Accepting request 1243227 from network:ldap

- Update to release 2.10.2

OBS-URL: https://build.opensuse.org/request/show/1243227
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=143

0001-Remove-versions-checks-that-need-updating-every-iter.patch

@@ -1,25 +0,0 @@
-From f3ee55182600b2731b21bbdabbc5c891202f6dbb Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Fri, 15 Feb 2019 17:20:47 +0100
-Subject: [PATCH 1/4] Remove versions checks that need updating every
- iteration.
-
----
- src/external/pac_responder.m4 | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
-index 90727185b..af9fded6f 100644
---- a/src/external/pac_responder.m4
-+++ b/src/external/pac_responder.m4
-@@ -11,6 +11,7 @@ then
-     AC_MSG_CHECKING(for supported MIT krb5 version)
-     KRB5_VERSION="`$KRB5_CONFIG --version`"
-     case $KRB5_VERSION in
-+        *|\
-         Kerberos\ 5\ release\ 1.9* | \
-         Kerberos\ 5\ release\ 1.10* | \
-         Kerberos\ 5\ release\ 1.11* | \
--- 
-2.46.1
-

0001-TOOL-Fix-build-parameter-name-omitted.patch

@@ -0,0 +1,85 @@
+From b927ca4196f828bda6d5db6c6a6d852389bfede0 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Thu, 2 Jan 2025 14:09:17 +0100
+Subject: [PATCH] TOOL: Fix build, parameter name omitted
+
+Signed-off-by: Samuel Cabrero <scabrero@suse.de>
+---
+ src/tools/sssctl/sssctl_data.c | 8 ++++----
+ src/tools/sssctl/sssctl_logs.c | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index b28556e73..a473e7e14 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -125,7 +125,7 @@ static errno_t sssctl_backup(bool force)
+ }
+ 
+ errno_t sssctl_client_data_backup(struct sss_cmdline *cmdline,
+-                                  struct sss_tool_ctx *)
++                                  struct sss_tool_ctx *tool_ctx)
+ {
+     struct sssctl_data_opts opts = {0};
+     errno_t ret;
+@@ -184,7 +184,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+ }
+ 
+ errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
+-                                   struct sss_tool_ctx *)
++                                   struct sss_tool_ctx *tool_ctx)
+ {
+     struct sssctl_data_opts opts = {0};
+     errno_t ret;
+@@ -206,7 +206,7 @@ errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
+ }
+ 
+ errno_t sssctl_cache_remove(struct sss_cmdline *cmdline,
+-                            struct sss_tool_ctx *)
++                            struct sss_tool_ctx *tool_ctx)
+ {
+     struct sssctl_data_opts opts = {0};
+     errno_t ret;
+@@ -413,7 +413,7 @@ done:
+ }
+ 
+ errno_t sssctl_cache_index(struct sss_cmdline *cmdline,
+-                           struct sss_tool_ctx *)
++                           struct sss_tool_ctx *tool_ctx)
+ {
+     const char *attr = NULL;
+     const char *action_str = NULL;
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index f8ef9f2c6..8ba18b394 100644
+--- a/src/tools/sssctl/sssctl_logs.c
++++ b/src/tools/sssctl/sssctl_logs.c
+@@ -418,7 +418,7 @@ int parse_debug_level(const char *strlevel)
+ }
+ 
+ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+-                           struct sss_tool_ctx *)
++                           struct sss_tool_ctx *tool_ctx)
+ {
+     struct sssctl_logs_opts opts = {0};
+     errno_t ret;
+@@ -470,7 +470,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ }
+ 
+ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+-                          struct sss_tool_ctx *)
++                          struct sss_tool_ctx *tool_ctx)
+ {
+     const char *file = NULL;
+     errno_t ret;
+@@ -587,7 +587,7 @@ fini:
+ }
+ 
+ errno_t sssctl_analyze(struct sss_cmdline *cmdline,
+-                       struct sss_tool_ctx *)
++                       struct sss_tool_ctx *tool_ctx)
+ {
+ #ifndef BUILD_CHAIN_ID
+     PRINT("ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n");
+-- 
+2.47.1
+

0002-Harden-sssd-ifp.service.patch

@@ -1,36 +0,0 @@
-From 7889dbb390091f0be5fea8f915fab68020556de7 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Wed, 16 Oct 2024 14:03:06 +0200
-Subject: [PATCH 2/4] Harden sssd-ifp.service
-
----
- src/sysv/systemd/sssd-ifp.service.in | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
-index 1ab163392..c8d6dc9ae 100644
---- a/src/sysv/systemd/sssd-ifp.service.in
-+++ b/src/sysv/systemd/sssd-ifp.service.in
-@@ -5,6 +5,19 @@ After=sssd.service
- BindsTo=sssd.service
- 
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ProtectHome=true
-+PrivateDevices=true
-+ProtectHostname=true
-+ProtectClock=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions
- Environment=DEBUG_LOGGER=--logger=files
- EnvironmentFile=-@environment_file@
- Type=dbus
--- 
-2.46.1
-

