rpms/authselect
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import authselect-1.2.3-7.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-05-17 06:36:20 -04:00 committed by Stepan Oksanichenko
commit 77518afb47
9 changed files with 1329 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.authselect.metadata Normal file
View File

@ -0,0 +1 @@
3f004c30e9f07c0dd259403f1cd9f13c5ec297ce SOURCES/authselect-1.2.3.tar.gz

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/authselect-1.2.3.tar.gz

31
SOURCES/0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch Normal file
View File

@ -0,0 +1,31 @@
From 6924b8f8d82ecd32e897cf5f441e5c87f8816859 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 22 Jul 2021 11:29:20 +0200
Subject: [PATCH] lib: avoid freeing uninitialized variable in
authselect_apply_changes()
If authselect_profile() fails, we goto done and try to free uninitialized
variable.
Resolves:
https://github.com/authselect/authselect/issues/265
---
src/lib/authselect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/authselect.c b/src/lib/authselect.c
index 0f43e12202c16769dfc6ac7dee41812159cc1d3a..a901e02719713bd13d5a4fab606ee713b3d6ddca 100644
--- a/src/lib/authselect.c
+++ b/src/lib/authselect.c
@@ -163,7 +163,7 @@ authselect_uninstall(void)
_PUBLIC_ int
authselect_apply_changes(void)
{
- struct authselect_profile *profile;
+ struct authselect_profile *profile = NULL;
char **supported = NULL;
char *profile_id;
char **features;
--
2.31.1

25
SOURCES/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch Normal file
View File

@ -0,0 +1,25 @@
From 2e2a7143cbfa719905cb130a5e67313c65bf3b65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Oct 2018 14:08:12 +0100
Subject: [PATCH 1/3] rhel9: remove mention of Fedora Change page in compat
tool
---
src/compat/authcompat.py.in.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index f879e08eb94e9620dfc28f245b0ea5815df7e4f2..e4b8c05c6a11a215529ba66f8b36b72a6ac18448 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -468,7 +468,6 @@ class AuthCompat:
"It does not provide all capabilities of authconfig.\n"))
print(_("IMPORTANT: authconfig is replaced by authselect, "
"please update your scripts."))
- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
print(_("See man authselect-migration(7) to help you with migration to authselect"))
options = self.options.getSetButUnsupported()
--
2.29.2

