Accepting request 1296905 from network:ldap

- Update to release 2.11.1

OBS-URL: https://build.opensuse.org/request/show/1296905
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=144

_scmsync.obsinfo

@@ -1,4 +1,4 @@
-mtime: 1738574756
-commit: 0dd76c3fb1e8976e3f2203732d255929ddd4647604210f34bc9970c9c866a7c6
+mtime: 1753994117
+commit: 0e0d1361c8452d81d3f95f3e2e6ee1170e16356d1e2c4145af472ea204b6b873
 url: https://src.opensuse.org/jengelh/sssd
 revision: master

build.specials.obscpio

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:057383006ab62d4a1ca24c5a28ada9061ca2aacd5b4b70b4384ba1850e394e6f
+oid sha256:a31e4d0a5d8f6b3d45219c049e9bb6f29dc8d630ca5dbc7f9e4e89be2ae35fa2
 size 256

logrotate.patch

@@ -0,0 +1,48 @@
+From: Jan Engelhardt <ej@inai.de>
+Date: 2025-07-18 11:02:24.078457348 +0200
+References: https://bugzilla.suse.com/show_bug.cgi?id=1246537
+References: https://github.com/SSSD/sssd/issues/8041
+
+---
+ src/examples/logrotate.in            |    3 +--
+ src/sysv/systemd/sssd-kcm.service.in |    1 +
+ src/sysv/systemd/sssd.service.in     |    1 +
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+Index: sssd-2.11.1/src/examples/logrotate.in
+===================================================================
+--- sssd-2.11.1.orig/src/examples/logrotate.in
++++ sssd-2.11.1/src/examples/logrotate.in
+@@ -8,7 +8,6 @@
+     delaycompress
+     su @SSSD_USER@ @SSSD_USER@
+     postrotate
+-        /bin/kill -HUP `cat @pidpath@/sssd.pid 2>/dev/null` 2> /dev/null || true
+-        /bin/pkill -HUP sssd_kcm 2> /dev/null || true
++        /usr/bin/systemctl try-reload-or-restart sssd sssd_kcm
+     endscript
+ }
+Index: sssd-2.11.1/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.11.1.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.11.1/src/sysv/systemd/sssd-kcm.service.in
+@@ -32,6 +32,7 @@ ExecStartPre=+-/bin/chmod -f g+x @sssdco
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log*"
+ ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
++ExecReload=kill -HUP $MAINPID
+ CapabilityBoundingSet= CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID
+ SecureBits=noroot noroot-locked
+ User=@SSSD_USER@
+Index: sssd-2.11.1/src/sysv/systemd/sssd.service.in
+===================================================================
+--- sssd-2.11.1.orig/src/sysv/systemd/sssd.service.in
++++ sssd-2.11.1/src/sysv/systemd/sssd.service.in
+@@ -21,6 +21,7 @@ ExecStartPre=+-/bin/sh -c "/bin/chown -f
+ ExecStartPre=+-/bin/chown -f -R -h @SSSD_USER@:@SSSD_USER@ @gpocachepath@
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/*.log*"
+ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
++ExecReload=kill -HUP $MAINPID
+ Type=notify
+ NotifyAccess=main
+ Restart=on-abnormal

