import authselect-1.2.5-1.el9

This commit is contained in:
CentOS Sources 2022-11-15 01:53:41 -05:00 committed by Stepan Oksanichenko
parent 77518afb47
commit 244df81de1
9 changed files with 115 additions and 341 deletions

View File

@ -1 +1 @@
3f004c30e9f07c0dd259403f1cd9f13c5ec297ce SOURCES/authselect-1.2.3.tar.gz
4eb7fbb53b31d92f0fae17d6fd5e5da46bc8b434 SOURCES/authselect-1.2.5.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/authselect-1.2.3.tar.gz
SOURCES/authselect-1.2.5.tar.gz

View File

@ -1,31 +0,0 @@
From 6924b8f8d82ecd32e897cf5f441e5c87f8816859 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 22 Jul 2021 11:29:20 +0200
Subject: [PATCH] lib: avoid freeing uninitialized variable in
authselect_apply_changes()
If authselect_profile() fails, we goto done and try to free uninitialized
variable.
Resolves:
https://github.com/authselect/authselect/issues/265
---
src/lib/authselect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/authselect.c b/src/lib/authselect.c
index 0f43e12202c16769dfc6ac7dee41812159cc1d3a..a901e02719713bd13d5a4fab606ee713b3d6ddca 100644
--- a/src/lib/authselect.c
+++ b/src/lib/authselect.c
@@ -163,7 +163,7 @@ authselect_uninstall(void)
_PUBLIC_ int
authselect_apply_changes(void)
{
- struct authselect_profile *profile;
+ struct authselect_profile *profile = NULL;
char **supported = NULL;
char *profile_id;
char **features;
--
2.31.1

View File

@ -1,7 +1,7 @@
From 2e2a7143cbfa719905cb130a5e67313c65bf3b65 Mon Sep 17 00:00:00 2001
From c3c2c3b7ffe04dc2e810c9fffdd82689543a94df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Oct 2018 14:08:12 +0100
Subject: [PATCH 1/3] rhel9: remove mention of Fedora Change page in compat
Subject: [PATCH 1/4] rhel9: remove mention of Fedora Change page in compat
tool
---
@ -9,10 +9,10 @@ Subject: [PATCH 1/3] rhel9: remove mention of Fedora Change page in compat
1 file changed, 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index f879e08eb94e9620dfc28f245b0ea5815df7e4f2..e4b8c05c6a11a215529ba66f8b36b72a6ac18448 100755
index 1a68d95c71b51beabe80e9b07c084ea9c2f3580d..8334293911d1d4c2d98a6d233b91fc348cf06575 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -468,7 +468,6 @@ class AuthCompat:
@@ -471,7 +471,6 @@ class AuthCompat:
"It does not provide all capabilities of authconfig.\n"))
print(_("IMPORTANT: authconfig is replaced by authselect, "
"please update your scripts."))
@ -21,5 +21,5 @@ index f879e08eb94e9620dfc28f245b0ea5815df7e4f2..e4b8c05c6a11a215529ba66f8b36b72a
options = self.options.getSetButUnsupported()
--
2.29.2
2.34.1

