pool/sssd
SHA256
2
0
Fork 3
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sssd-2.3.0

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=233
This commit is contained in:
Jan Engelhardt 2020-05-19 11:46:11 +00:00 committed by Git OBS Bridge
parent c445b52558
commit 45570786c6
10 changed files with 44 additions and 1047 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
View File

@ -1,114 +0,0 @@
From 2143c7276c7603520e2575ef6c9d93a5fc031256 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 13 Jan 2020 13:52:34 +0100
Subject: [PATCH] AD: use getaddrinfo with AI_CANONNAME to find the FQDN
In systems where gethostbyname() does not return the FQDN try calling
getaddrinfo().
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/man/sssd-ad.5.xml | 14 ++++++------
src/providers/ad/ad_common.c | 42 ++++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 6 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index c30e5b9db..23e351fc0 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -193,15 +193,17 @@ ad_enabled_domains = sales.example.com, eng.example.com
<term>ad_hostname (string)</term>
<listitem>
<para>
- Optional. May be set on machines where the
- hostname(5) does not reflect the fully qualified
- name used in the Active Directory domain to
- identify this host.
+ Optional. On machines where the hostname(5) does
+ not reflect the fully qualified name, sssd will try
+ to expand the short name. If it is not possible or
+ the short name should be really used instead, set
+ this parameter explicitly.
</para>
<para>
This field is used to determine the host principal
- in use in the keytab. It must match the hostname
- for which the keytab was issued.
+ in use in the keytab and to perform dynamic DNS
+ updates. It must match the hostname for which the
+ keytab was issued.
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 51300f5b2..e5fa83595 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -406,6 +406,34 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
return ad_options;
}
+static errno_t
+ad_try_to_get_fqdn(const char *hostname,
+ char *buf,
+ size_t buflen)
+{
+ int ret;
+ struct addrinfo *res;
+ struct addrinfo hints;
+
+ memset(&hints, 0, sizeof(struct addrinfo));
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = AI_CANONNAME;
+
+ ret = getaddrinfo(hostname, NULL, &hints, &res);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "getaddrinfo failed: %s\n",
+ gai_strerror(ret));
+ return ret;
+ }
+
+ strncpy(buf, res->ai_canonname, buflen);
+
+ freeaddrinfo(res);
+
+ return EOK;
+}
+
errno_t
ad_get_common_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
@@ -421,6 +449,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
char *realm;
char *ad_hostname;
char hostname[HOST_NAME_MAX + 1];
+ char fqdn[HOST_NAME_MAX + 1];
char *case_sensitive_opt;
const char *opt_override;
@@ -468,6 +497,19 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
goto done;
}
hostname[HOST_NAME_MAX] = '\0';
+
+ if (strchr(hostname, '.') == NULL) {
+ ret = ad_try_to_get_fqdn(hostname, fqdn, sizeof(fqdn));
+ if (ret == EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "The hostname [%s] has been expanded to FQDN [%s]. "
+ "If sssd should really use the short hostname, please "
+ "set ad_hostname explicitly.\n", hostname, fqdn);
+ strncpy(hostname, fqdn, sizeof(hostname));
+ hostname[HOST_NAME_MAX] = '\0';
+ }
+ }
+
DEBUG(SSSDBG_CONF_SETTINGS,
"Setting ad_hostname to [%s].\n", hostname);
ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname);
--
2.25.1

53
0001-Fix-build-failure-against-samba-4.12.0rc1.patch
View File

@ -1,53 +0,0 @@
From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 24 Jan 2020 15:17:39 +0100
Subject: [PATCH] Fix build failure against samba 4.12.0rc1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ndr_pull_get_switch() function was dropped, but it was just a wrapper
around the ndr_token_peek() function, so we can use this approach on both
old and new versions of libndr.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_gpo_ndr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
index d57303349..8f405aa62 100644
--- a/src/providers/ad/ad_gpo_ndr.c
+++ b/src/providers/ad/ad_gpo_ndr.c
@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
union security_ace_object_type *r)
{
uint32_t level;
- level = ndr_pull_get_switch_value(ndr, r);
+ level = ndr_token_peek(&ndr->switch_list, r);
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_union_align(ndr, 4));
@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
union security_ace_object_inherited_type *r)
{
uint32_t level;
- level = ndr_pull_get_switch_value(ndr, r);
+ level = ndr_token_peek(&ndr->switch_list, r);
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_union_align(ndr, 4));
@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
union security_ace_object_ctr *r)
{
uint32_t level;
- level = ndr_pull_get_switch_value(ndr, r);
+ level = ndr_token_peek(&ndr->switch_list, r);
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_union_align(ndr, 4));
--
2.25.1