sssd-2.10.2.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmeaLD8ACgkQ09IbKRDP
-Z1nLAxAAm9zM2u1XR3FBK6iy2xC+PoDWdu8Kh+oU0B6NgFK5LEJk9TWBdHlLpYcS
-HugTfQb5wPfUejZTk9u8TIoVIa7pTYl3kGH8RuLnEUr5lBKdYaDf5BUb8uM7YaBP
-NZQDqCFshNMMF8Z44HfRQltmqblJWj7TdFXJ8dCkRupbXjrbqiBrH5XjooLUK0dX
-/7m63at6BZFjuuFt/QvA2QbwK3fa2wUxuX0vMrD6f2zZuWptcE3zhXaa/BtPm5ZD
-8S5oC+RkKMGfLWNfIc1noXOZQIT+sGNyeUhq/QRFybcHZ+tXqJrNmfz/OWf5HZ/U
-vsJDIWv4db83asTtU3j5+ec4+fRwv7BK8X2V2UnpPOrAhN0r+zWp98BwUfSCqHlR
-E8dBlbAU3pRL1qDZG71tpIgHeDNtB42MM0UmmBY4w18nNBbp8Be6vtEbD6ktoa0P
-2uZRO9v/RgeKQTs0hfuzsbHcpd1hQmhtfwGAlxTWuGkoSjZyk2xUiV3JZ/3/kWH5
-dCU26txrtgWFqLbUhanatFrdmdKwn5hp5eP/Px330zJVTjuILlqTZ1CLAW2B5Gal
-JJT17j8ecqVedyHCkVnN9wD26ivwl8POBnrD3FfB6zKszcZewNRuKW24RyVamo6e
-k4JVMTDzjOwr31Tt6eLhU0BsPA8G8wCntl3wj36T7VWh47ncsX8=
-=vuNl
------END PGP SIGNATURE-----

sssd-2.11.1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmiLT74ACgkQ09IbKRDP
+Z1nIIQ/+NjryrInjiH9LmBZKa5wgYE8d49aHxtOc4pySV3CFhVMM0cUT0rO1umy3
++4xlvxDs/7OYdZkJapotcpf8CJDyLttxsA4/0gfBDGoCRsRLAXxnoZ9K7+0PgV5j
+2DbB6+0Ay0JJ9IYjJwoIMbSKiWm2/KuqLBicNoaxvYK/OJc/K+3AkPIyqVmOItl8
+23UOMuMn6NRBJP6m0R+LUEJQ4rW6cej1lc+mqsPYlerHY8BmRFzRcFjVqhsgUpQj
+hCTJwq5iUpbhiyDIpYzGeS5Jr0bxAVeAZbo4YcN2GQVawOjLQYOP7UPWFm80JLbQ
+GEvQHHo2YDBxcZEma6Z614/8aQI6nVzc/DMq3ffPb4E5snMJ+/v9LCGN1jjmCPWo
+TSiYZrt33zeJrmsmnImWT4ejErkt7dLV9qOQS6BTjHGtgNgl4qrbiFLSZZk2oJp6
+1eJERF/uqBmBYJ2Bq7Fq0Gp4u90TK6kgLV8pkz71Tl+BUPjoD8H9b6VMrwY0jiux
+FfE9ZjWDDAlaLqRlbpd6lVHiQfkgCUflw7o5E+jSL96S4X+6e1aCcL3vdkLxFSCa
+PCQggDD+Ng2HvNsqQ8Z1eA0k2wNuYUNLKab2eUcc4siIKmoMsPQkgmLUBINiPMyR
+GR6ZQ6xdiQkBFBC+JplQM5AsVddJ7UZ2DCzUzFkriyqua58Cuyo=
+=DoFI
+-----END PGP SIGNATURE-----

sssd.changes

@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Thu Jul 31 16:15:46 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.11.1
+  * Fixed AD users in external groups not being cleared once the
+    cache expires.
+  * Fixed `cache_credentials=true` not having any effect.
+  * Fixed socket activation not having an effect for sssd_pam.
+
+-------------------------------------------------------------------
+Fri Jul 18 09:03:19 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add logrotate.patch [boo#1246537]
+
+-------------------------------------------------------------------
+Wed Jun 11 14:53:26 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Install file in krb5.conf.d to include sssd krb5 config snippets;
+  (bsc#1244325);
+
+-------------------------------------------------------------------
+Thu Jun  5 12:14:03 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.11
+  * The deprecated tool `sss_ssh_knownhostsproxy` was finally
+    removed.
+  * Support for `id_provider = files` was removed.
+  * SSSD doesn't create any more missing path components of
+    DIR:/FILE: ccache types while acquiring user's TGT.
+  * New generic id and auth provider for Identity Providers (IdPs)
+    for Keycloak/EntraID. [Not enabled in openSUSE for now.]
+
+-------------------------------------------------------------------
+Tue Mar 11 21:35:32 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Run mkdir/rm with verbose mode for the build log
+
 -------------------------------------------------------------------
 Thu Jan 30 14:24:04 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
 
