproxy utility can now print the host key without
- proxying the connection.
-- Due to an overly restrictive check, the fast in-memory cache was sometimes
- skipped, which caused a high load on the sssd_nss process
-
-Removed patches that are included upstream now:
-
-- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
-- 0002-intg-Do-not-hardcode-nsslibdir.patch
-- 0003-Fix-build-for-1-16-2-version.patch
+ * New Features:
+ * kdcinfo files for informing krb5 about discovered KDCs are
+ now also generated for trusted domains in setups that use
+ id_provider=ad and IPA masters in a trust relationship with
+ an AD domain.
+ * The Kerberlos locator plugin can now process multiple
+ address if SSSD generates more than one. A
+ * Bug fixes:
+ * Fixed information leak due to incorrect permissions on
+ /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
+ * Cached password are now stored with a salt. Old ones will be
+ regenerated on next authentication, and the auth server needs
+ to be reachable for that.
+ * The sss_ssh proces leaked file descriptors when converting
+ more than one X.509 certificate to an SSH public key.
+ * The PAC responder is now able to process Domain Local in case
+ the PAC uses SID compression (Windows Server 2012+).
+ * Address the issue that some versions of OpenSSH would close
+ the pipe towards sss_ssh_authorizedkeys when the matching key
+ is found before the rest of the output is read.
+ * User lookups no longer fail if user's e-mail address
+ conflicts with another user's fully qualified name.
+ * The override_shell and override_homedir options are no longer
+ applied to entries from the files domain.
+ * The grace logins with an expired password when authenticating
+ against certain newer versions of the 389DS/RHDS LDAP server
+ did not work.
+- Removed patches that are included upstream now:
+ 0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
+ 0002-intg-Do-not-hardcode-nsslibdir.patch,
+ 0003-Fix-build-for-1-16-2-version.patch

 -------------------------------------------------------------------
 Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com

From 298c91a09cd3d610e0a566571fd697dab9e51b096e5f72a247807840ceb2a1f6 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 7 Sep 2018 19:39:51 +0000
Subject: [PATCH 3/4] - Update to new upstream release 2.0.0

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=208
---
 sssd-1.16.3.tar.gz | 3 ---
 sssd-1.16.3.tar.gz.asc | 10 ----------
 sssd-2.0.0.tar.gz | 3 +++
 sssd-2.0.0.tar.gz.asc | 10 ++++++++++
 sssd.changes | 21 +++++++++++++++++++++
 sssd.spec | 17 +++++++---------
 6 files changed, 41 insertions(+), 23 deletions(-)
 del
ete mode 100644 sssd-1.16.3.tar.gz
 delete mode 100644 sssd-1.16.3.tar.gz.asc
 create mode 100644 sssd-2.0.0.tar.gz
 create mode 100644 sssd-2.0.0.tar.gz.asc

diff --git a/sssd-1.16.3.tar.gz b/sssd-1.16.3.tar.gz
deleted file mode 100644
index ab7017d..0000000
--- a/sssd-1.16.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4
-size 6217114
diff --git a/sssd-1.16.3.tar.gz.asc b/sssd-1.16.3.tar.gz.asc
deleted file mode 100644
index b107df9..0000000
--- a/sssd-1.16.3.tar.gz.asc
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEcBAABAgAGBQJbcDdwAAoJEHDBRgYiUL36CW0H/2gGY35HxXQNiufErxIMT3/9
-8Uq5EqTOYUlmScijvT3J1AXPg5Sw/KP65cBSOaZYNyzzBcr8GwaM19y3/WInFA5z
-tWTHfAmVusIvLijmWmfw9qGY6X8386S2g+wbTn7WsMYb0Spt8K2l+OgQDIq7sIx5
-iSPfICt/HgESBkC0YEsaVq5S4kQLS6w3pJEclkwoj22jl831FHlVmQ8K2G369/Iz
-YycSYK7qXWvs8YSzsihA3zvjGT9v2vZQWamE5gkHlXZEPkJYIR3ant7Ziux4zIrA
-n/fuIWZCWu/gR4jtg3vmrcRVLnOo1ukqdrDmE4v/CiJrvS/H4McCZUhiUaXQ9Us=
-=Fx4X
------END PGP SIGNATURE-----
diff --git a/sssd-2.0.0.tar.gz b/sssd-2.0.0.tar.gz
new file mode 100644
index 0000000..2591175
--- /dev/null
+++ b/sssd-2.0.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:77569d00dd516e7eba1bfcc2ae562647068d7d16e283e8b3fc4f1e03fc899586
+size 6263376
diff --git a/sssd-2.0.0.tar.gz.asc b/sssd-2.0.0.tar.gz.asc
new file mode 100644
index 0000000..a446f4f
--- /dev/null
+++ b/sssd-2.0.0.tar.gz.asc
@@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAABAgAGBQJbcd4JAAoJEHDBRgYiUL36ZpUH/0R46OWssuYR7gVSoh1UWZdA
+Gg/uPN5iSo0hq6mjU/w7inGb5GxTnbj8WQXo8466EUw98NDTTc7NMLScy83bsb1i
+MIk4eXxm0c5lsRuIFCS+3qtakZtYyjDk+8v6BqRARFFPE9R4j8Cb1BOUurgoMDTg
+IE75AP+QHTxdrPQ/xj4PQcdIZ6qimeztD1IJDrb7hValyMfqs9XHsamXsQwRrfEV
+l0U3eUlsX0vegrQwEG8iOQt4v0cr9jMCahgSnvNZotqiyHUr5VLH901OSZzwPly6
+8+BAp9mnNZ2lG5pqFEXOsI1kmQ5hnXDFu1OcIedkKHdBRMqNZC3ip0k8ow3fbAk=
+=K92m
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 102ddc1..183d423 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Fri Sep 7 18:52:18 UTC 2018 - Jan Engelhardt
+
+- Update to new upstream release 2.0.0
+ * The Python API for managing users and groups in local domains
+ (id_provider=local) was removed completely. The local
+ provider (id_provider=local) and the command line tools to
+ manage users and groups in the local domains, such as
+ sss_useradd is not built anymore.
+ * The LDAP provider had a special-case branch for evaluating
+ group memberships with the RFC2307bis schema when group
+ nesting was explicitly disabled. This codepath is removed.
+ * The "ldap_sudo_include_regexp" option changed its default
+ value from true to false. Wildcards in the sudoHost LDAP
+ attribute are no longer evaluated. This was costly to
+ evaluate on the LDAP server side and at the same time rarely
+ used.
+ * The list of PAM services which are allowed to authenticate
+ using a Smart Card is now configurable using a new option
+ pam_p11_allowed_services.
+
 -------------------------------------------------------------------
 Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com

diff --git a/sssd.spec b/sssd.spec
index 5c66d09..12b3629 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@ Name: sssd
-Version: 1.16.3
+Version: 2.0.0
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0+ and LGPL-3.0+
@@ -59,6 +59,8 @@ BuildRequires: libcmocka-devel
 BuildRequires: nss_wrapper
 BuildRequires: uid_wrapper
 BuildRequires: check-devel
+BuildRequires: python
+BuildRequires: python-xml
 BuildRequires: pkgconfig(augeas) >= 1.0.0
 BuildRequires: pkgconfig(collection) >= 0.5.1
 BuildRequires: pkgconfig(dbus-1) >= 1.0.0
@@ -477,7 +479,6 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_mandir/??/
 %dir %_mandir/??/man[158]/
 %_mandir/??/man1/sss_ssh_*
-%_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
 %_mandir/??/man8/sssd.8*
 %_mandir/??/man5/sss-certmap.5.gz
@@ -501,12 +502,15 @@ rm -f /var/lib/sss/db/*.ldb
 %_mandir/man8/sssd.8*
 %dir %_libdir/%name/
 %_libdir/%name/conf/
+%_libdir/%name/libifp_iface*
 %_libdir/%name/libsss_child*
 %_libdir/%name/libsss_cert*
 %_libdir/%name/libsss_crypt*
 %_libdir/%name/libsss_debug*
 %_libdir/%name/libsss_files*
+%_libdir/%name/libsss_iface*
 %_libdir/%name/libsss_semanage*
+%_libdir/%name/libsss_sbus*
 %_libdir/%name/libsss_simple*
 %_libdir/%name/libsss_util*
 %dir %_libdir/%name/modules/
@@ -638,16 +642,9 @@ rm -f /var/lib/sss/db/*.ldb
 %defattr(-,root,root)
 %_sbindir/sss_cache
 %_sbindir/sss_debuglevel
-%_sbindir/sss_groupadd
-%_sbindir/sss_groupdel
-%_sbindir/sss_groupmod
-%_sbindir/sss_groupshow
 %_sbindir/sss_seed
 %_sbindir/sss_obfuscate
 %_sbindir/sss_override
-%_sbindir/sss_useradd
-%_sbindir/sss_userdel
-%_sbindir/sss_usermod
 %dir %_mandir/??/man8/
 %_mandir/??/man8/sss_*.8*
 %_mandir/man8/sss_*.8*

From 803f439300851c864455d7eedd239e05435dcea9b124eee3f433e433c51a011a Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Mon, 10 Sep 2018 09:17:50 +0000
Subject: [PATCH 4/4]

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=209
---
 sssd.keyring | 57 ++++++++++++++++++++++++----------------------------
 1 file changed, 26 insertions(+), 31 deletions(-)

diff --git a/sssd.keyring b/sssd.keyring
index cbd1779..b01b32b 100644
--- a/sssd.keyring
+++ b/sssd.keyring
@@ -1,34 +1,29 @@
-pub 1024D/32E7BC25 2007-02-02
-uid Jakub Hrozek
-sub 2048g/132DCA21 2007-02-02
-
+pub 2048R/2250BDFA 2018-08-12 Jakub Hrozek
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.19 (GNU/Linux)
+Version: SKS 1.1.6
+Comment: Hostname: pgp.mit.edu

-mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MU
-XQDAKJM7MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0
-R+OiWh8d7ChCG6riv/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWX
-qZoZrm4lPlBZQltfhzdmvn8D/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjg
-q9Knn4sE9lnGjtG4RCYMT2Sideognk9Ah5nWOGynwta6cluCEqlF6ORJPKpAeqG1
-a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/XtMoHSSyPi/Xum6R+jwISv7n
-TMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlSB6tAqN0G7VL6AFcs
-iOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KNtbnCrhS+
-Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv
-emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iF8EExECACAFAkXDdfUCGwMGCwkIBwMC
-BBUCCAMEFgIDAQIeAQIXgAAKCRAexqt1Mue8JSHBAKCjYF/HshYkJ8pSZTilLO0y
-bMWOFwCYlOqF7icGVDFT42W3CoqLfgajCrkCDQRFw3YAEAgAuqo0FxH1XtdOi/qW
-6v+tWdqYHLj/f0Voqj1cbpS+cODNTaX1/Xf4Jnv6vm4lOG5gIkqD1e5UCpG5pDJv
-MkrpY0lYRr5RGoC29tHZYXfEBVEkdhuU7ZTSQRaoitK5TSwjOj5aKvFSHEjMrCWc
-GSUajECQkRHwZb3HK2wqqBWrJjjjPtj+5cQg+sKp7Zp6xU3iZlMoVfdYi/zGenum
-Cp5SMm8CZZ5gcsNZhjItkTww5K//N6Kz41oMYyHlgh029JD0LHPgKacP3KeEEDzS
-DEx/SSEF4zD/EfLDHehga/n0ZisNmxdxue/BI2Lm7qqGNDtV+qa17pIJ6fPfafbS
-AKYatwAECwf/SuMkZN36UDsoOn06qIrYi5JBss3sOfheJEnqUIEO0JCpyb+fqisd
-qoTJM0G5gFpCvuZOACpzzVv0WjhlMIyPl/7UuP4KYI6LGqAARqNxsHT7FNxT0Uv6
-QR8fGPQqVdFLFBd66EBL9PnOt3RDYwtJlD9cMNUNpzWEXjJ3RCk0lZF2eljpPlu0
-Or53OuiommnhmcmjxR5gvMf4pLqURhEZ2U0ylRiTiTIk0YyIASsDnAf0BClFXz4i
-4qSD6jJloKorRC7Mu87xi1DG4ML+FYC/2d53I8OqHBRhtNUt/GbcthsHDxFq5iVp
-NxwDAX1vr65PWv98pvTMnJmjIDhfgwJMdIhJBBgRAgAJBQJFw3YAAhsMAAoJEB7G
-q3Uy57wllOcAoKkHB3lDFWlUNcSLdRCQxfsCCy7zAJ9GLSU2G0HR+hQVMi2ONorE
-i/EyTA==
-=nO6v
+mQENBFtwK6cBCADYyh4mnEJ7DTKIHsONfEYBJM+OTaRG4DeRIyApnEjxxTLugUBUBUQ/lDAI
+BPDqoB661AAj0b0G2aI6JHlZaxE+npHtxKzulJHPfLs7IbIi7xdHutT3CKEBSKkKabSwgKWz
+wd1B91HXBttAzGKBBPxTE63UeZKSAlpvuO69K9WM5J1qZmkEiwxtJssLoyeZjFiOVK4aRq8F
+qm2O8n56Kz0r8TEkb3bNLr1N1Uq3KlAklX3run0uInjjZAw0V3rTBMHBrE/wsjccnBYp5eDE
+6Ff8NxhD28BqIPQp6NMjsZPVJODo03HdN+y7p+p/ca3XV8X7hG2eF0SNGkuhb7I1D+KPABEB
+AAG0IUpha3ViIEhyb3playA8amhyb3pla0ByZWRoYXQuY29tPokBOAQTAQIAIgUCW3ArpwIb
+AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQcMFGBiJQvfop3AgAtSyZmkDq5mZm0aw2
+IPboKXLlbaihofsOEewvkc6BjaDNgrSZKwBrdlFv5SVYvue7e/Jl985/bAqbSyM+LWdk77of
+/SVfGQJAWya+nmQegP2GQm9FNFdTcOHpUGUJbxEw0uLOo7r1RDnp7GdwmprzF8XMptI5mRWS
+pxo3c9oFZ8Y1HI2Uz8jyvMN4DD/X9HGNvxGeLv7D3Jz3oDy3O5kLpqH6rDQOiVSCUdw3mjZc
+iqT3QLcT8PZo49/20NqcTgRekWc4mZIuUrqABlzDNzPAr28is2dZ7k0cyOM6p/o7nU6TdDdT
+h7fdRfUp4GWVsXng7r6TKIYqMbKjbnsdi85qm7kBDQRbcCunAQgAzsipKSdm6+/T0Lms24vK
+2j4xxeBn/CfIAu0HGdeJxUhumSLW5pb8/QjxDp6ooDnxODbagSTYlBb5DQIVu4OkRPspdtPs
+qI6ZX92NdeIHbSTAHyj1M7me9TZ/Y1CqcvxYRnjLbI4CH9Kvi5BuMLMk+MirRjDivJgph1Gr
+rwL7NwLXMWX1bm/252ytal4Fw4ZN0CnDmwCCu2TxWvwfYxtNZ5XgDW5qY62594+nPoCmZR+F
+8UuDlRS2tnKC7nyiWilb4+6iNbKL7yWqZt/l0WChIRAbxBzTR4uxk5Mfe3yhhujEgid3PZwK
+OE67YQ5qaYfUOIaWs8nlgf19twL1hfKggwARAQABiQEfBBgBAgAJBQJbcCunAhsMAAoJEHDB
+RgYiUL36HYwH/1j8b6ZMymcxe3DLvcXy7PJWJL5Tn2xhHaUlWONcXYY922gDH+qk12SjHDES
+sEXGU/4nt9ktoiFeRX4KiFHi84znHBF3PqacriMApCueX/HZHOL45VxoUNEqYK33t8MfPsXc
+qaJa2FQznHaSgpMP27DmsJYlANEcMeDEM4jZKYc9L7l7Jz8WlsyYHR8aqfu4NLXXSsUSUNyQ
+PfiUH91djow08X65Rwv+sAABDGQH66oPf45UWIwn54K7iigK+s2j60H68mqYymb1CerDrw6b
+4K3BCsHqalllAeLCsTqn6nVsHF7V6I99dSG3Ij6DK/AYsuWjrJZ1AMpNHgU63CtybUo=
+=uiHO
 -----END PGP PUBLIC KEY BLOCK-----
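Review bot: The replacement key block is exported straight from an SKS keyserver (`+Version: SKS 1.1.6`, `+Comment: Hostname: pgp.mit.edu`), which authenticates nothing, and as far as the exported packets show it carries only signatures by the key itself — both signature packets name issuer 70C1460622 50BDFA (`CgkQcMFGBiJQvfop` and `AAoJEHDBRgYiUL36`), and I find no certification by the 1024D/32E7BC25 key being removed, so nothing in this repository ties the new key to the previous trust anchor. The header line `+pub 2048R/2250BDFA 2018-08-12 Jakub Hrozek` identifies the key by a 32-bit short ID, which is trivially collidable on public keyservers; it should carry the full 40-hex fingerprint, and the commit message or sssd.changes should say where that fingerprint was cross-checked (upstream release announcement, or a key-transition statement signed by the old key). Note also that the 1.16.3 and 2.0.0 `.asc` files issued by this key were already committed in 1/4 and 3/4, so this keyring update should have accompanied the first of them rather than landing three revisions later.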