View File

@ -1,7 +1,7 @@
From 6de7d2e033d67f23b33620a2b80f5a6c106bd6f5 Mon Sep 17 00:00:00 2001
From 9da7355f1e2c8a148d4730fec4c4707c56e6dfa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 10 Jun 2019 10:53:15 +0200
Subject: [PATCH 2/3] rhel9: remove ecryptfs support
Subject: [PATCH 2/4] rhel9: remove ecryptfs support
---
profiles/nis/README | 3 ---
@ -26,7 +26,7 @@ Subject: [PATCH 2/3] rhel9: remove ecryptfs support
19 files changed, 3 insertions(+), 36 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 5dbb9b49fb7708ef3b073aff7e1883e3f9a0bd06..cac3428bf844b0a9d251015988583f4c1b15c3c9 100644
index 895e8fa8650c04d41bf8bc8d6e3cda18db9bf814..71e23d61a8c1ea773c98524256a5eaad5a75d197 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -21,9 +21,6 @@ with-mkhomedir::
@ -40,10 +40,10 @@ index 5dbb9b49fb7708ef3b073aff7e1883e3f9a0bd06..cac3428bf844b0a9d251015988583f4c
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 756993cf1b2095f505208df19dd739dcaed1af31..eebec6d0d6edeae6a3eb224f0ff284016b0fc642 100644
index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be2982bdf36cb 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -13,7 +13,6 @@ password required pam_deny.so
@@ -15,7 +15,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -52,10 +52,10 @@ index 756993cf1b2095f505208df19dd739dcaed1af31..eebec6d0d6edeae6a3eb224f0ff28401
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..9a8ae9cde644a4ac981f4b9553af2f0f428bfebb 100644
index f181a58ab7792c7e1a4234e677cbb7e3d0a6548d..79fb521eb5dff4978203166491b185887d1ec744 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -17,7 +17,6 @@ password required pam_deny.so
@@ -18,7 +18,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -76,10 +76,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 057b31e074f29c46b492fa310a954e281631800e..2e7462983d35e4a2f5cef8151ed53baaf7e5c790 100644
index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae849d1186fc 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
@@ -19,7 +19,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -88,7 +88,7 @@ index 057b31e074f29c46b492fa310a954e281631800e..2e7462983d35e4a2f5cef8151ed53baa
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 95ef5dc785ed0530122837b5e08d03590ed1ada5..ac063e8d065d0488279dc2381bdd7f8ac361bfcb 100644
index 61d5aedf65b2351cf23cea0a6b6b0932e32f0e48..ab9af237442089ded86b63942dd856397108ccf0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -40,9 +40,6 @@ with-mkhomedir::
@ -102,10 +102,10 @@ index 95ef5dc785ed0530122837b5e08d03590ed1ada5..ac063e8d065d0488279dc2381bdd7f8a
Enable authentication with smartcards through SSSD. Please note that
smartcard support must be also explicitly enabled within
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index fe3cac7a976845017d034ac1158a38f889926ce8..ad0a95440ebd006ff88264177598c77afc472dda 100644
index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e5232126df55564 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
@@ -20,7 +20,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -114,10 +114,10 @@ index fe3cac7a976845017d034ac1158a38f889926ce8..ad0a95440ebd006ff88264177598c77a
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..6d87cbe0a805bf5d3ab2a6192d570b9e5c6dc143 100644
index 3e33dcc09f68055f2f87709e638005929bd577b3..858c6db357d07dc554806f4807f9b0858a649f44 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -27,7 +27,6 @@ password required pam_deny.so
@@ -28,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -138,10 +138,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 230269c42508a50ad5b4677ab6514b9afe4d5fbf..874ffaca1b2c15c81adc4ca130c15834154bdc0e 100644
index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b963caa3b 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,6 @@ account required pam_permit.so
@@ -18,7 +18,6 @@ account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -150,10 +150,10 @@ index 230269c42508a50ad5b4677ab6514b9afe4d5fbf..874ffaca1b2c15c81adc4ca130c15834
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 6f914ea91eb7782d60959ced56112f9cc1365347..dfc53b4ce55a0d575dc4fe68004a846f43360ccc 100644
index a43341120f55bad3fb07dfea1c04453d0a278329..88c49e2dd5b60847d1d19154622a8614a21e5e1f 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,7 +32,6 @@ password required pam_deny.so