0003-Harden-sssd-kcm.service.patch

@@ -1,36 +0,0 @@
-From 1fea2a4039f9e838554abe17bbf1513a8f99f348 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Wed, 16 Oct 2024 14:05:02 +0200
-Subject: [PATCH 3/4] Harden sssd-kcm.service
-
----
- src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
-index 0c839ec5c..b403cd709 100644
---- a/src/sysv/systemd/sssd-kcm.service.in
-+++ b/src/sysv/systemd/sssd-kcm.service.in
-@@ -8,6 +8,19 @@ After=sssd-kcm.socket
- Also=sssd-kcm.socket
- 
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ProtectHome=true
-+PrivateDevices=true
-+ProtectHostname=true
-+ProtectClock=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions
- Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
- ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
--- 
-2.46.1
-

0005-sssd-always-print-path-when-config-object-is-rejecte.patch

@@ -1,73 +0,0 @@
-From 2b7915dd84a6b8c3ee26e45357283677fe22f2cb Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Wed, 16 Oct 2024 09:55:50 +0200
-Subject: [PATCH] sssd: always print path when config object is rejected
-
-Observed:
-
-```
-Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
-Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
-Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
-```
-
-Expected:
-
-_Well yes, but **which one**_!?
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
----
- src/util/sss_ini.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
-index 7f9824d88..2a611eb8c 100644
---- a/src/util/sss_ini.c
-+++ b/src/util/sss_ini.c
-@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
-     ret = sss_ini_open(self, config_file, "[sssd]\n");
-     if (ret != EOK) {
-         DEBUG(SSSDBG_CRIT_FAILURE,
--              "The sss_ini_open failed %s: %d\n",
-+              "sss_ini_open on %s failed: %d\n",
-               config_file,
-               ret);
-         return ERR_INI_OPEN_FAILED;
-@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
-         ret = sss_ini_access_check(self);
-         if (ret != EOK) {
-             DEBUG(SSSDBG_CRIT_FAILURE,
--                  "Permission check on config file failed.\n");
-+                  "Permission check on config file %s failed: %d\n",
-+                  config_file, ret);
-             return ERR_INI_INVALID_PERMISSION;
-         }
-     } else {
-         DEBUG(SSSDBG_CONF_SETTINGS,
--              "File %1$s does not exist.\n",
--              (config_file ? config_file : "NULL"));
-+              "File %s does not exist.\n", config_file);
-     }
- 
-     ret = sss_ini_parse(self);
-     if (ret != EOK) {
-         sss_ini_config_print_errors(self->error_list);
--        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
-+        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
-+              config_file, ret);
-         return ERR_INI_PARSE_FAILED;
-     }
- 
-     ret = sss_ini_add_snippets(self, config_dir);
-     if (ret != EOK) {
-         DEBUG(SSSDBG_FATAL_FAILURE,
--              "Error while reading configuration directory.\n");
-+              "Error while reading configuration directory %s: %d\n",
-+              config_dir, ret);
-         return ERR_INI_ADD_SNIPPETS_FAILED;
-     }
- 
--- 
-2.47.0
-

_scmsync.obsinfo

@@ -0,0 +1,4 @@
+mtime: 1738574756
+commit: 0dd76c3fb1e8976e3f2203732d255929ddd4647604210f34bc9970c9c866a7c6
+url: https://src.opensuse.org/jengelh/sssd
+revision: master

build.specials.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:057383006ab62d4a1ca24c5a28ada9061ca2aacd5b4b70b4384ba1850e394e6f
+size 256

harden_sssd-ifp.service.patch

@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus

harden_sssd-kcm.service.patch

@@ -0,0 +1,28 @@
+---
+ src/sysv/systemd/sssd-kcm.service.in |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.10.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
+@@ -8,6 +8,19 @@ After=sssd-kcm.socket
+ Also=sssd-kcm.socket
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Environment=DEBUG_LOGGER=--logger=files
+ # '-H' is used with @sssdconfdir@ to support use case where /etc/sssd is a symlink.
+ # '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.