45
0001-Resolve-computer-lookup-failure-when-sam-cn.patch
View File

@ -1,45 +0,0 @@
From 0ea7661eeb7783c45d7f0ec9d19d99ce9fe407cf Mon Sep 17 00:00:00 2001
From: David Mulder <dmulder@suse.com>
Date: Fri, 10 Jan 2020 18:21:05 +0000
Subject: [PATCH] Resolve computer lookup failure when sam!=cn
References: jsc#SLE-9298
Upstream: submitted
---
src/providers/ad/ad_gpo.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 90e1909f8..6dd850cc9 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1947,7 +1947,6 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
struct sysdb_attrs **reply;
const char *target_dn = NULL;
uint32_t uac;
- char *filter = NULL;
char *domain_dn;
const char *attrs[] = {AD_AT_SID, NULL};
struct ldb_message *msg;
@@ -2050,16 +2049,10 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
goto done;
}
- filter = talloc_asprintf(subreq, SYSDB_COMP_FILTER, state->ad_hostname);
- if (!filter) {
- ret = ENOMEM;
- goto done;
- }
-
subreq = sdap_get_generic_send(state, state->ev, state->opts,
sdap_id_op_handle(state->sdap_op),
- domain_dn, LDAP_SCOPE_SUBTREE,
- filter, attrs, NULL, 0,
+ state->target_dn, LDAP_SCOPE_BASE,
+ "(&)", attrs, NULL, 0,
state->timeout,
false);
--
2.24.0

3
sssd-2.2.3.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:11565446290e7432dbd208c4db02fcb42ab17e853d8ba4f994af9a9c57bbbb11
size 6894302

11
sssd-2.2.3.tar.gz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEFvJCKUiOc2BIlSc3uogAD+Y5gnIFAl3i6dIACgkQuogAD+Y5
gnLovgf/QSNThIaVkCIC6doJNncuIaJuuu+GkihXe+4K6xHgksbMR7C7GyIEqxJQ
Dy2UAzH4FMUzbBoBwb9kW6Du2nt+9Rp2dVz/H/lmgNlKgX3siOVFJ4rwlCD3bJUi
eay5t9GTTQAUzpM1N1HdQPGk0ErT0mI77d3GLr7L8S64/SFI4aai58+T/VIRlbMQ
0t/BGo1yo4Ss97u9SrC62DSfev7Rl8mmdTMlJIYU2UAjEVYtJm5TViUDGy44eh+V
HM1l6EpMSGvEVrr6ALm4VNNntCjs37GJxyGrXFqljjs+tiBFpZT+5ENQl/X2RBsT
tRSZpATPjmRoYhLyqgPqLuAg5tXtaw==
=UpXd
-----END PGP SIGNATURE-----

3
sssd-2.3.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f755a105433399fff0f5788ee04795e07299b9d7bf976d02c4910cb6dcbe3a99
size 6797766

11
sssd-2.3.0.tar.gz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAl7DuF4ACgkQr/513ehQ
jhIDgAf/bnoW75HQWBMS6xOEP4ncEVXDjv/0r9tRwXke4xy3HLfMAmvS069fVnHe
dzpAquijN154qE7QArkfJtz8cuZl/IGuLFNp6W5UgVGifGgub4Uai+9wmpsO7Grb
T/bd1d4c/6EYksEtAfLYUnzsmVTcSvIMVvPpPkWbdfoAsbFbkMmi0rZvlxjdMtHl
hsJYsIGZbkugsNkUV5V4xPBz9b87CMbF9F7DikstJPhzlMeXGY9aVVnWlW8X/yMJ
BUmj2BE1jr7G0lLHVVb90tWXYvjCKzq/klxs7CPV7+4X3e3yoxLKz9HyukLx+xCo
Vlwn/XW6xksNeRTUs6S+yL7LKZJ2Sw==
=h1Bc
-----END PGP SIGNATURE-----