@@ -35,7 +35,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -162,7 +162,7 @@ index 6f914ea91eb7782d60959ced56112f9cc1365347..dfc53b4ce55a0d575dc4fe68004a846f
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index 40a1a459355d2ee8ab98e31d2868cb24261e2c17..0e80bb697f8050ac8eb3c78d4f41945b9bcbba29 100644
index 0048c29256f5d4064edfb84a2f4b761fd09e90f6..6f7a7cab1efc768c4c82791d6a8f00def1771d37 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -33,9 +33,6 @@ with-mkhomedir::
@ -176,10 +176,10 @@ index 40a1a459355d2ee8ab98e31d2868cb24261e2c17..0e80bb697f8050ac8eb3c78d4f41945b
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index c4b8261ca45d4f6b9eda03ea96850bb32d605d30..6262549af2ca8aed540e7a7e1d97e0ba3b2ef088 100644
index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a41202d21fd67 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -17,7 +17,6 @@ password required pam_deny.so
@@ -19,7 +19,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -188,10 +188,10 @@ index c4b8261ca45d4f6b9eda03ea96850bb32d605d30..6262549af2ca8aed540e7a7e1d97e0ba
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index bbeca057d49102889e3eeee040ea256dbd751eef..aef4d5ce6a6ec9496deabc1010cde0370a3ecba7 100644
index 58705f3b15165c8d8bd4938889e3fb4d89c1a528..e84e2fcbb2bad9af6156e6e6db23f089f2b5d210 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -24,7 +24,6 @@ password required pam_deny.so
@@ -25,7 +25,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -212,10 +212,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..e4bdd0bf1c315c86cc8064625b80161baa5c455f 100644
index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a0a53a03e 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -25,7 +25,6 @@ password required pam_deny.so
@@ -26,7 +26,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -224,39 +224,39 @@ index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..e4bdd0bf1c315c86cc8064625b80161b
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755
index 8334293911d1d4c2d98a6d233b91fc348cf06575..55e205bae2c0b1f7892f8b286c288dfeaa26a60d 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -520,7 +520,6 @@ class AuthCompat:
'smartcard' : 'with-smartcard',
'requiresmartcard' : 'with-smartcard-required',
'fingerprint' : 'with-fingerprint',
- 'ecryptfs' : 'with-ecryptfs',
'mkhomedir' : 'with-mkhomedir',
'faillock' : 'with-faillock',
'pamaccess' : 'with-pamaccess',
@@ -523,7 +523,6 @@ class AuthCompat:
'smartcard': 'with-smartcard',
'requiresmartcard': 'with-smartcard-required',
'fingerprint': 'with-fingerprint',
- 'ecryptfs': 'with-ecryptfs',
'mkhomedir': 'with-mkhomedir',
'faillock': 'with-faillock',
'pamaccess': 'with-pamaccess',
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644
index d26dedabdfb9519861076b58cddd0dd0eb04b7cb..5c8b21b55014198d6d9dfc98bd807c3c922b06f4 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -93,7 +93,6 @@ class Options:
Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued ("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued ("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
Option.Valued("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard", _("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
@@ -141,6 +140,7 @@ class Options:
# layers and will produce warning when used. They will not affect
# the system.
Option.UnsupportedFeature("cache"),
+ Option.UnsupportedFeature("ecryptfs"),
Option.UnsupportedFeature("shadow"),
Option.UnsupportedSwitch ("useshadow"),
Option.UnsupportedSwitch("useshadow"),
Option.UnsupportedFeature("md5"),
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd42472741 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -80,7 +80,6 @@ configuration file for required services.
@ -267,7 +267,7 @@ index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c8
|--enablemkhomedir |with-mkhomedir
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
@@ -95,8 +94,8 @@ authselect select sssd with-faillock
@@ -103,8 +102,8 @@ authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
@ -279,5 +279,5 @@ index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c8
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
--
2.29.2
2.34.1