krb-noversion.diff

@@ -0,0 +1,20 @@
+From: Jan Engelhardt <jengelh@inai.de>
+Date: 2019-02-15 17:20:47.842813210 +0100
+
+Remove versions checks that need updating every iteration.
+---
+ src/external/pac_responder.m4 |    1 +
+ 1 file changed, 1 insertion(+)
+
+Index: sssd-2.0.0/src/external/pac_responder.m4
+===================================================================
+--- sssd-2.0.0.orig/src/external/pac_responder.m4
++++ sssd-2.0.0/src/external/pac_responder.m4
+@@ -11,6 +11,7 @@ then
+     AC_MSG_CHECKING(for supported MIT krb5 version)
+     KRB5_VERSION="`$KRB5_CONFIG --version`"
+     case $KRB5_VERSION in
++        *|\
+         Kerberos\ 5\ release\ 1.9* | \
+         Kerberos\ 5\ release\ 1.10* | \
+         Kerberos\ 5\ release\ 1.11* | \

sssd-2.10.0.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
-Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
-wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
-cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
-nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
-MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
-HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
-kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
-gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
-D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
-qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
-PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
-=mJVY
------END PGP SIGNATURE-----

sssd-2.10.2.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmeaLD8ACgkQ09IbKRDP
+Z1nLAxAAm9zM2u1XR3FBK6iy2xC+PoDWdu8Kh+oU0B6NgFK5LEJk9TWBdHlLpYcS
+HugTfQb5wPfUejZTk9u8TIoVIa7pTYl3kGH8RuLnEUr5lBKdYaDf5BUb8uM7YaBP
+NZQDqCFshNMMF8Z44HfRQltmqblJWj7TdFXJ8dCkRupbXjrbqiBrH5XjooLUK0dX
+/7m63at6BZFjuuFt/QvA2QbwK3fa2wUxuX0vMrD6f2zZuWptcE3zhXaa/BtPm5ZD
+8S5oC+RkKMGfLWNfIc1noXOZQIT+sGNyeUhq/QRFybcHZ+tXqJrNmfz/OWf5HZ/U
+vsJDIWv4db83asTtU3j5+ec4+fRwv7BK8X2V2UnpPOrAhN0r+zWp98BwUfSCqHlR
+E8dBlbAU3pRL1qDZG71tpIgHeDNtB42MM0UmmBY4w18nNBbp8Be6vtEbD6ktoa0P
+2uZRO9v/RgeKQTs0hfuzsbHcpd1hQmhtfwGAlxTWuGkoSjZyk2xUiV3JZ/3/kWH5
+dCU26txrtgWFqLbUhanatFrdmdKwn5hp5eP/Px330zJVTjuILlqTZ1CLAW2B5Gal
+JJT17j8ecqVedyHCkVnN9wD26ivwl8POBnrD3FfB6zKszcZewNRuKW24RyVamo6e
+k4JVMTDzjOwr31Tt6eLhU0BsPA8G8wCntl3wj36T7VWh47ncsX8=
+=vuNl
+-----END PGP SIGNATURE-----

sssd-krb5-common-rpmlintrc

@@ -0,0 +1,2 @@
+# See https://github.com/SSSD/sssd/pull/7794 for details
+addFilter("E: missing-call-to-setgroups-before-setuid")

sssd-rpmlintrc

@@ -1 +0,0 @@
-addFilter("binary-or-shlib-calls-gethostbyname")

sssd.changes

@@ -1,16 +1,43 @@
 -------------------------------------------------------------------
-Wed Oct 16 14:52:05 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
+Thu Jan 30 14:24:04 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
 
-- Daemon runs now as unprivileged user 'sssd'
-- Add sssd.permissions to set capabilities
-- Fix socket activation of responders
-- Renamed patches:
-  krb-noversion.diff -> 0001-Remove-versions-checks-that-need-updating-every-iter.patch
-  harden_sssd-ifp.service.patch -> 0002-Harden-sssd-ifp.service.patch
-  harden_sssd-kcm.service.patch -> 0003-Harden-sssd-kcm.service.patch
-  symvers.patch -> 0004-Add-symvers.patch
-  0001-sssd-always-print-path-when-config-object-is-rejecte.patch ->
-  0005-sssd-always-print-path-when-config-object-is-rejecte.patch
+- Update to release 2.10.2
+  * If the ssh responder is not running, sss_ssh_knownhosts will
+    not fail (but it will not return the keys).
+  * SSSD is now capable of handling multiple services associated
+    with the same port.
+  * sssd_pam, being a privileged binary, now clears the
+    environment and does not allow configuration of the
+    PR_SET_DUMPABLE flag as a precaution.
+
+-------------------------------------------------------------------
+Wed Jan 22 09:21:43 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop build dependency on ncsd, which has been deprecated
+  (boo#1239262).
+
+-------------------------------------------------------------------
+Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Migrate away from update-alternatives, replaced by package
+  conflicts; (bsc#1235789); (bsc#1216739);
+
+-------------------------------------------------------------------
+Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.1
+  * SSSD does not create anymore missing path components of
+    DIR:/FILE: ccache types while acquiring user's TGT. The
+    parent directory of requested ccache directory must exist and
+    the user trying to log in must have rwx access to this
+    directory. This matches behavior of /usr/bin/kinit.
+  * The option default_domain_suffix is deprecated.
+- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
+  0001-INI-relax-config-files-checks.patch,
+  0001-INI-stop-using-libini_config-for-access-check.patch,
+  0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+  (merged)
+- Add 0001-TOOL-Fix-build-parameter-name-omitted.patch
 