809
sssd-gpo_host_security_filter-2.2.2.patch
View File

@ -1,809 +0,0 @@
From dfeedc8ce8c484c317ff16c7460487ee3a1a4dde Mon Sep 17 00:00:00 2001
From: David Mulder <dmulder@suse.com>
Date: Fri, 4 Oct 2019 13:04:01 -0600
Subject: [PATCH 1/5] SSSD should accept host entries from GPO's security
filter
References: jsc#SLE-9298
Upstream: submitted
Not accepting host entries in the security filter
creates the need for sub-OU's, each with its own
GPO, otherwise one OU with an assigned GPO would
be sufficient.
---
Makefile.am | 2
src/confdb/confdb.c | 11 ++
src/confdb/confdb.h | 2
src/config/cfg_rules.ini | 1
src/db/sysdb_computer.c | 185 ++++++++++++++++++++++++++++++++++++
src/db/sysdb_computer.h | 51 ++++++++++
src/man/sssd-ad.5.xml | 7 -
src/man/sssd.conf.5.xml | 13 ++
src/providers/ad/ad_gpo.c | 208 +++++++++++++++++++++++++++++++++++++++--
src/providers/ad/ad_gpo_ndr.c | 2
src/tests/cmocka/test_ad_gpo.c | 33 +++++-
11 files changed, 495 insertions(+), 20 deletions(-)
create mode 100644 src/db/sysdb_computer.c
create mode 100644 src/db/sysdb_computer.h
Index: sssd-2.2.3/Makefile.am
===================================================================
--- sssd-2.2.3.orig/Makefile.am
+++ sssd-2.2.3/Makefile.am
@@ -781,6 +781,7 @@ dist_noinst_HEADERS = \
src/db/sysdb_services.h \
src/db/sysdb_ssh.h \
src/db/sysdb_domain_resolution_order.h \
+ src/db/sysdb_computer.h \
src/confdb/confdb.h \
src/confdb/confdb_private.h \
src/confdb/confdb_setup.h \
@@ -1247,6 +1248,7 @@ libsss_util_la_SOURCES = \
src/db/sysdb_certmap.c \
src/db/sysdb_domain_resolution_order.c \
src/util/sss_pam_data.c \
+ src/db/sysdb_computer.c \
src/util/util.c \
src/util/util_ext.c \
src/util/util_preauth.c \
Index: sssd-2.2.3/src/confdb/confdb.c
===================================================================
--- sssd-2.2.3.orig/src/confdb/confdb.c
+++ sssd-2.2.3/src/confdb/confdb.c
@@ -1228,6 +1228,17 @@ static int confdb_get_domain_internal(st
goto done;
}
+ /* Override the computer timeout, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->computer_timeout,
+ CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT,
+ entry_cache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT);
+ goto done;
+ }
+
/* Set refresh_expired_interval, if specified */
ret = get_entry_as_uint32(res->msgs[0], &domain->refresh_expired_interval,
CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL,
Index: sssd-2.2.3/src/confdb/confdb.h
===================================================================
--- sssd-2.2.3.orig/src/confdb/confdb.h
+++ sssd-2.2.3/src/confdb/confdb.h
@@ -230,6 +230,7 @@
#define CONFDB_DOMAIN_AUTOFS_CACHE_TIMEOUT "entry_cache_autofs_timeout"
#define CONFDB_DOMAIN_SUDO_CACHE_TIMEOUT "entry_cache_sudo_timeout"
#define CONFDB_DOMAIN_SSH_HOST_CACHE_TIMEOUT "entry_cache_ssh_host_timeout"
+#define CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT "entry_cache_computer_timeout"
#define CONFDB_DOMAIN_PWD_EXPIRATION_WARNING "pwd_expiration_warning"
#define CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL "refresh_expired_interval"
#define CONFDB_DOMAIN_OFFLINE_TIMEOUT "offline_timeout"
@@ -373,6 +374,7 @@ struct sss_domain_info {
uint32_t autofsmap_timeout;
uint32_t sudo_timeout;
uint32_t ssh_host_timeout;
+ uint32_t computer_timeout;
uint32_t refresh_expired_interval;
uint32_t subdomain_refresh_interval;
Index: sssd-2.2.3/src/config/cfg_rules.ini
===================================================================
--- sssd-2.2.3.orig/src/config/cfg_rules.ini
+++ sssd-2.2.3/src/config/cfg_rules.ini
@@ -403,6 +403,7 @@ option = entry_cache_service_timeout
option = entry_cache_autofs_timeout
option = entry_cache_sudo_timeout
option = entry_cache_ssh_host_timeout
+option = entry_cache_computer_timeout
option = refresh_expired_interval
# Dynamic DNS updates
Index: sssd-2.2.3/src/db/sysdb_computer.c
===================================================================
--- /dev/null
+++ sssd-2.2.3/src/db/sysdb_computer.c
@@ -0,0 +1,185 @@
+/*
+ SSSD
+
+ Authors:
+ Samuel Cabrero <scabrero@suse.com>
+ David Mulder <dmulder@suse.com>
+
+ Copyright (C) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <arpa/inet.h>
+
+#include "db/sysdb.h"
+#include "db/sysdb_private.h"
+#include "db/sysdb_computer.h"
+
+static errno_t
+sysdb_search_computer(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *filter,
+ const char **attrs,
+ size_t *_num_hosts,