283
SOURCES/9002-rhel9-remove-ecryptfs-support.patch Normal file
View File

@ -0,0 +1,283 @@
From 6de7d2e033d67f23b33620a2b80f5a6c106bd6f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 10 Jun 2019 10:53:15 +0200
Subject: [PATCH 2/3] rhel9: remove ecryptfs support
---
profiles/nis/README | 3 ---
profiles/nis/fingerprint-auth | 1 -
profiles/nis/password-auth | 1 -
profiles/nis/postlogin | 4 ----
profiles/nis/system-auth | 1 -
profiles/sssd/README | 3 ---
profiles/sssd/fingerprint-auth | 1 -
profiles/sssd/password-auth | 1 -
profiles/sssd/postlogin | 4 ----
profiles/sssd/smartcard-auth | 1 -
profiles/sssd/system-auth | 1 -
profiles/winbind/README | 3 ---
profiles/winbind/fingerprint-auth | 1 -
profiles/winbind/password-auth | 1 -
profiles/winbind/postlogin | 4 ----
profiles/winbind/system-auth | 1 -
src/compat/authcompat.py.in.in | 1 -
src/compat/authcompat_Options.py | 2 +-
src/man/authselect-migration.7.adoc | 5 ++---
19 files changed, 3 insertions(+), 36 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 5dbb9b49fb7708ef3b073aff7e1883e3f9a0bd06..cac3428bf844b0a9d251015988583f4c1b15c3c9 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -21,9 +21,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 756993cf1b2095f505208df19dd739dcaed1af31..eebec6d0d6edeae6a3eb224f0ff284016b0fc642 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -13,7 +13,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..9a8ae9cde644a4ac981f4b9553af2f0f428bfebb 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -17,7 +17,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/nis/postlogin
+++ b/profiles/nis/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 057b31e074f29c46b492fa310a954e281631800e..2e7462983d35e4a2f5cef8151ed53baaf7e5c790 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 95ef5dc785ed0530122837b5e08d03590ed1ada5..ac063e8d065d0488279dc2381bdd7f8ac361bfcb 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -40,9 +40,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-smartcard::
Enable authentication with smartcards through SSSD. Please note that
smartcard support must be also explicitly enabled within
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index fe3cac7a976845017d034ac1158a38f889926ce8..ad0a95440ebd006ff88264177598c77afc472dda 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..6d87cbe0a805bf5d3ab2a6192d570b9e5c6dc143 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -27,7 +27,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/sssd/postlogin
+++ b/profiles/sssd/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 230269c42508a50ad5b4677ab6514b9afe4d5fbf..874ffaca1b2c15c81adc4ca130c15834154bdc0e 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,6 @@ account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 6f914ea91eb7782d60959ced56112f9cc1365347..dfc53b4ce55a0d575dc4fe68004a846f43360ccc 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,7 +32,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index 40a1a459355d2ee8ab98e31d2868cb24261e2c17..0e80bb697f8050ac8eb3c78d4f41945b9bcbba29 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -33,9 +33,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index c4b8261ca45d4f6b9eda03ea96850bb32d605d30..6262549af2ca8aed540e7a7e1d97e0ba3b2ef088 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -17,7 +17,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index bbeca057d49102889e3eeee040ea256dbd751eef..aef4d5ce6a6ec9496deabc1010cde0370a3ecba7 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -24,7 +24,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/winbind/postlogin
+++ b/profiles/winbind/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..e4bdd0bf1c315c86cc8064625b80161baa5c455f 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -25,7 +25,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -520,7 +520,6 @@ class AuthCompat:
'smartcard' : 'with-smartcard',
'requiresmartcard' : 'with-smartcard-required',
'fingerprint' : 'with-fingerprint',
- 'ecryptfs' : 'with-ecryptfs',
'mkhomedir' : 'with-mkhomedir',
'faillock' : 'with-faillock',
'pamaccess' : 'with-pamaccess',
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -93,7 +93,6 @@ class Options:
Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued ("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued ("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
@@ -141,6 +140,7 @@ class Options:
# layers and will produce warning when used. They will not affect
# the system.
Option.UnsupportedFeature("cache"),
+ Option.UnsupportedFeature("ecryptfs"),
Option.UnsupportedFeature("shadow"),
Option.UnsupportedSwitch ("useshadow"),
Option.UnsupportedFeature("md5"),
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -80,7 +80,6 @@ configuration file for required services.
|*Authconfig options* |*Authselect profile feature*
|--enablesmartcard |with-smartcard
|--enablefingerprint |with-fingerprint
-|--enableecryptfs |with-ecryptfs
|--enablemkhomedir |with-mkhomedir
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
@@ -95,8 +94,8 @@ authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
-authconfig --enableecryptfs --enablepamaccess --updateall
-authselect select sssd with-ecryptfs with-pamaccess
+authconfig --enablepamaccess --updateall
+authselect select sssd with-pamaccess
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
--
2.29.2

58
SOURCES/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch Normal file
View File

@ -0,0 +1,58 @@
From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 18 Feb 2021 13:38:53 +0100
Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups
The passwd and group databases will now default to files first.
The order "sss files" can be enabled with "with-files-provider"
feature.
---
profiles/sssd/README | 5 +++++
profiles/sssd/REQUIREMENTS | 4 ++++
profiles/sssd/nsswitch.conf | 4 ++--
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -76,6 +76,11 @@ with-sudo::
with-pamaccess::
Check access.conf during account authorization.
+with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+ "files sss" for passwd and group maps.
+
with-files-access-provider::
If set, account management for local users is handled also by pam_sss. This
is needed if there is an explicitly configured domain with id_provider=files
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
\ No newline at end of file
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,5 +1,5 @@
-passwd: sss files systemd {exclude if "with-custom-passwd"}
-group: sss files systemd {exclude if "with-custom-group"}
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
netgroup: sss files {exclude if "with-custom-netgroup"}
automount: sss files {exclude if "with-custom-automount"}
services: sss files {exclude if "with-custom-services"}
--
2.29.2

