scabrero/sssd
SHA256
1
0
Fork 1
forked from pool/sssd
Code Pull Requests Activity

Compare commits

base: scabrero:sssd-2-10-update
Branches Tags
scabrero:factory scabrero:master scabrero:rpmlintrc scabrero:bsc1236031 scabrero:remove-u-a scabrero:sssd-2-10-update scabrero:sssd-2-10-dirty scabrero:fix-slfo-build pool:slfo-1.2 pool:slfo-main pool:factory pool:devel
..
compare: scabrero:sssd-2-10-dirty
Branches Tags
scabrero:master scabrero:rpmlintrc scabrero:bsc1236031 scabrero:remove-u-a scabrero:sssd-2-10-update scabrero:sssd-2-10-dirty scabrero:fix-slfo-build scabrero:factory pool:slfo-1.2 pool:slfo-main pool:factory pool:devel

5 Commits
sssd-2-10- ... sssd-2-10-

Author SHA256 Message Date
Samuel Cabrero
5594f1d5a9 Update patches for 2.10.0 2024-10-16 14:19:19 +02:00
Samuel Cabrero
da3ea7db5b Update to 2.10.0 
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
 2024-10-16 13:57:45 +02:00
Samuel Cabrero
6b181b9260 wip 2024-10-01 11:56:51 +02:00
Samuel Cabrero
5165cf2176 Fix python3-fix-shebang-path 2024-09-30 14:28:11 +02:00
Samuel Cabrero
8aeefcbe42 builds 2024-09-30 13:23:29 +02:00
5 changed files with 82 additions and 202 deletions
Expand all files Collapse all files

73
0005-sssd-always-print-path-when-config-object-is-rejecte.patch
View File

@@ -1,73 +0,0 @@
From 2b7915dd84a6b8c3ee26e45357283677fe22f2cb Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Wed, 16 Oct 2024 09:55:50 +0200
Subject: [PATCH] sssd: always print path when config object is rejected
Observed:
```
Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
```
Expected:
_Well yes, but **which one**_!?
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/util/sss_ini.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index 7f9824d88..2a611eb8c 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_open(self, config_file, "[sssd]\n");
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "The sss_ini_open failed %s: %d\n",
+ "sss_ini_open on %s failed: %d\n",
config_file,
ret);
return ERR_INI_OPEN_FAILED;
@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_access_check(self);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Permission check on config file failed.\n");
+ "Permission check on config file %s failed: %d\n",
+ config_file, ret);
return ERR_INI_INVALID_PERMISSION;
}
} else {
DEBUG(SSSDBG_CONF_SETTINGS,
- "File %1$s does not exist.\n",
- (config_file ? config_file : "NULL"));
+ "File %s does not exist.\n", config_file);
}
ret = sss_ini_parse(self);
if (ret != EOK) {
sss_ini_config_print_errors(self->error_list);
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
+ config_file, ret);
return ERR_INI_PARSE_FAILED;
}
ret = sss_ini_add_snippets(self, config_dir);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Error while reading configuration directory.\n");
+ "Error while reading configuration directory %s: %d\n",
+ config_dir, ret);
return ERR_INI_ADD_SNIPPETS_FAILED;
}
--
2.47.0

1
TODO Normal file
View File

@@ -0,0 +1 @@
* cifs idmap plugin alternatives

55
sssd.changes
View File

@@ -1,58 +1,3 @@
-------------------------------------------------------------------
Wed Oct 16 14:52:05 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Daemon runs now as unprivileged user 'sssd'
- Add sssd.permissions to set capabilities
- Fix socket activation of responders
- Renamed patches:
krb-noversion.diff -> 0001-Remove-versions-checks-that-need-updating-every-iter.patch
harden_sssd-ifp.service.patch -> 0002-Harden-sssd-ifp.service.patch
harden_sssd-kcm.service.patch -> 0003-Harden-sssd-kcm.service.patch
symvers.patch -> 0004-Add-symvers.patch
0001-sssd-always-print-path-when-config-object-is-rejecte.patch ->
0005-sssd-always-print-path-when-config-object-is-rejecte.patch
-------------------------------------------------------------------
Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.0
* The ``sssctl cache-upgrade`` command was removed. SSSD
performs automatic upgrades at startup when needed.
* Support of ``enumeration`` feature (i.e. ability to list all
users/groups using ``getent passwd/group`` without argument)
for AD/IPA providers is deprecated and might be removed in
further releases.
* The new tool ``sss_ssh_knownhosts`` can be used with ssh's
``KnownHostsCommand`` configuration option to retrieve the
host's public keys from a remote server (FreeIPA, LDAP,
etc.). It replaces ```sss_ssh_knownhostsproxy``.
* The default value for ``ldap_id_use_start_tls`` changed from
false to true for improved security.
* https://github.com/SSSD/sssd/releases/tag/2.10.0
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
-------------------------------------------------------------------
Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Update filelists involving memberof.so and idmap/sss.so to
avoid gobbling up one file into multiple sssd subpackages.
(Between samba-4.20 and 4.21, %ldbdir changes from
/usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now
`%_libdir/samba` is a bit too broad.)
-------------------------------------------------------------------
Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
python3_fix_shebang_path RPM macro is not available
-------------------------------------------------------------------
Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Revert the change dropping the default configuration file. If
/usr/etc exists will be installed there, otherwise in /etc.
(bsc#1226157);
-------------------------------------------------------------------
Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

