.gitignore

@@ -1 +1,23 @@
-SOURCES/authselect-1.2.6.tar.gz
+/0.1-alpha.tar.gz
+/0.1.tar.gz
+/authselect-0.2.tar.gz
+/authselect-0.3.tar.gz
+/authselect-0.3.1.tar.gz
+/authselect-0.3.2.tar.gz
+/authselect-0.4.tar.gz
+/authselect-1.0.tar.gz
+/authselect-1.0.1.tar.gz
+/authselect-1.0.2.tar.gz
+/authselect-1.0.3.tar.gz
+/authselect-1.1.tar.gz
+/authselect-1.2.tar.gz
+/authselect-1.2.1.tar.gz
+/authselect-1.2.2.tar.gz
+/authselect-1.2.3.tar.gz
+/authselect-1.2.4.tar.gz
+/authselect-1.3.0.tar.gz
+/authselect-1.4.0.tar.gz
+/authselect-1.4.1.tar.gz
+/authselect-1.4.2.tar.gz
+/authselect-1.4.3.tar.gz
+/authselect-1.5.0.tar.gz

0001-sssd-reintroduce-with-files-access-provider.patch

@@ -0,0 +1,101 @@
+From adb36ae3633e2dfaa9c21bb45d05551f1ea3d749 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 21 Feb 2024 14:27:49 +0100
+Subject: [PATCH 01/11] sssd: reintroduce with-files-access-provider
+
+This is still needed to support .k5login file with proxy domain. For
+example:
+
+```
+[domain/proxy]
+id_provider = proxy
+proxy_lib_name = files
+access_provider = krb5
+auth_provider = krb5
+krb5_server = kdc.test
+krb5_realm = TEST
+```
+---
+ profiles/sssd/README           | 10 ++++++++++
+ profiles/sssd/fingerprint-auth |  2 +-
+ profiles/sssd/password-auth    |  2 +-
+ profiles/sssd/smartcard-auth   |  2 +-
+ profiles/sssd/system-auth      |  2 +-
+ 5 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index 770891a338754b53ee48ba34d9d80c2f2f31cdb6..f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -89,6 +89,16 @@ with-mdns4::
+ with-mdns6::
+     Enable multicast DNS over IPv6.
+ 
++with-files-access-provider:: If set, account management for local users is
++    handled also by pam_sss. This can be used to support SSSD's proxy domain
++    that is configured to serve users from local files but provide
++    authentication and access management (.k5login file) via Kerberos.
++
++    *WARNING:* SSSD access check will become mandatory for local users and
++    if SSSD is stopped then local users will not be able to log in. Only
++    system accounts (as defined by pam_usertype, including root) will be
++    able to log in.
++
+ with-gssapi::
+     If set, pam_sss_gss module is enabled to perform user authentication over
+     GSSAPI.
+diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
+index 94232086a60f56976bd5182f5d10da9c63ec22b6..20ad3613e66ec85c7d2462d0449854e522383b3a 100644
+--- a/profiles/sssd/fingerprint-auth
++++ b/profiles/sssd/fingerprint-auth
+@@ -11,7 +11,7 @@ auth        required                                     pam_deny.so
+ account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+ account     required                                     pam_unix.so
+-account     sufficient                                   pam_localuser.so
++account     sufficient                                   pam_localuser.so                                       {exclude if "with-files-access-provider"}
+ account     sufficient                                   pam_usertype.so issystem
+ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account     required                                     pam_permit.so
+diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
+index 05487ca293138a1154cb6820dbc9a53770904670..97c33b678706e7eeb86bf45251baa41739f2940f 100644
+--- a/profiles/sssd/password-auth
++++ b/profiles/sssd/password-auth
+@@ -18,7 +18,7 @@ account     required                                     pam_access.so
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+ account     sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so
+-account     sufficient                                   pam_localuser.so
++account     sufficient                                   pam_localuser.so                                       {exclude if "with-files-access-provider"}
+ account     sufficient                                   pam_usertype.so issystem
+ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account     required                                     pam_permit.so
+diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
+index 540556ce89b727a226bec4d3322a1775ef350253..78cb329bf332f4d629740a0fff7d2dfe43f7d78d 100644
+--- a/profiles/sssd/smartcard-auth
++++ b/profiles/sssd/smartcard-auth
+@@ -11,7 +11,7 @@ auth        required                                     pam_deny.so
+ account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+ account     required                                     pam_unix.so
+-account     sufficient                                   pam_localuser.so
++account     sufficient                                   pam_localuser.so                                       {exclude if "with-files-access-provider"}
+ account     sufficient                                   pam_usertype.so issystem
+ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account     required                                     pam_permit.so
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index 83f9214fdd0a97ec49a8df52a2e202e034cbc0c6..90c3504a414f0a151475cc207285b230fec381b1 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -25,7 +25,7 @@ account     required                                     pam_access.so
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+ account     sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so
+-account     sufficient                                   pam_localuser.so
++account     sufficient                                   pam_localuser.so                                       {exclude if "with-files-access-provider"}
+ account     sufficient                                   pam_usertype.so issystem
+ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account     required                                     pam_permit.so
+-- 
+2.42.0
+

0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch

@@ -0,0 +1,217 @@
+From d498f7aa562cf41e0999f7733664c27fa62bcf7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 23 Feb 2024 11:54:44 +0100
+Subject: [PATCH 02/11] spec: modify specfile for Fedora 40 and RHEL 10 as
+ minimal version
+
+- conditionals that are no longer used are removed
+- upgrade path is removed
+  - this was already triggered in Fedora 38, so it is no longer useful
+  - RHEL is updated to authselect with leapp when going from 7 to 8
+    we don't want to touch existing configurations
+---
+ rpm/authselect.spec.in | 102 ++---------------------------------------
+ 1 file changed, 3 insertions(+), 99 deletions(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index 24ce4e603208ce26eb228bbee565c868428a2af1..e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -12,20 +12,6 @@ Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+ 
+ %global makedir %{_builddir}/%{name}-%{version}
+ 
+-%if 0%{?fedora} >= 35 || 0%{?rhel} >= 10
+-%global with_compat 0
+-%else
+-%global with_compat 1
+-%endif
+-
+-%if 0%{?fedora} >= 36 || 0%{?rhel} >= 10
+-%global with_user_nsswitch 0
+-%global enforce_authselect 1
+-%else
+-%global with_user_nsswitch 1
+-%global enforce_authselect 0
+-%endif
+-
+ # Set the default profile
+ %{?fedora:%global default_profile local with-silent-lastlog}
+ %{?rhel:%global default_profile local}
+@@ -43,21 +29,14 @@ BuildRequires:  po4a
+ BuildRequires:  %{_bindir}/a2x
+ BuildRequires:  libcmocka-devel >= 1.0.0
+ BuildRequires:  libselinux-devel
+-%if %{with_compat}
+-BuildRequires: python3-devel
+-%endif
+ Requires: authselect-libs%{?_isa} = %{version}-%{release}
+ Suggests: sssd
+ Suggests: samba-winbind
+ Suggests: fprintd-pam
+ Suggests: oddjob-mkhomedir
+ 
+-%if !%{with_compat}
+ # Properly obsolete removed authselect-compat package.
+-Obsoletes: authselect-compat < 1.2.4
+-# Inherited from former authselect-compat package.
+-Obsoletes: authconfig < 7.0.1-6
+-%endif
++Obsoletes: authselect-compat < 1.3
+ 
+ %description
+ Authselect is designed to be a replacement for authconfig but it takes
+@@ -74,14 +53,6 @@ Summary: Utility library used by the authselect tool
+ Requires: coreutils
+ Requires: sed
+ Suggests: systemd
+-%if %{enforce_authselect}
+-# authselect now owns nsswitch.conf (glibc) and pam files
+-Conflicts: pam < 1.5.2-8
+-Conflicts: glibc < 2.34.9000-27
+-# systemd, nss-mdns no longer contains nsswitch.conf scriptlets
+-Conflicts: systemd < 249.7-4
+-Conflicts: nss-mdns < 0.15.1-3
+-%endif
+ 
+ %description libs
+ Common library files for authselect. This package is used by the authselect
+@@ -95,25 +66,6 @@ Requires: authselect-libs%{?_isa} = %{version}-%{release}
+ System header files and development libraries for authselect. Useful if
+ you develop a front-end for the authselect library.
+ 
+-%if %{with_compat}
+-%package compat
+-Summary: Tool to provide minimum backwards compatibility with authconfig
+-Obsoletes: authconfig < 7.0.1-6
+-Provides: authconfig
+-Requires: authselect%{?_isa} = %{version}-%{release}
+-Recommends: oddjob-mkhomedir
+-Suggests: sssd
+-Suggests: realmd
+-Suggests: samba-winbind
+-
+-%description compat
+-This package will replace %{_sbindir}/authconfig with a tool that will
+-translate some of the authconfig calls into authselect calls. It provides
+-only minimum backward compatibility and users are encouraged to migrate
+-to authselect completely.
+-%endif
+-
+-
+ %prep
+ %setup -q
+ 
+@@ -123,16 +75,7 @@ done
+ 
+ %build
+ autoreconf -if
+-%configure \
+-%if %{with_compat}
+-    --with-pythonbin="%{__python3}" \
+-    --with-compat \
+-%endif
+-%if %{with_user_nsswitch}
+-    --with-user-nsswitch \
+-%endif
+-    %{nil}
+-
++%configure
+ %make_build
+ 
+ %check
+@@ -168,20 +111,14 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
+ %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
+-%if %{enforce_authselect}
+ %ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
+-%endif
+ %dir %{_localstatedir}/lib/authselect
+ %ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
+-%if %{with_user_nsswitch}
+-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
+-%endif
+ %dir %{_datadir}/authselect
+ %dir %{_datadir}/authselect/vendor
+ %dir %{_datadir}/authselect/default
+@@ -241,12 +178,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %{_libdir}/libauthselect.so
+ %{_libdir}/pkgconfig/authselect.pc
+ 
+-%if %{with_compat}
+-%files compat
+-%{_sbindir}/authconfig
+-%{python3_sitelib}/authselect/
+-%endif
+-
+ %files  -f %{name}.8.lang  -f %{name}-migration.7.lang
+ %{_bindir}/authselect
+ %{_mandir}/man8/authselect.8*
+@@ -265,47 +196,21 @@ if [ $1 == 0 ] ; then
+ fi
+ 
+ %pre libs
+-%if %{enforce_authselect}
+ # Check if this is a new installation.
+ %__rm -f %{forcefile}
+ if [ $1 -eq 1 ] ; then
+     touch %{forcefile}
+ fi
+-
+-# Check if we are upgrading from older version then authselect-1.3.0
+-# The version command is not available on earlier versions
+-if [ $1 -gt 1 ] ; then
+-    %{_bindir}/authselect check &> /dev/null
+-    if [ $? -ne 0 ]; then
+-        %{_bindir}/authselect version &> /dev/null
+-        if [ $? -ne 0 ]; then
+-            touch %{forcefile}
+-        fi
+-    fi
+-fi
+-%endif
+-
+ exit 0
+ 
+ %posttrans libs
+-# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
+-%if %{with_user_nsswitch}
+-if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
+-    %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
+-    touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
+-fi
+-%endif
+ 
+ # Keep nss-altfiles for all rpm-ostree based systems.
+ # See https://github.com/authselect/authselect/issues/48
+ if test -e /run/ostree-booted; then
+     for PROFILE in `ls %{_datadir}/authselect/default`; do
+         %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
+-%if %{with_user_nsswitch}
+-        %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+-%else
+         %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+-%endif
+     done
+ fi
+ 
+@@ -314,8 +219,7 @@ if [ $? -eq 6 ]; then
+     NOBACKUP="--nobackup"
+ fi
+ 
+-# If we are upgrading from pre authselect-1.3.0 or this is a new installation
+-# select the default configuration.
++# If this is a new installation select the default configuration.
+ if [ -f %{forcefile} ]; then
+     %{_bindir}/authselect select %{default_profile} --force $NOBACKUP &> /dev/null
+     %__rm -f %{forcefile}
+-- 
+2.42.0
+