View File

@ -1,11 +1,9 @@
From 259e4e50a97a5196436e3d7ed42d2ecf0be3203f Mon Sep 17 00:00:00 2001
From 6381b49e90b3850fade68c8af03b17d0cc016d3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 31 May 2021 15:42:49 +0200
Subject: [PATCH] rhel9: remove support for for resolved
Date: Wed, 25 Nov 2020 14:05:00 +0100
Subject: [PATCH 3/4] rhel9: Revert "profiles: add support for resolved"
systemd-resolved is an experimental feature at this point and it
should not be enabled by default. Steps to switch this feature on
will be documented in RHEL guide.
systemd-resolved should not be enabled by default on rhel8.
This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54.
---
@ -40,5 +38,5 @@ index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e
netgroup: files nis {exclude if "with-custom-netgroup"}
networks: files nis {exclude if "with-custom-networks"}
--
2.31.1
2.34.1

View File

@ -1,34 +1,30 @@
From 7236f7a303215805de7195a8fdef7567543e8b0b Mon Sep 17 00:00:00 2001
From fde1c60f1e87383596ee7060f4d748675b2efae9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 9 Jun 2021 13:59:01 +0200
Subject: [PATCH] rhel9: remove nis support
Subject: [PATCH 4/4] rhel9: remove nis support
NIS is no longer supported in RHEL9.
---
profiles/Makefile.am | 13 ----
profiles/nis/README | 111 ----------------------------
profiles/nis/REQUIREMENTS | 13 ----
profiles/nis/dconf-db | 3 -
profiles/nis/dconf-locks | 2 -
profiles/nis/nsswitch.conf | 14 ----
profiles/nis/postlogin | 4 -
rpm/authselect.spec.in | 10 ---
src/compat/authcompat.py.in.in | 95 ------------------------
src/compat/authcompat_Options.py | 8 +-
src/man/authselect-migration.7.adoc | 2 +-
11 files changed, 6 insertions(+), 269 deletions(-)
delete mode 100644 profiles/nis/README
delete mode 100644 profiles/nis/REQUIREMENTS
profiles/Makefile.am | 14 -----
profiles/nis/dconf-db | 3 -
profiles/nis/dconf-locks | 2 -
profiles/nis/nsswitch.conf | 14 -----
profiles/nis/postlogin | 4 --
rpm/authselect.spec.in | 11 ----
src/compat/authcompat.py.in.in | 95 -----------------------------
src/compat/authcompat_Options.py | 8 ++-
src/man/authselect-migration.7.adoc | 2 +-
9 files changed, 6 insertions(+), 147 deletions(-)
delete mode 100644 profiles/nis/dconf-db
delete mode 100644 profiles/nis/dconf-locks
delete mode 100644 profiles/nis/nsswitch.conf
delete mode 100644 profiles/nis/postlogin
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
index 95e27147b2b0a229a76a293884d605484d3fa841..c658521de01130f19f669fe0a6cb86c11043a406 100644
index 7191b2604ca2c9ebaba3a4f1beb950e7d0e03970..4ab613f42a581df02c427636a0070092b58ec418 100644
--- a/profiles/Makefile.am
+++ b/profiles/Makefile.am
@@ -13,19 +13,6 @@ dist_profile_minimal_DATA = \
@@ -15,20 +15,6 @@ dist_profile_minimal_DATA = \
$(top_srcdir)/profiles/minimal/dconf-locks \
$(NULL)
@ -39,6 +35,7 @@ index 95e27147b2b0a229a76a293884d605484d3fa841..c658521de01130f19f669fe0a6cb86c1
- $(top_srcdir)/profiles/nis/postlogin \
- $(top_srcdir)/profiles/nis/README \
- $(top_srcdir)/profiles/nis/REQUIREMENTS \
- $(top_srcdir)/profiles/nis/smartcard-auth \
- $(top_srcdir)/profiles/nis/system-auth \
- $(top_srcdir)/profiles/nis/fingerprint-auth \
- $(top_srcdir)/profiles/nis/dconf-db \
@ -48,142 +45,6 @@ index 95e27147b2b0a229a76a293884d605484d3fa841..c658521de01130f19f669fe0a6cb86c1
profile_sssddir = $(authselect_profile_dir)/sssd
dist_profile_sssd_DATA = \
$(top_srcdir)/profiles/sssd/nsswitch.conf \
diff --git a/profiles/nis/README b/profiles/nis/README
deleted file mode 100644
index cac3428bf844b0a9d251015988583f4c1b15c3c9..0000000000000000000000000000000000000000
--- a/profiles/nis/README
+++ /dev/null
@@ -1,111 +0,0 @@
-Enable NIS for system authentication
-====================================
-
-Selecting this profile will enable Network Information Services as the source
-of identity and authentication providers.
-
-NIS CONFIGURATION
------------------
-
-Authselect does not touch NIS configuration. Please, read NIS' documentation
-to see how to configure it manually.
-
-AVAILABLE OPTIONAL FEATURES
----------------------------
-
-with-faillock::
- Enable account locking in case of too many consecutive
- authentication failures.
-
-with-mkhomedir::
- Enable automatic creation of home directories for users on their
- first login.
-
-with-fingerprint::
- Enable authentication with fingerprint reader through *pam_fprintd*.