 -------------------------------------------------------------------
 Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
@@ -29,7 +56,12 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
   * The default value for ``ldap_id_use_start_tls`` changed from
     false to true for improved security.
   * https://github.com/SSSD/sssd/releases/tag/2.10.0
-- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
+  0001-INI-stop-using-libini_config-for-access-check.patch,
+  0001-INI-relax-config-files-checks.patch,
+  0001-Configuration-make-sure-etc-sssd-and-everything.patch
+- Fix socket activation of responders
+- Daemon runs now as unprivileged user 'sssd'
 
 -------------------------------------------------------------------
 Tue Oct  1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

sssd.permissions

@@ -1,11 +0,0 @@
-/usr/libexec/sssd/sssd_pam root:sssd 0750
- +capabilities cap_dac_read_search=p
-
-/usr/libexec/sssd/selinux_child root:sssd 0750
- +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
-
-/usr/libexec/sssd/krb5_child root:sssd 0750
- +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
-
-/usr/libexec/sssd/ldap_child root:sssd 0750
- +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep

sssd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        2.10.0
+Version:        2.10.2
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,14 +28,11 @@ Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
-Source6:        sssd.sysusers
-Source7:        sssd.permissions
-Patch1:         0001-Remove-versions-checks-that-need-updating-every-iter.patch
-Patch2:         0002-Harden-sssd-ifp.service.patch
-Patch3:         0003-Harden-sssd-kcm.service.patch
-Patch4:         0004-Add-symvers.patch
-Patch5:         0005-sssd-always-print-path-when-config-object-is-rejecte.patch
-
+Patch1:         0001-TOOL-Fix-build-parameter-name-omitted.patch
+Patch11:        krb-noversion.diff
+Patch12:        harden_sssd-ifp.service.patch
+Patch13:        harden_sssd-kcm.service.patch
+Patch14:        symvers.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -52,7 +49,7 @@ BuildRequires:  libtool
 BuildRequires:  libunistring-devel
 BuildRequires:  libxml2-tools
 BuildRequires:  libxslt-tools
-BuildRequires:  nscd
+BuildRequires:  libopenssl-3-devel
 BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
@@ -84,9 +81,6 @@ BuildRequires:  pkgconfig(libpcre2-8)
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libsemanage)
 %endif
-BuildRequires:  polkit
-BuildRequires:  sysuser-shadow
-BuildRequires:  sysuser-tools
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(ndr_krb5pac)
 BuildRequires:  pkgconfig(ndr_nbt)
@@ -107,9 +101,8 @@ BuildRequires:  pkgconfig(uuid)
 %endif
 %sysusers_requires
 %{?systemd_ordering}
-%sysusers_requires
-Requires(pre):  permissions
 Requires(post): permissions
+Requires(verify): permissions
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides:       libsss_sudo = %version-%release
@@ -118,9 +111,7 @@ Obsoletes:      libsss_sudo < %version-%release
 Provides:       sssd-common = %version-%release
 Obsoletes:      sssd-common < %version-%release
 
-# Adjust sssd.permissions if the user changes
 %global sssd_user sssd
-
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
 %define dbpath		%sssdstatedir/db
@@ -129,20 +120,17 @@ Obsoletes:      sssd-common < %version-%release
 %define gpocachepath	%sssdstatedir/gpo_cache
 %define keytabdir	%sssdstatedir/keytabs
 %define mcpath		%sssdstatedir/mc
-%define deskprofilepath	%sssdstatedir/deskprofile
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
-%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 
-# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
-# * cifs-utils one is the default (priority 20)
-# * installing SSSD should NOT switch to SSSD plugin (priority 10)
+
+%if 0%{?suse_version} >= 1600
+%define permissions_path %_datadir/permissions/permissions.d/
+%else
+%define permissions_path %_sysconfdir/permissions.d/
+%endif
+
 %define cifs_idmap_plugin       %_sysconfdir/cifs-utils/idmap-plugin
 %define cifs_idmap_lib          %_libdir/cifs-utils/cifs_idmap_sss.so
-%define cifs_idmap_name         cifs-idmap-plugin
-%define cifs_idmap_priority     10
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 
 %description
 A set of daemons to manage access to remote directories and
@@ -172,18 +160,6 @@ Requires:       %name = %version
 D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.
 
