From 3a117daca5cbd4589559ca0130173cde7d9ea73ba13cd0e575b6b806bd348491 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Wed, 16 Oct 2024 16:29:57 +0000
Subject: [PATCH] [info=03cfa0ca67c32d9aa59b740572efe4b06c350b3529fdc9dd7d46e7501d8cd398]
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=322
---
.gitattributes | 23 +
.gitignore | 1 +
_scmsync.obsinfo | 4 +
baselibs.conf | 6 +
build.specials.obscpio | 3 +
harden_sssd-ifp.service.patch | 24 +
harden_sssd-kcm.service.patch | 28 +
krb-noversion.diff | 20 +
sssd-2.10.0.tar.gz | 3 +
sssd-2.10.0.tar.gz.asc | 16 +
sssd-2.9.5.tar.gz | 3 +
sssd-2.9.5.tar.gz.asc | 16 +
sssd.changes | 2133 +++++++++++++++++++++++++++++++++
sssd.keyring | 75 ++
sssd.spec | 903 ++++++++++++++
symvers.patch | 181 +++
16 files changed, 3439 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 _scmsync.obsinfo
create mode 100644 baselibs.conf
create mode 100644 build.specials.obscpio
create mode 100644 harden_sssd-ifp.service.patch
create mode 100644 harden_sssd-kcm.service.patch
create mode 100644 krb-noversion.diff
create mode 100644 sssd-2.10.0.tar.gz
create mode 100644 sssd-2.10.0.tar.gz.asc
create mode 100644 sssd-2.9.5.tar.gz
create mode 100644 sssd-2.9.5.tar.gz.asc
create mode 100644 sssd.changes
create mode 100644 sssd.keyring
create mode 100644 sssd.spec
create mode 100644 symvers.patch
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
new file mode 100644
index 0000000..f012edb
--- /dev/null
+++ b/_scmsync.obsinfo
@@ -0,0 +1,4 @@
+mtime: 1728999204
+commit: 03cfa0ca67c32d9aa59b740572efe4b06c350b3529fdc9dd7d46e7501d8cd398
+url: https://src.opensuse.org/jengelh/sssd
+revision: master
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..d35a1bc
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,6 @@
+sssd
+ supplements "packageand(sssd:pam-)"
+ supplements "packageand(sssd:glibc-)"
+ -/usr/lib(64)?/*
+ obsoletes "sssd-common- < "
+ provides "sssd-common- = "
diff --git a/build.specials.obscpio b/build.specials.obscpio
new file mode 100644
index 0000000..5e5e765
--- /dev/null
+++ b/build.specials.obscpio
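Review bot: The baselibs.conf lines `obsoletes "sssd-common- < "` and `provides "sssd-common- = "` as shown here have nothing after the trailing dash and nothing on the right-hand side of the comparison, and both `supplements "packageand(sssd:pam-)"` entries end in a bare dash as well; baselibs.conf normally carries the targettype and version placeholders (written in angle brackets) at exactly those positions. This looks like the placeholders were stripped by whatever rendered this page, but if the committed file really reads this way the generated compat packages would declare an unversioned, nameless relation. Please confirm against the repository copy that the angle-bracket placeholders are present.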
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7109a449ccc8eb4902df46ec34f884b03ad903a916ee172b319361ee93e47ad7
+size 256
diff --git a/harden_sssd-ifp.service.patch b/harden_sssd-ifp.service.patch
new file mode 100644
index 0000000..250a49f
--- /dev/null
+++ b/harden_sssd-ifp.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
new file mode 100644
index 0000000..6526831
--- /dev/null
+++ b/harden_sssd-kcm.service.patch
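Review bot: The block inserted after `[Service]` (`ProtectSystem=full` through `RestrictRealtime=true`) is the generic openSUSE sandboxing set and leaves out the namespace and personality locks; for a D-Bus-activated responder (`Type=dbus`), `RestrictNamespaces=true` and `LockPersonality=true` are low-risk additions worth trialing, whereas anything that affects privilege transitions of the child helpers (for example `NoNewPrivileges=`) should only be added after checking the privilege model of the 2.10.0 sources this spec now builds, since the patch header still references `sssd-2.5.2` while harden_sssd-kcm.service.patch references `sssd-2.10.0`. `ProtectSystem=full` keeps /var writable, which the service presumably needs for its state below /var/lib/sss; if that is the reason for not using `strict`, a comment in the patch such as `# ProtectSystem=strict not used: sssd keeps writable state below /var` would stop a later tightening from breaking the unit. The same directive list and the same omissions apply to harden_sssd-kcm.service.patch.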
@@ -0,0 +1,28 @@
+---
+ src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+@@ -8,6 +8,19 @@ After=sssd-kcm.socket
+ Also=sssd-kcm.socket
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
diff --git a/krb-noversion.diff b/krb-noversion.diff
new file mode 100644
index 0000000..3dea2c2
--- /dev/null
+++ b/krb-noversion.diff
@@ -0,0 +1,20 @@
+From: Jan Engelhardt
+Date: 2019-02-15 17:20:47.842813210 +0100
+
+Remove versions checks that need updating every iteration.
+---
+ src/external/pac_responder.m4 | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: sssd-2.0.0/src/external/pac_responder.m4
+===================================================================
+--- sssd-2.0.0.orig/src/external/pac_responder.m4
++++ sssd-2.0.0/src/external/pac_responder.m4
+@@ -11,6 +11,7 @@ then
+ AC_MSG_CHECKING(for supported MIT krb5 version)
+ KRB5_VERSION="`$KRB5_CONFIG --version`"
+ case $KRB5_VERSION in
++ *|\
+ Kerberos\ 5\ release\ 1.9* | \
+ Kerberos\ 5\ release\ 1.10* | \
+ Kerberos\ 5\ release\ 1.11* | \
diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz
new file mode 100644
index 0000000..38e2605
--- /dev/null
+++ b/sssd-2.10.0.tar.gz
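Review bot: The two `ExecStartPre=+-/bin/chown` lines directly below the inserted block carry systemd's `+` prefix, and by its documented semantics the filesystem-namespacing directives added here (`ProtectSystem=`, `ProtectHome=`, `PrivateDevices=` and friends) are not applied to such commands; the hardening therefore covers the main service process but not these pre-start steps. That is presumably intended, since the chown has to reach `@sssdconfdir@` with full privileges, but it deserves a line inside the inserted block, e.g. `# note: the '+'-prefixed ExecStartPre= lines below run outside these restrictions`, so the block is not read as covering the whole unit. The `[Service]` section continues outside the hunk.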
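Review bot: The added `*|\` alternative sits first in `case $KRB5_VERSION in`, so every following `Kerberos\ 5\ release\ 1.x* | \` pattern is unreachable and the check announced by `AC_MSG_CHECKING(for supported MIT krb5 version)` now accepts any string, including the empty one produced when `$KRB5_CONFIG --version` fails; the branch bodies are outside the hunk, so what the match then enables cannot be confirmed from here. If accepting every krb5 release is the intent, the description `Remove versions checks that need updating every iteration.` should state that untested releases no longer cause a configure-time failure, and the now-dead version alternatives could be dropped rather than kept as a misleading list. The case statement continues outside the hunk.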
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d
+size 9177851
diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc
new file mode 100644
index 0000000..3783730
--- /dev/null
+++ b/sssd-2.10.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
+Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
+wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
+cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
+nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
+MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
+HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
+kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
+gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
+D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
+qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
+PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
+=mJVY
+-----END PGP SIGNATURE-----
diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz
new file mode 100644
index 0000000..09b8ff1
--- /dev/null
+++ b/sssd-2.9.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3
+size 8001964
diff --git a/sssd-2.9.5.tar.gz.asc b/sssd-2.9.5.tar.gz.asc
new file mode 100644
index 0000000..05b00fc
--- /dev/null
+++ b/sssd-2.9.5.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
+Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
+SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
+oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
+v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
+zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
+Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
+l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
+T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
+eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
+mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
+d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
+=pY7t
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
new file mode 100644
index 0000000..9e67996
--- /dev/null
+++ b/sssd.changes
@@ -0,0 +1,2133 @@ +------------------------------------------------------------------- +Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt + +- Update to release 2.10.0 + * The ``sssctl cache-upgrade`` command was removed. SSSD + performs automatic upgrades at startup when needed. + * Support of ``enumeration`` feature (i.e. ability to list all + users/groups using ``getent passwd/group`` without argument) + for AD/IPA providers is deprecated and might be removed in + further releases. + * The new tool ``sss_ssh_knownhosts`` can be used with ssh's + ``KnownHostsCommand`` configuration option to retrieve the + host's public keys from a remote server (FreeIPA, LDAP, + etc.). It replaces ```sss_ssh_knownhostsproxy``. + * The default value for ``ldap_id_use_start_tls`` changed from + false to true for improved security. + * https://github.com/SSSD/sssd/releases/tag/2.10.0 + +------------------------------------------------------------------- +Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt + +- Update filelists involving memberof.so and idmap/sss.so to + avoid gobbling up one file into multiple sssd subpackages. + (Between samba-4.20 and 4.21, %ldbdir changes from + /usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now + `%_libdir/samba` is a bit too broad.) + +------------------------------------------------------------------- +Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero + +- Fix spec file for openSUSE ALP and SUSE SLFO, where the + python3_fix_shebang_path RPM macro is not available + +------------------------------------------------------------------- +Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero + +- Revert the change dropping the default configuration file. If + /usr/etc exists will be installed there, otherwise in /etc. + (bsc#1226157); + +------------------------------------------------------------------- +Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt + +- Update to release 2.9.5 + * Added failover_primary_timout configuration option. 
This can + be used to configure how often SSSD tries to reconnect to a + primary server after a successful connection to a backup + server. This was previously hardcoded to 31 seconds which is + kept as the default value. + +------------------------------------------------------------------- +Fri Mar 8 12:49:59 UTC 2024 - pgajdos@suse.com + +- remove dependency on /usr/bin/python3 using + %python3_fix_shebang_path macro, [bsc#1212476] + +------------------------------------------------------------------- +Fri Jan 12 14:02:10 UTC 2024 - Jan Engelhardt + +- Update to release 2.9.4 + * Fixes a crash when PAM passkey processing incorrectly handles + non-passkey data. + * Fixed group membership handling when members are coming from + different forest domains and using ldap token groups is + prohibited. + * Files provider was erroneously taking into consideration + ``local_auth_policy`` config option, thus breaking smartcard + authentication of local user in setups that did not explicitly + specify this option. This is now fixed. 
+ +------------------------------------------------------------------- +Tue Nov 21 09:43:57 UTC 2023 - Samuel Cabrero + +- Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714); + * Remove package sssd-common, merged into sssd + * Continue building deprecated files provider and infopipe + responder + * Disable selinux and semanage + * Provide rcsssd shortcut + +------------------------------------------------------------------- +Fri Nov 17 14:52:30 UTC 2023 - Samuel Cabrero + +- Fix spec file for Leap + +------------------------------------------------------------------- +Fri Nov 17 12:30:33 UTC 2023 - Samuel Cabrero + +- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after + update (bsc#1216865) +- Do not install the KRB5 IDP plugin, it is useless without the + OIDC child +- Drop no longer valid --without-secrets configure switch + +------------------------------------------------------------------- +Mon Nov 13 12:48:09 UTC 2023 - Jan Engelhardt + +- Update to release 2.9.3 + * The proxy provider is now able to handle certificate mapping + and matching rules and users handled by the proxy provider can + be configured for local Smartcard authentication. Besides the + mapping rule local Smartcard authentication should be enabled + with the `local_auth_policy` option in the backend and with + `pam_cert_auth` in the PAM responder. 
+ +------------------------------------------------------------------- +Thu Nov 2 16:09:55 UTC 2023 - Jan Engelhardt + +- Offer the sssd.conf template as %doc (for examples, do actually + see the "Examples" section of the sssd.conf(5) manpage) + +------------------------------------------------------------------- +Tue Oct 31 15:20:37 UTC 2023 - Samuel Cabrero + +- Update dependencies to require the same subpackages version and + release +- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of + "%pre" +- Move sss_analyze to sssd-tools package + +------------------------------------------------------------------- +Tue Oct 31 11:04:57 UTC 2023 - Jan Engelhardt + +- Default config is unworkable, just stop installing it altogether + [boo#1216739] + +------------------------------------------------------------------- +Thu Sep 7 12:07:10 UTC 2023 - Jan Engelhardt + +- Update to release 2.9.2 + * sssctl cert-show and cert-show cert-eval-rule can now be run as + non-root user. + * New option local_auth_policy is added to control which offline + authentication methods will be enabled by SSSD. + * Fix sssd entering failed state under heavy load by adding + watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283); + Drop SLE patch 0001-sssd-watchdog.patch + +------------------------------------------------------------------- +Fri Jun 23 14:49:30 UTC 2023 - Jan Engelhardt + +- Update to relese 2.9.1 + * A regression was fixed that prevented autofs lookups to + function correctly when cache_first is set to True. + * A regression where SSSD failed to properly watch for changes + in ``/etc/resolv.conf`` when it was a symbolic link or was a + relative path, was fixed. 
+ * ldap password policy: return failure if there are no grace logins + left; (bsc#1214434); Drop SLE patch + 0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch + +------------------------------------------------------------------- +Fri May 5 10:47:41 UTC 2023 - Jan Engelhardt + +- Update to release 2.9 + * The sss_simpleifp library is deprecated (and for openSUSE, + already removed) + * The "Files provider" (i.e. id_provider = files) is deprecated + (and for openSUSE, already removed) + * SSSD will no longer warn about changed defaults when using + ldap_schema = rfc2307 and default autofs mapping. + * New passkey functionality, which will allow the use of FIDO2 + compliant devices to authenticate a centrally managed user + locally. + * Add support for ldapi:// URLs to allow connections to local + LDAP servers. + * NSS IDMAP has two new methods: getsidbyusername and + getsidbygroupname. + +------------------------------------------------------------------- +Thu Jan 26 15:23:54 UTC 2023 - Callum Farmer + +- Move dbus-1 system.d file to /usr (bsc#1207586) + +------------------------------------------------------------------- +Tue Jan 3 12:01:41 UTC 2023 - Stefan Schubert + +- Migration of PAM settings to /usr/lib/pam.d. + +------------------------------------------------------------------- +Wed Dec 21 19:29:45 UTC 2022 - Jan Engelhardt + +- Take systemd units off the restart list that have + RefuseManualStart=yes [boo#1206592] +- Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166] + +------------------------------------------------------------------- +Sun Dec 11 14:17:23 UTC 2022 - Jan Engelhardt + +- Update to release 2.8.2 + * New mapping template for serial number, subject key id, SID, + certificate hashes and DN components are added to + libsss_certmap. 
+ +------------------------------------------------------------------- +Fri Nov 4 12:28:27 UTC 2022 - Jan Engelhardt + +- Update to release 2.8.1 + * A regression when running sss_cache when no SSSD domain is + enabled would produce a syslog critical message was fixed. + +------------------------------------------------------------------- +Fri Oct 7 12:05:29 UTC 2022 - Jan Engelhardt + +- Update to release 2.8.0 + * Introduced the dbus function + org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, + limit) listing upto limit users matching the filter + attr=value. + * sssctl is now able to create, list and delete indexes on the + local caches. Indexes are useful for the new D-Bus + ListByAttr() function. + * sssctl is now able to read and set each component's debug + level independently. + * A number of new configuration options are available, + cf. https://sssd.io/release-notes/sssd-2.8.0.html . + * Fix sdap_access_host No matching host rule found; + (bsc#1202559); Drop SLE patch + 0001-Fix-sdap_access_host-No-matching-host-rule-found.patch + * Accept krb5 1.20 for building the PAC plugin; Drop SLE patch + 0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch + +------------------------------------------------------------------- +Thu Sep 1 13:45:36 UTC 2022 - Stefan Schubert + +- Migration to /usr/etc: Saving user changed configuration files + in /etc and restoring them while an RPM update. + +------------------------------------------------------------------- +Fri Aug 26 20:54:33 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.4 + * Lock-free client support will be only built if libc provides + pthread_key_create() and pthread_once(). For glibc this means + version 2.34+. + +------------------------------------------------------------------- +Mon Jul 4 12:11:11 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.3 + * All SSSD client libraries (nss, pam, etc) won't serialize + requests anymore by default, i.e. 
requests from multiple + threads can be executed in parallel. Old behavior + (serialization) can be enabled by setting environment + variable "SSS_LOCKFREE" to "NO". + +------------------------------------------------------------------- +Tue Jun 21 10:19:54 UTC 2022 - Stefan Schubert + +- Removed %config flag for files in /usr directory. + +------------------------------------------------------------------- +Tue Jun 21 06:43:27 UTC 2022 - Stefan Schubert + +- Moved logrotate files from user-specific directory /etc/logrotate.d + to vendor-specific directory /usr/etc/logrotate.d. + +------------------------------------------------------------------- +Wed Jun 15 11:28:35 UTC 2022 - Samuel Cabrero + +- Use pam rpm macros to avoid hardcoding the directory names; + (bsc#1191047); +- Do not take ownership of %_pam_confdir directory, it is owned by + pam package + +------------------------------------------------------------------- +Mon Jun 13 14:48:28 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.2 + * A sssd-2.7.1 regression preventing successful authentication of + IPA users was fixed. + * Default value of pac_check changed to check_upn, + check_upn_dns_info_ex (for AD and IPA provider). + +------------------------------------------------------------------- +Thu Jun 2 15:24:57 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.1 + * SSSD can now handle multi-valued RDNs if a unique name must + be determined with the help of the RDN. + * A regression in pam_sss_gss module causing a failure if + KRB5CCNAME environment variable was not set was fixed. + * New option `implicit_pac_responder` to control if the PAC + responder is started for the IPA and AD providers; the + default is true. + * New option `krb5_check_pac` to control the PAC validation + behavior. + * Multiple `crl_file` arguments can be used in the + `certificate_verification` option. 
+ +------------------------------------------------------------------- +Mon May 16 21:49:38 UTC 2022 - Jan Engelhardt + +- Enable subid_sss + +------------------------------------------------------------------- +Thu Apr 14 22:43:03 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.0 + * Better default for IPA/AD re_expression. Tunning for group + names containing '@' is no longer needed. + * A new debug level is added to show statistical and + performance data. + * Added support for anonymous PKINIT to get FAST credentials. + * SSSD now correctly falls back to UPN search if the user was + not found even with `cache_first = true`. + * Add 'ldap_ignore_unreadable_references' parameter to skip + unreadable objects referenced by 'member' attributte; + (bsc#1190775); (gh#SSSD/sssd#4893); Drop SLE patch + 0001-ldap-ignore-unreadable-references.patch + +------------------------------------------------------------------- +Mon Feb 21 14:50:38 UTC 2022 - Callum Farmer + +- Enable selinux support +- Update Supplements to new format + +------------------------------------------------------------------- +Wed Feb 9 13:17:30 UTC 2022 - Samuel Cabrero + +- Remove caches only when performing a package downgrade. The sssd + daemon takes care of upgrading the database format when necessary + (bsc#1195552) + +------------------------------------------------------------------- +Tue Jan 25 11:32:10 UTC 2022 - Jan Engelhardt + +- Update to release 2.6.3 + * A regression introduced in sssd-2.6.2 in the IPA provider + that prevented users from login was fixed. Access control + always denied access because the selinux_child returned an + unexpected reply. + * A critical regression that prevented authentication of users + via AD and IPA providers was fixed. LDAP port was reused for + Kerberos communication and this provider would send + incomprehensible information to this port. + * When authenticating AD users, backtrace was triggered even + though everything was working correctly. 
This was caused by a + search in the global catalog. Servers from the global catalog + are filtered out of the list before writing the KDC info + file. With this fix, SSSD does not attempt to write to the + KDC info file when performing a GC lookup. + +------------------------------------------------------------------- +Mon Jan 17 17:27:40 UTC 2022 - Jan Engelhardt + +- Upgrade LDB_DIR shell variable to %ldbdir macro. + +------------------------------------------------------------------- +Tue Jan 11 18:04:46 UTC 2022 - Samuel Cabrero + +- Remove libsmbclient-devel BuildRequires in favor of + pkgconfig(smbclient) + +------------------------------------------------------------------- +Thu Dec 23 14:52:55 UTC 2021 - Jan Engelhardt + +- Update to release 2.6.2 + * Quick log out and log in did not correctly refresh user's + initgroups in no_session PAM schema due to lingering systemd + processes. + +------------------------------------------------------------------- +Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_sssd-ifp.service.patch + * harden_sssd-kcm.service.patch + +------------------------------------------------------------------- +Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt + +- Update to release 2.6.1 + * New infopipe method FindByValidCertificate(). + * The default value of the "ssh_hash_known_hosts" setting was + changed to false for the sake of consistency with OpenSSH + that does not hash host names by default. + +------------------------------------------------------------------- +Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt + +- Update to release 2.6.0 + * Support of legacy json format for ccaches was dropped. + * Support of long time deprecated secrets responder was dropped. + * Support of long time deprecated local provider was dropped. 
+ * The sssctl command was vulnerable to shell command injection + via the logs-fetch and cache-expire subcommands, + which was fixed; (CVE-2021-3621); (bsc#1189492); Drop SLE patch + 0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch + * Basic support of user's 'subuid and subgid ranges' for IPA + provider and corresponding plugin for shadow-utils were added. + +------------------------------------------------------------------- +Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt + +- Update to release 2.5.2; (jsc#SLE-17763); + * originalADgidNumber attribute in the SSSD cache is now indexed. + * Add new config option fallback_to_nss. + +------------------------------------------------------------------- +Tue Jun 8 16:35:25 UTC 2021 - Jan Engelhardt + +- Update to release 2.5.1 + * auto_private_groups option can be set centrally through ID + range setting in IPA (see ipa idrange commands family). This + feature requires SSSD update on both client and server. This + feature also requires freeipa 4.9.4 and newer. + * Fix getsidbyname issues with IPA users with a user-private-group. + * Default value of ldap_sudo_random_offset changed to 0 + (disabled). This makes sure that sudo rules are available as + soon as possible after SSSD start in default configuration. + +------------------------------------------------------------------- +Mon May 10 13:58:04 UTC 2021 - Jan Engelhardt + +- Update to release 2.5.0 + * Added support for automatic renewal of renewable TGTs that + are stored in KCM ccache. This can be enabled by setting + tgt_renewal = true. See the sssd-kcm man page for more + details. This feature requires MIT Kerberos + krb5-1.19-0.beta2.3 or higher. + * Backround sudo periodic tasks (smart and full refresh) periods are + now extended by a random offset to spread the load on the server in + environments with many clients. + * Completing a sudo full refresh now postpones the smart refresh by + ldap_sudo_smart_refresh_interval value. 
This ensure that the smart + refresh is not run too soon after a successful full refresh. + * If debug_backtrace_enabled is set to true then on any error all prior + debug messages (to some limit) are printed even if debug_level is set + to low value. + * Besides trusted domains known by the forest root, trusted domains known + by the local domain are used as well. + * New configuration option offline_timeout_random_offset to control random + factor in backend probing interval when SSSD is in offline mode. + * ad_gpo_implicit_deny is now respected even if there are no + applicable GPOs present. + * During the IPA subdomains request a failure in reading a single specific + configuration option is not considered fatal and the request will + continue. + * Unknown IPA id-range types are not considered as an error + +------------------------------------------------------------------- +Tue Apr 6 12:08:29 UTC 2021 - Samuel Cabrero + +- Move sssctl command from sssd to sssd-tools package; (bsc#1184289); + +------------------------------------------------------------------- +Thu Apr 1 15:08:14 UTC 2021 - jeffm@suse.com + +- Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285). + +------------------------------------------------------------------- +Tue Feb 23 12:43:38 UTC 2021 - Aurelien Aptel + +- Make cifs-idmap plugin (cifs_idmap_sss.so) use update-alternatives + mechanism to be able to switch between cifs-utils and sssd; + (bsc#1182682). + +------------------------------------------------------------------- +Fri Feb 19 17:30:58 UTC 2021 - Jan Engelhardt + +- Update to release 2.4.2 + * Default value of "user" config option was fixed into + accordance with man page, i.e. default is "root". + * pam_sss_gss now support authentication indicators to further + harden the authentication. 
+ +------------------------------------------------------------------- +Fri Feb 12 15:55:37 UTC 2021 - Dominique Leuenberger + +- Pass --with-pid-path=%{_rundir} to configure: adjust rundir + according the distro settings, i.e. /run on modern systems. + Eliminates a systemd warning like this one in the journal: + Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13: + PIDFile= references a path below legacy directory /var/run/, + updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly. + +------------------------------------------------------------------- +Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt + +- Update to release 2.4.1 + * New PAM module pam_sss_gss for authentication using GSSAPI. + * case_sensitive=Preserving can now be set for trusted domains + with AD and IPA providers. + * krb5_use_subdomain_realm=True can now be used when sub-domain + user principal names have upnSuffixes which are not known in + the parent domain. SSSD will try to send the Kerberos request + directly to a KDC of the sub-domain. + * SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald + output, to avoid issues with PID parsing in rsyslog + (BSD-style forwarder) output. + * Added pam_gssapi_check_upn to enforce authentication only + with principal that can be associated with target user. + * Added pam_gssapi_services to list PAM services that can + authenticate using GSSAPI. + * Create timestamp attribute in cache objects if missing; + (bsc#1182637); + +------------------------------------------------------------------- +Mon Oct 12 13:10:26 UTC 2020 - Jan Engelhardt + +- Update to release 2.4.0 + * Session recording can now exclude specific users or groups + when scope is set to all (see exclude_users and + exclude_groups options). + * Active Directory provider now sends CLDAP pings over UDP + protocol to Domain Controllers in parallel to determine site + and forest to speed up server discovery. 
+ +------------------------------------------------------------------- +Mon Aug 10 12:55:05 UTC 2020 - Jan Engelhardt + +- Build sssd's KCM. + +------------------------------------------------------------------- +Fri Jul 24 16:57:58 UTC 2020 - Jan Engelhardt + +- Update to release 2.3.1 + * Domains can be now explicitly enabled or disabled using + enable option in domain section. This can be especially used + in configuration snippets. + * New configuration options memcache_size_passwd, + memcache_size_group, memcache_size_initgroups that can be + used to control memory cache size. + * Fixed several regressions in GPO processing introduced in + sssd-2.3.0 + * Fixed regression in PAM responder: failures in cache only + lookups are no longer considered fatal. + * Fixed regression in proxy provider: pwfield=x is now default + value only for sssd-shadowutils target. + * Rotate child debug file descriptors on SIGHUP (bsc#1080156) +- sssd-wbclient is obsolete and no longer shipped + +------------------------------------------------------------------- +Tue May 19 11:32:22 UTC 2020 - Jan Engelhardt + +- Update to release 2.3.0 + * SSSD can now handle hosts and networks nsswitch databases + (see resolve_provider option). + * By default, authentication request only refresh user's + initgroups if it is expired or there is not active user's + session (see pam_initgroups_scheme option). + * OpenSSL is used as default crypto provider, NSS is deprecated. + * The AD provider now defaults to GSS-SPNEGO SASL mechanism + (see ldap_sasl_mech option). + * The AD provider can now be configured to use only ldaps port + (see ad_use_ldaps option). + * SSSD now accepts host entries from GPO's security filter. + * New debug level (0x10000) added for low level LDB messages + only (see sssd.conf man page). 
+ * Update samba secrets after changing machine password; (jsc#SLE-11503);
+ * Delete linked local user overrides when deleting a user
+ (bsc#1133168)
+- Drop sssd-gpo_host_security_filter-2.2.2.patch,
+ 0001-Resolve-computer-lookup-failure-when-sam-cn.patch,
+ 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
+- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+ (unapplicable)
+
+-------------------------------------------------------------------
+Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt
+
+- Update to 2.2.3
+ * New features:
+ * allow_missing_name now treats empty strings the same as
+ missing names.
+ * "soft_ocsp" and "soft_crl" options have been added to make
+ the checks for revoked certificates more flexible if the
+ system is offline.
+ * Smart card authentication in polkit is now allowed by default.
+ * Handling of FreeIPA users and groups containing ‘@’ sign now works.
+ * Issue when autofs was unable to mount shares was fixed.
+ * SSSD was unable to hande ldap_uri containing URIs with
+ different port numbers, which has been rectified.
+ * Fix domain offline after first boot when resolv.conf is a symlink
+ (bsc#1136139)
+- Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+
+-------------------------------------------------------------------
+Mon Mar 16 16:44:23 UTC 2020 - Samuel Cabrero
+
+- Fix dynamic DNS updates not using FQDN (bsc#1160587); Add
+ 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
+
+-------------------------------------------------------------------
+Sun Jan 19 23:54:34 UTC 2020 - Stefan Brüns
+
+- Remove leftover python2 build dependencies
+- Remove python3-devel BuildRequires in favor of pkgconfig(python3)
+
+-------------------------------------------------------------------
+Mon Jan 13 14:40:11 UTC 2020 - David Mulder
+
+- SSSD GPO host entries are ignored if computer cn does not
+ match its samaccountname, add
+ 0001-Resolve-computer-lookup-failure-when-sam-cn.patch;
+ (jsc#SLE-9298); (bsc#1160688)
+
+-------------------------------------------------------------------
+Thu Jan 02 17:17:00 UTC 2020 - David Mulder
+
+- SSSD should accept host entries from GPO's security filter, add
+ sssd-gpo_host_security_filter-2.2.2.patch; (jsc#SLE-9298)
+
+-------------------------------------------------------------------
+Fri Nov 22 13:31:54 UTC 2019 - Samuel Cabrero
+
+- Install infopipe dbus service (bsc#1106598)
+- Add systemd service unit files to manage socket or bus activated responders.
+- All responders except infopipe are also managed by a socket unit file.
+- Add missing post and postun hooks for libsss_certmap0 package.
+
+-------------------------------------------------------------------
+Thu Nov 21 12:56:28 UTC 2019 - Jan Engelhardt
+
+- Update to release 2.2.2
+ * New options were added which allow sssd-kcm to handle bigger
+ data. See manual pages for max_ccaches, max_uid_caches and
+ max_ccache_size.
+ * SSSD can now automatically refresh cached user data from
+ subdomains in IPA/AD trust.
+ * Fixed issue with SSSD hanging when connecting to
+ non-responsive server with ldaps://.
+ * SSSD is now restarted by systemd after crashes.
+
+-------------------------------------------------------------------
+Tue Jun 18 08:00:46 UTC 2019 - Jan Engelhardt
+
+- Update to new upstream release 2.2.0
+ * The Kerberos provider can now include more KDC addresses or
+ host names when writing data for the Kerberos locator plugin.
+ * The 2FA prompting can now be configured.
+ * The LDAP authentication provider now allows to use a
+ different method of changing LDAP passwords using a modify
+ operation in addition to the default extended operation.
+ * The "auto_private_groups" configuration option now takes a
+ new value hybrid.
+ * A new option "ad_gpo_ignore_unreadable" was added.
+ * The "cached_auth_timeout" parameter is now inherited by
+ trusted domains.
+ * The "ldap_sasl_mech" option now accepts another mechanism
+ "GSS-SPNEGO" in addition to "GSSAPI".
+ * The sssctl tool has two new commands, "cert-show" and
+ "cert-map".
+ * Added an option to skip GPOs that have groupPolicyContainers,
+ unreadable by SSSD (bsc#1124194) (CVE-2018-16838)
+ * Fix fallback_homedir returning '/' for empty home directories
+ (CVE-2019-3811) (bsc#1121759)
+
+-------------------------------------------------------------------
+Fri Apr 26 10:59:25 UTC 2019 - Samuel Cabrero
+
+- Create directory to download and cache GPOs (bsc#1132879)
+
+-------------------------------------------------------------------
+Sat Mar 16 11:50:58 UTC 2019 - Jan Engelhardt
+
+- Update to new upstream release 2.1.0
+ * Any provider can now match and map certificates to user
+ identities.
+ * pam_sss can now be configured to only perform Smart Card
+ authentication or return an error if this is not possible.
+ * pam_sss can also prompt the user to insert a Smart Card if,
+ during an authentication it is not available.
+ * A new configuration option ad_gpo_implicit_deny was added.
+ This option (when set to True) can be used to deny access to
+ users even if there is not applicable GPO.
+ * The dynamic DNS update can now batch DNS updates to include
+ all address family updates in a single transaction.
+ * Fix sss_cache spurious error messages when invoked from shadow-utils;
+ (bsc#1185017);
+ * Fix building with newer samba versions (bsc#1137876)
+ * Fix memory leak in nss netgroup enumeration (bsc#1139247);
+
+-------------------------------------------------------------------
+Wed Feb 20 16:01:52 UTC 2019 - Samuel Cabrero
+
+- Install systemd service unit file created from source's template
+ (bsc#1120852); (bsc#1185185);
+- Install logrotate configuration (bsc#1004220)
+- Set journald as system logger
+
+-------------------------------------------------------------------
+Fri Feb 15 17:36:22 UTC 2019 - Jan Engelhardt
+
+- Add krb-noversion.diff so sssd_pac builds even with newer krb.
+
+-------------------------------------------------------------------
+Mon Oct 1 13:34:56 UTC 2018 - ckowalczyk@suse.com
+
+- Add dependency to adcli for sssd-ad
+ (SLE15: fate#326619, bsc#1109849)
+ (SLE12SP4: fate#326620, bsc#1110121)
+
+-------------------------------------------------------------------
+Fri Sep 7 18:52:18 UTC 2018 - Jan Engelhardt
+
+- Update to new upstream release 2.0.0
+ * The Python API for managing users and groups in local domains
+ (id_provider=local) was removed completely. The local
+ provider (id_provider=local) and the command line tools to
+ manage users and groups in the local domains, such as
+ sss_useradd is not built anymore.
+ * The LDAP provider had a special-case branch for evaluating
+ group memberships with the RFC2307bis schema when group
+ nesting was explicitly disabled. This codepath is removed.
+ * The "ldap_sudo_include_regexp" option changed its default
+ value from true to false. Wildcards in the sudoHost LDAP
+ attribute are no longer evaluated.
This was costly to
+ evaluate on the LDAP server side and at the same time rarely
+ used.
+ * The list of PAM services which are allowed to authenticate
+ using a Smart Card is now configurable using a new option
+ pam_p11_allowed_services.
+ * Allow defaults sudoRole without sudoUser attribute (bsc#1135247)
+
+-------------------------------------------------------------------
+Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
+
+- Update to upstream release 1.16.3
+ * New Features:
+ * kdcinfo files for informing krb5 about discovered KDCs are
+ now also generated for trusted domains in setups that use
+ id_provider=ad and IPA masters in a trust relationship with
+ an AD domain.
+ * The Kerberlos locator plugin can now process multiple
+ address if SSSD generates more than one. A
+ * Bug fixes:
+ * Fixed information leak due to incorrect permissions on
+ /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
+ * Cached password are now stored with a salt. Old ones will be
+ regenerated on next authentication, and the auth server needs
+ to be reachable for that.
+ * The sss_ssh proces leaked file descriptors when converting
+ more than one X.509 certificate to an SSH public key.
+ * The PAC responder is now able to process Domain Local in case
+ the PAC uses SID compression (Windows Server 2012+).
+ * Address the issue that some versions of OpenSSH would close
+ the pipe towards sss_ssh_authorizedkeys when the matching key
+ is found before the rest of the output is read.
+ * User lookups no longer fail if user's e-mail address
+ conflicts with another user's fully qualified name.
+ * The override_shell and override_homedir options are no longer
+ applied to entries from the files domain.
+ * The grace logins with an expired password when authenticating
+ against certain newer versions of the 389DS/RHDS LDAP server
+ did not work.
+ * Fix login not possible when email address is duplicated in ldap
+ attributes (bsc#1149597)
+ * Strip whitespaces in netgroup triples (bsc#1087320)
+- Removed patches that are included upstream now:
+ 0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
+ 0002-intg-Do-not-hardcode-nsslibdir.patch,
+ 0003-Fix-build-for-1-16-2-version.patch
+
+-------------------------------------------------------------------
+Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
+
+- Fixed patch name.
+
+-------------------------------------------------------------------
+Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com
+
+- Introduce patches:
+ * Create sockets with right permissions:
+ 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+ (bsc#1098377, CVE-2018-10852)
+ * Fix for sssd upstream integration tests
+ 0002-intg-Do-not-hardcode-nsslibdir.patch
+ (bsc#1098163)
+
+-------------------------------------------------------------------
+Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com
+
+- Update to new minor upstream release 1.16.2
+New Features:
+ * The smart card authentication, or in more general certificate
+ authentication code now supports OpenSSL in addition to previously
+ supported NSS (#3489). In addition, the SSH responder can now
+ return public SSH keys derived from the public keys stored in a
+ X.509 certificate. Please refer to the ssh_use_certificate_keys
+ option in the man pages.
+ * The files provider now supports mirroring multiple passwd or
+ group files. This enhancement can be used to use the SSSD files
+ provider instead of the nss_altfiles module
+Bugfixes:
+ * A memory handling issue in the nss_ex interface was fixed.
This
+ bug would manifest in IPA environments with a trusted AD domain
+ as a crash of the ns-slapd process, because a ns-slapd plugin
+ loads the nss_ex interface (#3715)
+ * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633)
+ * The ad_site override is now honored in GPO code as well (#3646)
+ * Several potential crashes in the NSS responder’s netgroup code
+ were fixed (#3679, #3731)
+ * A potential crash in the autofs responder’s code was fixed (#3752)
+ * The LDAP provider now supports group renaming (#2653)
+ * The GPO access control code no longer returns an error if one
+ of the relevant GPO rules contained no SIDs at all (#3680)
+ * A memory leak in the IPA provider related to resolving external
+ AD groups was fixed (#3719)
+ * Setups that used multiple domains where one of the domains had
+ its ID space limited using the min_id/max_id options did not
+ resolve requests by ID properly (#3728)
+ * Overriding IDs or names did not work correctly when the domain
+ resolution order was set as well (#3595)
+ * A version mismatch between certain newer Samba versions (e.g.
+ those shipped in RHEL-7.5) and the Winbind interface provided
+ by SSSD was fixed. To further prevent issues like this in the
+ future, the correct interface is now detected at build time (#3741)
+ * The files provider no longer returns a qualified name in case
+ domain resolution order is used (#3743)
+ * A race condition between evaluating IPA group memberships and
+ AD group memberships in setups with IPA-AD trusts that would
+ have manifested as randomly losing IPA group memberships assigned
+ to an AD user was fixed (#3744)
+ * Setting an SELinux login label was broken in setups where the
+ domain resolution order was used (#3740)
+ * SSSD start up issue on systems that use the libldb library
+ with version 1.4.0 or newer was fixed.
+ * Update winbind idmap plugin to support interface version 6
+ (jsc#SLE-9819)
+ * Add a netgroup counter to struct nss_enum_index (bsc#1132657)
+ * Fix sssd not starting in foreground mode (bsc#1125277)
+Introduce a patch:
+ * Fix build of sssd of 1.16.2 version:
+ 0003-Fix-build-for-1-16-2-version.patch
+ (back then called fix-build.patch)
+
+-------------------------------------------------------------------
+Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com
+
+- Update to new minor upstream release 1.16.1 (fate#323340):
+
+New Features:
+ * A new option auto_private_groups was added. If this option is
+ enabled, SSSD will automatically create user private groups based
+ on user’s UID number. The GID number is ignored in this case.
+ * The SSSD smart card integration now supports a special type of PAM
+ conversation implemented by GDM which allows the user to select
+ the appropriate smrt card certificate in GDM.
+ * A new API for accessing user and group information was added.
+ This API is similar to the tradiional Name Service Switch API, but
+ allows the consumer to talk to SSSD directly as well as to
+ fine-tune the query with e.g. how cache should be evaluated.
+ * The sssctl command line tool gained a new command access-report,
+ which can generate who can access the client machine. Currently
+ only generating the report on an IPA client based on HBAC rules
+ is supported.
+ * The hostid provider was moved from the IPA specific code to
+ the generic LDAP code. This allows SSH host keys to be access by
+ the generic LDAP provider as well. See the ldap_host_* options in
+ the sssd-ldap manual page for more details.
+ * Setting the memcache_timeout option to 0 disabled creating
+ the memory cache files altogether. This can be useful in cases
+ there is a bug in the memory cache that needs working around.
+
+-------------------------------------------------------------------
+Tue Apr 24 13:09:35 UTC 2018 - ckowalczyk@suse.com
+
+- Updated sssd.spec:
+ The IPA provider depends on AD provider's PAC executable, hence
+ introducing the package dependency. (bsc#1021441, bsc#1062124)
+
+-------------------------------------------------------------------
+Tue Feb 27 09:24:46 UTC 2018 - hguo@suse.com
+
+- Remove package descriptions for the python 2 packages that are
+ no longer distributed:
+ * python-ipa_hbac
+ * python-sss-murmur
+ * python-sss_nss_idmap
+ * python-sssd-config
+- Correct python version dependency of tools package. (bsc#1082108)
+
+-------------------------------------------------------------------
+Mon Dec 4 10:03:59 UTC 2017 - hguo@suse.com
+
+- Correct dependency of sss_obfuscate command line program.
+
+-------------------------------------------------------------------
+Fri Dec 1 14:35:08 UTC 2017 - hguo@suse.com
+
+- In an ongoing effort to reduce dependency on python version 2,
+ the following python libraries are no longer built. Nevertheless
+ their python3 counterparts remain in place:
+ * python-ipa_hbac
+ * python-sss-murmur
+ * python-sss_nss_idmap
+ * python-sssd-config
+
+-------------------------------------------------------------------
+Mon Oct 23 16:31:54 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.16.0
+
+Security fixes
+ * This release fixes CVE-2017-12173: Unsanitized input when searching in
+ local cache database. SSSD stores its cached data in an LDAP like local
+ database file using libldb. To lookup cached data LDAP search filters
+ like (objectClass=user)(name=user_name) are used. However, in
+ sysdb_search_user_by_upn_res(), the input was not sanitized and
+ allowed to manipulate the search filter for cache lookups. This would
+ allow a logged in user to discover the password hash of a different user.
+
+New Features
+ * SSSD now supports session recording configuration through tlog.
This
+ feature enables recording of everything specific users see or type
+ during their sessions on a text terminal. For more information, see
+ the sssd-session-recording(5) manual page.
+ * SSSD can act as a client agent to deliver
+ Fleet Commander
+ policies defined on an IPA server. Fleet Commander provides a
+ configuration management interface that is controlled centrally and
+ that covers desktop, applications and network configuration.
+ * Several new systemtap probes
+ were added into various locations in SSSD code to assist in
+ troubleshooting and analyzing performance related issues. Please see the
+ sssd-systemtap(5) manual page for more information.
+ * A new LDAP provide access control mechanism that allows to restrict
+ access based on PAM's rhost data field was added. For more details,
+ please consult the sssd-ldap(5) manual page, in particular the
+ options ldap_user_authorized_rhost and the rhost value of
+ ldap_access_filter.
+
+-------------------------------------------------------------------
+Tue Jul 25 15:46:23 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.15.3 (KCM disabled)
+
+New Features
+ * In a setup where an IPA domain trusts an Active Directory domain,
+ it is now possible to define the domain resolution order
+ (see http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names).
+ * Design page - Shortnames in trusted domains
+ * SSSD ships with a new service called KCM. This service acts as a
+ storage for Kerberos tickets when "libkrb5" is configured to use
+ "KCM:" in "krb5.conf".
+ * Design page - KCM server for SSSD
+ * NOTE: There are several known issues in the "KCM" responder that
+ will be handled in the next release.
+ * Support for user and group resolution through the D-Bus interface and
+ authentication and/or authorization through the PAM interface even
+ for setups without UIDs or Windows SIDs present on the LDAP directory
+ side.
This enhancement allows SSSD to be used together with apache
+ modules to provide
+ identities for applications
+ * Design page - Support for non-POSIX users and groups
+ * SSSD ships a new public library called "libsss_certmap" that allows
+ a flexible and configurable way of mapping a certificate to a user
+ identity.
+ * Design page - Matching and Mapping Certificates
+ * The Kerberos locator plugin can be disabled using an environment variable
+ "SSSD_KRB5_LOCATOR_DISABLE". Please refer to the
+ "sssd_krb5_locator_plugin" manual page for mode details.
+ * The "sssctl" command line tool supports a new command "user-checks"
+ that enables the administrator to check whether a certain user should be
+ allowed or denied access to a certain PAM service.
+ * The "secrets" responder now forwards requests to a proxy Custodia
+ back end over a secure channel.
+
+-------------------------------------------------------------------
+Thu Mar 16 13:32:12 UTC 2017 - hguo@suse.com
+
+- Introduce mandatory runtime requirement "cyrus-sasl-gssapi" to
+ krb5-common sub-package. Address bsc#1024836.
+
+-------------------------------------------------------------------
+Wed Mar 15 22:18:03 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.15.2
+ * It is now possible to configure certain parameters of a
+ trusted domain in a configuration file sub-section.
+ * Several issues related to socket-activating the NSS service,
+ especially if SSSD was configured to use a non-privileged
+ userm were fixed. The NSS service now does not change the
+ ownership of its log files to avoid triggering a name-service
+ lookup while the NSS service is not running yet.
+ Additionally, the NSS service is started before any other
+ service to make sure username resolution works and the other
+ service can resolve the SSSD user correctly.
+ * A new option "cache_first" allows the administrator to change
+ the way multiple domains are searched.
When this option is
+ enabled, SSSD will first try to "pin" the requested name or
+ ID to a domain by searching the entries that are already
+ cached and contact the domain that contains the cached entry
+ first. Previously, SSSD would check the cache and the remote
+ server for each domain. This option brings performance
+ benefit for setups that use multiple domains (even
+ auto-discovered trusted domains), especially for ID lookups
+ that would previously iterate over all domains. Please note
+ that this option must be enabled with care as the
+ administrator must ensure that the ID space of domains does
+ not overlap.
+ * The SSSD D-Bus interface gained two new methods:
+ "FindByNameAndCertificate" and "ListByCertificate". These
+ methods will be used primarily by IPA and
+ `mod_lookup_identity
+ to
+ correctly match multple users who use the same certificate
+ for Smart Card login.
+ * A bug where SSSD did not properly sanitize a username with a
+ newline character in it was fixed.
+
+-------------------------------------------------------------------
+Sat Mar 11 22:34:41 UTC 2017 - jengelh@inai.de
+
+- Switch *all* URLs after fedorahosted.org retirement
+
+-------------------------------------------------------------------
+Sat Mar 4 19:57:33 UTC 2017 - michael@stroeder.com
+
+- Updated project URL
+- Update to new upstream release 1.15.1
+ * Several issues related to starting the SSSD services on-demand via
+ socket activation were fixed. In particular, it is no longer possible
+ to have a service started both by sssd and socket-activated. Another
+ bug which might have caused the responder to start before SSSD started
+ and cause issues especially on system startup was fixed.
+ * A new 'files' provider was added. This provider mirrors the contents
+ of '/etc/passwd' and '/etc/shadow' into the SSSD database.
The purpose
+ of this new provider is to make it possible to use SSSD's interfaces,
+ such as the D-Bus interface for local users and enable leveraging the
+ in-memory fast cache for local users as well, as a replacement for `nscd`.
+ In future, we intend to extend the D-Bus interface to also provide setting
+ and retrieving additional custom attributes for the files users.
+ * SSSD now autogenerates a fallback configuration that enables the
+ files domain if no SSSD configuration exists. This allows distributions
+ to enable the 'sssd' service when the SSSD package is installed. Please
+ note that SSSD must be build with the configuration option
+ '--enable-files-domain' for this functionality to be enabled.
+ * Support for public-key authentication with Kerberos (PKINIT) was
+ added. This support will enable users who authenticate with a Smart Card
+ to obtain a Kerberos ticket during authentication.
+
+-------------------------------------------------------------------
+Sat Feb 18 08:35:13 CET 2017 - kukuk@suse.de
+
+- Remove obsolete insserv call
+
+-------------------------------------------------------------------
+Wed Feb 8 19:58:55 UTC 2017 - luizluca@gmail.com
+
+- Added /etc/sssd/conf.d/ for configuration snippets
+
+-------------------------------------------------------------------
+Wed Jan 25 19:25:09 UTC 2017 - michael@stroeder.com
+
+- Removed 0001-krb5-1.15-build-fix.patch obsoleted by upstream update
+- Update to new upstream release 1.15.0
+ * SSSD now allows the responders to be activated by the systemd service
+ manager and exit when idle. This means the services line in sssd.conf is
+ optional and the responders can be started on-demand, simplifying the sssd
+ configuration. Please note that this change is backwards-compatible and
+ the responders listed explicitly in sssd.conf's services line are managed
+ by sssd in the same manner as in previous releases.
Please refer to man
+ sssd.conf(5) for more information
+ * The sudo provider is no longer disabled for configurations that do not
+ explicitly include the sudo responder in the services list. In order to
+ disable the sudo-related back end code that executes the periodic LDAP
+ queries, set the sudo_provider to none explicitly
+ * The watchdog signal handler no longer uses signal-unsafe functions. This
+ bug was causing a deadlock in case the watchdog was about to kill a
+ stuck process
+ * A bug that prevented TLS to be set up correctly on systems where libldap
+ links with GnuTLS was fixed
+ * The functionality to alter SSSD configuration through the D-Bus interface
+ provided by the IFP responder was removed. This functionality was not used to
+ the best of our knowledge, had no tests and prevented the InfoPipe responder
+ from running as a non-privileged user.
+ * A bug that prevented statically-linked applications from using libnss_sss
+ was fixed by removing dependency on -lpthreads from the libnss_sss library
+ (please see https://sourceware.org/bugzilla/show_bug.cgi?id=20500 for
+ an example on why linking with -lpthread from an NSS modules is problematic)
+ * Previously, SSSD did not ignore GPOs that were missing the
+ gPCFunctionalityVersion attribute and failed the whole GPO
+ processing. Starting with this version, the GPOs without the
+ gPCFunctionalityVersion are skipped.
+
+-------------------------------------------------------------------
+Mon Dec 12 13:36:18 UTC 2016 - dimstar@opensuse.org
+
+- BuildRequire pkgconfig(libsystemd) instead of
+ pkgconfig(libsystemd-login): the latter has been deprecated since
+ systemd 209 and finally removed with systemd 230.
+
+-------------------------------------------------------------------
+Wed Dec 7 10:39:30 UTC 2016 - jengelh@inai.de
+
+- Add 0001-krb5-1.15-build-fix.patch to unlock building
+ against future KRB versions.
+
+-------------------------------------------------------------------
+Wed Oct 19 22:21:30 UTC 2016 - michael@stroeder.com
+
+- Update to new upstream release 1.14.2
+ * Several more regressions caused by cache refactoring to use qualified
+ names internally were fixed, including a regression that prevented the
+ krb5_map_user option from working correctly.
+ * A regression when logging in with a smart card using the GDM login manager
+ was fixed
+ * SSSD now removes the internal timestamp on startup cache when the
+ persistent cache is removed. This enables admins to follow their existing
+ workflow of just removing the persistent cache and start from a fresh slate
+ * Several fixes to the sssd-secrets responder are present in this release
+ * A bug in the autofs responder that prevented automounter maps from being
+ returned when sssd_be was offline was fixed
+ * A similar bug in the NSS responder that prevented netgroups from being
+ returned when sssd_be was offline was fixed
+ * Disabling the netlink integration can now be done with a new option
+ disable_netlink. Previously, the netlink integration could be disabled with
+ a sssd command line switch, which is being deprecated in this release.
+ * The internal watchdog no longer kills sssd processes in case time shifts
+ during sssd runtime
+ * The fail over code is able to cope with concurrent SRV resolution
+ requests better in this release
+ * The proxy provider gained a new option proxy_max_children that allows the
+ administrator to control the maximum number of child helper processes that
+ authenticate users with auth_provider=proxy
+ * The InfoPipe D-Bus responder exports the UUIDs of user and group objects
+ through a uniqueID property
+
+-------------------------------------------------------------------
+Fri Aug 19 18:38:35 UTC 2016 - michael@stroeder.com
+
+- Update to new upstream release 1.14.1
+ * The IPA provider now supports logins with enterprise principals (also
+ known as additional UPN suffixes). This functionality also enabled Active
+ Directory users from trusted AD domains who use an additional UPN suffix
+ to log in. Please note that this feature requires a recent IPA server.
+ * When a user name is overriden in an IPA domain, resolving a group these
+ users are a member of now returns the overriden user names
+ * Users can be looked up by and log in with their e-mail address as an
+ identifier. In order to do so, an attribute that represents the user's
+ e-mail address is fetched by default. This attribute can by customized
+ by setting the ldap_user_email configuration option.
+ * A new ad_enabled_domains option was added. This option lets the
+ administrator select domains that SSSD should attempt to reach in the
+ AD forest SSSD is joined to. This option is useful for deployments where
+ not all domains are reachable on the network level, yet the administrator
+ needs to access some trusted domains and therefore disabling the subdomains
+ provider completely is not desirable.
+ * The sssctl tool has two new commands active-server and servers that
+ allow the administrator to observe the server that SSSD is bound to and
+ the servers that SSSD autodiscovered
+ * SSSD used to fail to start when an attribute name is present in both
+ the default SSSD attribute map and the custom ldap_user_extra_attrs map
+ * GPO policy procesing no longer fails if the gPCMachineExtensionNames
+ attribute only contains whitespaces
+ * Several commits fix regressions related to switching all user and group
+ names to fully qualified format, such as running initgroups for a user
+ who is only a member of a primary group
+ * Several patches fix regressions caused by splitting the database into
+ two ldb files, such as when user attributes change without increasing
+ the modifyTimestamp attribute value
+ * systemd unit files are now shipped for the sssd-secrets responder,
+ allowing the responder to be socket-activated. To do so, administrators
+ should enable the sssd-secrets.socket and sssd-secrets.service systemd
+ units.
+ * The sssd binary has a new switch --disable-netlink that lets sssd skip
+ messages from the kernel's netlink interface.
+ * A crash when entries with special characters such as '(' were requested
+ was fixed
+ * The ldap_rfc_2307_fallback_to_local_users option was broken in the
+ previous version. This release fixes the functionality.
+
+-------------------------------------------------------------------
+Fri Jul 8 10:46:59 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 1.14.0
+* The AD provider is now able to look up users from Active
+ Directory domains by certificate. This change enables logins for
+ Active Directory users with the help of a smart card.
+* The sss_override tool is now able to add certificates as local
+ overrides in the SSSD cache. Please note that the certificate
+ overrides are stored in the local cache, so removing the cache
+ also removes all the certificates!
+* Invalid certificates are skipped instead of aborting the whole
+ operation when logging in with a smart card using SSH.
+* This version allows several OCSP-related options such as the OCSP
+ responder to be configured during smart card authentication.
+* SSSD is now able to determine the name of the user who logs in
+ from the inserted smart card without having to type in the
+ username. Note that this functionality must be enabled with the
+ allow_missing_name pam_sss option.
+* The sss_cache command line tool is now able to invalidate SUDO
+ rules with its new -r/-R switches. Note that the sudo rules ar
+ not refreshed with the sss_cache tool immediately.
+* A new command line tool called sssctl was added. This tool
+ allows to observe the status of SSSD.
+* A new option local_negative_timeout was added. This option
+ allows the admin to specify the time during which lookups for
+ users that are not handled by SSSD but are present on the
+ system (typically in /etc/passwd and /etc/group) and prevents
+ repeated lookups of local users on the remote server during
+ initgroups operation.
+* An ID-mapping plugin for the winbind deamon was added. With
+ this plugin, it's possible for winbind to use the same
+ ID-mapping scheme as SSSD uses, producing consistent ID values.
+- Remove 0001-build-detect-endianness-at-configure-time.patch
+ (included upstream)
+
+-------------------------------------------------------------------
+Mon Apr 18 12:24:29 UTC 2016 - hguo@suse.com
+
+- Enable PAC responder.
+ PAC is an extension element returned by domain controller, to speed
+ up resolution of authorisation data such as group memberships.
+
+-------------------------------------------------------------------
+Thu Apr 14 17:20:11 UTC 2016 - michael@stroeder.com
+
+- Update to new upstream release 1.13.4
+ * The IPA sudo provider was reimplemented.
The new version reads the
+ data from IPA's LDAP tree (as opposed to the compat tree populated by
+ the slapi-nis plugin that was used previously). The benefit is that
+ deployments which don't require the compat tree for other purposes,
+ such as support for non-SSSD clients can disable those autogenerated
+ LDAP trees to conserve resources that slapi-nis otherwise requires. There
+ should be no visible changes to the end user.
+ * SSSD now has the ability to renew the machine credentials (keytabs)
+ when the ad provider is used. Please note that a recent version of
+ the adcli (0.8 or newer) package is required for this feature to work.
+ * The automatic ID mapping feature was improved so that the administrator
+ is no longer required to manually set the range size in case a RID in
+ the AD domain is larger than the default range size
+ * A potential infinite loop in the NFS ID mapping plugin that was
+ resulting in an excessive memory usage was fixed
+ * Clients that are pinned to a particular AD site using the ad_site
+ option no longer communicate with DCs outside that site during service
+ discovery.
+ * The IPA identity provider is now able to resolve external
+ (typically coming from a trusted AD forest) group members during
+ get-group-information requests. Please note that resolving external
+ group memberships for AD users during the initgroup requests used to
+ work even prior to this update. This feature is mostly useful for cases
+ where an IPA client is using the compat tree to resolve AD trust users.
+ * The IPA ID views feature now works correctly even for deployments
+ without a trust relationship. Previously, the subdomains IPA provider
+ failed to read the views data if no master domain record was created
+ on the IPA server during trust establishment.
+ * A race condition in the client libraries between the SSSD closing
+ the socket as idle and the client application using the socket was
+ fixed.
This bug manifested with a Broken Pipe error message on the
+ client.
+ * SSSD is now able to resolve users with the same usernames in different
+ OUs of an AD domain
+ * The smartcard authentication now works properly with gnome-screensaver
+
+-------------------------------------------------------------------
+Wed Feb 10 16:38:37 UTC 2016 - mpluskal@suse.com
+
+- Enable internal testsuite
+
+-------------------------------------------------------------------
+Wed Dec 16 14:08:01 UTC 2015 - jengelh@inai.de
+
+- Update to new maintenance release 1.13.3
+* A bug that prevented user lookups and logins after migration from
+ winsync to IPA-AD trusts was fixed.
+* A bug that prevented the ignore_group_members option from working
+ correctly in AD provider setups that use a dedicated primary
+ group (as opposed to a user-private group) was fixed.
+* Offline detection and offline login timeouts were improved for AD
+ users logging in from a domain trusted by an IPA server.
+* The AD provider supports setting up autofs_provider=ad .
+
+-------------------------------------------------------------------
+Fri Nov 20 10:39:56 UTC 2015 - jengelh@inai.de
+
+- Update to new upstream release 1.13.2
+* Initial support for Smart Card authentication was added.
+* The PAM prompting was enhanced so that when Two-Factor
+ Authentication is used, both factors (password and token) can be
+ entered separately on separate prompts.
+* This release supports authenticating againt a KDC proxy.
+
+-------------------------------------------------------------------
+Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com
+
+- Update to new upstream release 1.13.1
+* Initial support for Smart Card authentication was added. The
+ feature can be activated with the new pam_cert_auth option.
+* The PAM prompting was enhanced so that when Two-Factor
+ Authentication is used, both factors (password and token) can
+ be entered separately on separate prompts.
At the same time,
+ only the long-term password is cached, so offline access would
+ still work using the long term password.
+* A new command line tool sss_override is present in this
+ release. The tools allows to override attributes on the SSSD
+ side. It's helpful in environment where e.g. some hosts need to
+ have a different view of POSIX attributes than others. Please
+ note that the overrides are stored in the cache as well, so
+ removing the cache will also remove the overrides.
+* Several enhancements to the dynamic DNS update code. Notably,
+ clients that update multiple interfaces work better with this
+ release.
+* This release supports authenticating againt a KDC proxy
+* The fail over code was enhanced so that if a trusted domain is
+ not reachable, only that domain will be marked as inactive but
+ the backed would stay in online mode.
+
+-------------------------------------------------------------------
+Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de
+
+- Update to new upstream release 1.13
+* Support for separate prompts when using two-factor authentication
+* Added support for one-way trusts between an IPA and Active
+ Directory environment. (Depends on IPA 4.2)
+* The fast memory cache now also supports the initgroups operation.
+* The PAM responder is now capable of caching authentication for
+ configurable period, which might reduce server load in cases
+ where accounts authenticate very frequently.
+ Refer to the "cached_auth_timeout" option in sssd.conf(5).
+* The Active Directory provider has changed the default value of
+ the "ad_gpo_access_control" option from permissive to enforcing.
+ As a consequence, the GPO access control now affects all clients
+ that set access_provider to ad. In order to restore the previous
+ behaviour, set ad_gpo_access_control to permissive or use a
+ different access_provider type.
+* Group Policy objects defined in a different AD domain that the
+ computer object is defined in are now supported.
+* Credential caching and Offline authentication are also available
+ when using two-factor authentication
+* The Python bindings are now built for both Python2 and Python3.
+* The LDAP bind timeout, StartTLS timeout and password change
+ timeout are now configurable using the ldap_opt_timeout option.
+
+-------------------------------------------------------------------
+Wed Aug 12 18:20:25 UTC 2015 - jengelh@inai.de
+
+- Kill unused libsss_sudo-devel solvable.
+
+-------------------------------------------------------------------
+Tue Aug 11 07:41:07 UTC 2015 - hguo@suse.com
+
+- Obsolete/provide libsss_sudo in sssd main package.
+ Sudo capability is an integral feature in SSSD and the library
+ is not supposed to be used separately.
+
+-------------------------------------------------------------------
+Thu Jun 25 16:44:49 UTC 2015 - crrodriguez@opensuse.org
+
+- sssd.service: add Before= and Wants=nss-user-lookup.target
+ correct fix for bsc#926961
+
+-------------------------------------------------------------------
+Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com
+
+- Update to new upstream release 1.12.5
+* The background refresh tasks now supports refreshing users and
+ groups as well. See the "refresh_expired_interval" parameter in
+ the sssd.conf manpage.
+* A new option subdomain_inherit was added.
+* When an expired account attempts to log in, a configurable
+ error message can be displayed with sufficient pam_verbosity
+ setting. See the "pam_account_expired_message" option.
+* OpenLDAP ppolicy can be honored even when an alternate login
+ method (such as SSH key) is used. See the "ldap_access_order"
+ option.
+* A new option :krb5_map_user" was added, allowing the admin to
+ map UNIX usernames to Kerberos principals.
+* BUG FIXES:
+* Fixed AD-specific bugs that resulted in the incorrect set of
+ groups being displayed after the initgroups operation.
+* Fixes related to the IPA ID views feature.
Setups using this
+ should update sssd on both IPA servers and clients.
+* The AD provider now handles binary GUIDs correctly.
+* A bug that prevented the `ignore_group_members` parameter to be
+ used with the AD provider was fixed.
+* The failover code now reads and honors TTL value for SRV
+ queries as well.
+* Race condition between setting the timeout in the back ends and
+ reading it in the front end during initgroup operation was
+ fixed. This bug affected applications that perform the
+ initgroups(3) operation in multiple processes simultaneously.
+* Setups that only want to use the domain SSSD is connected to,
+ but not the autodiscovered trusted domains by setting
+ `subdomains_provider=none` now work correctly as long as the
+ domain SID is set manually in the config file.
+* In case only "allow" rules are used, the simple access provider
+ is now able to skip unresolvable groups.
+* The GPO access control code now handles situations where user
+ and computer objects were in different domains.
+
+-------------------------------------------------------------------
+Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com
+
+- Update to new upstream release 1.12.4 (Changelog highlights following)
+* This is mostly a bug fixing release with only minor enhancements
+ visible to the end user.
+* Contains many fixes and enhancements related to the ID views
+ functionality of FreeIPA servers.
+* Several fixes related to retrieving AD group membership in an
+ IPA-AD trust scenario.
+* Fixes a bug where the GPO access control previously didn't work
+ at all if debugging was enabled in smb.conf.
+* SSSD can now be pinned to a particular AD site instead of
+ autodiscovering the site.
+* A regression that caused setting the SELinux context for IPA users
+ to fail, was fixed.
+* Fixed a potential crash caused by a double-free error when an SSSD
+ service was killed by the monitor process.
+
+-------------------------------------------------------------------
+Mon Feb 16 10:09:18 UTC 2015 - howard@localhost
+
+- A minor rpmspec cleanup to get rid of five rpmlint warnings
+* Remove mentioning of system-wide dbus configuration file from comments.
+* Remove traditional init script.
+* Remove compatibility for producing packages on older OpenSUSE releases.
+
+-------------------------------------------------------------------
+Thu Jan 8 22:23:42 UTC 2015 - jengelh@inai.de
+
+- Update to new upstream release 1.12.3
+* SSSD now allows the IPA client to move from one ID view to
+ another after SSSD restart.
+* It is possible to apply ID views to IPA domains as well.
+ Previous SSSD versions only allowed views to be applied to AD
+ trusted domains.
+* Overriding SSH public keys is supported in this release.
+* Move semanage related functions to a separate library.
+
+-------------------------------------------------------------------
+Thu Jan 1 22:01:02 UTC 2015 - meissner@suse.com
+
+- build with PIE
+
+-------------------------------------------------------------------
+Mon Nov 10 00:37:00 UTC 2014 - Led
+
+- fix bashism in postun script
+
+-------------------------------------------------------------------
+Thu Oct 30 12:22:06 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 1.12.2 (bugfix release, bnc#900159)
+* Fixed a regression where the IPA provider did not fetch User
+ Private Groups correctly
+* An important bug in the GPO access control which resulted in a
+ wrong principal being used, was fixed.
+* Several new options are available for deployments that need to
+ restrict a certain PAM service from connecting to a certain SSSD
+ domain. For more details, see the description of
+ pam_trusted_users and pam_public_domains options in the
+ sssd.conf(5) man page and the domains option in the pam_sss(8)
+ man page.
+* When SSSD is acting as an IPA client in setup with trusted AD
+ domains, it is able to return group members or full group
+ memberships for users from trusted AD domains.
+* Support for the "views" feature of IPA.
+- Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch
+ (merged upstream)
+
+-------------------------------------------------------------------
+Sat Oct 11 13:36:48 UTC 2014 - jengelh@inai.de
+
+- Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch
+ to workaround bad autoconf invocation
+
+-------------------------------------------------------------------
+Sat Oct 11 00:16:15 UTC 2014 - crrodriguez@opensuse.org
+
+- 0001-build-detect-endianness-at-configure-time.patch
+ Correct defective endianness test.
+
+-------------------------------------------------------------------
+Mon Oct 6 13:25:23 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 1.12.1
+* The GPO access control was further enhanced to allow the access
+ control decisions while offline and map the Windows logon
+ rights onto Linux PAM services.
+* The SSSD now ships a plugin for the rpc.idmapd daemon,
+ sss_rpcidmapd(5).
+* A MIT Kerberos localauth plugin was added to SSSD. This plugin
+ helps translating principals to user names in IPA-AD trust
+ scenarios, allowing the krb5.conf configuration to be less
+ complex.
+* A libwbclient plugin implementation is now part of the SSSD.
+ The main purpose is to map Active Directory users and groups
+ identified by their SID to POSIX users and groups for the
+ file-server use-case.
+* Active Directory users ca nnow use their User Logon Name to log
+ in.
+* The sss_cache tool was enhanced to allow invalidating the SSH
+ host keys.
+* Groups without full POSIX information can now be used to enroll
+ group membership (CVE-2014-0249).
+* Detection of transition from offline to online state was
+ improved, resulting in fewer timeouts when SSSD is offline.
+* The Active Directory provider now correctly detects Windows
+ Server 2012 R2. Previous versions would fall back to the slower
+ non-AD path with 2012 R2.
+* Several other bugs related to deployments where SSSD is acting
+ as an AD client were fixed.
+
+-------------------------------------------------------------------
+Fri Aug 22 15:44:14 UTC 2014 - lchiquitto@suse.com
+
+- The utility sss_obfuscate uses the Python module pysss, so add a
+ dependency on python-sssd-config to sssd-tools (bnc#890242)
+
+-------------------------------------------------------------------
+Sun Aug 10 12:20:50 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 1.12.0
+* A new responder, called InfoPipe was added. This responder
+ provides a public D-Bus interface accessible over the system bus.
+ In this release, methods for retrieving user attributes and list
+ of groups were added as well as objects representing SSSD domains
+ and processes. (The next 1.12.x releases will publish objects
+ representing users and groups, too.)
+* SSSD provides an ID-mapping plugin for cifs-utils so that Windows
+ SIDs can be mapped onto POSIX IDs and/or names without requiring
+ Winbind and using the same code as the SSSD uses for identity
+ information.
+* First phase of Group Policy-based access control for the AD
+ provider was added. At the moment, the gpo-ldap component that
+ downloads the list of GPOs that apply for the specific client has
+ been implemented as well as the gpo-smb component that retrieves
+ the group policy files and determines the access control check
+ results based on those files. Future improvements will focus on
+ storing the GPO policies as local files and mapping the Windows
+ logon rights onto Linux PAM services.
+* Added a new library called sss_sifp that provides a simple
+ synchronous API for communication with our new InfoPipe responder
+ over the system bus.
+- Remove 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch
+ (merged upstream)
+- Provide "rcsssd" in systemd environments
+- Ensure sssd is always startable by removing /var/lib/sss/db/*.ldb
+ on package installation so as to avoid potentially cache
+ format incompatibility which would cause sssd to exit
+
+-------------------------------------------------------------------
+Thu Jun 12 14:18:30 UTC 2014 - ckornacker@suse.com
+
+- fix %postun to not erroneously remove sss pam module
+
+-------------------------------------------------------------------
+Tue May 27 16:56:42 UTC 2014 - crrodriguez@opensuse.org
+
+- Switch to libnl-3 so we can get rid of libnl-1.
+
+-------------------------------------------------------------------
+Sat May 24 14:36:43 UTC 2014 - jengelh@inai.de
+
+- Redo 0001-build-detect-endianness-at-configure-time.patch to be -p1
+- Add 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch
+ to resolve runtime loading problems
+ (http://lists.opensuse.org/opensuse-factory/2014-05/msg00181.html )
+
+-------------------------------------------------------------------
+Tue May 13 11:11:59 UTC 2014 - varkoly@suse.com
+
+- bnc#877457 - 78 Configuration file /usr/lib/systemd/system/sssd.service is marked executable.
+ Please remove executable permission bits.
+
+-------------------------------------------------------------------
+Tue May 6 14:01:29 UTC 2014 - ddiss@suse.com
+
+- Detect endianness at configure time, for use by Samba's byteorder.h header;
+ (bnc#876544).
+
+ 0001-build-detect-endianness-at-configure-time.patch
+
+-------------------------------------------------------------------
+Tue Apr 29 10:00:57 UTC 2014 - varkoly@suse.com
+
+- Update to new upstream release 1.11.5.1
+ * sssd crashes after upgrade from 1.11.4 to 1.11.5 when using a samba4 domain
+ * SSSD pam module accepts usernames with leading spaces
+ * [RFE] Expose the list of trusted domains to IPA
+ * If both IPA and LDAP are set up with enumeration on, two enum tasks are running
+ * sssd.conf man pages don't list a configuration option.
+ * Make SSSD compilable on systems with non-standard paths to krb5 includes
+ * [freebsd] pam_sss: add ignore_unknown_user option
+ * MAN: Remove misleading memberof example from ldap_access_filter example
+ * not retrieving homedirs of AD users with posix attributes
+ * Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes
+ * Check IPA idranges before saving them to the cache
+ * Evaluate usage of sudo LDAP provider together with the AD provider
+ * Setting int option to 0 yields the default value
+ * ipa-server-mode: Use lower-case user name component in home dir path
+ * SSSD Does not cache SELinux map from FreeIPA correctly
+ * IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
+ * sssd fails to handle expired passwords when OTP is used
+ * Add another Kerberos error code to trigger IPA password migration
+ * Double OK when starting the service
+ * SSSD should create the SELinux mapping file with format expected by pam_selinux
+ * Valgrind: Invalid read of int while processing netgroup
+ * other subdomains are unavailable when joined to a subdomain in the ad forest
+ * Error during password change
+ * configure time variables not expanded when running ./configure
+ * RHEL7 IPA selinuxusermap hbac rule not always matching
+
+-------------------------------------------------------------------
+Fri Mar 7 15:18:34 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 1.11.4
+* The simple access provider supports specifying users and groups
+ using their NetBIOS domain name (such as DOMAIN\username)
+* Support for enumerating users and groups from trusted AD domains
+ was added to the AD provider
+* The Active Directory site discovery was made more robust for
+ configurations which use multiple trusted domains
+* Several bugs in the LDAP provider that affected setups which
+ mapped Windows SIDs to POSIX IDs were fixed
+* The SSSD is now able to use One Time Password (OTP)
+ authentication configured on an IPA server.
+
+-------------------------------------------------------------------
+Fri Dec 20 21:54:58 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 1.11.3
+* The AD provider is able to resolve group memberships for groups
+ with Global and Universal scope
+* The initgroups (get groups for user) operation for users from
+ trusted AD domains was made more reliable by reading the required
+ tokenGroups attribute from LDAP instead of Global Catalog
+* A new option ad_enable_gc was added to the AD provider. This
+ option allows the administrator to force SSSD to talk to LDAP
+ port only and never try the Global Catalog
+* The AD provider is now able to leverage the tokenGroups attribute
+ even when POSIX attributes are used, providing better performance
+ during logins.
+* A memory leak in the NSS responder that affected long-lived
+ clients that requested netgroup data was fixed
+- Remove sssd-ldflags.diff (merged upstream)
+
+-------------------------------------------------------------------
+Thu Nov 28 16:51:39 UTC 2013 - ckornacker@suse.com
+
+- Migrate deprecated krb5_kdcip variable to krb5_server (bnc#851048)
+
+-------------------------------------------------------------------
+Fri Nov 1 22:12:03 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 1.11.2
+* A new option ad_access_filter was added.
This option allows the
+ administrator to easily configure LDAP search filter that the users
+ logging in must match in order to be granted access.
+* The Kerberos provider will no longer try to create public
+ directories when evaluating the krb5_ccachedir option.
+- Remove 0005-implicit-decl.diff (merged upstream)
+
+-------------------------------------------------------------------
+Tue Sep 3 21:12:37 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 1.11.0
+* The sudo integration was made more robust. SSSD is now able to
+ gracefully handle situations where it is not able to resolve the
+ client host name or sudo rules have multiple name attributes.
+* Several nested group membership bugs were fixed
+* The PAC responder was made more robust and efficient, modifying
+ existing cache entries instead of always recreating them.
+* The Kerberos provider now supports the new KEYRING ccache type.
+- Remove sssd-no-ldb-check.diff, now implemented through a
+ configure argument --disable-ldb-version-check
+
+-------------------------------------------------------------------
+Sun Jun 16 16:11:42 UTC 2013 - jengelh@inai.de
+
+- Explicitly formulate SASL BuildRequires
+
+-------------------------------------------------------------------
+Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 1.9.5
+* Includes a fix for CVE-2013-0287: A simple access provider flaw
+ prevents intended ACL use when SSSD is configured as an Active
+ Directory client.
+* Fixed spurious password expiration warning that was printed on
+ login with the Kerberos back end.
+* A new option ldap_rfc2307_fallback_to_local_users was added. If
+ this option is set to true, SSSD is be able to resolve local
+ group members of LDAP groups.
+* Fixed an indexing bug that prevented the contents of autofs maps
+ from being returned to the automounter deamon in case the map
+ contained a large number of entries.
+* Several fixes for safer handling of Kerberos credential caches
+ for cases where the ccache is set to be stored in a DIR: type.
+- Remove Provide-a-be_get_account_info_send-function.patch,
+ Add-unit-tests-for-simple-access-test-by-groups.patch,
+ Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch,
+ Resolve-GIDs-in-the-simple-access-provider.patch
+ (CVE-2013-0287 material is in upstream),
+ sssd-sysdb-binary-attrs.diff (merged upstream)
+
+-------------------------------------------------------------------
+Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de
+
+- Implement signature verification
+
+-------------------------------------------------------------------
+Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com
+
+- Fixed security issue: CVE-2013-0287 (bnc#809153):
+ When SSSD is configured as an Active Directory client by using
+ the new Active Directory provider or equivalent configuration
+ of the LDAP provider, the Simple Access Provider does not
+ handle access control correctly. If any groups are specified
+ with the simple_deny_groups option, the group members are
+ permitted access. New patches:
+ * Provide-a-be_get_account_info_send-function.patch
+ * Add-unit-tests-for-simple-access-test-by-groups.patch
+ * Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
+ * Resolve-GIDs-in-the-simple-access-provider.patch
+
+-------------------------------------------------------------------
+Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de
+
+- Resolve user retrieval problems when encountering binary data
+ in LDAP attributes (bnc#806078),
+ added sssd-sysdb-binary-attrs.diff
+- Added sssd-no-ldb-check.diff so that SSSD continues to start
+ even after an LDB update.
+
+-------------------------------------------------------------------
+Fri Feb 8 10:31:52 UTC 2013 - rhafer@suse.com
+
+- fix package name in baselibs.conf (bnc#796423)
+
+-------------------------------------------------------------------
+Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com
+
+- update to 1.9.4 (bnc#801036):
+ * A security bug assigned CVE-2013-0219 was fixed - TOCTOU race
+ conditions when creating or removing home directories for users
+ in local domain
+ * A security bug assigned CVE-2013-0220 was fixed - out-of-bounds
+ reads in autofs and ssh responder
+ * The sssd_pam responder processes pending requests after
+ reconnect
+ * A serious memory leak in the NSS responder was fixed
+ * Requests that were processing group entries with DNs pointing
+ out of any configured search bases were not terminated
+ correctly, causing long timeouts
+ * Kerberos tickets are correctly renewed even after SSSD daemon
+ restart
+ * Multiple fixes related to SUDO integration, in particular
+ fixing functionality when the sssd back end process was
+ changing its online/offline status
+ * The pwd_exp_warning option was fixed to function as documented
+ in the manual page
+- refreshed sssd-ldflags.diff to apply cleanly
+
+-------------------------------------------------------------------
+Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com
+
+- Removed left-over "Requires" for no longer existing sssd-client
+ subpackage.
+- New patch: sssd-ldflags.diff to fix link failures due to erroneous
+ LDFLAGS usage
+
+-------------------------------------------------------------------
+Thu Dec 6 10:38:59 UTC 2012 - rhafer@suse.com
+
+- Switch back to using libcrypto instead of mozilla-nss as it seems
+ to be supported upstream again, cf.
+ https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010202.html
+- Cleanup PAM configuration after uninstalling sssd (bnc#788328)
+
+-------------------------------------------------------------------
+Thu Dec 6 09:05:29 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 1.9.3
+* Many fixes related to deployments where the SSSD is running as
+ a client of IPA server with trust relation established with an
+ Active Directory server
+* Multiple fixes related to correct reporting of group
+ memberships, especially in setups that use nested groups
+* Fixed a bug that prevented upgrade from the 1.8 series if the
+ cache contained nested groups before the upgrade
+* Restarting the responders is more robust for cases where the
+ machine is under heavy load during back end restart
+* The default_shell option can now be also set per-domain in
+ addition to global setting.
+
+-------------------------------------------------------------------
+Sat Nov 10 00:27:06 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 1.9.2
+* Users or groups from trusted domains can be retrieved by UID or
+ GID as well
+* Several fixes that mitigate file descriptor leak during logins
+* SSH host keys are also removed from the cache after being
+ removed from the server
+* Fix intermittent crash in responders if the responder was
+ shutting down while requests were still pending
+* Catch an error condition that might have caused a tight loop in
+ the sssd_nss process while refreshing expired enumeration request
+* Fixed memory hierarchy of subdomains discovery requests that
+ caused use-after-free access bugs
+* The krb5_child and ldap_child processes can print libkrb5 tracing
+ information in the debug logs
+
+-------------------------------------------------------------------
+Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 1.8.93 (1.9.0~beta3)
+* Add native support for autofs to the IPA provider
+* Support for id mapping
when connecting to Active Directory
+* Support for handling very large (> 1500 users) groups in
+ Active Directory
+* Add a new fast in-memory cache to speed up lookups of cached data
+ on repeated requests
+* Add support for the Kerberos DIR cache for storing multiple TGTs
+ automatically
+* Add a new PAC responder for dealing with cross-realm Kerberos
+ trusts
+* Terminate idle connections to the NSS and PAM responders
+
+-------------------------------------------------------------------
+Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 1.8.3
+* LDAP: Handle situations where the RootDSE is not available
+ anonymously
+* LDAP: Fix regression for users using non-standard LDAP attributes
+ for user information
+- Switch from openssl to mozilla-nss, as this is the officially
+ supported crypto integration
+
+-------------------------------------------------------------------
+Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com
+
+- Fix build error on SLES 11 builds
+
+-------------------------------------------------------------------
+Mon Apr 9 21:45:45 PDT 2012 - ben.kevan@gmail.com
+
+- Add suse_version condition for glib over libunistring for
+ SLES 11 SP2.
+- Update to new upstream release 1.8.2
+* Fix for GSSAPI binds when the keytab contains unrelated
+ principals
+* Workarounds added for LDAP servers with unreadable RootDSE
+
+-------------------------------------------------------------------
+Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com
+
+- Update to new upstream release 1.8.1
+* Resolve issue where we could enter an infinite loop trying to
+ connect to an auth server
+
+-------------------------------------------------------------------
+
+Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
+
+- Update to new upstream release 1.8.0
+* Support for the service map in NSS
+* Support for setting default SELinux user context from FreeIPA
+* Support for retrieving SSH user and host keys from LDAP
+* Support for caching autofs LDAP requests
+* Support for caching SUDO rules
+* Include the IPA AutoFS provider
+* Fixed several memory-corruption bugs
+* Fixed a regression in the proxy provider
+
+-------------------------------------------------------------------
+Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de
+
+- Fixed systemd related packaging issues (bnc#724157)
+- fixed build on older openSUSE releases
+
+-------------------------------------------------------------------
+Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de
+
+- Resolve "have choice for libnl-devel:
+ libnl-1_1-devel libnl3-devel"
+
+-------------------------------------------------------------------
+Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de
+
+- Fixed typos in configure args
+- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
+- switched to fd-leak fix cherry-picked from 1.5 branch
+- Add /usr/sbin to the search path to make configure find nscd
+ (bnc#709747)
+
+-------------------------------------------------------------------
+Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de
+
+- Add patches to fix an fd leak in sssd_pam
+
+-------------------------------------------------------------------
+Thu Jul 28 10:03:32 UTC 2011 -
jengelh@medozas.de
+
+- Update to new upstream release 1.5.11
+* Support for overriding home directory, shell and primary GID
+ locally
+* Properly honor TTL values from SRV record lookups
+* Support non-POSIX groups in nested group chains (for RFC2307bis
+ LDAP servers)
+* Properly escape IPv6 addresses in the failover code
+* Do not crash if inotify fails (e.g. resource exhaustion)
+- Remove redundant %clean section; delete .la files more
+ efficiently
+
+-------------------------------------------------------------------
+Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de
+
+- Update to 1.5.8:
+ * Support for the LDAP paging control
+ * Support for multiple DNS servers for name resolution
+ * Fixes for several group membership bugs
+ * Fixes for rare crash bugs
+
+-------------------------------------------------------------------
+Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de
+
+- Update to 1.5.7
+ * A flaw was found in the handling of cached passwords when
+ kerberos renewal tickets is enabled.
Due to a bug, the cached + password was overwritten with a (moderately) predictable + filename, which could allow a user to authenticate as someone + else if they knew the name of the cache file (bnc#691135, + CVE-2011-1758) +- Changes in 1.5.6: + * Fixed a serious memory leak in the memberOf plugin + * Fixed a regression with the negative cache that caused it to be + essentially nonfunctional + * Fixed an issue where the user's full name would sometimes be + removed from the cache + * Fixed an issue with password changes in the kerberos provider + not working with kpasswd + +------------------------------------------------------------------- +Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de + +- Update to 1.5.5 + * Fixes for several crash bugs + * LDAP group lookups will no longer abort if there is a + zero-length member attribute + * Add automatic fallback to 'cn' if the 'gecos' attribute does not + exist + +------------------------------------------------------------------- +Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de + +- Should build in SLE-11-SP1 now + +------------------------------------------------------------------- +Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de + +- Updated to 1.5.4 + * Fixes for Active Directory when not all users and groups have + POSIX attributes + * Fixes for handling users and groups that have name aliases + (aliases are ignored) + * Fix group memberships after initgroups in the IPA provider + +------------------------------------------------------------------- +Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de + +- Updated to 1.5.3 + * Support for libldb >= 1.0.0 + * Proper detection of manpage translations + * Changes between 1.5.1 and 1.5.2 + * Fixes for support of FreeIPA v2 + * Fixes for failover if DNS entries change + * Improved sss_obfuscate tool with better interactive mode + * Fix several crash bugs + * Don't attempt to use START_TLS over SSL. 
Some LDAP servers + can't handle this + * Delete users from the local cache if initgroups calls return + 'no such user' (previously only worked for getpwnam/getpwuid) + * Use new Transifex.net translations + * Better support for automatic TGT renewal (now survives + restart) + * Netgroup fixes + +------------------------------------------------------------------- +Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de + +- Updated to 1.5.1 + * Vast performance improvements when enumerate = true + * All PAM actions will now perform a forced initgroups lookup + instead of just a user information lookup This guarantees that + all group information is available to other providers, such as + the simple provider. + * For backwards-compatibility, DNS lookups will also fall back to + trying the SSSD domain name as a DNS discovery domain. + * Support for more password expiration policies in LDAP + - 389 Directory Server + - FreeIPA + - ActiveDirectory + * Support for ldap_tls_{cert,key,cipher_suite} config options + * Assorted bugfixes + +------------------------------------------------------------------- +Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de + +- /var/lib/sss/pubconf was missing (bnc#665442) + +------------------------------------------------------------------- +Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de + +- It was possible to make sssd hang forever inside a loop in the + PAM responder by sending a carefully crafted packet to sssd. + This could be exploited by a local attacker to crash sssd and + prevent other legitimate users from logging into the system. + (bnc#660481, CVE-2010-4341) + +------------------------------------------------------------------- +Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de + +- Own /etc/systemd directories to fix build. 
+ +------------------------------------------------------------------- +Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com + +- install systemd service file + +------------------------------------------------------------------- +Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com + +- Updated to 1.4.1 + * Add support for netgroups to the LDAP and proxy providers + * Fixes a minor bug with UIDs/GIDs >= 2^31 + * Fixes a segfault in the kerberos provider + * Fixes a segfault in the NSS responder if a data provider crashes + * Correctly use sdap_netgroup_search_base + * the utility libraries libpath_utils1, libpath_utils-devel, + libref_array1 and libref_array-devel moved to their own + separate upstream project (ding-libs) + * Performance improvements made to group processing of RFC2307 + LDAP servers + * Fixed nested group issues with RFC2307bis LDAP servers without + a memberOf plugin + * Manpage reviewed and updated + +------------------------------------------------------------------- +Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com + +- remove hard coded python version + +------------------------------------------------------------------- +Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com + +- No dependencies on %{release} + +------------------------------------------------------------------- +Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com + +- Updated to 1.3.1 + * Fixes to the HBAC backend for obsolete or removed HBAC entries + * Improvements to log messages around TLS and GSSAPI for LDAP + * Support for building in environments using --as-needed LDFLAGS + * Vast performance improvement for initgroups on RFC2307 LDAP servers + * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the + daemon if SSSD is restarted + * Rewrote the internal LDB cache API. 
As a synchronous API it is now faster + to access and easier to work with + * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider + - We now handle failover situations much more reliably than we did + previously + - We also will now monitor the GSSAPI kerberos ticket and automatically + renew it when appropriate, instead of waiting for a connection to fail + * Support for netlink now allows us to more quickly detect situations + where we may have come online + * New option "dns_discovery_domain" allows better configuration for + using SRV records for failover +- New subpackages: libpath_utils1, libpath_utils-devel, libref_array1 + and libref_array-devel + +------------------------------------------------------------------- +Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com + +- Package pam- and nss-Modules as baselibs +- cleaned up file list and dependencies +- fixed init script dependencies + +------------------------------------------------------------------- +Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com + +- Updated to 1.1.0 + * Support for IPv6 + * Support for LDAP referrals + * Offline failed login counter + * Fix for the long-standing cache cleanup performance issues + * libini_config, libcollection, libdhash, libref_array and + libpath_utils are now built as shared libraries for general + consumption (libref_array and libpath_utils are currently not + packaged, as no component in sssd links against them) + * Users get feedback from PAM if they authenticated offline + * Native local backend now has a utility to show nested memberships + (sss_groupshow) + * New "simple" access provider for easy restriction of users +- Backported libcrypto support from master to avoid Mozilla NSS + dependency +- Backported password policy improvments for LDAP provider from + master + +------------------------------------------------------------------- +Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com + +- use logfiles for debug messages by default + 
+------------------------------------------------------------------- +Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com + +- subpackages for commandline tools, ipa-provider plugin and + python API + +------------------------------------------------------------------- +Fri Feb 26 14:48:50 UTC 2010 - rhafer@novell.com + +- Updated to 1.0.5. Highlights: + * Removed some dead code (libreplace + * Clarify licenses throughout the code + +------------------------------------------------------------------- +Thu Feb 4 17:04:01 UTC 2010 - rhafer@novell.com + +- Updated to 1.0.4 + +------------------------------------------------------------------- +Thu Oct 8 15:10:47 UTC 2009 - rhafer@novell.com + +- Update to 0.6.0 + +------------------------------------------------------------------- +Fri Sep 4 08:59:21 UTC 2009 - rhafer@novell.com + +- fix LDAP filter for initgroups() with rfc2307bis setups + +------------------------------------------------------------------- +Tue Sep 1 08:58:37 UTC 2009 - rhafer@novell.com + +- initial package submission + diff --git a/sssd.keyring b/sssd.keyring new file mode 100644 index 0000000..5cd9c37 --- /dev/null +++ b/sssd.keyring 
@@ -0,0 +1,75 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGI9m7YBEACjfmpZrW6wpmz+QRfnx1UuOABpTmsBi6ElTqx+ZzLU2R3N4KLl +PDycp6Pm5PqnLRLoC0TzHh1MjpVWiCfrnlTm6yD2Y6A37c6/elFjiZlbY93zUJi9 +mE3OXyxe3RQHVjEYiQZ+DCcgQe5r2mFL8prK2OBIIoJJK2t46EjcjsJJkOIgT9H0 +7FaLWfT2MHhO0mg6EqwqOsSKI392sVhJ0GTDULiI1ZlRULZwn3oWdXglO5O9KAhu +jSAIrKuX6QsIxXfVDG1wmOR99yyuiXpJhlKbgdw3Y37IcHRD9DLbqCnp//3WkW9W +k5Mn/bYK1TIed92U4CWNqz557lGnQxwPyyaNkJW9L1kNWO6P9Kl8RgxuX0689Zb0 +sqooxTK//O+BBOso1iSRsdyqo2KSIBF06Fe9x5i+jwX2N3hHbzODfT0rHOokPj5p +jT/o6NFQ0lMqYQJxQA7/71Dk/6EkkxE3kHTkFNHBii1pt0msyQij8URmTTN39V1f +n+HlxDOrzDSccrs5x0b+cT5wuB1tSp9JhkmmAk5rb8vsHL+iPRM4ZDIOJNm/Qlg6 +pQ+V4FEamntO9undQro0hSShEq69JDbBhT+fmHcAH2a03buTdyu3aqok3OSdxMj/ +aprl84eFxE3cwlCXzsu0qf8ue9UjFWynmwsDQgR4EMMbVDwInd/rrV+wOwARAQAB +tElTU1NEIFByb2plY3QgKGh0dHBzOi8vc3NzZC5pbykgPHNzc2QtbWFpbnRhaW5l +cnNAbGlzdHMuZmVkb3JhcHJvamVjdC5vcmc+iQJOBBMBCAA4FiEEwTzQf/stsUCO +RXo809IbKRDPZ1kFAmI9m7YCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +09IbKRDPZ1nmShAAlEZD+l7OSTb8uOQDj9wHXjkJbrz2vp3vfHiUo69NIssEQRUE +WRpygejjCsc3XlS8XivWwLIqrDOczenyCVVNSSWfaQpBc2ZR+XXBKMpxa1PlFduQ +wax2cbPXVdo47t3gVWAzicO0zxeAQVEZHUKyoWmaKtuFdN1ZJpNCvFJcr6yEFY5k +vQy5Caf6G1oDS9XYsx4YZZT0YhMo3d/8awJLJuVfnqsC/mTOaC7Khms31c2SC+50 ++i+gE9HOVkLqanYkQcmdWIMN/oOljAd3zCFBNw5cXXuNmjp32URcm4khLKuxgV12 +RetW63SAMydavCp8jMpjuE1pBo6s+/ZcvHe0IhS5fcAbXnIuxqhB2FfeJVg3Udx8 +u+zZjwtndUZ9NCETomHa77Beq3h/0A/hiEmNl6xAYttNRvF/bbNg9k3o6lZydDYM +zhdmGh+VfZhuyyGJXWsrK0ZzJ0zXjorIKPlCi32cMrOPlYd94N4aWZaHC+uDZSMW +Xwjl79Tt92psOIiQwSSm1vaRvXV9w3HzyZtOIlK+Nc7T6qTOIHGgCuQI5zXNorNb +sdmzOR+ZrnYBk/E6hiaU8b4hQS2HJyr9YqERi2LjB9VICC+KHhsjba/hxIoVZR/v +Hg+WM/NBpOoaiScxLaqWNuoxY84SNJCgupWlCmBEDxWG+Q0ku/xgyRARCt2JATME +EAEIAB0WIQQaQdxnUF+JozCCi2av/nXd6FCOEgUCYj2dVAAKCRCv/nXd6FCOEihw +CACcbB3JuIeSGZbtVOvepRSjoaWRzC97V7Lj2lz9nIc610W0WfzHCePi+I9leuup +R/eV3Hhhx04QU9Zisc0CWVUC4mpgqzSgB1o4DYu1vPVPXZdfZkGVGtSiW+5rfjZo +iqGBGX8JalieI0wNYHQz660f21w08niecpnpFyadZh8/8oH3or0xvtCbPXOM+YH3 
+CpsBGS0aP2sf+uhvbGHoEygmLqr5rkkkC8XmEa8GxFFFpYVc1nzys7zVFoMWZ9Ta +UnyNwyo1JZHgVEbyCL3lK8OS9xXoPyOAqFT6Ux+Odj36hqamAsGAHL9O/DoEaUKI +fuGGvRb6Dlebrt3KDTiXbR9DiHUEEBYKAB0WIQQoeTnfBirYxTh2pTXC17mKk07s +FwUCYj2umAAKCRDC17mKk07sFyBsAQCAL84Bwe4BA8DEhGYhrl9Eb38LQ2hbNeJX +nLtjKqQlnwEA0BC1FR+bBm5NunMYbKtKcMLIAHtzSBbBrNqQzTO8XguJAjMEEAEI +AB0WIQSTAgGqtC3RlHIQt4ONcyY1GnJiEQUCYj28PgAKCRCNcyY1GnJiEZHdD/95 +sK4SFrSb1fJYcvk6OQMW2hW7VCohuqDOYWob2Tm7RWP9CxJ7I3PilEUizbp76AoX +V6UvXiBtY2q6omXMv2qBeEja7OWd3HWl0SXA5XLyRSF7hwirP2CqQZM8+zSyiYKf +TNw3rWTJjjarUnv6GYdoH55jEfk7sCIrbp5xEzvWu+9w/5pnIsSsFhYwJOD5ic+h +or3LHRN5Jn+jm6ec6H4Ums5zA4rnvTdxfcHKx1sX1KDez2d0k1BYONHGh5tTJSrx +3F5xxOqXHzPt7obiVOCYbE3NU2LswcHz2XNpdoXTyO/LLmvRVvoG1O6LGRrw5Tkg +lnres9gWMccHna4AnDGpXtXzyhlMlzIY5LNrROsg462tIWJcIopSmRct+IQxnOyW +te7k4BAVA/vO6FGnzfLPdH6Lwnos5OMfBew2j2b8yddM8qkBQxR7NUVhYMei7jLh +MiN1FTwtrtuAeMUddbIo/lZYMqUlNyl7Kiwqxse7EFGUvZwq5qhlaKfMZ48qVSYM +QQb6NILl9t5f/UrAkOSrgTF3uWQbcAOMQWusfDuBmHOolFVPTujQP7N5Asob9Nw0 ++oL2zY0MuG41xAf1tej25i8iYctJuB2L1uJULhw3i3iswPSuTJIKtYpKoES81jxG +Tit45gyS7XYpYdvAnYPTOPwF3sezy3uwmsob3geYR4h1BBAWCgAdFiEEf4f7DbyL +UMrqkdmCWuS5aYPSAzAFAmJDI/4ACgkQWuS5aYPSAzCznAD8DpzDOP5ILp2FbUGh +ROWM5T6cOppAOXDX2VN8hViDDmsA/24jLp5ga8cUwy7QVHduC9f8LLwN3O7q7XYz +BdBNnRMCuQINBGI9m7YBEACyE5/YORGMmYqKksDPFZNUW7unejUW7XTuLSMXrI9m +u8sFXT8tqPQJetYxaKiZqXxiS652u1XnLZf3ps4t6OINHSuT61Xw1Z6Svhn+o+Wz +Tmnfneahk1Czjlzs59qv3YXwLKffws7H5vGuOTnesgTyWJJG1A0wpehcZsI+rUzC +6mDwip1rSxocuFET6HK2eMpAo1B4V7XLC6srh3HzCNr5AB5UkjMWAuQqjUrqIt6O +dfPO9mqYf/w+CoI2HhVebwDjIXtoO5nVjPUncb0lUEsVWiA9C3xWi/pk2pd3nfkW +s+P0iJNYut+CQwGaHV8+gmwSLUUw/fraMASY5FVxLdSHKZ402Q6aSyuk93k7UQ7i +VIuZpOdjWASWgkATM5KEQHRVrt2enurn6oYBY2tSjzXmbTiCaaCG0p8CBtDvCIxT +Pz4Y0uaWcbIHLz3k0Tr4+zko/PEdh7qLCO83BJPf7/bVxGBMynxkAKXXgBlfjlFt +q7KMpbiM+qndP3SJpjlb0AnI7nCV1KvEeW+oIO+uQ2PwAlyFyV0pf8IYOeI0SN/R +3QSKL8CjlzSIwraUoCk79h3hJgBPG9D4ASwxeSPmriY9tbhNtsVUCT9YZgfxrJg8 +bzZvObeng+2IknKbxDzs/hnkNQ7uWx2GGeq7BYZ1eTwctWsw3V8VejiPByJEjQve 
+PQARAQABiQI2BBgBCAAgFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmI9m7YCGwwA +CgkQ09IbKRDPZ1mbeA//YYPvboEUjp/qqXK8XEgcEL33M+uWJJQucuhtBEjfwAlQ +m29NqO6I3n9cbuINXRtNMUawk86LMouEkhexqUmSg7NNDu1Nqp32yHn8MMJjOPsy +u6AZQinQoT8UKnUMqvmqMFJiotvDb2j2aP9yL0PjCiEeyYkk3bl2oGSdMD4A4o4D +0PUpLWt+w+3YbG58iBazPD/FwiGhe8TO7EAm3I7dYZ4ErALdmT6ptCW90IG9AHfK +CZTvaMB0NX/IksfJ9DEwMgsF0Hwlx5dmTin9ufFKfhKFcwV5aDXlEsYDMqT2o7z9 +l/7UTNXnk6VG/QXFhRjBDPtQNkgZoze1VV5itGmBsVE+c9lRtr+6YPJ04CDDv9dX +DI0eGdPxVmfDTR2tHOt+LOYIw4umsID3/qQzYluoUx5Cpud45qaBRjq7/iE+KJgS +IqxgBTXkV39C8T4gXrDRRjlBsOcIc7P6yUVqyClExynQ1BAJSEueO95CtxXV2btK +xSkZ2CyhVtjRxW5TOfQdvrFPueoxC17syQTslM/mKk6DBRHJrullqPLbSieKEJyc +SMkza3BVIhi0hdPfVfBRnSYe8jRFmBIR+cXnyAOkDkPqWK7q/icGVDpJPuunteH3 +1vXu/KcDrL7GVRj2LD136Xla1sgGUEbYmLfIHvYmqh1DXJQvnoAyUFKaBWEpSBg= +=E0Gq +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sssd.spec b/sssd.spec new file mode 100644 index 0000000..158b0a0 --- /dev/null +++ b/sssd.spec 
@@ -0,0 +1,903 @@ +# +# spec file for package sssd +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: sssd +Version: 2.10.0 +Release: 0 +Summary: System Security Services Daemon +License: GPL-3.0-or-later AND LGPL-3.0-or-later +Group: System/Daemons +URL: https://github.com/SSSD/sssd +#Git-Clone: https://github.com/SSSD/sssd +Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz +Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc +Source3: baselibs.conf +Source5: %name.keyring +Patch1: krb-noversion.diff +Patch2: harden_sssd-ifp.service.patch +Patch3: harden_sssd-kcm.service.patch +Patch4: symvers.patch +BuildRequires: autoconf >= 2.59 +BuildRequires: automake +BuildRequires: bind-utils +BuildRequires: check-devel +BuildRequires: cifs-utils-devel +BuildRequires: cyrus-sasl-devel +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel >= 1.12 +BuildRequires: libcmocka-devel +%if 0%{?suse_version} >= 1600 +BuildRequires: libsubid-devel +%endif +BuildRequires: libtool +BuildRequires: libunistring-devel +BuildRequires: libxml2-tools +BuildRequires: libxslt-tools +BuildRequires: nscd +BuildRequires: nss_wrapper +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: pkg-config >= 0.21 +BuildRequires: systemd-rpm-macros +BuildRequires: uid_wrapper 
+BuildRequires: pkgconfig(augeas) >= 1.0.0 +BuildRequires: pkgconfig(collection) >= 0.5.1 +BuildRequires: pkgconfig(dbus-1) >= 1.0.0 +BuildRequires: pkgconfig(dhash) >= 0.4.2 +BuildRequires: pkgconfig(glib-2.0) +BuildRequires: pkgconfig(ini_config) >= 1.3 +BuildRequires: pkgconfig(jansson) +BuildRequires: pkgconfig(ldb) >= 0.9.2 +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libcares) +BuildRequires: pkgconfig(libcrypto) >= 1.0.1 +%if 0%{?suse_version} >= 1600 +BuildRequires: pkgconfig(libcurl) +%endif +BuildRequires: pkgconfig(libnfsidmap) +BuildRequires: pkgconfig(libnl-3.0) >= 3.0 +BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 +BuildRequires: pkgconfig(libpcre2-8) +%if 0%{?suse_version} >= 1600 +BuildRequires: pkgconfig(libsemanage) +%endif +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(ndr_krb5pac) +BuildRequires: pkgconfig(ndr_nbt) +BuildRequires: pkgconfig(p11-kit-1) >= 0.23.3 +BuildRequires: pkgconfig(popt) +BuildRequires: pkgconfig(python3) +BuildRequires: pkgconfig(smbclient) +BuildRequires: pkgconfig(talloc) +BuildRequires: pkgconfig(tdb) >= 1.1.3 +BuildRequires: pkgconfig(tevent) +BuildRequires: pkgconfig(uuid) +BuildRequires: python3-wheel +BuildRequires: python3-setuptools +%if 0%{?suse_version} && 0%{?suse_version} < 1600 +# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4); +# this conflicts with +# openldap2-devel pulls libldap2 wants libldap-data(-2.6) +# Package contains just config files, not needed for build. 
+#!BuildIgnore: libldap-data +%endif +%{?systemd_ordering} +Requires: sssd-ldap = %version-%release +Requires(postun): pam-config +Provides: libsss_sudo = %version-%release +Provides: sssd-client = %version-%release +Obsoletes: libsss_sudo < %version-%release +Provides: sssd-common = %version-%release +Obsoletes: sssd-common < %version-%release + +%define servicename sssd +%define sssdstatedir %_localstatedir/lib/sss +%define dbpath %sssdstatedir/db +%define pipepath %sssdstatedir/pipes +%define pubconfpath %sssdstatedir/pubconf +%define gpocachepath %sssdstatedir/gpo_cache +%define ldbdir %(pkg-config ldb --variable=modulesdir) + +# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko +# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins +# * cifs-utils one is the default (priority 20) +# * installing SSSD should NOT switch to SSSD plugin (priority 10) +%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin +%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so +%define cifs_idmap_name cifs-idmap-plugin +%define cifs_idmap_priority 10 +Requires(post): update-alternatives +Requires(postun): update-alternatives + +%description +Provides a set of daemons to manage access to remote directories and +authentication mechanisms. It provides an NSS and PAM interface toward +the system and a pluggable backend system to connect to multiple different +account sources. It is also the basis to provide client auditing and policy +services for projects like FreeIPA. + +%package ad +Summary: The ActiveDirectory backend plugin for sssd +License: GPL-3.0-or-later +Group: System/Daemons +Requires: %name-krb5-common = %version-%release +Requires: adcli + +%description ad +Provides the Active Directory back end that the SSSD can utilize to +fetch identity data from and authenticate against an Active Directory +server. 
+ +%package dbus +Summary: The D-Bus responder of sssd +License: GPL-3.0-or-later +Group: System/Base +Requires: %name = %version + +%description dbus +Provides the D-Bus responder of sssd, called InfoPipe, which allows +information from sssd to be transmitted over the system bus. + +%package ipa +Summary: FreeIPA backend plugin for sssd +License: GPL-3.0-or-later +Group: System/Daemons +Requires: %name = %version +Requires: %name-ad = %version-%release +Requires: %name-krb5-common = %version-%release +Obsoletes: %name-ipa-provider < %version-%release +Provides: %name-ipa-provider = %version-%release + +%description ipa +Provides the IPA back end that the SSSD can utilize to fetch identity +data from and authenticate against an IPA server. + +%package kcm +Summary: SSSD's Kerberos cache manager +License: GPL-3.0-or-later +Group: System/Daemons +Requires: sssd = %version-%release + +%description kcm +KCM is a process that stores, tracks and manages Kerberos credential +caches. + +%package krb5 +Summary: The Kerberos authentication backend plugin for sssd +License: GPL-3.0-or-later +Group: System/Daemons +Requires: %name-krb5-common = %version-%release + +%description krb5 +Provides the Kerberos back end that the SSSD can utilize authenticate +against a Kerberos server. + +%package krb5-common +Summary: SSSD helpers needed for Kerberos and GSSAPI authentication +License: GPL-3.0-or-later +Group: System/Daemons +Requires: cyrus-sasl-gssapi + +%description krb5-common +Provides helper processes that the LDAP and Kerberos back ends can +use for Kerberos user or host authentication. + +%package ldap +Summary: The LDAP backend plugin for sssd +License: GPL-3.0-or-later +Group: System/Daemons +Requires: %name-krb5-common = %version-%release + +%description ldap +Provides the LDAP back end that the SSSD can utilize to fetch +identity data from and authenticate against an LDAP server. 
+ +%package proxy +Summary: The proxy backend plugin for sssd +License: GPL-3.0-or-later +Group: System/Daemons + +%description proxy +Provides the proxy back end which can be used to wrap an existing NSS +and/or PAM modules to leverage SSSD caching. + +%package tools +Summary: Commandline tools for sssd +License: GPL-3.0-or-later AND LGPL-3.0-or-later +Group: System/Management +Requires: python3-sssd-config = %version-%release +Requires: sssd = %version + +%description tools +The packages contains commandline tools for managing users and groups using +the "local" id provider of the System Security Services Daemon (sssd). + +%package winbind-idmap +Summary: The sss idmap backend for Winbind +Group: System/Libraries + +%description winbind-idmap +The idmap_sss module provides a way for Winbind to call SSSD to map +UIDs/GIDs and SIDs. + +%package -n libsss_certmap0 +Summary: FreeIPA ID mapping library +License: LGPL-3.0-or-later +Group: System/Libraries + +%description -n libsss_certmap0 +A utility library for FreeIPA to map certs. + +%package -n libsss_certmap-devel +Summary: Development files for the FreeIPA certmap library +License: LGPL-3.0-or-later +Group: Development/Libraries/C and C++ +Requires: libsss_certmap0 = %version + +%description -n libsss_certmap-devel +A utility library for FreeIPA to map certs. + +%package -n libipa_hbac0 +Summary: FreeIPA HBAC Evaluator library +License: LGPL-3.0-or-later +Group: System/Libraries + +%description -n libipa_hbac0 +Utility library to validate FreeIPA HBAC rules for authorization +requests. + +%package -n libipa_hbac-devel +Summary: Development files for the FreeIPA HBAC Evaluator library +License: LGPL-3.0-or-later +Group: Development/Libraries/C and C++ +Requires: libipa_hbac0 = %version + +%description -n libipa_hbac-devel +Utility library to validate FreeIPA HBAC rules for authorization +requests. 
+ +%package -n libnfsidmap-sss +Summary: Library to allow communication between libnfsidmap and SSSD +License: GPL-3.0-or-later +Group: System/Libraries +Supplements: (nfsidmap and sssd-client) + +%description -n libnfsidmap-sss +A utility library to allow communication between libnfsidmap and SSSD. + +%package -n libsss_idmap0 +Summary: FreeIPA ID mapping library +License: LGPL-3.0-or-later +Group: System/Libraries + +%description -n libsss_idmap0 +A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. + +%package -n libsss_idmap-devel +Summary: Development files for the FreeIPA idmap library +License: LGPL-3.0-or-later +Group: Development/Libraries/C and C++ +Requires: libsss_idmap0 = %version + +%description -n libsss_idmap-devel +A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. + +%package -n libsss_nss_idmap0 +Summary: FreeIPA ID mapping library +License: LGPL-3.0-or-later +Group: System/Libraries + +%description -n libsss_nss_idmap0 +A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. + +%package -n libsss_nss_idmap-devel +Summary: Development files for the FreeIPA idmap library +License: LGPL-3.0-or-later +Group: Development/Libraries/C and C++ +Requires: libsss_nss_idmap0 = %version + +%description -n libsss_nss_idmap-devel +A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. + +%if 0%{?suse_version} < 1600 +%package -n libsss_simpleifp0 +Summary: The SSSD D-Bus responder helper library +License: GPL-3.0-or-later +Group: System/Libraries +# Even though sssd has obsoleted simpleifp, the plan here is to retain ABI +# compatibility with the existing SUSE 15.x product line. ...at least, until +# sssd completely removes SIFP from source. + +%description -n libsss_simpleifp0 +This subpackage provides a library that simplifies the D-Bus API for +the SSSD InfoPipe responder. 
+ +%package -n libsss_simpleifp-devel +Summary: Development files for the SSSD D-Bus responder helper library +License: GPL-3.0-or-later +Group: Development/Libraries/C and C++ +Requires: libsss_simpleifp0 = %version + +%description -n libsss_simpleifp-devel +This subpackage provides the development files for sssd's simpleifp, +a library that simplifies the D-Bus API for the SSSD InfoPipe +responder. +%endif + +%package -n libsss_sudo +Summary: A library to allow communication between sudo and SSSD +License: LGPL-3.0-or-later +Group: System/Libraries +Supplements: (sudo and sssd-client) + +%description -n libsss_sudo +A utility library to allow communication between sudo and SSSD. + +%package -n python3-ipa_hbac +Summary: Python bindings for the FreeIPA HBAC Evaluator library +License: LGPL-3.0-or-later +Group: Development/Libraries/Python +Requires: python3 + +%description -n python3-ipa_hbac +The python-ipa_hbac package contains the bindings so that libipa_hbac +can be used by Python applications. + +%package -n python3-sss-murmur +Summary: Python3 bindings for SSSD Murmur hash function +License: LGPL-3.0-or-later +Group: Development/Libraries/Python +Requires: python3 + +%description -n python3-sss-murmur +This subpackage provides the python3 module for calculating the +Murmur hash version 3. + +%package -n python3-sss_nss_idmap +Summary: Python bindings for libsss_nss_idmap +License: LGPL-3.0-or-later +Group: Development/Libraries/Python +Requires: python3 + +%description -n python3-sss_nss_idmap +The libsss_nss_idmap-python contains the bindings so that +libsss_nss_idmap can be used by Python applications. + +%package -n python3-sssd-config +Summary: Python API for configuring sssd +License: GPL-3.0-or-later AND LGPL-3.0-or-later +Group: Development/Libraries/Python +Requires: python3 + +%description -n python3-sssd-config +Provide python module to access and manage configuration of the System +Security Services Daemon (sssd). 
+ +%prep +%autosetup -p1 + +%build +# help configure find nscd +export PATH="$PATH:/usr/sbin" + +autoreconf -fiv +%configure \ + --with-db-path="%dbpath" \ + --with-pipe-path="%pipepath" \ + --with-pubconf-path="%pubconfpath" \ + --with-gpo-cache-path="%gpocachepath" \ + --with-environment-file="%_sysconfdir/sysconfig/sssd" \ + --with-initscript=systemd \ + --with-syslog=journald \ + --with-pid-path="%_rundir" \ + --enable-nsslibdir="/%_lib" \ + --enable-pammoddir="%_pam_moduledir" \ + --with-ldb-lib-dir="%ldbdir" \ + --with-os=suse \ + --disable-ldb-version-check \ + --without-python2-bindings \ + --without-oidc-child \ +%if 0%{?suse_version} >= 1600 + --with-selinux=yes \ + --with-subid +%else + --with-selinux=no \ + --with-libsifp \ + --with-files-provider +%endif +%make_build all + +%install +# sss_obfuscate is compatible with both python 2 and 3 +perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate +%make_install dbuspolicydir=%_datadir/dbus-1/system.d +b="%buildroot" + +# Copy some defaults +%if "%{?_distconfdir}" != "" +install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf" +install -d -m 0755 "$b/%_distconfdir/sssd/conf.d" +%else +install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" +install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d" +%endif +install -d "$b/%_unitdir" +%if 0%{?suse_version} > 1500 +install -d "$b/%_distconfdir/logrotate.d" +install -m644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd" +install -d "$b/%_pam_vendordir" +mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir" +%else +install -d "$b/%_sysconfdir/logrotate.d" +install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd" +%endif + +rm -Rfv "$b/%_initddir" +%if 0%{?suse_version} < 1600 +ln -s service "$b/%_sbindir/rcsssd" +%endif + +mkdir -pv "$b/%sssdstatedir/mc" +find "$b" -type f -name "*.la" -print -delete +%find_lang %name --all-name + +# dummy target for 
cifs-idmap-plugin +mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils +ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin +%python3_fix_shebang +%if 0%{?suse_version} > 1600 +%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ +%elif 0%{?suse_version} == 1600 +# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 +sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze +%endif + +%check +# sss_config-tests fails +%make_build check || : + +%pre +%service_add_pre sssd.service +%if "%{?_distconfdir}" != "" +# Prepare for migration to /usr/etc; save any old .rpmsave +for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do + test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || : +done +%endif + +%post +/sbin/ldconfig +# migrate config variable krb5_kdcip to krb5_server (bnc#851048) +if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then + /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" +fi +%service_add_post sssd.service + +# install SSSD cifs-idmap plugin as an alternative +update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority + +%preun +%service_del_preun sssd.service + +%postun +/sbin/ldconfig +if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then + "%_sbindir/pam-config" -d --sss || : +fi +# del_postun includes a try-restart +%service_del_postun sssd.service + +if [ ! 
-f "%cifs_idmap_lib" ]; then + update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib +fi + +%post -n libsss_certmap0 -p /sbin/ldconfig +%postun -n libsss_certmap0 -p /sbin/ldconfig +%post -n libipa_hbac0 -p /sbin/ldconfig +%postun -n libipa_hbac0 -p /sbin/ldconfig +%post -n libsss_idmap0 -p /sbin/ldconfig +%postun -n libsss_idmap0 -p /sbin/ldconfig +%post -n libsss_nss_idmap0 -p /sbin/ldconfig +%postun -n libsss_nss_idmap0 -p /sbin/ldconfig +%if 0%{?suse_version} < 1600 +%post -n libsss_simpleifp0 -p /sbin/ldconfig +%postun -n libsss_simpleifp0 -p /sbin/ldconfig +%endif + +%triggerun -- %name < %version-%release +# sssd takes care of upgrading the database but it doesn't handle downgrades. +# Clear caches when downgrading the package, which may have an +# incompatible format afterwards preventing the daemon from startup. +if [ "$1" = "1" ] && [ "$2" = "2" ]; then + echo "Package downgrade detected, removing cache files which may have an incompatible format." + rm -f /var/lib/sss/db/*.ldb +fi + +%pre dbus +%service_add_pre sssd-ifp.service + +%post dbus +%service_add_post sssd-ifp.service + +%preun dbus +%service_del_preun sssd-ifp.service + +%postun dbus +%service_del_postun sssd-ifp.service + +%pre kcm +%service_add_pre sssd-kcm.service sssd-kcm.socket + +%post kcm +%service_add_post sssd-kcm.service sssd-kcm.socket + +%preun kcm +%service_del_preun sssd-kcm.service sssd-kcm.socket + +%postun kcm +%service_del_postun sssd-kcm.service sssd-kcm.socket + +%pretrans +# Migrate sssd.service from sssd-common to sssd +systemctl is-enabled sssd.service > /dev/null +if [ $? -eq 0 ]; then +mkdir -p /run/systemd/rpm/ +touch /run/systemd/rpm/sssd-was-enabled +fi +systemctl is-active sssd.service > /dev/null +if [ $? 
-eq 0 ]; then +mkdir -p /run/systemd/rpm/ +touch /run/systemd/rpm/sssd-was-active +fi + +%posttrans +%if "%{?_distconfdir}" != "" +# Migration to /usr/etc, restore just created .rpmsave +for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do + test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || : +done +%endif +# Migrate sssd.service from sssd-common to sssd +if [ -e /run/systemd/rpm/sssd-was-enabled ]; then +systemctl is-enabled sssd.service > /dev/null +if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was enabled" + systemctl enable sssd.service +fi +rm /run/systemd/rpm/sssd-was-enabled +fi +if [ -e /run/systemd/rpm/sssd-was-active ]; then +systemctl is-active sssd.service > /dev/null +if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was active" + systemctl start sssd.service +fi +rm /run/systemd/rpm/sssd-was-active +fi + +%files -f sssd.lang +%license COPYING +%_unitdir/sssd.service +%_unitdir/sssd-autofs.socket +%_unitdir/sssd-autofs.service +%_unitdir/sssd-nss.socket +%_unitdir/sssd-nss.service +%_unitdir/sssd-pac.socket +%_unitdir/sssd-pac.service +%_unitdir/sssd-pam.socket +%_unitdir/sssd-pam.service +%_unitdir/sssd-ssh.socket +%_unitdir/sssd-ssh.service +%_unitdir/sssd-sudo.socket +%_unitdir/sssd-sudo.service +%_bindir/sss_ssh_* +%_sbindir/sssd +%if 0%{?suse_version} < 1600 +%_sbindir/rcsssd +%endif +%dir %_mandir/??/ +%dir %_mandir/??/man[158]/ +%_mandir/??/man1/sss_ssh_* +%_mandir/??/man5/sss-certmap.5* +%_mandir/??/man5/sssd-ad.5* +%if 0%{?suse_version} < 1600 +%_mandir/??/man5/sssd-files.5* +%endif +%_mandir/??/man5/sssd-ldap-attributes.5* +%_mandir/??/man5/sssd-session-recording.5* +%_mandir/??/man5/sssd-simple.5* +%_mandir/??/man5/sssd-sudo.5* +%_mandir/??/man5/sssd-systemtap.5* +%_mandir/??/man5/sssd.conf.5* +%_mandir/??/man8/idmap_sss.8* +%_mandir/??/man8/sssd.8* +%_mandir/man1/sss_ssh_* +%_mandir/man5/sss-certmap.5* +%if 0%{?suse_version} < 1600 +%_mandir/man5/sssd-files.5* +%endif 
+%_mandir/man5/sssd-ldap-attributes.5*
+%_mandir/man5/sssd-session-recording.5*
+%_mandir/man5/sssd-simple.5*
+%_mandir/man5/sssd-sudo.5*
+%_mandir/man5/sssd.conf.5*
+%_mandir/man8/sssd.8*
+%dir %_libdir/%name/
+%_libdir/%name/conf/
+%_libdir/%name/libifp_iface*
+%_libdir/%name/libsss_child*
+%_libdir/%name/libsss_cert*
+%_libdir/%name/libsss_crypt*
+%_libdir/%name/libsss_debug*
+%if 0%{?suse_version} < 1600
+%_libdir/%name/libsss_files*
+%endif
+%_libdir/%name/libsss_iface*
+%_libdir/%name/libsss_semanage*
+%_libdir/%name/libsss_sbus*
+%_libdir/%name/libsss_simple*
+%_libdir/%name/libsss_util*
+%dir %_libdir/%name/modules/
+%_libdir/%name/modules/libsss_autofs.so
+%_libdir/libsss_sudo.so
+%ldbdir/
+%dir %_libexecdir/%name/
+%_libexecdir/%name/p11_child
+%_libexecdir/%name/sssd_autofs
+%_libexecdir/%name/sssd_be
+%_libexecdir/%name/sssd_nss
+%_libexecdir/%name/sssd_pam
+%_libexecdir/%name/sssd_ssh
+%_libexecdir/%name/sssd_sudo
+%_libexecdir/%name/sss_signal
+%_libexecdir/%name/sssd_check_socket_activated_responders
+%if 0%{?suse_version} >= 1600
+%_libexecdir/%name/selinux_child
+%endif
+%dir %sssdstatedir
+%attr(700,root,root) %dir %dbpath/
+%attr(755,root,root) %dir %pipepath/
+%attr(700,root,root) %dir %pipepath/private/
+%attr(755,root,root) %dir %pubconfpath/
+%attr(755,root,root) %dir %pubconfpath/krb5.include.d
+%attr(755,root,root) %dir %gpocachepath/
+%attr(755,root,root) %dir %sssdstatedir/mc/
+%attr(700,root,root) %dir %sssdstatedir/keytabs/
+%attr(750,root,root) %dir %_localstatedir/log/%name/
+%if "%{?_distconfdir}" != ""
+%dir %_distconfdir/sssd/
+%%dir %_distconfdir/sssd/conf.d
+%config(noreplace) %_distconfdir/sssd/sssd.conf
+%else
+%dir %_sysconfdir/sssd/
+%%dir %_sysconfdir/sssd/conf.d
+%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%endif
+%if 0%{?suse_version} > 1500
+%_distconfdir/logrotate.d/sssd
+%_pam_vendordir/sssd-shadowutils
+%else
+%config(noreplace) %_sysconfdir/logrotate.d/sssd
+%config(noreplace) %_pam_confdir/sssd-shadowutils
+%endif
+%dir %_datadir/%name/
+%_datadir/%name/cfg_rules.ini
+%_datadir/%name/sssd.api.conf
+%dir %_datadir/%name/sssd.api.d/
+%_datadir/%name/sssd.api.d/sssd-simple.conf
+%if 0%{?suse_version} < 1600
+%_datadir/%name/sssd.api.d/sssd-files.conf
+%else
+%exclude %_mandir/*/*/sssd-files.5.gz
+%endif
+%doc src/examples/sssd.conf
+#
+# sssd-client
+#
+/%_lib/libnss_sss.so.2
+%_pam_moduledir/pam_sss.so
+%_pam_moduledir/pam_sss_gss.so
+%_libdir/krb5/
+%_libdir/%name/modules/sssd_krb5_localauth_plugin.so
+%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
+%if 0%{?suse_version} >= 1600
+%_libdir/libsubid_sss.so
+%endif
+%_mandir/??/man8/sssd_krb5_locator_plugin.8*
+%_mandir/??/man8/pam_sss.8*
+%_mandir/??/man8/pam_sss_gss.8*
+%_mandir/man8/pam_sss.8*
+%_mandir/man8/pam_sss_gss.8*
+%_mandir/man8/sssd_krb5_localauth_plugin.8*
+%_mandir/??/man8/sssd_krb5_localauth_plugin.8*
+%_mandir/man8/sssd_krb5_locator_plugin.8*
+# cifs idmap plugin
+%dir %_sysconfdir/cifs-utils
+%cifs_idmap_plugin
+%dir %_libdir/cifs-utils
+%cifs_idmap_lib
+%ghost %_sysconfdir/alternatives/%cifs_idmap_name
+
+%files ad
+%dir %_libdir/%name/
+%_libdir/%name/libsss_ad.so
+%dir %_libexecdir/%name/
+%_libexecdir/%name/sssd_pac
+%_libexecdir/%name/gpo_child
+%dir %_datadir/%name/
+%dir %_datadir/%name/sssd.api.d/
+%_datadir/%name/sssd.api.d/sssd-ad.conf
+%_mandir/man5/sssd-ad.5*
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
+
+%files dbus
+%dir %_libexecdir/sssd/
+%_libexecdir/sssd/sssd_ifp
+%dir %_libdir/sssd/
+%_mandir/man5/sssd-ifp.5*
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
+%_mandir/??/man5/sssd-ifp.5*
+%_unitdir/sssd-ifp.service
+%_datadir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+%_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
+
+%files ipa
+%dir %_libdir/%name/
+%_libdir/%name/libsss_ipa*
+%dir %_datadir/%name/
+%dir %_datadir/%name/sssd.api.d
+%_datadir/%name/sssd.api.d/sssd-ipa.conf
+%_mandir/man5/sssd-ipa.5*
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
+%_mandir/??/man5/sssd-ipa.5*
+
+%files kcm
+%dir %_libexecdir/sssd/
+%_libexecdir/sssd/sssd_kcm
+%dir %_libdir/sssd/
+%_mandir/man8/sssd-kcm.8*
+%_mandir/??/man8/sssd-kcm.8*
+%_datadir/sssd-kcm/
+%_unitdir/sssd-kcm.*
+
+%files krb5
+%dir %_libdir/%name/
+%_libdir/%name/libsss_krb5.so
+%dir %_datadir/%name/
+%exclude %_datadir/%name/krb5-snippets/
+%dir %_datadir/%name/sssd.api.d/
+%_datadir/%name/sssd.api.d/sssd-krb5.conf
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
+%_mandir/man5/sssd-krb5.5*
+%_mandir/??/man5/sssd-krb5.5*
+
+%files krb5-common
+%dir %_libdir/%name/
+%_libdir/%name/libsss_krb5_common.so
+%dir %_libexecdir/%name/
+%_libexecdir/%name/krb5_child
+%_libexecdir/%name/ldap_child
+
+%files ldap
+%dir %_libdir/%name/
+%_libdir/%name/libsss_ldap*
+%dir %_datadir/%name/
+%dir %_datadir/%name/sssd.api.d/
+%_datadir/%name/sssd.api.d/sssd-ldap.conf
+%_mandir/man5/sssd-ldap.5*
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
+%_mandir/??/man5/sssd-ldap.5*
+
+%files proxy
+%dir %_libdir/%name/
+%_libdir/%name/libsss_proxy.so
+%dir %_libexecdir/%name/
+%_libexecdir/%name/proxy_child
+%dir %_datadir/%name/
+%dir %_datadir/%name/sssd.api.d/
+%_datadir/%name/sssd.api.d/sssd-proxy.conf
+
+%files tools
+%_sbindir/sssctl
+%_sbindir/sss_cache
+%_sbindir/sss_debuglevel
+%_sbindir/sss_seed
+%_sbindir/sss_obfuscate
+%_sbindir/sss_override
+%_libexecdir/%name/sss_analyze
+%dir %_mandir/??/man8/
+%_mandir/??/man8/sssctl.8*
+%_mandir/??/man8/sss_*.8*
+%_mandir/man8/sssctl.8*
+%_mandir/man8/sss_*.8*
+%python3_sitelib/sssd/
+
+%files winbind-idmap
+%dir %_libdir/samba/
+%_libdir/samba/idmap/
+%_mandir/man8/idmap_sss.8*
+
+%files -n libipa_hbac0
+%_libdir/libipa_hbac.so.0*
+
+%files -n libipa_hbac-devel
+%_includedir/ipa_hbac.h
+%_libdir/libipa_hbac.so
+%_libdir/pkgconfig/ipa_hbac.pc
+
+%files -n libsss_certmap0
+%_libdir/libsss_certmap.so.0*
+
+%files -n libsss_certmap-devel
+%_includedir/sss_certmap.h
+%_libdir/libsss_certmap.so
+%_libdir/pkgconfig/sss_certmap.pc
+
+%files -n
libnfsidmap-sss
+%_libdir/libnfsidmap/
+%_mandir/man5/sss_rpcidmapd.5*
+%dir %_mandir/??/man5/
+%_mandir/??/man5/sss_rpcidmapd.5*
+
+%files -n libsss_idmap0
+%_libdir/libsss_idmap.so.0*
+
+%files -n libsss_idmap-devel
+%_includedir/sss_idmap.h
+%_libdir/libsss_idmap.so
+%_libdir/pkgconfig/sss_idmap.pc
+
+%files -n libsss_nss_idmap0
+%_libdir/libsss_nss_idmap.so.0*
+
+%files -n libsss_nss_idmap-devel
+%_includedir/sss_nss_idmap.h
+%_libdir/libsss_nss_idmap.so
+%_libdir/pkgconfig/sss_nss_idmap.pc
+
+%if 0%{?suse_version} < 1600
+%files -n libsss_simpleifp0
+%_libdir/libsss_simpleifp.so.0*
+
+%files -n libsss_simpleifp-devel
+%_includedir/sss_sifp*.h
+%_libdir/libsss_simpleifp.so
+%_libdir/pkgconfig/sss_simpleifp.pc
+%endif
+
+%files -n python3-ipa_hbac
+%dir %python3_sitearch
+%python3_sitearch/pyhbac.so
+
+%files -n python3-sss-murmur
+%python3_sitearch/pysss_murmur.so
+
+%files -n python3-sss_nss_idmap
+%dir %python3_sitearch
+%python3_sitearch/pysss_nss_idmap.so
+
+%files -n python3-sssd-config
+%python3_sitearch/pysss.so
+%python3_sitelib/SSSDConfig*
+
+%changelog
diff --git a/symvers.patch b/symvers.patch
new file mode 100644
index 0000000..ab19be6
--- /dev/null
+++ b/symvers.patch
@@ -0,0 +1,181 @@
+From: Jan Engelhardt
+Date: 2022-12-22 00:09:20.375896408 +0100
+References: https://bugzilla.suse.com/show_bug.cgi?id=1206592
+
+The theory for this sssd crash is that during rpm upgrading it,
+sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
+sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls
+over its feet when it loads 2.7.4 .so files. Addin symvers like below
+should prevent this and pin the modules to another: sssd_be's attempt
+to dlopen libsss_ldap.so(-2.7.4) will fail because
+libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
+the system only has libsss_util.so(-2.8.2) at this point.
+
+---
+ Makefile.am | 47 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 15 deletions(-)
+
+Index: sssd-2.9.2/Makefile.am
+===================================================================
+--- sssd-2.9.2.orig/Makefile.am
++++ sssd-2.9.2/Makefile.am
+@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \
+ libsss_debug_la_LIBADD = \
+ $(SYSLOG_LIBS)
+ libsss_debug_la_LDFLAGS = \
+- -avoid-version
++ -avoid-version ${symv}
++EXTRA_libsss_debug_la_DEPENDENCIES = x.sym
++symv = -Wl,--version-script=${builddir}/x.sym
++x.sym: ${top_builddir}/config.status
++ echo "V_${PACKAGE_VERSION} { global: *; };" >$@
+
+ pkglib_LTLIBRARIES += libsss_child.la
+ libsss_child_la_SOURCES = src/util/child_common.c
+@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \
+ $(DHASH_LIBS) \
+ libsss_debug.la \
+ $(NULL)
+-libsss_child_la_LDFLAGS = -avoid-version
++libsss_child_la_LDFLAGS = -avoid-version ${symv}
++EXTRA_libsss_child_la_DEPENDENCIES = x.sym
+
+ pkglib_LTLIBRARIES += libsss_crypt.la
+
+@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \
+ libsss_debug.la \
+ $(NULL)
+ libsss_crypt_la_LDFLAGS = \
+- -avoid-version
++ -avoid-version ${symv}
++EXTRA_libsss_crypt_la_DEPENDENCIES = x.sym
+
+ pkglib_LTLIBRARIES += libsss_cert.la
+
+@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \
+ libsss_debug.la \
+
$(NULL)
+ libsss_cert_la_LDFLAGS = \
+- -avoid-version \
++ -avoid-version ${symv} \
+ $(NULL)
++EXTRA_libsss_cert_la_DEPENDENCIES = x.sym
+
+ generate-sbus-code:
+ $(builddir)/sbus_generate.sh $(abs_srcdir)
+@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \
+ $(DBUS_CFLAGS) \
+ $(NULL)
+ libsss_sbus_la_LDFLAGS = \
+- -avoid-version \
++ -avoid-version ${symv} \
+ $(NULL)
++EXTRA_libsss_sbus_la_DEPENDENCIES = x.sym
+
+ pkglib_LTLIBRARIES += libsss_sbus_sync.la
+ libsss_sbus_sync_la_SOURCES = \
+@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \
+ $(UNICODE_LIBS) \
+ $(NULL)
+ libsss_sbus_sync_la_LDFLAGS = \
+- -avoid-version \
++ -avoid-version ${symv} \
+ $(NULL)
++EXTRA_libsss_sbus_sync_la_DEPENDENCIES = x.sym
+
+ pkglib_LTLIBRARIES += libsss_iface.la
+ libsss_iface_la_SOURCES = \
+@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \
+ $(DBUS_CFLAGS) \
+ $(NULL)
+ libsss_iface_la_LDFLAGS = \
+- -avoid-version \
++ -avoid-version ${symv} \
+ $(NULL)
++EXTRA_libsss_iface_la_DEPENDENCIES = x.sym
+
+ pkglib_LTLIBRARIES += libsss_iface_sync.la
+ libsss_iface_sync_la_SOURCES = \
+@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \
+ $(DBUS_CFLAGS) \
+ $(NULL)
+ libsss_iface_sync_la_LDFLAGS = \
+- -avoid-version \
++ -avoid-version ${symv} \
+ $(NULL)
++EXTRA_libsss_iface_sync_la_DEPENDENCIES = x.sym
+
+ pkglib_LTLIBRARIES += libsss_util.la
+ libsss_util_la_SOURCES = \
+@@ -1322,7 +1333,8 @@ endif
+ if BUILD_PASSKEY
+ libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
+ endif # BUILD_PASSKEY
+-libsss_util_la_LDFLAGS = -avoid-version
++libsss_util_la_LDFLAGS = -avoid-version ${symv}
++EXTRA_libsss_util_la_DEPENDENCIES = x.sym
+
+ pkglib_LTLIBRARIES += libsss_semanage.la
+ libsss_semanage_la_CFLAGS = \
+@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
+ endif
+
+ libsss_semanage_la_LDFLAGS = \
+- -avoid-version
++ -avoid-version ${symv}
++EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
+
+ SSSD_INTERNAL_LTLIBS = \
+ libsss_util.la \
+@@ -1357,7
+1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+ $(NULL)
+
+ pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
+-libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports
++EXTRA_libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports
+ libipa_hbac_la_SOURCES = \
+ src/lib/ipa_hbac/hbac_evaluator.c \
+ src/util/sss_utf8.c
+@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \
+ $(DBUS_CFLAGS) \
+ $(NULL)
+ libifp_iface_la_LDFLAGS = \
+- -avoid-version \
++ -avoid-version ${symv} \
+ $(NULL)
++EXTRA_libifp_iface_la_DEPENDENCIES = x.sym
+
+ pkglib_LTLIBRARIES += libifp_iface_sync.la
+ libifp_iface_sync_la_SOURCES = \
+@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \
+ $(DBUS_CFLAGS) \
+ $(NULL)
+ libifp_iface_sync_la_LDFLAGS = \
+- -avoid-version \
++ -avoid-version ${symv} \
+ $(NULL)
++EXTRA_libifp_iface_sync_la_DEPENDENCIES = x.sym
+
+ sssd_ifp_SOURCES = \
+ src/responder/ifp/ifpsrv.c \
+@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+ libsss_ldap_common_la_LDFLAGS = \
+- -avoid-version \
++ -avoid-version ${symv} \
+ $(NULL)
++EXTRA_libsss_ldap_common_la_DEPENDENCIES = x.sym
+ if BUILD_SYSTEMTAP
+ libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
+ endif
+@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+ libsss_krb5_common_la_LDFLAGS = \
+- -avoid-version
++ -avoid-version ${symv}
++EXTRA_libsss_krb5_common_la_DEPENDENCIES = x.sym
+
+ libsss_ldap_la_SOURCES = \
+ src/providers/ldap/ldap_init.c \
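Review bot: The generated `x.sym` is never removed by `make clean` — the rule `x.sym: ${top_builddir}/config.status` writes it into the build directory, but nothing in the patch adds it to the clean list, so `CLEANFILES += x.sym` next to the rule is missing. The purpose of `${symv}` is explained only in this patch's header, so a comment above the rule would help whoever next reads Makefile.am, e.g. `# Tag every symbol of the internal libraries with version node V_<PACKAGE_VERSION>; a provider module built against another sssd release then fails to load instead of crashing sssd_be (bugzilla.suse.com bug 1206592).` Note that `global: *;` keeps every symbol exported — the script adds a version node and does not narrow visibility, which matches the stated intent but is worth saying in that comment so nobody mistakes it for symbol hiding.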