-
-with-pam-u2f::
- Enable authentication via u2f dongle through *pam_u2f*.
-
-with-pam-u2f-2fa::
- Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
-
-without-pam-u2f-nouserok::
- Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
- *WARNING*: Omitting nouserok argument means that users without pam-u2f
- authentication configured will not be able to log in *INCLUDING* root.
- Make sure you are able to log in before losing root privileges.
-
-with-silent-lastlog::
- Do not produce pam_lastlog message during login.
-
-with-pamaccess::
- Check access.conf during account authorization.
-
-with-nispwquality::
- If this option is set pam_pwquality module will check password quality
- for NIS users as well as local users during password change. Without this
- option only local users passwords are checked.
-
-without-nullok::
- Do not add nullok parameter to pam_unix.
-
-DISABLE SPECIFIC NSSWITCH DATABASES
------------------------------------
-
-Normally, nsswitch databases set by the profile overwrites values set in
-user-nsswitch.conf. The following options can force authselect to
-ignore value set by the profile and use the one set in user-nsswitch.conf
-instead.
-
-with-custom-aliases::
-Ignore "aliases" map set by the profile.
-
-with-custom-automount::
-Ignore "automount" map set by the profile.
-
-with-custom-ethers::
-Ignore "ethers" map set by the profile.
-
-with-custom-group::
-Ignore "group" map set by the profile.
-
-with-custom-hosts::
-Ignore "hosts" map set by the profile.
-
-with-custom-initgroups::
-Ignore "initgroups" map set by the profile.
-
-with-custom-netgroup::
-Ignore "netgroup" map set by the profile.
-
-with-custom-networks::
-Ignore "networks" map set by the profile.
-
-with-custom-passwd::
-Ignore "passwd" map set by the profile.
-
-with-custom-protocols::
-Ignore "protocols" map set by the profile.
-
-with-custom-publickey::
-Ignore "publickey" map set by the profile.
-
-with-custom-rpc::
-Ignore "rpc" map set by the profile.
-
-with-custom-services::
-Ignore "services" map set by the profile.
-
-with-custom-shadow::
-Ignore "shadow" map set by the profile.
-
-EXAMPLES
---------
-* Enable NIS with no additional modules
-
- authselect select nis
-
-* Enable NIS and create home directories for users on their first login
-
- authselect select nis with-mkhomedir
diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
deleted file mode 100644
index c58aa2789f4ef064b7904cacf4fc3158dce7ad41..0000000000000000000000000000000000000000
--- a/profiles/nis/REQUIREMENTS
+++ /dev/null
@@ -1,13 +0,0 @@
-Make sure that NIS service is configured and enabled. See NIS documentation for more information.
- {include if "with-fingerprint"}
-- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
- {include if "with-pam-u2f"}
-- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"}
- - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"}
- {include if "with-pam-u2f-2fa"}
-- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"}
- - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"}
- {include if "with-mkhomedir"}
-- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
- is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
- - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
diff --git a/profiles/nis/dconf-db b/profiles/nis/dconf-db
deleted file mode 100644
index bd32b2819f66acdc75ab0fc522ec85673d10ed72..0000000000000000000000000000000000000000
@ -232,20 +93,20 @@ index 04a11f049bc1e220c9064fba7b46eb243ddd4996..00000000000000000000000000000000
-session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
-session optional pam_lastlog.so silent noupdate showfailed
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index 628d6c91e9b3b4448787915fc1f9ac42f445bfc6..a0d508a716603771878781a62168fe0a71207f66 100644
index f8539d5a028da1a7184b47609a8efdb5ce0be14e..95da183a41a29f7913a0a255a94070908ed9a66c 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -155,7 +155,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
@@ -165,7 +165,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/minimal/
-%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/nsswitch.conf
@@ -164,15 +163,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/dconf-db
@@ -178,16 +177,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/smartcard-auth