-%package polkit-rules
-Summary:        Rules for polkit integration for SSSD
-Group:          System/Daemons
-License:        GPL-3.0-or-later
-Requires:       %{name} = %{version}-%{release}
-Requires:       polkit >= 0.106
-BuildArch:      noarch
-
-%description polkit-rules
-Provides rules for polkit integration with SSSD. This is required
-for smartcard support.
-
 %package ipa
 Summary:        FreeIPA backend plugin for sssd
 License:        GPL-3.0-or-later
@@ -223,8 +199,8 @@ Summary:        SSSD helpers needed for Kerberos and GSSAPI authentication
 License:        GPL-3.0-or-later
 Group:          System/Daemons
 Requires:       cyrus-sasl-gssapi
-Requires(pre):  permissions
 Requires(post): permissions
+Requires(verify): permissions
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
@@ -268,6 +244,23 @@ Group:          System/Libraries
 The idmap_sss module provides a way for Winbind to call SSSD to map
 UIDs/GIDs and SIDs.
 
+%package cifs-idmap-plugin
+Summary:        The sssd idmap plugin for cifs.idmap
+Group:          System/Libraries
+# Conflict as per https://bugzilla.suse.com/1235789
+Provides:       cifs-idmap-plugin
+Conflicts:      cifs-idmap-plugin
+
+%description cifs-idmap-plugin
+The cifs.idmap(8) userspace helper relies on a plugin to handle the
+ID mapping. This package contains the ID mapping plugin that will use
+sssd.
+
+In SUSE systems, only one such plugin can be installed at a time
+(either the one from sssd, or from cifs-utils).
+Without the plugin, file objects in a mounted share have UID/GID of
+the original mounting process.
+
 %package -n libsss_certmap0
 Summary:        FreeIPA ID mapping library
 License:        LGPL-3.0-or-later
@@ -423,9 +416,6 @@ Security Services Daemon (sssd).
 %autosetup -p1
 
 %build
-# help configure find nscd
-export PATH="$PATH:/usr/sbin"
-
 autoreconf -fiv
 %configure \
 	--with-db-path="%dbpath" \
@@ -435,15 +425,14 @@ autoreconf -fiv
 	--with-environment-file="%_sysconfdir/sysconfig/sssd" \
 	--with-initscript=systemd \
 	--with-syslog=journald \
-	--with-pid-path="%_rundir/sssd/" \
-	--enable-nsslibdir="%_libdir" \
+	--with-pid-path="%_rundir/sssd" \
 	--enable-pammoddir="%_pam_moduledir" \
 	--with-ldb-lib-dir="%ldbdir" \
 	--with-os=suse \
 	--disable-ldb-version-check \
 	--without-python2-bindings \
 	--without-oidc-child \
-	--with-sssd-user=%{sssd_user} \
+	--with-sssd-user="%sssd_user" \
 %if 0%{?suse_version} >= 1600
 	--with-selinux=yes \
 	--with-subid
@@ -454,8 +443,6 @@ autoreconf -fiv
 %endif
 %make_build all
 
-%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
-
 %install
 # sss_obfuscate is compatible with both Python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
@@ -491,34 +478,45 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
-ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
+mkdir -p %{buildroot}%{_sysconfdir}/cifs-utils
+ln -s -f %{cifs_idmap_lib} %{buildroot}%{cifs_idmap_plugin}
+
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
-%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
+%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
 %elif 0%{?suse_version} == 1600
 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
 sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
 %endif
 
-install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
-install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
-install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
+echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
+mkdir -p "$b/%_sysusersdir"
+cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
+install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+#
+# Security considerations for capabilities, chown and stuff:
+# https://www.openwall.com/lists/oss-security/2024/12/19/1
+#
+# should match entry from %%files list
+mkdir -p "$b/%permissions_path"
+cat >"$b/%permissions_path/sssd" <<-EOF
+	%_libexecdir/sssd/sssd_pam root:sssd 0750
+	 +capabilities cap_dac_read_search=p
+	%_libexecdir/sssd/selinux_child root:sssd 0750
+	 +capabilities cap_setgid,cap_setuid=p
+	%_libexecdir/sssd/krb5_child root:sssd 0750
+	 +capabilities cap_dac_read_search,cap_setgid,cap_setuid=p
+	%_libexecdir/sssd/ldap_child root:sssd 0750
+	 +capabilities cap_dac_read_search=p
+EOF
 
 %check
 # sss_config-tests fails
 %make_build check || :
 
