Install file to load sssd generated krb5 config snippets

Signed-off-by: Samuel Cabrero <scabrero@suse.com>

harden_sssd-kcm.service.patch

@@ -2,10 +2,10 @@
  src/sysv/systemd/sssd-kcm.service.in |   13 +++++++++++++
  1 file changed, 13 insertions(+)
 
-Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+Index: sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
 ===================================================================
---- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+--- sssd-2.10.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
  Also=sssd-kcm.socket
  
@@ -24,5 +24,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions 
  Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
- ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ # '-H' is used with @sssdconfdir@ to support use case where /etc/sssd is a symlink.
+ # '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.

sssd-2.10.1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmdYSb4ACgkQ09IbKRDP
-Z1kRyRAAmkKhCUcBs4h2mDg7uzz7DfYFkHXEiY8EMoVP5Iw6ZsNL/V9fwF9xhj49
-XbnCfxj2zFfVWZd5VYnTpl86Hg3NrxuPehgM+iMAXS6U/55TvRPunCtTiRwoTZ4t
-zSgiBaSg3I2hmSN2cnSU8PpilEDCIeSP3uafmGXI1KUxEQltVbp0EeJ5CL5GP3xU
-rFgI1pKdTySlw6jZ3vjkAaHwdsJGB0MKtjiBJYtqvHmIzbUdSNN/iE5Wf5xsdtez
-KKLUrnKeQFuNyYWpjipJvbs7i9+E5VKFvCfrqFb6vQbp+Rgd98epVjp2VKovNy8p
-gZQmgfbi5GCWKuBx+dbaRSFa8hWemEwnBNboV6JKq4+CoPsMkI367utZV5gd58V5
-RHgLsrZfjahAXgG4ytwPhgKDV+sX+sSn4aXIdaSgc+vP7+ykLMxyzyR2GXyG+y11
-WrnovdR0HywHfzvlUnKQmcLUjCkXKVwIMw0oBRa8+YLTD08EeYgu+oXXDpGD0oL1
-YJLLBdr6ycR9Rk/sUqbZgEnzQZPYXazIraUrd71Ry8CaNvqi86Of7sX6SgSQQeg/
-ZPLNcPWPadG/9jpMNJNsXXEZicNJXznQczlXKvRXINOJzknJYwwgH+/55otbzNzq
-EjlOmFEn07bGAHCsHTfydlCeYqD9x+WV/X8CReMFjcaaBH4TDms=
-=S0c5
------END PGP SIGNATURE-----

sssd-2.11.0.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmhBWQkACgkQ09IbKRDP
+Z1nnrg//ZyIWtg+Qp5bVW6MQS99kuATk0hvAQnm4tTjO8HzphWFl0Hta7h9QOsM3
+QhVs4liW13eb9yZDnHfFh44o0F+QEYzHouMikZaA6riIxzYO0Im5Rglq/jkcZGn9
+IrR4w0of45wmL9huZAsXnYosw9RtDuF5FEDB6yypcPqSyXxr+jyW3U52hEXpjaQ/
+M3XXmoeQVMeb1RmQkcMWt+7/gjOoWSjONtOOFoUlGxn3GgeIroPIzUViYqJDJZi2
+zIkBhoGw1EdKPVFV/8YTNH4u5RA3PmN92tmey9uWA5mfxH//njPUNv5sKO8RKkaU
+BD2ftTK3Vv8QzLpKEuANnJ5/P/bh5LWGjn3J6kJBn5w2Zedy0AecZfo1PKONfukv
++QIyNKBlc9x0kts/TwMLo60p2olJqh/AKlXwgexfxAzQqcuBlcZdpMqyV279cmXl
+X78NYzdR9F5n4czKiDU8JWudndIzagVi/0NmuQJWfFCz0o3sCtI9QUj+GUH8Ynxd
+DCyxXZptN2LtobxJnaSXB3HwwJ6qKlQTrfHWwqcmzf/p2KyJIaGg93nYhwIlLrev
+HVkuTB9dTpZa0LkljWOd/i7eoGQ0zxYM3pTm2FKDy/Ff5ChPriHdjIAhYqgPxt+j
+r3wMiMOIRckv1a538CAKdbC8k8Q0nmHfYTdrt3dp+fSSr4iwZLA=
+=gdC9
+-----END PGP SIGNATURE-----

sssd-krb5-common-rpmlintrc

@@ -0,0 +1,2 @@
+# See https://github.com/SSSD/sssd/pull/7794 for details
+addFilter("E: missing-call-to-setgroups-before-setuid")

