diff --git a/SOURCES/authconfig-6.2.8-ipav2join.patch b/SOURCES/authconfig-6.2.8-ipav2join.patch index b2965ad..8e128b6 100644 --- a/SOURCES/authconfig-6.2.8-ipav2join.patch +++ b/SOURCES/authconfig-6.2.8-ipav2join.patch @@ -168,7 +168,7 @@ diff -up authconfig-6.2.8/authinfo.py.ipav2join authconfig-6.2.8/authinfo.py return status == 0 def joinIPADomain(self, echo): -@@ -4258,18 +4287,26 @@ class AuthInfo: +@@ -4258,22 +4287,30 @@ class AuthInfo: realm and "--realm=" or "", realm, principal and "--principal=" or "", principal, nontp, @@ -201,3 +201,8 @@ diff -up authconfig-6.2.8/authinfo.py.ipav2join authconfig-6.2.8/authinfo.py return status == 0 def uninstallIPA(self): +- cmd = PATH_IPA_CLIENT_INSTALL + " --uninstall --noac" ++ cmd = PATH_IPA_CLIENT_INSTALL + " --uninstall --noac --unattended" + os.system(cmd) + + def toggleCachingService(self, nostart): diff --git a/SOURCES/authconfig-6.2.8-joinpassword.patch b/SOURCES/authconfig-6.2.8-joinpassword.patch new file mode 100644 index 0000000..70ccaf5 --- /dev/null +++ b/SOURCES/authconfig-6.2.8-joinpassword.patch @@ -0,0 +1,18 @@ +diff -up authconfig-6.2.8/authinfo.py.joinpassword authconfig-6.2.8/authinfo.py +--- authconfig-6.2.8/authinfo.py.joinpassword 2015-07-03 12:47:44.993864700 +0200 ++++ authconfig-6.2.8/authinfo.py 2015-07-03 12:53:21.451618592 +0200 +@@ -4296,11 +4296,12 @@ class AuthInfo: + + if echo: + sys.stderr.write("[%s]\n" % cmd) ++ if self.joinPassword or not echo: ++ status, error = feedFork(cmd, echo, "sword:", self.joinPassword) ++ else: + child = Popen([cmd], shell=True) + child.communicate() + status = child.returncode +- else: +- status, error = feedFork(cmd, echo, "sword:", self.joinPassword) + if echo: + if status != 0: + self.messageCB(_("Winbind domain join was not successful.")) diff --git a/SOURCES/authconfig-6.2.8-jointitle.patch b/SOURCES/authconfig-6.2.8-jointitle.patch new file mode 100644 index 0000000..cef6743 --- /dev/null +++ b/SOURCES/authconfig-6.2.8-jointitle.patch 
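Review bot: In `uninstallIPA` the exit status of `os.system(cmd)` is discarded, and with `--unattended` added there is no interactive prompt left where a failed unenrollment would surface. The function just before it ends with `return status == 0`; the same pattern fits here, `status = os.system(cmd)` followed by `return status == 0`, so the caller can report the failure. How callers use the return value is outside the hunk.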
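Review bot: The interactive branch kept by this patch still runs the join through `Popen([cmd], shell=True)`, so `cmd` is one string interpreted by the shell, and the same string is written to stderr when `echo` is set. How `cmd` is assembled is outside the hunk; if it concatenates the domain, server or administrator name supplied by the user, each value needs quoting (for example `pipes.quote(value)`), or the call should take an argument list without a shell. The new condition `if self.joinPassword or not echo:` would also read more clearly with a comment such as `# answer the password prompt when a password was supplied or when running silently`.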
@@ -0,0 +1,12 @@
+diff -up authconfig-6.2.8/authconfig.glade.jointitle authconfig-6.2.8/authconfig.glade
+--- authconfig-6.2.8/authconfig.glade.jointitle 2015-07-03 10:59:22.000000000 +0200
++++ authconfig-6.2.8/authconfig.glade 2015-07-03 11:00:56.654927234 +0200
+@@ -1025,7 +1025,7 @@
+
+ True
+ False
+- Joining Winbind Domain
++ Joining IPA Domain
+ False
+ True
+ system-config-authentication
diff --git a/SOURCES/authconfig-6.2.8-krb5-include.patch b/SOURCES/authconfig-6.2.8-krb5-include.patch
new file mode 100644
index 0000000..6102859
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-krb5-include.patch
@@ -0,0 +1,44 @@
+diff -up authconfig-6.2.8/authinfo.py.krb5-include authconfig-6.2.8/authinfo.py
+--- authconfig-6.2.8/authinfo.py.krb5-include 2015-07-03 11:52:58.000000000 +0200
++++ authconfig-6.2.8/authinfo.py 2015-07-03 12:47:44.993864700 +0200
+@@ -109,6 +109,8 @@ PATH_PAM_SSS = AUTH_MODULE_DIR + "/pam_s
+
+ PATH_LIBSSS_AUTOFS = "/usr" + LIBDIR + "/sssd/modules/libsss_autofs.so"
+
++PATH_KRB5_INCLUDEDIR = "/var/lib/sss/pubconf/krb5.include.d/"
++
+ PATH_WINBIND_NET = "/usr/bin/net"
+ PATH_IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
+
+@@ -3022,6 +3024,8 @@ class AuthInfo:
+ wroteourdomrealm = False
+ wrotedomrealm = False
+ wrotedomrealm2 = False
++ # No dir -> no incdir line, set as if already written
++ wroteincdir = not os.access(PATH_KRB5_INCLUDEDIR, os.R_OK)
+ section = ""
+ subsection = ""
+ f = None
+@@ -3043,6 +3047,12 @@ class AuthInfo:
+ for line in f.file:
+ ls = line.strip()
+
++ if matchLine(ls, "includedir " + PATH_KRB5_INCLUDEDIR):
++ if not wroteincdir:
++ wroteincdir = True
++ else:
++ # already written or should be removed
++ continue
+ # If this is the "kdc" in our realm, replace it with
+ # the values we now have.
+ if (section == "realms" and subsection and subsection == self.kerberosRealm
+@@ -3132,6 +3142,9 @@ class AuthInfo:
+ continue
+ # If it's the beginning of a section, record its name.
+ if matchLine(ls, "["):
++ if not wroteincdir:
++ output += "includedir " + PATH_KRB5_INCLUDEDIR + "\n"
++ wroteincdir = True
+ # If the previous section was "realms", and we didn't
+ # see ours, write our realm out.
+ if (section == "realms" and self.kerberosRealm
diff --git a/SOURCES/authconfig-6.2.8-krb5comment.patch b/SOURCES/authconfig-6.2.8-krb5comment.patch
new file mode 100644
index 0000000..5fa0a97
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-krb5comment.patch
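Review bot: The only gate for writing `includedir /var/lib/sss/pubconf/krb5.include.d/` into krb5.conf is `os.access(PATH_KRB5_INCLUDEDIR, os.R_OK)`, which says nothing about who may write there, while the directive makes libkrb5 load configuration snippets from that directory with the same trust as krb5.conf itself. A comment on the constant would record the assumption, e.g. `# snippets here are parsed as part of krb5.conf; the directory must stay writable only by root/SSSD`. Separately, the line is emitted only when a `[` section header is met, so for a file without any section the flag is still False when the loop ends; whether that case is handled after the loop is outside the hunk.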
@@ -0,0 +1,29 @@
+diff -up authconfig-6.2.8/authinfo.py.krb5comment authconfig-6.2.8/authinfo.py
+--- authconfig-6.2.8/authinfo.py.krb5comment 2015-07-03 11:04:01.174220956 +0200
++++ authconfig-6.2.8/authinfo.py 2015-07-03 11:09:29.329857063 +0200
+@@ -1701,6 +1701,7 @@ class AuthInfo:
+ return False
+
+ for line in f:
++ line = line.split('#')[0]
+ line = line.strip()
+
+ # If it's a new section, note which one we're "in".
+@@ -3203,7 +3204,7 @@ class AuthInfo:
+ output += str(bool(self.kerberosKDCviaDNS)).lower()
+ output += "\n"
+ # If we haven't encountered a realms section yet...
+- if not wroterealms2:
++ if not wroterealms2 and (self.kerberosRealm or self.smbRealm):
+ if not wroterealms:
+ output += "[realms]\n"
+ if not wroterealm:
+@@ -3211,7 +3212,7 @@ class AuthInfo:
+ self.kerberosAdminServer)
+ if not wrotesmbrealm:
+ output += krbRealm(self.smbRealm, self.smbServers, "")
+- if not wrotedomrealm2:
++ if not wrotedomrealm2 and self.kerberosRealm:
+ if not wrotedomrealm:
+ output += "[domain_realm]\n"
+ if self.kerberosRealm and not wroteourdomrealm:
diff --git a/SOURCES/authconfig-6.2.8-localetb.patch b/SOURCES/authconfig-6.2.8-localetb.patch
new file mode 100644
index 0000000..27beec3
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-localetb.patch
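Review bot: `line = line.split('#')[0]` cuts at any `#`, but krb5.conf treats `#` (and `;`) as a comment marker only at the start of a line, so a value that contains `#` is truncated when the file is read and a `;` comment line is still parsed as content. Testing the start of the line fixes the reported case without touching values: `if line.lstrip().startswith(('#', ';')): continue`. The loop body continues outside the hunk, so confirm that nothing later in it needs to see comment lines.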
@@ -0,0 +1,31 @@
+diff -up authconfig-6.2.8/authconfig-gtk.py.localetb authconfig-6.2.8/authconfig-gtk.py
+--- authconfig-6.2.8/authconfig-gtk.py.localetb 2015-07-03 10:59:22.000000000 +0200
++++ authconfig-6.2.8/authconfig-gtk.py 2015-07-03 11:14:22.666532393 +0200
+@@ -30,7 +30,10 @@ _ = gettext.lgettext
+ import locale
+ import dbus
+
+-locale.setlocale(locale.LC_ALL, '')
++try:
++ locale.setlocale(locale.LC_ALL, '')
++except locale.Error:
++ sys.stderr.write('Warning: Unsupported locale setting.\n')
+
+ firstbootservices = [
+ "autofs",
+diff -up authconfig-6.2.8/authconfig.py.localetb authconfig-6.2.8/authconfig.py
+--- authconfig-6.2.8/authconfig.py.localetb 2015-07-03 10:59:22.000000000 +0200
++++ authconfig-6.2.8/authconfig.py 2015-07-03 11:14:01.694065135 +0200
+@@ -28,7 +28,11 @@ import gettext, os, signal, sys
+ _ = gettext.lgettext
+ from optparse import OptionParser, IndentedHelpFormatter
+ import locale
+-locale.setlocale(locale.LC_ALL, '')
++
++try:
++ locale.setlocale(locale.LC_ALL, '')
++except locale.Error:
++ sys.stderr.write('Warning: Unsupported locale setting.\n')
+
+ def runsAs(name):
+ return sys.argv[0].find(name) >= 0
diff --git a/SOURCES/authconfig-6.2.8-sssd-prompting.patch b/SOURCES/authconfig-6.2.8-sssd-prompting.patch
new file mode 100644
index 0000000..b7c9e55
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-sssd-prompting.patch
@@ -0,0 +1,60 @@
+diff -up authconfig-6.2.8/authinfo.py.sssd-prompting authconfig-6.2.8/authinfo.py
+--- authconfig-6.2.8/authinfo.py.sssd-prompting 2015-07-03 11:09:29.329857063 +0200
++++ authconfig-6.2.8/authinfo.py 2015-07-03 11:52:58.462677742 +0200
+@@ -132,6 +132,7 @@ LOGIC_FORCE_PKCS11_KRB5 = "[success=ok i
+ LOGIC_SKIPNEXT = "[success=1 default=ignore]"
+ LOGIC_SKIPNEXT3 = "[success=3 default=ignore]"
+ LOGIC_ALWAYS_SKIP = "[default=1]"
++LOGIC_SKIPNEXT_ON_FAILURE = "[default=1 success=ok]"
+
+ # Snip off line terminators and final whitespace from a passed-in string.
+ def snipString(s):
+@@ -460,6 +461,8 @@ pam_modules[STANDARD] = [
+ "permit", []],
+ [False, AUTH, LOGIC_SUFFICIENT,
+ "fprintd", []],
++ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
++ "localuser", []],
+ [True, AUTH, LOGIC_SUFFICIENT,
+ "unix", argv_unix_auth],
+ [False, AUTH, LOGIC_REQUISITE,
+@@ -583,6 +586,8 @@ pam_modules[PASSWORD_ONLY] = [
+ "env", []],
+ [False, AUTH, LOGIC_REQUIRED,
+ "deny", []],
++ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
++ "localuser", []],
+ [True, AUTH, LOGIC_SUFFICIENT,
+ "unix", argv_unix_auth],
+ [False, AUTH, LOGIC_REQUISITE,
+@@ -3791,6 +3796,10 @@ class AuthInfo:
+ argv = module[ARGV][0:] # shallow copy
+ argv[1] = self.uidMin
+ args = " ".join(argv)
++ # do not continue to following modules if authentication fails
++ if name == "unix" and stack == "auth" and (self.enableSSSDAuth or
++ self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS):
++ logic = LOGIC_FORCE_PKCS11 # make it or break it logic
+ # use oddjob_mkhomedir if available
+ if name == "mkhomedir" and os.access("%s/pam_%s.so"
+ % (AUTH_MODULE_DIR, "oddjob_mkhomedir"), os.X_OK):
+@@ -3818,6 +3827,8 @@ class AuthInfo:
+ args = self.mkhomedirArgs
+ if name == "systemd":
+ args = self.systemdArgs
++ if name == "sss" and stack == "auth" and not self.enableNIS:
++ args = "forward_pass"
+ if not args and module[ARGV]:
+ args = " ".join(module[ARGV])
+ if name == "winbind" and
self.winbindOffline and stack != "password":
+@@ -3922,7 +3933,9 @@ class AuthInfo:
+ (self.enablePasswdQC and module[NAME] == "passwdqc") or
+ (self.enableWinbindAuth and module[NAME] == "winbind") or
+ ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or
+- (self.enableLocAuthorize and module[NAME] == "localuser") or
++ ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
++ (not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or
++ (self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or
+ (self.enablePAMAccess and module[NAME] == "access") or
+ (self.enableMkHomeDir and module[NAME] == "mkhomedir") or
+ (not self.enableSysNetAuth and module[STACK] == AUTH and
diff --git a/SOURCES/authconfig-6.2.8-winbind-client.patch b/SOURCES/authconfig-6.2.8-winbind-client.patch
index e1150d7..74b442e 100644
--- a/SOURCES/authconfig-6.2.8-winbind-client.patch
+++ b/SOURCES/authconfig-6.2.8-winbind-client.patch
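Review bot: pam_unix in the auth stack is switched to `logic = LOGIC_FORCE_PKCS11`, a constant named for smart-card handling whose value is not visible in this patch, so a later change to the smart-card control would silently change how a failed password is handled for local users. A dedicated name beside the new constant, e.g. `LOGIC_UNIX_LOCAL_ONLY = LOGIC_FORCE_PKCS11  # make it or break it for local users`, would make that dependency explicit. The override also depends on the `localuser` line with `[default=1 success=ok]` being written directly before `unix`, yet the condition `(self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and not self.enableNIS` is spelled out separately at both places; a small helper method would keep the two from drifting apart. Both functions continue outside the hunks shown.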
@@ -10,3 +10,17 @@ diff -up authconfig-6.2.8/authconfig-gtk.py.winbind-client authconfig-6.2.8/auth "IPAv2": (_("IPAv2"), ("IPAv2Auth",), "ipav2options", "ipav2_map", authinfo.PATH_IPA_CLIENT_INSTALL, "freeipa-client") +diff -up authconfig-6.2.8/authconfig.py.winbind-client authconfig-6.2.8/authconfig.py +--- authconfig-6.2.8/authconfig.py.winbind-client 2015-07-03 11:34:59.798789958 +0200 ++++ authconfig-6.2.8/authconfig.py 2015-07-03 11:33:00.363034242 +0200 +@@ -704,8 +704,8 @@ class AuthconfigTUI(Authconfig): + warnNIS = [authinfo.PATH_YPBIND, _("NIS"), "ypbind", None] + warnShadow = [authinfo.PATH_PWCONV, _("shadow password"), "shadow-utils", None] + warnWinbindNet = [authinfo.PATH_WINBIND_NET, _("Winbind"), "samba-client", None] +- warnWinbindAuth = [authinfo.PATH_PAM_WINBIND, _("Winbind authentication"), "samba-common", warnWinbindNet] +- warnWinbind = [authinfo.PATH_LIBNSS_WINBIND, _("Winbind"), "samba-common", warnWinbindAuth] ++ warnWinbindAuth = [authinfo.PATH_PAM_WINBIND, _("Winbind authentication"), "samba-winbind", warnWinbindNet] ++ warnWinbind = [authinfo.PATH_LIBNSS_WINBIND, _("Winbind"), "samba-winbind", warnWinbindAuth] + + # Information + infoGrid = snack.Grid(1, 6) diff --git a/SPECS/authconfig.spec b/SPECS/authconfig.spec index 9431ed0..1b22094 100644 --- a/SPECS/authconfig.spec +++ b/SPECS/authconfig.spec @@ -1,7 +1,7 @@ Summary: Command line tool for setting up authentication from network services Name: authconfig Version: 6.2.8 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ ExclusiveOS: Linux Group: System Environment/Base 
@@ -22,6 +22,12 @@ Patch12: authconfig-6.2.8-altfiles.patch Patch13: authconfig-6.2.8-winbind-client.patch Patch14: authconfig-6.2.8-services.patch Patch15: authconfig-6.2.8-multiple-ldap-uris.patch +Patch16: authconfig-6.2.8-jointitle.patch +Patch17: authconfig-6.2.8-krb5comment.patch +Patch18: authconfig-6.2.8-localetb.patch +Patch19: authconfig-6.2.8-sssd-prompting.patch +Patch20: authconfig-6.2.8-krb5-include.patch +Patch21: authconfig-6.2.8-joinpassword.patch Requires: newt-python, pam >= 0.99.10.0, python, libpwquality > 0.9 Conflicts: pam_krb5 < 1.49, samba-common < 3.0, samba-client < 3.0 Conflicts: nss_ldap < 254, sssd < 0.99.1 @@ -66,6 +72,12 @@ authentication schemes. %patch13 -p1 -b .winbind-client %patch14 -p1 -b .services %patch15 -p1 -b .ldap-uris +%patch16 -p1 -b .jointitle +%patch17 -p1 -b .krb5comment +%patch18 -p1 -b .localetb +%patch19 -p1 -b .sssd-prompting +%patch20 -p1 -b .krb5-include +%patch21 -p1 -b .joinpassword %build %configure @@ -96,7 +108,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %files -f %{name}.lang %defattr(-,root,root,-) %doc COPYING NOTES TODO README.samba3 -%ghost %config(noreplace) %{_sysconfdir}/sysconfig/authconfig +%config(noreplace) %{_sysconfdir}/sysconfig/authconfig %ghost %config(noreplace) %{_sysconfdir}/pam.d/system-auth-ac %ghost %config(noreplace) %{_sysconfdir}/pam.d/password-auth-ac %ghost %config(noreplace) %{_sysconfdir}/pam.d/fingerprint-auth-ac 
@@ -148,6 +160,17 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %{_datadir}/icons/hicolor/256x256/apps/system-config-authentication.* %changelog +* Fri Jul 3 2015 Tomáš Mráz - 6.2.8-10 +- fix title of IPA domain join window (#1166119) +- add --unattended to IPA uninstall command (#1166131) +- do not mistake comment for krb5 realm name (#1184639) +- do not traceback with incorrect locales (#1187020) +- correct the package needed for winbind (#1190226) +- install empty /etc/sysconfig/authconfig file (#1194698) +- let SSSD prompt non-local users for passwords (#1204864) +- add includedir /var/lib/sss/pubconf/krb5.include.d/ to krb5.conf (#1207552) +- pass the password provided by --winbindjoin to net join (#1225089) + * Mon Sep 29 2014 Tomáš Mráz - 6.2.8-9 - do not overwrite special ldap base values - display error message if winbind or IPA domain join fails