-%pre
-%sysusers_create_package %{name} %SOURCE6
-%service_add_pre sssd.service
-%service_add_pre sssd-autofs.service sssd-autofs.socket
-%service_add_pre sssd-nss.service sssd-nss.socket
-%service_add_pre sssd-pac.service sssd-pac.socket
-%service_add_pre sssd-pam.service sssd-pam.socket
-%service_add_pre sssd-ssh.service sssd-ssh.socket
-%service_add_pre sssd-sudo.service sssd-sudo.socket
-
+%pre -f random.pre
+%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
@@ -532,38 +530,14 @@ done
 if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 	/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
 fi
-%service_add_post sssd.service
-%service_add_post sssd-autofs.service sssd-autofs.socket
-%service_add_post sssd-nss.service sssd-nss.socket
-%service_add_post sssd-pac.service sssd-pac.socket
-%service_add_post sssd-pam.service sssd-pam.socket
-%service_add_post sssd-ssh.service sssd-ssh.socket
-%service_add_post sssd-sudo.service sssd-sudo.socket
+%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
-%{_bindir}/rm -f %{mcpath}/passwd
-%{_bindir}/rm -f %{mcpath}/group
-%{_bindir}/rm -f %{mcpath}/initgroups
-%{_bindir}/rm -f %{mcpath}/sid
-%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
-%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
-%{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
-%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
-
-%tmpfiles_create %{name}.conf
-%set_permissions %_libexecdir/%{name}/selinux_child
-%set_permissions %_libexecdir/%{name}/sssd_pam
-
-# install SSSD cifs-idmap plugin as an alternative
-update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
+%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid
+%tmpfiles_create %name.conf
+%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
 
 %preun
-%service_del_preun sssd.service
-%service_del_preun sssd-autofs.service sssd-autofs.socket
-%service_del_preun sssd-nss.service sssd-nss.socket
-%service_del_preun sssd-pac.service sssd-pac.socket
-%service_del_preun sssd-pam.service sssd-pam.socket
-%service_del_preun sssd-ssh.service sssd-ssh.socket
-%service_del_preun sssd-sudo.service sssd-sudo.socket
+%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
 %postun
 /sbin/ldconfig
@@ -571,29 +545,17 @@ if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
 	"%_sbindir/pam-config" -d --sss || :
 fi
 # del_postun includes a try-restart
-%service_del_postun sssd.service
-%service_del_postun sssd-autofs.service sssd-autofs.socket
-%service_del_postun sssd-nss.service sssd-nss.socket
-%service_del_postun sssd-pac.service sssd-pac.socket
-%service_del_postun sssd-pam.service sssd-pam.socket
-%service_del_postun sssd-ssh.service sssd-ssh.socket
-%service_del_postun sssd-sudo.service sssd-sudo.socket
+%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
-if [ ! -f "%cifs_idmap_lib" ]; then
-	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
-fi
 
 %ldconfig_scriptlets -n libsss_certmap0
 %ldconfig_scriptlets -n libipa_hbac0
 %ldconfig_scriptlets -n libsss_idmap0
 %ldconfig_scriptlets -n libsss_nss_idmap0
-%if 0%{?suse_version} < 1600
 %ldconfig_scriptlets -n libsss_simpleifp0
-%endif
 
 %verifyscript
-%verify_permissions -e %_libexecdir/%{name}/selinux_child
-%verify_permissions -e %_libexecdir/%{name}/sssd_pam
+%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
 
 %triggerun -- %name < %version-%release
 # sssd takes care of upgrading the database but it doesn't handle downgrades.
@@ -628,21 +590,15 @@ fi
 %postun kcm
 %service_del_postun sssd-kcm.service sssd-kcm.socket
 
-%pre krb5-common
-%sysusers_create_package %{name} %SOURCE6
-%sysusers_create_package %{name}-krb5-common %SOURCE6
+%pre krb5-common -f random.pre
 
 %post krb5-common
-%set_permissions %_libexecdir/%{name}/krb5_child
-%set_permissions %_libexecdir/%{name}/ldap_child
+%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
 
 %verifyscript krb5-common
-%verify_permissions -e %_libexecdir/%{name}/krb5_child
-%verify_permissions -e %_libexecdir/%{name}/ldap_child
+%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
 
-%pre proxy
-%sysusers_create_package %{name} %SOURCE6
-%sysusers_create_package %{name}-proxy %SOURCE6
+%pre proxy -f random.pre
 