@@ -1892,7 +1929,6 @@ Wed Apr  4 16:13:33 PDT 2012 - ben.kevan@gmail.com
   connect to an auth server
 
 -------------------------------------------------------------------
-
 Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
 
 - Update to new upstream release 1.8.0

sssd.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        2.10.2
+Version:        2.11.1
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,11 +28,13 @@ Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
+Source6:        %name-rpmlintrc
 Patch1:         0001-TOOL-Fix-build-parameter-name-omitted.patch
 Patch11:        krb-noversion.diff
 Patch12:        harden_sssd-ifp.service.patch
 Patch13:        harden_sssd-kcm.service.patch
 Patch14:        symvers.patch
+Patch15:        logrotate.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -88,6 +90,7 @@ BuildRequires:  pkgconfig(p11-kit-1) >= 0.23.3
 BuildRequires:  pkgconfig(popt)
 BuildRequires:  pkgconfig(python3)
 BuildRequires:  pkgconfig(smbclient)
+BuildRequires:  pkgconfig(systemd)
 BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
@@ -438,8 +441,7 @@ autoreconf -fiv
 	--with-subid
 %else
 	--with-selinux=no \
-	--with-libsifp \
-	--with-files-provider
+	--with-libsifp
 %endif
 %make_build all
 
@@ -451,26 +453,26 @@ b="%buildroot"
 
 # Copy some defaults
 %if "%{?_distconfdir}" != ""
-install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
-install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
+install -Dpvm 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
+install -dvm 0755 "$b/%_distconfdir/sssd/conf.d"
 %else
-install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
-install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d"
+install -Dpm 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
+install -dvm 0755 "$b/%_sysconfdir/sssd/conf.d"
 %endif
-install -d "$b/%_unitdir"
+install -dv "$b/%_unitdir"
 %if 0%{?suse_version} > 1500
-install -d "$b/%_distconfdir/logrotate.d"
-install -m644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
-install -d "$b/%_pam_vendordir"
+install -dv "$b/%_distconfdir/logrotate.d"
+install -vm644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
+install -dv "$b/%_pam_vendordir"
 mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir"
 %else
-install -d "$b/%_sysconfdir/logrotate.d"
-install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
+install -dv "$b/%_sysconfdir/logrotate.d"
+install -vm644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
 %endif
 
 rm -Rfv "$b/%_initddir"
 %if 0%{?suse_version} < 1600
-ln -s service "$b/%_sbindir/rcsssd"
+ln -sv service "$b/%_sbindir/rcsssd"
 %endif
 
 mkdir -pv "$b/%sssdstatedir/mc"
@@ -478,8 +480,8 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -p %{buildroot}%{_sysconfdir}/cifs-utils
-ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
+mkdir -pv %buildroot/%_sysconfdir/cifs-utils
+ln -sfv %cifs_idmap_lib %buildroot/%cifs_idmap_plugin
 
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
@@ -490,16 +492,16 @@ sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analy
 %endif
 
 echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
-mkdir -p "$b/%_sysusersdir"
-cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+mkdir -pv "$b/%_sysusersdir"
+cp -av system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
-install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+install -Dpvm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
 #
 # Security considerations for capabilities, chown and stuff:
 # https://www.openwall.com/lists/oss-security/2024/12/19/1
 #
 # should match entry from %%files list
-mkdir -p "$b/%permissions_path"
+mkdir -pv "$b/%permissions_path"
 cat >"$b/%permissions_path/sssd" <<-EOF
 	%_libexecdir/sssd/sssd_pam root:sssd 0750
 	 +capabilities cap_dac_read_search=p
@@ -511,6 +513,10 @@ cat >"$b/%permissions_path/sssd" <<-EOF
 	 +capabilities cap_dac_read_search=p
 EOF
 