%{_datadir}/authselect/default/minimal/system-auth
-%{_datadir}/authselect/default/nis/dconf-db
-%{_datadir}/authselect/default/nis/dconf-locks
@ -255,15 +116,16 @@ index 628d6c91e9b3b4448787915fc1f9ac42f445bfc6..a0d508a716603771878781a62168fe0a
-%{_datadir}/authselect/default/nis/postlogin
-%{_datadir}/authselect/default/nis/README
-%{_datadir}/authselect/default/nis/REQUIREMENTS
-%{_datadir}/authselect/default/nis/smartcard-auth
-%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90da8e217e 100755
index 55e205bae2c0b1f7892f8b286c288dfeaa26a60d..c6d1f2786c233f7ebdbfe5f2503aa0016012aee0 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -240,20 +240,6 @@ class Configuration:
@@ -243,20 +243,6 @@ class Configuration:
config.write(keys)
@ -284,7 +146,7 @@ index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90
class SSSD(Base):
def __init__(self, options):
super(Configuration.SSSD, self).__init__(options, ServiceName="sssd")
@@ -375,83 +361,6 @@ class Configuration:
@@ -378,83 +364,6 @@ class Configuration:
# other applications may depend on it.
return
@ -368,16 +230,16 @@ index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90
class AuthCompat:
def __init__(self):
self.sysconfig = EnvironmentFile(Path.System('authconfig'))
@@ -533,8 +442,6 @@ class AuthCompat:
if (self.options.getBool("ldap") or self.options.getBool("ldapauth") or
self.options.getBool("sssd") or self.options.getBool("sssdauth")):
@@ -538,8 +447,6 @@ class AuthCompat:
or self.options.getBool("sssd")
or self.options.getBool("sssdauth")):
profile = "sssd"
- elif self.options.getBool("nis"):
- profile = "nis"
elif self.options.getBool("winbind"):
profile = "winbind"
@@ -591,13 +498,11 @@ class AuthCompat:
@@ -596,13 +503,11 @@ class AuthCompat:
def writeConfiguration(self):
configs = [
Configuration.LDAP(self.options),
@ -392,33 +254,33 @@ index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90
for config in configs:
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index 433a3340bac29739174e78928701214c08ec6f3c..2712d85a377ee92c7816e3d2284302307084b0c4 100644
index 5c8b21b55014198d6d9dfc98bd807c3c922b06f4..79ead60fa9edc1244227e3b69df025471b7c7991 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -79,9 +79,6 @@ class Options:
# However, they will just make sure that an authentication against
# expected service is working. They may not result in the exact same
# configuration as authconfig would generate.
- Option.Feature("nis", _("NIS for user information by default")),
- Option.Valued ("nisdomain", _("<domain>"), _("default NIS domain")),
- Option.Valued ("nisserver", _("<server>"), _("default NIS server")),
Option.Feature("ldap", _("LDAP for user information by default")),
Option.Feature("ldapauth", _("LDAP for authentication by default")),
Option.Valued ("ldapserver", _("<server>"), _("default LDAP server hostname or URI")),
- Option.Feature("nis", _("NIS for user information by default")),
- Option.Valued("nisdomain", _("<domain>"), _("default NIS domain")),
- Option.Valued("nisserver", _("<server>"), _("default NIS server")),
Option.Feature("ldap", _("LDAP for user information by default")),
Option.Feature("ldapauth", _("LDAP for authentication by default")),
Option.Valued("ldapserver", _("<server>"), _("default LDAP server hostname or URI")),
@@ -164,6 +161,11 @@ class Options:
Option.UnsupportedFeature("locauthorize"),
Option.UnsupportedFeature("sysnetauth"),
Option.UnsupportedValued ("faillockargs", _("<options>")),
Option.UnsupportedValued("faillockargs", _("<options>")),
+
+ # NIS is no longer supported
+ Option.UnsupportedFeature("nis"),
+ Option.UnsupportedValued ("nisdomain", _("<domain>")),
+ Option.UnsupportedValued ("nisserver", _("<server>")),
+ Option.UnsupportedValued("nisdomain", _("<domain>")),
+ Option.UnsupportedValued("nisserver", _("<server>")),
]
Map = {
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index a27af036738274d8d392f7fe1f7d59c89e9c4ffb..515104b160d956d04b9ec8cacd25d166983e02d5 100644
index 888cd4e5a0750d4e1aa5898887f5f7fd42472741..d9777b9b473859d7ec532f39f7e14bd81c4f1b90 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -72,7 +72,7 @@ configuration file for required services.
@ -431,5 +293,5 @@ index a27af036738274d8d392f7fe1f7d59c89e9c4ffb..515104b160d956d04b9ec8cacd25d166
.Relation of authconfig options to authselect profile features
--
2.20.1
2.34.1

