Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0
Resolves: RHEL-4984 - Mismatch between input and parsed domain name when default_domain_suffix is set. Resolves: RHEL-65848 - sssd password authentication broken in sssd-2.10.0~beta2-2 and later Resolves: RHEL-67669 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option Resolves: RHEL-68421 - sssd ldap_child process segfaults when krb5.conf is invalid [rhel-10] Resolves: RHEL-66935 - Avoid log flooding in case an app keeps making invalid `getservbyport(0, ...)` request Resolves: RHEL-65736 - ipa: sudo commands doesn't check threshold correctly Resolves: RHEL-68319 - Please deprecate/remove ad_allow_remote_domain_local_groups
This commit is contained in:
parent
c4d16510de
commit
98cad07f1e
1
.gitignore
vendored
1
.gitignore
vendored
@ -114,3 +114,4 @@ sssd-1.2.91.tar.gz
|
|||||||
/sssd-2.10.0-beta1.tar.gz
|
/sssd-2.10.0-beta1.tar.gz
|
||||||
/sssd-2.10.0-beta2.tar.gz
|
/sssd-2.10.0-beta2.tar.gz
|
||||||
/sssd-2.10.0.tar.gz
|
/sssd-2.10.0.tar.gz
|
||||||
|
/sssd-2.10.1.tar.gz
|
||||||
|
@ -1,68 +0,0 @@
|
|||||||
From e4ae4d6129e85fe99bbb82438ed90352400ecdf3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Fri, 26 Jul 2024 15:55:01 +0200
|
|
||||||
Subject: [PATCH] BUILD: configure logrotate to work with non-root-group
|
|
||||||
writable folder
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Otherwise logrotate complains:
|
|
||||||
```
|
|
||||||
error: skipping "/var/log/sssd/sssd_kcm.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
|
|
||||||
```
|
|
||||||
|
|
||||||
See https://bugzilla.redhat.com/show_bug.cgi?id=2299733 for details
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Vávra <jvavra@redhat.com>
|
|
||||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
Makefile.am | 1 +
|
|
||||||
configure.ac | 1 +
|
|
||||||
src/examples/{logrotate => logrotate.in} | 1 +
|
|
||||||
3 files changed, 3 insertions(+)
|
|
||||||
rename src/examples/{logrotate => logrotate.in} (90%)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index f4cadee6f..82e0c5882 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -5706,6 +5706,7 @@ endif
|
|
||||||
rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket
|
|
||||||
rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service
|
|
||||||
rm -f $(builddir)/src/tools/wrappers/sss_debuglevel
|
|
||||||
+ rm -Rf $(builddir)/src/examples
|
|
||||||
rm -Rf $(builddir)/contrib
|
|
||||||
|
|
||||||
CLEANFILES += *.X */*.X */*/*.X
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 105d77a4d..380c16ba8 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -563,6 +563,7 @@ AC_DEFINE_UNQUOTED([ABS_SRC_DIR], ["$my_srcdir"], [Absolute path to the source d
|
|
||||||
AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
|
|
||||||
contrib/sssd-pcsc.rules contrib/90-sssd-token-access.rules
|
|
||||||
contrib/sssd-tmpfiles.conf
|
|
||||||
+ src/examples/logrotate
|
|
||||||
src/sysv/sssd src/sysv/gentoo/sssd src/sysv/gentoo/sssd-kcm
|
|
||||||
po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile
|
|
||||||
src/tests/intg/Makefile src/tests/test_CA/Makefile
|
|
||||||
diff --git a/src/examples/logrotate b/src/examples/logrotate.in
|
|
||||||
similarity index 90%
|
|
||||||
rename from src/examples/logrotate
|
|
||||||
rename to src/examples/logrotate.in
|
|
||||||
index 6e769451c..0421946a2 100644
|
|
||||||
--- a/src/examples/logrotate
|
|
||||||
+++ b/src/examples/logrotate.in
|
|
||||||
@@ -6,6 +6,7 @@
|
|
||||||
rotate 2
|
|
||||||
compress
|
|
||||||
delaycompress
|
|
||||||
+ su @SSSD_USER@ @SSSD_USER@
|
|
||||||
postrotate
|
|
||||||
/bin/kill -HUP `cat /var/run/sssd.pid 2>/dev/null` 2> /dev/null || true
|
|
||||||
/bin/pkill -HUP sssd_kcm 2> /dev/null || true
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
@ -1,230 +0,0 @@
|
|||||||
From d523261c312c1ccab0253ddf14b54daba44ed268 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 13 Sep 2024 15:45:59 +0200
|
|
||||||
Subject: [PATCH] ldap: add 'exop_force' value for ldap_pwmodify_mode
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
In case the LDAP server allows to run the extended operation to change a
|
|
||||||
password even if an authenticated bind fails due to missing grace logins
|
|
||||||
the new option 'exop_force' can be used to run the extended operation to
|
|
||||||
change the password anyways.
