builds

2024-08-30 11:37:19 +02:00 · 2024-08-30 11:37:19 +02:00 · 8aeefcbe42
commit 8aeefcbe42
parent 73fb2a82f6
10 changed files with 193 additions and 101 deletions
--- a/harden_sssd-kcm.service.patch
+++ b/harden_sssd-kcm.service.patch
@ -1,7 +1,16 @@
-Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
-===================================================================
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+From 47a18db90ae89803532d6fa8e0790fcb98b76a07 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 16 Jul 2024 09:21:00 +0200
+Subject: [PATCH] Harden sssd-kcm.service
+
+---
+ src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
+index 2b3de184b..610ba2e18 100644
+--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket
 Also=sssd-kcm.socket
 
@ -18,7 +27,10 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
 +RestrictRealtime=true
-+# end of automatic additions 
+# end of automatic additions
 Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
- ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+ ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+-- 
+2.45.2
+
--- a/sssd-2.10.0-beta2.tar.gz
+++ b/sssd-2.10.0-beta2.tar.gz
--- a/sssd-2.10.0-beta2.tar.gz.asc
+++ b/sssd-2.10.0-beta2.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZ735wACgkQ09IbKRDP
+Z1lYNRAAjsjAHwIznwSYKMT+XrfKk6xS8oEgbzT8zme5jR0Dd8XtIVDAs3tTjQkm
+kdRZMDXdKOTghXUCRpTOdejuxvZ3qxrfXU9YYekWoO5iWegdXy+bRgkmdvyLVyeh
+Mz+Hk9EHGtCxgcZ0B64ksY6g9P4LFxTneA9mkfh9LjY+QWbONG5KfcC1J6BTpxUX
+5IAO1YKuk6Pt6ERyYViSTTzW1aC2JVGIFHK8kDrqxvFgeqY7n96K0PdPtPFhtQuA
+A8aOHZh8yPimO1fcnlx8G0HmnK2cSJu5zmXMhKLNQhzSgYaGURzwKu1dDQquCBEH
+8Y1AOBcA7OOTfY6BdDYVGR/ewGBay5NBBl+qMH4skN/Tfz5+IyjbfrK5JNsJVIB0
+3CflPSs0PHQIkawH8h3bjYm/7EmuWidoP941TkTfw//nWHkJa++XwQQvZWsJooUN
+LJYmhRO1RenhPDluZkkzmywwUGLdoqKFu5EnRkGEprYppIkso0umbgV/Ju7mi1u8
+GGFoNZugl0Cdohe0xkgyDTYwI/SESgUHbl/4Ovt3FFgrj0QOMcBUf6HqhV0/6AfY
+iABz/fT7TsgrjzlO5V+3or9Q1J/DHW6n//u0oeazwdRy/S9/dUWAIQ77pWqp1kO4
+QjDLg+EZMVm9mmMJbdbMu5aRfvdgRf24yHxK/kQl7LlXBMNoMWw=
+=sV+3
+-----END PGP SIGNATURE-----
--- a/sssd-2.9.5.tar.gz
+++ b/sssd-2.9.5.tar.gz
--- a/sssd-2.9.5.tar.gz.asc
+++ b/sssd-2.9.5.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
-Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
-SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
-oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
-v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
-zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
-Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
-l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
-T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
-eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
-mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
-d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
-=pY7t
-----END PGP SIGNATURE-----
--- a/1
+++ b/1
@ -0,0 +1 @@
+addFilter("binary-or-shlib-calls-gethostbyname")
--- a/sssd.changes
+++ b/sssd.changes
@ -1,16 +1,3 @@
-------------------------------------------------------------------
-Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
-
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
-  python3_fix_shebang_path RPM macro is not available
-
-------------------------------------------------------------------
-Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
-
- Revert the change dropping the default configuration file. If
-  /usr/etc exists will be installed there, otherwise in /etc.
-  (bsc#1226157);
-
 -------------------------------------------------------------------
 Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