+ struct ldb_message ***_hosts)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_message **results;
+ size_t num_results;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_custom(tmp_ctx, domain, filter,
+ COMPUTERS_SUBDIR, attrs,
+ &num_results, &results);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error looking up host [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No such host\n");
+ *_hosts = NULL;
+ *_num_hosts = 0;
+ goto done;
+ }
+
+ *_hosts = talloc_steal(mem_ctx, results);
+ *_num_hosts = num_results;
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+int
+sysdb_get_computer(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *computer_name,
+ const char **attrs,
+ struct ldb_message **_computer)
+{
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ const char *filter;
+ struct ldb_message **hosts;
+ size_t num_hosts;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ filter = talloc_asprintf(tmp_ctx, SYSDB_COMP_FILTER, computer_name);
+ if (!filter) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_computer(tmp_ctx, domain, filter, attrs,
+ &num_hosts, &hosts);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (num_hosts != 1) {
+ ret = EINVAL;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Did not find a single host with name %s\n", computer_name);
+ goto done;
+ }
+
+ *_computer = talloc_steal(mem_ctx, hosts[0]);
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+int
+sysdb_set_computer(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *computer_name,
+ const char *sid_str,
+ int cache_timeout,
+ time_t now)
+{
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+ struct sysdb_attrs *attrs;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (!attrs) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, sid_str);
+ if (ret) goto done;
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS, SYSDB_COMPUTER_CLASS);
+ if (ret) goto done;
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, computer_name);
+ if (ret) goto done;
+
+ /* creation time */
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CREATE_TIME, now);
+ if (ret) goto done;
+
+ /* Set a cache expire time. There is a periodic task that cleans up
+ * expired entries from the cache even when enumeration is disabled */
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
+ cache_timeout ? (now + cache_timeout) : 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not set sysdb cache expire [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_store_custom(domain, computer_name, COMPUTERS_SUBDIR, attrs);
+ if (ret) goto done;
+
+ /* FIXME As a future improvement we have to extend domain enumeration.
+ * When 'enumerate = true' for a domain, sssd starts a periodic task
+ * that brings all users and groups to the cache, cleaning up
+ * stale objects after each run. If enumeration is disabled, the cleanup
+ * task for expired entries is started instead.
+ *
+ * We have to extend the enumeration task to fetch 'computer'
+ * objects as well (see ad_id_enumeration_send, the entry point of the
+ * enumeration task for the id provider).
+ */
+done:
+ if (ret) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, strerror(ret));
+ }
+ talloc_zfree(tmp_ctx);
+
+ return ret;
+}
Index: sssd-2.2.3/src/db/sysdb_computer.h
===================================================================
--- /dev/null
+++ sssd-2.2.3/src/db/sysdb_computer.h
@@ -0,0 +1,51 @@
+/*
+ SSSD
+
+ Authors:
+ Samuel Cabrero <scabrero@suse.com>
+ David Mulder <dmulder@suse.com>
+
+ Copyright (C) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef SYSDB_COMPUTERS_H_
+#define SYSDB_COMPUTERS_H_
+
+#include "db/sysdb.h"
+
+#define COMPUTERS_SUBDIR "computers"
+#define SYSDB_COMPUTER_CLASS "computer"
+#define SYSDB_COMPUTERS_CONTAINER "cn="COMPUTERS_SUBDIR
+#define SYSDB_TMPL_COMPUTER_BASE SYSDB_COMPUTERS_CONTAINER","SYSDB_DOM_BASE
+#define SYSDB_TMPL_COMPUTER SYSDB_NAME"=%s,"SYSDB_TMPL_COMPUTER_BASE
+#define SYSDB_COMP_FILTER "(&("SYSDB_NAME"=%s)("SYSDB_OBJECTCLASS"="SYSDB_COMPUTER_CLASS"))"
+
+int
+sysdb_get_computer(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *computer_name,
+ const char **attrs,
+ struct ldb_message **computer);
+
+int
+sysdb_set_computer(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *computer_name,
+ const char *sid_str,
+ int cache_timeout,
+ time_t now);
+
+#endif /* SYSDB_COMPUTERS_H_ */