|
|
||||||
|
|
||||||
:config: Added `exop_force` value for configuration option
|
|
||||||
`ldap_pwmodify_mode`. This can be used to force a password change even
|
|
||||||
if no grace logins are left. Depending on the configuration of the
|
|
||||||
LDAP server it might be expected that the password change will fail.
|
|
||||||
|
|
||||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit 7184541976608d357a5da48d09a7fa08862477d8)
|
|
||||||
---
|
|
||||||
src/man/sssd-ldap.5.xml | 11 +++++++++
|
|
||||||
src/providers/ipa/ipa_auth.c | 3 ++-
|
|
||||||
src/providers/ldap/ldap_auth.c | 5 +++-
|
|
||||||
src/providers/ldap/ldap_options.c | 2 ++
|
|
||||||
src/providers/ldap/sdap.h | 5 ++--
|
|
||||||
src/providers/ldap/sdap_async.h | 3 ++-
|
|
||||||
src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++-----
|
|
||||||
7 files changed, 45 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
|
||||||
index a6f9b1c97..d50aa65b2 100644
|
|
||||||
--- a/src/man/sssd-ldap.5.xml
|
|
||||||
+++ b/src/man/sssd-ldap.5.xml
|
|
||||||
@@ -234,6 +234,17 @@
|
|
||||||
userPassword (not recommended).
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ exop_force - Try Password Modify
|
|
||||||
+ Extended Operation (RFC 3062) even if
|
|
||||||
+ there are no grace logins left.
|
|
||||||
+ Depending on the type and configuration
|
|
||||||
+ of the LDAP server the password change
|
|
||||||
+ might fail because an authenticated bind
|
|
||||||
+ is not possible.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
</itemizedlist>
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
|
|
||||||
index e238d0623..db1cd6ad3 100644
|
|
||||||
--- a/src/providers/ipa/ipa_auth.c
|
|
||||||
+++ b/src/providers/ipa/ipa_auth.c
|
|
||||||
@@ -397,7 +397,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
|
|
||||||
SDAP_USE_PPOLICY);
|
|
||||||
|
|
||||||
subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
|
|
||||||
- state->pd->authtok, timeout, use_ppolicy);
|
|
||||||
+ state->pd->authtok, timeout, use_ppolicy,
|
|
||||||
+ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
|
|
||||||
if (subreq == NULL) {
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
|
||||||
index 9ccbdabdb..370cdf171 100644
|
|
||||||
--- a/src/providers/ldap/ldap_auth.c
|
|
||||||
+++ b/src/providers/ldap/ldap_auth.c
|
|
||||||
@@ -914,7 +914,8 @@ static void auth_do_bind(struct tevent_req *req)
|
|
||||||
subreq = sdap_auth_send(state, state->ev, state->sh,
|
|
||||||
NULL, NULL, state->dn,
|
|
||||||
state->authtok,
|
|
||||||
- timeout, use_ppolicy);
|
|
||||||
+ timeout, use_ppolicy,
|
|
||||||
+ state->ctx->opts->pwmodify_mode);
|
|
||||||
if (!subreq) {
|
|
||||||
tevent_req_error(req, ENOMEM);
|
|
||||||
return;
|
|
||||||
@@ -1208,6 +1209,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
switch (opts->pwmodify_mode) {
|
|
||||||
case SDAP_PWMODIFY_EXOP:
|
|
||||||
+ case SDAP_PWMODIFY_EXOP_FORCE:
|
|
||||||
use_ppolicy = dp_opt_get_bool(opts->basic, SDAP_USE_PPOLICY);
|
|
||||||
subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
|
|
||||||
password, new_password,
|
|
||||||
@@ -1252,6 +1254,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)
|
|
||||||
|
|
||||||
switch (state->mode) {
|
|
||||||
case SDAP_PWMODIFY_EXOP:
|
|
||||||
+ case SDAP_PWMODIFY_EXOP_FORCE:
|
|
||||||
ret = sdap_exop_modify_passwd_recv(subreq, state,
|
|
||||||
&state->user_error_message);
|
|
||||||
break;
|
|
||||||
diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
|
|
||||||
index 277bcb529..72a95300d 100644
|
|
||||||
--- a/src/providers/ldap/ldap_options.c
|
|
||||||
+++ b/src/providers/ldap/ldap_options.c
|
|
||||||
@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
|
|
||||||
opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
|
|
||||||
} else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
|
|
||||||
opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
|
|
||||||
+ } else if (strcasecmp(pwmodify, "exop_force") == 0) {
|
|
||||||
+ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
|
|
||||||
} else {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
|
|
||||||
ret = EINVAL;
|
|
||||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
|
||||||
index d66ca156a..35a4d5e1c 100644
|
|
||||||
--- a/src/providers/ldap/sdap.h
|
|
||||||
+++ b/src/providers/ldap/sdap.h
|
|
||||||
@@ -550,8 +550,9 @@ struct sdap_options {
|
|
||||||
|
|
||||||
/* password modify mode */
|
|
||||||
enum pwmodify_mode {
|
|
||||||
- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
|
|
||||||
- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */
|
|
||||||
+ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
|
|
||||||
+ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */
|