--- a/sssd.spec
+++ b/sssd.spec
@ -17,21 +17,24 @@


 Name:           sssd
-Version:        2.9.5
+Version:        2.10.0
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
 Group:          System/Daemons
 URL:            https://github.com/SSSD/sssd
 #Git-Clone:	https://github.com/SSSD/sssd
-Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz
-Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
+Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0-beta2.tar.gz
+Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0-beta2.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
+Source6:        sssd.sysusers
 Patch1:         krb-noversion.diff
 Patch2:         harden_sssd-ifp.service.patch
 Patch3:         harden_sssd-kcm.service.patch
-Patch4:         symvers.patch
+# Does not build if ${PACKAGE_VERSION} contains a dash
+#Patch4:         symvers.patch
+
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@ -53,6 +56,7 @@ BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
 BuildRequires:  pkg-config >= 0.21
+BuildRequires:  python3-setuptools
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  uid_wrapper
 BuildRequires:  pkgconfig(augeas) >= 1.0.0
@ -68,6 +72,7 @@ BuildRequires:  pkgconfig(libcrypto)
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libcurl)
 %endif
+BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libnfsidmap)
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(libnl-route-3.0) >= 3.0
@ -75,6 +80,9 @@ BuildRequires:  pkgconfig(libpcre2-8)
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libsemanage)
 %endif
+BuildRequires:  polkit
+BuildRequires:  sysuser-shadow
+BuildRequires:  sysuser-tools
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(ndr_krb5pac)
 BuildRequires:  pkgconfig(ndr_nbt)
@ -94,6 +102,7 @@ BuildRequires:  pkgconfig(uuid)
 #!BuildIgnore: libldap-data
 %endif
 %{?systemd_ordering}
+%sysusers_requires
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides:       libsss_sudo = %version-%release
@ -102,12 +111,18 @@ Obsoletes:      libsss_sudo < %version-%release
 Provides:       sssd-common = %version-%release
 Obsoletes:      sssd-common < %version-%release

+%global sssd_user sssd
+%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
+
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
 %define dbpath		%sssdstatedir/db
 %define pipepath	%sssdstatedir/pipes
 %define pubconfpath	%sssdstatedir/pubconf
 %define gpocachepath	%sssdstatedir/gpo_cache
+%define keytabdir %sssdstatedir/keytabs
+%define mcpath %sssdstatedir/mc
+%define deskprofilepath %sssdstatedir/deskprofile
 %define ldbdir %(pkg-config ldb --variable=modulesdir)

 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
@ -150,6 +165,18 @@ Requires:       %name = %version
 Provides the D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.

+%package polkit-rules
+Summary:        Rules for polkit integration for SSSD
+Group:          System/Daemons
+License:        GPL-3.0-or-later
+Requires:       %{name} = %{version}-%{release}
+Requires:       polkit >= 0.106
+BuildArch:      noarch
+
+%description polkit-rules
+Provides rules for polkit integration with SSSD. This is required
+for smartcard support.
+
 %package ipa
 Summary:        FreeIPA backend plugin for sssd
 License:        GPL-3.0-or-later
@ -386,7 +413,7 @@ Provide python module to access and manage configuration of the System
 Security Services Daemon (sssd).

 %prep
-%autosetup -p1
+%autosetup -p1 -n sssd-2.10.0-beta2

 %build
 # help configure find nscd
@ -394,6 +421,9 @@ export PATH="$PATH:/usr/sbin"

 autoreconf -fiv
 %configure \
+  --runstatedir=%{_rundir} \
+  --disable-rpath \
+  --disable-static \
 	--with-db-path="%dbpath" \
 	--with-pipe-path="%pipepath" \
 	--with-pubconf-path="%pubconfpath" \
@ -402,13 +432,14 @@ autoreconf -fiv
 	--with-initscript=systemd \
 	--with-syslog=journald \
 	--with-pid-path="%_rundir" \
-	--enable-nsslibdir="/%_lib" \
+	--enable-nsslibdir="%_libdir" \
 	--enable-pammoddir="%_pam_moduledir" \
 	--with-ldb-lib-dir="%ldbdir" \
 	--with-os=suse \
 	--disable-ldb-version-check \
 	--without-python2-bindings \
 	--without-oidc-child \
+  --with-sssd-user=%{sssd_user} \
 %if 0%{?suse_version} >= 1600
 	--with-selinux=yes \
 	--with-subid
@ -418,7 +449,9 @@ autoreconf -fiv
 	--with-libsifp \
 	--with-files-provider
 %endif
-%make_build all
+%make_build all runstatedir=%{_rundir}
+
+%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf

 %install
 # sss_obfuscate is compatible with both python 2 and 3
@ -459,18 +492,30 @@ mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-util
 ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
+# TODO Check latest fix for leap 15.6
 %python3_fix_shebang_path %buildroot/%_libexecdir/%name/
 %elif 0%{?suse_version} == 1600
 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
 sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
 %endif