136
sssd.spec
View File

@@ -24,8 +24,8 @@ License: GPL-3.0-or-later AND LGPL-3.0-or-later
Group: System/Daemons
URL: https://github.com/SSSD/sssd
#Git-Clone: https://github.com/SSSD/sssd
Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
Source: https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0.tar.gz
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0.tar.gz.asc
Source3: baselibs.conf
Source5: %name.keyring
Source6: sssd.sysusers
@@ -34,7 +34,6 @@ Patch1: 0001-Remove-versions-checks-that-need-updating-every-iter.patch
Patch2: 0002-Harden-sssd-ifp.service.patch
Patch3: 0003-Harden-sssd-kcm.service.patch
Patch4: 0004-Add-symvers.patch
Patch5: 0005-sssd-always-print-path-when-config-object-is-rejecte.patch
BuildRequires: autoconf >= 2.59
BuildRequires: automake
@@ -57,22 +56,19 @@ BuildRequires: nss_wrapper
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pkg-config >= 0.21
BuildRequires: python3-wheel
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: uid_wrapper
BuildRequires: pkgconfig(augeas) >= 1.0.0
BuildRequires: pkgconfig(collection) >= 0.5.1
BuildRequires: pkgconfig(dbus-1) >= 1.0.0
BuildRequires: pkgconfig(dhash) >= 0.4.2
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(ini_config) >= 1.3
BuildRequires: pkgconfig(ini_config) >= 1.1.0
BuildRequires: pkgconfig(jansson)
BuildRequires: pkgconfig(ldb) >= 1.2.0
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(ldb) >= 0.9.2
BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libcrypto) >= 1.0.1
BuildRequires: pkgconfig(libcrypto)
%if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(libcurl)
%endif
@@ -105,7 +101,6 @@ BuildRequires: pkgconfig(uuid)
# Package contains just config files, not needed for build.
#!BuildIgnore: libldap-data
%endif
%sysusers_requires
%{?systemd_ordering}
%sysusers_requires
Requires(pre): permissions
@@ -131,7 +126,6 @@ Obsoletes: sssd-common < %version-%release
%define mcpath %sssdstatedir/mc
%define deskprofilepath %sssdstatedir/deskprofile
%define ldbdir %(pkg-config ldb --variable=modulesdir)
%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@@ -145,11 +139,11 @@ Requires(post): update-alternatives
Requires(postun): update-alternatives
%description
A set of daemons to manage access to remote directories and
authentication mechanisms. sssd provides an NSS and PAM interfaces
toward the system and a pluggable backend system to connect to
multiple different account sources. It is also the basis to provide
client auditing and policy services for projects like FreeIPA.
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.
%package ad
Summary: The ActiveDirectory backend plugin for sssd
@@ -159,8 +153,9 @@ Requires: %name-krb5-common = %version-%release
Requires: adcli
%description ad
A back-end provider that the SSSD can utilize to fetch identity data
from, and authenticate with, an Active Directory server.
Provides the Active Directory back end that the SSSD can utilize to
fetch identity data from and authenticate against an Active Directory
server.
%package dbus
Summary: The D-Bus responder of sssd
@@ -169,7 +164,7 @@ Group: System/Base
Requires: %name = %version
%description dbus
D-Bus responder of sssd, called InfoPipe, which allows
Provides the D-Bus responder of sssd, called InfoPipe, which allows
information from sssd to be transmitted over the system bus.
%package polkit-rules
@@ -195,8 +190,8 @@ Obsoletes: %name-ipa-provider < %version-%release
Provides: %name-ipa-provider = %version-%release
%description ipa
A back-end provider that the SSSD can utilize to fetch identity data
from, and authenticate with, an IPA server.
Provides the IPA back end that the SSSD can utilize to fetch identity
data from and authenticate against an IPA server.
%package kcm
Summary: SSSD's Kerberos cache manager
@@ -215,8 +210,8 @@ Group: System/Daemons
Requires: %name-krb5-common = %version-%release
%description krb5
A back-end provider that the SSSD can utilize to authenticate against
a Kerberos server.
Provides the Kerberos back end that the SSSD can utilize authenticate