|
||||||
+ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
|
|
||||||
} pwmodify_mode;
|
|
||||||
|
|
||||||
/* The search bases for the domain or its subdomain */
|
|
||||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
|
||||||
index a78a1157c..700cd6f9c 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async.h
|
|
||||||
+++ b/src/providers/ldap/sdap_async.h
|
|
||||||
@@ -147,7 +147,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
|
|
||||||
const char *user_dn,
|
|
||||||
struct sss_auth_token *authtok,
|
|
||||||
int simple_bind_timeout,
|
|
||||||
- bool use_ppolicy);
|
|
||||||
+ bool use_ppolicy,
|
|
||||||
+ enum pwmodify_mode pwmodify_mode);
|
|
||||||
|
|
||||||
errno_t sdap_auth_recv(struct tevent_req *req,
|
|
||||||
TALLOC_CTX *memctx,
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
|
|
||||||
index a6d4ee443..67c09835b 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_connection.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_connection.c
|
|
||||||
@@ -646,6 +646,7 @@ struct simple_bind_state {
|
|
||||||
struct tevent_context *ev;
|
|
||||||
struct sdap_handle *sh;
|
|
||||||
const char *user_dn;
|
|
||||||
+ enum pwmodify_mode pwmodify_mode;
|
|
||||||
|
|
||||||
struct sdap_op *op;
|
|
||||||
|
|
||||||
@@ -663,7 +664,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
|
|
||||||
int timeout,
|
|
||||||
const char *user_dn,
|
|
||||||
struct berval *pw,
|
|
||||||
- bool use_ppolicy)
|
|
||||||
+ bool use_ppolicy,
|
|
||||||
+ enum pwmodify_mode pwmodify_mode)
|
|
||||||
{
|
|
||||||
struct tevent_req *req;
|
|
||||||
struct simple_bind_state *state;
|
|
||||||
@@ -686,6 +688,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
|
|
||||||
state->ev = ev;
|
|
||||||
state->sh = sh;
|
|
||||||
state->user_dn = user_dn;
|
|
||||||
+ state->pwmodify_mode = pwmodify_mode;
|
|
||||||
|
|
||||||
if (use_ppolicy) {
|
|
||||||
ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
|
|
||||||
@@ -872,7 +875,12 @@ static void simple_bind_done(struct sdap_op *op,
|
|
||||||
* Grace Authentications". */
|
|
||||||
DEBUG(SSSDBG_TRACE_LIBS,
|
|
||||||
"Password expired, grace logins exhausted.\n");
|
|
||||||
- ret = ERR_AUTH_FAILED;
|
|
||||||
+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
|
|
||||||
+ ret = ERR_PASSWORD_EXPIRED;
|
|
||||||
+ } else {
|
|
||||||
+ ret = ERR_AUTH_FAILED;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
} else if (strcmp(response_controls[c]->ldctl_oid,
|
|
||||||
LDAP_CONTROL_PWEXPIRED) == 0) {
|
|
||||||
@@ -885,7 +893,12 @@ static void simple_bind_done(struct sdap_op *op,
|
|
||||||
if (result == LDAP_INVALID_CREDENTIALS) {
|
|
||||||
DEBUG(SSSDBG_TRACE_LIBS,
|
|
||||||
"Password expired, grace logins exhausted.\n");
|
|
||||||
- ret = ERR_AUTH_FAILED;
|
|
||||||
+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
|
|
||||||
+ ret = ERR_PASSWORD_EXPIRED;
|
|
||||||
+ } else {
|
|
||||||
+ ret = ERR_AUTH_FAILED;
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
DEBUG(SSSDBG_TRACE_LIBS,
|
|
||||||
"Password expired, user must set a new password.\n");
|
|
||||||
@@ -1365,7 +1378,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
|
|
||||||
const char *user_dn,
|
|
||||||
struct sss_auth_token *authtok,
|
|
||||||
int simple_bind_timeout,
|
|
||||||
- bool use_ppolicy)
|
|
||||||
+ bool use_ppolicy,
|
|
||||||
+ enum pwmodify_mode pwmodify_mode)
|
|
||||||
{
|
|
||||||
struct tevent_req *req, *subreq;
|
|
||||||
struct sdap_auth_state *state;
|
|
||||||
@@ -1404,7 +1418,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
|
|
||||||
pw.bv_len = pwlen;
|
|
||||||
|
|
||||||
state->is_sasl = false;
|
|
||||||
- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, use_ppolicy);
|
|
||||||
+ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, use_ppolicy, pwmodify_mode);
|
|
||||||
if (!subreq) {
|
|
||||||
tevent_req_error(req, ENOMEM);
|
|
||||||
return tevent_req_post(req, ev);
|
|
||||||
@@ -1981,7 +1995,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
|
|
||||||
dp_opt_get_int(state->opts->basic,
|
|
||||||
SDAP_OPT_TIMEOUT),
|
|
||||||
dp_opt_get_bool(state->opts->basic,
|
|
||||||
- SDAP_USE_PPOLICY));
|
|
||||||
+ SDAP_USE_PPOLICY),
|
|
||||||
+ state->opts->pwmodify_mode);
|
|
||||||
talloc_free(authtok);
|
|
||||||
if (!subreq) {
|
|
||||||
tevent_req_error(req, ENOMEM);
|
|
||||||
--
|
|
||||||
2.46.1
|
|
||||||
|
|
@ -1,207 +0,0 @@
|
|||||||
From fc2a26c306e51b66680aef85aa0d2c41d8049a7f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Tue, 16 Jul 2024 13:08:02 +0200
|
|
||||||
Subject: [PATCH 2/3] TS_CACHE: never try to upgrade timestamps cache
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
It's easier and more consistent to recreate it instead.