44
SOURCES/9004-rhel9-remove-support-for-for-resolved.patch Normal file
View File

@ -0,0 +1,44 @@
From 259e4e50a97a5196436e3d7ed42d2ecf0be3203f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 31 May 2021 15:42:49 +0200
Subject: [PATCH] rhel9: remove support for for resolved
systemd-resolved is an experimental feature at this point and it
should not be enabled by default. Steps to switch this feature on
will be documented in RHEL guide.
This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54.
---
profiles/minimal/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
index a9e4bc79a1090304542ccd8b43d1107eeb5304df..a39e4d32ebf79e8bf05f2db5753b01596222dc35 100644
--- a/profiles/minimal/nsswitch.conf
+++ b/profiles/minimal/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom
automount: files {exclude if "with-custom-automount"}
ethers: files {exclude if "with-custom-ethers"}
group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
+hosts: files dns myhostname {exclude if "with-custom-hosts"}
initgroups: files {exclude if "with-custom-initgroups"}
netgroup: files {exclude if "with-custom-netgroup"}
networks: files {exclude if "with-custom-networks"}
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"}
automount: files nis {exclude if "with-custom-automount"}
ethers: files nis {exclude if "with-custom-ethers"}
group: files nis systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
+hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
initgroups: files nis {exclude if "with-custom-initgroups"}
netgroup: files nis {exclude if "with-custom-netgroup"}
networks: files nis {exclude if "with-custom-networks"}
--
2.31.1