Index: sssd-2.2.3/src/man/sssd-ad.5.xml
===================================================================
--- sssd-2.2.3.orig/src/man/sssd-ad.5.xml
+++ sssd-2.2.3/src/man/sssd-ad.5.xml
@@ -407,13 +407,6 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.19
always apply also to the user.
</para>
<para>
- NOTE: The current version of SSSD does not support
- host (computer) entries in the GPO 'Security
- Filtering' list. Only user and group entries are
- supported. Host entries in the list have no
- effect.
- </para>
- <para>
NOTE: If the operation mode is set to enforcing, it
is possible that users that were previously allowed
logon access will now be denied logon access (as
Index: sssd-2.2.3/src/man/sssd.conf.5.xml
===================================================================
--- sssd-2.2.3.orig/src/man/sssd.conf.5.xml
+++ sssd-2.2.3/src/man/sssd.conf.5.xml
@@ -2244,6 +2244,19 @@ p11_uri = library-description=OpenSC%20s
</varlistentry>
<varlistentry>
+ <term>entry_cache_computer_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds to keep the local computer
+ entry before asking the backend again
+ </para>
+ <para>
+ Default: entry_cache_timeout
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>refresh_expired_interval (integer)</term>
<listitem>
<para>
Index: sssd-2.2.3/src/providers/ad/ad_gpo.c
===================================================================
--- sssd-2.2.3.orig/src/providers/ad/ad_gpo.c
+++ sssd-2.2.3/src/providers/ad/ad_gpo.c
@@ -51,6 +51,7 @@
#include "util/util_sss_idmap.h"
#include <ndr.h>
#include <gen_ndr/security.h>
+#include <db/sysdb_computer.h>
/* == gpo-ldap constants =================================================== */
@@ -65,6 +66,7 @@
#define AD_AT_MACHINE_EXT_NAMES "gPCMachineExtensionNames"
#define AD_AT_FUNC_VERSION "gPCFunctionalityVersion"
#define AD_AT_FLAGS "flags"
+#define AD_AT_SID "objectSid"
#define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000
#define UAC_SERVER_TRUST_ACCOUNT 0x00002000
@@ -654,6 +656,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
*/
static errno_t
ad_gpo_ace_includes_client_sid(const char *user_sid,
+ const char *host_sid,
const char **group_sids,
int group_size,
struct dom_sid ace_dom_sid,
@@ -662,6 +665,7 @@ ad_gpo_ace_includes_client_sid(const cha
{
int i = 0;
struct dom_sid *user_dom_sid;
+ struct dom_sid *host_dom_sid;
struct dom_sid *group_dom_sid;
enum idmap_error_code err;
bool included = false;
@@ -679,6 +683,19 @@ ad_gpo_ace_includes_client_sid(const cha
return EOK;
}
+ err = sss_idmap_sid_to_smb_sid(idmap_ctx, host_sid, &host_dom_sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n");
+ return EFAULT;
+ }
+
+ included = ad_gpo_dom_sid_equal(&ace_dom_sid, host_dom_sid);
+ sss_idmap_free_smb_sid(idmap_ctx, host_dom_sid);
+ if (included) {
+ *_included = true;
+ return EOK;
+ }
+
for (i = 0; i < group_size; i++) {
err = sss_idmap_sid_to_smb_sid(idmap_ctx, group_sids[i], &group_dom_sid);
if (err != IDMAP_SUCCESS) {
@@ -728,6 +745,7 @@ ad_gpo_ace_includes_client_sid(const cha
static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace,
struct sss_idmap_ctx *idmap_ctx,
const char *user_sid,
+ const char *host_sid,
const char **group_sids,
int group_size)
{
@@ -741,8 +759,9 @@ static enum ace_eval_status ad_gpo_evalu
return AD_GPO_ACE_NEUTRAL;
}
- ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
- ace->trustee, idmap_ctx, &included);
+ ret = ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
+ group_size, ace->trustee, idmap_ctx,
+ &included);
if (ret != EOK) {
return AD_GPO_ACE_DENIED;
@@ -786,6 +805,7 @@ static enum ace_eval_status ad_gpo_evalu
static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl,
struct sss_idmap_ctx *idmap_ctx,
const char *user_sid,
+ const char *host_sid,
const char **group_sids,
int group_size,
bool *_dacl_access_allowed)
@@ -810,7 +830,7 @@ static errno_t ad_gpo_evaluate_dacl(stru
for (i = 0; i < dacl->num_aces; i ++) {
ace = &dacl->aces[i];
- ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid,
+ ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid, host_sid,
group_sids, group_size);
switch (ace_status) {
@@ -838,6 +858,7 @@ static errno_t ad_gpo_evaluate_dacl(stru
static errno_t
ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx,
const char *user,
+ const char *host_sid,
struct sss_domain_info *domain,
struct sss_idmap_ctx *idmap_ctx,