|
|
||||||
|
|
||||||
This is a natural extension of 3b67fc6488ac10ca13561d9032f59951f82203e6
|
|
||||||
|
|
||||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb_init.c | 103 +----------------------------------------
|
|
||||||
src/db/sysdb_upgrade.c | 45 ------------------
|
|
||||||
2 files changed, 1 insertion(+), 147 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
|
||||||
index 85db5f9e1..ecf16fd11 100644
|
|
||||||
--- a/src/db/sysdb_init.c
|
|
||||||
+++ b/src/db/sysdb_init.c
|
|
||||||
@@ -348,57 +348,6 @@ static errno_t sysdb_cache_create_empty(struct ldb_context *ldb,
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static errno_t sysdb_ts_cache_upgrade(TALLOC_CTX *mem_ctx,
|
|
||||||
- struct sysdb_ctx *sysdb,
|
|
||||||
- struct ldb_context *ldb,
|
|
||||||
- struct sss_domain_info *domain,
|
|
||||||
- const char *cur_version,
|
|
||||||
- const char **_new_version)
|
|
||||||
-{
|
|
||||||
- errno_t ret;
|
|
||||||
- TALLOC_CTX *tmp_ctx;
|
|
||||||
- const char *version;
|
|
||||||
- struct ldb_context *save_ldb;
|
|
||||||
-
|
|
||||||
- tmp_ctx = talloc_new(NULL);
|
|
||||||
- if (tmp_ctx == NULL) {
|
|
||||||
- return ENOMEM;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* The upgrade process depends on having ldb around, yet the upgrade
|
|
||||||
- * function shouldn't set the ldb pointer, only the connect function
|
|
||||||
- * should after it's successful. To avoid hard refactoring, save the
|
|
||||||
- * ldb pointer here and restore in the 'done' handler
|
|
||||||
- */
|
|
||||||
- save_ldb = sysdb->ldb;
|
|
||||||
- sysdb->ldb = ldb;
|
|
||||||
-
|
|
||||||
- version = talloc_strdup(tmp_ctx, cur_version);
|
|
||||||
- if (version == NULL) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
- "Upgrading timstamp cache of DB [%s] from version: %s\n",
|
|
||||||
- domain->name, version);
|
|
||||||
-
|
|
||||||
- if (strcmp(version, SYSDB_TS_VERSION_0_1) == 0) {
|
|
||||||
- ret = sysdb_ts_upgrade_01(sysdb, &version);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = EOK;
|
|
||||||
-
|
|
||||||
-done:
|
|
||||||
- sysdb->ldb = save_ldb;
|
|
||||||
- *_new_version = version;
|
|
||||||
- talloc_free(tmp_ctx);
|
|
||||||
- return ret;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
|
|
||||||
struct sysdb_ctx *sysdb,
|
|
||||||
struct sysdb_dom_upgrade_ctx *upgrade_ctx,
|
|
||||||
@@ -856,56 +805,6 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
|
|
||||||
- switch (ret) {
|
|
||||||
- case ERR_SYSDB_VERSION_TOO_OLD:
|
|
||||||
- if (upgrade_ctx == NULL) {
|
|
||||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
- "DB version too old [%s], expected [%s] for domain %s!\n",
|
|
||||||
- version, SYSDB_VERSION, domain->name);
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = sysdb_ts_cache_upgrade(tmp_ctx, sysdb, ldb, domain, version,
|
|
||||||
- &version);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "Could not upgrade the timestamp ldb file (%d) (%s)\n",
|
|
||||||
- ret, sss_strerror(ret));
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* The version should now match SYSDB_VERSION.
|
|
||||||
- * If not, it means we didn't match any of the
|
|
||||||
- * known older versions. The DB might be
|
|
||||||
- * corrupt or generated by a newer version of
|
|
||||||
- * SSSD.