435
SOURCES/9005-rhel9-remove-nis-support.patch Normal file
View File

@ -0,0 +1,435 @@
From 7236f7a303215805de7195a8fdef7567543e8b0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 9 Jun 2021 13:59:01 +0200
Subject: [PATCH] rhel9: remove nis support
NIS is no longer supported in RHEL9.
---
profiles/Makefile.am | 13 ----
profiles/nis/README | 111 ----------------------------
profiles/nis/REQUIREMENTS | 13 ----
profiles/nis/dconf-db | 3 -
profiles/nis/dconf-locks | 2 -
profiles/nis/nsswitch.conf | 14 ----
profiles/nis/postlogin | 4 -
rpm/authselect.spec.in | 10 ---
src/compat/authcompat.py.in.in | 95 ------------------------
src/compat/authcompat_Options.py | 8 +-
src/man/authselect-migration.7.adoc | 2 +-
11 files changed, 6 insertions(+), 269 deletions(-)
delete mode 100644 profiles/nis/README
delete mode 100644 profiles/nis/REQUIREMENTS
delete mode 100644 profiles/nis/dconf-db
delete mode 100644 profiles/nis/dconf-locks
delete mode 100644 profiles/nis/nsswitch.conf
delete mode 100644 profiles/nis/postlogin
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
index 95e27147b2b0a229a76a293884d605484d3fa841..c658521de01130f19f669fe0a6cb86c11043a406 100644
--- a/profiles/Makefile.am
+++ b/profiles/Makefile.am
@@ -13,19 +13,6 @@ dist_profile_minimal_DATA = \
$(top_srcdir)/profiles/minimal/dconf-locks \
$(NULL)
-profile_nisdir = $(authselect_profile_dir)/nis
-dist_profile_nis_DATA = \
- $(top_srcdir)/profiles/nis/nsswitch.conf \
- $(top_srcdir)/profiles/nis/password-auth \
- $(top_srcdir)/profiles/nis/postlogin \
- $(top_srcdir)/profiles/nis/README \
- $(top_srcdir)/profiles/nis/REQUIREMENTS \
- $(top_srcdir)/profiles/nis/system-auth \
- $(top_srcdir)/profiles/nis/fingerprint-auth \
- $(top_srcdir)/profiles/nis/dconf-db \
- $(top_srcdir)/profiles/nis/dconf-locks \
- $(NULL)
-
profile_sssddir = $(authselect_profile_dir)/sssd
dist_profile_sssd_DATA = \
$(top_srcdir)/profiles/sssd/nsswitch.conf \
diff --git a/profiles/nis/README b/profiles/nis/README
deleted file mode 100644
index cac3428bf844b0a9d251015988583f4c1b15c3c9..0000000000000000000000000000000000000000
--- a/profiles/nis/README
+++ /dev/null
@@ -1,111 +0,0 @@
-Enable NIS for system authentication
-====================================
-
-Selecting this profile will enable Network Information Services as the source
-of identity and authentication providers.
-
-NIS CONFIGURATION
------------------
-
-Authselect does not touch NIS configuration. Please, read NIS' documentation
-to see how to configure it manually.
-
-AVAILABLE OPTIONAL FEATURES
----------------------------
-
-with-faillock::
- Enable account locking in case of too many consecutive
- authentication failures.
-
-with-mkhomedir::
- Enable automatic creation of home directories for users on their
- first login.
-
-with-fingerprint::
- Enable authentication with fingerprint reader through *pam_fprintd*.
-
-with-pam-u2f::
- Enable authentication via u2f dongle through *pam_u2f*.
-
-with-pam-u2f-2fa::
- Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
-
-without-pam-u2f-nouserok::
- Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
- *WARNING*: Omitting nouserok argument means that users without pam-u2f
- authentication configured will not be able to log in *INCLUDING* root.
- Make sure you are able to log in before losing root privileges.
-
-with-silent-lastlog::
- Do not produce pam_lastlog message during login.
-
-with-pamaccess::
- Check access.conf during account authorization.
-
-with-nispwquality::
- If this option is set pam_pwquality module will check password quality
- for NIS users as well as local users during password change. Without this
- option only local users passwords are checked.
-
-without-nullok::
- Do not add nullok parameter to pam_unix.
-
-DISABLE SPECIFIC NSSWITCH DATABASES
------------------------------------
-
-Normally, nsswitch databases set by the profile overwrites values set in
-user-nsswitch.conf. The following options can force authselect to
-ignore value set by the profile and use the one set in user-nsswitch.conf
-instead.
-
-with-custom-aliases::
-Ignore "aliases" map set by the profile.
-
-with-custom-automount::
-Ignore "automount" map set by the profile.
-
-with-custom-ethers::
-Ignore "ethers" map set by the profile.
-
-with-custom-group::
-Ignore "group" map set by the profile.
-
-with-custom-hosts::
-Ignore "hosts" map set by the profile.
-
-with-custom-initgroups::
-Ignore "initgroups" map set by the profile.
-
-with-custom-netgroup::
-Ignore "netgroup" map set by the profile.
-
-with-custom-networks::
-Ignore "networks" map set by the profile.
-
-with-custom-passwd::
-Ignore "passwd" map set by the profile.
-
-with-custom-protocols::