 %pretrans
 # Migrate sssd.service from sssd-common to sssd
@@ -698,6 +654,11 @@ fi
 %_unitdir/sssd-sudo.socket
 %_unitdir/sssd-sudo.service
 %_sysusersdir/*sssd*
+%_tmpfilesdir/*sssd*
+%permissions_path/sssd
+%dir %_datadir/polkit-1
+%attr(0555,root,root) %dir %_datadir/polkit-1/rules.d
+%_datadir/polkit-1/rules.d/*
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
@@ -741,7 +702,6 @@ fi
 %_libdir/%name/libsss_files*
 %endif
 %_libdir/%name/libsss_iface*
-%_libdir/%name/libsss_semanage*
 %_libdir/%name/libsss_sbus*
 %_libdir/%name/libsss_simple*
 %_libdir/%name/libsss_util*
@@ -754,34 +714,33 @@ fi
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
+%attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child
 %endif
 %dir %sssdstatedir
-%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
-%attr(755,%{sssd_user},%{sssd_user}) %dir %pipepath/
-%attr(700,%{sssd_user},%{sssd_user}) %dir %pipepath/private/
-%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/
-%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/krb5.include.d
-%attr(755,%{sssd_user},%{sssd_user}) %dir %gpocachepath/
-%attr(755,%{sssd_user},%{sssd_user}) %dir %mcpath/
-%attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/
-%attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/
-%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/
-%config(noreplace) %_sysconfdir/permissions.d/sssd
+%attr(700,%sssd_user,%sssd_user) %dir %dbpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pipepath/
+%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
+%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
+%attr(755,%sssd_user,%sssd_user) %dir %mcpath/
+%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
+%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
+%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
 %if "%{?_distconfdir}" != ""
-%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/
-%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/conf.d
-%attr(0600,%{sssd_user},%{sssd_user}) %_distconfdir/sssd/sssd.conf
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
+%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
 %else
-%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/
-%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d
-%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_sysconfdir/sssd/sssd.conf
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
+%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
 %endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
@@ -800,14 +759,12 @@ fi
 %else
 %exclude %_mandir/*/*/sssd-files.5.gz
 %endif
-%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd
+%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
 %doc src/examples/sssd.conf
-%{_sysusersdir}/sssd.conf
-%{_tmpfilesdir}/sssd.conf
 #
 # sssd-client
 #
-%{_libdir}/libnss_sss.so.2
+%_libdir/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
@@ -824,12 +781,7 @@ fi
 %_mandir/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
-# cifs idmap plugin
-%dir %_sysconfdir/cifs-utils
-%cifs_idmap_plugin
-%dir %_libdir/cifs-utils
-%cifs_idmap_lib
-%ghost %_sysconfdir/alternatives/%cifs_idmap_name
+
 
 %files ad
 %dir %_libdir/%name/
@@ -892,11 +844,8 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child
-
-%files polkit-rules
-%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child
 
 %files ldap
 %dir %_libdir/%name/
@@ -913,7 +862,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_proxy.so
 %dir %_libexecdir/%name/
-%attr(0750,root,%{sssd_user}) %_libexecdir/%name/proxy_child
+%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-proxy.conf
@@ -938,6 +887,12 @@ fi
 %_libdir/samba/idmap/
 %_mandir/man8/idmap_sss.8*
 
+%files cifs-idmap-plugin
+%dir %_sysconfdir/cifs-utils
+%cifs_idmap_plugin
+%dir %_libdir/cifs-utils
+%cifs_idmap_lib
+
 %files -n libipa_hbac0
 %_libdir/libipa_hbac.so.0*
 

sssd.sysusers

@@ -1 +0,0 @@
-u     sssd   -   "System Security Services Daemon"     /run/sssd/      /sbin/nologin

symvers.patch

@@ -1,25 +1,25 @@
-From 20c2e36a1a98a5fc648d16389fc9861eb61768d3 Mon Sep 17 00:00:00 2001
 From: Jan Engelhardt <jengelh@inai.de>
-Date: Thu, 22 Dec 2022 00:09:20 +0100
-Subject: [PATCH 4/4] Add symvers
+Date: 2022-12-22 00:09:20.375896408 +0100
+References: https://bugzilla.suse.com/show_bug.cgi?id=1206592
 
 The theory for this sssd crash is that during rpm upgrading it,
 sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
-sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over
-its feet when it loads 2.7.4 .so files. Addin symvers like below should
-prevent this and pin the modules to another: sssd_be's attempt to dlopen
-libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot
-find a libsss_util.so(-2.7.4), since the system only has
-libsss_util.so(-2.8.2) at this point.
----
- Makefile.am | 47 ++++++++++++++++++++++++++++++++---------------
- 1 file changed, 32 insertions(+), 15 deletions(-)
+sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls
+over its feet when it loads 2.7.4 .so files. Addin symvers like below
+should prevent this and pin the modules to another: sssd_be's attempt
+to dlopen libsss_ldap.so(-2.7.4) will fail because
+libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
+the system only has libsss_util.so(-2.8.2) at this point.
 
-diff --git a/Makefile.am b/Makefile.am
-index 839b25eae..e79da4a40 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -964,7 +964,11 @@ libsss_debug_la_SOURCES = \
+---
+ Makefile.am |   44 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
+
+Index: sssd-2.10.1/Makefile.am
+===================================================================
+--- sssd-2.10.1.orig/Makefile.am
++++ sssd-2.10.1/Makefile.am
+@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
  libsss_debug_la_LIBADD = \
      $(SYSLOG_LIBS)
  libsss_debug_la_LDFLAGS = \
@@ -32,7 +32,7 @@ index 839b25eae..e79da4a40 100644
  
  pkglib_LTLIBRARIES += libsss_child.la
  libsss_child_la_SOURCES = src/util/child_common.c
-@@ -974,7 +978,8 @@ libsss_child_la_LIBADD = \
+@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
      $(DHASH_LIBS) \
      libsss_debug.la \
      $(NULL)
@@ -42,7 +42,7 @@ index 839b25eae..e79da4a40 100644
  