|
|
||||||
- */
|
|
||||||
- ret = sysdb_version_check(SYSDB_TS_VERSION, version);
|
|
||||||
- if (ret == EOK) {
|
|
||||||
- /* The cache has been upgraded.
|
|
||||||
- * We need to reopen the LDB to ensure that
|
|
||||||
- * any changes made above take effect.
|
|
||||||
- */
|
|
||||||
- ret = sysdb_ldb_reconnect(tmp_ctx,
|
|
||||||
- sysdb->ldb_ts_file,
|
|
||||||
- LDB_FLG_NOSYNC,
|
|
||||||
- &ldb);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "Could not reopen the timestamp ldb file (%d) (%s)\n",
|
|
||||||
- ret, sss_strerror(ret));
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- break;
|
|
||||||
- case ERR_SYSDB_VERSION_TOO_NEW:
|
|
||||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "DB version too new [%s], expected [%s] for domain %s!\n",
|
|
||||||
- version, SYSDB_TS_VERSION, domain->name);
|
|
||||||
- break;
|
|
||||||
- default:
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
"The timestamps cache could not be opened. "
|
|
||||||
@@ -925,7 +824,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
|
|
||||||
ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "Could not delete the timestamp ldb file (%d) (%s)\n",
|
|
||||||
+ "sysdb_ts_cache_connect() failed after cache deletion [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
|
|
||||||
index 8fb17c6bb..05142d972 100644
|
|
||||||
--- a/src/db/sysdb_upgrade.c
|
|
||||||
+++ b/src/db/sysdb_upgrade.c
|
|
||||||
@@ -2820,51 +2820,6 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
|
|
||||||
-{
|
|
||||||
- struct upgrade_ctx *ctx;
|
|
||||||
- errno_t ret;
|
|
||||||
- struct ldb_message *msg = NULL;
|
|
||||||
-
|
|
||||||
- ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_TS_VERSION_0_2, &ctx);
|
|
||||||
- if (ret) {
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Remove @IDXONE from index */
|
|
||||||
- talloc_free(msg);
|
|
||||||
- msg = ldb_msg_new(ctx);
|
|
||||||
- if (msg == NULL) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST");
|
|
||||||
- if (msg->dn == NULL) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = ldb_msg_add_empty(msg, "@IDXONE", LDB_FLAG_MOD_DELETE, NULL);
|
|
||||||
- if (ret != LDB_SUCCESS) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = ldb_modify(sysdb->ldb, msg);
|
|
||||||
- if (ret != LDB_SUCCESS) {
|
|
||||||
- ret = sysdb_error_to_errno(ret);
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* conversion done, update version number */
|
|
||||||
- ret = update_version(ctx);
|
|
||||||
-
|
|
||||||
-done:
|
|
||||||
- ret = finish_upgrade(ret, &ctx, ver);
|
|
||||||
- return ret;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* Example template for future upgrades.
|
|
||||||
* Copy and change version numbers as appropriate.
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
@ -1,146 +0,0 @@
|
|||||||
From f0d45464cee1d2a6a2719dbffe5bbf6189d0554a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Fri, 21 Jun 2024 19:09:29 +0200
|
|
||||||
Subject: [PATCH 3/3] SYSDB: remove index on `dataExpireTimestamp`
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This index was only used in cleanup tasks that don't run often.
|
|
||||||
On the other hand, this index is huge and degrades performance of libldb
|
|
||||||
in general.