struct gp_gpo **candidate_gpos,
@@ -927,8 +948,8 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *m
break;
}
- ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, group_sids,
- group_size, &access_allowed);
+ ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, host_sid,
+ group_sids, group_size, &access_allowed);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Could not determine if GPO is applicable\n");
continue;
@@ -1602,6 +1623,7 @@ struct ad_gpo_access_state {
const char *user;
int gpo_timeout_option;
const char *ad_hostname;
+ const char *host_sid;
const char *target_dn;
struct gp_gpo **dacl_filtered_gpos;
int num_dacl_filtered_gpos;
@@ -1617,6 +1639,7 @@ static void ad_gpo_process_gpo_done(stru
static errno_t ad_gpo_cse_step(struct tevent_req *req);
static void ad_gpo_cse_done(struct tevent_req *subreq);
+static void ad_gpo_get_host_sid_retrieval_done(struct tevent_req *subreq);
struct tevent_req *
ad_gpo_access_send(TALLOC_CTX *mem_ctx,
@@ -1924,6 +1947,11 @@ ad_gpo_target_dn_retrieval_done(struct t
struct sysdb_attrs **reply;
const char *target_dn = NULL;
uint32_t uac;
+ char *filter = NULL;
+ char *domain_dn;
+ const char *attrs[] = {AD_AT_SID, NULL};
+ struct ldb_message *msg;
+ static const char *host_attrs[] = { SYSDB_SID_STR, NULL };
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_gpo_access_state);
@@ -2008,6 +2036,173 @@ ad_gpo_target_dn_retrieval_done(struct t
goto done;
}
+ /* Check if computer exists in cache */
+ ret = sysdb_get_computer(state, state->user_domain, state->ad_hostname,
+ host_attrs, &msg);
+ if (ret == ENOENT) {
+ /* The computer is not in cache so query LDAP server */
+ /* Convert the domain name into domain DN */
+ ret = domain_to_basedn(state, state->host_domain->name, &domain_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot convert domain name [%s] to base DN [%d]: %s\n",
+ state->host_domain->name, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ filter = talloc_asprintf(subreq, SYSDB_COMP_FILTER, state->ad_hostname);
+ if (!filter) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ subreq = sdap_get_generic_send(state, state->ev, state->opts,
+ sdap_id_op_handle(state->sdap_op),
+ domain_dn, LDAP_SCOPE_SUBTREE,
+ filter, attrs, NULL, 0,
+ state->timeout,
+ false);
+
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_get_host_sid_retrieval_done, req);
+ return;
+ } else if (ret != EOK) {
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+ goto done;
+ }
+
+ /* The computer exists in the cache, there is no need to query LDAP.
+ * Store the retrieved host sid from cache in the state to avoid querying
+ * the cache again in ad_gpo_get_sids.
+ */
+ state->host_sid = ldb_msg_find_attr_as_string(msg, SYSDB_SID_STR, NULL);
+ talloc_steal(state, state->host_sid);
+
+ subreq = ad_gpo_process_som_send(state,
+ state->ev,
+ state->conn,
+ state->ldb_ctx,
+ state->sdap_op,
+ state->opts,
+ state->access_ctx->ad_options,
+ state->timeout,
+ state->target_dn,
+ state->host_domain->name);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_process_som_done, req);
+
+ ret = EOK;
+
+ done:
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+
+}
+
+enum ndr_err_code
+ndr_pull_dom_sid(struct ndr_pull *ndr,
+ int ndr_flags,
+ struct dom_sid *r);
+
+static void ad_gpo_get_host_sid_retrieval_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_access_state *state;
+ int ret;
+ int dp_error;
+ size_t reply_count;
+ struct sysdb_attrs **reply;
+ struct ldb_message_element *el = NULL;
+ enum ndr_err_code ndr_err;
+ struct dom_sid host_sid;
+ char *sid_str;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_access_state);
+
+ ret = sdap_get_generic_recv(subreq, state,
+ &reply_count, &reply);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_generic_recv failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ ret = ENOENT;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (reply_count == 0 || !reply) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_generic_recv failed to receive host sid\n");
+ ret = EIO;
+ goto done;
+ }
+
+ /* reply[0] holds the requested attribute */
+ ret = sysdb_attrs_get_el(reply[0], AD_AT_SID, &el);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_get_el failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ if (el->num_values != 1) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ad_gpo_get_host_sid_retrieval_done failed: sid not present\n");