against a Kerberos server.
%package krb5-common
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
@@ -237,8 +232,8 @@ Group: System/Daemons
Requires: %name-krb5-common = %version-%release
%description ldap
A back-end provider that the SSSD can utilize to fetch identity data
from, and authenticate with, an LDAP server.
Provides the LDAP back end that the SSSD can utilize to fetch
identity data from and authenticate against an LDAP server.
%package proxy
Summary: The proxy backend plugin for sssd
@@ -246,8 +241,8 @@ License: GPL-3.0-or-later
Group: System/Daemons
%description proxy
A back-end provider which can be used to wrap existing NSS and/or PAM
modules to leverage SSSD caching. (This can replace nscd.)
Provides the proxy back end which can be used to wrap an existing NSS
and/or PAM modules to leverage SSSD caching.
%package tools
Summary: Commandline tools for sssd
@@ -257,7 +252,7 @@ Requires: python3-sssd-config = %version-%release
Requires: sssd = %version
%description tools
The packages contains command-line tools for managing users and groups using
The packages contains commandline tools for managing users and groups using
the "local" id provider of the System Security Services Daemon (sssd).
%package winbind-idmap
@@ -274,7 +269,7 @@ License: LGPL-3.0-or-later
Group: System/Libraries
%description -n libsss_certmap0
A utility library for FreeIPA to map certificates.
A utility library for FreeIPA to map certs.
%package -n libsss_certmap-devel
Summary: Development files for the FreeIPA certmap library
@@ -283,7 +278,7 @@ Group: Development/Libraries/C and C++
Requires: libsss_certmap0 = %version
%description -n libsss_certmap-devel
A utility library for FreeIPA to map certificates.
A utility library for FreeIPA to map certs.
%package -n libipa_hbac0
Summary: FreeIPA HBAC Evaluator library
@@ -347,6 +342,7 @@ Requires: libsss_nss_idmap0 = %version
%description -n libsss_nss_idmap-devel
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%if 0%{?suse_version} < 1600
%package -n libsss_simpleifp0
Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later
@@ -369,6 +365,7 @@ Requires: libsss_simpleifp0 = %version
This subpackage provides the development files for sssd's simpleifp,
a library that simplifies the D-Bus API for the SSSD InfoPipe
responder.
%endif
%package -n libsss_sudo
Summary: A library to allow communication between sudo and SSSD
@@ -428,6 +425,9 @@ export PATH="$PATH:/usr/sbin"
autoreconf -fiv
%configure \
--runstatedir=%{_rundir} \
--disable-rpath \
--disable-static \
--with-db-path="%dbpath" \
--with-pipe-path="%pipepath" \
--with-pubconf-path="%pubconfpath" \
@@ -435,7 +435,7 @@ autoreconf -fiv
--with-environment-file="%_sysconfdir/sysconfig/sssd" \
--with-initscript=systemd \
--with-syslog=journald \
--with-pid-path="%_rundir/sssd/" \
--with-pid-path="%_rundir" \
--enable-nsslibdir="%_libdir" \
--enable-pammoddir="%_pam_moduledir" \
--with-ldb-lib-dir="%ldbdir" \
@@ -449,15 +449,16 @@ autoreconf -fiv
--with-subid
%else
--with-selinux=no \
--with-semanage=no \
--with-libsifp \
--with-files-provider
%endif
%make_build all
%make_build all runstatedir=%{_rundir}
%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
%install
# sss_obfuscate is compatible with both Python 2 and 3
# sss_obfuscate is compatible with both python 2 and 3
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
%make_install dbuspolicydir=%_datadir/dbus-1/system.d
b="%buildroot"
@@ -491,14 +492,14 @@ find "$b" -type f -name "*.la" -print -delete
%find_lang %name --all-name
# dummy target for cifs-idmap-plugin
mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
%python3_fix_shebang
%if 0%{?suse_version} > 1600
%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
%elif 0%{?suse_version} == 1600
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
%endif
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
@@ -567,7 +568,7 @@ update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_li
%postun
/sbin/ldconfig
if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
"%_sbindir/pam-config" -d --sss || :