|
|
||||||
|
|
||||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb_init.c | 8 ++++++++
|
|
||||||
src/db/sysdb_private.h | 9 +++++----
|
|
||||||
src/db/sysdb_upgrade.c | 27 +++++++++++++++++++++++++++
|
|
||||||
3 files changed, 40 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
|
||||||
index ecf16fd11..507a97f63 100644
|
|
||||||
--- a/src/db/sysdb_init.c
|
|
||||||
+++ b/src/db/sysdb_init.c
|
|
||||||
@@ -531,6 +531,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (strcmp(version, SYSDB_VERSION_0_24) == 0) {
|
|
||||||
+ ret = sysdb_upgrade_24(sysdb, &version);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = EOK;
|
|
||||||
done:
|
|
||||||
sysdb->ldb = save_ldb;
|
|
||||||
@@ -737,6 +744,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
|
|
||||||
ret = sysdb_domain_cache_upgrade(tmp_ctx, sysdb, upgrade_ctx,
|
|
||||||
ldb, domain, version, &version);
|
|
||||||
if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_domain_cache_upgrade() failed\n");
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
|
||||||
index 2d7d6f62d..32d3f1c7e 100644
|
|
||||||
--- a/src/db/sysdb_private.h
|
|
||||||
+++ b/src/db/sysdb_private.h
|
|
||||||
@@ -23,6 +23,7 @@
|
|
||||||
#ifndef __INT_SYS_DB_H__
|
|
||||||
#define __INT_SYS_DB_H__
|
|
||||||
|
|
||||||
+#define SYSDB_VERSION_0_25 "0.25"
|
|
||||||
#define SYSDB_VERSION_0_24 "0.24"
|
|
||||||
#define SYSDB_VERSION_0_23 "0.23"
|
|
||||||
#define SYSDB_VERSION_0_22 "0.22"
|
|
||||||
@@ -48,7 +49,7 @@
|
|
||||||
#define SYSDB_VERSION_0_2 "0.2"
|
|
||||||
#define SYSDB_VERSION_0_1 "0.1"
|
|
||||||
|
|
||||||
-#define SYSDB_VERSION SYSDB_VERSION_0_24
|
|
||||||
+#define SYSDB_VERSION SYSDB_VERSION_0_25
|
|
||||||
|
|
||||||
#define SYSDB_BASE_LDIF \
|
|
||||||
"dn: @ATTRIBUTES\n" \
|
|
||||||
@@ -73,7 +74,6 @@
|
|
||||||
"@IDXATTR: uidNumber\n" \
|
|
||||||
"@IDXATTR: gidNumber\n" \
|
|
||||||
"@IDXATTR: lastUpdate\n" \
|
|
||||||
- "@IDXATTR: dataExpireTimestamp\n" \
|
|
||||||
"@IDXATTR: originalDN\n" \
|
|
||||||
"@IDXATTR: nameAlias\n" \
|
|
||||||
"@IDXATTR: servicePort\n" \
|
|
||||||
@@ -106,10 +106,11 @@
|
|
||||||
"\n"
|
|
||||||
|
|
||||||
/* The timestamp cache has its own versioning */
|
|
||||||
+#define SYSDB_TS_VERSION_0_3 "0.3"
|
|
||||||
#define SYSDB_TS_VERSION_0_2 "0.2"
|
|
||||||
#define SYSDB_TS_VERSION_0_1 "0.1"
|
|
||||||
|
|
||||||
-#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_2
|
|
||||||
+#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_3
|
|
||||||
|
|
||||||
#define SYSDB_TS_BASE_LDIF \
|
|
||||||
"dn: @ATTRIBUTES\n" \
|
|
||||||
@@ -117,7 +118,6 @@
|
|
||||||
"\n" \
|
|
||||||
"dn: @INDEXLIST\n" \
|
|
||||||
"@IDXATTR: lastUpdate\n" \
|
|
||||||
- "@IDXATTR: dataExpireTimestamp\n" \
|
|
||||||
"\n" \
|
|
||||||
"dn: cn=sysdb\n" \
|
|
||||||
"cn: sysdb\n" \
|
|
||||||
@@ -196,6 +196,7 @@ int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
|
|
||||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
|
|
||||||
index 05142d972..c0c8e13ee 100644
|
|
||||||
--- a/src/db/sysdb_upgrade.c
|
|
||||||
+++ b/src/db/sysdb_upgrade.c
|
|
||||||
@@ -2820,6 +2820,33 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver)
|
|
||||||
+{
|
|
||||||
+ struct upgrade_ctx *ctx;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_25, &ctx);
|
|
||||||
+ if (ret) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_ldb_mod_index(sysdb, SYSDB_IDX_DELETE, sysdb->ldb, "dataExpireTimestamp");
|
|
||||||
+ if (ret == ENOENT) { /*nothing to delete */
|
|
||||||
+ ret = EOK;
|
|
||||||
+ }
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_ldb_mod_index() failed [%d]: %s\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = update_version(ctx);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ ret = finish_upgrade(ret, &ctx, ver);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Example template for future upgrades.
|
|
||||||
* Copy and change version numbers as appropriate.
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
@ -1,70 +0,0 @@
|
|||||||
From a7d0bbeb5a8a41e80fec91d7d38b5dcb35eebe8f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Tue, 23 Jul 2024 18:07:09 +0200
|
|
||||||
Subject: [PATCH] SPEC: merge 'sssd-polkit-rules' into 'sssd-common'
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
'p11_child' runs under non-privileged user and thus requires
|
|
||||||
polkit-rules by default.
|
|
||||||
|
|
||||||
Reviewed-by: Scott Poore <spoore@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
|
||||||
---
|
|
||||||
contrib/sssd.spec.in | 20 ++++----------------
|
|
||||||
1 file changed, 4 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
|
||||||
index c65be0d27..4edabce56 100644
|
|
||||||
--- a/contrib/sssd.spec.in
|
|
||||||
+++ b/contrib/sssd.spec.in
|
|
||||||
@@ -210,6 +210,9 @@ License: GPL-3.0-or-later
|
|
||||||
Obsoletes: libsss_simpleifp < 2.9.0
|
|
||||||
Obsoletes: libsss_simpleifp-debuginfo < 2.9.0
|
|
||||||
%endif
|
|
||||||
+%if %{use_sssd_user}
|
|
||||||
+Obsoletes: sssd-polkit-rules < 2.10.0
|
|
||||||
+%endif
|
|
||||||
# Requires
|
|
||||||
# due to ABI changes in 1.1.30/1.2.0
|
|
||||||
Requires: libldb >= %{ldb_version}
|
|
||||||
@@ -470,19 +473,6 @@ Requires: sssd-common = %{version}-%{release}
|
|
||||||
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
|
|
||||||
the information from the SSSD to be transmitted over the system bus.
