scabrero/sssd
SHA256
1
0
Fork 0
forked from pool/sssd
Code Pull Requests Activity

builds

Browse Source
This commit is contained in:
Samuel Cabrero 2024-08-30 11:37:19 +02:00
parent bf358d8fff
commit cd4781f19c
9 changed files with 241 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
harden_sssd-kcm.service.patch
View File

@ -1,7 +1,16 @@
Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in From 47a18db90ae89803532d6fa8e0790fcb98b76a07 Mon Sep 17 00:00:00 2001
=================================================================== From: Samuel Cabrero <scabrero@suse.de>
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in Date: Tue, 16 Jul 2024 09:21:00 +0200
+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in Subject: [PATCH] Harden sssd-kcm.service
---
src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 2b3de184b..610ba2e18 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket @@ -8,6 +8,19 @@ After=sssd-kcm.socket
Also=sssd-kcm.socket Also=sssd-kcm.socket
@ -20,5 +29,8 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+RestrictRealtime=true +RestrictRealtime=true
+# end of automatic additions +# end of automatic additions
Environment=DEBUG_LOGGER=--logger=files Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-@sbindir@/sssd --genconf-section=kcm ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER} ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
--
2.45.2

BIN
sssd-2.10.0-beta2.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
sssd-2.10.0-beta2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZ735wACgkQ09IbKRDP
Z1lYNRAAjsjAHwIznwSYKMT+XrfKk6xS8oEgbzT8zme5jR0Dd8XtIVDAs3tTjQkm
kdRZMDXdKOTghXUCRpTOdejuxvZ3qxrfXU9YYekWoO5iWegdXy+bRgkmdvyLVyeh
Mz+Hk9EHGtCxgcZ0B64ksY6g9P4LFxTneA9mkfh9LjY+QWbONG5KfcC1J6BTpxUX
5IAO1YKuk6Pt6ERyYViSTTzW1aC2JVGIFHK8kDrqxvFgeqY7n96K0PdPtPFhtQuA
A8aOHZh8yPimO1fcnlx8G0HmnK2cSJu5zmXMhKLNQhzSgYaGURzwKu1dDQquCBEH
8Y1AOBcA7OOTfY6BdDYVGR/ewGBay5NBBl+qMH4skN/Tfz5+IyjbfrK5JNsJVIB0
3CflPSs0PHQIkawH8h3bjYm/7EmuWidoP941TkTfw//nWHkJa++XwQQvZWsJooUN
LJYmhRO1RenhPDluZkkzmywwUGLdoqKFu5EnRkGEprYppIkso0umbgV/Ju7mi1u8
GGFoNZugl0Cdohe0xkgyDTYwI/SESgUHbl/4Ovt3FFgrj0QOMcBUf6HqhV0/6AfY
iABz/fT7TsgrjzlO5V+3or9Q1J/DHW6n//u0oeazwdRy/S9/dUWAIQ77pWqp1kO4
QjDLg+EZMVm9mmMJbdbMu5aRfvdgRf24yHxK/kQl7LlXBMNoMWw=
=sV+3
-----END PGP SIGNATURE-----

BIN
sssd-2.9.5.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

16
sssd-2.9.5.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
=pY7t
-----END PGP SIGNATURE-----

1
sssd-rpmlintrc Normal file
View File

@ -0,0 +1 @@
addFilter("binary-or-shlib-calls-gethostbyname")

13
sssd.changes
View File

@ -1,16 +1,3 @@
-------------------------------------------------------------------
Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
python3_fix_shebang_path RPM macro is not available
-------------------------------------------------------------------
Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Revert the change dropping the default configuration file. If
/usr/etc exists will be installed there, otherwise in /etc.
(bsc#1226157);
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt <jengelh@inai.de> Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