+mkdir -pv "$b/%_sysconfdir/krb5.conf.d"
+ln -sv %_datadir/%name/krb5-snippets/enable_sssd_conf_dir \
+       "$b/%_sysconfdir/krb5.conf.d/enable_sssd_conf_dir"
+
 %check
 # sss_config-tests fails
 %make_build check || :
@@ -669,12 +675,8 @@ fi
 %_mandir/??/man1/sss_ssh_*
 %_mandir/??/man5/sss-certmap.5*
 %_mandir/??/man5/sssd-ad.5*
-%if 0%{?suse_version} < 1600
-%_mandir/??/man5/sssd-files.5*
-%endif
 %_mandir/??/man5/sssd-ldap-attributes.5*
 %_mandir/??/man5/sssd-session-recording.5*
-%_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
 %_mandir/??/man5/sssd-systemtap.5*
 %_mandir/??/man5/sssd.conf.5*
@@ -682,9 +684,6 @@ fi
 %_mandir/??/man8/sssd.8*
 %_mandir/man1/sss_ssh_*
 %_mandir/man5/sss-certmap.5*
-%if 0%{?suse_version} < 1600
-%_mandir/man5/sssd-files.5*
-%endif
 %_mandir/man5/sssd-ldap-attributes.5*
 %_mandir/man5/sssd-session-recording.5*
 %_mandir/man5/sssd-simple.5*
@@ -698,9 +697,6 @@ fi
 %_libdir/%name/libsss_cert*
 %_libdir/%name/libsss_crypt*
 %_libdir/%name/libsss_debug*
-%if 0%{?suse_version} < 1600
-%_libdir/%name/libsss_files*
-%endif
 %_libdir/%name/libsss_iface*
 %_libdir/%name/libsss_sbus*
 %_libdir/%name/libsss_simple*
@@ -727,7 +723,6 @@ fi
 %attr(755,%sssd_user,%sssd_user) %dir %pipepath/
 %attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
 %attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
-%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
 %attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
 %attr(755,%sssd_user,%sssd_user) %dir %mcpath/
 %attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
@@ -754,22 +749,16 @@ fi
 %_datadir/%name/sssd.api.conf
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-simple.conf
-%if 0%{?suse_version} < 1600
-%_datadir/%name/sssd.api.d/sssd-files.conf
-%else
-%exclude %_mandir/*/*/sssd-files.5.gz
-%endif
 %attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
 %doc src/examples/sssd.conf
 #
-# sssd-client
+# %%files sssd-client
 #
 %_libdir/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
 %_libdir/%name/modules/sssd_krb5_localauth_plugin.so
-%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
 %if 0%{?suse_version} >= 1600
 %_libdir/libsubid_sss.so
 %endif
@@ -781,7 +770,12 @@ fi
 %_mandir/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
-
+#
+# %%files sssd-idp
+#
+%exclude %_libdir/sssd/libsss_idp.so
+%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
+%exclude %_mandir/man5/sssd-idp*
 
 %files ad
 %dir %_libdir/%name/
@@ -832,7 +826,6 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5.so
 %dir %_datadir/%name/
-%exclude %_datadir/%name/krb5-snippets/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-krb5.conf
 %dir %_mandir/??/
@@ -841,11 +834,16 @@ fi
 %_mandir/??/man5/sssd-krb5.5*
 
 %files krb5-common
+%attr(755,root,root) %dir %pubconfpath/krb5.include.d
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
 %attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child
 %attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child
+%dir %{_datadir}/sssd/krb5-snippets
+%_datadir/%name/krb5-snippets/enable_sssd_conf_dir
+%_datadir/%name/krb5-snippets/sssd_enable_idp
 
 %files ldap
 %dir %_libdir/%name/
@@ -931,16 +929,6 @@ fi
 %_libdir/libsss_nss_idmap.so
 %_libdir/pkgconfig/sss_nss_idmap.pc
 
-%if 0%{?suse_version} < 1600
-%files -n libsss_simpleifp0
-%_libdir/libsss_simpleifp.so.0*
-
-%files -n libsss_simpleifp-devel
-%_includedir/sss_sifp*.h
-%_libdir/libsss_simpleifp.so
-%_libdir/pkgconfig/sss_simpleifp.pc
-%endif
-
 %files -n python3-ipa_hbac
 %dir %python3_sitearch
 %python3_sitearch/pyhbac.so