0003-po-update-translations.patch

@@ -0,0 +1,471 @@
+From 4485f4686c285310b2a11ac545e88e3acef870ea Mon Sep 17 00:00:00 2001
+From: Weblate <noreply@weblate.org>
+Date: Tue, 20 Feb 2024 21:36:02 +0100
+Subject: [PATCH 03/11] po: update translations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(Finnish) currently translated at 100.0% (349 of 349 strings)
+Translation: authselect/master
+Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-application/fi/
+
+Update translation files
+
+Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+po: update translations
+
+(Turkish) currently translated at 100.0% (349 of 349 strings)
+Translation: authselect/master
+Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-application/tr/
+
+Co-authored-by: Jan Kuparinen <copper_fin@hotmail.com>
+Co-authored-by: Oğuz Ersen <oguz@ersen.moe>
+Co-authored-by: Weblate <noreply@weblate.org>
+Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-authselect8adoc/
+Translation: authselect/master-authselect.8.adoc
+---
+ po/fi.po                              | 11 +++++------
+ po/tr.po                              | 12 ++++++------
+ src/man/po/authselect.8.adoc.ca.po    |  2 +-
+ src/man/po/authselect.8.adoc.cs.po    |  2 +-
+ src/man/po/authselect.8.adoc.de.po    |  2 +-
+ src/man/po/authselect.8.adoc.es.po    |  2 +-
+ src/man/po/authselect.8.adoc.fa.po    |  2 +-
+ src/man/po/authselect.8.adoc.fi.po    |  2 +-
+ src/man/po/authselect.8.adoc.fr.po    |  2 +-
+ src/man/po/authselect.8.adoc.hu.po    |  2 +-
+ src/man/po/authselect.8.adoc.it.po    |  2 +-
+ src/man/po/authselect.8.adoc.ja.po    |  2 +-
+ src/man/po/authselect.8.adoc.ko.po    |  2 +-
+ src/man/po/authselect.8.adoc.nl.po    |  2 +-
+ src/man/po/authselect.8.adoc.pl.po    |  2 +-
+ src/man/po/authselect.8.adoc.pt.po    |  2 +-
+ src/man/po/authselect.8.adoc.pt_BR.po |  2 +-
+ src/man/po/authselect.8.adoc.ru.po    |  2 +-
+ src/man/po/authselect.8.adoc.si.po    |  2 +-
+ src/man/po/authselect.8.adoc.sv.po    |  2 +-
+ src/man/po/authselect.8.adoc.tr.po    |  2 +-
+ src/man/po/authselect.8.adoc.uk.po    |  2 +-
+ src/man/po/authselect.8.adoc.zh_CN.po | 16 +++++++---------
+ src/man/po/authselect.8.adoc.zh_TW.po |  2 +-
+ 24 files changed, 39 insertions(+), 42 deletions(-)
+
+diff --git a/po/fi.po b/po/fi.po
+index 63f52ad6a8cd85d6f5c06b0a57d194ac94268206..12c84ea64ed09176d2e08e0d02aa47278540758f 100644
+--- a/po/fi.po
++++ b/po/fi.po
+@@ -1,14 +1,14 @@
+ # SOME DESCRIPTIVE TITLE.
+ # Copyright (C) YEAR Red Hat, Inc.
+ # This file is distributed under the same license as the authselect package.
+-# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022.
++# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2024.
+ # Ricky Tigg <ricky.tigg@gmail.com>, 2022.
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: authselect 1.2.2\n"
+ "Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n"
+ "POT-Creation-Date: 2023-09-27 13:03+0200\n"
+-"PO-Revision-Date: 2022-05-23 17:18+0000\n"
++"PO-Revision-Date: 2024-02-20 20:36+0000\n"
+ "Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
+ "Language-Team: Finnish <https://translate.fedoraproject.org/projects/"
+ "authselect/master-application/fi/>\n"
+@@ -17,7 +17,7 @@ msgstr ""
+ "Content-Type: text/plain; charset=UTF-8\n"
+ "Content-Transfer-Encoding: 8bit\n"
+ "Plural-Forms: nplurals=2; plural=n != 1;\n"
+-"X-Generator: Weblate 4.12.2\n"
++"X-Generator: Weblate 5.4\n"
+ 
+ #: src/lib/authselect.c:47 src/lib/authselect.c:188
+ msgid "Unable to obtain supported features"
+@@ -671,10 +671,9 @@ msgid "Unable to chown file [%s] [%d]: %s"
+ msgstr "Ei pysty ajamaan chmod tiedostolle [%s] [%d]: %s"
+ 
+ #: src/lib/util/selinux.c:46
+-#, fuzzy, c-format
+-#| msgid "Unable to create selabel context [%d]: %s"
++#, c-format
+ msgid "Unable to create selabel handle [%d]: %s"
+-msgstr "Selabel-kontekstia [%d] ei voida luoda: %s"
++msgstr "Selabel-kahvaa [%d] ei voida luoda: %s"
+ 
+ #: src/lib/util/selinux.c:55
+ #, c-format
+diff --git a/po/tr.po b/po/tr.po
+index 546e09bcb7457a44b43965dc222328cbdfe6f94d..8799903c5c18c48972d6faf464f5ee256460729a 100644
+--- a/po/tr.po
++++ b/po/tr.po
+@@ -3,13 +3,14 @@
+ # This file is distributed under the same license as the authselect package.
+ # Oğuz Ersen <oguzersen@protonmail.com>, 2020, 2021.
+ # Anonymous <noreply@weblate.org>, 2020.
++# Oğuz Ersen <oguz@ersen.moe>, 2024.
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: authselect 1.1\n"
+ "Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n"
+ "POT-Creation-Date: 2023-09-27 13:03+0200\n"
+-"PO-Revision-Date: 2021-12-10 17:16+0000\n"
+-"Last-Translator: Oğuz Ersen <oguzersen@protonmail.com>\n"
++"PO-Revision-Date: 2024-01-29 17:36+0000\n"
++"Last-Translator: Oğuz Ersen <oguz@ersen.moe>\n"
+ "Language-Team: Turkish <https://translate.fedoraproject.org/projects/"
+ "authselect/master-application/tr/>\n"
+ "Language: tr\n"
+@@ -17,7 +18,7 @@ msgstr ""
+ "Content-Type: text/plain; charset=UTF-8\n"
+ "Content-Transfer-Encoding: 8bit\n"
+ "Plural-Forms: nplurals=2; plural=n != 1;\n"
+-"X-Generator: Weblate 4.9.1\n"
++"X-Generator: Weblate 5.3.1\n"
+ 
+ #: src/lib/authselect.c:47 src/lib/authselect.c:188
+ msgid "Unable to obtain supported features"
+@@ -671,10 +672,9 @@ msgid "Unable to chown file [%s] [%d]: %s"
+ msgstr "[%s] dosyasının sahibi değiştirilemedi [%d]: %s"
+ 
+ #: src/lib/util/selinux.c:46
+-#, fuzzy, c-format
+-#| msgid "Unable to create selabel context [%d]: %s"
++#, c-format
+ msgid "Unable to create selabel handle [%d]: %s"
+-msgstr "selabel bağlamı oluşturulamadı [%d]: %s"
++msgstr "selabel tanıtıcısı oluşturulamadı [%d]: %s"
+ 
+ #: src/lib/util/selinux.c:55
+ #, c-format
+diff --git a/src/man/po/authselect.8.adoc.ca.po b/src/man/po/authselect.8.adoc.ca.po
+index 8c04b973ccfb0136589965d79a4fc38f57c38523..01e54857766fcbf7f063792a9953cbd26a979a51 100644
+--- a/src/man/po/authselect.8.adoc.ca.po
++++ b/src/man/po/authselect.8.adoc.ca.po
+@@ -5,7 +5,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+ "Last-Translator: Automatically generated\n"
+ "Language-Team: none\n"
+diff --git a/src/man/po/authselect.8.adoc.cs.po b/src/man/po/authselect.8.adoc.cs.po
+index 84d630218ec7ef3b880a0da7315b2abd30bd3e62..cc98ea8c50ad65a19862b8470938cafafecc3e70 100644
+--- a/src/man/po/authselect.8.adoc.cs.po
++++ b/src/man/po/authselect.8.adoc.cs.po
+@@ -3,7 +3,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-08-07 20:21+0000\n"
+ "Last-Translator: Jan Kalabza <jan.kalabza@gmail.com>\n"
+ "Language-Team: Czech <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.de.po b/src/man/po/authselect.8.adoc.de.po
+index c336bc529496cf756c4bbf19740866ebaf42a338..e3182a8baf1652da247c2dc9f773a313f29f79a2 100644
+--- a/src/man/po/authselect.8.adoc.de.po
++++ b/src/man/po/authselect.8.adoc.de.po
+@@ -7,7 +7,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-08-15 14:21+0000\n"
+ "Last-Translator: Jens Maucher <jensmaucher@gmail.com>\n"
+ "Language-Team: German <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.es.po b/src/man/po/authselect.8.adoc.es.po
+index 3d4ad340075ba970b2b56768fffb49567d16dcfa..b578e40a436b8ea242c4aba0e5149c09336162e2 100644
+--- a/src/man/po/authselect.8.adoc.es.po
++++ b/src/man/po/authselect.8.adoc.es.po
+@@ -5,7 +5,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-11-26 20:01+0000\n"
+ "Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
+ "Language-Team: Spanish <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.fa.po b/src/man/po/authselect.8.adoc.fa.po
+index ae77afb38249e573ebeedd97b6ebddfc8f681d59..e4b24f2f91ea06ed6e83a50c4e6e35678f65dd80 100644
+--- a/src/man/po/authselect.8.adoc.fa.po
++++ b/src/man/po/authselect.8.adoc.fa.po
+@@ -6,7 +6,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-05-28 19:20+0000\n"
+ "Last-Translator: Taha Mokhtary <taha490mokh@outlook.com>\n"
+ "Language-Team: Persian <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.fi.po b/src/man/po/authselect.8.adoc.fi.po
+index 8253cfd47b1b4ddb9d57283f887f1de6ad59b473..16aec3e6d69581b8875b5af4e426efc5cbc0ca5e 100644
+--- a/src/man/po/authselect.8.adoc.fi.po
++++ b/src/man/po/authselect.8.adoc.fi.po
+@@ -6,7 +6,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2022-05-26 06:18+0000\n"
+ "Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
+ "Language-Team: Finnish <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.fr.po b/src/man/po/authselect.8.adoc.fr.po
+index d8a23e660ec33a5d59b3647ae4795375451e70a9..ffb86dc6e1f79205213f4c576ddea94858f00088 100644
+--- a/src/man/po/authselect.8.adoc.fr.po
++++ b/src/man/po/authselect.8.adoc.fr.po
+@@ -6,7 +6,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-03-24 15:20+0000\n"
+ "Last-Translator: grimst <grimaitres@gmail.com>\n"
+ "Language-Team: French <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.hu.po b/src/man/po/authselect.8.adoc.hu.po
+index cc9533c0b0b31a691c636bee3305a0d6dcd05f7b..e9afadedb912b8e1838ab0552e1fce292e5a972f 100644
+--- a/src/man/po/authselect.8.adoc.hu.po
++++ b/src/man/po/authselect.8.adoc.hu.po
+@@ -4,7 +4,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-05-12 16:21+0000\n"
+ "Last-Translator: Dankaházi (ifj.) István <dankahazi.istvan@gmail.com>\n"
+ "Language-Team: Hungarian <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.it.po b/src/man/po/authselect.8.adoc.it.po
+index ba4c7f28c8339e051f6ec1a671f5b36a241ed22c..f7be3a8f0316ad6ab3d85e0e844801e8709d4c23 100644
+--- a/src/man/po/authselect.8.adoc.it.po
++++ b/src/man/po/authselect.8.adoc.it.po
+@@ -6,7 +6,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2022-06-09 21:18+0000\n"
+ "Last-Translator: Nathan <nathan95@live.it>\n"
+ "Language-Team: Italian <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.ja.po b/src/man/po/authselect.8.adoc.ja.po
+index a51b5e224fabe4481cad474e75428d0ebf3e6b8e..ef82bf20e14d8f34f81709ab5b591a5608577dfe 100644
+--- a/src/man/po/authselect.8.adoc.ja.po
++++ b/src/man/po/authselect.8.adoc.ja.po
+@@ -6,7 +6,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2022-01-21 09:16+0000\n"
+ "Last-Translator: simmon <simmon@nplob.com>\n"
+ "Language-Team: Japanese <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.ko.po b/src/man/po/authselect.8.adoc.ko.po
+index 1c5e72b3d83c651e892f957829a8a95f4e8a3de5..27d7ea56ccb60b2623245bb002b2aca1fceafe9c 100644
+--- a/src/man/po/authselect.8.adoc.ko.po
++++ b/src/man/po/authselect.8.adoc.ko.po
+@@ -9,7 +9,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2022-12-03 10:19+0000\n"
+ "Last-Translator: 김인수 <simmon@nplob.com>\n"
+ "Language-Team: Korean <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.nl.po b/src/man/po/authselect.8.adoc.nl.po
+index 63237e8274e347f97bccf9cb10fbf2b9ed6a4d65..b26ffb2185f994f4305b59d59567a787cd2e4bfd 100644
+--- a/src/man/po/authselect.8.adoc.nl.po
++++ b/src/man/po/authselect.8.adoc.nl.po
+@@ -5,7 +5,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-04-02 20:20+0000\n"
+ "Last-Translator: Maarten <maarten@posteo.de>\n"
+ "Language-Team: Dutch <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.pl.po b/src/man/po/authselect.8.adoc.pl.po
+index b75ee13e702eef796f650c3a9da3b6c5b4e6fc0c..a7d6b42b39470b34672a543ae84f8cb0f0f0be05 100644
+--- a/src/man/po/authselect.8.adoc.pl.po
++++ b/src/man/po/authselect.8.adoc.pl.po
+@@ -9,7 +9,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2022-05-07 11:00+0000\n"
+ "Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
+ "Language-Team: Polish <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.pt.po b/src/man/po/authselect.8.adoc.pt.po
+index 6b70ebc6b96a6ff6a83c853090939a2c6fb9818c..d38eb472eaabaa1475aba0438e00b0a76eb6eb0c 100644
+--- a/src/man/po/authselect.8.adoc.pt.po
++++ b/src/man/po/authselect.8.adoc.pt.po
+@@ -7,7 +7,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2020-05-27 14:40+0000\n"
+ "Last-Translator: Manuela Silva <mmsrs@sky.com>\n"
+ "Language-Team: Portuguese <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.pt_BR.po b/src/man/po/authselect.8.adoc.pt_BR.po
+index b53c0991c3741bda2863f5741279da4f94ad9ac1..6793e2b4bb32ddc268a998de262c4e2ebbbbe60b 100644
+--- a/src/man/po/authselect.8.adoc.pt_BR.po
++++ b/src/man/po/authselect.8.adoc.pt_BR.po
+@@ -7,7 +7,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2020-08-05 21:29+0000\n"
+ "Last-Translator: Fábio Rodrigues Ribeiro <farribeiro@gmail.com>\n"
+ "Language-Team: Portuguese (Brazil) <https://translate.fedoraproject.org/"
+diff --git a/src/man/po/authselect.8.adoc.ru.po b/src/man/po/authselect.8.adoc.ru.po
+index e3be9c2f74466768d302a7b572c611b66a8ce06c..e09ff934255b8159b96844698191edf49563c3b3 100644
+--- a/src/man/po/authselect.8.adoc.ru.po
++++ b/src/man/po/authselect.8.adoc.ru.po
+@@ -7,7 +7,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2022-04-15 19:17+0000\n"
+ "Last-Translator: Igor Gorbounov <igor.gorbounov@gmail.com>\n"
+ "Language-Team: Russian <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.si.po b/src/man/po/authselect.8.adoc.si.po
+index 680dbc849fffac6aa36f6cd73bfa7e937495c184..73ee855f62defbe3c1b9f7dcbf0d52e64a57f2e3 100644
+--- a/src/man/po/authselect.8.adoc.si.po
++++ b/src/man/po/authselect.8.adoc.si.po
+@@ -5,7 +5,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2021-08-18 19:04+0000\n"
+ "Last-Translator: Hela Basa <r45xveza@pm.me>\n"
+ "Language-Team: Sinhala <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.sv.po b/src/man/po/authselect.8.adoc.sv.po
+index 09230620986f5e51d6fb3f448408cd358fa2f405..e02d689dfe45c91a5a9498b80628b179c2900141 100644
+--- a/src/man/po/authselect.8.adoc.sv.po
++++ b/src/man/po/authselect.8.adoc.sv.po
+@@ -5,7 +5,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-02-04 22:20+0000\n"
+ "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
+ "Language-Team: Swedish <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.tr.po b/src/man/po/authselect.8.adoc.tr.po
+index 6e07d847ebe1215f2447409a4a278569ce937665..9ae399bdd4834ff268be140ced000e8940a9bd47 100644
+--- a/src/man/po/authselect.8.adoc.tr.po
++++ b/src/man/po/authselect.8.adoc.tr.po
+@@ -6,7 +6,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2022-12-03 10:19+0000\n"
+ "Last-Translator: Oğuz Ersen <oguz@ersen.moe>\n"
+ "Language-Team: Turkish <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.uk.po b/src/man/po/authselect.8.adoc.uk.po
+index 5f29b38d2c6134893285054e8ee53bf57c5afb4e..4ea4a570a0cc1aaa6c705fe29d39aaa2d58fab5f 100644
+--- a/src/man/po/authselect.8.adoc.uk.po
++++ b/src/man/po/authselect.8.adoc.uk.po
+@@ -5,7 +5,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2022-12-03 10:19+0000\n"
+ "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+ "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
+diff --git a/src/man/po/authselect.8.adoc.zh_CN.po b/src/man/po/authselect.8.adoc.zh_CN.po
+index 914e9495d27dd96dc8642f2f8fd14cf423ec4b81..eda47df87c59010fe0cc3a970352257604e6b0a9 100644
+--- a/src/man/po/authselect.8.adoc.zh_CN.po
++++ b/src/man/po/authselect.8.adoc.zh_CN.po
+@@ -8,7 +8,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2023-12-04 03:43+0000\n"
+ "Last-Translator: Jingge Chen <mariocanfly@hotmail.com>\n"
+ "Language-Team: Chinese (Simplified) <https://translate.fedoraproject.org/"
+@@ -141,9 +141,7 @@ msgstr ""
+ #: src/man/authselect.8.adoc:51
+ #, no-wrap
+ msgid "*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] [--backup=NAME]"
+-msgstr ""
+-"*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] "
+-"[--backup=NAME]"
++msgstr "*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] [--backup=NAME]"
+ 
+ #. type: Plain text
+ #: src/man/authselect.8.adoc:54
+@@ -254,8 +252,8 @@ msgid ""
+ "otherwise an error is returned."
+ msgstr ""
+ "重新应用当前选定的配置文件。如果配置文件模板已更新，该命令可用于重新生成当前"
+-"系统配置，以便在系统上应用这些更改。只有当现有配置是有效的 authselect "
+-"配置时，此命令才会重新应用更改，否则将返回错误信息。"
++"系统配置，以便在系统上应用这些更改。只有当现有配置是有效的 authselect 配置"
++"时，此命令才会重新应用更改，否则将返回错误信息。"
+ 
+ #. type: Plain text
+ #: src/man/authselect.8.adoc:91
+@@ -308,8 +306,7 @@ msgid ""
+ "_Note:_ This will only list the features without any description. Please, read the profile documentation with *show* to see what the features do."
+ msgstr ""
+ "列出给定配置文件中的所有可用功能。\n"
+-"_注意：_这仅会列出所有功能但不提供任何描述。请使用 *show* "
+-"阅读配置文件，了解这些功能。"
++"_注意：_这仅会列出所有功能但不提供任何描述。请使用 *show* 阅读配置文件，了解这些功能。"
+ 
+ #. type: Labeled list
+ #: src/man/authselect.8.adoc:105
+@@ -345,7 +342,8 @@ msgid ""
+ "Print information about currently selected profiles. If *--raw* option is "
+ "specified, the command will print raw parameters as they were passed to "
+ "*select* command instead of formatted output."
+-msgstr "打印当前所选配置文件的信息。如果指定了 *--raw* 选项，命令将打印传给 *select* "
++msgstr ""
++"打印当前所选配置文件的信息。如果指定了 *--raw* 选项，命令将打印传给 *select* "
+ "命令的原始参数，而不是格式化输出。"
+ 
+ #. type: Labeled list
+diff --git a/src/man/po/authselect.8.adoc.zh_TW.po b/src/man/po/authselect.8.adoc.zh_TW.po
+index eb80dce79f25d5aba2c9806c869fdaf959fd4c93..80c3eed4a6ef2259540ca32335c9e1f4f623a25a 100644
+--- a/src/man/po/authselect.8.adoc.zh_TW.po
++++ b/src/man/po/authselect.8.adoc.zh_TW.po
+@@ -6,7 +6,7 @@
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
++"POT-Creation-Date: 2024-01-18 16:34+0100\n"
+ "PO-Revision-Date: 2020-05-22 17:40+0000\n"
+ "Last-Translator: Yi-Jyun Pan <pan93412@gmail.com>\n"
+ "Language-Team: Chinese (Traditional) <https://translate.fedoraproject.org/"
+-- 
+2.42.0
+

0004-nis-install-nis-profile-conditionally.patch

@@ -0,0 +1,177 @@
+From 9321126e20898b23c19e168177d8a383a750fefb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 23 Feb 2024 12:51:37 +0100
+Subject: [PATCH 04/11] nis: install nis profile conditionally
+
+NIS profile is installed only if --with-nis-profile configure flag is
+given.
+---
+ profiles/Makefile.am                |  2 ++
+ rpm/authselect.spec.in              | 37 +++++++++++++++++++----------
+ scripts/manpages-build.sh.in        |  1 +
+ src/conf_macros.m4                  | 10 ++++++++
+ src/man/authselect-migration.7.adoc |  7 ++++++
+ 5 files changed, 45 insertions(+), 12 deletions(-)
+
+diff --git a/profiles/Makefile.am b/profiles/Makefile.am
+index bc437c158f6922afdba4ab261c73f31c93846118..61728cab77022ddc0bb35a3649a38123dc4987cf 100644
+--- a/profiles/Makefile.am
++++ b/profiles/Makefile.am
+@@ -15,6 +15,7 @@ dist_profile_local_DATA = \
+     $(top_srcdir)/profiles/local/dconf-locks \
+     $(NULL)
+ 
++if WITH_NIS_PROFILE
+ profile_nisdir = $(authselect_profile_dir)/nis
+ dist_profile_nis_DATA = \
+     $(top_srcdir)/profiles/nis/nsswitch.conf \
+@@ -28,6 +29,7 @@ dist_profile_nis_DATA = \
+     $(top_srcdir)/profiles/nis/dconf-db \
+     $(top_srcdir)/profiles/nis/dconf-locks \
+     $(NULL)
++endif
+ 
+ profile_sssddir = $(authselect_profile_dir)/sssd
+ dist_profile_sssd_DATA = \
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1..350ca953632f21be861c1ee75f25f71d107ca1ee 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -12,6 +12,13 @@ Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+ 
+ %global makedir %{_builddir}/%{name}-%{version}
+ 
++# Disable NIS profile on RHEL
++%if 0%{?rhel}
++%global with_nis_profile 0
++%else
++%global with_nis_profile 1
++%endif
++
+ # Set the default profile
+ %{?fedora:%global default_profile local with-silent-lastlog}
+ %{?rhel:%global default_profile local}
+@@ -75,7 +82,11 @@ done
+ 
+ %build
+ autoreconf -if
+-%configure
++%configure \
++%if %{with_nis_profile}
++    --with-nis-profile \
++%endif
++    %{nil}
+ %make_build
+ 
+ %check
+@@ -123,7 +134,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %dir %{_datadir}/authselect/vendor
+ %dir %{_datadir}/authselect/default
+ %dir %{_datadir}/authselect/default/local/
+-%dir %{_datadir}/authselect/default/nis/
+ %dir %{_datadir}/authselect/default/sssd/
+ %dir %{_datadir}/authselect/default/winbind/
+ %{_datadir}/authselect/default/local/dconf-db
+@@ -136,16 +146,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %{_datadir}/authselect/default/local/REQUIREMENTS
+ %{_datadir}/authselect/default/local/smartcard-auth
+ %{_datadir}/authselect/default/local/system-auth
+-%{_datadir}/authselect/default/nis/dconf-db
+-%{_datadir}/authselect/default/nis/dconf-locks
+-%{_datadir}/authselect/default/nis/fingerprint-auth
+-%{_datadir}/authselect/default/nis/nsswitch.conf
+-%{_datadir}/authselect/default/nis/password-auth
+-%{_datadir}/authselect/default/nis/postlogin
+-%{_datadir}/authselect/default/nis/README
+-%{_datadir}/authselect/default/nis/REQUIREMENTS
+-%{_datadir}/authselect/default/nis/smartcard-auth
+-%{_datadir}/authselect/default/nis/system-auth
+ %{_datadir}/authselect/default/sssd/dconf-db
+ %{_datadir}/authselect/default/sssd/dconf-locks
+ %{_datadir}/authselect/default/sssd/fingerprint-auth
+@@ -166,6 +166,19 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %{_datadir}/authselect/default/winbind/REQUIREMENTS
+ %{_datadir}/authselect/default/winbind/smartcard-auth
+ %{_datadir}/authselect/default/winbind/system-auth
++%if %{with_nis_profile}
++%dir %{_datadir}/authselect/default/nis/
++%{_datadir}/authselect/default/nis/dconf-db
++%{_datadir}/authselect/default/nis/dconf-locks
++%{_datadir}/authselect/default/nis/fingerprint-auth
++%{_datadir}/authselect/default/nis/nsswitch.conf
++%{_datadir}/authselect/default/nis/password-auth
++%{_datadir}/authselect/default/nis/postlogin
++%{_datadir}/authselect/default/nis/README
++%{_datadir}/authselect/default/nis/REQUIREMENTS
++%{_datadir}/authselect/default/nis/smartcard-auth
++%{_datadir}/authselect/default/nis/system-auth
++%endif
+ %{_libdir}/libauthselect.so.*
+ %{_mandir}/man5/authselect-profiles.5*
+ %{_datadir}/doc/authselect/COPYING
+diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
+index 314bb2b2a0e4432632478230ab5ff5b3dce2943f..9e553f755a64717f854f3aba33c62140130ce18f 100755
+--- a/scripts/manpages-build.sh.in
++++ b/scripts/manpages-build.sh.in
+@@ -233,6 +233,7 @@ ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
+ ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
+ ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
+ ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
++ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
+ 
+ manpages-translate
+ 
+diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
+index 17c1629723066b0c4e354051366ce209428af6c1..9a81a6e194d16ecc0408e8631530cf7048fd9241 100644
+--- a/src/conf_macros.m4
++++ b/src/conf_macros.m4
+@@ -99,3 +99,13 @@ if test x"$with_user_nsswitch" = xyes; then
+     AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
+     AC_SUBST(BUILD_USER_NSSWITCH, 1)
+ fi
++
++AC_ARG_WITH([nis-profile],
++    [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
++    [], with_nis_profile=no
++)
++AM_CONDITIONAL([WITH_NIS_PROFILE], [test x$with_nis_profile = xyes])
++AC_SUBST(WITH_NIS_PROFILE, 0)
++if test x"$with_nis_profile" = xyes; then
++    AC_SUBST(WITH_NIS_PROFILE, 1)
++fi
+diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
+index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..8cc58e60301925974fdb738c5b9a746749981df8 100644
+--- a/src/man/authselect-migration.7.adoc
++++ b/src/man/authselect-migration.7.adoc
+@@ -72,7 +72,12 @@ configuration file for required services.
+ |--enablesssd --enablesssdauth       |sssd
+ |--enablekrb5                        |sssd
+ |--enablewinbind --enablewinbindauth |winbind
++ifeval::[{WITH_NIS_PROFILE} == 1]
+ |--enablenis                         |nis
++endif::[]
++ifeval::[{WITH_NIS_PROFILE} != 1]
++|--enablenis                         |none
++endif::[]
+ |=========================================================
+ 
+ .Relation of authconfig options to authselect profile features
+@@ -199,6 +204,7 @@ will perform an initial setup which involves creating a Kerberos keytab and
+ running `adcli` to join the domain. It also makes changes to `smb.conf`. You
+ can then tune it up by modifying {sysconfdir}/samba/smb.conf.
+ 
++ifeval::[{WITH_NIS_PROFILE} == 1]
+ NIS
+ ~~~
+ There are several places that needs to be configured in order to make
+@@ -227,6 +233,7 @@ $ domainname mydomain
+ $ setsebool -P allow_ypbind 1
+ ----
+ 
++endif::[]
+ PASSWORD QUALITY
+ ~~~~~~~~~~~~~~~~
+ Authselect enables `pam_pwquality` module to enforce password quality
+-- 
+2.42.0
+