263
sssd.spec
View File

@ -17,21 +17,23 @@
Name: sssd Name: sssd
Version: 2.9.5 Version: 2.10.0
Release: 0 Release: 0
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPL-3.0-or-later AND LGPL-3.0-or-later License: GPL-3.0-or-later AND LGPL-3.0-or-later
Group: System/Daemons Group: System/Daemons
URL: https://github.com/SSSD/sssd URL: https://github.com/SSSD/sssd
#Git-Clone: https://github.com/SSSD/sssd #Git-Clone: https://github.com/SSSD/sssd
Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz Source: https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0-beta2.tar.gz
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0-beta2.tar.gz.asc
Source3: baselibs.conf Source3: baselibs.conf
Source5: %name.keyring Source5: %name.keyring
Source6: sssd.sysusers
Patch1: krb-noversion.diff Patch1: krb-noversion.diff
Patch2: harden_sssd-ifp.service.patch Patch2: harden_sssd-ifp.service.patch
Patch3: harden_sssd-kcm.service.patch Patch3: harden_sssd-kcm.service.patch
Patch4: symvers.patch #Patch4: symvers.patch
BuildRequires: autoconf >= 2.59 BuildRequires: autoconf >= 2.59
BuildRequires: automake BuildRequires: automake
BuildRequires: bind-utils BuildRequires: bind-utils
@ -53,6 +55,7 @@ BuildRequires: nss_wrapper
BuildRequires: openldap2-devel BuildRequires: openldap2-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pkg-config >= 0.21 BuildRequires: pkg-config >= 0.21
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: uid_wrapper BuildRequires: uid_wrapper
BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(augeas) >= 1.0.0
@ -68,6 +71,7 @@ BuildRequires: pkgconfig(libcrypto)
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(libcurl)
%endif %endif
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnfsidmap)
BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
@ -75,6 +79,9 @@ BuildRequires: pkgconfig(libpcre2-8)
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(libsemanage) BuildRequires: pkgconfig(libsemanage)
%endif %endif
BuildRequires: polkit
BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(ndr_krb5pac) BuildRequires: pkgconfig(ndr_krb5pac)
BuildRequires: pkgconfig(ndr_nbt) BuildRequires: pkgconfig(ndr_nbt)
@ -87,6 +94,7 @@ BuildRequires: pkgconfig(tdb) >= 1.1.3
BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(tevent)
BuildRequires: pkgconfig(uuid) BuildRequires: pkgconfig(uuid)
%{?systemd_ordering} %{?systemd_ordering}
%sysusers_requires
Requires: sssd-ldap = %version-%release Requires: sssd-ldap = %version-%release
Requires(postun): pam-config Requires(postun): pam-config
Provides: libsss_sudo = %version-%release Provides: libsss_sudo = %version-%release
@ -95,25 +103,20 @@ Obsoletes: libsss_sudo < %version-%release
Provides: sssd-common = %version-%release Provides: sssd-common = %version-%release
Obsoletes: sssd-common < %version-%release Obsoletes: sssd-common < %version-%release
%global sssd_user sssd
%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
%define servicename sssd %define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss %define sssdstatedir %_localstatedir/lib/sss
%define dbpath %sssdstatedir/db %define dbpath %sssdstatedir/db
%define keytabdir %sssdstatedir/keytabs
%define pipepath %sssdstatedir/pipes %define pipepath %sssdstatedir/pipes
%define mcpath %sssdstatedir/mc
%define pubconfpath %sssdstatedir/pubconf %define pubconfpath %sssdstatedir/pubconf
%define gpocachepath %sssdstatedir/gpo_cache %define gpocachepath %sssdstatedir/gpo_cache
%define deskprofilepath %sssdstatedir/deskprofile
%define ldbdir %(pkg-config ldb --variable=modulesdir) %define ldbdir %(pkg-config ldb --variable=modulesdir)
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
# * cifs-utils one is the default (priority 20)
# * installing SSSD should NOT switch to SSSD plugin (priority 10)
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
%define cifs_idmap_name cifs-idmap-plugin
%define cifs_idmap_priority 10
Requires(post): update-alternatives
Requires(postun): update-alternatives
%description %description
Provides a set of daemons to manage access to remote directories and Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward authentication mechanisms. It provides an NSS and PAM interface toward
@ -143,6 +146,18 @@ Requires: %name = %version
Provides the D-Bus responder of sssd, called InfoPipe, which allows Provides the D-Bus responder of sssd, called InfoPipe, which allows
information from sssd to be transmitted over the system bus. information from sssd to be transmitted over the system bus.
%package polkit-rules
Summary: Rules for polkit integration for SSSD