|
|
||||||
|
|
||||||
-%if %{use_sssd_user}
|
|
||||||
-%package polkit-rules
|
|
||||||
-Summary: Rules for polkit integration for SSSD
|
|
||||||
-Group: Applications/System
|
|
||||||
-License: GPL-3.0-or-later
|
|
||||||
-Requires: polkit >= 0.106
|
|
||||||
-Requires: sssd-common = %{version}-%{release}
|
|
||||||
-
|
|
||||||
-%description polkit-rules
|
|
||||||
-Provides rules for polkit integration with SSSD. This is required
|
|
||||||
-for smartcard support.
|
|
||||||
-%endif
|
|
||||||
-
|
|
||||||
%if 0%{?rhel} == 9
|
|
||||||
%package -n libsss_simpleifp
|
|
||||||
Summary: The SSSD D-Bus responder helper library
|
|
||||||
@@ -885,13 +875,11 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
|
|
||||||
%if %{use_sysusers}
|
|
||||||
%{_sysusersdir}/sssd.conf
|
|
||||||
%endif
|
|
||||||
-
|
|
||||||
-
|
|
||||||
%if %{use_sssd_user}
|
|
||||||
-%files polkit-rules
|
|
||||||
%{_datadir}/polkit-1/rules.d/*
|
|
||||||
%endif
|
|
||||||
|
|
||||||
+
|
|
||||||
%files ldap -f sssd_ldap.lang
|
|
||||||
%license COPYING
|
|
||||||
%{_libdir}/%{name}/libsss_ldap.so
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (sssd-2.10.0.tar.gz) = d237ff135fb21bcd1040787d6dfe8fa383290fbae1f15c6917284beb38dd95ecf6418335302e26be40c65e44e8b44135499eec0b98119ea53a38098ac0bc1e2c
|
SHA512 (sssd-2.10.1.tar.gz) = 001ff9cd60aa510ead11e418a1b96714136cc270b29551027cb12c340744890b358da5900a10863d4df649ad073f14f6f26c28e3f973b1cd5c2ab61f2a2a045b
|
||||||
|
43
sssd.spec
43
sssd.spec
@ -16,9 +16,6 @@
|
|||||||
%global use_sysusers 0
|
%global use_sysusers 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Capabilities of privileged child helpers (required even if SSSD runs under root)
|
|
||||||
%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
|
|
||||||
|
|
||||||
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
|
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
|
||||||
%global build_subid 1
|
%global build_subid 1
|
||||||
%else
|
%else
|
||||||
@ -59,16 +56,16 @@
|
|||||||
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
|
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.10.0
|
Version: 2.10.1
|
||||||
Release: 3%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPL-3.0-or-later
|
License: GPL-3.0-or-later
|
||||||
URL: https://github.com/SSSD/sssd/
|
URL: https://github.com/SSSD/sssd/
|
||||||
Source0: https://github.com/SSSD/sssd/releases/download/2.10.0/sssd-2.10.0.tar.gz
|
Source0: https://github.com/SSSD/sssd/releases/download/2.10.1/sssd-2.10.1.tar.gz
|
||||||
Source1: sssd.sysusers
|
Source1: sssd.sysusers
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
Patch0001: 0001-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
|
# Patch0001:
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
|
|
||||||
@ -142,10 +139,10 @@ BuildRequires: m4
|
|||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: nss_wrapper
|
BuildRequires: nss_wrapper
|
||||||
BuildRequires: openldap-devel
|
BuildRequires: openldap-devel
|
||||||
BuildRequires: openssh
|
|
||||||
# required for p11_child smartcard tests
|
# required for p11_child smartcard tests
|
||||||
BuildRequires: openssl
|
BuildRequires: openssh
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl >= 1.0.1
|
||||||
|
BuildRequires: openssl-devel >= 1.0.1
|
||||||
BuildRequires: p11-kit-devel
|
BuildRequires: p11-kit-devel
|
||||||
BuildRequires: pam_wrapper
|
BuildRequires: pam_wrapper
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
@ -163,6 +160,7 @@ BuildRequires: softhsm >= 2.1.0
|
|||||||
BuildRequires: bc
|
BuildRequires: bc
|
||||||
BuildRequires: systemd-devel
|
BuildRequires: systemd-devel
|
||||||
BuildRequires: systemtap-sdt-devel
|
BuildRequires: systemtap-sdt-devel
|
||||||
|
BuildRequires: systemtap-sdt-dtrace
|
||||||
BuildRequires: uid_wrapper
|
BuildRequires: uid_wrapper
|
||||||
BuildRequires: po4a
|
BuildRequires: po4a
|
||||||
BuildRequires: valgrind-devel
|
BuildRequires: valgrind-devel
|
||||||
@ -532,7 +530,7 @@ enable authentication with passkey token.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -n sssd-2.10.0 -p1
|
%autosetup -n sssd-2.10.1 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
@ -766,7 +764,6 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
|
|||||||
%{_libdir}/%{name}/libsss_krb5_common.so
|
%{_libdir}/%{name}/libsss_krb5_common.so