View File

@ -1,58 +0,0 @@
From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 18 Feb 2021 13:38:53 +0100
Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups
The passwd and group databases will now default to files first.
The order "sss files" can be enabled with "with-files-provider"
feature.
---
profiles/sssd/README | 5 +++++
profiles/sssd/REQUIREMENTS | 4 ++++
profiles/sssd/nsswitch.conf | 4 ++--
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -76,6 +76,11 @@ with-sudo::
with-pamaccess::
Check access.conf during account authorization.
+with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+ "files sss" for passwd and group maps.
+
with-files-access-provider::
If set, account management for local users is handled also by pam_sss. This
is needed if there is an explicitly configured domain with id_provider=files
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
\ No newline at end of file
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,5 +1,5 @@
-passwd: sss files systemd {exclude if "with-custom-passwd"}
-group: sss files systemd {exclude if "with-custom-group"}
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
netgroup: sss files {exclude if "with-custom-netgroup"}
automount: sss files {exclude if "with-custom-automount"}
services: sss files {exclude if "with-custom-services"}
--
2.29.2

View File

@ -2,24 +2,19 @@
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.2.3
Release: 7%{?dist}
Version: 1.2.5
Release: 1%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
Patch0001: 0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch
### Downstream Patches ###
%if 0%{?rhel}
Patch9001: 9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch9002: 9002-rhel9-remove-ecryptfs-support.patch
Patch9003: 9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch
Patch9004: 9004-rhel9-remove-support-for-for-resolved.patch
Patch0005: 9005-rhel9-remove-nis-support.patch
%endif
Patch0901: 0901-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch0902: 0902-rhel9-remove-ecryptfs-support.patch
Patch0903: 0903-rhel9-Revert-profiles-add-support-for-resolved.patch
Patch0904: 0904-rhel9-remove-nis-support.patch
%global makedir %{_builddir}/%{name}-%{version}
@ -36,6 +31,7 @@ BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
BuildRequires: python3-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
@ -70,8 +66,6 @@ command line tool and any other potential front-ends.
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
BuildRequires: python3-devel
BuildRequires: make
Requires: authselect%{?_isa} = %{version}-%{release}
Recommends: oddjob-mkhomedir
Suggests: sssd
@ -104,7 +98,7 @@ done
%build
autoreconf -if
%configure --with-pythonbin="%{__python3}"
%configure --with-pythonbin="%{__python3}" --with-compat
%make_build
%check
@ -160,11 +154,13 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/dconf-db
%{_datadir}/authselect/default/minimal/dconf-locks
%{_datadir}/authselect/default/minimal/fingerprint-auth
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/smartcard-auth
%{_datadir}/authselect/default/minimal/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
@ -184,6 +180,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
@ -293,6 +290,12 @@ exit 0
exit 0
%changelog
* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.2.5-1
- Rebase to 1.2.5 (RHBZ #2080239)
- backup-restore now works correctly (RHBZ #2070541)
- add with-subid to sssd profile (RHBZ #2075192)
- add with-gssapi to sssd profile (RHBZ #2077893)
* Thu Aug 26 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-7
- Avoid freeing uninitialized variable in authselect_apply_changes (rhbz#1970871)