Group: System/Daemons
License: GPL-3.0-or-later
Requires: %{name} = %{version}-%{release}
Requires: polkit >= 0.106
BuildArch: noarch
%description polkit-rules
Provides rules for polkit integration with SSSD. This is required
for smartcard support.
%package ipa %package ipa
Summary: FreeIPA backend plugin for sssd Summary: FreeIPA backend plugin for sssd
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -379,7 +394,7 @@ Provide python module to access and manage configuration of the System
Security Services Daemon (sssd). Security Services Daemon (sssd).
%prep %prep
%autosetup -p1 %autosetup -p1 -n sssd-2.10.0-beta2
%build %build
# help configure find nscd # help configure find nscd
@ -387,6 +402,9 @@ export PATH="$PATH:/usr/sbin"
autoreconf -fiv autoreconf -fiv
%configure \ %configure \
--runstatedir=%{_rundir} \
--disable-rpath \
--disable-static \
--with-db-path="%dbpath" \ --with-db-path="%dbpath" \
--with-pipe-path="%pipepath" \ --with-pipe-path="%pipepath" \
--with-pubconf-path="%pubconfpath" \ --with-pubconf-path="%pubconfpath" \
@ -395,13 +413,14 @@ autoreconf -fiv
--with-initscript=systemd \ --with-initscript=systemd \
--with-syslog=journald \ --with-syslog=journald \
--with-pid-path="%_rundir" \ --with-pid-path="%_rundir" \
--enable-nsslibdir="/%_lib" \ --enable-nsslibdir="%_libdir" \
--enable-pammoddir="%_pam_moduledir" \ --enable-pammoddir="%_pam_moduledir" \
--with-ldb-lib-dir="%ldbdir" \ --with-ldb-lib-dir="%ldbdir" \
--with-os=suse \ --with-os=suse \
--disable-ldb-version-check \ --disable-ldb-version-check \
--without-python2-bindings \ --without-python2-bindings \
--without-oidc-child \ --without-oidc-child \
--with-sssd-user=%{sssd_user} \
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
--with-selinux=yes \ --with-selinux=yes \
--with-subid --with-subid
@ -413,6 +432,8 @@ autoreconf -fiv
%endif %endif
%make_build all %make_build all
%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
%install %install
# sss_obfuscate is compatible with both python 2 and 3 # sss_obfuscate is compatible with both python 2 and 3
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
@ -420,8 +441,8 @@ perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
b="%buildroot" b="%buildroot"
# Copy some defaults # Copy some defaults
%if %{?_distconfdir:1} %if %{defined _distconfdir}
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf" install -D -p -m 0644 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
install -d -m 0755 "$b/%_distconfdir/sssd/conf.d" install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
%else %else
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
@ -447,27 +468,46 @@ mkdir -pv "$b/%sssdstatedir/mc"
find "$b" -type f -name "*.la" -print -delete find "$b" -type f -name "*.la" -print -delete
%find_lang %name --all-name %find_lang %name --all-name
# dummy target for cifs-idmap-plugin
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
%python3_fix_shebang %python3_fix_shebang
%if 0%{?suse_version} > 1600 %if %{suse_version} >= 1600
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ sed -i -e 's:/usr/bin/env python3:/usr/bin/python3:' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
%elif 0%{?suse_version} == 1600 %python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
%endif %endif
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# _sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
#mkdir -pv "%{buildroot}/%_sysconfdir/cifs-utils"
#ln -s %{buildroot}/%_libdir/cifs-utils/cifs_idmap_sss.so %{buildroot}/%_sysconfdir/cifs-utils/idmap-plugin
%check %check
# sss_config-tests fails # sss_config-tests fails
%make_build check || : %make_build check || :
%pre %pre
%service_add_pre sssd.service %service_add_pre sssd.service
%if %{?_distconfdir:1} %service_add_pre sssd-autofs.service
%service_add_pre sssd-nss.service
%service_add_pre sssd-nss.service
%service_add_pre sssd-pac.service
%service_add_pre sssd-pam.service
%service_add_pre sssd-ssh.service
%service_add_pre sssd-sudo.service
%service_add_pre sssd-autofs.socket
%service_add_pre sssd-nss.socket
%service_add_pre sssd-nss.socket
%service_add_pre sssd-pac.socket
%service_add_pre sssd-pam.socket
%service_add_pre sssd-ssh.socket
%service_add_pre sssd-sudo.socket
%if %{defined _distconfdir}
# Prepare for migration to /usr/etc; save any old .rpmsave # Prepare for migration to /usr/etc; save any old .rpmsave
for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || : test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done done
%endif %endif
@ -477,25 +517,107 @@ done
if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