0005-configure-drop-user-nsswitch.conf-support.patch

@@ -0,0 +1,349 @@
+From 923fd37712eae8d99d514708e35894b6ea056628 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 23 Feb 2024 13:24:25 +0100
+Subject: [PATCH 05/11] configure: drop user-nsswitch.conf support
+
+user-nsswitch.conf support is now completely dropped, it can no
+longer be enabled via configure flag
+---
+ scripts/manpages-build.sh.in       |   1 -
+ src/cli/main.c                     |   9 --
+ src/conf_macros.m4                 |  10 --
+ src/lib/files/nsswitch.c           | 156 -----------------------------
+ src/lib/paths.h                    |   3 -
+ src/man/authselect-profiles.5.adoc |   7 --
+ src/man/authselect.8.adoc          |  61 -----------
+ 7 files changed, 247 deletions(-)
+
+diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
+index 9e553f755a64717f854f3aba33c62140130ce18f..f4ac71e3a22723a52101bb9cbbadd79740515070 100755
+--- a/scripts/manpages-build.sh.in
++++ b/scripts/manpages-build.sh.in
+@@ -232,7 +232,6 @@ ATTR+=" -a AUTHSELECT_PAM_DIR=\"@AUTHSELECT_PAM_DIR@\""
+ ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
+ ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
+ ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
+-ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
+ ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
+ 
+ manpages-translate
+diff --git a/src/cli/main.c b/src/cli/main.c
+index 18486b50bc42f9937cc7294c3e5e2b32cafab5e0..fe06a5d8ababa58209690a97e84ae254b859cdc6 100644
+--- a/src/cli/main.c
++++ b/src/cli/main.c
+@@ -186,15 +186,6 @@ static errno_t activate(struct cli_cmdline *cmdline)
+         goto done;
+     }
+ 
+-#ifdef BUILD_USER_NSSWITCH
+-    maps = authselect_profile_nsswitch_maps(profile, features);
+-    if (maps == NULL) {
+-        ERROR("Unable to obtain nsswitch maps!");
+-        ret = EFAULT;
+-        goto done;
+-    }
+-#endif
+-
+     if (backup || backup_name != NULL || (enforce && !nobackup)) {
+         ret = perform_backup(quiet, 1, backup_name);
+         if (ret != EOK) {
+diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
+index 9a81a6e194d16ecc0408e8631530cf7048fd9241..ae8fa0274e038e98115d000717487dbdbc04df4c 100644
+--- a/src/conf_macros.m4
++++ b/src/conf_macros.m4
+@@ -90,16 +90,6 @@ if test x"$with_compat" = xyes; then
+ fi
+ AM_CONDITIONAL([BUILD_COMPAT], [test x$with_compat = xyes])
+ 
+-AC_ARG_WITH([user-nsswitch],
+-    [AC_HELP_STRING([--with-user-nsswitch], [Build with user nsswitch support [no]])],
+-    [], with_user_nsswitch=no
+-)
+-AC_SUBST(BUILD_USER_NSSWITCH, 0)
+-if test x"$with_user_nsswitch" = xyes; then
+-    AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
+-    AC_SUBST(BUILD_USER_NSSWITCH, 1)
+-fi
+-
+ AC_ARG_WITH([nis-profile],
+     [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
+     [], with_nis_profile=no
+diff --git a/src/lib/files/nsswitch.c b/src/lib/files/nsswitch.c
+index 9598ea5cc5d5e30678acd91354629a87fc727be9..0e35380a2603316483cd6bcfdc58742c25b6a2b1 100644
+--- a/src/lib/files/nsswitch.c
++++ b/src/lib/files/nsswitch.c
+@@ -87,160 +87,6 @@ done:
+     return ret;
+ }
+ 
+-#ifdef BUILD_USER_NSSWITCH
+-
+-static errno_t
+-authselect_nsswitch_delete_maps(char **maps,
+-                                char *content)
+-{
+-    char *match_string;
+-    const char *map_name;
+-    size_t map_len;
+-    size_t orig_len;
+-    regmatch_t m[RE_NSS_MATCHES];
+-    regex_t regex;
+-    errno_t ret;
+-    int reret;
+-    int i;
+-
+-    if (string_is_empty(content)) {
+-        return EOK;
+-    }
+-
+-    orig_len = strlen(content);
+-
+-    reret = regcomp(&regex, RE_NSS, REG_EXTENDED | REG_NEWLINE);
+-    if (reret != REG_NOERROR) {
+-        ERROR("Unable to compile regular expression: regex error %d", reret);
+-        ret = EFAULT;
+-        goto done;
+-    }
+-
+-    match_string = content;
+-    while ((reret = regexec(&regex, match_string, 2, m, 0)) == REG_NOERROR) {
+-        map_name = match_string + m[1].rm_so;
+-        map_len = m[1].rm_eo - m[1].rm_so;
+-        for (i = 0; maps[i] != NULL; i++) {
+-            if (strncmp(map_name, maps[i], map_len) == 0) {
+-                string_remove_line(content, match_string, m[1].rm_so);
+-                break;
+-            }
+-        }
+-
+-        /* Since the whole line could have been removed, we have to find first
+-         * non-zero position. */
+-        match_string += m[0].rm_eo;
+-        while (*match_string == '\0' && match_string - content < orig_len) {
+-            match_string++;
+-        }
+-    }
+-
+-    if (reret != REG_NOMATCH) {
+-        ERROR("Unable to search string: regex error %d", reret);
+-        ret = EFAULT;
+-        goto done;
+-    }
+-
+-    string_replace_shake(content, orig_len);
+-
+-    ret = EOK;
+-
+-done:
+-    regfree(&regex);
+-
+-    return ret;
+-}
+-
+-errno_t
+-authselect_nsswitch_generate(const char *template,
+-                             const char **features,
+-                             char **_content)
+-{
+-    static const char *preambule = \
+-    "# If you want to make changes to nsswitch.conf please modify\n"
+-    "# " PATH_USER_NSSWITCH " and run 'authselect apply-changes'.\n"
+-    "#\n"
+-    "# Note that your changes may not be applied as they may be\n"
+-    "# overwritten by selected profile. Maps set in the authselect\n"
+-    "# profile takes always precedence and overwrites the same maps\n"
+-    "# set in the user file. Only maps that are not set by the profile\n"
+-    "# are applied from the user file.\n"
+-    "#\n"
+-    "# For example, if the profile sets:\n"
+-    "#     passwd: sss files\n"
+-    "# and " PATH_USER_NSSWITCH " contains:\n"
+-    "#     passwd: files\n"
+-    "#     hosts: files dns\n"
+-    "# the resulting generated nsswitch.conf will be:\n"
+-    "#     passwd: sss files # from profile\n"
+-    "#     hosts: files dns  # from user file\n\n";
+-    char *user_content = NULL;
+-    char *generated = NULL;
+-    char *content = NULL;
+-    char **maps = NULL;
+-    errno_t ret;
+-
+-    generated = template_generate(template, features);
+-    if (generated == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    ret = textfile_read(PATH_USER_NSSWITCH, AUTHSELECT_FILE_SIZE_LIMIT,
+-                        &user_content);
+-    switch (ret) {
+-    case EOK:
+-        ret = authselect_nsswitch_find_maps(generated, &maps);
+-        if (ret != EOK) {
+-            goto done;
+-        }
+-
+-        ret = authselect_nsswitch_delete_maps(maps, user_content);
+-        if (ret != EOK) {
+-            goto done;
+-        }
+-
+-        if (string_is_empty(user_content)) {
+-            content = format("%s%s", preambule, generated);
+-            break;
+-        }
+-
+-        content = format("%s%s\n# Included from %s\n\n%s",
+-                         preambule, generated, PATH_USER_NSSWITCH,
+-                         user_content);
+-        break;
+-    case ENOENT:
+-        content = format("%s%s", preambule, generated);
+-        break;
+-    default:
+-        ERROR("Unable to read [%s] [%d]: %s", PATH_USER_NSSWITCH,
+-              ret, strerror(ret));
+-        goto done;
+-    }
+-
+-    if (content == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    *_content = content;
+-
+-    ret = EOK;
+-
+-done:
+-    if (ret != EOK) {
+-        ERROR("Unable to generate nsswitch.conf [%d]: %s", ret, strerror(ret));
+-    }
+-
+-    free(user_content);
+-    free(generated);
+-    string_array_free(maps);
+-
+-    return ret;
+-}
+-
+-#else /* BUILD_USER_NSSWITCH */
+-
+ errno_t
+ authselect_nsswitch_generate(const char *template,
+                              const char **features,
+@@ -257,5 +103,3 @@ authselect_nsswitch_generate(const char *template,
+ 
+     return EOK;
+ }
+-
+-#endif /* BUILD_USER_NSSWITCH */
+diff --git a/src/lib/paths.h b/src/lib/paths.h
+index ca30b784f8bc63150f46ef08a26ec2bc5bcb3d67..41e4534b2efd421be8b9fea3b1fa9ebc3a699749 100644
+--- a/src/lib/paths.h
++++ b/src/lib/paths.h
+@@ -53,9 +53,6 @@
+ #define PATH_DCONF_DB    AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_DB
+ #define PATH_DCONF_LOCK  AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_LOCK
+ 
+-/* Path to files that can be modified by user. */
+-#define PATH_USER_NSSWITCH  AUTHSELECT_CONFIG_DIR "/user-nsswitch.conf"
+-
+ /* Names of symbolic links that points to generated files. */
+ #define PATH_SYMLINK_SYSTEM      AUTHSELECT_PAM_DIR "/" FILE_SYSTEM
+ #define PATH_SYMLINK_PASSWORD    AUTHSELECT_PAM_DIR "/" FILE_PASSWORD
+diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
+index 76a48fa25a13a7052eeac662d7f5f1b11f1f9493..648b7980cfaabeb02913650a35dfffa8e17b0aaa 100644
+--- a/src/man/authselect-profiles.5.adoc
++++ b/src/man/authselect-profiles.5.adoc
+@@ -53,14 +53,7 @@ done to the system.
+      the modules in the system-auth configuration file._
+ 
+ *nsswitch.conf*::
+-ifeval::[{BUILD_USER_NSSWITCH} == 0]
+     Name Service Switch configuration file.
+-endif::[]
+-ifeval::[{BUILD_USER_NSSWITCH} == 1]
+-    Name Service Switch configuration file. Only maps relevant to the profile
+-    must be set. Maps that are not specified by the profile are included from
+-    {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf.
+-endif::[]
+ 
+ *dconf-db*::
+     Changes to dconf database. The main uses case of this file is to set
+diff --git a/src/man/authselect.8.adoc b/src/man/authselect.8.adoc
+index 39758a6ca71e962ae942ce3608ac3bd0ffd3fabf..5d695cced0fbdc2cda78d61eb3f7b8d929cae692 100644
+--- a/src/man/authselect.8.adoc
++++ b/src/man/authselect.8.adoc
+@@ -261,67 +261,6 @@ These options are available with all commands.
+     the program execution but may indicate some undesired situations
+     (e.g. unexpected file in a profile directory).
+ 
+-ifeval::[{BUILD_USER_NSSWITCH} == 1]
+-NSSWITCH.CONF MANAGEMENT
+-------------------------
+-Authselect generates {AUTHSELECT_NSSWITCH_CONF} and does not allow any user
+-changes to this file. Such changes are detected and authselect will refuse to
+-write any system configuration unless a *--force* option is provided to
+-the *select* command. This mechanism prevents authselect from overwriting
+-anything that does not match any available profile.
+-
+-Any user changes to nsswitch maps must be done in file
+-{AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf. When authselect generates
+-new _nsswitch.conf_ it reads this file and combines it with configuration
+-from selected profile. The profile configuration takes always precedence.
+-In other words, profiles do not have to set all nsswitch maps but can set only
+-those that are relevant to the profile. If a map is set within a profile,
+-it always overwrites the same map from _user-nsswitch.conf_.
+-
+-.Example 1
+-[subs="attributes"]
+-----
+-# "sssd" profile
+-$ cat {AUTHSELECT_PROFILE_DIR}/sssd/nsswitch.conf
+-passwd:     sss files systemd
+-group:      sss files systemd
+-netgroup:   sss files
+-automount:  sss files
+-services:   sss files
+-sudoers:    files sss {include if "with-sudo"}
+-
+-$ cat {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf
+-passwd: files sss
+-group: files sss
+-hosts: files dns myhostname
+-sudoers: files
+-
+-$ authselect select sssd
+-
+-# passwd and group maps from user-nsswitch.conf are ignored
+-$ cat {AUTHSELECT_NSSWITCH_CONF}
+-passwd:     sss files systemd
+-group:      sss files systemd
+-netgroup:   sss files
+-automount:  sss files
+-services:   sss files
+-hosts:      files dns myhostname
+-sudoers:    files
+-
+-$ authselect select sssd with-sudo
+-
+-# passwd, group and sudoers maps from user-nsswitch.conf are ignored
+-$ cat {AUTHSELECT_NSSWITCH_CONF}
+-passwd:     sss files systemd
+-group:      sss files systemd
+-netgroup:   sss files
+-automount:  sss files
+-services:   sss files
+-sudoers:    files sss
+-hosts:      files dns myhostname
+-----
+-endif::[]
+-
+ TROUBLESHOOTING
+ ---------------
+ 
+-- 
+2.42.0
+

0007-ci-remove-python-checks.patch

@@ -0,0 +1,46 @@
+From 23936036c5b6cd51843a7f964998f5345877fa8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 23 Feb 2024 13:34:31 +0100
+Subject: [PATCH 07/11] ci: remove python checks
+
+With the compat tool gone, there is no other python script.
+---
+ .github/workflows/analyze.yml | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml
+index 37682f068b586dc0e7ba34f1098f4009b88e7254..16b48b031519b81221de9248d65f076b2616b2f7 100644
+--- a/.github/workflows/analyze.yml
++++ b/.github/workflows/analyze.yml
+@@ -25,7 +25,7 @@ jobs:
+     - name: Initialize CodeQL
+       uses: github/codeql-action/init@v1
+       with:
+-        languages: cpp, python
++        languages: cpp
+         queries: +security-and-quality
+ 
+     - name: Autobuild
+@@ -33,19 +33,3 @@ jobs:
+ 
+     - name: Perform CodeQL Analysis
+       uses: github/codeql-action/analyze@v1
+-
+-  flake8:
+-    runs-on: ubuntu-latest
+-    permissions:
+-      contents: read
+-    steps:
+-    - name: Checkout repository
+-      uses: actions/checkout@v2
+-
+-    - name: Install flake8
+-      run: |
+-        sudo apt update
+-        sudo apt install -y flake8
+-
+-    - name: Execute flake8 on the repository
+-      run: flake8 --ignore=W503,E501 src/compat/authcompat.py.in.in .
+-- 
+2.42.0
+

0009-profiles-merge-groups-records-with-SUCCESS-merge.patch

@@ -0,0 +1,78 @@
+From 8d8adbd35c741d9038588386414ccbddb99bd31d Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 14 Dec 2023 14:16:11 +0100
+Subject: [PATCH 09/11] profiles: merge groups records with [SUCCESS=merge]
+
+Services such as systemd-homed would like to advertise users which are
+part of system groups, such as "wheel". That only works if glibc's
+[SUCCESS=merge] feature is used in nsswitch.conf, so that group records
+from multiple sources are merged.
+
+This is documented here:
+
+https://www.freedesktop.org/software/systemd/man/latest/nss-systemd.html#Configuration%20in%20/etc/nsswitch.conf
+
+This hence adds [SUCCESS=merge] expressions to all NSS modules listed in
+the "groups" lines.
+---
+ profiles/local/nsswitch.conf   | 2 +-
+ profiles/nis/nsswitch.conf     | 2 +-
+ profiles/sssd/nsswitch.conf    | 2 +-
+ profiles/winbind/nsswitch.conf | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
+index c63692fc00c0815c5ba303ec5b48b6c9d7577df2..8582a955c8d03ea1d122a34cd273326d985bdcfb 100644
+--- a/profiles/local/nsswitch.conf
++++ b/profiles/local/nsswitch.conf
+@@ -1,7 +1,7 @@
+ # In order of likelihood of use to accelerate lookup.
+ passwd:     files {if "with-altfiles":altfiles }systemd
+ shadow:     files
+-group:      files {if "with-altfiles":altfiles }systemd
++group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
+ hosts:      files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+ services:   files
+ netgroup:   files
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index 685f92c326bc7767ee167a77b7ba782672bf801f..c033812facee9159c76e2d514ac652e4de2e0b6b 100644
+--- a/profiles/nis/nsswitch.conf
++++ b/profiles/nis/nsswitch.conf
+@@ -1,7 +1,7 @@
+ # In order of likelihood of use to accelerate lookup.
+ passwd:     files {if "with-altfiles":altfiles }nis systemd
+ shadow:     files nis
+-group:      files {if "with-altfiles":altfiles }nis systemd
++group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
+ hosts:      files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
+ services:   files nis
+ netgroup:   files nis
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index 58844a62c8f52f8f25477a811b02a5e401120f30..9f194bc82cee52d4e12779def95afa2f794f66bf 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -1,7 +1,7 @@
+ # In order of likelihood of use to accelerate lookup.
+ passwd:     {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
+ shadow:     files
+-group:      {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
++group:      {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
+ hosts:      files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+ services:   files sss
+ netgroup:   files sss
+diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
+index f0a97e42e084f94fddd329d4cb93d5b5d1da3360..1591ccb3ffa8bd10b8ff06a0620328e275d09241 100644
+--- a/profiles/winbind/nsswitch.conf
++++ b/profiles/winbind/nsswitch.conf
+@@ -1,7 +1,7 @@
+ # In order of likelihood of use to accelerate lookup.
+ passwd:     files {if "with-altfiles":altfiles }winbind systemd
+ shadow:     files
+-group:      files {if "with-altfiles":altfiles }winbind systemd
++group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
+ hosts:      files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+ services:   files
+ netgroup:   files
+-- 
+2.42.0
+