-Ignore "protocols" map set by the profile.
-
-with-custom-publickey::
-Ignore "publickey" map set by the profile.
-
-with-custom-rpc::
-Ignore "rpc" map set by the profile.
-
-with-custom-services::
-Ignore "services" map set by the profile.
-
-with-custom-shadow::
-Ignore "shadow" map set by the profile.
-
-EXAMPLES
---------
-* Enable NIS with no additional modules
-
- authselect select nis
-
-* Enable NIS and create home directories for users on their first login
-
- authselect select nis with-mkhomedir
diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
deleted file mode 100644
index c58aa2789f4ef064b7904cacf4fc3158dce7ad41..0000000000000000000000000000000000000000
--- a/profiles/nis/REQUIREMENTS
+++ /dev/null
@@ -1,13 +0,0 @@
-Make sure that NIS service is configured and enabled. See NIS documentation for more information.
- {include if "with-fingerprint"}
-- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
- {include if "with-pam-u2f"}
-- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"}
- - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"}
- {include if "with-pam-u2f-2fa"}
-- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"}
- - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"}
- {include if "with-mkhomedir"}
-- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
- is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
- - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
diff --git a/profiles/nis/dconf-db b/profiles/nis/dconf-db
deleted file mode 100644
index bd32b2819f66acdc75ab0fc522ec85673d10ed72..0000000000000000000000000000000000000000
--- a/profiles/nis/dconf-db
+++ /dev/null
@@ -1,3 +0,0 @@
-[org/gnome/login-screen]
-enable-smartcard-authentication=false
-enable-fingerprint-authentication={if "with-fingerprint":true|false}
diff --git a/profiles/nis/dconf-locks b/profiles/nis/dconf-locks
deleted file mode 100644
index 8a36fa9568344338272786394aece872185d0ab3..0000000000000000000000000000000000000000
--- a/profiles/nis/dconf-locks
+++ /dev/null
@@ -1,2 +0,0 @@
-/org/gnome/login-screen/enable-smartcard-authentication
-/org/gnome/login-screen/enable-fingerprint-authentication
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
deleted file mode 100644
index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..0000000000000000000000000000000000000000
--- a/profiles/nis/nsswitch.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-aliases: files nis {exclude if "with-custom-aliases"}
-automount: files nis {exclude if "with-custom-automount"}
-ethers: files nis {exclude if "with-custom-ethers"}
-group: files nis systemd {exclude if "with-custom-group"}
-hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
-initgroups: files nis {exclude if "with-custom-initgroups"}
-netgroup: files nis {exclude if "with-custom-netgroup"}
-networks: files nis {exclude if "with-custom-networks"}
-passwd: files nis systemd {exclude if "with-custom-passwd"}
-protocols: files nis {exclude if "with-custom-protocols"}
-publickey: files nis {exclude if "with-custom-publickey"}
-rpc: files nis {exclude if "with-custom-rpc"}
-services: files nis {exclude if "with-custom-services"}
-shadow: files nis {exclude if "with-custom-shadow"}
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
deleted file mode 100644
index 04a11f049bc1e220c9064fba7b46eb243ddd4996..0000000000000000000000000000000000000000
--- a/profiles/nis/postlogin
+++ /dev/null
@@ -1,4 +0,0 @@
-session optional pam_umask.so silent
-session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
-session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
-session optional pam_lastlog.so silent noupdate showfailed
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index 628d6c91e9b3b4448787915fc1f9ac42f445bfc6..a0d508a716603771878781a62168fe0a71207f66 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -155,7 +155,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/minimal/
-%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/nsswitch.conf
@@ -164,15 +163,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/system-auth
-%{_datadir}/authselect/default/nis/dconf-db
-%{_datadir}/authselect/default/nis/dconf-locks
-%{_datadir}/authselect/default/nis/fingerprint-auth
-%{_datadir}/authselect/default/nis/nsswitch.conf
-%{_datadir}/authselect/default/nis/password-auth
-%{_datadir}/authselect/default/nis/postlogin
-%{_datadir}/authselect/default/nis/README
-%{_datadir}/authselect/default/nis/REQUIREMENTS
-%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90da8e217e 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -240,20 +240,6 @@ class Configuration:
config.write(keys)
- class Network(Base):
- def __init__(self, options):