fi fi
%service_add_post sssd.service %systemd_post sssd.service
%systemd_post sssd-autofs.socket
%systemd_post sssd-nss.socket
%systemd_post sssd-pac.socket
%systemd_post sssd-pam.socket
%systemd_post sssd-ssh.socket
%systemd_post sssd-sudo.socket
# install SSSD cifs-idmap plugin as an alternative %service_add_post sssd.service
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %service_add_post sssd-autofs.service
%service_add_post sssd-nss.service
%service_add_post sssd-nss.service
%service_add_post sssd-pac.service
%service_add_post sssd-pam.service
%service_add_post sssd-ssh.service
%service_add_post sssd-sudo.service
%service_add_post sssd-autofs.socket
%service_add_post sssd-nss.socket
%service_add_post sssd-nss.socket
%service_add_post sssd-pac.socket
%service_add_post sssd-pam.socket
%service_add_post sssd-ssh.socket
%service_add_post sssd-sudo.socket
%__rm -f %{mcpath}/passwd
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
#__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
#if %{defined _distconfdir}
#__chown -f %{sssd_user}:%{sssd_user} %{_distconfdir}/sssd/sssd.conf || true
#__chown -f -R %{sssd_user}:%{sssd_user} %{_distconfdir}/sssd/conf.d || true
#else
#__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
#__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
#endif
#__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
#__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
%preun %preun
%service_del_preun sssd.service %systemd_preun sssd.service
%systemd_preun sssd-autofs.service
%systemd_preun sssd-nss.service
%systemd_preun sssd-nss.service
%systemd_preun sssd-pac.service
%systemd_preun sssd-pam.service
%systemd_preun sssd-ssh.service
%systemd_preun sssd-sudo.service
%systemd_preun sssd-autofs.socket
%systemd_preun sssd-nss.socket
%systemd_preun sssd-nss.socket
%systemd_preun sssd-pac.socket
%systemd_preun sssd-pam.socket
%systemd_preun sssd-ssh.socket
%systemd_preun sssd-sudo.socket
%postun %postun
/sbin/ldconfig /sbin/ldconfig
if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
"%_sbindir/pam-config" -d --sss || : "%_sbindir/pam-config" -d --sss || :
fi fi
# del_postun includes a try-restart
%service_del_postun sssd.service
if [ ! -f "%cifs_idmap_lib" ]; then %service_del_postun sssd.service
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib %service_del_postun sssd-autofs.service
fi %service_del_postun sssd-nss.service
%service_del_postun sssd-nss.service
%service_del_postun sssd-pac.service
%service_del_postun sssd-pam.service
%service_del_postun sssd-ssh.service
%service_del_postun sssd-sudo.service
%service_del_postun sssd-autofs.socket
%service_del_postun sssd-nss.socket
%service_del_postun sssd-nss.socket
%service_del_postun sssd-pac.socket
%service_del_postun sssd-pam.socket
%service_del_postun sssd-ssh.socket
%service_del_postun sssd-sudo.socket
%systemd_postun sssd.service
%systemd_postun sssd-autofs.service
%systemd_postun sssd-nss.service
%systemd_postun sssd-nss.service
%systemd_postun sssd-pac.service
%systemd_postun sssd-pam.service
%systemd_postun sssd-ssh.service
%systemd_postun sssd-sudo.service
%systemd_postun sssd-autofs.socket
%systemd_postun sssd-nss.socket
%systemd_postun sssd-nss.socket
%systemd_postun sssd-pac.socket
%systemd_postun sssd-pam.socket
%systemd_postun sssd-ssh.socket
%systemd_postun sssd-sudo.socket
%post -n libsss_certmap0 -p /sbin/ldconfig %post -n libsss_certmap0 -p /sbin/ldconfig
%postun -n libsss_certmap0 -p /sbin/ldconfig %postun -n libsss_certmap0 -p /sbin/ldconfig
@ -557,10 +679,10 @@ touch /run/systemd/rpm/sssd-was-active
fi fi
%posttrans %posttrans
%if %{?_distconfdir:1} %if %{defined _distconfdir}
# Migration to /usr/etc, restore just created .rpmsave # Migration to /usr/etc, restore just created .rpmsave
for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || : test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done done
%endif %endif
# Migrate sssd.service from sssd-common to sssd # Migrate sssd.service from sssd-common to sssd
@ -591,7 +713,7 @@ fi
%_unitdir/sssd-pac.socket %_unitdir/sssd-pac.socket
%_unitdir/sssd-pac.service %_unitdir/sssd-pac.service
%_unitdir/sssd-pam.socket %_unitdir/sssd-pam.socket
%_unitdir/sssd-pam-priv.socket #%_unitdir/sssd-pam-priv.socket
%_unitdir/sssd-pam.service %_unitdir/sssd-pam.service
%_unitdir/sssd-ssh.socket %_unitdir/sssd-ssh.socket
%_unitdir/sssd-ssh.service %_unitdir/sssd-ssh.service
@ -653,32 +775,32 @@ fi
%_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_autofs
%_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_be
%_libexecdir/%name/sssd_nss %_libexecdir/%name/sssd_nss