0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch

@@ -0,0 +1,26 @@
+From 565d8a76f1d6ec6c23cd38f7aa4812426e8cb460 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 23 Feb 2024 14:18:00 +0100
+Subject: [PATCH 10/11] spec: use altfiles with success=merge on ostree systems
+ as well
+
+---
+ rpm/authselect.spec.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index 350ca953632f21be861c1ee75f25f71d107ca1ee..39c4ca66058e0749e6d3aea6e7ff76a7a06c4ecc 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -223,7 +223,7 @@ exit 0
+ if test -e /run/ostree-booted; then
+     for PROFILE in `ls %{_datadir}/authselect/default`; do
+         %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
+-        %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
++        %__sed -ie 's/{if "with-altfiles":altfiles \[SUCCESS=merge\] }/altfiles [SUCCESS=merge] /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+     done
+ fi
+ 
+-- 
+2.42.0
+

0011-profiles-put-myhostname-before-dns.patch

@@ -0,0 +1,72 @@
+From 7b7889507928610b37b73641d28d5bbe3f763a4a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 23 Feb 2024 17:22:45 +0100
+Subject: [PATCH 11/11] profiles: put myhostname before dns
+
+To allow `hostname --fqdn` to work correctly. Putting myhostname early
+prevents lookup of canonical hostname if only shortname is provided.
+
+myhostname has been moved back and forth several times, it looks
+like this place is now functional and works as expected.
+---
+ profiles/local/nsswitch.conf   | 2 +-
+ profiles/nis/nsswitch.conf     | 2 +-
+ profiles/sssd/nsswitch.conf    | 2 +-
+ profiles/winbind/nsswitch.conf | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
+index 8582a955c8d03ea1d122a34cd273326d985bdcfb..538926e4d5cc8c190a7b2d10fd3756ad3269a720 100644
+--- a/profiles/local/nsswitch.conf
++++ b/profiles/local/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }systemd
+ shadow:     files
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
+-hosts:      files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+ services:   files
+ netgroup:   files
+ automount:  files
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index c033812facee9159c76e2d514ac652e4de2e0b6b..488476e91879b549fe605008d500b1810360f3be 100644
+--- a/profiles/nis/nsswitch.conf
++++ b/profiles/nis/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }nis systemd
+ shadow:     files nis
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
+-hosts:      files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
+ services:   files nis
+ netgroup:   files nis
+ automount:  files nis
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index 9f194bc82cee52d4e12779def95afa2f794f66bf..b98094d9e0eaeb1559347b81a9505822ff713034 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
+ shadow:     files
+ group:      {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
+-hosts:      files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+ services:   files sss
+ netgroup:   files sss
+ sudoers:    files sss {include if "with-sudo"}
+diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
+index 1591ccb3ffa8bd10b8ff06a0620328e275d09241..cc966b34464bb28776b903d61fff1f6a94a1eb6f 100644
+--- a/profiles/winbind/nsswitch.conf
++++ b/profiles/winbind/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }winbind systemd
+ shadow:     files
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
+-hosts:      files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+ services:   files
+ netgroup:   files
+ automount:  files
+-- 
+2.42.0
+

0901-rhel10-remove-systemd-homed.patch

@@ -0,0 +1,376 @@
+From 054c83d1a40d5e0f98230d0f6ac34bd7ecdf383e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 23 Feb 2024 15:49:09 +0100
+Subject: [PATCH 1/3] rhel10: remove systemd-homed
+
+systemd-homed is not present in rhel.
+---
+ profiles/local/README          | 3 ---
+ profiles/local/password-auth   | 4 ----
+ profiles/local/system-auth     | 4 ----
+ profiles/nis/README            | 3 ---
+ profiles/nis/REQUIREMENTS      | 3 ---
+ profiles/nis/password-auth     | 4 ----
+ profiles/nis/system-auth       | 4 ----
+ profiles/sssd/README           | 3 ---
+ profiles/sssd/REQUIREMENTS     | 3 ---
+ profiles/sssd/password-auth    | 4 ----
+ profiles/sssd/system-auth      | 4 ----
+ profiles/winbind/README        | 3 ---
+ profiles/winbind/REQUIREMENTS  | 3 ---
+ profiles/winbind/password-auth | 4 ----
+ profiles/winbind/system-auth   | 4 ----
+ 15 files changed, 53 deletions(-)
+
+diff --git a/profiles/local/README b/profiles/local/README
+index 03f602441fe95ee280b575508f20d1f1de949b25..eedb298090b5b7c068ee1dfec0ee36c8b3086af4 100644
+--- a/profiles/local/README
++++ b/profiles/local/README
+@@ -54,9 +54,6 @@ with-mdns4::
+ with-mdns6::
+     Enable multicast DNS over IPv6.
+ 
+-with-systemd-homed::
+-    If set, pam_systemd_homed is enabled for all pam operations.
+-
+ with-libvirt::
+     Enable connecting to libvirt VMs using the hostname configured in the
+     guest OS or, as a fallback, their name.
+diff --git a/profiles/local/password-auth b/profiles/local/password-auth
+index 13e10d93b1d43ade8c45c32c50c613f6cf2abcca..d50d7e1fefaf257b8ddcdd1610004ffca9d93634 100644
+--- a/profiles/local/password-auth
++++ b/profiles/local/password-auth
+@@ -4,17 +4,14 @@ auth        required                                     pam_faillock.so preauth
+ auth        sufficient                                   pam_u2f.so cue                                         {include if "with-pam-u2f"}
+ auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
+-auth        sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
+ auth        optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
+ auth        required                                     pam_deny.so
+ 
+ account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+-account     sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so
+ 
+-password    sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ password    requisite                                    pam_pwquality.so
+ password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
+ password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
+@@ -24,7 +21,6 @@ password    required                                     pam_deny.so
+ session     optional                                     pam_keyinit.so revoke
+ session     required                                     pam_limits.so
+ session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
+-session     optional                                     pam_systemd_home.so                                   {include if "with-systemd-homed"}
+ -session    optional                                     pam_systemd.so
+ session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
+ session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/local/system-auth b/profiles/local/system-auth
+index 7f3c56adb2329dd4a08b1cb08b63e8d0d9b13c86..290cd24eb9c50f196d6fc68a3688f097f49159fe 100644
+--- a/profiles/local/system-auth
++++ b/profiles/local/system-auth
+@@ -5,17 +5,14 @@ auth        sufficient                                   pam_fprintd.so
+ auth        sufficient                                   pam_u2f.so cue                                         {include if "with-pam-u2f"}
+ auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
+-auth        sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
+ auth        optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
+ auth        required                                     pam_deny.so
+ 
+ account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+-account     sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so
+ 
+-password    sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ password    requisite                                    pam_pwquality.so
+ password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
+ password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
+@@ -25,7 +22,6 @@ password    required                                     pam_deny.so
+ session     optional                                     pam_keyinit.so revoke
+ session     required                                     pam_limits.so
+ session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
+-session     optional                                     pam_systemd_home.so                                   {include if "with-systemd-homed"}
+ -session    optional                                     pam_systemd.so
+ session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
+ session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/README b/profiles/nis/README
+index e3a1a0b986689bfd43d9531464bcd8fa7a0f5237..745138bbdb1e045db41990dcb8864477d3408e36 100644
+--- a/profiles/nis/README
++++ b/profiles/nis/README
+@@ -65,9 +65,6 @@ with-mdns4::
+ with-mdns6::
+     Enable multicast DNS over IPv6.
+ 
+-with-systemd-homed::
+-    If set, pam_systemd_homed is enabled for all pam operations.
+-
+ without-nullok::
+     Do not add nullok parameter to pam_unix.
+ 
+diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
+index 3e32879eba37e1bd2692aa2852c87036bfa78ed5..d8fe0456ee2b351e98af374fc0206717e6994031 100644
+--- a/profiles/nis/REQUIREMENTS
++++ b/profiles/nis/REQUIREMENTS
+@@ -16,6 +16,3 @@ Make sure that NIS service is configured and enabled. See NIS documentation for
+   - systemctl enable --now oddjobd.service                                                {include if "with-mkhomedir"}
+                                                                                           {include if "with-libvirt"}
+ - with-libvirt is selected, make sure that the libvirt NSS plugins are installed          {include if "with-libvirt"}
+-                                                                                          {include if "with-systemd-homed"}
+-- with-systemd-homed is selected, make sure that the system-homed service is enabled      {include if "with-systemd-homed"}
+-  - systemctl enable --now systemd-homed.service                                          {include if "with-systemd-homed"}
+diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
+index 45af4792df9f661fe04e1060e32cc6c0aa38c7c4..927fbcbda8fa4e910e29c88a3806fb5265bbc7bc 100644
+--- a/profiles/nis/password-auth
++++ b/profiles/nis/password-auth
+@@ -4,17 +4,14 @@ auth        required                                     pam_faillock.so preauth
+ auth        sufficient                                   pam_u2f.so cue                                           {include if "with-pam-u2f"}
+ auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
+-auth        sufficient                                   pam_systemd_home.so                                      {include if "with-systemd-homed"}
+ auth        required                                     pam_faillock.so authfail                                 {include if "with-faillock"}
+ auth        optional                                     pam_gnome_keyring.so only_if=login auto_start            {include if "with-pam-gnome-keyring"}
+ auth        required                                     pam_deny.so
+ 
+ account     required                                     pam_access.so                                            {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                          {include if "with-faillock"}
+-account     sufficient                                   pam_systemd_home.so                                      {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so broken_shadow
+ 
+-password    sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ password    requisite                                    pam_pwquality.so {if not "with-nispwquality":local_users_only}
+ password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
+ password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
+@@ -24,7 +21,6 @@ password    required                                     pam_deny.so
+ session     optional                                     pam_keyinit.so revoke
+ session     required                                     pam_limits.so
+ session     optional                                     pam_ecryptfs.so unwrap                                  {include if "with-ecryptfs"}
+-session    optional                                      pam_systemd_home.so                                     {include if "with-systemd-homed"}
+ -session    optional                                     pam_systemd.so
+ session     optional                                     pam_oddjob_mkhomedir.so                                 {include if "with-mkhomedir"}
+ session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
+index 0bd022ee2286f37a5becb0daba2a5813693300a9..40a1bf74aaf3d721c4d720938e57766bfe651e47 100644
+--- a/profiles/nis/system-auth
++++ b/profiles/nis/system-auth
+@@ -5,17 +5,14 @@ auth        sufficient                                   pam_fprintd.so
+ auth        sufficient                                   pam_u2f.so cue                                         {include if "with-pam-u2f"}
+ auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
+-auth        sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
+ auth        optional                                     pam_gnome_keyring.so only_if=login auto_start          {include if "with-pam-gnome-keyring"}
+ auth        required                                     pam_deny.so
+ 
+ account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+-account     sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so broken_shadow
+ 
+-password    sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ password    requisite                                    pam_pwquality.so {if not "with-nispwquality":local_users_only}
+ password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
+ password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
+@@ -25,7 +22,6 @@ password    required                                     pam_deny.so
+ session     optional                                     pam_keyinit.so revoke
+ session     required                                     pam_limits.so
+ session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
+-session     optional                                     pam_systemd_home.so                                   {include if "with-systemd-homed"}
+ -session    optional                                     pam_systemd.so
+ session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
+ session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d..a497da5dcffd0a03a122677c49ee2f8021927b04 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -106,9 +106,6 @@ with-gssapi::
+ with-subid::
+     Enable SSSD as a source of subid database in /etc/nsswitch.conf.
+ 
+-with-systemd-homed::
+-    If set, pam_systemd_homed is enabled for all pam operations.
+-
+ without-nullok::
+     Do not add nullok parameter to pam_unix.
+ 
+diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
+index 6aaf7c771f7c1bcbf2aee7152422acc9d53c71f5..b36f6069a54a5f711a10aa0700f33e1a8e37794e 100644
+--- a/profiles/sssd/REQUIREMENTS
++++ b/profiles/sssd/REQUIREMENTS
+@@ -25,6 +25,3 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
+ - with-tlog is selected, make sure that session recording is enabled in SSSD              {include if "with-tlog"}
+                                                                                           {include if "with-libvirt"}
+ - with-libvirt is selected, make sure that the libvirt NSS plugins are installed          {include if "with-libvirt"}
+-                                                                                          {include if "with-systemd-homed"}
+-- with-systemd-homed is selected, make sure that the system-homed service is enabled      {include if "with-systemd-homed"}
+-  - systemctl enable --now systemd-homed.service                                          {include if "with-systemd-homed"}
+diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
+index 97c33b678706e7eeb86bf45251baa41739f2940f..f468507b938ea2a7ac305a65f5fdea14a1ae10f1 100644
+--- a/profiles/sssd/password-auth
++++ b/profiles/sssd/password-auth
+@@ -7,7 +7,6 @@ auth        required                                     pam_u2f.so cue {if not
+ auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+ auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
+ auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
+-auth        sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+ auth        sufficient                                   pam_sss.so forward_pass
+ auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
+@@ -16,14 +15,12 @@ auth        required                                     pam_deny.so
+ 
+ account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+-account     sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so
+ account     sufficient                                   pam_localuser.so                                       {exclude if "with-files-access-provider"}
+ account     sufficient                                   pam_usertype.so issystem
+ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account     required                                     pam_permit.so
+ 
+-password    sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ password    requisite                                    pam_pwquality.so local_users_only
+ password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
+ password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
+@@ -35,7 +32,6 @@ password    required                                     pam_deny.so
+ session     optional                                     pam_keyinit.so revoke
+ session     required                                     pam_limits.so
+ session     optional                                     pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
+-session     optional                                     pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ -session    optional                                     pam_systemd.so
+ session     optional                                     pam_oddjob_mkhomedir.so                                {include if "with-mkhomedir"}
+ session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index 90c3504a414f0a151475cc207285b230fec381b1..870e4d7024066e3e40786bde6c3c39c7ba8d62c0 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -12,7 +12,6 @@ auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
+ auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
+ auth        [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
+ auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
+-auth        sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular                              {include if "with-gssapi"}
+ auth        sufficient                                   pam_sss_gss.so                                         {include if "with-gssapi"}
+ auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+@@ -23,14 +22,12 @@ auth        required                                     pam_deny.so
+ 
+ account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+-account     sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so
+ account     sufficient                                   pam_localuser.so                                       {exclude if "with-files-access-provider"}
+ account     sufficient                                   pam_usertype.so issystem
+ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account     required                                     pam_permit.so
+ 
+-password    sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ password    requisite                                    pam_pwquality.so local_users_only
+ password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
+ password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
+@@ -42,7 +39,6 @@ password    required                                     pam_deny.so
+ session     optional                                     pam_keyinit.so revoke
+ session     required                                     pam_limits.so
+ session     optional                                     pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
+-session     optional                                     pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ -session    optional                                     pam_systemd.so
+ session     optional                                     pam_oddjob_mkhomedir.so                                {include if "with-mkhomedir"}
+ session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index f65870d1d03da6465ad446dac87ed141d7115d8b..8844e1da2003a0266dfe8937774d6d6f7dad0210 100644
+--- a/profiles/winbind/README
++++ b/profiles/winbind/README
+@@ -75,9 +75,6 @@ with-mdns4::
+ with-mdns6::
+     Enable multicast DNS over IPv6.
+ 
+-with-systemd-homed::
+-    If set, pam_systemd_homed is enabled for all pam operations.
+-
+ without-nullok::
+     Do not add nullok parameter to pam_unix.
+ 
+diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS
+index 232f6ee986ac66c5fed972c91c17080e0740e5c7..31a37d74ca5a4c46415545b8f6e0f61e8ad3b433 100644
+--- a/profiles/winbind/REQUIREMENTS
++++ b/profiles/winbind/REQUIREMENTS
+@@ -16,6 +16,3 @@ Make sure that winbind service is configured and enabled. See winbind documentat
+   - systemctl enable --now oddjobd.service                                                {include if "with-mkhomedir"}
+                                                                                           {include if "with-libvirt"}
+ - with-libvirt is selected, make sure that the libvirt NSS plugins are installed          {include if "with-libvirt"}
+-                                                                                          {include if "with-systemd-homed"}
+-- with-systemd-homed is selected, make sure that the system-homed service is enabled      {include if "with-systemd-homed"}
+-  - systemctl enable --now systemd-homed.service                                          {include if "with-systemd-homed"}
+diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
+index 8d74149dd48643dbb4b80d62600d3ece0868ec30..8d1682b9301c2b9c92292a41120f69611f148108 100644
+--- a/profiles/winbind/password-auth
++++ b/profiles/winbind/password-auth
+@@ -4,7 +4,6 @@ auth        required                                     pam_faillock.so preauth
+ auth        sufficient                                   pam_u2f.so cue                                           {include if "with-pam-u2f"}
+ auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
+-auth        sufficient                                   pam_systemd_home.so                                      {include if "with-systemd-homed"}
+ auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+ auth        sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
+ auth        required                                     pam_faillock.so authfail                                 {include if "with-faillock"}
+@@ -13,14 +12,12 @@ auth        required                                     pam_deny.so
+ 
+ account     required                                     pam_access.so                                            {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                          {include if "with-faillock"}
+-account     sufficient                                   pam_systemd_home.so                                      {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so broken_shadow
+ account     sufficient                                   pam_localuser.so
+ account     sufficient                                   pam_usertype.so issystem
+ account     [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
+ account     required                                     pam_permit.so
+ 
+-password    sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ password    requisite                                    pam_pwquality.so local_users_only
+ password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
+ password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
+@@ -31,7 +28,6 @@ password    required                                     pam_deny.so
+ session     optional                                     pam_keyinit.so revoke
+ session     required                                     pam_limits.so
+ session     optional                                     pam_ecryptfs.so unwrap                                  {include if "with-ecryptfs"}
+-session     optional                                     pam_systemd_home.so                                     {include if "with-systemd-homed"}
+ -session    optional                                     pam_systemd.so
+ session     optional                                     pam_oddjob_mkhomedir.so                                 {include if "with-mkhomedir"}
+ session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
+index 2326c859284c5823c5a6d34390d794dbf33110d2..612143d10fe502d7f6ed636b4fba6cc639aa66b0 100644
+--- a/profiles/winbind/system-auth
++++ b/profiles/winbind/system-auth
+@@ -5,7 +5,6 @@ auth        sufficient                                   pam_fprintd.so
+ auth        sufficient                                   pam_u2f.so cue                                         {include if "with-pam-u2f"}
+ auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
+-auth        sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
+ auth        sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
+ auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
+@@ -14,14 +13,12 @@ auth        required                                     pam_deny.so
+ 
+ account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+ account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+-account     sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ account     required                                     pam_unix.so broken_shadow
+ account     sufficient                                   pam_localuser.so
+ account     sufficient                                   pam_usertype.so issystem
+ account     [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
+ account     required                                     pam_permit.so
+ 
+-password    sufficient                                   pam_systemd_home.so                                    {include if "with-systemd-homed"}
+ password    requisite                                    pam_pwquality.so local_users_only
+ password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
+ password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
+@@ -32,7 +29,6 @@ password    required                                     pam_deny.so
+ session     optional                                     pam_keyinit.so revoke
+ session     required                                     pam_limits.so
+ session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
+-session     optional                                     pam_systemd_home.so                                   {include if "with-systemd-homed"}
+ -session    optional                                     pam_systemd.so
+ session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
+ session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+-- 
+2.42.0
+