fi
# del_postun includes a try-restart
@@ -583,18 +584,23 @@ if [ ! -f "%cifs_idmap_lib" ]; then
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
fi
%ldconfig_scriptlets -n libsss_certmap0
%ldconfig_scriptlets -n libipa_hbac0
%ldconfig_scriptlets -n libsss_idmap0
%ldconfig_scriptlets -n libsss_nss_idmap0
%if 0%{?suse_version} < 1600
%ldconfig_scriptlets -n libsss_simpleifp0
%endif
%verifyscript
%verify_permissions -e %_libexecdir/%{name}/selinux_child
%verify_permissions -e %_libexecdir/%{name}/sssd_pam
%post -n libsss_certmap0 -p /sbin/ldconfig
%postun -n libsss_certmap0 -p /sbin/ldconfig
%post -n libipa_hbac0 -p /sbin/ldconfig
%postun -n libipa_hbac0 -p /sbin/ldconfig
%post -n libsss_idmap0 -p /sbin/ldconfig
%postun -n libsss_idmap0 -p /sbin/ldconfig
%post -n libsss_nss_idmap0 -p /sbin/ldconfig
%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
%if 0%{?suse_version} < 1600
%post -n libsss_simpleifp0 -p /sbin/ldconfig
%postun -n libsss_simpleifp0 -p /sbin/ldconfig
%endif
%triggerun -- %name < %version-%release
# sssd takes care of upgrading the database but it doesn't handle downgrades.
# Clear caches when downgrading the package, which may have an
@@ -648,13 +654,13 @@ fi
# Migrate sssd.service from sssd-common to sssd
systemctl is-enabled sssd.service > /dev/null
if [ $? -eq 0 ]; then
mkdir -p /run/systemd/rpm/
touch /run/systemd/rpm/sssd-was-enabled
mkdir -p /run/systemd/rpm/
touch /run/systemd/rpm/sssd-was-enabled
fi
systemctl is-active sssd.service > /dev/null
if [ $? -eq 0 ]; then
mkdir -p /run/systemd/rpm/
touch /run/systemd/rpm/sssd-was-active
mkdir -p /run/systemd/rpm/
touch /run/systemd/rpm/sssd-was-active
fi
%posttrans
@@ -666,20 +672,20 @@ done
%endif
# Migrate sssd.service from sssd-common to sssd
if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
systemctl is-enabled sssd.service >/dev/null
if [ $? -ne 0 ]; then
systemctl is-enabled sssd.service > /dev/null
if [ $? -ne 0 ]; then
echo "Migrating sssd.service, was enabled"
systemctl enable sssd.service
fi
rm /run/systemd/rpm/sssd-was-enabled
fi
rm /run/systemd/rpm/sssd-was-enabled
fi
if [ -e /run/systemd/rpm/sssd-was-active ]; then
systemctl is-active sssd.service >/dev/null
if [ $? -ne 0 ]; then
systemctl is-active sssd.service > /dev/null
if [ $? -ne 0 ]; then
echo "Migrating sssd.service, was active"
systemctl start sssd.service
fi
rm /run/systemd/rpm/sssd-was-active
fi
rm /run/systemd/rpm/sssd-was-active
fi
%files -f sssd.lang
@@ -697,7 +703,6 @@ fi
%_unitdir/sssd-ssh.service
%_unitdir/sssd-sudo.socket
%_unitdir/sssd-sudo.service
%_sysusersdir/*sssd*
%_bindir/sss_ssh_*
%_sbindir/sssd
%if 0%{?suse_version} < 1600
@@ -748,19 +753,19 @@ fi
%dir %_libdir/%name/modules/
%_libdir/%name/modules/libsss_autofs.so
%_libdir/libsss_sudo.so
%ldbdir/
%ldbdir/memberof.so
%dir %_libexecdir/%name/
%_libexecdir/%name/p11_child
%_libexecdir/%name/sssd_autofs
%_libexecdir/%name/sssd_be
%_libexecdir/%name/sssd_nss
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/sssd_pam
%_libexecdir/%name/sssd_ssh
%_libexecdir/%name/sssd_sudo
%_libexecdir/%name/sss_signal
%_libexecdir/%name/sssd_check_socket_activated_responders
%if 0%{?suse_version} >= 1600
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/selinux_child
%endif
%dir %sssdstatedir
%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
@@ -892,8 +897,8 @@ fi
%dir %_libdir/%name/
%_libdir/%name/libsss_krb5_common.so
%dir %_libexecdir/%name/
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/krb5_child
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/ldap_child
%files polkit-rules
%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules
@@ -934,8 +939,9 @@ fi
%python3_sitelib/sssd/
%files winbind-idmap
%dir %_libdir/samba/
%_libdir/samba/idmap/
%dir %_libdir/samba
%dir %_libdir/samba/idmap
%_libdir/samba/idmap/sss.so
%_mandir/man8/idmap_sss.8*
%files -n libipa_hbac0

3
sssd.sysusers
View File

@@ -1 +1,2 @@
u sssd - "System Security Services Daemon" /run/sssd/ /sbin/nologin
# Type Name ID GECOS [HOME] [SHELL]
u sssd - "User for sssd" /run/sssd/ /sbin/nologin