Filelist changes needed for upcoming libldb.pc from samba-4.21

The python3_fix_shebang_path rpm macro is not available in < 1600

Signed-off-by: Samuel Cabrero <scabrero@suse.de>

0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch

@@ -1,49 +0,0 @@
-From e5224f0cb684e61203d2cd8045266f7248696204 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 10 Oct 2025 12:57:40 +0200
-Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a client is joined to AD or IPA SSSD's localauth plugin can handle
-the mapping of Kerberos principals to local accounts. In case it cannot
-map the Kerberos principals libkrb5 is currently configured to fall back
-to the default localauth plugins 'default', 'rule', 'names',
-'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
-All plugins except 'an2ln' require some explicit configuration by either
-the administrator or the local user. To avoid some unexpected mapping is
-done by the 'an2ln' plugin this patch disables it in the configuration
-snippets for SSSD's localauth plugin.
-
-Resolves: https://github.com/SSSD/sssd/issues/8021
-
-:relnote: After startup SSSD already creates a Kerberos configuration
- snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
- if the AD or IPA providers are used. This enables SSSD's localauth plugin.
- Starting with this release the an2ln plugin is disabled in the
- configuration snippet as well. If this file or its content are included in
- the Kerberos configuration it will fix CVE-2025-11561.
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
----
- src/util/domain_info_utils.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
-index edaf967e1..5c1f05018 100644
---- a/src/util/domain_info_utils.c
-+++ b/src/util/domain_info_utils.c
-@@ -751,6 +751,7 @@ done:
- #define LOCALAUTH_PLUGIN_CONFIG \
- "[plugins]\n" \
- " localauth = {\n" \
-+"  disable = an2ln\n" \
- "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
- " }\n"
- 
--- 
-2.51.1
-

sssd.changes

@@ -1,24 +1,3 @@
--------------------------------------------------------------------
-Tue Nov 18 11:15:49 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
-
-- Install file in krb5.conf.d to include sssd krb5 config snippets;
-  (bsc#1244325);
-- Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561);
-  (bsc#1251827); Add patch
-  0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
-
--------------------------------------------------------------------
-Tue Mar 25 17:42:38 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
-
-- Add python3-setuptools build dependency
-- Drop nscd build dependency
-
--------------------------------------------------------------------
-Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
-
-- Migrate away from update-alternatives, replaced by package
-  conflicts; (bsc#1235789); (bsc#1216739);
-
 -------------------------------------------------------------------
 Tue Oct  1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 
@@ -1848,6 +1827,7 @@ Wed Apr  4 16:13:33 PDT 2012 - ben.kevan@gmail.com
   connect to an auth server
 
 -------------------------------------------------------------------
+
 Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
 
 - Update to new upstream release 1.8.0

sssd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,7 +32,6 @@ Patch1:         krb-noversion.diff
 Patch2:         harden_sssd-ifp.service.patch
 Patch3:         harden_sssd-kcm.service.patch
 Patch4:         symvers.patch
-Patch5:         0005-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -49,6 +48,7 @@ BuildRequires:  libtool
 BuildRequires:  libunistring-devel
 BuildRequires:  libxml2-tools
 BuildRequires:  libxslt-tools
+BuildRequires:  nscd
 BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
@@ -86,7 +86,6 @@ BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
 BuildRequires:  pkgconfig(uuid)
-BuildRequires:  python3-setuptools
 %if 0%{?suse_version} && 0%{?suse_version} < 1600
 # samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
 # this conflicts with
@@ -111,8 +110,16 @@ Obsoletes:      sssd-common < %version-%release
 %define gpocachepath	%sssdstatedir/gpo_cache
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
 
+# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
+# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
+# * cifs-utils one is the default (priority 20)
+# * installing SSSD should NOT switch to SSSD plugin (priority 10)
 %define cifs_idmap_plugin       %_sysconfdir/cifs-utils/idmap-plugin
 %define cifs_idmap_lib          %_libdir/cifs-utils/cifs_idmap_sss.so
+%define cifs_idmap_name         cifs-idmap-plugin
+%define cifs_idmap_priority     10
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -225,23 +232,6 @@ Group:          System/Libraries
 The idmap_sss module provides a way for Winbind to call SSSD to map
 UIDs/GIDs and SIDs.
 