+install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
 %check
 # sss_config-tests fails
 %make_build check || :

 %pre
+%sysusers_create_package %{name} %SOURCE6
 %service_add_pre sssd.service
+%service_add_pre sssd-autofs.service sssd-autofs.socket
+%service_add_pre sssd-nss.service sssd-nss.socket
+%service_add_pre sssd-pac.service sssd-pac.socket
+%service_add_pre sssd-pam.service sssd-pam.socket
+%service_add_pre sssd-ssh.service sssd-ssh.socket
+%service_add_pre sssd-sudo.service sssd-sudo.socket
+
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
@ -485,12 +530,33 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 	/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
 fi
 %service_add_post sssd.service
+%service_add_post sssd-autofs.service sssd-autofs.socket
+%service_add_post sssd-nss.service sssd-nss.socket
+%service_add_post sssd-pac.service sssd-pac.socket
+%service_add_post sssd-pam.service sssd-pam.socket
+%service_add_post sssd-ssh.service sssd-ssh.socket
+%service_add_post sssd-sudo.service sssd-sudo.socket
+
+%{_bindir}/rm -f %{mcpath}/passwd
+%{_bindir}/rm -f %{mcpath}/group
+%{_bindir}/rm -f %{mcpath}/initgroups
+%{_bindir}/rm -f %{mcpath}/sid
+%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
+%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
+%{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
+%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true

 # install SSSD cifs-idmap plugin as an alternative
 update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority

 %preun
 %service_del_preun sssd.service
+%service_del_preun sssd-autofs.service sssd-autofs.socket
+%service_del_preun sssd-nss.service sssd-nss.socket
+%service_del_preun sssd-pac.service sssd-pac.socket
+%service_del_preun sssd-pam.service sssd-pam.socket
+%service_del_preun sssd-ssh.service sssd-ssh.socket
+%service_del_preun sssd-sudo.service sssd-sudo.socket

 %postun
 /sbin/ldconfig
@ -499,6 +565,12 @@ if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
 fi
 # del_postun includes a try-restart
 %service_del_postun sssd.service
+%service_del_postun sssd-autofs.service sssd-autofs.socket
+%service_del_postun sssd-nss.service sssd-nss.socket
+%service_del_postun sssd-pac.service sssd-pac.socket
+%service_del_postun sssd-pam.service sssd-pam.socket
+%service_del_postun sssd-ssh.service sssd-ssh.socket
+%service_del_postun sssd-sudo.service sssd-sudo.socket

 if [ ! -f "%cifs_idmap_lib" ]; then
 	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
@ -550,6 +622,14 @@ fi
 %postun kcm
 %service_del_postun sssd-kcm.service sssd-kcm.socket

+%pre krb5-common
+%sysusers_create_package %{name} %SOURCE6
+%sysusers_create_package %{name}-krb5-common %SOURCE6
+
+%pre proxy
+%sysusers_create_package %{name} %SOURCE6
+%sysusers_create_package %{name}-proxy %SOURCE6
+
 %pretrans
 # Migrate sssd.service from sssd-common to sssd
 systemctl is-enabled sssd.service > /dev/null
@ -598,7 +678,6 @@ fi
 %_unitdir/sssd-pac.socket
 %_unitdir/sssd-pac.service
 %_unitdir/sssd-pam.socket
-%_unitdir/sssd-pam-priv.socket
 %_unitdir/sssd-pam.service
 %_unitdir/sssd-ssh.socket
 %_unitdir/sssd-ssh.service
@ -654,38 +733,39 @@ fi
 %dir %_libdir/%name/modules/
 %_libdir/%name/modules/libsss_autofs.so
 %_libdir/libsss_sudo.so
-%ldbdir/
+%ldbdir/memberof.so
 %dir %_libexecdir/%name/
 %_libexecdir/%name/p11_child
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%_libexecdir/%name/sssd_pam
+%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%_libexecdir/%name/selinux_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
 %endif
 %dir %sssdstatedir
-%attr(700,root,root) %dir %dbpath/
-%attr(755,root,root) %dir %pipepath/
-%attr(700,root,root) %dir %pipepath/private/
-%attr(755,root,root) %dir %pubconfpath/
-%attr(755,root,root) %dir %pubconfpath/krb5.include.d
-%attr(755,root,root) %dir %gpocachepath/
-%attr(755,root,root) %dir %sssdstatedir/mc/
-%attr(700,root,root) %dir %sssdstatedir/keytabs/
-%attr(750,root,root) %dir %_localstatedir/log/%name/
+%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
+%attr(755,%{sssd_user},%{sssd_user}) %dir %pipepath/
+%attr(700,%{sssd_user},%{sssd_user}) %dir %pipepath/private/
+%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/
+%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/krb5.include.d
+%attr(755,%{sssd_user},%{sssd_user}) %dir %gpocachepath/
+%attr(755,%{sssd_user},%{sssd_user}) %dir %mcpath/
+%attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/
+%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/
 %if "%{?_distconfdir}" != ""
-%dir %_distconfdir/sssd/
-%%dir %_distconfdir/sssd/conf.d
-%config(noreplace) %_distconfdir/sssd/sssd.conf
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/conf.d
+%attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_distconfdir/sssd/sssd.conf
 %else
-%dir %_sysconfdir/sssd/
-%%dir %_sysconfdir/sssd/conf.d
-%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d
+%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_sysconfdir/sssd/sssd.conf
 %endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
@ -704,11 +784,14 @@ fi
 %else
 %exclude %_mandir/*/*/sssd-files.5.gz
 %endif
+%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd
 %doc src/examples/sssd.conf
+%{_sysusersdir}/sssd.conf
+%{_tmpfilesdir}/sssd.conf
 #
 # sssd-client
 #
-/%_lib/libnss_sss.so.2
+%{_libdir}/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
@ -793,8 +876,11 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/krb5_child
-%_libexecdir/%name/ldap_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child
+
+%files polkit-rules
+%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules

 %files ldap
 %dir %_libdir/%name/
@ -811,7 +897,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_proxy.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/proxy_child
+%attr(0750,root,%{sssd_user}) %_libexecdir/%name/proxy_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-proxy.conf
@ -832,7 +918,9 @@ fi
 %python3_sitelib/sssd/

 %files winbind-idmap
-%_libdir/samba/
+%dir %_libdir/samba
+%dir %_libdir/samba/idmap
+%_libdir/samba/idmap/sss.so
 %_mandir/man8/idmap_sss.8*

 %files -n libipa_hbac0
--- a/sssd.sysusers
+++ b/sssd.sysusers
@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME] [SHELL]
+u     sssd   -   "User for sssd"     /run/sssd/      /sbin/nologin
--- a/symvers.patch
+++ b/symvers.patch
@ -1,25 +1,24 @@
+From 1ad3abee3ed69cad410aff5f2e17542d2f34deb7 Mon Sep 17 00:00:00 2001
 From: Jan Engelhardt <jengelh@inai.de>
-Date: 2022-12-22 00:09:20.375896408 +0100
-References: https://bugzilla.suse.com/show_bug.cgi?id=1206592
-
-The theory for this sssd crash is that during rpm upgrading it,
-sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
-sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls
-over its feet when it loads 2.7.4 .so files. Addin symvers like below
-should prevent this and pin the modules to another: sssd_be's attempt
-to dlopen libsss_ldap.so(-2.7.4) will fail because
-libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
-the system only has libsss_util.so(-2.8.2) at this point.
+Date: Thu, 22 Dec 2022 00:09:20 +0100
+Subject: [PATCH] The theory for this sssd crash is that during rpm upgrading
+ it, sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
+ sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over its
+ feet when it loads 2.7.4 .so files. Addin symvers like below should prevent
+ this and pin the modules to another: sssd_be's attempt to dlopen
+ libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot find a
+ libsss_util.so(-2.7.4), since the system only has libsss_util.so(-2.8.2) at
+ this point.

 ---
- Makefile.am |   47 ++++++++++++++++++++++++++++++++---------------
+ Makefile.am | 47 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 32 insertions(+), 15 deletions(-)

-Index: sssd-2.9.2/Makefile.am
-===================================================================
--- sssd-2.9.2.orig/Makefile.am
-+++ sssd-2.9.2/Makefile.am
-@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \
+diff --git a/Makefile.am b/Makefile.am
+index f4cadee6f..ea01d0ea5 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
 libsss_debug_la_LIBADD = \
     $(SYSLOG_LIBS)
 libsss_debug_la_LDFLAGS = \
@ -32,7 +31,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libsss_child.la
 libsss_child_la_SOURCES = src/util/child_common.c
-@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \
+@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
     $(DHASH_LIBS) \
     libsss_debug.la \
     $(NULL)
@ -42,7 +41,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libsss_crypt.la
 