sssd.changes

@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Jun 11 14:53:26 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Install file in krb5.conf.d to include sssd krb5 config snippets;
+  (bsc#1244325);
+
+-------------------------------------------------------------------
+Thu Jun  5 12:14:03 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.11
+  * The deprecated tool `sss_ssh_knownhostsproxy` was finally
+    removed.
+  * Support for `id_provider = files` was removed.
+  * SSSD doesn't create any more missing path components of
+    DIR:/FILE: ccache types while acquiring user's TGT.
+  * New generic id and auth provider for Identity Providers (IdPs)
+    for Keycloak/EntraID. [Not enabled in openSUSE for now.]
+
+-------------------------------------------------------------------
+Tue Mar 11 21:35:32 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Run mkdir/rm with verbose mode for the build log
+
+-------------------------------------------------------------------
+Thu Jan 30 14:24:04 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.2
+  * If the ssh responder is not running, sss_ssh_knownhosts will
+    not fail (but it will not return the keys).
+  * SSSD is now capable of handling multiple services associated
+    with the same port.
+  * sssd_pam, being a privileged binary, now clears the
+    environment and does not allow configuration of the
+    PR_SET_DUMPABLE flag as a precaution.
+
+-------------------------------------------------------------------
+Wed Jan 22 09:21:43 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop build dependency on ncsd, which has been deprecated
+  (boo#1239262).
+
 -------------------------------------------------------------------
 Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
 
@@ -1874,7 +1915,6 @@ Wed Apr  4 16:13:33 PDT 2012 - ben.kevan@gmail.com
   connect to an auth server
 
 -------------------------------------------------------------------
-
 Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
 
 - Update to new upstream release 1.8.0

sssd.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        2.10.1
+Version:        2.11.0
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -50,7 +50,6 @@ BuildRequires:  libunistring-devel
 BuildRequires:  libxml2-tools
 BuildRequires:  libxslt-tools
 BuildRequires:  libopenssl-3-devel
-BuildRequires:  nscd
 BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
@@ -130,10 +129,6 @@ Obsoletes:      sssd-common < %version-%release
 %define permissions_path %_sysconfdir/permissions.d/
 %endif
 
-# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins,
-# cifs-utils or sssd. The plugins are individually packaged and conflicts with each other
-# (https://bugzilla.suse.com/show_bug.cgi?id=1235789).
 %define cifs_idmap_plugin       %_sysconfdir/cifs-utils/idmap-plugin
 %define cifs_idmap_lib          %_libdir/cifs-utils/cifs_idmap_sss.so
 
@@ -252,13 +247,19 @@ UIDs/GIDs and SIDs.
 %package cifs-idmap-plugin
 Summary:        The sssd idmap plugin for cifs.idmap
 Group:          System/Libraries
+# Conflict as per https://bugzilla.suse.com/1235789
 Provides:       cifs-idmap-plugin
 Conflicts:      cifs-idmap-plugin
 
 %description cifs-idmap-plugin
-The cifs.idmap(8) userspace helper relies on a plugin to handle the ID mapping.
-This package contains the sssd ID mapping plugin.
+The cifs.idmap(8) userspace helper relies on a plugin to handle the
+ID mapping. This package contains the ID mapping plugin that will use
+sssd.
 
+In SUSE systems, only one such plugin can be installed at a time
+(either the one from sssd, or from cifs-utils).
+Without the plugin, file objects in a mounted share have UID/GID of
+the original mounting process.
 
 %package -n libsss_certmap0
 Summary:        FreeIPA ID mapping library
@@ -415,9 +416,6 @@ Security Services Daemon (sssd).
 %autosetup -p1
 
 %build
-# help configure find nscd
-export PATH="$PATH:/usr/sbin"
-
 autoreconf -fiv
 %configure \
 	--with-db-path="%dbpath" \
@@ -453,26 +451,26 @@ b="%buildroot"
 
 # Copy some defaults
 %if "%{?_distconfdir}" != ""
-install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
-install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
+install -Dpvm 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
+install -dvm 0755 "$b/%_distconfdir/sssd/conf.d"
 %else
-install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
-install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d"
+install -Dpm 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
+install -dvm 0755 "$b/%_sysconfdir/sssd/conf.d"
 %endif
-install -d "$b/%_unitdir"
+install -dv "$b/%_unitdir"
 %if 0%{?suse_version} > 1500
-install -d "$b/%_distconfdir/logrotate.d"
-install -m644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
-install -d "$b/%_pam_vendordir"
+install -dv "$b/%_distconfdir/logrotate.d"
+install -vm644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
+install -dv "$b/%_pam_vendordir"
 mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir"
 %else
-install -d "$b/%_sysconfdir/logrotate.d"
-install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
+install -dv "$b/%_sysconfdir/logrotate.d"
+install -vm644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
 %endif
 
 rm -Rfv "$b/%_initddir"
 %if 0%{?suse_version} < 1600
-ln -s service "$b/%_sbindir/rcsssd"
+ln -sv service "$b/%_sbindir/rcsssd"
 %endif
 
 mkdir -pv "$b/%sssdstatedir/mc"
@@ -480,8 +478,8 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -p %{buildroot}%{_sysconfdir}/cifs-utils
-ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
+mkdir -pv %buildroot/%_sysconfdir/cifs-utils
+ln -sfv %cifs_idmap_lib %buildroot/%cifs_idmap_plugin
 
