Resolves: RHEL-40253 - Rebase SSSD for RHEL 10-beta

Resolves: RHEL-29303 - Issue discovered by static analyzer.
Resolves: RHEL-11181 - sssd[4022110]: gencache_init: Failed to create directory: //.cache/samba - Permission denied
Resolves: RHEL-4986 - [RFE] sssd use systemd-sysusers
Resolves: RHEL-4974 - sssd status shows error "krb5_kt_start_seq_get failed: Permission denied" when running as unprivileged user 'sssd'
Alexey Tikhonov 2024-06-06 17:38:58 +02:00
parent b6d596256b
commit fbb9958c33
7 changed files with 132 additions and 365 deletions

2
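--- a/.gitignore
+++ b/.gitignore
@@ -110,3 +110,5 @@ sssd-1.2.91.tar.gz
 /sssd-2.9.2.tar.gz
 /sssd-2.9.3.tar.gz
 /sssd-2.9.4.tar.gz
+/sssd-2.10.0~beta1.tar.gz
+/sssd-2.10.0-beta1.tar.gz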


@ -1,244 +0,0 @@
From b42cc3d2bf4ea1751cacb63e53536c8ad1782632 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 23 Jun 2023 16:33:09 +0200
Subject: [PATCH] ENUMERATION: conditional build of enumeration support for
providers other than LDAP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
:relnote:Support of 'enumeration' feature (i.e. ability to list all
users/groups using 'getent passwd/group' without argument) for AD/IPA
providers is deprecated and might be removed in further releases.
Those who are interested to keep using it awhile should configure
its build explicitly using '--with-extended-enumeration-support'
./configure option.
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 9240bca7dcc28371ae5dce31c01e85d28409cd04)
---
configure.ac | 1 +
src/conf_macros.m4 | 17 +++++++++++++++++
src/confdb/confdb.c | 23 ++++++++++++++++++-----
src/db/sysdb_subdomains.c | 4 ++++
src/man/Makefile.am | 7 ++++++-
src/man/sssd-ldap.5.xml | 4 ++--
src/man/sssd.conf.5.xml | 14 +++++++++-----
7 files changed, 57 insertions(+), 13 deletions(-)
diff --git a/configure.ac b/configure.ac
index 470c04949..adb2c5447 100644
--- a/configure.ac
+++ b/configure.ac
@@ -185,6 +185,7 @@ WITH_SUDO
WITH_SUDO_LIB_PATH
WITH_AUTOFS
WITH_FILES_PROVIDER
+WITH_EXTENDED_ENUMERATION_SUPPORT
WITH_SUBID
WITH_SUBID_LIB_PATH
WITH_PASSKEY
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index cb97eeb78..5ef257908 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -651,6 +651,23 @@ AC_DEFUN([WITH_FILES_PROVIDER],
AM_CONDITIONAL([BUILD_FILES_PROVIDER], [test x"$with_files_provider" = xyes])
])
+AC_DEFUN([WITH_EXTENDED_ENUMERATION_SUPPORT],
+ [ AC_ARG_WITH([extended-enumeration-support],
+ [AC_HELP_STRING([--with-extended-enumeration-support],
+ [Whether to build enumeration support for
+ IPA and AD providers [no].]
+ )
+ ],
+ [with_extended_enumeration_support=$withval],
+ with_extended_enumeration_support=no
+ )
+
+ if test x"$with_extended_enumeration_support" = xyes; then
+ AC_DEFINE(BUILD_EXTENDED_ENUMERATION_SUPPORT, 1, [Whether to build extended enumeration support])
+ fi
+ AM_CONDITIONAL([BUILD_EXTENDED_ENUMERATION_SUPPORT], [test x"$with_extended_enumeration_support" = xyes])
+ ])
+
AC_DEFUN([WITH_SUBID],
[ AC_ARG_WITH([subid],
[AC_HELP_STRING([--with-subid],
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index a7344e166..1760ea6b5 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1068,6 +1068,9 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma
errno_t ret;
const char *tmp, *tmp_pam_target, *tmp_auth;
+#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT
+ if (domain->provider != NULL && strcasecmp(domain->provider, "ldap") == 0) {
+#endif
/* TEMP: test if the old bitfield conf value is used and warn it has been
* superseded. */
val = ldb_msg_find_attr_as_int(res->msgs[0], CONFDB_DOMAIN_ENUMERATE, 0);
@@ -1086,6 +1089,11 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma
goto done;
}
}
+#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT
+ } else {
+ domain->enumerate = false;
+ }
+#endif
if (is_files_provider(domain)) {
/* The password field must be reported as 'x', else pam_unix won't
@@ -1122,11 +1130,7 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma
}
if (!domain->enumerate) {
- DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name);
- DEBUG(SSSDBG_TRACE_FUNC,
- "Please note that when enumeration is disabled `getent "
- "passwd` does not return all users by design. See "
- "sssd.conf man page for more detailed information\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]\n", domain->name);
}
ret = EOK;
@@ -1537,6 +1541,7 @@ static errno_t confdb_init_domain_subdomains(struct sss_domain_info *domain,
errno_t ret;
const char *tmp;
+#ifdef BUILD_EXTENDED_ENUMERATION_SUPPORT
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
CONFDB_SUBDOMAIN_ENUMERATE,
CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE);
@@ -1549,6 +1554,14 @@ static errno_t confdb_init_domain_subdomains(struct sss_domain_info *domain,
goto done;
}
}
+#else
+ ret = split_on_separator(domain, "none", ',', true, true,
+ &domain->sd_enumerate, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Cannot set 'sd_enumerate'\n");
+ goto done;
+ }
+#endif
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
CONFDB_DOMAIN_SUBDOMAIN_INHERIT,
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 61cf48c31..149e9a161 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -494,8 +494,12 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
}
mpg_mode = str_to_domain_mpg_mode(str_mpg_mode);
+#ifdef BUILD_EXTENDED_ENUMERATION_SUPPORT
enumerate = ldb_msg_find_attr_as_bool(res->msgs[i],
SYSDB_SUBDOMAIN_ENUM, false);
+#else
+ enumerate = false;
+#endif
forest = ldb_msg_find_attr_as_string(res->msgs[i],
SYSDB_SUBDOMAIN_FOREST, NULL);
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 1e51aebfd..77b08e84c 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -55,12 +55,17 @@ FILES_PROVIDER_CONDS = ;with_files_provider
else
FILES_PROVIDER_CONDS = ;without_files_provider
endif
+if BUILD_EXTENDED_ENUMERATION_SUPPORT
+ENUM_CONDS = ;with_ext_enumeration
+else
+ENUM_CONDS = ;without_ext_enumeration
+endif
if SSSD_NON_ROOT_USER
SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS)
#Special Rules:
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 0a814ec35..ccf284abb 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -323,7 +323,7 @@
before refreshing its cache of enumerated
records.
</para>
- <para>
+ <para condition="with_ext_enumeration">
This option can be also set per subdomain or
inherited via
<emphasis>subdomain_inherit</emphasis>.
@@ -486,7 +486,7 @@
cached results are returned (and offline mode is
entered)
</para>
- <para>
+ <para condition="with_ext_enumeration">
This option can be also set per subdomain or
inherited via
<emphasis>subdomain_inherit</emphasis>.
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e7a8cbd9a..7276d233f 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2673,8 +2673,12 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
and store ALL user and group entries from the
remote server.
</para>
+ <para condition="without_ext_enumeration">
+ Feature is only supported for domains with
+ id_provider = ldap.
+ </para>
<para>
- Note: Enabling enumeration has a moderate
+ Note: Enabling enumeration has a severe
performance impact on SSSD while enumeration
is running. It may take up to several minutes
after SSSD startup to fully complete enumerations.
@@ -2709,7 +2713,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
</listitem>
</varlistentry>
- <varlistentry>
+ <varlistentry condition="with_ext_enumeration">
<term>subdomain_enumerate (string)</term>
<listitem>
<para>
@@ -3857,10 +3861,10 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
<para>
ldap_offline_timeout
</para>
- <para>
+ <para condition="with_ext_enumeration">
ldap_enumeration_refresh_timeout
</para>
- <para>
+ <para condition="with_ext_enumeration">
ldap_enumeration_refresh_offset
</para>
<para>
@@ -3876,7 +3880,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
<para>
ldap_krb5_ticket_lifetime
</para>
- <para>
+ <para condition="with_ext_enumeration">
ldap_enumeration_search_timeout
</para>
<para>
--
2.41.0


@ -1,25 +0,0 @@
From 6b0cbea2f643269c5af6333b59979de9c0ad6ce5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 31 Jan 2024 10:42:40 +0100
Subject: [PATCH] Fix the build with Samba 4.20
Guenther
---
src/external/samba.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/external/samba.m4 b/src/external/samba.m4
index 49c6db8d2..5ab0e7527 100644
--- a/src/external/samba.m4
+++ b/src/external/samba.m4
@@ -58,7 +58,7 @@ with argument --without-samba
SAVE_CFLAGS=$CFLAGS
SAVE_LIBS=$LIBS
CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS"
- LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}"
+ LIBS="$LIBS -L${sambalibdir} -lidmap-private-samba -Wl,-rpath ${sambalibdir}"
AC_RUN_IFELSE(
[AC_LANG_SOURCE([
#include <stdlib.h>
--
2.43.0


@ -1,48 +0,0 @@
From 32b72c7c3303edb2bf55ae9a22e8db7855f3d7d1 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Wed, 24 Jan 2024 23:03:04 +0100
Subject: [PATCH] tests: Drop -extensions from openssl command if there is no
-x509
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The 'openssl req' ignores the '-extensions' option without '-x509'.
OpenSSL versions prior 3.2 simply ignored it. Starting with version 3.2
an error is generated:
| /usr/bin/openssl req -batch -config
| ../../../../../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.config
| -new -nodes -key
| …/build/../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem
-sha256 -extensions v3_ca -out SSSD_test_intermediate_CA_req.pem
| Error adding request extensions from section v3_ca
| 003163BAB27F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156:
| 003163BAB27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always
|
Remove the '-extensions' option.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/tests/test_CA/intermediate_CA/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/test_CA/intermediate_CA/Makefile.am b/src/tests/test_CA/intermediate_CA/Makefile.am
index b439f82cb03e5c99006b948c9eba2ba26ef4206c..50fcddb8d22213400f7ee31c6ba1eb7b8ccd14cd 100644
--- a/src/tests/test_CA/intermediate_CA/Makefile.am
+++ b/src/tests/test_CA/intermediate_CA/Makefile.am
@@ -33,7 +33,7 @@ SSSD_test_CA.pem:
ln -s $(builddir)/../$@
SSSD_test_intermediate_CA_req.pem: $(openssl_intermediate_ca_key) $(openssl_intermediate_ca_config) SSSD_test_CA.pem
- $(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -extensions v3_ca -out $@
+ $(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -out $@
SSSD_test_intermediate_CA.pem: SSSD_test_intermediate_CA_req.pem $(openssl_root_ca_config) $(openssl_root_ca_key)
cd .. && $(OPENSSL) ca -config ${openssl_root_ca_config} -batch -notext -keyfile $(openssl_root_ca_key) -in $(abs_builddir)/$< -days 200 -extensions v3_intermediate_ca -out $(abs_builddir)/$@
--
2.43.2


@ -1 +1 @@
SHA512 (sssd-2.9.4.tar.gz) = 9546cf074628f32137b16ca0c763988785271124244b645d1e786762e8578f10d983793a29bffcc004b064452fe8d465476a3041688d2f3c11c2751fb5bec3e2 SHA512 (sssd-2.10.0-beta1.tar.gz) = f643872c36b22f14eab9e8d8495d8720499a5710e45c117e71aa59ac75593767725b6c63295f37a784c1f3206cf3aef68d12b0292a5db60ca81a3aa5191dbea4

175
sssd.spec

@ -1,19 +1,24 @@
# SSSD SPEC file for Fedora 34+ and RHEL-9+ # SSSD SPEC file for Fedora 34+ and RHEL-9+
# define SSSD user # define SSSD user
%if 0%{?rhel} %if 0%{?fedora} >= 41 || 0%{?rhel}
%global use_sssd_user 1
%global sssd_user sssd %global sssd_user sssd
%else %else
%global use_sssd_user 0
%global sssd_user root %global sssd_user root
%endif %endif
# Set setuid bit on child helpers if we support non-root user. # sysusers depends on presence of sssd user
%if "%{sssd_user}" == "root" %if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global child_attrs 0750 %global use_sysusers 1
%else %else
%global child_attrs 4750 %global use_sysusers 0
%endif %endif
# Capabilities of privileged child helpers (required even if SSSD runs under root)
%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
%global build_subid 1 %global build_subid 1
%else %else
@ -30,6 +35,18 @@
%global build_kcm_renewals 0 %global build_kcm_renewals 0
%endif %endif
%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9
%global build_passkey 1
%else
%global build_passkey 0
%endif
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global build_ssh_known_hosts_proxy 0
%else
%global build_ssh_known_hosts_proxy 1
%endif
# we don't want to provide private python extension libs # we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$ %define __provides_exclude_from %{python3_sitearch}/.*\.so$
@ -42,17 +59,16 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
Name: sssd Name: sssd
Version: 2.9.4 Version: 2.10.0~beta1
Release: 6%{?dist} # Using '.el10' directly is a work around RHEL-38900
Release: 1.el10
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPL-3.0-or-later License: GPL-3.0-or-later
URL: https://github.com/SSSD/sssd/ URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/2.9.4/sssd-2.9.4.tar.gz Source0: https://github.com/SSSD/sssd/releases/download/2.10.0-beta1/sssd-2.10.0-beta1.tar.gz
Source1: sssd.sysusers
### Patches ### ### Patches ###
Patch0001: 0001-ENUMERATION-conditional-build-of-enumeration-support.patch
Patch0002: 0002-Fix-the-build-with-Samba-4.20.patch
Patch0003: 0003-tests-Drop-extensions-from-openssl-command-if-there-.patch
### Dependencies ### ### Dependencies ###
@ -78,7 +94,6 @@ Suggests: sssd-dbus = %{version}-%{release}
%global secdbpath %{sssdstatedir}/secrets %global secdbpath %{sssdstatedir}/secrets
%global deskprofilepath %{sssdstatedir}/deskprofile %global deskprofilepath %{sssdstatedir}/deskprofile
### Build Dependencies ### ### Build Dependencies ###
BuildRequires: autoconf BuildRequires: autoconf
@ -97,14 +112,17 @@ BuildRequires: gettext-devel
# required for p11_child smartcard tests # required for p11_child smartcard tests
BuildRequires: gnutls-utils BuildRequires: gnutls-utils
BuildRequires: jansson-devel BuildRequires: jansson-devel
BuildRequires: libcap-devel
BuildRequires: libcurl-devel BuildRequires: libcurl-devel
BuildRequires: libjose-devel BuildRequires: libjose-devel
BuildRequires: keyutils-libs-devel BuildRequires: keyutils-libs-devel
BuildRequires: krb5-devel BuildRequires: krb5-devel
BuildRequires: libcmocka-devel >= 1.0.0 BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libdhash-devel >= 0.4.2 BuildRequires: libdhash-devel >= 0.4.2
%if %{build_passkey}
BuildRequires: libfido2-devel BuildRequires: libfido2-devel
BuildRequires: libini_config-devel >= 1.1 %endif
BuildRequires: libini_config-devel >= 1.3
BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libnfsidmap-devel BuildRequires: libnfsidmap-devel
BuildRequires: libnl3-devel BuildRequires: libnl3-devel
@ -135,7 +153,7 @@ BuildRequires: pcre2-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: popt-devel BuildRequires: popt-devel
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: (python3-setuptools if python3 >= 3.12) BuildRequires: python3-setuptools
BuildRequires: samba-devel BuildRequires: samba-devel
# required for idmap_sss.so # required for idmap_sss.so
BuildRequires: samba-winbind BuildRequires: samba-winbind
@ -147,12 +165,17 @@ BuildRequires: systemd-devel
BuildRequires: systemtap-sdt-devel BuildRequires: systemtap-sdt-devel
BuildRequires: uid_wrapper BuildRequires: uid_wrapper
BuildRequires: po4a BuildRequires: po4a
BuildRequires: valgrind-devel
%if %{build_subid} %if %{build_subid}
BuildRequires: shadow-utils-subid-devel BuildRequires: shadow-utils-subid-devel
%endif %endif
%if %{build_kcm_renewals} %if %{build_kcm_renewals}
BuildRequires: krb5-libs >= %{krb5_version} BuildRequires: krb5-libs >= %{krb5_version}
%endif %endif
%if %{use_sysusers} || %{build_passkey}
BuildRequires: systemd-rpm-macros
%{?sysusers_requires_compat}
%endif
%description %description
Provides a set of daemons to manage access to remote directories and Provides a set of daemons to manage access to remote directories and
@ -180,7 +203,9 @@ Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap) Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
Requires: libsss_idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release}
%if 0%{?rhel} Requires(post): coreutils
Requires(postun): coreutils
%if %{use_sssd_user}
Requires(pre): shadow-utils Requires(pre): shadow-utils
%endif %endif
%{?systemd_requires} %{?systemd_requires}
@ -429,7 +454,7 @@ Requires: sssd-common = %{version}-%{release}
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
the information from the SSSD to be transmitted over the system bus. the information from the SSSD to be transmitted over the system bus.
%if 0%{?rhel} %if %{use_sssd_user}
%package polkit-rules %package polkit-rules
Summary: Rules for polkit integration for SSSD Summary: Rules for polkit integration for SSSD
Group: Applications/System Group: Applications/System
@ -485,6 +510,7 @@ License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release} Requires: sssd-common = %{version}-%{release}
%if %{build_kcm_renewals} %if %{build_kcm_renewals}
Requires: krb5-libs >= %{krb5_version} Requires: krb5-libs >= %{krb5_version}
Requires: sssd-krb5-common = %{version}-%{release}
%endif %endif
%{?systemd_requires} %{?systemd_requires}
@ -502,24 +528,30 @@ This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided. program to handle the OAuth 2.0 Device Authorization Grant is provided.
%if %{build_passkey}
%package passkey %package passkey
Summary: SSSD helpers and plugins needed for authentication with passkey token Summary: SSSD helpers and plugins needed for authentication with passkey token
License: GPL-3.0-or-later License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release} Requires: sssd-common = %{version}-%{release}
Requires: libfido2 Requires: libfido2
%if "%{sssd_user}" != "root"
Requires: acl
%endif
%description passkey %description passkey
This package provides helper processes and Kerberos plugins that are required to This package provides helper processes and Kerberos plugins that are required to
enable authentication with passkey token. enable authentication with passkey token.
%endif
%prep %prep
%autosetup -p1 %autosetup -n sssd-2.10.0-beta1 -p1
%build %build
autoreconf -ivf autoreconf -ivf
%configure \ %configure \
--runstatedir=%{_rundir} \
--disable-rpath \ --disable-rpath \
--disable-static \ --disable-static \
--enable-gss-spnego-for-zero-maxssf \ --enable-gss-spnego-for-zero-maxssf \
@ -534,7 +566,6 @@ autoreconf -ivf
--with-initscript=systemd \ --with-initscript=systemd \
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
--with-mcache-path=%{mcpath} \ --with-mcache-path=%{mcpath} \
--with-pid-path=%{_rundir} \
--with-pipe-path=%{pipepath} \ --with-pipe-path=%{pipepath} \
--with-pubconf-path=%{pubconfpath} \ --with-pubconf-path=%{pubconfpath} \
--with-sssd-user=%{sssd_user} \ --with-sssd-user=%{sssd_user} \
@ -543,10 +574,15 @@ autoreconf -ivf
%if %{build_subid} %if %{build_subid}
--with-subid \ --with-subid \
%endif %endif
%if 0%{?fedora} %if ! %{use_sssd_user}
--disable-polkit-rules-path \ --disable-polkit-rules-path \
%endif %endif
%if %{build_passkey}
--with-passkey \ --with-passkey \
%endif
%if %{build_ssh_known_hosts_proxy}
--with-ssh-known-hosts-proxy \
%endif
%{nil} %{nil}
%make_build all docs runstatedir=%{_rundir} %make_build all docs runstatedir=%{_rundir}
@ -584,8 +620,13 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
# Enable krb5 passkey plugins by default (when sssd-passkey package is installed) # Enable krb5 passkey plugins by default (when sssd-passkey package is installed)
%if %{build_passkey}
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%if "%{sssd_user}" != "root"
install -D -p -m 0644 contrib/90-sssd-token-access.rules %{buildroot}%{_udevrulesdir}/90-sssd-token-access.rules
%endif
%endif
# krb5 configuration snippet # krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
@ -595,6 +636,9 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
# Otherwise this directory could not be owned by sssd-client # Otherwise this directory could not be owned by sssd-client
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
# tmpfiles.d config
install -D -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
# Remove .la files created by libtool # Remove .la files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
@ -689,6 +733,10 @@ do
cat $subpackage.lang cat $subpackage.lang
done done
%if %{use_sysusers}
install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%endif
%files %files
%license COPYING %license COPYING
@ -704,13 +752,14 @@ done
%{_unitdir}/sssd-pac.socket %{_unitdir}/sssd-pac.socket
%{_unitdir}/sssd-pac.service %{_unitdir}/sssd-pac.service
%{_unitdir}/sssd-pam.socket %{_unitdir}/sssd-pam.socket
%{_unitdir}/sssd-pam-priv.socket
%{_unitdir}/sssd-pam.service %{_unitdir}/sssd-pam.service
%{_unitdir}/sssd-ssh.socket %{_unitdir}/sssd-ssh.socket
%{_unitdir}/sssd-ssh.service %{_unitdir}/sssd-ssh.service
%{_unitdir}/sssd-sudo.socket %{_unitdir}/sssd-sudo.socket
%{_unitdir}/sssd-sudo.service %{_unitdir}/sssd-sudo.service
%{_tmpfilesdir}/%{name}.conf
%dir %{_libexecdir}/%{servicename} %dir %{_libexecdir}/%{servicename}
%{_libexecdir}/%{servicename}/sssd_be %{_libexecdir}/%{servicename}/sssd_be
%{_libexecdir}/%{servicename}/sssd_nss %{_libexecdir}/%{servicename}/sssd_nss
@ -742,40 +791,42 @@ done
%{ldb_modulesdir}/memberof.so %{ldb_modulesdir}/memberof.so
%{_bindir}/sss_ssh_authorizedkeys %{_bindir}/sss_ssh_authorizedkeys
%{_bindir}/sss_ssh_knownhosts
%{_bindir}/sss_ssh_knownhostsproxy %{_bindir}/sss_ssh_knownhostsproxy
%{_sbindir}/sss_cache %{_sbindir}/sss_cache
%{_libexecdir}/%{servicename}/sss_signal %{_libexecdir}/%{servicename}/sss_signal
%dir %{sssdstatedir} %attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
%dir %{_localstatedir}/cache/krb5rcache %dir %{_localstatedir}/cache/krb5rcache
%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath} %attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath} %attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
%attr(700,root,root) %dir %{secdbpath} %attr(770,%{sssd_user},%{sssd_user}) %dir %{secdbpath}
%attr(751,root,root) %dir %{deskprofilepath} %attr(771,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath}
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd %attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group %attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups %attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath} %attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
%attr(750,%{sssd_user},root) %dir %{pipepath}/private %attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath} %attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath} %attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name} %attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd %ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d %dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%dir %{_sysconfdir}/rwtab.d %dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd %dir %{_datadir}/sssd
%attr(775,%{sssd_user},%{sssd_user}) %dir %{_rundir}/sssd
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils %config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
%dir %{_libdir}/%{name}/conf %dir %{_libdir}/%{name}/conf
%{_libdir}/%{name}/conf/sssd.conf %{_libdir}/%{name}/conf/sssd.conf
%{_datadir}/sssd/cfg_rules.ini %{_datadir}/sssd/cfg_rules.ini
%{_mandir}/man1/sss_ssh_authorizedkeys.1* %{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhosts.1*
%if %{build_ssh_known_hosts_proxy}
%{_mandir}/man1/sss_ssh_knownhostsproxy.1* %{_mandir}/man1/sss_ssh_knownhostsproxy.1*
%endif
%{_mandir}/man5/sssd.conf.5* %{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-simple.5* %{_mandir}/man5/sssd-simple.5*
%{_mandir}/man5/sssd-sudo.5* %{_mandir}/man5/sssd-sudo.5*
@ -792,8 +843,12 @@ done
%{_datadir}/systemtap/tapset/sssd.stp %{_datadir}/systemtap/tapset/sssd.stp
%{_datadir}/systemtap/tapset/sssd_functions.stp %{_datadir}/systemtap/tapset/sssd_functions.stp
%{_mandir}/man5/sssd-systemtap.5* %{_mandir}/man5/sssd-systemtap.5*
%if %{use_sysusers}
%{_sysusersdir}/sssd.conf
%endif
%if 0%{?rhel}
%if %{use_sssd_user}
%files polkit-rules %files polkit-rules
%{_datadir}/polkit-1/rules.d/* %{_datadir}/polkit-1/rules.d/*
%endif %endif
@ -806,9 +861,9 @@ done
%files krb5-common %files krb5-common
%license COPYING %license COPYING
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d %attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child %attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/ldap_child
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child %attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/krb5_child
%files krb5 -f sssd_krb5.lang %files krb5 -f sssd_krb5.lang
%license COPYING %license COPYING
@ -824,9 +879,9 @@ done
%files ipa -f sssd_ipa.lang %files ipa -f sssd_ipa.lang
%license COPYING %license COPYING
%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir} %attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%{_libdir}/%{name}/libsss_ipa.so %{_libdir}/%{name}/libsss_ipa.so
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child %attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5* %{_mandir}/man5/sssd-ipa.5*
%files ad -f sssd_ad.lang %files ad -f sssd_ad.lang
@ -837,7 +892,7 @@ done
%files proxy %files proxy
%license COPYING %license COPYING
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child %{_libexecdir}/%{servicename}/proxy_child
%{_libdir}/%{name}/libsss_proxy.so %{_libdir}/%{name}/libsss_proxy.so
%files dbus -f sssd_dbus.lang %files dbus -f sssd_dbus.lang
@ -981,17 +1036,26 @@ done
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp %{_datadir}/sssd/krb5-snippets/sssd_enable_idp
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
%if %{build_passkey}
%files passkey %files passkey
%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child %attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child
%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so %{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey %{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
%if "%{sssd_user}" != "root"
%{_udevrulesdir}/90-sssd-token-access.rules
%endif
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%endif
%if 0%{?rhel} %if %{use_sssd_user}
%pre common %pre common
%if %{use_sysusers}
%sysusers_create_compat %{SOURCE1}
%else
getent group sssd >/dev/null || groupadd -r sssd getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
%endif %endif
%endif
%post common %post common
%systemd_post sssd.service %systemd_post sssd.service
@ -999,9 +1063,17 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%systemd_post sssd-nss.socket %systemd_post sssd-nss.socket
%systemd_post sssd-pac.socket %systemd_post sssd-pac.socket
%systemd_post sssd-pam.socket %systemd_post sssd-pam.socket
%systemd_post sssd-pam-priv.socket
%systemd_post sssd-ssh.socket %systemd_post sssd-ssh.socket
%systemd_post sssd-sudo.socket %systemd_post sssd-sudo.socket
%__rm -f %{mcpath}/passwd
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
%preun common %preun common
%systemd_preun sssd.service %systemd_preun sssd.service
@ -1009,16 +1081,18 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%systemd_preun sssd-nss.socket %systemd_preun sssd-nss.socket
%systemd_preun sssd-pac.socket %systemd_preun sssd-pac.socket
%systemd_preun sssd-pam.socket %systemd_preun sssd-pam.socket
%systemd_preun sssd-pam-priv.socket
%systemd_preun sssd-ssh.socket %systemd_preun sssd-ssh.socket
%systemd_preun sssd-sudo.socket %systemd_preun sssd-sudo.socket
%postun common %postun common
%__rm -f %{mcpath}/passwd
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%systemd_postun_with_restart sssd-autofs.socket %systemd_postun_with_restart sssd-autofs.socket
%systemd_postun_with_restart sssd-nss.socket %systemd_postun_with_restart sssd-nss.socket
%systemd_postun_with_restart sssd-pac.socket %systemd_postun_with_restart sssd-pac.socket
%systemd_postun_with_restart sssd-pam.socket %systemd_postun_with_restart sssd-pam.socket
%systemd_postun_with_restart sssd-pam-priv.socket
%systemd_postun_with_restart sssd-ssh.socket %systemd_postun_with_restart sssd-ssh.socket
%systemd_postun_with_restart sssd-sudo.socket %systemd_postun_with_restart sssd-sudo.socket
@ -1061,6 +1135,13 @@ fi
%systemd_postun_with_restart sssd.service %systemd_postun_with_restart sssd.service
%changelog %changelog
* Thu Jun 6 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.0~beta1-1
- Resolves: RHEL-40253 - Rebase SSSD for RHEL 10-beta
- Resolves: RHEL-29303 - Issue discovered by static analyzer.
- Resolves: RHEL-11181 - sssd[4022110]: gencache_init: Failed to create directory: //.cache/samba - Permission denied
- Resolves: RHEL-4986 - [RFE] sssd use systemd-sysusers
- Resolves: RHEL-4974 - sssd status shows error "krb5_kt_start_seq_get failed: Permission denied" when running as unprivileged user 'sssd'
* Thu Feb 22 2024 Troy Dawson <tdawson@redhat.com> - 2.9.4-6 * Thu Feb 22 2024 Troy Dawson <tdawson@redhat.com> - 2.9.4-6
- Bump release to rebuild on correct samba - Bump release to rebuild on correct samba
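Review bot: The `%__chown` calls added to `%post common` follow symbolic links, because chown dereferences its arguments unless given `-h`, yet every directory they operate on is owned and writable by `%{sssd_user}` in the new `%files` list (`%{secdbpath}` moves from root 700 to sssd 770 in this same commit, `%{dbpath}` and `%{_var}/log/%{name}` become 770). On the first upgrade that is harmless, but the scriptlet runs as root on every later upgrade too, and would then re-chown whatever a link placed in those directories by the unprivileged sssd account points to. Adding `-h` (`--no-dereference`) to each call limits the ownership change to the directory entries themselves; the `-R` call on `conf.d` presumably does not traverse links by default, but its top-level argument should get `-h` as well. The rewritten lines follow.
```spec
%post common
# ... unchanged: systemd_post calls and removal of the mcache files ...
%__chown -f -h %{sssd_user}:%{sssd_user} %{dbpath}/* || true
%__chown -f -h %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
%__chown -f -h -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
%__chown -f -h %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%__chown -f -h %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
```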

1
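--- /dev/null
+++ b/sssd.sysusers
@@ -0,0 +1 @@
+u sssd - "User for sssd" /run/sssd/ /sbin/nologin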
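Review bot: The home directory declared here, `/run/sssd/`, does not match the `useradd -r -g sssd -d / ...` fallback kept in `%pre common` of sssd.spec, so the sssd account ends up with a different HOME depending on `use_sysusers`. One of the issues this rebase lists, RHEL-11181, concerns a `//.cache/samba` path that looks like it was derived from a `/` home, so the fallback branch seemingly keeps that behaviour on builds where `use_sysusers` is 0. Changing the fallback to `-d /run/sssd` would make the two creation paths agree; existing accounts created by the old fallback would presumably keep their old home either way and may need a separate migration note.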