  pkglib_LTLIBRARIES += libsss_crypt.la
  
-@@ -1014,7 +1019,8 @@ libsss_crypt_la_LIBADD = \
+@@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_crypt_la_LDFLAGS = \
@@ -52,7 +52,7 @@ index 839b25eae..e79da4a40 100644
  
  pkglib_LTLIBRARIES += libsss_cert.la
  
-@@ -1039,8 +1045,9 @@ libsss_cert_la_LIBADD = \
+@@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_cert_la_LDFLAGS = \
@@ -63,7 +63,7 @@ index 839b25eae..e79da4a40 100644
  
  generate-sbus-code:
  	$(builddir)/sbus_generate.sh $(abs_srcdir)
-@@ -1141,8 +1148,9 @@ libsss_sbus_la_CFLAGS = \
+@@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_sbus_la_LDFLAGS = \
@@ -74,7 +74,7 @@ index 839b25eae..e79da4a40 100644
  
  pkglib_LTLIBRARIES += libsss_sbus_sync.la
  libsss_sbus_sync_la_SOURCES = \
-@@ -1177,8 +1185,9 @@ libsss_sbus_sync_la_CFLAGS = \
+@@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \
      $(UNICODE_LIBS) \
      $(NULL)
  libsss_sbus_sync_la_LDFLAGS = \
@@ -85,7 +85,7 @@ index 839b25eae..e79da4a40 100644
  
  pkglib_LTLIBRARIES += libsss_iface.la
  libsss_iface_la_SOURCES = \
-@@ -1207,8 +1216,9 @@ libsss_iface_la_CFLAGS = \
+@@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_la_LDFLAGS = \
@@ -96,7 +96,7 @@ index 839b25eae..e79da4a40 100644
  
  pkglib_LTLIBRARIES += libsss_iface_sync.la
  libsss_iface_sync_la_SOURCES = \
-@@ -1235,8 +1245,9 @@ libsss_iface_sync_la_CFLAGS = \
+@@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_sync_la_LDFLAGS = \
@@ -107,7 +107,7 @@ index 839b25eae..e79da4a40 100644
  
  pkglib_LTLIBRARIES += libsss_util.la
  libsss_util_la_SOURCES = \
-@@ -1333,7 +1344,8 @@ endif
+@@ -1338,7 +1349,8 @@ endif
  if BUILD_PASSKEY
  libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
  endif # BUILD_PASSKEY
@@ -115,19 +115,9 @@ index 839b25eae..e79da4a40 100644
 +libsss_util_la_LDFLAGS = -avoid-version ${symv}
 +EXTRA_libsss_util_la_DEPENDENCIES = x.sym
  
- pkglib_LTLIBRARIES += libsss_semanage.la
- libsss_semanage_la_CFLAGS = \
-@@ -1352,7 +1364,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
- endif
- 
- libsss_semanage_la_LDFLAGS = \
--    -avoid-version
-+    -avoid-version ${symv}
-+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
- 
  SSSD_INTERNAL_LTLIBS = \
      libsss_util.la \
-@@ -1368,7 +1381,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+@@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
                    $(NULL)
  
  pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@@ -136,7 +126,7 @@ index 839b25eae..e79da4a40 100644
  libipa_hbac_la_SOURCES = \
      src/lib/ipa_hbac/hbac_evaluator.c \
      src/util/sss_utf8.c
-@@ -1691,8 +1704,9 @@ libifp_iface_la_CFLAGS = \
+@@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_la_LDFLAGS = \
@@ -147,7 +137,7 @@ index 839b25eae..e79da4a40 100644
  
  pkglib_LTLIBRARIES += libifp_iface_sync.la
  libifp_iface_sync_la_SOURCES = \
-@@ -1717,8 +1731,9 @@ libifp_iface_sync_la_CFLAGS = \
+@@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_sync_la_LDFLAGS = \
@@ -158,7 +148,7 @@ index 839b25eae..e79da4a40 100644
  
  sssd_ifp_SOURCES = \
      src/responder/ifp/ifpsrv.c \
-@@ -4352,8 +4367,9 @@ libsss_ldap_common_la_LIBADD = \
+@@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_ldap_common_la_LDFLAGS = \
@@ -169,7 +159,7 @@ index 839b25eae..e79da4a40 100644
  if BUILD_SYSTEMTAP
  libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
  endif
-@@ -4410,7 +4426,8 @@ libsss_krb5_common_la_LIBADD = \
+@@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_krb5_common_la_LDFLAGS = \
@@ -179,6 +169,3 @@ index 839b25eae..e79da4a40 100644
  
  libsss_ldap_la_SOURCES = \
      src/providers/ldap/ldap_init.c \
--- 
-2.46.1
-