0902-rhel10-remove-ecryptfs-support.patch

@@ -1,8 +1,9 @@
-From bfa639947df40c7d601a459af5f0995c89a67200 Mon Sep 17 00:00:00 2001
+From 3167eaadde7a3f997925172b8d77cb380bf0d9d8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
 Date: Mon, 10 Jun 2019 10:53:15 +0200
-Subject: [PATCH 2/3] rhel8: remove ecryptfs support
+Subject: [PATCH 2/3] rhel10: remove ecryptfs support
 
+ecryptfs-utils is not present in rhel.
 ---
  profiles/nis/README                 | 3 ---
  profiles/nis/fingerprint-auth       | 1 -
@@ -20,13 +21,11 @@ Subject: [PATCH 2/3] rhel8: remove ecryptfs support
  profiles/winbind/password-auth      | 1 -
  profiles/winbind/postlogin          | 4 ----
  profiles/winbind/system-auth        | 1 -
- src/compat/authcompat.py.in.in      | 1 -
- src/compat/authcompat_Options.py    | 2 +-
  src/man/authselect-migration.7.adoc | 5 ++---
- 19 files changed, 3 insertions(+), 36 deletions(-)
+ 17 files changed, 2 insertions(+), 34 deletions(-)
 
 diff --git a/profiles/nis/README b/profiles/nis/README
-index 895e8fa8650c04d41bf8bc8d6e3cda18db9bf814..71e23d61a8c1ea773c98524256a5eaad5a75d197 100644
+index 745138bbdb1e045db41990dcb8864477d3408e36..3e2f8b01fa37f8c7060a9c263f66c3df9782061d 100644
 --- a/profiles/nis/README
 +++ b/profiles/nis/README
 @@ -21,9 +21,6 @@ with-mkhomedir::
@@ -52,10 +51,10 @@ index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be298
  session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
  session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
-index f181a58ab7792c7e1a4234e677cbb7e3d0a6548d..79fb521eb5dff4978203166491b185887d1ec744 100644
+index 927fbcbda8fa4e910e29c88a3806fb5265bbc7bc..56a51d9eebb2987da340805ddb4e4a6752ebdeb2 100644
 --- a/profiles/nis/password-auth
 +++ b/profiles/nis/password-auth
-@@ -18,7 +18,6 @@ password    required                                     pam_deny.so
+@@ -20,7 +20,6 @@ password    required                                     pam_deny.so
  
  session     optional                                     pam_keyinit.so revoke
  session     required                                     pam_limits.so
@@ -76,10 +75,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
  session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
  session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
 diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
-index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae849d1186fc 100644
+index 40a1bf74aaf3d721c4d720938e57766bfe651e47..74cf6ece9ce0b1b64b122fd2309ebf5d496c4787 100644
 --- a/profiles/nis/system-auth
 +++ b/profiles/nis/system-auth
-@@ -19,7 +19,6 @@ password    required                                     pam_deny.so
+@@ -21,7 +21,6 @@ password    required                                     pam_deny.so
  
  session     optional                                     pam_keyinit.so revoke
  session     required                                     pam_limits.so
@@ -88,10 +87,10 @@ index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae84
  session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
  session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 diff --git a/profiles/sssd/README b/profiles/sssd/README
-index 61d5aedf65b2351cf23cea0a6b6b0932e32f0e48..ab9af237442089ded86b63942dd856397108ccf0 100644
+index a497da5dcffd0a03a122677c49ee2f8021927b04..2038a32b682f36d9eef51fda138730abc9666279 100644
 --- a/profiles/sssd/README
 +++ b/profiles/sssd/README
-@@ -40,9 +40,6 @@ with-mkhomedir::
+@@ -35,9 +35,6 @@ with-mkhomedir::
      Enable automatic creation of home directories for users on their
      first login.
  
@@ -114,10 +113,10 @@ index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e523212
  session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
  session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
-index 3e33dcc09f68055f2f87709e638005929bd577b3..858c6db357d07dc554806f4807f9b0858a649f44 100644
+index f468507b938ea2a7ac305a65f5fdea14a1ae10f1..c15121ad00ff00dfcd1743341594c853ba734d9c 100644
 --- a/profiles/sssd/password-auth
 +++ b/profiles/sssd/password-auth
-@@ -28,7 +28,6 @@ password    required                                     pam_deny.so
+@@ -31,7 +31,6 @@ password    required                                     pam_deny.so
  
  session     optional                                     pam_keyinit.so revoke
  session     required                                     pam_limits.so
@@ -138,7 +137,7 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
  session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
  session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
 diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
-index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b963caa3b 100644
+index 78cb329bf332f4d629740a0fff7d2dfe43f7d78d..13d3ee71f4d02c4ede777be6337031fc67baaa63 100644
 --- a/profiles/sssd/smartcard-auth
 +++ b/profiles/sssd/smartcard-auth
 @@ -18,7 +18,6 @@ account     required                                     pam_permit.so
@@ -146,14 +145,14 @@ index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b
  session     optional                                     pam_keyinit.so revoke
  session     required                                     pam_limits.so
 -session     optional                                     pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}
- -session     optional                                    pam_systemd.so
+ session     optional                                     pam_systemd.so
  session     optional                                     pam_oddjob_mkhomedir.so                                {include if "with-mkhomedir"}
  session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
-index a43341120f55bad3fb07dfea1c04453d0a278329..88c49e2dd5b60847d1d19154622a8614a21e5e1f 100644
+index 870e4d7024066e3e40786bde6c3c39c7ba8d62c0..4ea19acebe2208f9e21676bf0ae0a92e9a92b1f4 100644
 --- a/profiles/sssd/system-auth
 +++ b/profiles/sssd/system-auth
-@@ -35,7 +35,6 @@ password    required                                     pam_deny.so
+@@ -38,7 +38,6 @@ password    required                                     pam_deny.so
  
  session     optional                                     pam_keyinit.so revoke
  session     required                                     pam_limits.so
@@ -162,7 +161,7 @@ index a43341120f55bad3fb07dfea1c04453d0a278329..88c49e2dd5b60847d1d19154622a8614
  session     optional                                     pam_oddjob_mkhomedir.so                                {include if "with-mkhomedir"}
  session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 diff --git a/profiles/winbind/README b/profiles/winbind/README
-index 0048c29256f5d4064edfb84a2f4b761fd09e90f6..6f7a7cab1efc768c4c82791d6a8f00def1771d37 100644
+index 8844e1da2003a0266dfe8937774d6d6f7dad0210..7397bb9a6c8086b9720cc355d98de70b8107e79b 100644
 --- a/profiles/winbind/README
 +++ b/profiles/winbind/README
 @@ -33,9 +33,6 @@ with-mkhomedir::
@@ -188,10 +187,10 @@ index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a4120
  session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
  session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
 diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
-index 58705f3b15165c8d8bd4938889e3fb4d89c1a528..e84e2fcbb2bad9af6156e6e6db23f089f2b5d210 100644
+index 8d1682b9301c2b9c92292a41120f69611f148108..8b260fa06f5ed8494d1f6fac74517d3a54622693 100644
 --- a/profiles/winbind/password-auth
 +++ b/profiles/winbind/password-auth
-@@ -25,7 +25,6 @@ password    required                                     pam_deny.so
+@@ -27,7 +27,6 @@ password    required                                     pam_deny.so
  
  session     optional                                     pam_keyinit.so revoke
  session     required                                     pam_limits.so
@@ -212,10 +211,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
  session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
  session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
 diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
-index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a0a53a03e 100644
+index 612143d10fe502d7f6ed636b4fba6cc639aa66b0..33aa13efb92405393236c3511ebb351facd916f0 100644
 --- a/profiles/winbind/system-auth
 +++ b/profiles/winbind/system-auth
-@@ -26,7 +26,6 @@ password    required                                     pam_deny.so
+@@ -28,7 +28,6 @@ password    required                                     pam_deny.so
  
  session     optional                                     pam_keyinit.so revoke
  session     required                                     pam_limits.so
@@ -223,43 +222,11 @@ index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a
  -session    optional                                     pam_systemd.so
  session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
  session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
-diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
-index 8334293911d1d4c2d98a6d233b91fc348cf06575..55e205bae2c0b1f7892f8b286c288dfeaa26a60d 100755
---- a/src/compat/authcompat.py.in.in
-+++ b/src/compat/authcompat.py.in.in
-@@ -523,7 +523,6 @@ class AuthCompat:
-             'smartcard': 'with-smartcard',
-             'requiresmartcard': 'with-smartcard-required',
-             'fingerprint': 'with-fingerprint',
--            'ecryptfs': 'with-ecryptfs',
-             'mkhomedir': 'with-mkhomedir',
-             'faillock': 'with-faillock',
-             'pamaccess': 'with-pamaccess',
-diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
-index d26dedabdfb9519861076b58cddd0dd0eb04b7cb..5c8b21b55014198d6d9dfc98bd807c3c922b06f4 100644
---- a/src/compat/authcompat_Options.py
-+++ b/src/compat/authcompat_Options.py
-@@ -93,7 +93,6 @@ class Options:
-         Option.Valued("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
-         Option.Feature("requiresmartcard", _("require smart card for authentication by default")),
-         Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
--        Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
-         Option.Feature("krb5", _("Kerberos authentication by default")),
-         Option.Valued("krb5kdc", _("<server>"), _("default Kerberos KDC")),
-         Option.Valued("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
-@@ -141,6 +140,7 @@ class Options:
-         # layers and will produce warning when used. They will not affect
-         # the system.
-         Option.UnsupportedFeature("cache"),
-+        Option.UnsupportedFeature("ecryptfs"),
-         Option.UnsupportedFeature("shadow"),
-         Option.UnsupportedSwitch("useshadow"),
-         Option.UnsupportedFeature("md5"),
 diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
-index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd42472741 100644
+index 8cc58e60301925974fdb738c5b9a746749981df8..9056913dee9eef1590c8590d3cc0b51005a98af3 100644
 --- a/src/man/authselect-migration.7.adoc
 +++ b/src/man/authselect-migration.7.adoc
-@@ -80,7 +80,6 @@ configuration file for required services.
+@@ -85,7 +85,6 @@ endif::[]
  |*Authconfig options* |*Authselect profile feature*
  |--enablesmartcard    |with-smartcard
  |--enablefingerprint  |with-fingerprint
@@ -267,7 +234,7 @@ index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd
  |--enablemkhomedir    |with-mkhomedir
  |--enablefaillock     |with-faillock
  |--enablepamaccess    |with-pamaccess
-@@ -103,8 +102,8 @@ authselect select sssd with-faillock
+@@ -108,8 +107,8 @@ authselect select sssd with-faillock
  authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
  authselect select sssd with-smartcard
  
@@ -279,5 +246,5 @@ index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd
  authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
  realm join -U Administrator --client-software=winbind WINBINDDOMAIN
 -- 
-2.34.1
+2.42.0
 

0903-rhel10-remove-systemd-resolved.patch

@@ -0,0 +1,68 @@
+From b259ca399de497e0fc5e0763257e89bcc2e5a902 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 23 Feb 2024 16:01:58 +0100
+Subject: [PATCH 3/3] rhel10: remove systemd-resolved
+
+systemd-resolved should not be enabled by default in rhel.
+---
+ profiles/local/nsswitch.conf   | 2 +-
+ profiles/nis/nsswitch.conf     | 2 +-
+ profiles/sssd/nsswitch.conf    | 2 +-
+ profiles/winbind/nsswitch.conf | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
+index 538926e4d5cc8c190a7b2d10fd3756ad3269a720..1ad4276566f775086fc091d8e1c35d4ac94a9786 100644
+--- a/profiles/local/nsswitch.conf
++++ b/profiles/local/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }systemd
+ shadow:     files
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
+-hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+ services:   files
+ netgroup:   files
+ automount:  files
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index 488476e91879b549fe605008d500b1810360f3be..88110258a69e7366980944ec3ccd9c79c0a1b323 100644
+--- a/profiles/nis/nsswitch.conf
++++ b/profiles/nis/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }nis systemd
+ shadow:     files nis
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
+-hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis myhostname dns
+ services:   files nis
+ netgroup:   files nis
+ automount:  files nis
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index b98094d9e0eaeb1559347b81a9505822ff713034..89a1f230487a18d12ff9c3862e3394035bf17cff 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
+ shadow:     files
+ group:      {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
+-hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+ services:   files sss
+ netgroup:   files sss
+ sudoers:    files sss {include if "with-sudo"}
+diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
+index cc966b34464bb28776b903d61fff1f6a94a1eb6f..5315640e39f7c84b4c138f393fa3b5c970e4afa5 100644
+--- a/profiles/winbind/nsswitch.conf
++++ b/profiles/winbind/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }winbind systemd
+ shadow:     files
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
+-hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+ services:   files
+ netgroup:   files
+ automount:  files
+-- 
+2.42.0
+

0904-rhel10-move-myhostname-after-dns-to-fix-hostname-fqd.patch

@@ -0,0 +1,74 @@
+From 1a19a17f08cc65ff0d701e107155cb61344bed5b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 2 Aug 2024 12:26:38 +0200
+Subject: [PATCH] rhel10: move myhostname after dns to fix hostname --fqdn
+ behavior
+
+Since rhel10 does not have systemd-resolved support in authselect,
+we need to place myhostname after dns module to make
+` hostname --fqdn` work. This was the default order
+in rhel8 and rhel9.
+
+Resolves: https://issues.redhat.com/browse/RHEL-39537
+---
+ profiles/local/nsswitch.conf   | 2 +-
+ profiles/nis/nsswitch.conf     | 2 +-
+ profiles/sssd/nsswitch.conf    | 2 +-
+ profiles/winbind/nsswitch.conf | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
+index 1ad4276566f775086fc091d8e1c35d4ac94a9786..48c7f0420030069048d41a99ec3cfad1d15da2cc 100644
+--- a/profiles/local/nsswitch.conf
++++ b/profiles/local/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }systemd
+ shadow:     files
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
+-hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] } dns myhostname
+ services:   files
+ netgroup:   files
+ automount:  files
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index 88110258a69e7366980944ec3ccd9c79c0a1b323..24c7499ecbfd9c034f480b7b155e6d3ae4bfd38a 100644
+--- a/profiles/nis/nsswitch.conf
++++ b/profiles/nis/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }nis systemd
+ shadow:     files nis
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
+-hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis myhostname dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis dns myhostname
+ services:   files nis
+ netgroup:   files nis
+ automount:  files nis
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index 89a1f230487a18d12ff9c3862e3394035bf17cff..40ea3aecbf0adb71bc8cc33b7dd2241c7596bcfd 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
+ shadow:     files
+ group:      {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
+-hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] } dns myhostname
+ services:   files sss
+ netgroup:   files sss
+ sudoers:    files sss {include if "with-sudo"}
+diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
+index 5315640e39f7c84b4c138f393fa3b5c970e4afa5..8b6c494dcf8bff14694e61ea044eb29e23ac3e47 100644
+--- a/profiles/winbind/nsswitch.conf
++++ b/profiles/winbind/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd:     files {if "with-altfiles":altfiles }winbind systemd
+ shadow:     files
+ group:      files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
+-hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
++hosts:      files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] } dns myhostname
+ services:   files
+ netgroup:   files
+ automount:  files
+-- 
+2.42.0
+

SOURCES/0002-profiles-do-not-try-to-change-password-via-sssd-for-.patch

@@ -1,48 +0,0 @@
-From c7fbbc569d150b09878ccf6e8e0e031d0f41224d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 29 Jun 2023 14:07:25 +0200
-Subject: [PATCH 2/7] profiles: do not try to change password via sssd for
- local users
-
-Steps to reproduce:
-1. Create local user and set passsword
-2. Log in as the local user
-3. Run passwd and provide wrong password as "Current password"
-
-"Current password" prompt should be printed only once.
-
-Resolves: https://github.com/authselect/authselect/issues/338
-(cherry picked from commit c9cc4b23badeb5e2fe3a38fa5b0649b3d7b0a718)
-(cherry picked from commit 7fbb0454f2adfd8de44e17e1784eab79fce2232f)
----
- profiles/sssd/password-auth | 1 +
- profiles/sssd/system-auth   | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
-index 5ea280a..7fe23f2 100644
---- a/profiles/sssd/password-auth
-+++ b/profiles/sssd/password-auth
-@@ -25,6 +25,7 @@ password    requisite                                    pam_pwquality.so local_
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
- password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
-+password    [success=1 default=ignore]                   pam_localuser.so
- password    sufficient                                   pam_sss.so use_authtok
- password    required                                     pam_deny.so
- 
-diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
-index fd1e31c..ce2e266 100644
---- a/profiles/sssd/system-auth
-+++ b/profiles/sssd/system-auth
-@@ -32,6 +32,7 @@ password    requisite                                    pam_pwquality.so local_
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
- password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
-+password    [success=1 default=ignore]                   pam_localuser.so
- password    sufficient                                   pam_sss.so use_authtok
- password    required                                     pam_deny.so
- 
--- 
-2.40.1
-

SOURCES/0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch

@@ -1,25 +0,0 @@
-From 2f1fea5ec3132f2ced05887ba24d03e134934930 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Tue, 30 Oct 2018 14:08:12 +0100
-Subject: [PATCH 1/3] rhel8: remove mention of Fedora Change page in compat
- tool
-
----
- src/compat/authcompat.py.in.in | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
-index 1a68d95c71b51beabe80e9b07c084ea9c2f3580d..8334293911d1d4c2d98a6d233b91fc348cf06575 100755
---- a/src/compat/authcompat.py.in.in
-+++ b/src/compat/authcompat.py.in.in
-@@ -471,7 +471,6 @@ class AuthCompat:
-                 "It does not provide all capabilities of authconfig.\n"))
-         print(_("IMPORTANT: authconfig is replaced by authselect, "
-                 "please update your scripts."))
--        print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
-         print(_("See man authselect-migration(7) to help you with migration to authselect"))
- 
-         options = self.options.getSetButUnsupported()
--- 
-2.34.1
-

SOURCES/0903-rhel8-Revert-profiles-add-support-for-resolved.patch

@@ -1,42 +0,0 @@
-From 9009c94f3abf85954ffc04c354c6eaff715b4512 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Wed, 25 Nov 2020 14:05:00 +0100
-Subject: [PATCH 3/3] rhel8: Revert "profiles: add support for resolved"
-
-systemd-resolved should not be enabled by default on rhel8.
-
-This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54.
----
- profiles/minimal/nsswitch.conf | 2 +-
- profiles/nis/nsswitch.conf     | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
-index a9e4bc79a1090304542ccd8b43d1107eeb5304df..a39e4d32ebf79e8bf05f2db5753b01596222dc35 100644
---- a/profiles/minimal/nsswitch.conf
-+++ b/profiles/minimal/nsswitch.conf
-@@ -2,7 +2,7 @@ aliases:    files                                       {exclude if "with-custom
- automount:  files                                       {exclude if "with-custom-automount"}
- ethers:     files                                       {exclude if "with-custom-ethers"}
- group:      files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
--hosts:      resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
-+hosts:      files dns myhostname                        {exclude if "with-custom-hosts"}
- initgroups: files                                       {exclude if "with-custom-initgroups"}
- netgroup:   files                                       {exclude if "with-custom-netgroup"}
- networks:   files                                       {exclude if "with-custom-networks"}
-diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
-index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644
---- a/profiles/nis/nsswitch.conf
-+++ b/profiles/nis/nsswitch.conf
-@@ -2,7 +2,7 @@ aliases:    files nis                   {exclude if "with-custom-aliases"}
- automount:  files nis                   {exclude if "with-custom-automount"}
- ethers:     files nis                   {exclude if "with-custom-ethers"}
- group:      files nis systemd           {exclude if "with-custom-group"}
--hosts:      resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
-+hosts:      files nis dns myhostname    {exclude if "with-custom-hosts"}
- initgroups: files nis                   {exclude if "with-custom-initgroups"}
- netgroup:   files nis                   {exclude if "with-custom-netgroup"}
- networks:   files nis                   {exclude if "with-custom-networks"}
--- 
-2.34.1
-