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
@@ -492,16 +490,16 @@ sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analy
 %endif
 
 echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
-mkdir -p "$b/%_sysusersdir"
-cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+mkdir -pv "$b/%_sysusersdir"
+cp -av system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
-install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+install -Dpvm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
 #
 # Security considerations for capabilities, chown and stuff:
 # https://www.openwall.com/lists/oss-security/2024/12/19/1
 #
 # should match entry from %%files list
-mkdir -p "$b/%permissions_path"
+mkdir -pv "$b/%permissions_path"
 cat >"$b/%permissions_path/sssd" <<-EOF
 	%_libexecdir/sssd/sssd_pam root:sssd 0750
 	 +capabilities cap_dac_read_search=p
@@ -513,6 +511,10 @@ cat >"$b/%permissions_path/sssd" <<-EOF
 	 +capabilities cap_dac_read_search=p
 EOF
 
+mkdir -pv "$b/%_sysconfdir/krb5.conf.d"
+ln -sv %_datadir/%name/krb5-snippets/enable_sssd_conf_dir \
+       "$b/%_sysconfdir/krb5.conf.d/enable_sssd_conf_dir"
+
 %check
 # sss_config-tests fails
 %make_build check || :
@@ -671,12 +673,8 @@ fi
 %_mandir/??/man1/sss_ssh_*
 %_mandir/??/man5/sss-certmap.5*
 %_mandir/??/man5/sssd-ad.5*
-%if 0%{?suse_version} < 1600
-%_mandir/??/man5/sssd-files.5*
-%endif
 %_mandir/??/man5/sssd-ldap-attributes.5*
 %_mandir/??/man5/sssd-session-recording.5*
-%_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
 %_mandir/??/man5/sssd-systemtap.5*
 %_mandir/??/man5/sssd.conf.5*
@@ -684,9 +682,6 @@ fi
 %_mandir/??/man8/sssd.8*
 %_mandir/man1/sss_ssh_*
 %_mandir/man5/sss-certmap.5*
-%if 0%{?suse_version} < 1600
-%_mandir/man5/sssd-files.5*
-%endif
 %_mandir/man5/sssd-ldap-attributes.5*
 %_mandir/man5/sssd-session-recording.5*
 %_mandir/man5/sssd-simple.5*
@@ -729,7 +724,6 @@ fi
 %attr(755,%sssd_user,%sssd_user) %dir %pipepath/
 %attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
 %attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
-%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
 %attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
 %attr(755,%sssd_user,%sssd_user) %dir %mcpath/
 %attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
@@ -756,22 +750,16 @@ fi
 %_datadir/%name/sssd.api.conf
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-simple.conf
-%if 0%{?suse_version} < 1600
-%_datadir/%name/sssd.api.d/sssd-files.conf
-%else
-%exclude %_mandir/*/*/sssd-files.5.gz
-%endif
 %attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
 %doc src/examples/sssd.conf
 #
-# sssd-client
+# %%files sssd-client
 #
 %_libdir/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
 %_libdir/%name/modules/sssd_krb5_localauth_plugin.so
-%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
 %if 0%{?suse_version} >= 1600
 %_libdir/libsubid_sss.so
 %endif
@@ -783,7 +771,12 @@ fi
 %_mandir/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
-
+#
+# %%files sssd-idp
+#
+%exclude %_libdir/sssd/libsss_idp.so
+%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
+%exclude %_mandir/man5/sssd-idp*
 
 %files ad
 %dir %_libdir/%name/
@@ -834,7 +827,6 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5.so
 %dir %_datadir/%name/
-%exclude %_datadir/%name/krb5-snippets/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-krb5.conf
 %dir %_mandir/??/
@@ -843,11 +835,16 @@ fi
 %_mandir/??/man5/sssd-krb5.5*
 
 %files krb5-common
+%attr(755,root,root) %dir %pubconfpath/krb5.include.d
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
 %attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child
 %attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child
+%dir %{_datadir}/sssd/krb5-snippets
+%_datadir/%name/krb5-snippets/enable_sssd_conf_dir
+%_datadir/%name/krb5-snippets/sssd_enable_idp
 
 %files ldap
 %dir %_libdir/%name/