- super(Configuration.Network, self).__init__(options)
-
- def write(self):
- nisdomain = self.get("nisdomain")
- config = EnvironmentFile(Path.System('network'))
-
- if nisdomain is None:
- return
-
- config.set("NISDOMAIN", nisdomain)
- config.write()
-
class SSSD(Base):
def __init__(self, options):
super(Configuration.SSSD, self).__init__(options, ServiceName="sssd")
@@ -375,83 +361,6 @@ class Configuration:
# other applications may depend on it.
return
- class NIS(Base):
- def __init__(self, options):
- super(Configuration.NIS, self).__init__(options)
- self.rpcbind = Service("rpcbind")
- self.ypbind = Service("ypbind")
-
- def isEnabled(self):
- if not self.isset("nis"):
- return None
-
- return self.getBool("nis")
-
- def enableService(self, nostart):
- if not self.isset("nisdomain"):
- return
-
- nisdom = self.get("nisdomain")
-
- if not nostart:
- cmd = Command(Path.System('cmd-domainname'), [nisdom])
- cmd.run()
-
- cmd = Command(Path.System('cmd-setsebool'),
- ['-P', 'allow_ypbind', '1'])
- cmd.run()
-
- self.rpcbind.enable()
- self.ypbind.enable()
-
- if not nostart:
- self.rpcbind.start(Restart=False)
- self.ypbind.start()
-
- def disableService(self, nostop):
- if not nostop:
- cmd = Command(Path.System('cmd-domainname'), ["(none)"])
- cmd.run()
-
- cmd = Command(Path.System('cmd-setsebool'),
- ['-P', 'allow_ypbind', '0'])
- cmd.run()
-
- self.rpcbind.disable()
- self.ypbind.disable()
-
- if not nostop:
- self.rpcbind.stop()
- self.ypbind.stop()
-
- def write(self):
- if not self.isset("nisdomain"):
- return
-
- output = "domain " + self.get("nisdomain")
-
- additional_servers = []
- if self.isset("nisserver"):
- servers = self.get("nisserver").split(",")
- additional_servers = servers[1:]
- output += " server " + servers[0] + "\n"
- else:
- output += " broadcast\n"
-
- for server in additional_servers:
- output += "ypserver " + server + "\n"
-
- filename = Path.System('yp.conf')
- if self.getBool("test-call"):
- print("========== BEGIN Content of [%s] ==========" % filename)
- print(output)
- print("========== END Content of [%s] ==========\n" % filename)
- return
-
- with open(filename, "w") as f:
- f.write(output)
-
-
class AuthCompat:
def __init__(self):
self.sysconfig = EnvironmentFile(Path.System('authconfig'))
@@ -533,8 +442,6 @@ class AuthCompat:
if (self.options.getBool("ldap") or self.options.getBool("ldapauth") or
self.options.getBool("sssd") or self.options.getBool("sssdauth")):
profile = "sssd"
- elif self.options.getBool("nis"):
- profile = "nis"
elif self.options.getBool("winbind"):
profile = "winbind"
@@ -591,13 +498,11 @@ class AuthCompat:
def writeConfiguration(self):
configs = [
Configuration.LDAP(self.options),
- Configuration.Network(self.options),
Configuration.Kerberos(self.options),
Configuration.SSSD(self.options),
Configuration.Winbind(self.options),
Configuration.PWQuality(self.options),
Configuration.MakeHomedir(self.options),
- Configuration.NIS(self.options)
]
for config in configs:
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index 433a3340bac29739174e78928701214c08ec6f3c..2712d85a377ee92c7816e3d2284302307084b0c4 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -79,9 +79,6 @@ class Options:
# However, they will just make sure that an authentication against
# expected service is working. They may not result in the exact same
# configuration as authconfig would generate.
- Option.Feature("nis", _("NIS for user information by default")),
- Option.Valued ("nisdomain", _("<domain>"), _("default NIS domain")),
- Option.Valued ("nisserver", _("<server>"), _("default NIS server")),
Option.Feature("ldap", _("LDAP for user information by default")),
Option.Feature("ldapauth", _("LDAP for authentication by default")),
Option.Valued ("ldapserver", _("<server>"), _("default LDAP server hostname or URI")),
@@ -164,6 +161,11 @@ class Options:
Option.UnsupportedFeature("locauthorize"),
Option.UnsupportedFeature("sysnetauth"),
Option.UnsupportedValued ("faillockargs", _("<options>")),
+
+ # NIS is no longer supported
+ Option.UnsupportedFeature("nis"),
+ Option.UnsupportedValued ("nisdomain", _("<domain>")),
+ Option.UnsupportedValued ("nisserver", _("<server>")),
]
Map = {
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index a27af036738274d8d392f7fe1f7d59c89e9c4ffb..515104b160d956d04b9ec8cacd25d166983e02d5 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -72,7 +72,7 @@ configuration file for required services.
|--enablesssd --enablesssdauth |sssd
|--enablekrb5 |sssd
|--enablewinbind --enablewinbindauth |winbind
-|--enablenis |nis
+|--enablenis |none
|=========================================================
.Relation of authconfig options to authselect profile features
--
2.20.1