SOURCES/0904-rhel8-Revert-yescrypt.patch

@@ -1,946 +0,0 @@
-From c40bbcc77373120915033ab24d5ab149920666a4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 5 Dec 2022 19:03:00 +0100
-Subject: [PATCH 7/7] rhel8: Revert yescrypt
-
-Patch-name: 0904-rhel8-Revert-yescrypt.patch
-Patch-id: 904
-From-dist-git-commit: 4793c5170d11c5d4ce4c6c7b0e8902429e1011fc
----
- po/af.po                                        | 2 +-
- po/authselect.pot                               | 2 +-
- po/ca.po                                        | 2 +-
- po/cs.po                                        | 4 ++--
- po/de.po                                        | 4 ++--
- po/es.po                                        | 4 ++--
- po/fa.po                                        | 2 +-
- po/fi.po                                        | 4 ++--
- po/fr.po                                        | 4 ++--
- po/hu.po                                        | 4 ++--
- po/id.po                                        | 2 +-
- po/it.po                                        | 4 ++--
- po/ja.po                                        | 4 ++--
- po/ka.po                                        | 4 ++--
- po/ko.po                                        | 4 ++--
- po/nl.po                                        | 4 ++--
- po/pl.po                                        | 4 ++--
- po/pt.po                                        | 2 +-
- po/pt_BR.po                                     | 4 ++--
- po/ru.po                                        | 4 ++--
- po/si.po                                        | 2 +-
- po/sv.po                                        | 4 ++--
- po/tr.po                                        | 4 ++--
- po/uk.po                                        | 4 ++--
- po/zh_CN.po                                     | 4 ++--
- po/zh_TW.po                                     | 4 ++--
- profiles/minimal/password-auth                  | 2 +-
- profiles/minimal/system-auth                    | 2 +-
- profiles/nis/password-auth                      | 2 +-
- profiles/nis/system-auth                        | 2 +-
- profiles/sssd/password-auth                     | 2 +-
- profiles/sssd/system-auth                       | 2 +-
- profiles/winbind/password-auth                  | 2 +-
- profiles/winbind/system-auth                    | 2 +-
- src/compat/authcompat_Options.py                | 2 +-
- src/man/authselect-migration.7.adoc             | 2 +-
- src/man/po/authselect-migration.7.adoc.ca.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.cs.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.de.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.es.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.fa.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.fi.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.fr.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.hu.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.it.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.ja.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.ko.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.nl.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.pl.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.pot      | 2 +-
- src/man/po/authselect-migration.7.adoc.pt.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.pt_BR.po | 2 +-
- src/man/po/authselect-migration.7.adoc.ru.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.si.po    | 2 +-
- src/man/po/authselect-migration.7.adoc.sv.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.tr.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.uk.po    | 4 ++--
- src/man/po/authselect-migration.7.adoc.zh_CN.po | 2 +-
- src/man/po/authselect-migration.7.adoc.zh_TW.po | 2 +-
- 59 files changed, 87 insertions(+), 87 deletions(-)
-
-diff --git a/po/af.po b/po/af.po
-index e305029..b4f0418 100644
---- a/po/af.po
-+++ b/po/af.po
-@@ -1575,7 +1575,7 @@ msgid "<name>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/authselect.pot b/po/authselect.pot
-index ebb39b0..c308071 100644
---- a/po/authselect.pot
-+++ b/po/authselect.pot
-@@ -1535,7 +1535,7 @@ msgid "<name>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/ca.po b/po/ca.po
-index 3373e10..75d91ec 100644
---- a/po/ca.po
-+++ b/po/ca.po
-@@ -1569,7 +1569,7 @@ msgid "<name>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/cs.po b/po/cs.po
-index 48929b6..b9150b7 100644
---- a/po/cs.po
-+++ b/po/cs.po
-@@ -1600,8 +1600,8 @@ msgid "<name>"
- msgstr "<jméno>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- # auto translated by TM merge from project: authconfig, version: master, DocId: po/authconfig
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/de.po b/po/de.po
-index 07eab1e..746d167 100644
---- a/po/de.po
-+++ b/po/de.po
-@@ -1600,8 +1600,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/es.po b/po/es.po
-index 3868023..af5cde8 100644
---- a/po/es.po
-+++ b/po/es.po
-@@ -1598,8 +1598,8 @@ msgid "<name>"
- msgstr "<nombre>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/fa.po b/po/fa.po
-index 7776891..d74c1cd 100644
---- a/po/fa.po
-+++ b/po/fa.po
-@@ -1537,7 +1537,7 @@ msgid "<name>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/fi.po b/po/fi.po
-index 2ae32ff..7390590 100644
---- a/po/fi.po
-+++ b/po/fi.po
-@@ -1583,8 +1583,8 @@ msgid "<name>"
- msgstr "<nimi>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/fr.po b/po/fr.po
-index a40cf4c..d526c5d 100644
---- a/po/fr.po
-+++ b/po/fr.po
-@@ -1605,8 +1605,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/hu.po b/po/hu.po
-index 758be29..e18d6bf 100644
---- a/po/hu.po
-+++ b/po/hu.po
-@@ -1590,8 +1590,8 @@ msgid "<name>"
- msgstr "<név>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/id.po b/po/id.po
-index a83e1e2..6a7e2a7 100644
---- a/po/id.po
-+++ b/po/id.po
-@@ -1538,7 +1538,7 @@ msgid "<name>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/it.po b/po/it.po
-index 9427893..4b27ef2 100644
---- a/po/it.po
-+++ b/po/it.po
-@@ -1585,8 +1585,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/ja.po b/po/ja.po
-index fe83406..7ea9ae8 100644
---- a/po/ja.po
-+++ b/po/ja.po
-@@ -1598,8 +1598,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- # auto translated by TM merge from translation memory: authconfig, unique id: authconfig:6.2.8:authconfig:0bbce02e304562c295a1d57d66c296d3
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/ka.po b/po/ka.po
-index ef2e7c6..e19c0ab 100644
---- a/po/ka.po
-+++ b/po/ka.po
-@@ -1573,8 +1573,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/ko.po b/po/ko.po
-index 52d2cac..eb768fe 100644
---- a/po/ko.po
-+++ b/po/ko.po
-@@ -1570,8 +1570,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/nl.po b/po/nl.po
-index 1bd2a9b..ba50b52 100644
---- a/po/nl.po
-+++ b/po/nl.po
-@@ -1602,8 +1602,8 @@ msgid "<name>"
- msgstr "<naam>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/pl.po b/po/pl.po
-index 9b6627c..13553c8 100644
---- a/po/pl.po
-+++ b/po/pl.po
-@@ -1609,8 +1609,8 @@ msgid "<name>"
- msgstr "<nazwa>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/pt.po b/po/pt.po
-index ad02a0b..90d2aa3 100644
---- a/po/pt.po
-+++ b/po/pt.po
-@@ -1536,7 +1536,7 @@ msgid "<name>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/pt_BR.po b/po/pt_BR.po
-index a1215bb..544b8e9 100644
---- a/po/pt_BR.po
-+++ b/po/pt_BR.po
-@@ -1592,8 +1592,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/ru.po b/po/ru.po
-index 4919002..d23284d 100644
---- a/po/ru.po
-+++ b/po/ru.po
-@@ -1590,8 +1590,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/si.po b/po/si.po
-index 39f5a79..eaf4b3c 100644
---- a/po/si.po
-+++ b/po/si.po
-@@ -1536,7 +1536,7 @@ msgid "<name>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
- msgstr ""
- 
- #: src/compat/authcompat_Options.py:149
-diff --git a/po/sv.po b/po/sv.po
-index 9292b1f..cc70f2d 100644
---- a/po/sv.po
-+++ b/po/sv.po
-@@ -1580,8 +1580,8 @@ msgid "<name>"
- msgstr "<namn>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/tr.po b/po/tr.po
-index 9be388f..0aaa543 100644
---- a/po/tr.po
-+++ b/po/tr.po
-@@ -1589,8 +1589,8 @@ msgid "<name>"
- msgstr "<ad>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/uk.po b/po/uk.po
-index c66594f..bc4c93b 100644
---- a/po/uk.po
-+++ b/po/uk.po
-@@ -1591,8 +1591,8 @@ msgid "<name>"
- msgstr "<назва>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/zh_CN.po b/po/zh_CN.po
-index 75ec7d8..6c109a0 100644
---- a/po/zh_CN.po
-+++ b/po/zh_CN.po
-@@ -1559,8 +1559,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/po/zh_TW.po b/po/zh_TW.po
-index 89fefed..0562435 100644
---- a/po/zh_TW.po
-+++ b/po/zh_TW.po
-@@ -1562,8 +1562,8 @@ msgid "<name>"
- msgstr "<name>"
- 
- #: src/compat/authcompat_Options.py:148
--msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
--msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
-+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
- 
- #: src/compat/authcompat_Options.py:149
- msgid "<URL>"
-diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
-index 858c21f..8c4cb37 100644
---- a/profiles/minimal/password-auth
-+++ b/profiles/minimal/password-auth
-@@ -12,7 +12,7 @@ account     required                                     pam_unix.so
- password    requisite                                    pam_pwquality.so
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
--password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
-+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
- password    required                                     pam_deny.so
- 
- session     optional                                     pam_keyinit.so revoke
-diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
-index 858c21f..8c4cb37 100644
---- a/profiles/minimal/system-auth
-+++ b/profiles/minimal/system-auth
-@@ -12,7 +12,7 @@ account     required                                     pam_unix.so
- password    requisite                                    pam_pwquality.so
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
--password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
-+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
- password    required                                     pam_deny.so
- 
- session     optional                                     pam_keyinit.so revoke
-diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
-index 56a51d9..56b19a6 100644
---- a/profiles/nis/password-auth
-+++ b/profiles/nis/password-auth
-@@ -15,7 +15,7 @@ account     required                                     pam_unix.so broken_shad
- password    requisite                                    pam_pwquality.so {if not "with-nispwquality":local_users_only}
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
--password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok nis
-+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
- password    required                                     pam_deny.so
- 
- session     optional                                     pam_keyinit.so revoke
-diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
-index 74cf6ec..5d5010a 100644
---- a/profiles/nis/system-auth
-+++ b/profiles/nis/system-auth
-@@ -16,7 +16,7 @@ account     required                                     pam_unix.so broken_shad
- password    requisite                                    pam_pwquality.so {if not "with-nispwquality":local_users_only}
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
--password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok nis
-+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
- password    required                                     pam_deny.so
- 
- session     optional                                     pam_keyinit.so revoke
-diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
-index 5b235de..b64f048 100644
---- a/profiles/sssd/password-auth
-+++ b/profiles/sssd/password-auth
-@@ -24,7 +24,7 @@ account     required                                     pam_permit.so
- password    requisite                                    pam_pwquality.so local_users_only
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
--password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
-+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
- password    [success=1 default=ignore]                   pam_localuser.so
- password    sufficient                                   pam_sss.so use_authtok
- password    required                                     pam_deny.so
-diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
-index 22e87d8..d338719 100644
---- a/profiles/sssd/system-auth
-+++ b/profiles/sssd/system-auth
-@@ -31,7 +31,7 @@ account     required                                     pam_permit.so
- password    requisite                                    pam_pwquality.so local_users_only
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
--password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
-+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
- password    [success=1 default=ignore]                   pam_localuser.so
- password    sufficient                                   pam_sss.so use_authtok
- password    required                                     pam_deny.so
-diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
-index 8b260fa..4944b42 100644
---- a/profiles/winbind/password-auth
-+++ b/profiles/winbind/password-auth
-@@ -21,7 +21,7 @@ account     required                                     pam_permit.so
- password    requisite                                    pam_pwquality.so local_users_only
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
--password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
-+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
- password    sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
- password    required                                     pam_deny.so
- 
-diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
-index 33aa13e..afe27d7 100644
---- a/profiles/winbind/system-auth
-+++ b/profiles/winbind/system-auth
-@@ -22,7 +22,7 @@ account     required                                     pam_permit.so
- password    requisite                                    pam_pwquality.so local_users_only
- password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
- password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
--password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
-+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
- password    sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
- password    required                                     pam_deny.so
- 
-diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
-index 5c8b21b..5c97fee 100644
---- a/src/compat/authcompat_Options.py
-+++ b/src/compat/authcompat_Options.py
-@@ -145,7 +145,7 @@ class Options:
-         Option.UnsupportedSwitch("useshadow"),
-         Option.UnsupportedFeature("md5"),
-         Option.UnsupportedSwitch("usemd5"),
--        Option.UnsupportedValued("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>")),
-+        Option.UnsupportedValued("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512>")),
-         Option.UnsupportedValued("ldaploadcacert", _("<URL>")),
-         Option.UnsupportedValued("smartcardmodule", _("<module>")),
-         Option.UnsupportedValued("smbsecurity", _("<user|server|domain|ads>")),
-diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
-index 888cd4e..ee493ee 100644
---- a/src/man/authselect-migration.7.adoc
-+++ b/src/man/authselect-migration.7.adoc
-@@ -90,7 +90,7 @@ configuration file for required services.
- 
- NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often
- used to make sure that passwords are stored in `/etc/shadow` using `sha512`
--algorithm. *The authselect profiles now use the yescrypt hashing method* and
-+algorithm. *The authselect profiles now use the sha512 hashing method* and
- it cannot be changed through an option (only by creating a custom profile).
- You can just omit these options.
- 
-diff --git a/src/man/po/authselect-migration.7.adoc.ca.po b/src/man/po/authselect-migration.7.adoc.ca.po
-index 08b11b7..12f14d6 100644
---- a/src/man/po/authselect-migration.7.adoc.ca.po
-+++ b/src/man/po/authselect-migration.7.adoc.ca.po
-@@ -185,7 +185,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.cs.po b/src/man/po/authselect-migration.7.adoc.cs.po
-index d11809b..caf570b 100644
---- a/src/man/po/authselect-migration.7.adoc.cs.po
-+++ b/src/man/po/authselect-migration.7.adoc.cs.po
-@@ -242,7 +242,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.de.po b/src/man/po/authselect-migration.7.adoc.de.po
-index c166a0f..fff88c8 100644
---- a/src/man/po/authselect-migration.7.adoc.de.po
-+++ b/src/man/po/authselect-migration.7.adoc.de.po
-@@ -193,7 +193,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.es.po b/src/man/po/authselect-migration.7.adoc.es.po
-index 8cb3584..5403cde 100644
---- a/src/man/po/authselect-migration.7.adoc.es.po
-+++ b/src/man/po/authselect-migration.7.adoc.es.po
-@@ -241,7 +241,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.fa.po b/src/man/po/authselect-migration.7.adoc.fa.po
-index b902c0c..db37728 100644
---- a/src/man/po/authselect-migration.7.adoc.fa.po
-+++ b/src/man/po/authselect-migration.7.adoc.fa.po
-@@ -189,7 +189,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.fi.po b/src/man/po/authselect-migration.7.adoc.fi.po
-index 14c6894..79ff561 100644
---- a/src/man/po/authselect-migration.7.adoc.fi.po
-+++ b/src/man/po/authselect-migration.7.adoc.fi.po
-@@ -252,14 +252,14 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "Authconfig-asetuksia `--enableshadow` ja `--passalgo=sha512` käytettiin "
- "usein varmistamaan, että salasanat on tallennettu hakemistoon `/etc/shadow` "
- "käyttämällä `sha512`-algoritmia. *Authselect-profiilit käyttävät nyt "
--"yescrypt-hajautusmenetelmää*, eikä sitä voi muuttaa valinnalla (onnistuu "
-+"sha512-hajautusmenetelmää*, eikä sitä voi muuttaa valinnalla (onnistuu "
- "vain luomalla mukautettu profiili). Voit jättää nämä vaihtoehdot pois."
- 
- #. type: Block title
-diff --git a/src/man/po/authselect-migration.7.adoc.fr.po b/src/man/po/authselect-migration.7.adoc.fr.po
-index cf3fcf9..55a7386 100644
---- a/src/man/po/authselect-migration.7.adoc.fr.po
-+++ b/src/man/po/authselect-migration.7.adoc.fr.po
-@@ -259,14 +259,14 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "Les options d’Authconfig '--enableshadow' et '--passalgo=sha512' ont souvent "
- "été utilisées pour s’assurer que les mots de passe sont stockés dans '/etc/"
- "shadow' en utilisant l’algorithme 'sha512'. *Les profils authselect "
--"utilisent maintenant la méthode de hachage yescrypt* et elle ne peut pas "
-+"utilisent maintenant la méthode de hachage sha512* et elle ne peut pas "
- "être modifiée via une option (uniquement en créant un profil personnalisé).  "
- "Vous pouvez simplement omettre ces options."
- 
-diff --git a/src/man/po/authselect-migration.7.adoc.hu.po b/src/man/po/authselect-migration.7.adoc.hu.po
-index a058b22..368476a 100644
---- a/src/man/po/authselect-migration.7.adoc.hu.po
-+++ b/src/man/po/authselect-migration.7.adoc.hu.po
-@@ -189,7 +189,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.it.po b/src/man/po/authselect-migration.7.adoc.it.po
-index f28d362..d09af60 100644
---- a/src/man/po/authselect-migration.7.adoc.it.po
-+++ b/src/man/po/authselect-migration.7.adoc.it.po
-@@ -189,7 +189,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.ja.po b/src/man/po/authselect-migration.7.adoc.ja.po
-index 782e094..a8da7e2 100644
---- a/src/man/po/authselect-migration.7.adoc.ja.po
-+++ b/src/man/po/authselect-migration.7.adoc.ja.po
-@@ -246,13 +246,13 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "Authconfig オプション `--enableshadow`と` --passalgo = sha512`は、パスワード"
- "が `sha512`アルゴリズムを使用して` / etc / shadow`に確実に保存されるようにす"
--"るためによく使用されていました。 * authselect プロファイルはyescryptハッシュ"
-+"るためによく使用されていました。 * authselect プロファイルはsha512ハッシュ"
- "メソッドを使用するようになりました*。オプションを使用して変更することはできま"
- "せん(カスタムプロファイルを作成する場合のみ）。 これらのオプションは省略でき"
- "ます。"
-diff --git a/src/man/po/authselect-migration.7.adoc.ko.po b/src/man/po/authselect-migration.7.adoc.ko.po
-index 9704e0b..338bc33 100644
---- a/src/man/po/authselect-migration.7.adoc.ko.po
-+++ b/src/man/po/authselect-migration.7.adoc.ko.po
-@@ -249,13 +249,13 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "Authconfig 선택 `--enableshadow`와 `--passalgo=sah512`는 비밀번호는 `sha512` "
- "알고리즘을 사용하여 `/etc/shadow`에서 저장되어지도록 자주 사용되곤 합니다. "
--"*authselect 프로파일은 이제 yescrypt 해쉬 방법을 사용합니다* 그리고 이는 선택"
-+"*authselect 프로파일은 이제 sha512 해쉬 방법을 사용합니다* 그리고 이는 선택"
- "(사용자 정의 프로파일 생성에서만)을 통해 변경 될 수 없습니다.  당신은 다만 이"
- "들 옵션을 생략 할 수 있습니다."
- 
-diff --git a/src/man/po/authselect-migration.7.adoc.nl.po b/src/man/po/authselect-migration.7.adoc.nl.po
-index 15573ef..b587fa4 100644
---- a/src/man/po/authselect-migration.7.adoc.nl.po
-+++ b/src/man/po/authselect-migration.7.adoc.nl.po
-@@ -257,14 +257,14 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "De authconfig-opties '--enableshadow' and '--passalgo=sha512' werden vaak "
- "gebruikt om te verzekeren dat wachtwoorden worden opgeslagen in /etc/shadow "
- "met gebruik van het sha512-algoritme. *De authselect-profielen gebruiken "
--"thans hashing met yescrypt.* Dit kan niet met een optie worden gewijzigd, "
-+"thans hashing met sha512.* Dit kan niet met een optie worden gewijzigd, "
- "maar alleen door een eigen profiel aan te maken. U kunt de voornoemde opties "
- "gewoon weglaten."
- 
-diff --git a/src/man/po/authselect-migration.7.adoc.pl.po b/src/man/po/authselect-migration.7.adoc.pl.po
-index e0e629a..d229fb7 100644
---- a/src/man/po/authselect-migration.7.adoc.pl.po
-+++ b/src/man/po/authselect-migration.7.adoc.pl.po
-@@ -191,7 +191,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.pot b/src/man/po/authselect-migration.7.adoc.pot
-index c35b730..bed9498 100644
---- a/src/man/po/authselect-migration.7.adoc.pot
-+++ b/src/man/po/authselect-migration.7.adoc.pot
-@@ -188,7 +188,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.pt.po b/src/man/po/authselect-migration.7.adoc.pt.po
-index 982c629..e67478b 100644
---- a/src/man/po/authselect-migration.7.adoc.pt.po
-+++ b/src/man/po/authselect-migration.7.adoc.pt.po
-@@ -192,7 +192,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.pt_BR.po b/src/man/po/authselect-migration.7.adoc.pt_BR.po
-index 51584e7..a63b8fb 100644
---- a/src/man/po/authselect-migration.7.adoc.pt_BR.po
-+++ b/src/man/po/authselect-migration.7.adoc.pt_BR.po
-@@ -198,7 +198,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.ru.po b/src/man/po/authselect-migration.7.adoc.ru.po
-index 469f463..fd0eb1a 100644
---- a/src/man/po/authselect-migration.7.adoc.ru.po
-+++ b/src/man/po/authselect-migration.7.adoc.ru.po
-@@ -256,14 +256,14 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "Параметры Authconfig `--enableshadow` и`--passalgo=sha512` часто "
- "использовались, чтобы гарантировать хранение паролей в `/ etc / shadow` с "
- "использованием алгоритма`sha512`. *Профили authselect теперь используют "
--"метод хеширования yescrypt*, и его нельзя изменить с помощью параметра "
-+"метод хеширования sha512*, и его нельзя изменить с помощью параметра "
- "(только путем создания пользовательского профиля). Вы можете просто опустить "
- "эти параметры."
- 
-diff --git a/src/man/po/authselect-migration.7.adoc.si.po b/src/man/po/authselect-migration.7.adoc.si.po
-index 0dbdb2c..5f88382 100644
---- a/src/man/po/authselect-migration.7.adoc.si.po
-+++ b/src/man/po/authselect-migration.7.adoc.si.po
-@@ -188,7 +188,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.sv.po b/src/man/po/authselect-migration.7.adoc.sv.po
-index b3087ea..397e901 100644
---- a/src/man/po/authselect-migration.7.adoc.sv.po
-+++ b/src/man/po/authselect-migration.7.adoc.sv.po
-@@ -253,13 +253,13 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "Authconfig-flaggorna ”--enableshadow” och ”--passalgo=sha512” användes ofta "
- "för att säkerställa att lösenord lagras i ”/etc/shadow” med algoritmen "
--"”sha512”. *Authselect-profilerna använder nu hashningsmetoden yescrypt* och "
-+"”sha512”. *Authselect-profilerna använder nu hashningsmetoden sha512* och "
- "det kan inte ändras genom någon flagga (endast genom att skapa en anpassad "
- "profil). Du kan helt enkelt utelämna dessa flaggor."
- 
-diff --git a/src/man/po/authselect-migration.7.adoc.tr.po b/src/man/po/authselect-migration.7.adoc.tr.po
-index 35e5d5c..157f7d2 100644
---- a/src/man/po/authselect-migration.7.adoc.tr.po
-+++ b/src/man/po/authselect-migration.7.adoc.tr.po
-@@ -258,13 +258,13 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "`--enableshadow` ve `--passalgo=sha512` authconfig seçenekleri, parolaların "
- "`/etc/shadow` dosyasında `sha512` algoritması kullanılarak saklandığından "
--"emin olmak için sıklıkla kullanılırdı. *Authselect profilleri artık yescrypt "
-+"emin olmak için sıklıkla kullanılırdı. *Authselect profilleri artık sha512 "
- "şifreleme yöntemini kullanıyor* ve bir seçenek aracılığıyla değiştirilemez "
- "(yalnızca özel bir profil oluşturarak değiştirilebilir).  Bu seçenekleri "
- "yalnızca atlayabilirsiniz."
-diff --git a/src/man/po/authselect-migration.7.adoc.uk.po b/src/man/po/authselect-migration.7.adoc.uk.po
-index 5a1b8a3..98d9841 100644
---- a/src/man/po/authselect-migration.7.adoc.uk.po
-+++ b/src/man/po/authselect-migration.7.adoc.uk.po
-@@ -257,14 +257,14 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
- "Параметри authconfig `--enableshadow` і `--passalgo=sha512`часто "
- "використовували для забезпечення зберігання паролів у `/etc/shadow` з "
- "використанням алгоритму `sha512`. *У поточних версіях профілів authselect "
--"використано метод хешування yescrypt*, його не можна змінити якимось "
-+"використано метод хешування sha512*, його не можна змінити якимось "
- "параметром (лише за допомогою нетипового профілю). Ви можете просто не "
- "використовувати ці параметри."
- 
-diff --git a/src/man/po/authselect-migration.7.adoc.zh_CN.po b/src/man/po/authselect-migration.7.adoc.zh_CN.po
-index 6f5e562..2b95ca4 100644
---- a/src/man/po/authselect-migration.7.adoc.zh_CN.po
-+++ b/src/man/po/authselect-migration.7.adoc.zh_CN.po
-@@ -190,7 +190,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
-diff --git a/src/man/po/authselect-migration.7.adoc.zh_TW.po b/src/man/po/authselect-migration.7.adoc.zh_TW.po
-index 43ab062..e7112be 100644
---- a/src/man/po/authselect-migration.7.adoc.zh_TW.po
-+++ b/src/man/po/authselect-migration.7.adoc.zh_TW.po
-@@ -189,7 +189,7 @@ msgstr ""
- msgid ""
- "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
- "to make sure that passwords are stored in `/etc/shadow` using `sha512` "
--"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
-+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
- "it cannot be changed through an option (only by creating a custom profile).  "
- "You can just omit these options."
- msgstr ""
--- 
-2.40.1
-