-@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \
+@@ -1020,7 +1025,8 @@ libsss_crypt_la_LIBADD = \
     libsss_debug.la \
     $(NULL)
 libsss_crypt_la_LDFLAGS = \
@ -52,7 +51,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libsss_cert.la
 
-@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \
+@@ -1045,8 +1051,9 @@ libsss_cert_la_LIBADD = \
     libsss_debug.la \
     $(NULL)
 libsss_cert_la_LDFLAGS = \
@ -63,7 +62,7 @@ Index: sssd-2.9.2/Makefile.am
 
 generate-sbus-code:
 	$(builddir)/sbus_generate.sh $(abs_srcdir)
-@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \
+@@ -1147,8 +1154,9 @@ libsss_sbus_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libsss_sbus_la_LDFLAGS = \
@ -74,7 +73,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libsss_sbus_sync.la
 libsss_sbus_sync_la_SOURCES = \
-@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \
+@@ -1183,8 +1191,9 @@ libsss_sbus_sync_la_CFLAGS = \
     $(UNICODE_LIBS) \
     $(NULL)
 libsss_sbus_sync_la_LDFLAGS = \
@ -85,7 +84,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libsss_iface.la
 libsss_iface_la_SOURCES = \
-@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \
+@@ -1213,8 +1222,9 @@ libsss_iface_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libsss_iface_la_LDFLAGS = \
@ -96,7 +95,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libsss_iface_sync.la
 libsss_iface_sync_la_SOURCES = \
-@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \
+@@ -1241,8 +1251,9 @@ libsss_iface_sync_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libsss_iface_sync_la_LDFLAGS = \
@ -107,7 +106,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libsss_util.la
 libsss_util_la_SOURCES = \
-@@ -1322,7 +1333,8 @@ endif
+@@ -1338,7 +1349,8 @@ endif
 if BUILD_PASSKEY
 libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
 endif # BUILD_PASSKEY
@ -117,7 +116,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libsss_semanage.la
 libsss_semanage_la_CFLAGS = \
-@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
+@@ -1357,7 +1369,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
 endif
 
 libsss_semanage_la_LDFLAGS = \
@ -127,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am
 
 SSSD_INTERNAL_LTLIBS = \
     libsss_util.la \
-@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+@@ -1373,7 +1386,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
                   $(NULL)
 
 pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@ -136,7 +135,7 @@ Index: sssd-2.9.2/Makefile.am
 libipa_hbac_la_SOURCES = \
     src/lib/ipa_hbac/hbac_evaluator.c \
     src/util/sss_utf8.c
-@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \
+@@ -1699,8 +1712,9 @@ libifp_iface_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libifp_iface_la_LDFLAGS = \
@ -147,7 +146,7 @@ Index: sssd-2.9.2/Makefile.am
 
 pkglib_LTLIBRARIES += libifp_iface_sync.la
 libifp_iface_sync_la_SOURCES = \
-@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \
+@@ -1725,8 +1739,9 @@ libifp_iface_sync_la_CFLAGS = \
     $(DBUS_CFLAGS) \
     $(NULL)
 libifp_iface_sync_la_LDFLAGS = \
@ -158,7 +157,7 @@ Index: sssd-2.9.2/Makefile.am
 
 sssd_ifp_SOURCES = \
     src/responder/ifp/ifpsrv.c \
-@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \
+@@ -4362,8 +4377,9 @@ libsss_ldap_common_la_LIBADD = \
     $(SSSD_INTERNAL_LTLIBS) \
     $(NULL)
 libsss_ldap_common_la_LDFLAGS = \
@ -169,7 +168,7 @@ Index: sssd-2.9.2/Makefile.am
 if BUILD_SYSTEMTAP
 libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
 endif
-@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \
+@@ -4420,7 +4436,8 @@ libsss_krb5_common_la_LIBADD = \
     $(SSSD_INTERNAL_LTLIBS) \
     $(NULL)
 libsss_krb5_common_la_LDFLAGS = \
@ -179,3 +178,6 @@ Index: sssd-2.9.2/Makefile.am
 
 libsss_ldap_la_SOURCES = \
     src/providers/ldap/ldap_init.c \
+-- 
+2.46.1
+
				`@ -0,0 +1 @@`
				`addFilter("binary-or-shlib-calls-gethostbyname")`