451
SPECS/authselect.spec Normal file
View File

@ -0,0 +1,451 @@
# Do not terminate build if language files are empty.
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.2.3
Release: 7%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
Patch0001: 0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch
### Downstream Patches ###
%if 0%{?rhel}
Patch9001: 9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch9002: 9002-rhel9-remove-ecryptfs-support.patch
Patch9003: 9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch
Patch9004: 9004-rhel9-remove-support-for-for-resolved.patch
Patch0005: 9005-rhel9-remove-nis-support.patch
%endif
%global makedir %{_builddir}/%{name}-%{version}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: findutils
BuildRequires: libtool
BuildRequires: m4
BuildRequires: gcc
BuildRequires: pkgconfig
BuildRequires: pkgconfig(popt)
BuildRequires: gettext-devel
BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
%description
Authselect is designed to be a replacement for authconfig but it takes
a different approach to configure the system. Instead of letting
the administrator build the PAM stack with a tool (which may potentially
end up with a broken configuration), it would ship several tested stacks
(profiles) that solve a use-case and are well tested and supported.
At the same time, some obsolete features of authconfig are not
supported by authselect.
%package libs
Summary: Utility library used by the authselect tool
# Required by scriptlets
Requires: coreutils
Requires: findutils
Requires: gawk
Requires: grep
Requires: sed
Requires: systemd
Requires: pam >= 1.3.1-23
%description libs
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package compat
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
BuildRequires: python3-devel
BuildRequires: make
Requires: authselect%{?_isa} = %{version}-%{release}
Recommends: oddjob-mkhomedir
Suggests: sssd
Suggests: realmd
Suggests: samba-winbind
# Required by scriptlets
Requires: sed
%description compat
This package will replace %{_sbindir}/authconfig with a tool that will
translate some of the authconfig calls into authselect calls. It provides
only minimum backward compatibility and users are encouraged to migrate
to authselect completely.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
%description devel
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
%prep
%setup -q
for p in %patches ; do
%__patch -p1 -i $p
done
%build
autoreconf -if
%configure --with-pythonbin="%{__python3}"
%make_build
%check
%make_build check
%install
%make_install
# Find translations
%find_lang %{name}
%find_lang %{name} %{name}.8.lang --with-man
%find_lang %{name}-migration %{name}-migration.7.lang --with-man
%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
# We want this file to contain only manual page translations
%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
# Remove .la and .a files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ldconfig_scriptlets libs
%files libs -f %{name}.lang -f %{name}-profiles.5.lang
%dir %{_sysconfdir}/authselect
%dir %{_sysconfdir}/authselect/custom
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/minimal/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/dconf-db
%{_datadir}/authselect/default/minimal/dconf-locks
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
%{_datadir}/authselect/default/sssd/nsswitch.conf
%{_datadir}/authselect/default/sssd/password-auth
%{_datadir}/authselect/default/sssd/postlogin
%{_datadir}/authselect/default/sssd/README
%{_datadir}/authselect/default/sssd/REQUIREMENTS
%{_datadir}/authselect/default/sssd/smartcard-auth
%{_datadir}/authselect/default/sssd/system-auth
%{_datadir}/authselect/default/winbind/dconf-db
%{_datadir}/authselect/default/winbind/dconf-locks
%{_datadir}/authselect/default/winbind/fingerprint-auth
%{_datadir}/authselect/default/winbind/nsswitch.conf
%{_datadir}/authselect/default/winbind/password-auth
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/system-auth
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
%{_datadir}/doc/authselect/README.md
%license COPYING
%doc README.md
%files compat
%{_sbindir}/authconfig
%{python3_sitelib}/authselect/
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
%{_mandir}/man7/authselect-migration.7*
%{_sysconfdir}/bash_completion.d/authselect-completion.sh
%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid
%preun
if [ $1 == 0 ] ; then
# Remove authselect symbolic links so all authselect files can be
# deleted safely. If this fail, the uninstallation must fail to avoid
# breaking the system by removing PAM files. However, the command can
# only fail if it can not write to the file system.
%{_bindir}/authselect uninstall
fi
%pre libs
%__rm -f %{validfile}
if [ $1 -gt 1 ] ; then
# Remember if the current configuration is valid
%{_bindir}/authselect check &> /dev/null
if [ $? -eq 0 ]; then
touch %{validfile}
fi
fi
exit 0
%posttrans libs
# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
%__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
# If we are upgrading from older version, we want to remove these comments.
%__sed -i '/^# Generated by authselect on .*$/{$!{
N;N # Read also next two lines
/# Generated by authselect on .*\n# Do not modify this file manually.\n/d
}}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
fi