+ ret = EIO;
+ goto done;
+ }
+
+ /* parse the dom_sid from the ldb blob */
+ ndr_err = ndr_pull_struct_blob_all((DATA_BLOB*)&(el->values[0]),
+ subreq, &host_sid,
+ (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ndr_pull_struct_blob_all failed: [%d]\n",
+ ndr_err);
+ ret = EIO;
+ goto done;
+ }
+
+ /* Convert the dom_sid to a sid string */
+ ret = sss_idmap_smb_sid_to_sid(state->opts->idmap_ctx->map,
+ &host_sid, &sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_idmap_smb_sid_to_sid failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ state->host_sid = talloc_steal(state, sid_str);
+
+ /* Put the sid string in the sysdb */
+ ret = sysdb_set_computer(subreq, state->user_domain,
+ state->ad_hostname, state->host_sid,
+ state->user_domain->computer_timeout,
+ time(NULL));
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_set_computer failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
subreq = ad_gpo_process_som_send(state,
state->ev,
state->conn,
@@ -2143,7 +2338,8 @@ ad_gpo_process_gpo_done(struct tevent_re
goto done;
}
- ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->user_domain,
+ ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->host_sid,
+ state->user_domain,
state->opts->idmap_ctx->map,
candidate_gpos, num_candidate_gpos,
&state->dacl_filtered_gpos,
Index: sssd-2.2.3/src/providers/ad/ad_gpo_ndr.c
===================================================================
--- sssd-2.2.3.orig/src/providers/ad/ad_gpo_ndr.c
+++ sssd-2.2.3/src/providers/ad/ad_gpo_ndr.c
@@ -248,7 +248,7 @@ ndr_pull_security_ace_object_ctr(struct
return NDR_ERR_SUCCESS;
}
-static enum ndr_err_code
+enum ndr_err_code
ndr_pull_dom_sid(struct ndr_pull *ndr,
int ndr_flags,
struct dom_sid *r)
Index: sssd-2.2.3/src/tests/cmocka/test_ad_gpo.c
===================================================================
--- sssd-2.2.3.orig/src/tests/cmocka/test_ad_gpo.c
+++ sssd-2.2.3/src/tests/cmocka/test_ad_gpo.c
@@ -267,6 +267,7 @@ void test_populate_gplink_list_malformed
* Test SID-matching logic
*/
static void test_ad_gpo_ace_includes_client_sid(const char *user_sid,
+ const char *host_sid,
const char **group_sids,
int group_size,
struct dom_sid ace_dom_sid,
@@ -286,8 +287,8 @@ static void test_ad_gpo_ace_includes_cli
&idmap_ctx);
assert_int_equal(err, IDMAP_SUCCESS);
- ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
- ace_dom_sid, idmap_ctx,
+ ret = ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
+ group_size, ace_dom_sid, idmap_ctx,
&includes_client_sid);
talloc_free(idmap_ctx);
@@ -305,13 +306,14 @@ void test_ad_gpo_ace_includes_client_sid
struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}};
const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103";
+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102";
int group_size = 2;
const char *group_sids[] = {"S-1-5-21-2-3-4",
"S-1-5-21-2-3-5"};
- test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
- ace_dom_sid, true);
+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
+ group_size, ace_dom_sid, true);
}
void test_ad_gpo_ace_includes_client_sid_false(void **state)
@@ -320,13 +322,29 @@ void test_ad_gpo_ace_includes_client_sid
struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}};
const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103";
+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102";
int group_size = 2;
const char *group_sids[] = {"S-1-5-21-2-3-5",
"S-1-5-21-2-3-6"};
- test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
- ace_dom_sid, false);
+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
+ group_size, ace_dom_sid, false);
+}
+
+void test_ad_gpo_ace_includes_host_sid_true(void **state)
+{
+ /* ace_dom_sid represents "S-1-5-21-1898687337-2196588786-2775055786-2102" */
+ struct dom_sid ace_dom_sid = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 1898687337, 2196588786, 2775055786, 2102}};
+
+ const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103";
+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102";
+
+ int group_size = 0;
+ const char *group_sids[] = {};
+
+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
+ group_size, ace_dom_sid, true);
}
int main(int argc, const char *argv[])
@@ -364,6 +382,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false,
ad_gpo_test_setup,
ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */

23
sssd.changes
View File

@ -1,3 +1,26 @@
-------------------------------------------------------------------
Tue May 19 11:32:22 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.3.0
* SSSD can now handle hosts and networks nsswitch databases
(see resolve_provider option).
* By default, authentication request only refresh user's
initgroups if it is expired or there is not active user's
session (see pam_initgroups_scheme option).
* OpenSSL is used as default crypto provider, NSS is deprecated.
* The AD provider now defaults to GSS-SPNEGO SASL mechanism
(see ldap_sasl_mech option).
* The AD provider can now be configured to use only ldaps port
(see ad_use_ldaps option).
* SSSD now accepts host entries from GPO's security filter.
* New debug level (0x10000) added for low level LDB messages
only (see sssd.conf man page).
- Drop sssd-gpo_host_security_filter-2.2.2.patch,
0001-Resolve-computer-lookup-failure-when-sam-cn.patch,
0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
(unapplicable)
-------------------------------------------------------------------
Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

19
sssd.spec
View File

@ -18,22 +18,18 @@
%define _buildshell /bin/bash
Name: sssd
Version: 2.2.3
Version: 2.3.0
Release: 0
Summary: System Security Services Daemon
License: GPL-3.0-or-later and LGPL-3.0-or-later
Group: System/Daemons
URL: https://pagure.io/SSSD/sssd
#Git-Clone: https://pagure.io/SSSD/sssd
Source: https://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz
Source2: https://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc
Source: https://github.com/SSSD/sssd/releases/download/sssd-2_3_0/%name-%version.tar.gz
Source2: https://github.com/SSSD/sssd/releases/download/sssd-2_3_0/%name-%version.tar.gz.asc
Source3: baselibs.conf
Source5: %name.keyring
Patch1: krb-noversion.diff
Patch2: sssd-gpo_host_security_filter-2.2.2.patch
Patch3: 0001-Resolve-computer-lookup-failure-when-sam-cn.patch
Patch4: 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
Patch5: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
%define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss
@ -45,23 +41,23 @@ Patch5: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
BuildRequires: autoconf >= 2.59
BuildRequires: automake
BuildRequires: bind-utils
BuildRequires: check-devel
BuildRequires: cifs-utils-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: docbook-xsl-stylesheets
BuildRequires: krb5-devel >= 1.12
BuildRequires: libcmocka-devel
BuildRequires: libsmbclient-devel
BuildRequires: libtool
BuildRequires: libxml2-tools
BuildRequires: libxslt-tools
BuildRequires: nscd
BuildRequires: nss_wrapper
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pkg-config >= 0.21
BuildRequires: systemd-rpm-macros
BuildRequires: libcmocka-devel
BuildRequires: nss_wrapper
BuildRequires: uid_wrapper
BuildRequires: check-devel
BuildRequires: pkgconfig(augeas) >= 1.0.0
BuildRequires: pkgconfig(collection) >= 0.5.1
BuildRequires: pkgconfig(dbus-1) >= 1.0.0
@ -447,7 +443,7 @@ rm -Rfv "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug"
%check
# sss_config-tests fails
make %{?_smp_mflags} check ||:
make %{?_smp_mflags} check || :
%pre
%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
@ -606,7 +602,6 @@ rm -f /var/lib/sss/db/*.ldb
%_libdir/cifs-utils/
%_libdir/krb5/
%_libdir/%name/modules/sssd_krb5_localauth_plugin.so
%_mandir/??/man8/pam_sss.8*
%_mandir/??/man8/sssd_krb5_locator_plugin.8*
%_mandir/man8/pam_sss.8*
%_mandir/man8/sssd_krb5_locator_plugin.8*