sssd 2.10.2

The plugin for cifs.idmap is moved to its own package and conflicts with
the winbind plugin provided by cifs-utils.

Fixes bsc#1235789, bsc#1216739

Signed-off-by: Samuel Cabrero <scabrero@suse.de>

_scmsync.obsinfo

@@ -1,4 +0,0 @@
-mtime: 1736538796
-commit: e9bed7037d80b1a2f8f6599da3e1d34aee9e5b250cf5642ba8f8e1c6ea438517
-url: https://src.opensuse.org/jengelh/sssd
-revision: master

build.specials.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c125f3492f8f3631e79acbaf633c871c2e3afe7c0e9ce5e0da888e0ba4cbd104
-size 256

harden_sssd-kcm.service.patch

@@ -2,10 +2,10 @@
  src/sysv/systemd/sssd-kcm.service.in |   13 +++++++++++++
  1 file changed, 13 insertions(+)
 
-Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+Index: sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
 ===================================================================
---- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+--- sssd-2.10.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
  Also=sssd-kcm.socket
  
@@ -24,5 +24,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions 
  Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
- ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ # '-H' is used with @sssdconfdir@ to support use case where /etc/sssd is a symlink.
+ # '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.

sssd-2.10.1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmdYSb4ACgkQ09IbKRDP
-Z1kRyRAAmkKhCUcBs4h2mDg7uzz7DfYFkHXEiY8EMoVP5Iw6ZsNL/V9fwF9xhj49
-XbnCfxj2zFfVWZd5VYnTpl86Hg3NrxuPehgM+iMAXS6U/55TvRPunCtTiRwoTZ4t
-zSgiBaSg3I2hmSN2cnSU8PpilEDCIeSP3uafmGXI1KUxEQltVbp0EeJ5CL5GP3xU
-rFgI1pKdTySlw6jZ3vjkAaHwdsJGB0MKtjiBJYtqvHmIzbUdSNN/iE5Wf5xsdtez
-KKLUrnKeQFuNyYWpjipJvbs7i9+E5VKFvCfrqFb6vQbp+Rgd98epVjp2VKovNy8p
-gZQmgfbi5GCWKuBx+dbaRSFa8hWemEwnBNboV6JKq4+CoPsMkI367utZV5gd58V5
-RHgLsrZfjahAXgG4ytwPhgKDV+sX+sSn4aXIdaSgc+vP7+ykLMxyzyR2GXyG+y11
-WrnovdR0HywHfzvlUnKQmcLUjCkXKVwIMw0oBRa8+YLTD08EeYgu+oXXDpGD0oL1
-YJLLBdr6ycR9Rk/sUqbZgEnzQZPYXazIraUrd71Ry8CaNvqi86Of7sX6SgSQQeg/
-ZPLNcPWPadG/9jpMNJNsXXEZicNJXznQczlXKvRXINOJzknJYwwgH+/55otbzNzq
-EjlOmFEn07bGAHCsHTfydlCeYqD9x+WV/X8CReMFjcaaBH4TDms=
-=S0c5
------END PGP SIGNATURE-----

sssd-2.10.2.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmeaLD8ACgkQ09IbKRDP
+Z1nLAxAAm9zM2u1XR3FBK6iy2xC+PoDWdu8Kh+oU0B6NgFK5LEJk9TWBdHlLpYcS
+HugTfQb5wPfUejZTk9u8TIoVIa7pTYl3kGH8RuLnEUr5lBKdYaDf5BUb8uM7YaBP
+NZQDqCFshNMMF8Z44HfRQltmqblJWj7TdFXJ8dCkRupbXjrbqiBrH5XjooLUK0dX
+/7m63at6BZFjuuFt/QvA2QbwK3fa2wUxuX0vMrD6f2zZuWptcE3zhXaa/BtPm5ZD
+8S5oC+RkKMGfLWNfIc1noXOZQIT+sGNyeUhq/QRFybcHZ+tXqJrNmfz/OWf5HZ/U
+vsJDIWv4db83asTtU3j5+ec4+fRwv7BK8X2V2UnpPOrAhN0r+zWp98BwUfSCqHlR
+E8dBlbAU3pRL1qDZG71tpIgHeDNtB42MM0UmmBY4w18nNBbp8Be6vtEbD6ktoa0P
+2uZRO9v/RgeKQTs0hfuzsbHcpd1hQmhtfwGAlxTWuGkoSjZyk2xUiV3JZ/3/kWH5
+dCU26txrtgWFqLbUhanatFrdmdKwn5hp5eP/Px330zJVTjuILlqTZ1CLAW2B5Gal
+JJT17j8ecqVedyHCkVnN9wD26ivwl8POBnrD3FfB6zKszcZewNRuKW24RyVamo6e
+k4JVMTDzjOwr31Tt6eLhU0BsPA8G8wCntl3wj36T7VWh47ncsX8=
+=vuNl
+-----END PGP SIGNATURE-----