-%package cifs-idmap-plugin
-Summary:        The sssd idmap plugin for cifs.idmap
-Group:          System/Libraries
-# Conflict as per https://bugzilla.suse.com/1235789
-Provides:       cifs-idmap-plugin
-Conflicts:      cifs-idmap-plugin
-
-%description cifs-idmap-plugin
-The cifs.idmap(8) userspace helper relies on a plugin to handle the
-ID mapping. This package contains the ID mapping plugin that will use
-sssd.
-
-In SUSE systems, only one such plugin can be installed at a time
-(either the one from sssd, or from cifs-utils).
-Without the plugin, file objects in a mounted share have UID/GID of
-the original mounting process.
-
 %package -n libsss_certmap0
 Summary:        FreeIPA ID mapping library
 License:        LGPL-3.0-or-later
@@ -399,6 +389,8 @@ Security Services Daemon (sssd).
 %autosetup -p1
 
 %build
+# help configure find nscd
+export PATH="$PATH:/usr/sbin"
 
 autoreconf -fiv
 %configure \
@@ -463,15 +455,15 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -p %{buildroot}%{_sysconfdir}/cifs-utils
-ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
-
+mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
+ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
 %python3_fix_shebang
-%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
-
-mkdir -pv "$b/%_sysconfdir/krb5.conf.d"
-ln -sv %_datadir/%name/krb5-snippets/enable_sssd_conf_dir \
-       "$b/%_sysconfdir/krb5.conf.d/enable_sssd_conf_dir"
+%if 0%{?suse_version} > 1600
+%python3_fix_shebang_path %buildroot/%_libexecdir/%name/
+%elif 0%{?suse_version} == 1600
+# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
+sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
+%endif
 
 %check
 # sss_config-tests fails
@@ -494,6 +486,9 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 fi
 %service_add_post sssd.service
 
+# install SSSD cifs-idmap plugin as an alternative
+update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
+
 %preun
 %service_del_preun sssd.service
 
@@ -505,6 +500,9 @@ fi
 # del_postun includes a try-restart
 %service_del_postun sssd.service
 
+if [ ! -f "%cifs_idmap_lib" ]; then
+	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
+fi
 
 %post   -n libsss_certmap0 -p /sbin/ldconfig
 %postun -n libsss_certmap0 -p /sbin/ldconfig
@@ -727,7 +725,12 @@ fi
 %_mandir/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
-
+# cifs idmap plugin
+%dir %_sysconfdir/cifs-utils
+%cifs_idmap_plugin
+%dir %_libdir/cifs-utils
+%cifs_idmap_lib
+%ghost %_sysconfdir/alternatives/%cifs_idmap_name
 
 %files ad
 %dir %_libdir/%name/
@@ -778,6 +781,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5.so
 %dir %_datadir/%name/
+%exclude %_datadir/%name/krb5-snippets/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-krb5.conf
 %dir %_mandir/??/
@@ -786,16 +790,11 @@ fi
 %_mandir/??/man5/sssd-krb5.5*
 
 %files krb5-common
-%dir %pubconfpath/krb5.include.d
-%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
 %_libexecdir/%name/krb5_child
 %_libexecdir/%name/ldap_child
-%dir %{_datadir}/sssd/krb5-snippets
-%_datadir/%name/krb5-snippets/enable_sssd_conf_dir
-%exclude %_datadir/%name/krb5-snippets/sssd_enable_idp
 
 %files ldap
 %dir %_libdir/%name/
@@ -837,12 +836,6 @@ fi
 %_libdir/samba/idmap/
 %_mandir/man8/idmap_sss.8*
 
-%files cifs-idmap-plugin
-%dir %_sysconfdir/cifs-utils
-%cifs_idmap_plugin
-%dir %_libdir/cifs-utils
-%cifs_idmap_lib
-
 %files -n libipa_hbac0
 %_libdir/libipa_hbac.so.0*