|
||||||
%{_libdir}/%{name}/libsss_ldap_common.so
|
%{_libdir}/%{name}/libsss_ldap_common.so
|
||||||
%{_libdir}/%{name}/libsss_util.so
|
%{_libdir}/%{name}/libsss_util.so
|
||||||
%{_libdir}/%{name}/libsss_semanage.so
|
|
||||||
%{_libdir}/%{name}/libifp_iface.so
|
%{_libdir}/%{name}/libifp_iface.so
|
||||||
%{_libdir}/%{name}/libifp_iface_sync.so
|
%{_libdir}/%{name}/libifp_iface_sync.so
|
||||||
%{_libdir}/%{name}/libsss_iface.so
|
%{_libdir}/%{name}/libsss_iface.so
|
||||||
@ -844,8 +841,8 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
|
|||||||
%files krb5-common
|
%files krb5-common
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
|
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
|
||||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/ldap_child
|
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/ldap_child
|
||||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/krb5_child
|
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search,cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/krb5_child
|
||||||
|
|
||||||
%files krb5 -f sssd_krb5.lang
|
%files krb5 -f sssd_krb5.lang
|
||||||
%license COPYING
|
%license COPYING
|
||||||
@ -863,7 +860,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
|
|||||||
%license COPYING
|
%license COPYING
|
||||||
%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
|
%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
|
||||||
%{_libdir}/%{name}/libsss_ipa.so
|
%{_libdir}/%{name}/libsss_ipa.so
|
||||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/selinux_child
|
%attr(0750,root,%{sssd_user}) %caps(cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/selinux_child
|
||||||
%{_mandir}/man5/sssd-ipa.5*
|
%{_mandir}/man5/sssd-ipa.5*
|
||||||
|
|
||||||
%files ad -f sssd_ad.lang
|
%files ad -f sssd_ad.lang
|
||||||
@ -1052,12 +1049,12 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
|
|||||||
%__rm -f %{mcpath}/group
|
%__rm -f %{mcpath}/group
|
||||||
%__rm -f %{mcpath}/initgroups
|
%__rm -f %{mcpath}/initgroups
|
||||||
%__rm -f %{mcpath}/sid
|
%__rm -f %{mcpath}/sid
|
||||||
|
%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
|
||||||
|
%__chmod -f -R g+r %{_sysconfdir}/sssd || true
|
||||||
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
|
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
|
||||||
%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
|
|
||||||
%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
|
|
||||||
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
|
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
|
||||||
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
|
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
|
||||||
%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
|
%__chown -f -R %{sssd_user}:%{sssd_user} %{gpocachepath} || true
|
||||||
|
|
||||||
%preun common
|
%preun common
|
||||||
%systemd_preun sssd.service
|
%systemd_preun sssd.service
|
||||||
@ -1119,6 +1116,16 @@ fi
|
|||||||
%systemd_postun_with_restart sssd.service
|
%systemd_postun_with_restart sssd.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 10 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.1-1
|
||||||
|
- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0
|
||||||
|
- Resolves: RHEL-4984 - Mismatch between input and parsed domain name when default_domain_suffix is set.
|
||||||
|
- Resolves: RHEL-65848 - sssd password authentication broken in sssd-2.10.0~beta2-2 and later
|
||||||
|
- Resolves: RHEL-67669 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option
|
||||||
|
- Resolves: RHEL-68421 - sssd ldap_child process segfaults when krb5.conf is invalid [rhel-10]
|
||||||
|
- Resolves: RHEL-66935 - Avoid log flooding in case an app keeps making invalid `getservbyport(0, ...)` request
|
||||||
|
- Resolves: RHEL-65736 - ipa: sudo commands doesn't check threshold correctly
|
||||||
|
- Resolves: RHEL-68319 - Please deprecate/remove ad_allow_remote_domain_local_groups
|
||||||
|
|
||||||
* Mon Oct 21 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.0-3
|
* Mon Oct 21 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.0-3
|
||||||
- Related: RHEL-59777 - Rebase Samba to the latest 4.21.x release
|
- Related: RHEL-59777 - Rebase Samba to the latest 4.21.x release
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user