sssd.changes

@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Thu Jan 30 14:24:04 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.2
+  * If the ssh responder is not running, sss_ssh_knownhosts will
+    not fail (but it will not return the keys).
+  * SSSD is now capable of handling multiple services associated
+    with the same port.
+  * sssd_pam, being a privileged binary, now clears the
+    environment and does not allow configuration of the
+    PR_SET_DUMPABLE flag as a precaution.
+
+-------------------------------------------------------------------
+Wed Jan 22 09:21:43 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop build dependency on ncsd, which has been deprecated
+  (boo#1239262).
+
+-------------------------------------------------------------------
+Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Migrate away from update-alternatives, replaced by package
+  conflicts; (bsc#1235789); (bsc#1216739);
+
 -------------------------------------------------------------------
 Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

sssd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        2.10.1
+Version:        2.10.2
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -50,7 +50,6 @@ BuildRequires:  libunistring-devel
 BuildRequires:  libxml2-tools
 BuildRequires:  libxslt-tools
 BuildRequires:  libopenssl-3-devel
-BuildRequires:  nscd
 BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
@@ -130,16 +129,8 @@ Obsoletes:      sssd-common < %version-%release
 %define permissions_path %_sysconfdir/permissions.d/
 %endif
 
-# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
-# * cifs-utils one is the default (priority 20)
-# * installing SSSD should NOT switch to SSSD plugin (priority 10)
 %define cifs_idmap_plugin       %_sysconfdir/cifs-utils/idmap-plugin
 %define cifs_idmap_lib          %_libdir/cifs-utils/cifs_idmap_sss.so
-%define cifs_idmap_name         cifs-idmap-plugin
-%define cifs_idmap_priority     10
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 
 %description
 A set of daemons to manage access to remote directories and
@@ -253,6 +244,23 @@ Group:          System/Libraries
 The idmap_sss module provides a way for Winbind to call SSSD to map
 UIDs/GIDs and SIDs.
 
+%package cifs-idmap-plugin
+Summary:        The sssd idmap plugin for cifs.idmap
+Group:          System/Libraries
+# Conflict as per https://bugzilla.suse.com/1235789
+Provides:       cifs-idmap-plugin
+Conflicts:      cifs-idmap-plugin
+
+%description cifs-idmap-plugin
+The cifs.idmap(8) userspace helper relies on a plugin to handle the
+ID mapping. This package contains the ID mapping plugin that will use
+sssd.
+
+In SUSE systems, only one such plugin can be installed at a time
+(either the one from sssd, or from cifs-utils).
+Without the plugin, file objects in a mounted share have UID/GID of
+the original mounting process.
+
 %package -n libsss_certmap0
 Summary:        FreeIPA ID mapping library
 License:        LGPL-3.0-or-later
@@ -408,9 +416,6 @@ Security Services Daemon (sssd).
 %autosetup -p1
 
 %build
-# help configure find nscd
-export PATH="$PATH:/usr/sbin"
-
 autoreconf -fiv
 %configure \
 	--with-db-path="%dbpath" \
@@ -473,8 +478,9 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
-ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
+mkdir -p %{buildroot}%{_sysconfdir}/cifs-utils
+ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
+
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
 %python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
@@ -530,9 +536,6 @@ fi
 %tmpfiles_create %name.conf
 %set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
 
-# install SSSD cifs-idmap plugin as an alternative
-update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
-
 %preun
 %service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
@@ -544,9 +547,6 @@ fi
 # del_postun includes a try-restart
 %service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
-if [ ! -f "%cifs_idmap_lib" ]; then
-	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
-fi
 
 %ldconfig_scriptlets -n libsss_certmap0
 %ldconfig_scriptlets -n libipa_hbac0
@@ -781,12 +781,7 @@ fi
 %_mandir/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
-# cifs idmap plugin
-%dir %_sysconfdir/cifs-utils
-%cifs_idmap_plugin
-%dir %_libdir/cifs-utils
-%cifs_idmap_lib
-%ghost %_sysconfdir/alternatives/%cifs_idmap_name
+
 
 %files ad
 %dir %_libdir/%name/
@@ -892,6 +887,12 @@ fi
 %_libdir/samba/idmap/
 %_mandir/man8/idmap_sss.8*
 
+%files cifs-idmap-plugin
+%dir %_sysconfdir/cifs-utils
+%cifs_idmap_plugin
+%dir %_libdir/cifs-utils
+%cifs_idmap_lib
+
 %files -n libipa_hbac0
 %_libdir/libipa_hbac.so.0*