SPECS/authselect.spec

@@ -1,442 +0,0 @@
-# Do not terminate build if language files are empty.
-%define _empty_manifest_terminate_build 0
-
-Name:           authselect
-Version:        1.2.6
-Release:        2%{?dist}
-Summary:        Configures authentication and identity sources from supported profiles
-URL:            https://github.com/authselect/authselect
-
-License:        GPLv3+
-Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
-
-%global makedir %{_builddir}/%{name}-%{version}
-
-Patch0001: 0001-po-update-translations.patch
-Patch0002: 0002-profiles-do-not-try-to-change-password-via-sssd-for-.patch
-Patch0003: 0003-po-update-translations.patch
-
-# Downstream only
-Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
-Patch0902: 0902-rhel8-remove-ecryptfs-support.patch
-Patch0903: 0903-rhel8-Revert-profiles-add-support-for-resolved.patch
-Patch0904: 0904-rhel8-Revert-yescrypt.patch
-
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  findutils
-BuildRequires:  libtool
-BuildRequires:  m4
-BuildRequires:  gcc
-BuildRequires:  pkgconfig
-BuildRequires:  pkgconfig(popt)
-BuildRequires:  gettext-devel
-BuildRequires:  po4a
-BuildRequires:  %{_bindir}/a2x
-BuildRequires:  libcmocka-devel >= 1.0.0
-BuildRequires:  libselinux-devel
-BuildRequires: python3-devel
-Requires: authselect-libs%{?_isa} = %{version}-%{release}
-Suggests: sssd
-Suggests: samba-winbind
-Suggests: fprintd-pam
-Suggests: oddjob-mkhomedir
-
-%description
-Authselect is designed to be a replacement for authconfig but it takes
-a different approach to configure the system. Instead of letting
-the administrator build the PAM stack with a tool (which may potentially
-end up with a broken configuration), it would ship several tested stacks
-(profiles) that solve a use-case and are well tested and supported.
-At the same time, some obsolete features of authconfig are not
-supported by authselect.
-
-%package libs
-Summary: Utility library used by the authselect tool
-# Required by scriptlets
-Requires: coreutils
-Requires: findutils
-Requires: gawk
-Requires: grep
-Requires: sed
-Requires: systemd
-Requires: pam >= 1.3.1-9
-
-%description libs
-Common library files for authselect. This package is used by the authselect
-command line tool and any other potential front-ends.
-
-%package compat
-Summary: Tool to provide minimum backwards compatibility with authconfig
-Obsoletes: authconfig < 7.0.1-6
-Provides: authconfig
-Requires: authselect%{?_isa} = %{version}-%{release}
-Recommends: oddjob-mkhomedir
-Suggests: sssd
-Suggests: realmd
-Suggests: samba-winbind
-# Required by scriptlets
-Requires: sed
-
-%description compat
-This package will replace %{_sbindir}/authconfig with a tool that will
-translate some of the authconfig calls into authselect calls. It provides
-only minimum backward compatibility and users are encouraged to migrate
-to authselect completely.
-
-%package devel
-Summary: Development libraries and headers for authselect
-Requires: authselect-libs%{?_isa} = %{version}-%{release}
-
-%description devel
-System header files and development libraries for authselect. Useful if
-you develop a front-end for the authselect library.
-
-
-%prep
-%autosetup -p1
-
-%build
-autoreconf -if
-%configure --with-pythonbin="%{__python3}" --with-compat
-%make_build
-
-%check
-%make_build check
-
-%install
-%make_install
-
-# Find translations
-%find_lang %{name}
-%find_lang %{name} %{name}.8.lang --with-man
-%find_lang %{name}-migration %{name}-migration.7.lang --with-man
-%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
-
-# We want this file to contain only manual page translations
-%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
-
-# Remove .la and .a files created by libtool
-find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
-find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
-
-%ldconfig_scriptlets libs
-
-%files libs -f %{name}.lang -f %{name}-profiles.5.lang
-%dir %{_sysconfdir}/authselect
-%dir %{_sysconfdir}/authselect/custom
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
-%dir %{_localstatedir}/lib/authselect
-%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
-%dir %{_datadir}/authselect
-%dir %{_datadir}/authselect/vendor
-%dir %{_datadir}/authselect/default
-%dir %{_datadir}/authselect/default/minimal/
-%dir %{_datadir}/authselect/default/nis/
-%dir %{_datadir}/authselect/default/sssd/
-%dir %{_datadir}/authselect/default/winbind/
-%{_datadir}/authselect/default/minimal/dconf-db
-%{_datadir}/authselect/default/minimal/dconf-locks
-%{_datadir}/authselect/default/minimal/fingerprint-auth
-%{_datadir}/authselect/default/minimal/nsswitch.conf
-%{_datadir}/authselect/default/minimal/password-auth
-%{_datadir}/authselect/default/minimal/postlogin
-%{_datadir}/authselect/default/minimal/README
-%{_datadir}/authselect/default/minimal/REQUIREMENTS
-%{_datadir}/authselect/default/minimal/smartcard-auth
-%{_datadir}/authselect/default/minimal/system-auth
-%{_datadir}/authselect/default/nis/dconf-db
-%{_datadir}/authselect/default/nis/dconf-locks
-%{_datadir}/authselect/default/nis/fingerprint-auth
-%{_datadir}/authselect/default/nis/nsswitch.conf
-%{_datadir}/authselect/default/nis/password-auth
-%{_datadir}/authselect/default/nis/postlogin
-%{_datadir}/authselect/default/nis/README
-%{_datadir}/authselect/default/nis/REQUIREMENTS
-%{_datadir}/authselect/default/nis/smartcard-auth
-%{_datadir}/authselect/default/nis/system-auth
-%{_datadir}/authselect/default/sssd/dconf-db
-%{_datadir}/authselect/default/sssd/dconf-locks
-%{_datadir}/authselect/default/sssd/fingerprint-auth
-%{_datadir}/authselect/default/sssd/nsswitch.conf
-%{_datadir}/authselect/default/sssd/password-auth
-%{_datadir}/authselect/default/sssd/postlogin
-%{_datadir}/authselect/default/sssd/README
-%{_datadir}/authselect/default/sssd/REQUIREMENTS
-%{_datadir}/authselect/default/sssd/smartcard-auth
-%{_datadir}/authselect/default/sssd/system-auth
-%{_datadir}/authselect/default/winbind/dconf-db
-%{_datadir}/authselect/default/winbind/dconf-locks
-%{_datadir}/authselect/default/winbind/fingerprint-auth
-%{_datadir}/authselect/default/winbind/nsswitch.conf
-%{_datadir}/authselect/default/winbind/password-auth
-%{_datadir}/authselect/default/winbind/postlogin
-%{_datadir}/authselect/default/winbind/README
-%{_datadir}/authselect/default/winbind/REQUIREMENTS
-%{_datadir}/authselect/default/winbind/smartcard-auth
-%{_datadir}/authselect/default/winbind/system-auth
-%{_libdir}/libauthselect.so.*
-%{_mandir}/man5/authselect-profiles.5*
-%{_datadir}/doc/authselect/COPYING
-%{_datadir}/doc/authselect/README.md
-%license COPYING
-%doc README.md
-
-%files compat
-%{_sbindir}/authconfig
-%{python3_sitelib}/authselect/
-
-%files devel
-%{_includedir}/authselect.h
-%{_libdir}/libauthselect.so
-%{_libdir}/pkgconfig/authselect.pc
-
-%files  -f %{name}.8.lang  -f %{name}-migration.7.lang
-%{_bindir}/authselect
-%{_mandir}/man8/authselect.8*
-%{_mandir}/man7/authselect-migration.7*
-%{_sysconfdir}/bash_completion.d/authselect-completion.sh
-
-%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid
-
-%preun
-if [ $1 == 0 ] ; then
-    # Remove authselect symbolic links so all authselect files can be
-    # deleted safely. If this fail, the uninstallation must fail to avoid
-    # breaking the system by removing PAM files. However, the command can
-    # only fail if it can not write to the file system.
-    %{_bindir}/authselect uninstall
-fi
-
-%pre libs
-%__rm -f %{validfile}
-if [ $1 -gt 1 ] ; then
-    # Remember if the current configuration is valid
-    %{_bindir}/authselect check &> /dev/null
-    if [ $? -eq 0 ]; then
-        touch %{validfile}
-    fi
-fi
-
-exit 0
-
-%posttrans libs
-# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
-if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
-    %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
-    touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
-
-    # If we are upgrading from older version, we want to remove these comments.
-    %__sed -i '/^# Generated by authselect on .*$/{$!{
-      N;N # Read also next two lines
-      /# Generated by authselect on .*\n# Do not modify this file manually.\n/d
-    }}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
-fi
-
-# If the configuration is valid and we are upgrading from older version
-# we need to create these files since they were added in 1.0.
-if [ -f %{validfile} ]; then
-    FILES="nsswitch.conf system-auth password-auth fingerprint-auth \
-           smartcard-auth postlogin dconf-db dconf-locks"
-
-    for FILE in $FILES ; do
-        %__cp -n %{_sysconfdir}/authselect/$FILE \
-               %{_localstatedir}/lib/authselect/$FILE &> /dev/null
-    done
-
-    %__rm -f %{validfile}
-fi
-
-# Keep nss-altfiles for all rpm-ostree based systems.
-# See https://github.com/authselect/authselect/issues/48
-if test -e /run/ostree-booted; then
-    for PROFILE in `ls %{_datadir}/authselect/default`; do
-        %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
-        %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
-    done
-fi
-
-# Apply any changes to profiles (validates configuration first internally)
-%{_bindir}/authselect apply-changes &> /dev/null
-
-# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111
-CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null`
-if [ $? -eq 0 ]; then
-    PROFILE=`echo $CURRENT | %__awk '{print $1;}'`
-
-    if [ $PROFILE == "sssd" ] ; then
-        if %__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
-            %{_bindir}/authselect enable-feature with-sudo &> /dev/null
-        elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
-            %{_bindir}/authselect enable-feature with-sudo &> /dev/null
-        fi
-    fi
-fi
-
-exit 0
-
-%posttrans compat
-# Fix for RHBZ#1618865
-# Remove invalid lines from pwquality.conf generated by authconfig compat tool
-# - previous version could write some options without value, which is invalid
-# - we delete all options without value from existing file
-%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
-exit 0
-
-%changelog
-* Thu Aug 3 2023 Pavel Březina <pbrezina@redhat.com> - 1.2.6-2
-- Fix Japanese translations (RHBZ #2216755)
-- Update translations (RHBZ #2189557)
-- Do not prompt for password twice when changing password of local user (RHBZ #2179607)
-
-* Thu Dec 1 2022 Pavel Březina <pbrezina@redhat.com> - 1.2.6-1
-- Rebase to 1.2.6 (RHBZ #2142805)
-- Update translations (RHBZ #2139696)
-- Change password hashing algorithm from yescrypt back to sha512 (RHBZ #2151140)
-
-* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.2.5-1
-- Rebase to 1.2.5 (RHBZ #2080238)
-- sssd profile with-smartcard no longer prevents local users from accessing cron (RHBZ #2070325)
-- backup-restore now works correctly (RHBZ #2066535)
-- add with-subid to sssd profile (RHBZ #2063750)
-
-* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
-- Update translations (RHBZ #1961625)
-
-* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-2
-- try_first_pass option no longer works on some PAM modules in RHEL8 (RHBZ #1949070)
-- Need to localize the description of --debug option in authselect show (RHBZ #1970408)
-
-* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
-- Rebase to authselect-1.2.2 (RHBZ #1892761)
-
-* Fri Jun 19 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-2
-- Update translations (RHBZ #1820533)
-
-* Tue May 12 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-1
-- Rebase to authselect-1.2.1 (RHBZ #1810471)
-- CLI commands are now correctly translated (RHBZ #1816009)
-- Remove unsupported features from sssd profile description (RHBZ #1830251)
-- add `with-files-access-provider` to sssd profile (RHBZ #1734094)
-- switch to pam_usertype module (RHBZ #1773567)
-- fix typo in sssd profile description (RHBZ #1787638)
-- add minimal profile (RHBZ #1654018)
-
-* Thu Jul 4 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-2
-- Update translations (RHBZ #1689973)
-
-* Mon Jun 10 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-1
-- Rebase to authselect-1.1 (RHBZ #1685516)
-- Notify that oddjob-mkhomedir needs to be enabled manually (RHBZ #1694103)
-- Ask for smartcard insertion when smartcard authentication is required (RHBZ #1674397)
-- Update translations (RHBZ #1689973)
-
-* Mon Feb 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-13
-- Revert pam_systemd.so to be optional
-- Resolves: #rhbz1643928 - pam_systemd shouldn't be optional in system-auth
-
-* Mon Feb 4 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-12
-- make authselect work with selinux disabled (RHBZ #1668025)
-- require smartcard authentication only for specific services (RHBZ #1665058)
-- update translations (RHBZ #1608286)
-
-* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-11
-- require libselinux needed by (RHBZ #1664650)
-
-* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-10
-- invalid selinux context for files under /etc/authselect (RHBZ #1664650)
-
-* Tue Dec 4 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-9
-- fix sources for official rhel translations (RHBZ #1608286)
-- fix coverity warnings for authselect enable-features should error on unknown features (RHBZ #1651637)
-
-* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-8
-- add official rhel translations (RHBZ #1608286)
-
-* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-7
-- pam_systemd shouldn't be optional in system-auth (RHBZ #1643928)
-- compat tool: support --enablerequiresmartcard (RHBZ #1649277)
-- compat tool: support --smartcardaction=0 (RHBZ #1649279)
-- remove ecryptfs from authselect since it is not present in rhel8 (RHBZ #1649282)
-- authselect enable-features should error on unknown features (RHBZ #1651637)
-
-* Wed Oct 31 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-6
-- Remove mention of Fedora Change page from compat tool (RHBZ #1644309)
-
-* Wed Oct 10 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-5
-- Support for "require smartcard for login option" (RHBZ #1611012)
-
-* Mon Oct 1 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-4
-- add official rhel translations (RHBZ #1608286)
-
-* Fri Sep 28 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
-- scriptlet can fail if coreutils is not installed  (RHBZ #1630896)
-- fix typo (require systemd instead of systemctl)
-
-* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-2
-- authconfig --update overwrites current profile (RHBZ #1628492)
-- authselect profile nis enhancements (RHBZ #1628493)
-- scriptlet can fail if coreutils is not installed  (RHBZ #1630896)
-- authconfig --update --enablenis stops ypserv (RHBZ #1632567)
-- compat tool generates invalid pwquality configuration (RHBZ #1628491)
-
-* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
-- Rebase to 1.0 (RHBZ #1614235)
-
-* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.4-4
-- Rebuild for platform-python
-
-* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
-- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
-
-* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
-- Don't disable oddjobd.service (RHBZ #1571844)
-
-* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
-- rebasing to 0.4
-
-* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
-- rebasing to 0.3.2
-- authselect-compat now only suggests packages, not recommends
-
-* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
-- rebasing to 0.3.1
-
-* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
-- Provide authconfig
-
-* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
-- Properly own all appropriate directories
-- Remove unneeded %%defattr
-- Remove deprecated Group tag
-- Make Obsoletes versioned
-- Remove unneeded ldconfig scriptlets
-
-* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
-- rebasing to 0.3
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
-- fix rpmlint errors
-* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
-- rebasing to 0.2
-* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
-- initial packaging