# If the configuration is valid and we are upgrading from older version
# we need to create these files since they were added in 1.0.
if [ -f %{validfile} ]; then
FILES="nsswitch.conf system-auth password-auth fingerprint-auth \
smartcard-auth postlogin dconf-db dconf-locks"
for FILE in $FILES ; do
%__cp -n %{_sysconfdir}/authselect/$FILE \
%{_localstatedir}/lib/authselect/$FILE &> /dev/null
done
%__rm -f %{validfile}
fi
# Add nss-altfiles if we are on Silverblue
if %__grep -i silverblue /etc/os-release &> /dev/null; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
%__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
done
fi
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111
CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null`
if [ $? -eq 0 ]; then
PROFILE=`echo $CURRENT | %__awk '{print $1;}'`
if [ $PROFILE == "sssd" ] ; then
if %__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
fi
fi
fi
exit 0
%posttrans compat
# Fix for RHBZ#1618865
# Remove invalid lines from pwquality.conf generated by authconfig compat tool
# - previous version could write some options without value, which is invalid
# - we delete all options without value from existing file
%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
exit 0
%changelog
* Thu Aug 26 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-7
- Avoid freeing uninitialized variable in authselect_apply_changes (rhbz#1970871)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.3-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-5
- Remove nis support (rhbz#1968396)
* Wed Jun 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-4
- Remove nis support (rhbz#1968396)
* Tue Jun 1 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-3
- Remove systemd-resolved support (rhbz#1966484)
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.3-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-1
- Rebase to 1.2.3
* Mon Mar 29 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-7
- Fix fingerprint-auth success result
The previous patch had an issue breaking fingerprint login
* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-6
- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
Resolves: #1935331
* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-5
- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
* Wed Feb 24 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-4
- Prepare authselect for RHEL-9, add downstream-only patches that will be synced
* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- Add RHEL9 only patch
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
- Rebase to 1.2.2
- Add nss-altfiles to profiles on Fedora Silverblue
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 22 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-3
- Add resolved by default to nis and minimal profiles
- Fix parsing of multiple conditionals on the same line
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.2.1-2
- Rebuilt for Python 3.9
* Mon May 11 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-1
- Rebase to 1.2.1
* Wed Mar 4 2020 Pavel Březina <pbrezina@redhat.com> - 1.2-1
- Rebase to 1.2
* Mon Feb 17 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-7
- fix restoring non-authselect configuration from backup
* Wed Jan 29 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-6
- cli: fix auto backup when --force is set
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-4
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-3
- Rebuilt for Python 3.8
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 13 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-1
- Rebase to 1.1
* Tue Feb 26 2019 Pavel Březina <pbrezina@redhat.com> - 1.0.3-1
- Rebase to 1.0.3
* Tue Feb 26 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0.2-4
- Use %ghost for files owned by authselect
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-2
- Resolves rhbz#1655025 (invalid backup).
* Fri Nov 23 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-1
- Rebase to 1.0.2
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-2
- Require systemd instead of systemctl
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-1
- Rebase to 1.0.1
* Fri Sep 14 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
- Scriptlets should no produce any error messages (RHBZ #1622272)
- Provide fix for pwquality configuration (RHBZ #1618865)
* Thu Aug 30 2018 Adam Williamson <awilliam@redhat.com> - 1.0-2
- Backport PR #78 to fix broken pwquality config (RHBZ #1618865)
* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
- Rebase to 1.0
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.4-4
- Rebuilt for Python 3.7
* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
- Don't disable oddjobd.service (RHBZ #1571844)
* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
- rebasing to 0.4
* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
- rebasing to 0.3.2
- authselect-compat now only suggests packages, not recommends
* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
- rebasing to 0.3.1
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
- Provide authconfig
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets
* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
- rebasing to 0.3
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
- fix rpmlint errors
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
- rebasing to 0.2
* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
- initial packaging