forked from pool/sssd

22 Commits

Author SHA256 Message Date
07ba7dab75 Install file to load sssd generated krb5 config snippets
Signed-off-by: Samuel Cabrero <scabrero@suse.com>
2025-06-11 18:51:36 +02:00
1802fa3261 Stricter syntax adherence for changelog 2025-06-05 18:32:59 +02:00
11708aedcc sssd 2.11.0 2025-06-05 14:46:45 +02:00
ea880556c3 Run mkdir/rm with verbose mode for the build log 2025-03-11 22:35:43 +01:00
Samuel Cabrero
0dd76c3fb1 Add rpmlintrc file for sssd-krb5-common package
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
2025-02-03 10:25:56 +01:00
28a3ba978a sssd 2.10.2 2025-01-30 15:54:21 +01:00
24b0354b14 Merge 'refs/pull/7/head' of ssh://src.opensuse.org/jengelh/sssd 2025-01-22 11:12:54 +01:00
660ade3bb1 Combine disparate idmap plugin descriptions 2025-01-22 11:09:37 +01:00
73ddc33a8e No longer depend on deprecated nscd 2025-01-22 10:23:04 +01:00
Samuel Cabrero
e6e6fdcbb8 Replace u-a with package conflicts
The plugin for cifs.idmap is moved to its own package and conflicts with
the winbind plugin provided by cifs-utils.

Fixes bsc#1235789, bsc#1216739

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
2025-01-22 09:48:53 +01:00
e9bed7037d Align with polkit-1 directory permissions
found conflict of polkit-123-6.7.x86_64 with sssd-2.10.1-1.1.x86_64
  /usr/share/polkit-1/rules.d [mode mismatch: d555 root:root, d755 root:root]
2025-01-10 20:53:16 +01:00
090bf5ef30 Mention 0001-TOOL-Fix-build-parameter-name-omitted.patch 2025-01-09 18:30:40 +01:00
Samuel Cabrero
cd05c14a49 Adjust permissions file location for Tumbleweed and Leap 16
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
2025-01-02 14:33:44 +01:00
Samuel Cabrero
7f9841f325 Fix Leap 15.x builds
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
2025-01-02 14:33:44 +01:00
1507d9a094 Add note about unprivileged mode security review 2024-12-20 09:20:44 +01:00
7a9befa693 sssd 2.10.1 2024-12-11 10:33:24 +01:00
Samuel Cabrero
6e6893108a Unprivileged mode for sssd 2024-11-05 22:15:00 +01:00
Samuel Cabrero
0823836080 Use default nsslibdir 2024-11-05 21:34:50 +01:00
066c89155b Add patches to kill extraneous INI permission checks 2024-11-05 20:41:59 +01:00
64fc4926ab Add 0001-Configuration-make-sure-etc-sssd-and-everything.patch
0001-Configuration-make-sure-etc-sssd-and-everything.patch is
added ahead of the stack because it is an upstream-accepted patch.
harden_sssd-kcm.service.patch then needs a refresh for reasons of
fuzz 2.
2024-11-05 19:09:18 +01:00
Samuel Cabrero
4c1a7e3419 Fix socket activation for responders 2024-11-05 18:56:08 +01:00
0b818bbcb7 Update 0001-sssd-always-print-path-when-config-object-is-rejecte.patch with accepted commit 2024-11-05 18:54:05 +01:00
11 changed files with 346 additions and 233 deletions


@@ -0,0 +1,85 @@
From b927ca4196f828bda6d5db6c6a6d852389bfede0 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 2 Jan 2025 14:09:17 +0100
Subject: [PATCH] TOOL: Fix build, parameter name omitted
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
src/tools/sssctl/sssctl_data.c | 8 ++++----
src/tools/sssctl/sssctl_logs.c | 6 +++---
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
index b28556e73..a473e7e14 100644
--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
@@ -125,7 +125,7 @@ static errno_t sssctl_backup(bool force)
}
errno_t sssctl_client_data_backup(struct sss_cmdline *cmdline,
- struct sss_tool_ctx *)
+ struct sss_tool_ctx *tool_ctx)
{
struct sssctl_data_opts opts = {0};
errno_t ret;
@@ -184,7 +184,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
- struct sss_tool_ctx *)
+ struct sss_tool_ctx *tool_ctx)
{
struct sssctl_data_opts opts = {0};
errno_t ret;
@@ -206,7 +206,7 @@ errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
}
errno_t sssctl_cache_remove(struct sss_cmdline *cmdline,
- struct sss_tool_ctx *)
+ struct sss_tool_ctx *tool_ctx)
{
struct sssctl_data_opts opts = {0};
errno_t ret;
@@ -413,7 +413,7 @@ done:
}
errno_t sssctl_cache_index(struct sss_cmdline *cmdline,
- struct sss_tool_ctx *)
+ struct sss_tool_ctx *tool_ctx)
{
const char *attr = NULL;
const char *action_str = NULL;
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
index f8ef9f2c6..8ba18b394 100644
--- a/src/tools/sssctl/sssctl_logs.c
+++ b/src/tools/sssctl/sssctl_logs.c
@@ -418,7 +418,7 @@ int parse_debug_level(const char *strlevel)
}
errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- struct sss_tool_ctx *)
+ struct sss_tool_ctx *tool_ctx)
{
struct sssctl_logs_opts opts = {0};
errno_t ret;
@@ -470,7 +470,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
}
errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
- struct sss_tool_ctx *)
+ struct sss_tool_ctx *tool_ctx)
{
const char *file = NULL;
errno_t ret;
@@ -587,7 +587,7 @@ fini:
}
errno_t sssctl_analyze(struct sss_cmdline *cmdline,
- struct sss_tool_ctx *)
+ struct sss_tool_ctx *tool_ctx)
{
#ifndef BUILD_CHAIN_ID
PRINT("ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n");
--
2.47.1
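Review bot: The patch header carries no explanation and no upstream reference, so a later maintainer cannot tell which toolchain needs this patch or when it can be dropped. The body only gives the name `tool_ctx` to the previously unnamed `struct sss_tool_ctx *` parameter in seven sssctl function definitions. Unnamed parameters in a function definition are accepted only by newer C compilers, which is presumably why some build targets fail, but the header does not say so. I would add a line such as `References: <upstream PR or commit URL>` after the Subject, as the patch removed further down this page did, plus one sentence naming the compiler or distribution that rejects the original code.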


@@ -1,88 +0,0 @@
From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Wed, 16 Oct 2024 09:55:50 +0200
Subject: [PATCH] sssd: always print path when config object is rejected
References: https://github.com/SSSD/sssd/pull/7649
Observed:
```
Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
```
Expected:
_Well yes, but **which one**_!?
---
src/monitor/monitor.c | 4 ++--
src/util/sss_ini.c | 14 ++++++++------
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index e17b0e416..f67e4446f 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[])
ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false,
&config);
if (ret != EOK) {
- ERROR("Can't read config: '%s'\n", sss_strerror(ret));
+ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret));
sss_log(SSS_LOG_ALERT,
- "Failed to read configuration: '%s'", sss_strerror(ret));
+ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret));
ret = 3;
goto out;
}
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index 7f9824d88..2a611eb8c 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_open(self, config_file, "[sssd]\n");
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "The sss_ini_open failed %s: %d\n",
+ "sss_ini_open on %s failed: %d\n",
config_file,
ret);
return ERR_INI_OPEN_FAILED;
@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_access_check(self);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Permission check on config file failed.\n");
+ "Permission check on config file %s failed: %d\n",
+ config_file, ret);
return ERR_INI_INVALID_PERMISSION;
}
} else {
DEBUG(SSSDBG_CONF_SETTINGS,
- "File %1$s does not exist.\n",
- (config_file ? config_file : "NULL"));
+ "File %s does not exist.\n", config_file);
}
ret = sss_ini_parse(self);
if (ret != EOK) {
sss_ini_config_print_errors(self->error_list);
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
+ config_file, ret);
return ERR_INI_PARSE_FAILED;
}
ret = sss_ini_add_snippets(self, config_dir);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Error while reading configuration directory.\n");
+ "Error while reading configuration directory %s: %d\n",
+ config_dir, ret);
return ERR_INI_ADD_SNIPPETS_FAILED;
}
--
2.47.0


@@ -2,10 +2,10 @@
src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++ src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
1 file changed, 13 insertions(+) 1 file changed, 13 insertions(+)
Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in Index: sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
=================================================================== ===================================================================
--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in --- sssd-2.10.2.orig/src/sysv/systemd/sssd-kcm.service.in
+++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in +++ sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket @@ -8,6 +8,19 @@ After=sssd-kcm.socket
Also=sssd-kcm.socket Also=sssd-kcm.socket
@@ -24,5 +24,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+RestrictRealtime=true +RestrictRealtime=true
+# end of automatic additions +# end of automatic additions
Environment=DEBUG_LOGGER=--logger=files Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ # '-H' is used with @sssdconfdir@ to support use case where /etc/sssd is a symlink.
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf # '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.

BIN
sssd-2.10.0.tar.gz (Stored with Git LFS)

Binary file not shown.


@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=mJVY
-----END PGP SIGNATURE-----

BIN
sssd-2.11.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
sssd-2.11.0.tar.gz.asc Normal file

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=gdC9
-----END PGP SIGNATURE-----


@@ -0,0 +1,2 @@
# See https://github.com/SSSD/sssd/pull/7794 for details
addFilter("E: missing-call-to-setgroups-before-setuid")
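Review bot: The filter matches the bare message `E: missing-call-to-setgroups-before-setuid`, so it silences that check for every binary in every subpackage built from this spec, not only the one the linked pull request discusses. rpmlint filters are regular expressions matched against the whole report line, so the suppression can be narrowed to the intended package and file, for example `addFilter("<subpackage>.*: E: missing-call-to-setgroups-before-setuid <path-to-binary>")` with the real names filled in and the exact line format checked against the rpmlint output. A new setuid-without-setgroups finding in another helper would then still be reported. The comment above the filter should also state in one sentence why the flagged call is considered safe, rather than only linking to the discussion.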


@@ -1,3 +1,67 @@
-------------------------------------------------------------------
Wed Jun 11 14:53:26 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
- Install file in krb5.conf.d to include sssd krb5 config snippets;
(bsc#1244325);
-------------------------------------------------------------------
Thu Jun 5 12:14:03 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.11
* The deprecated tool `sss_ssh_knownhostsproxy` was finally
removed.
* Support for `id_provider = files` was removed.
* SSSD doesn't create any more missing path components of
DIR:/FILE: ccache types while acquiring user's TGT.
* New generic id and auth provider for Identity Providers (IdPs)
for Keycloak/EntraID. [Not enabled in openSUSE for now.]
-------------------------------------------------------------------
Tue Mar 11 21:35:32 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Run mkdir/rm with verbose mode for the build log
-------------------------------------------------------------------
Thu Jan 30 14:24:04 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.2
* If the ssh responder is not running, sss_ssh_knownhosts will
not fail (but it will not return the keys).
* SSSD is now capable of handling multiple services associated
with the same port.
* sssd_pam, being a privileged binary, now clears the
environment and does not allow configuration of the
PR_SET_DUMPABLE flag as a precaution.
-------------------------------------------------------------------
Wed Jan 22 09:21:43 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Drop build dependency on ncsd, which has been deprecated
(boo#1239262).
-------------------------------------------------------------------
Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
- Migrate away from update-alternatives, replaced by package
conflicts; (bsc#1235789); (bsc#1216739);
-------------------------------------------------------------------
Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.1
* SSSD does not create anymore missing path components of
DIR:/FILE: ccache types while acquiring user's TGT. The
parent directory of requested ccache directory must exist and
the user trying to log in must have rwx access to this
directory. This matches behavior of /usr/bin/kinit.
* The option default_domain_suffix is deprecated.
- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
0001-INI-relax-config-files-checks.patch,
0001-INI-stop-using-libini_config-for-access-check.patch,
0001-sssd-always-print-path-when-config-object-is-rejecte.patch
(merged)
- Add 0001-TOOL-Fix-build-parameter-name-omitted.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de> Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
@@ -15,7 +79,12 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
* The default value for ``ldap_id_use_start_tls`` changed from * The default value for ``ldap_id_use_start_tls`` changed from
false to true for improved security. false to true for improved security.
* https://github.com/SSSD/sssd/releases/tag/2.10.0 * https://github.com/SSSD/sssd/releases/tag/2.10.0
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch - Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
0001-INI-stop-using-libini_config-for-access-check.patch,
0001-INI-relax-config-files-checks.patch,
0001-Configuration-make-sure-etc-sssd-and-everything.patch
- Fix socket activation of responders
- Daemon runs now as unprivileged user 'sssd'
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de> Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
@@ -1846,7 +1915,6 @@ Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com
connect to an auth server connect to an auth server
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
- Update to new upstream release 1.8.0 - Update to new upstream release 1.8.0

236
sssd.spec

@@ -1,7 +1,7 @@
# #
# spec file for package sssd # spec file for package sssd
# #
# Copyright (c) 2024 SUSE LLC # Copyright (c) 2025 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: sssd Name: sssd
Version: 2.10.0 Version: 2.11.0
Release: 0 Release: 0
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPL-3.0-or-later AND LGPL-3.0-or-later License: GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,11 +28,11 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
Source3: baselibs.conf Source3: baselibs.conf
Source5: %name.keyring Source5: %name.keyring
Patch1: krb-noversion.diff Patch1: 0001-TOOL-Fix-build-parameter-name-omitted.patch
Patch2: harden_sssd-ifp.service.patch Patch11: krb-noversion.diff
Patch3: harden_sssd-kcm.service.patch Patch12: harden_sssd-ifp.service.patch
Patch4: symvers.patch Patch13: harden_sssd-kcm.service.patch
Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch Patch14: symvers.patch
BuildRequires: autoconf >= 2.59 BuildRequires: autoconf >= 2.59
BuildRequires: automake BuildRequires: automake
BuildRequires: bind-utils BuildRequires: bind-utils
@@ -49,7 +49,7 @@ BuildRequires: libtool
BuildRequires: libunistring-devel BuildRequires: libunistring-devel
BuildRequires: libxml2-tools BuildRequires: libxml2-tools
BuildRequires: libxslt-tools BuildRequires: libxslt-tools
BuildRequires: nscd BuildRequires: libopenssl-3-devel
BuildRequires: nss_wrapper BuildRequires: nss_wrapper
BuildRequires: openldap2-devel BuildRequires: openldap2-devel
BuildRequires: pam-devel BuildRequires: pam-devel
@@ -66,13 +66,14 @@ BuildRequires: pkgconfig(dhash) >= 0.4.2
BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(ini_config) >= 1.3 BuildRequires: pkgconfig(ini_config) >= 1.3
BuildRequires: pkgconfig(jansson) BuildRequires: pkgconfig(jansson)
BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(ldb) >= 1.2.0
BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libcrypto) >= 1.0.1 BuildRequires: pkgconfig(libcrypto) >= 1.0.1
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(libcurl)
%endif %endif
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnfsidmap)
BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
@@ -100,6 +101,8 @@ BuildRequires: pkgconfig(uuid)
%endif %endif
%sysusers_requires %sysusers_requires
%{?systemd_ordering} %{?systemd_ordering}
Requires(post): permissions
Requires(verify): permissions
Requires: sssd-ldap = %version-%release Requires: sssd-ldap = %version-%release
Requires(postun): pam-config Requires(postun): pam-config
Provides: libsss_sudo = %version-%release Provides: libsss_sudo = %version-%release
@@ -108,24 +111,26 @@ Obsoletes: libsss_sudo < %version-%release
Provides: sssd-common = %version-%release Provides: sssd-common = %version-%release
Obsoletes: sssd-common < %version-%release Obsoletes: sssd-common < %version-%release
%global sssd_user sssd
%define servicename sssd %define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss %define sssdstatedir %_localstatedir/lib/sss
%define dbpath %sssdstatedir/db %define dbpath %sssdstatedir/db
%define pipepath %sssdstatedir/pipes %define pipepath %sssdstatedir/pipes
%define pubconfpath %sssdstatedir/pubconf %define pubconfpath %sssdstatedir/pubconf
%define gpocachepath %sssdstatedir/gpo_cache %define gpocachepath %sssdstatedir/gpo_cache
%define keytabdir %sssdstatedir/keytabs
%define mcpath %sssdstatedir/mc
%define ldbdir %(pkg-config ldb --variable=modulesdir) %define ldbdir %(pkg-config ldb --variable=modulesdir)
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins %if 0%{?suse_version} >= 1600
# * cifs-utils one is the default (priority 20) %define permissions_path %_datadir/permissions/permissions.d/
# * installing SSSD should NOT switch to SSSD plugin (priority 10) %else
%define permissions_path %_sysconfdir/permissions.d/
%endif
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin %define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so %define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
%define cifs_idmap_name cifs-idmap-plugin
%define cifs_idmap_priority 10
Requires(post): update-alternatives
Requires(postun): update-alternatives
%description %description
A set of daemons to manage access to remote directories and A set of daemons to manage access to remote directories and
@@ -194,6 +199,8 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later License: GPL-3.0-or-later
Group: System/Daemons Group: System/Daemons
Requires: cyrus-sasl-gssapi Requires: cyrus-sasl-gssapi
Requires(post): permissions
Requires(verify): permissions
%description krb5-common %description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can Provides helper processes that the LDAP and Kerberos back ends can
@@ -237,6 +244,23 @@ Group: System/Libraries
The idmap_sss module provides a way for Winbind to call SSSD to map The idmap_sss module provides a way for Winbind to call SSSD to map
UIDs/GIDs and SIDs. UIDs/GIDs and SIDs.
%package cifs-idmap-plugin
Summary: The sssd idmap plugin for cifs.idmap
Group: System/Libraries
# Conflict as per https://bugzilla.suse.com/1235789
Provides: cifs-idmap-plugin
Conflicts: cifs-idmap-plugin
%description cifs-idmap-plugin
The cifs.idmap(8) userspace helper relies on a plugin to handle the
ID mapping. This package contains the ID mapping plugin that will use
sssd.
In SUSE systems, only one such plugin can be installed at a time
(either the one from sssd, or from cifs-utils).
Without the plugin, file objects in a mounted share have UID/GID of
the original mounting process.
%package -n libsss_certmap0 %package -n libsss_certmap0
Summary: FreeIPA ID mapping library Summary: FreeIPA ID mapping library
License: LGPL-3.0-or-later License: LGPL-3.0-or-later
@@ -392,9 +416,6 @@ Security Services Daemon (sssd).
%autosetup -p1 %autosetup -p1
%build %build
# help configure find nscd
export PATH="$PATH:/usr/sbin"
autoreconf -fiv autoreconf -fiv
%configure \ %configure \
--with-db-path="%dbpath" \ --with-db-path="%dbpath" \
@@ -404,14 +425,14 @@ autoreconf -fiv
--with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-environment-file="%_sysconfdir/sysconfig/sssd" \
--with-initscript=systemd \ --with-initscript=systemd \
--with-syslog=journald \ --with-syslog=journald \
--with-pid-path="%_rundir" \ --with-pid-path="%_rundir/sssd" \
--enable-nsslibdir="/%_lib" \
--enable-pammoddir="%_pam_moduledir" \ --enable-pammoddir="%_pam_moduledir" \
--with-ldb-lib-dir="%ldbdir" \ --with-ldb-lib-dir="%ldbdir" \
--with-os=suse \ --with-os=suse \
--disable-ldb-version-check \ --disable-ldb-version-check \
--without-python2-bindings \ --without-python2-bindings \
--without-oidc-child \ --without-oidc-child \
--with-sssd-user="%sssd_user" \
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
--with-selinux=yes \ --with-selinux=yes \
--with-subid --with-subid
@@ -430,26 +451,26 @@ b="%buildroot"
# Copy some defaults # Copy some defaults
%if "%{?_distconfdir}" != "" %if "%{?_distconfdir}" != ""
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf" install -Dpvm 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
install -d -m 0755 "$b/%_distconfdir/sssd/conf.d" install -dvm 0755 "$b/%_distconfdir/sssd/conf.d"
%else %else
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" install -Dpm 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d" install -dvm 0755 "$b/%_sysconfdir/sssd/conf.d"
%endif %endif
install -d "$b/%_unitdir" install -dv "$b/%_unitdir"
%if 0%{?suse_version} > 1500 %if 0%{?suse_version} > 1500
install -d "$b/%_distconfdir/logrotate.d" install -dv "$b/%_distconfdir/logrotate.d"
install -m644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd" install -vm644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
install -d "$b/%_pam_vendordir" install -dv "$b/%_pam_vendordir"
mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir" mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir"
%else %else
install -d "$b/%_sysconfdir/logrotate.d" install -dv "$b/%_sysconfdir/logrotate.d"
install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd" install -vm644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
%endif %endif
rm -Rfv "$b/%_initddir" rm -Rfv "$b/%_initddir"
%if 0%{?suse_version} < 1600 %if 0%{?suse_version} < 1600
ln -s service "$b/%_sbindir/rcsssd" ln -sv service "$b/%_sbindir/rcsssd"
%endif %endif
mkdir -pv "$b/%sssdstatedir/mc" mkdir -pv "$b/%sssdstatedir/mc"
@@ -457,27 +478,49 @@ find "$b" -type f -name "*.la" -print -delete
%find_lang %name --all-name %find_lang %name --all-name
# dummy target for cifs-idmap-plugin # dummy target for cifs-idmap-plugin
mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" mkdir -pv %buildroot/%_sysconfdir/cifs-utils
ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" ln -sfv %cifs_idmap_lib %buildroot/%cifs_idmap_plugin
%python3_fix_shebang %python3_fix_shebang
%if 0%{?suse_version} > 1600 %if 0%{?suse_version} > 1600
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ %python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
%elif 0%{?suse_version} == 1600 %elif 0%{?suse_version} == 1600
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
%endif %endif
echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
mkdir -p "$b/%_sysusersdir" mkdir -pv "$b/%_sysusersdir"
cp -a system-user-sssd.conf "$b/%_sysusersdir/" cp -av system-user-sssd.conf "$b/%_sysusersdir/"
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
install -Dpvm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
#
# Security considerations for capabilities, chown and stuff:
# https://www.openwall.com/lists/oss-security/2024/12/19/1
#
# should match entry from %%files list
mkdir -pv "$b/%permissions_path"
cat >"$b/%permissions_path/sssd" <<-EOF
%_libexecdir/sssd/sssd_pam root:sssd 0750
+capabilities cap_dac_read_search=p
%_libexecdir/sssd/selinux_child root:sssd 0750
+capabilities cap_setgid,cap_setuid=p
%_libexecdir/sssd/krb5_child root:sssd 0750
+capabilities cap_dac_read_search,cap_setgid,cap_setuid=p
%_libexecdir/sssd/ldap_child root:sssd 0750
+capabilities cap_dac_read_search=p
EOF
mkdir -pv "$b/%_sysconfdir/krb5.conf.d"
ln -sv %_datadir/%name/krb5-snippets/enable_sssd_conf_dir \
"$b/%_sysconfdir/krb5.conf.d/enable_sssd_conf_dir"
%check %check
# sss_config-tests fails # sss_config-tests fails
%make_build check || : %make_build check || :
%pre -f random.pre %pre -f random.pre
%service_add_pre sssd.service %service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
%if "%{?_distconfdir}" != "" %if "%{?_distconfdir}" != ""
# Prepare for migration to /usr/etc; save any old .rpmsave # Prepare for migration to /usr/etc; save any old .rpmsave
for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
@@ -491,13 +534,14 @@ done
if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
fi fi
%service_add_post sssd.service %service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
# install SSSD cifs-idmap plugin as an alternative %_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %tmpfiles_create %name.conf
%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
%preun %preun
%service_del_preun sssd.service %service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
%postun %postun
/sbin/ldconfig /sbin/ldconfig
@@ -505,11 +549,8 @@ if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
"%_sbindir/pam-config" -d --sss || : "%_sbindir/pam-config" -d --sss || :
fi fi
# del_postun includes a try-restart # del_postun includes a try-restart
%service_del_postun sssd.service %service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
if [ ! -f "%cifs_idmap_lib" ]; then
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
fi
%ldconfig_scriptlets -n libsss_certmap0 %ldconfig_scriptlets -n libsss_certmap0
%ldconfig_scriptlets -n libipa_hbac0 %ldconfig_scriptlets -n libipa_hbac0
@@ -517,6 +558,9 @@ fi
%ldconfig_scriptlets -n libsss_nss_idmap0 %ldconfig_scriptlets -n libsss_nss_idmap0
%ldconfig_scriptlets -n libsss_simpleifp0 %ldconfig_scriptlets -n libsss_simpleifp0
%verifyscript
%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
%triggerun -- %name < %version-%release %triggerun -- %name < %version-%release
# sssd takes care of upgrading the database but it doesn't handle downgrades. # sssd takes care of upgrading the database but it doesn't handle downgrades.
# Clear caches when downgrading the package, which may have an # Clear caches when downgrading the package, which may have an
@@ -550,6 +594,16 @@ fi
%postun kcm %postun kcm
%service_del_postun sssd-kcm.service sssd-kcm.socket %service_del_postun sssd-kcm.service sssd-kcm.socket
%pre krb5-common -f random.pre
%post krb5-common
%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
%verifyscript krb5-common
%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
%pre proxy -f random.pre
%pretrans %pretrans
# Migrate sssd.service from sssd-common to sssd # Migrate sssd.service from sssd-common to sssd
systemctl is-enabled sssd.service > /dev/null systemctl is-enabled sssd.service > /dev/null
@@ -604,6 +658,11 @@ fi
%_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.socket
%_unitdir/sssd-sudo.service %_unitdir/sssd-sudo.service
%_sysusersdir/*sssd* %_sysusersdir/*sssd*
%_tmpfilesdir/*sssd*
%permissions_path/sssd
%dir %_datadir/polkit-1
%attr(0555,root,root) %dir %_datadir/polkit-1/rules.d
%_datadir/polkit-1/rules.d/*
%_bindir/sss_ssh_* %_bindir/sss_ssh_*
%_sbindir/sssd %_sbindir/sssd
%if 0%{?suse_version} < 1600 %if 0%{?suse_version} < 1600
@@ -614,12 +673,8 @@ fi
%_mandir/??/man1/sss_ssh_* %_mandir/??/man1/sss_ssh_*
%_mandir/??/man5/sss-certmap.5* %_mandir/??/man5/sss-certmap.5*
%_mandir/??/man5/sssd-ad.5* %_mandir/??/man5/sssd-ad.5*
%if 0%{?suse_version} < 1600
%_mandir/??/man5/sssd-files.5*
%endif
%_mandir/??/man5/sssd-ldap-attributes.5* %_mandir/??/man5/sssd-ldap-attributes.5*
%_mandir/??/man5/sssd-session-recording.5* %_mandir/??/man5/sssd-session-recording.5*
%_mandir/??/man5/sssd-simple.5*
%_mandir/??/man5/sssd-sudo.5* %_mandir/??/man5/sssd-sudo.5*
%_mandir/??/man5/sssd-systemtap.5* %_mandir/??/man5/sssd-systemtap.5*
%_mandir/??/man5/sssd.conf.5* %_mandir/??/man5/sssd.conf.5*
@@ -627,9 +682,6 @@ fi
%_mandir/??/man8/sssd.8* %_mandir/??/man8/sssd.8*
%_mandir/man1/sss_ssh_* %_mandir/man1/sss_ssh_*
%_mandir/man5/sss-certmap.5* %_mandir/man5/sss-certmap.5*
%if 0%{?suse_version} < 1600
%_mandir/man5/sssd-files.5*
%endif
%_mandir/man5/sssd-ldap-attributes.5* %_mandir/man5/sssd-ldap-attributes.5*
%_mandir/man5/sssd-session-recording.5* %_mandir/man5/sssd-session-recording.5*
%_mandir/man5/sssd-simple.5* %_mandir/man5/sssd-simple.5*
@@ -647,7 +699,6 @@ fi
%_libdir/%name/libsss_files* %_libdir/%name/libsss_files*
%endif %endif
%_libdir/%name/libsss_iface* %_libdir/%name/libsss_iface*
%_libdir/%name/libsss_semanage*
%_libdir/%name/libsss_sbus* %_libdir/%name/libsss_sbus*
%_libdir/%name/libsss_simple* %_libdir/%name/libsss_simple*
%_libdir/%name/libsss_util* %_libdir/%name/libsss_util*
@@ -660,32 +711,32 @@ fi
%_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_autofs
%_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_be
%_libexecdir/%name/sssd_nss %_libexecdir/%name/sssd_nss
%_libexecdir/%name/sssd_pam %attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam
%_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_ssh
%_libexecdir/%name/sssd_sudo %_libexecdir/%name/sssd_sudo
%_libexecdir/%name/sss_signal %_libexecdir/%name/sss_signal
%_libexecdir/%name/sssd_check_socket_activated_responders %_libexecdir/%name/sssd_check_socket_activated_responders
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
%_libexecdir/%name/selinux_child %attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child
%endif %endif
%dir %sssdstatedir %dir %sssdstatedir
%attr(700,root,root) %dir %dbpath/ %attr(700,%sssd_user,%sssd_user) %dir %dbpath/
%attr(755,root,root) %dir %pipepath/ %attr(755,%sssd_user,%sssd_user) %dir %pipepath/
%attr(700,root,root) %dir %pipepath/private/ %attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
%attr(755,root,root) %dir %pubconfpath/ %attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
%attr(755,root,root) %dir %pubconfpath/krb5.include.d %attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
%attr(755,root,root) %dir %gpocachepath/ %attr(755,%sssd_user,%sssd_user) %dir %mcpath/
%attr(755,root,root) %dir %sssdstatedir/mc/ %attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
%attr(700,root,root) %dir %sssdstatedir/keytabs/ %attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
%attr(750,root,root) %dir %_localstatedir/log/%name/ %attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
%if "%{?_distconfdir}" != "" %if "%{?_distconfdir}" != ""
%dir %_distconfdir/sssd/ %attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
%%dir %_distconfdir/sssd/conf.d %attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
%config(noreplace) %_distconfdir/sssd/sssd.conf %attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
%else %else
%dir %_sysconfdir/sssd/ %attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
%%dir %_sysconfdir/sssd/conf.d %attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
%config(noreplace) %_sysconfdir/sssd/sssd.conf %ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
%endif %endif
%if 0%{?suse_version} > 1500 %if 0%{?suse_version} > 1500
%_distconfdir/logrotate.d/sssd %_distconfdir/logrotate.d/sssd
@@ -699,21 +750,16 @@ fi
%_datadir/%name/sssd.api.conf %_datadir/%name/sssd.api.conf
%dir %_datadir/%name/sssd.api.d/ %dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-simple.conf %_datadir/%name/sssd.api.d/sssd-simple.conf
%if 0%{?suse_version} < 1600 %attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
%_datadir/%name/sssd.api.d/sssd-files.conf
%else
%exclude %_mandir/*/*/sssd-files.5.gz
%endif
%doc src/examples/sssd.conf %doc src/examples/sssd.conf
# #
# sssd-client # %%files sssd-client
# #
/%_lib/libnss_sss.so.2 %_libdir/libnss_sss.so.2
%_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss.so
%_pam_moduledir/pam_sss_gss.so %_pam_moduledir/pam_sss_gss.so
%_libdir/krb5/ %_libdir/krb5/
%_libdir/%name/modules/sssd_krb5_localauth_plugin.so %_libdir/%name/modules/sssd_krb5_localauth_plugin.so
%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
%_libdir/libsubid_sss.so %_libdir/libsubid_sss.so
%endif %endif
@@ -725,12 +771,12 @@ fi
%_mandir/man8/sssd_krb5_localauth_plugin.8* %_mandir/man8/sssd_krb5_localauth_plugin.8*
%_mandir/??/man8/sssd_krb5_localauth_plugin.8* %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
%_mandir/man8/sssd_krb5_locator_plugin.8* %_mandir/man8/sssd_krb5_locator_plugin.8*
# cifs idmap plugin #
%dir %_sysconfdir/cifs-utils # %%files sssd-idp
%cifs_idmap_plugin #
%dir %_libdir/cifs-utils %exclude %_libdir/sssd/libsss_idp.so
%cifs_idmap_lib %exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
%ghost %_sysconfdir/alternatives/%cifs_idmap_name %exclude %_mandir/man5/sssd-idp*
%files ad %files ad
%dir %_libdir/%name/ %dir %_libdir/%name/
@@ -781,7 +827,6 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_krb5.so %_libdir/%name/libsss_krb5.so
%dir %_datadir/%name/ %dir %_datadir/%name/
%exclude %_datadir/%name/krb5-snippets/
%dir %_datadir/%name/sssd.api.d/ %dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-krb5.conf %_datadir/%name/sssd.api.d/sssd-krb5.conf
%dir %_mandir/??/ %dir %_mandir/??/
@@ -790,11 +835,16 @@ fi
%_mandir/??/man5/sssd-krb5.5* %_mandir/??/man5/sssd-krb5.5*
%files krb5-common %files krb5-common
%attr(755,root,root) %dir %pubconfpath/krb5.include.d
%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_krb5_common.so %_libdir/%name/libsss_krb5_common.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%_libexecdir/%name/krb5_child %attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child
%_libexecdir/%name/ldap_child %attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child
%dir %{_datadir}/sssd/krb5-snippets
%_datadir/%name/krb5-snippets/enable_sssd_conf_dir
%_datadir/%name/krb5-snippets/sssd_enable_idp
%files ldap %files ldap
%dir %_libdir/%name/ %dir %_libdir/%name/
@@ -811,7 +861,7 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_proxy.so %_libdir/%name/libsss_proxy.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%_libexecdir/%name/proxy_child %attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child
%dir %_datadir/%name/ %dir %_datadir/%name/
%dir %_datadir/%name/sssd.api.d/ %dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-proxy.conf %_datadir/%name/sssd.api.d/sssd-proxy.conf
@@ -836,6 +886,12 @@ fi
%_libdir/samba/idmap/ %_libdir/samba/idmap/
%_mandir/man8/idmap_sss.8* %_mandir/man8/idmap_sss.8*
%files cifs-idmap-plugin
%dir %_sysconfdir/cifs-utils
%cifs_idmap_plugin
%dir %_libdir/cifs-utils
%cifs_idmap_lib
%files -n libipa_hbac0 %files -n libipa_hbac0
%_libdir/libipa_hbac.so.0* %_libdir/libipa_hbac.so.0*


@@ -12,14 +12,14 @@ libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
the system only has libsss_util.so(-2.8.2) at this point. the system only has libsss_util.so(-2.8.2) at this point.
--- ---
Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- Makefile.am | 44 ++++++++++++++++++++++++++++++--------------
1 file changed, 32 insertions(+), 15 deletions(-) 1 file changed, 30 insertions(+), 14 deletions(-)
Index: sssd-2.9.2/Makefile.am Index: sssd-2.10.1/Makefile.am
=================================================================== ===================================================================
--- sssd-2.9.2.orig/Makefile.am --- sssd-2.10.1.orig/Makefile.am
+++ sssd-2.9.2/Makefile.am +++ sssd-2.10.1/Makefile.am
@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ @@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
libsss_debug_la_LIBADD = \ libsss_debug_la_LIBADD = \
$(SYSLOG_LIBS) $(SYSLOG_LIBS)
libsss_debug_la_LDFLAGS = \ libsss_debug_la_LDFLAGS = \
@@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_child.la pkglib_LTLIBRARIES += libsss_child.la
libsss_child_la_SOURCES = src/util/child_common.c libsss_child_la_SOURCES = src/util/child_common.c
@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ @@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
$(DHASH_LIBS) \ $(DHASH_LIBS) \
libsss_debug.la \ libsss_debug.la \
$(NULL) $(NULL)
@@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_crypt.la pkglib_LTLIBRARIES += libsss_crypt.la
@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ @@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \
libsss_debug.la \ libsss_debug.la \
$(NULL) $(NULL)
libsss_crypt_la_LDFLAGS = \ libsss_crypt_la_LDFLAGS = \
@@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_cert.la pkglib_LTLIBRARIES += libsss_cert.la
@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ @@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \
libsss_debug.la \ libsss_debug.la \
$(NULL) $(NULL)
libsss_cert_la_LDFLAGS = \ libsss_cert_la_LDFLAGS = \
@@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am
generate-sbus-code: generate-sbus-code:
$(builddir)/sbus_generate.sh $(abs_srcdir) $(builddir)/sbus_generate.sh $(abs_srcdir)
@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ @@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libsss_sbus_la_LDFLAGS = \ libsss_sbus_la_LDFLAGS = \
@@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_sbus_sync.la pkglib_LTLIBRARIES += libsss_sbus_sync.la
libsss_sbus_sync_la_SOURCES = \ libsss_sbus_sync_la_SOURCES = \
@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ @@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \
$(UNICODE_LIBS) \ $(UNICODE_LIBS) \
$(NULL) $(NULL)
libsss_sbus_sync_la_LDFLAGS = \ libsss_sbus_sync_la_LDFLAGS = \
@@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_iface.la pkglib_LTLIBRARIES += libsss_iface.la
libsss_iface_la_SOURCES = \ libsss_iface_la_SOURCES = \
@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ @@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libsss_iface_la_LDFLAGS = \ libsss_iface_la_LDFLAGS = \
@@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_iface_sync.la pkglib_LTLIBRARIES += libsss_iface_sync.la
libsss_iface_sync_la_SOURCES = \ libsss_iface_sync_la_SOURCES = \
@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ @@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libsss_iface_sync_la_LDFLAGS = \ libsss_iface_sync_la_LDFLAGS = \
@@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_util.la pkglib_LTLIBRARIES += libsss_util.la
libsss_util_la_SOURCES = \ libsss_util_la_SOURCES = \
@@ -1322,7 +1333,8 @@ endif @@ -1338,7 +1349,8 @@ endif
if BUILD_PASSKEY if BUILD_PASSKEY
libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
endif # BUILD_PASSKEY endif # BUILD_PASSKEY
@@ -115,19 +115,9 @@ Index: sssd-2.9.2/Makefile.am
+libsss_util_la_LDFLAGS = -avoid-version ${symv} +libsss_util_la_LDFLAGS = -avoid-version ${symv}
+EXTRA_libsss_util_la_DEPENDENCIES = x.sym +EXTRA_libsss_util_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_semanage.la
libsss_semanage_la_CFLAGS = \
@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
endif
libsss_semanage_la_LDFLAGS = \
- -avoid-version
+ -avoid-version ${symv}
+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
SSSD_INTERNAL_LTLIBS = \ SSSD_INTERNAL_LTLIBS = \
libsss_util.la \ libsss_util.la \
@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ @@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
$(NULL) $(NULL)
pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@@ -136,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am
libipa_hbac_la_SOURCES = \ libipa_hbac_la_SOURCES = \
src/lib/ipa_hbac/hbac_evaluator.c \ src/lib/ipa_hbac/hbac_evaluator.c \
src/util/sss_utf8.c src/util/sss_utf8.c
@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ @@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libifp_iface_la_LDFLAGS = \ libifp_iface_la_LDFLAGS = \
@@ -147,7 +137,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libifp_iface_sync.la pkglib_LTLIBRARIES += libifp_iface_sync.la
libifp_iface_sync_la_SOURCES = \ libifp_iface_sync_la_SOURCES = \
@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ @@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libifp_iface_sync_la_LDFLAGS = \ libifp_iface_sync_la_LDFLAGS = \
@@ -158,7 +148,7 @@ Index: sssd-2.9.2/Makefile.am
sssd_ifp_SOURCES = \ sssd_ifp_SOURCES = \
src/responder/ifp/ifpsrv.c \ src/responder/ifp/ifpsrv.c \
@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ @@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \
$(SSSD_INTERNAL_LTLIBS) \ $(SSSD_INTERNAL_LTLIBS) \
$(NULL) $(NULL)
libsss_ldap_common_la_LDFLAGS = \ libsss_ldap_common_la_LDFLAGS = \
@@ -169,7 +159,7 @@ Index: sssd-2.9.2/Makefile.am
if BUILD_SYSTEMTAP if BUILD_SYSTEMTAP
libsss_ldap_common_la_LIBADD += stap_generated_probes.lo libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
endif endif
@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ @@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \
$(SSSD_INTERNAL_LTLIBS) \ $(SSSD_INTERNAL_LTLIBS) \
$(NULL) $(NULL)
libsss_krb5_common_la_LDFLAGS = \ libsss_krb5_common_la_LDFLAGS = \