authselect.rpmlintrc

@@ -0,0 +1,14 @@
+# Whitelist known warnings that can not be fixed
+addFilter("authselect.*: W: package-with-huge-docs 70%");
+addFilter("authselect.*: W: obsolete-not-provided authconfig");
+addFilter("authselect.*: W: obsolete-not-provided authselect-compat");
+addFilter("authselect.*: W: non-conffile-in-etc /etc/bash_completion.d/authselect-completion.sh");
+addFilter("authselect-devel.*: W: no-documentation");
+addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/winbind/dconf-locks /usr/share/authselect/default/minimal/dconf-locks:/usr/share/authselect/default/nis/dconf-locks");
+addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/winbind/smartcard-auth /usr/share/authselect/default/minimal/fingerprint-auth:/usr/share/authselect/default/minimal/smartcard-auth:/usr/share/authselect/default/nis/smartcard-auth");
+addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/minimal/system-auth /usr/share/authselect/default/minimal/password-auth");
+addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/winbind/postlogin /usr/share/authselect/default/minimal/postlogin:/usr/share/authselect/default/nis/postlogin:/usr/share/authselect/default/sssd/postlogin");
+addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/winbind/dconf-db /usr/share/authselect/default/nis/dconf-db");
+addFilter("authselect-libs.*: W: files-duplicate /usr/share/doc/authselect/README.md /usr/share/doc/authselect-libs/README.md");
+addFilter("authselect-libs.*: W: files-duplicate /usr/share/licenses/authselect-libs/COPYING /usr/share/doc/authselect/COPYING");
+addFilter("authselect-libs.*: W: dangerous-command-in-%posttrans rm");

authselect.spec

@@ -0,0 +1,489 @@
+# Do not terminate build if language files are empty.
+%define _empty_manifest_terminate_build 0
+
+Name:           authselect
+Version:        1.5.0
+Release:        8%{?dist}
+Summary:        Configures authentication and identity sources from supported profiles
+URL:            https://github.com/authselect/authselect
+
+License:        GPL-3.0-or-later
+Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+%global makedir %{_builddir}/%{name}-%{version}
+
+# Disable NIS profile on RHEL
+%if 0%{?rhel}
+%global with_nis_profile 0
+%else
+%global with_nis_profile 1
+%endif
+
+# Set the default profile
+%{?fedora:%global default_profile local with-silent-lastlog}
+%{?rhel:%global default_profile local}
+
+# Patches
+Patch0001: 0001-sssd-reintroduce-with-files-access-provider.patch
+Patch0002: 0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
+Patch0003: 0003-po-update-translations.patch
+Patch0004: 0004-nis-install-nis-profile-conditionally.patch
+Patch0005: 0005-configure-drop-user-nsswitch.conf-support.patch
+Patch0006: 0006-configure-drop-authconfig-compat-tool.patch
+Patch0007: 0007-ci-remove-python-checks.patch
+Patch0008: 0008-pot-update-pot-files.patch
+Patch0009: 0009-profiles-merge-groups-records-with-SUCCESS-merge.patch
+Patch0010: 0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch
+Patch0011: 0011-profiles-put-myhostname-before-dns.patch
+
+# RHEL-only patches
+%if 0%{?rhel}
+Patch0901: 0901-rhel10-remove-systemd-homed.patch
+Patch0902: 0902-rhel10-remove-ecryptfs-support.patch
+Patch0903: 0903-rhel10-remove-systemd-resolved.patch
+Patch0904: 0904-rhel10-move-myhostname-after-dns-to-fix-hostname-fqd.patch
+%endif
+
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  findutils
+BuildRequires:  libtool
+BuildRequires:  m4
+BuildRequires:  gcc
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(popt)
+BuildRequires:  gettext-devel
+BuildRequires:  po4a
+BuildRequires:  %{_bindir}/a2x
+BuildRequires:  libcmocka-devel >= 1.0.0
+BuildRequires:  libselinux-devel
+Requires: authselect-libs%{?_isa} = %{version}-%{release}
+Suggests: sssd
+Suggests: samba-winbind
+Suggests: fprintd-pam
+Suggests: oddjob-mkhomedir
+
+# Properly obsolete removed authselect-compat package.
+Obsoletes: authselect-compat < 1.3
+
+%description
+Authselect is designed to be a replacement for authconfig but it takes
+a different approach to configure the system. Instead of letting
+the administrator build the PAM stack with a tool (which may potentially
+end up with a broken configuration), it would ship several tested stacks
+(profiles) that solve a use-case and are well tested and supported.
+At the same time, some obsolete features of authconfig are not
+supported by authselect.
+
+%package libs
+Summary: Utility library used by the authselect tool
+# Required by scriptlets
+Requires: coreutils
+Requires: sed
+Suggests: systemd
+
+%description libs
+Common library files for authselect. This package is used by the authselect
+command line tool and any other potential front-ends.
+
+%package devel
+Summary: Development libraries and headers for authselect
+Requires: authselect-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+System header files and development libraries for authselect. Useful if
+you develop a front-end for the authselect library.
+
+%prep
+%setup -q
+
+for p in %patches ; do
+    %__patch -p1 -i $p
+done
+
+%build
+autoreconf -if
+%configure \
+%if %{with_nis_profile}
+    --with-nis-profile \
+%endif
+    %{nil}
+
+%make_build
+
+%check
+%make_build check
+
+%install
+%make_install
+
+# Find translations
+%find_lang %{name}
+%find_lang %{name} %{name}.8.lang --with-man
+%find_lang %{name}-migration %{name}-migration.7.lang --with-man
+%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
+
+# We want this file to contain only manual page translations
+%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
+
+# Remove .la and .a files created by libtool
+find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
+find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+
+%ldconfig_scriptlets libs
+
+%files libs -f %{name}.lang -f %{name}-profiles.5.lang
+%dir %{_sysconfdir}/authselect
+%dir %{_sysconfdir}/authselect/custom
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
+%dir %{_localstatedir}/lib/authselect
+%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
+%dir %{_datadir}/authselect
+%dir %{_datadir}/authselect/vendor
+%dir %{_datadir}/authselect/default
+%dir %{_datadir}/authselect/default/local/
+%dir %{_datadir}/authselect/default/sssd/
+%dir %{_datadir}/authselect/default/winbind/
+%{_datadir}/authselect/default/local/dconf-db
+%{_datadir}/authselect/default/local/dconf-locks
+%{_datadir}/authselect/default/local/fingerprint-auth
+%{_datadir}/authselect/default/local/nsswitch.conf
+%{_datadir}/authselect/default/local/password-auth
+%{_datadir}/authselect/default/local/postlogin
+%{_datadir}/authselect/default/local/README
+%{_datadir}/authselect/default/local/REQUIREMENTS
+%{_datadir}/authselect/default/local/smartcard-auth
+%{_datadir}/authselect/default/local/system-auth
+%{_datadir}/authselect/default/sssd/dconf-db
+%{_datadir}/authselect/default/sssd/dconf-locks
+%{_datadir}/authselect/default/sssd/fingerprint-auth
+%{_datadir}/authselect/default/sssd/nsswitch.conf
+%{_datadir}/authselect/default/sssd/password-auth
+%{_datadir}/authselect/default/sssd/postlogin
+%{_datadir}/authselect/default/sssd/README
+%{_datadir}/authselect/default/sssd/REQUIREMENTS
+%{_datadir}/authselect/default/sssd/smartcard-auth
+%{_datadir}/authselect/default/sssd/system-auth
+%{_datadir}/authselect/default/winbind/dconf-db
+%{_datadir}/authselect/default/winbind/dconf-locks
+%{_datadir}/authselect/default/winbind/fingerprint-auth
+%{_datadir}/authselect/default/winbind/nsswitch.conf
+%{_datadir}/authselect/default/winbind/password-auth
+%{_datadir}/authselect/default/winbind/postlogin
+%{_datadir}/authselect/default/winbind/README
+%{_datadir}/authselect/default/winbind/REQUIREMENTS
+%{_datadir}/authselect/default/winbind/smartcard-auth
+%{_datadir}/authselect/default/winbind/system-auth
+%if %{with_nis_profile}
+%dir %{_datadir}/authselect/default/nis/
+%{_datadir}/authselect/default/nis/dconf-db
+%{_datadir}/authselect/default/nis/dconf-locks
+%{_datadir}/authselect/default/nis/fingerprint-auth
+%{_datadir}/authselect/default/nis/nsswitch.conf
+%{_datadir}/authselect/default/nis/password-auth
+%{_datadir}/authselect/default/nis/postlogin
+%{_datadir}/authselect/default/nis/README
+%{_datadir}/authselect/default/nis/REQUIREMENTS
+%{_datadir}/authselect/default/nis/smartcard-auth
+%{_datadir}/authselect/default/nis/system-auth
+%endif
+%{_libdir}/libauthselect.so.*
+%{_mandir}/man5/authselect-profiles.5*
+%{_datadir}/doc/authselect/COPYING
+%{_datadir}/doc/authselect/README.md
+%license COPYING
+%doc README.md
+
+%files devel
+%{_includedir}/authselect.h
+%{_libdir}/libauthselect.so
+%{_libdir}/pkgconfig/authselect.pc
+
+%files  -f %{name}.8.lang  -f %{name}-migration.7.lang
+%{_bindir}/authselect
+%{_mandir}/man8/authselect.8*
+%{_mandir}/man7/authselect-migration.7*
+%{_sysconfdir}/bash_completion.d/authselect-completion.sh
+
+%preun
+if [ $1 == 0 ] ; then
+    # Remove authselect symbolic links so all authselect files can be
+    # deleted safely. If this fail, the uninstallation must fail to avoid
+    # breaking the system by removing PAM files. However, the command can
+    # only fail if it can not write to the file system.
+    %{_bindir}/authselect opt-out
+fi
+
+%posttrans libs
+# Keep nss-altfiles for all rpm-ostree based systems.
+# See https://github.com/authselect/authselect/issues/48
+if test -e /run/ostree-booted; then
+    for PROFILE in `ls %{_datadir}/authselect/default`; do
+        %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
+        %__sed -i -e 's/{if "with-altfiles":\([^}]\+\)}/\1/g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+    done
+fi
+
+# If this is a new installation select the default configuration.
+if [ $1 == 1 ] ; then
+    %{_bindir}/authselect select %{default_profile} --force --nobackup &> /dev/null
+    exit 0
+fi
+
+# Minimal profile was removed. Switch to local during upgrade.
+%__sed -i '1 s/^minimal$/local/'  %{_sysconfdir}/authselect/authselect.conf
+for file in  %{_sysconfdir}/authselect/custom/*/*; do
+    link=`%{_bindir}/readlink "$file"`
+    if [[ "$link" == %{_datadir}/authselect/default/minimal/* ]]; then
+        target=`%{_bindir}/basename "$link"`
+        %{_bindir}/ln -sfn "%{_datadir}/authselect/default/local/$target" "$file"
+    fi
+done
+
+# Apply any changes to profiles (validates configuration first internally)
+%{_bindir}/authselect apply-changes &> /dev/null
+
+exit 0
+
+%changelog
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.5.0-8
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Fri Aug 02 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-7
+- myhostname is put after dns module in nsswitch.conf hosts to fix hostname --fqdn (RHEL-39537)
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.5.0-6
+- Bump release for June 2024 mass rebuild
+
+* Tue Feb 27 2024 Jonathan Lebon <jonathan@jlebon.com> - 1.5.0-5
+- Fix altfiles rendering on OSTree variants
+
+* Fri Feb 23 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-4
+- Add back with-files-access-provider
+- Remove outdated scriptlets
+- Group merging added to nsswitch.conf group in all profiles
+- myhostname is put right before dns module in nsswitch.conf hosts (rhbz#2257197)
+- Internal packaging changes
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jan 18 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-1
+- Rebase to 1.5.0
+- "minimal" profile was removed and replaced with "local". (rhbz#2253180)
+- "local" profile is now default (rhbz#2253180)
+
+* Wed Sep 27 2023 Pavel Březina <pbrezina@redhat.com> - 1.4.3-1
+- Rebase to 1.4.3
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Dec 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.2-1
+- Rebase to 1.4.2
+
+* Thu Dec 1 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.1-1
+- Rebase to 1.4.1
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Fri Jul 8 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-2
+- Fix issues with popt-1.19
+
+* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-1
+- Rebase to 1.3.0
+
+* Thu Feb 10 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-10
+- Fix mdns support (#2052269)
+
+* Thu Feb 3 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-9
+- Make authselect compatible with ostree (#2034360)
+- Authselect now requires explicit opt-out if users don't want to use it (#2051545)
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-7
+- Remove unnecessary dependencies (#2039869)
+
+* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-6
+- Fix detection of ostree system (#2034360)
+
+* Tue Dec 28 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-5
+- Try to use io.open() in pre scriptlet instead of rpm.open() (rpm >= 4.17.0)
+
+* Tue Dec 21 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-4
+- Use lua for pre scriptlets to reduce dependencies
+
+* Fri Dec 10 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-3
+- Update conflicting versions of glibc and pam
+
+* Mon Dec 6 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-1
+- Rebase to 1.3.0
+- Authselect configuration is now enforced (#2000936)
+
+* Sat Aug 14 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.4-2
+- Add proper Obsoletes for removed authselect-compat package
+  Fixes: rhbz#1993189
+
+* Mon Aug 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.4-1
+- Rebase to 1.2.4
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.3-3
+- Backport support for yescrypt hash method
+
+* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.2.3-2
+- Rebuilt for Python 3.10
+
+* Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-1
+- Rebase to 1.2.3
+
+* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-4
+- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
+  Resolves: #1935331
+
+* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
+- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
+- Rebase to 1.2.2
+- Add nss-altfiles to profiles on Fedora Silverblue
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-3
+- Add resolved by default to nis and minimal profiles
+- Fix parsing of multiple conditionals on the same line
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.2.1-2
+- Rebuilt for Python 3.9
+
+* Mon May 11 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-1
+- Rebase to 1.2.1
+
+* Wed Mar 4 2020 Pavel Březina <pbrezina@redhat.com> - 1.2-1
+- Rebase to 1.2
+
+* Mon Feb 17 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-7
+- fix restoring non-authselect configuration from backup
+
+* Wed Jan 29 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-6
+- cli: fix auto backup when --force is set
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-4
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-3
+- Rebuilt for Python 3.8
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jun 13 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-1
+- Rebase to 1.1
+
+* Tue Feb 26 2019 Pavel Březina <pbrezina@redhat.com> - 1.0.3-1
+- Rebase to 1.0.3
+
+* Tue Feb 26 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0.2-4
+- Use %ghost for files owned by authselect
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-2
+- Resolves rhbz#1655025 (invalid backup).
+
+* Fri Nov 23 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-1
+- Rebase to 1.0.2
+
+* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-2
+- Require systemd instead of systemctl
+
+* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-1
+- Rebase to 1.0.1
+
+* Fri Sep 14 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
+- Scriptlets should no produce any error messages (RHBZ #1622272)
+- Provide fix for pwquality configuration (RHBZ #1618865)
+
+* Thu Aug 30 2018 Adam Williamson <awilliam@redhat.com> - 1.0-2
+- Backport PR #78 to fix broken pwquality config (RHBZ #1618865)
+
+* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
+- Rebase to 1.0
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.4-4
+- Rebuilt for Python 3.7
+
+* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
+- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
+
+* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
+- Don't disable oddjobd.service (RHBZ #1571844)
+
+* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
+- rebasing to 0.4
+
+* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
+- rebasing to 0.3.2
+- authselect-compat now only suggests packages, not recommends
+
+* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
+- rebasing to 0.3.1
+
+* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
+- Provide authconfig
+
+* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
+- Properly own all appropriate directories
+- Remove unneeded %%defattr
+- Remove deprecated Group tag
+- Make Obsoletes versioned
+- Remove unneeded ldconfig scriptlets
+
+* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
+- rebasing to 0.3
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
+- fix rpmlint errors
+* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
+- rebasing to 0.2
+* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
+- initial packaging

gating.yaml

@@ -0,0 +1,8 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
+

sources

@@ -0,0 +1 @@
+SHA512 (authselect-1.5.0.tar.gz) = 33101654f8fd15e14bb644cf486734757fcfb7f0b83916ec1571f71d3e558e199ac6a14d10d402932531b54951717fda65d4a506199f9760937af26159ee5894

tests/tests.yml

@@ -0,0 +1,11 @@
+---  
+- hosts: localhost
+  tags:
+    - classic
+  roles:
+  - role: standard-test-basic
+    become: True
+    tests:
+    - simple:
+        dir: .
+        run: authselect list