%_libexecdir/%name/sssd_pam %attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
%_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_ssh
%_libexecdir/%name/sssd_sudo %_libexecdir/%name/sssd_sudo
%_libexecdir/%name/sss_signal %_libexecdir/%name/sss_signal
%_libexecdir/%name/sssd_check_socket_activated_responders %_libexecdir/%name/sssd_check_socket_activated_responders
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
%_libexecdir/%name/selinux_child %attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
%endif %endif
%dir %sssdstatedir %attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
%attr(700,root,root) %dir %dbpath/ %attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
%attr(755,root,root) %dir %pipepath/ %attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
%attr(700,root,root) %dir %pipepath/private/ %attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
%attr(755,root,root) %dir %pubconfpath/ %attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
%attr(755,root,root) %dir %pubconfpath/krb5.include.d %attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
%attr(755,root,root) %dir %gpocachepath/ %attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
%attr(755,root,root) %dir %sssdstatedir/mc/ %attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
%attr(700,root,root) %dir %sssdstatedir/keytabs/ %attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%attr(750,root,root) %dir %_localstatedir/log/%name/ %attr(750,%{sssd_user},%{sssd_user}) %dir %{_localstatedir}/log/%name/
%if %{?_distconfdir:1} %if %{defined _distconfdir}
%dir %_distconfdir/sssd/ %attr(750,%{sssd_user},%{sssd_user}) %dir %{_distconfdir}/sssd
%%dir %_distconfdir/sssd/conf.d %attr(750,%{sssd_user},%{sssd_user}) %dir %{_distconfdir}/sssd/conf.d
%config(noreplace) %_distconfdir/sssd/sssd.conf %ghost %attr(0600,%{sssd_user},%{sssd_user}) %{_distconfdir}/sssd/sssd.conf
%else %else
%dir %_sysconfdir/sssd/ %attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
%%dir %_sysconfdir/sssd/conf.d %attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%config(noreplace) %_sysconfdir/sssd/sssd.conf %ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%endif %endif
%if 0%{?suse_version} > 1500 %if 0%{?suse_version} > 1500
%_distconfdir/logrotate.d/sssd %_distconfdir/logrotate.d/sssd
@ -697,11 +819,13 @@ fi
%else %else
%exclude %_mandir/*/*/sssd-files.5.gz %exclude %_mandir/*/*/sssd-files.5.gz
%endif %endif
%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd
%doc src/examples/sssd.conf %doc src/examples/sssd.conf
%{_sysusersdir}/sssd.conf
# #
# sssd-client # sssd-client
# #
/%_lib/libnss_sss.so.2 %{_libdir}/libnss_sss.so.2
%_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss.so
%_pam_moduledir/pam_sss_gss.so %_pam_moduledir/pam_sss_gss.so
%_libdir/krb5/ %_libdir/krb5/
@ -718,12 +842,10 @@ fi
%_mandir/man8/sssd_krb5_localauth_plugin.8* %_mandir/man8/sssd_krb5_localauth_plugin.8*
%_mandir/??/man8/sssd_krb5_localauth_plugin.8* %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
%_mandir/man8/sssd_krb5_locator_plugin.8* %_mandir/man8/sssd_krb5_locator_plugin.8*
# cifs idmap plugin #%dir %_sysconfdir/cifs-utils
%dir %_sysconfdir/cifs-utils #%_sysconfdir/cifs-utils/idmap-plugin
%cifs_idmap_plugin
%dir %_libdir/cifs-utils %dir %_libdir/cifs-utils
%cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
%ghost %_sysconfdir/alternatives/%cifs_idmap_name
%files ad %files ad
%dir %_libdir/%name/ %dir %_libdir/%name/
@ -786,8 +908,11 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_krb5_common.so %_libdir/%name/libsss_krb5_common.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%_libexecdir/%name/krb5_child %attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/ldap_child
%_libexecdir/%name/ldap_child %attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/krb5_child
%files polkit-rules
%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules
%files ldap %files ldap
%dir %_libdir/%name/ %dir %_libdir/%name/
@ -804,7 +929,7 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_proxy.so %_libdir/%name/libsss_proxy.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%_libexecdir/%name/proxy_child %attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/proxy_child
%dir %_datadir/%name/ %dir %_datadir/%name/
%dir %_datadir/%name/sssd.api.d/ %dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-proxy.conf %_datadir/%name/sssd.api.d/sssd-proxy.conf

2
sssd.sysusers Normal file
View File

@ -0,0 +1,2 @@
# Type Name ID GECOS [HOME] [SHELL]
u sssd - "User for sssd" /run/sssd/ /sbin/nologin