From eed6a99e67705a09d68b155aad6becdc170adcb8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 15 2022 06:53:41 +0000
Subject: import authselect-1.2.5-1.el9
---
diff --git a/.authselect.metadata b/.authselect.metadata
index d08bc58..d4b44bd 100644
--- a/.authselect.metadata
+++ b/.authselect.metadata
@@ -1 +1 @@
-3f004c30e9f07c0dd259403f1cd9f13c5ec297ce SOURCES/authselect-1.2.3.tar.gz
+4eb7fbb53b31d92f0fae17d6fd5e5da46bc8b434 SOURCES/authselect-1.2.5.tar.gz
diff --git a/.gitignore b/.gitignore
index 00d9be7..23c7894 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/authselect-1.2.3.tar.gz
+SOURCES/authselect-1.2.5.tar.gz
diff --git a/SOURCES/0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch b/SOURCES/0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch
deleted file mode 100644
index 091d8f7..0000000
--- a/SOURCES/0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 6924b8f8d82ecd32e897cf5f441e5c87f8816859 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Thu, 22 Jul 2021 11:29:20 +0200
-Subject: [PATCH] lib: avoid freeing uninitialized variable in
- authselect_apply_changes()
-
-If authselect_profile() fails, we goto done and try to free uninitialized
-variable.
-
-Resolves:
-https://github.com/authselect/authselect/issues/265
----
- src/lib/authselect.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/authselect.c b/src/lib/authselect.c
-index 0f43e12202c16769dfc6ac7dee41812159cc1d3a..a901e02719713bd13d5a4fab606ee713b3d6ddca 100644
---- a/src/lib/authselect.c
-+++ b/src/lib/authselect.c
-@@ -163,7 +163,7 @@ authselect_uninstall(void)
- _PUBLIC_ int
- authselect_apply_changes(void)
- {
-- struct authselect_profile *profile;
-+ struct authselect_profile *profile = NULL;
- char **supported = NULL;
- char *profile_id;
- char **features;
---
-2.31.1
-
diff --git a/SOURCES/0901-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch b/SOURCES/0901-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
new file mode 100644
index 0000000..5935de1
--- /dev/null
+++ b/SOURCES/0901-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
@@ -0,0 +1,25 @@
+From c3c2c3b7ffe04dc2e810c9fffdd82689543a94df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 30 Oct 2018 14:08:12 +0100
+Subject: [PATCH 1/4] rhel9: remove mention of Fedora Change page in compat
+ tool
+
+---
+ src/compat/authcompat.py.in.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+index 1a68d95c71b51beabe80e9b07c084ea9c2f3580d..8334293911d1d4c2d98a6d233b91fc348cf06575 100755
+--- a/src/compat/authcompat.py.in.in
++++ b/src/compat/authcompat.py.in.in
+@@ -471,7 +471,6 @@ class AuthCompat:
+ "It does not provide all capabilities of authconfig.\n"))
+ print(_("IMPORTANT: authconfig is replaced by authselect, "
+ "please update your scripts."))
+- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
+ print(_("See man authselect-migration(7) to help you with migration to authselect"))
+
+ options = self.options.getSetButUnsupported()
+--
+2.34.1
+
diff --git a/SOURCES/0902-rhel9-remove-ecryptfs-support.patch b/SOURCES/0902-rhel9-remove-ecryptfs-support.patch
new file mode 100644
index 0000000..6f8dd13
--- /dev/null
+++ b/SOURCES/0902-rhel9-remove-ecryptfs-support.patch
@@ -0,0 +1,283 @@
+From 9da7355f1e2c8a148d4730fec4c4707c56e6dfa1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 10 Jun 2019 10:53:15 +0200
+Subject: [PATCH 2/4] rhel9: remove ecryptfs support
+
+---
+ profiles/nis/README | 3 ---
+ profiles/nis/fingerprint-auth | 1 -
+ profiles/nis/password-auth | 1 -
+ profiles/nis/postlogin | 4 ----
+ profiles/nis/system-auth | 1 -
+ profiles/sssd/README | 3 ---
+ profiles/sssd/fingerprint-auth | 1 -
+ profiles/sssd/password-auth | 1 -
+ profiles/sssd/postlogin | 4 ----
+ profiles/sssd/smartcard-auth | 1 -
+ profiles/sssd/system-auth | 1 -
+ profiles/winbind/README | 3 ---
+ profiles/winbind/fingerprint-auth | 1 -
+ profiles/winbind/password-auth | 1 -
+ profiles/winbind/postlogin | 4 ----
+ profiles/winbind/system-auth | 1 -
+ src/compat/authcompat.py.in.in | 1 -
+ src/compat/authcompat_Options.py | 2 +-
+ src/man/authselect-migration.7.adoc | 5 ++---
+ 19 files changed, 3 insertions(+), 36 deletions(-)
+
+diff --git a/profiles/nis/README b/profiles/nis/README
+index 895e8fa8650c04d41bf8bc8d6e3cda18db9bf814..71e23d61a8c1ea773c98524256a5eaad5a75d197 100644
+--- a/profiles/nis/README
++++ b/profiles/nis/README
+@@ -21,9 +21,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
+index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be2982bdf36cb 100644
+--- a/profiles/nis/fingerprint-auth
++++ b/profiles/nis/fingerprint-auth
+@@ -15,7 +15,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
+index f181a58ab7792c7e1a4234e677cbb7e3d0a6548d..79fb521eb5dff4978203166491b185887d1ec744 100644
+--- a/profiles/nis/password-auth
++++ b/profiles/nis/password-auth
+@@ -18,7 +18,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/nis/postlogin
++++ b/profiles/nis/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
+index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae849d1186fc 100644
+--- a/profiles/nis/system-auth
++++ b/profiles/nis/system-auth
+@@ -19,7 +19,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index 61d5aedf65b2351cf23cea0a6b6b0932e32f0e48..ab9af237442089ded86b63942dd856397108ccf0 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -40,9 +40,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-smartcard::
+ Enable authentication with smartcards through SSSD. Please note that
+ smartcard support must be also explicitly enabled within
+diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
+index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e5232126df55564 100644
+--- a/profiles/sssd/fingerprint-auth
++++ b/profiles/sssd/fingerprint-auth
+@@ -20,7 +20,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
+index 3e33dcc09f68055f2f87709e638005929bd577b3..858c6db357d07dc554806f4807f9b0858a649f44 100644
+--- a/profiles/sssd/password-auth
++++ b/profiles/sssd/password-auth
+@@ -28,7 +28,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/sssd/postlogin
++++ b/profiles/sssd/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
+index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b963caa3b 100644
+--- a/profiles/sssd/smartcard-auth
++++ b/profiles/sssd/smartcard-auth
+@@ -18,7 +18,6 @@ account required pam_permit.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index a43341120f55bad3fb07dfea1c04453d0a278329..88c49e2dd5b60847d1d19154622a8614a21e5e1f 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -35,7 +35,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index 0048c29256f5d4064edfb84a2f4b761fd09e90f6..6f7a7cab1efc768c4c82791d6a8f00def1771d37 100644
+--- a/profiles/winbind/README
++++ b/profiles/winbind/README
+@@ -33,9 +33,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
+index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a41202d21fd67 100644
+--- a/profiles/winbind/fingerprint-auth
++++ b/profiles/winbind/fingerprint-auth
+@@ -19,7 +19,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
+index 58705f3b15165c8d8bd4938889e3fb4d89c1a528..e84e2fcbb2bad9af6156e6e6db23f089f2b5d210 100644
+--- a/profiles/winbind/password-auth
++++ b/profiles/winbind/password-auth
+@@ -25,7 +25,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/winbind/postlogin
++++ b/profiles/winbind/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
+index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a0a53a03e 100644
+--- a/profiles/winbind/system-auth
++++ b/profiles/winbind/system-auth
+@@ -26,7 +26,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+index 8334293911d1d4c2d98a6d233b91fc348cf06575..55e205bae2c0b1f7892f8b286c288dfeaa26a60d 100755
+--- a/src/compat/authcompat.py.in.in
++++ b/src/compat/authcompat.py.in.in
+@@ -523,7 +523,6 @@ class AuthCompat:
+ 'smartcard': 'with-smartcard',
+ 'requiresmartcard': 'with-smartcard-required',
+ 'fingerprint': 'with-fingerprint',
+- 'ecryptfs': 'with-ecryptfs',
+ 'mkhomedir': 'with-mkhomedir',
+ 'faillock': 'with-faillock',
+ 'pamaccess': 'with-pamaccess',
+diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
+index d26dedabdfb9519861076b58cddd0dd0eb04b7cb..5c8b21b55014198d6d9dfc98bd807c3c922b06f4 100644
+--- a/src/compat/authcompat_Options.py
++++ b/src/compat/authcompat_Options.py
+@@ -93,7 +93,6 @@ class Options:
+ Option.Valued("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
+ Option.Feature("requiresmartcard", _("require smart card for authentication by default")),
+ Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
+- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
+ Option.Feature("krb5", _("Kerberos authentication by default")),
+ Option.Valued("krb5kdc", _(""), _("default Kerberos KDC")),
+ Option.Valued("krb5adminserver", _(""), _("default Kerberos admin server")),
+@@ -141,6 +140,7 @@ class Options:
+ # layers and will produce warning when used. They will not affect
+ # the system.
+ Option.UnsupportedFeature("cache"),
++ Option.UnsupportedFeature("ecryptfs"),
+ Option.UnsupportedFeature("shadow"),
+ Option.UnsupportedSwitch("useshadow"),
+ Option.UnsupportedFeature("md5"),
+diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
+index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd42472741 100644
+--- a/src/man/authselect-migration.7.adoc
++++ b/src/man/authselect-migration.7.adoc
+@@ -80,7 +80,6 @@ configuration file for required services.
+ |*Authconfig options* |*Authselect profile feature*
+ |--enablesmartcard |with-smartcard
+ |--enablefingerprint |with-fingerprint
+-|--enableecryptfs |with-ecryptfs
+ |--enablemkhomedir |with-mkhomedir
+ |--enablefaillock |with-faillock
+ |--enablepamaccess |with-pamaccess
+@@ -103,8 +102,8 @@ authselect select sssd with-faillock
+ authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
+ authselect select sssd with-smartcard
+
+-authconfig --enableecryptfs --enablepamaccess --updateall
+-authselect select sssd with-ecryptfs with-pamaccess
++authconfig --enablepamaccess --updateall
++authselect select sssd with-pamaccess
+
+ authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
+ realm join -U Administrator --client-software=winbind WINBINDDOMAIN
+--
+2.34.1
+
diff --git a/SOURCES/0903-rhel9-Revert-profiles-add-support-for-resolved.patch b/SOURCES/0903-rhel9-Revert-profiles-add-support-for-resolved.patch
new file mode 100644
index 0000000..a3e5c50
--- /dev/null
+++ b/SOURCES/0903-rhel9-Revert-profiles-add-support-for-resolved.patch
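Review bot: The `authselect-migration.7.adoc` hunks of the added patch drop the `--enableecryptfs` table row and the example that used it without saying what replaces them, while `authcompat_Options.py` moves `ecryptfs` to `Option.UnsupportedFeature`, which per the comment in that list only produces a warning and does not affect the system. Every profile also loses its `pam_ecryptfs.so unwrap` lines, so a host whose users depend on that module would presumably stop unwrapping encrypted home directories once the profiles are regenerated, with the warning as the only signal. I would keep a row such as `|--enableecryptfs |none`, in the same form patch 4/4 uses for `--enablenis`, so the removal is documented where administrators look during migration.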
@@ -0,0 +1,42 @@
+From 6381b49e90b3850fade68c8af03b17d0cc016d3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Wed, 25 Nov 2020 14:05:00 +0100
+Subject: [PATCH 3/4] rhel9: Revert "profiles: add support for resolved"
+
+systemd-resolved should not be enabled by default on rhel8.
+
+This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54.
+---
+ profiles/minimal/nsswitch.conf | 2 +-
+ profiles/nis/nsswitch.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
+index a9e4bc79a1090304542ccd8b43d1107eeb5304df..a39e4d32ebf79e8bf05f2db5753b01596222dc35 100644
+--- a/profiles/minimal/nsswitch.conf
++++ b/profiles/minimal/nsswitch.conf
+@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom
+ automount: files {exclude if "with-custom-automount"}
+ ethers: files {exclude if "with-custom-ethers"}
+ group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
+-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
++hosts: files dns myhostname {exclude if "with-custom-hosts"}
+ initgroups: files {exclude if "with-custom-initgroups"}
+ netgroup: files {exclude if "with-custom-netgroup"}
+ networks: files {exclude if "with-custom-networks"}
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644
+--- a/profiles/nis/nsswitch.conf
++++ b/profiles/nis/nsswitch.conf
+@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"}
+ automount: files nis {exclude if "with-custom-automount"}
+ ethers: files nis {exclude if "with-custom-ethers"}
+ group: files nis systemd {exclude if "with-custom-group"}
+-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
++hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
+ initgroups: files nis {exclude if "with-custom-initgroups"}
+ netgroup: files nis {exclude if "with-custom-netgroup"}
+ networks: files nis {exclude if "with-custom-networks"}
+--
+2.34.1
+
diff --git a/SOURCES/0904-rhel9-remove-nis-support.patch b/SOURCES/0904-rhel9-remove-nis-support.patch
new file mode 100644
index 0000000..79be754
--- /dev/null
+++ b/SOURCES/0904-rhel9-remove-nis-support.patch
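Review bot: The restored `hosts:` line in both nsswitch.conf templates places `dns` ahead of `myhostname`, whereas the line being reverted had `myhostname` before `dns`, so the revert changes lookup priority as well as dropping `resolve [!UNAVAIL=return]`. As far as nss-myhostname is documented, that ordering sends lookups of the machine's own hostname to DNS first, which lets an external answer win on networks where the resolver is not fully trusted. If the intent is only to stop enabling systemd-resolved, `hosts: files myhostname dns {exclude if "with-custom-hosts"}` (and `files nis myhostname dns` in the nis template) would keep the previous priority. The patch description also says "rhel8" under a "rhel9:" subject, which should be corrected.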
@@ -0,0 +1,297 @@
+From fde1c60f1e87383596ee7060f4d748675b2efae9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Wed, 9 Jun 2021 13:59:01 +0200
+Subject: [PATCH 4/4] rhel9: remove nis support
+
+NIS is no longer supported in RHEL9.
+---
+ profiles/Makefile.am | 14 -----
+ profiles/nis/dconf-db | 3 -
+ profiles/nis/dconf-locks | 2 -
+ profiles/nis/nsswitch.conf | 14 -----
+ profiles/nis/postlogin | 4 --
+ rpm/authselect.spec.in | 11 ----
+ src/compat/authcompat.py.in.in | 95 -----------------------------
+ src/compat/authcompat_Options.py | 8 ++-
+ src/man/authselect-migration.7.adoc | 2 +-
+ 9 files changed, 6 insertions(+), 147 deletions(-)
+ delete mode 100644 profiles/nis/dconf-db
+ delete mode 100644 profiles/nis/dconf-locks
+ delete mode 100644 profiles/nis/nsswitch.conf
+ delete mode 100644 profiles/nis/postlogin
+
+diff --git a/profiles/Makefile.am b/profiles/Makefile.am
+index 7191b2604ca2c9ebaba3a4f1beb950e7d0e03970..4ab613f42a581df02c427636a0070092b58ec418 100644
+--- a/profiles/Makefile.am
++++ b/profiles/Makefile.am
+@@ -15,20 +15,6 @@ dist_profile_minimal_DATA = \
+ $(top_srcdir)/profiles/minimal/dconf-locks \
+ $(NULL)
+
+-profile_nisdir = $(authselect_profile_dir)/nis
+-dist_profile_nis_DATA = \
+- $(top_srcdir)/profiles/nis/nsswitch.conf \
+- $(top_srcdir)/profiles/nis/password-auth \
+- $(top_srcdir)/profiles/nis/postlogin \
+- $(top_srcdir)/profiles/nis/README \
+- $(top_srcdir)/profiles/nis/REQUIREMENTS \
+- $(top_srcdir)/profiles/nis/smartcard-auth \
+- $(top_srcdir)/profiles/nis/system-auth \
+- $(top_srcdir)/profiles/nis/fingerprint-auth \
+- $(top_srcdir)/profiles/nis/dconf-db \
+- $(top_srcdir)/profiles/nis/dconf-locks \
+- $(NULL)
+-
+ profile_sssddir = $(authselect_profile_dir)/sssd
+ dist_profile_sssd_DATA = \
+ $(top_srcdir)/profiles/sssd/nsswitch.conf \
+diff --git a/profiles/nis/dconf-db b/profiles/nis/dconf-db
+deleted file mode 100644
+index bd32b2819f66acdc75ab0fc522ec85673d10ed72..0000000000000000000000000000000000000000
+--- a/profiles/nis/dconf-db
++++ /dev/null
+@@ -1,3 +0,0 @@
+-[org/gnome/login-screen]
+-enable-smartcard-authentication=false
+-enable-fingerprint-authentication={if "with-fingerprint":true|false}
+diff --git a/profiles/nis/dconf-locks b/profiles/nis/dconf-locks
+deleted file mode 100644
+index 8a36fa9568344338272786394aece872185d0ab3..0000000000000000000000000000000000000000
+--- a/profiles/nis/dconf-locks
++++ /dev/null
+@@ -1,2 +0,0 @@
+-/org/gnome/login-screen/enable-smartcard-authentication
+-/org/gnome/login-screen/enable-fingerprint-authentication
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+deleted file mode 100644
+index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..0000000000000000000000000000000000000000
+--- a/profiles/nis/nsswitch.conf
++++ /dev/null
+@@ -1,14 +0,0 @@
+-aliases: files nis {exclude if "with-custom-aliases"}
+-automount: files nis {exclude if "with-custom-automount"}
+-ethers: files nis {exclude if "with-custom-ethers"}
+-group: files nis systemd {exclude if "with-custom-group"}
+-hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
+-initgroups: files nis {exclude if "with-custom-initgroups"}
+-netgroup: files nis {exclude if "with-custom-netgroup"}
+-networks: files nis {exclude if "with-custom-networks"}
+-passwd: files nis systemd {exclude if "with-custom-passwd"}
+-protocols: files nis {exclude if "with-custom-protocols"}
+-publickey: files nis {exclude if "with-custom-publickey"}
+-rpc: files nis {exclude if "with-custom-rpc"}
+-services: files nis {exclude if "with-custom-services"}
+-shadow: files nis {exclude if "with-custom-shadow"}
+diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
+deleted file mode 100644
+index 04a11f049bc1e220c9064fba7b46eb243ddd4996..0000000000000000000000000000000000000000
+--- a/profiles/nis/postlogin
++++ /dev/null
+@@ -1,4 +0,0 @@
+-session optional pam_umask.so silent
+-session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+-session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+-session optional pam_lastlog.so silent noupdate showfailed
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index f8539d5a028da1a7184b47609a8efdb5ce0be14e..95da183a41a29f7913a0a255a94070908ed9a66c 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -165,7 +165,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %dir %{_datadir}/authselect/vendor
+ %dir %{_datadir}/authselect/default
+ %dir %{_datadir}/authselect/default/minimal/
+-%dir %{_datadir}/authselect/default/nis/
+ %dir %{_datadir}/authselect/default/sssd/
+ %dir %{_datadir}/authselect/default/winbind/
+ %{_datadir}/authselect/default/minimal/dconf-db
+@@ -178,16 +177,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %{_datadir}/authselect/default/minimal/REQUIREMENTS
+ %{_datadir}/authselect/default/minimal/smartcard-auth
+ %{_datadir}/authselect/default/minimal/system-auth
+-%{_datadir}/authselect/default/nis/dconf-db
+-%{_datadir}/authselect/default/nis/dconf-locks
+-%{_datadir}/authselect/default/nis/fingerprint-auth
+-%{_datadir}/authselect/default/nis/nsswitch.conf
+-%{_datadir}/authselect/default/nis/password-auth
+-%{_datadir}/authselect/default/nis/postlogin
+-%{_datadir}/authselect/default/nis/README
+-%{_datadir}/authselect/default/nis/REQUIREMENTS
+-%{_datadir}/authselect/default/nis/smartcard-auth
+-%{_datadir}/authselect/default/nis/system-auth
+ %{_datadir}/authselect/default/sssd/dconf-db
+ %{_datadir}/authselect/default/sssd/dconf-locks
+ %{_datadir}/authselect/default/sssd/fingerprint-auth
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+index 55e205bae2c0b1f7892f8b286c288dfeaa26a60d..c6d1f2786c233f7ebdbfe5f2503aa0016012aee0 100755
+--- a/src/compat/authcompat.py.in.in
++++ b/src/compat/authcompat.py.in.in
+@@ -243,20 +243,6 @@ class Configuration:
+
+ config.write(keys)
+
+- class Network(Base):
+- def __init__(self, options):
+- super(Configuration.Network, self).__init__(options)
+-
+- def write(self):
+- nisdomain = self.get("nisdomain")
+- config = EnvironmentFile(Path.System('network'))
+-
+- if nisdomain is None:
+- return
+-
+- config.set("NISDOMAIN", nisdomain)
+- config.write()
+-
+ class SSSD(Base):
+ def __init__(self, options):
+ super(Configuration.SSSD, self).__init__(options, ServiceName="sssd")
+@@ -378,83 +364,6 @@ class Configuration:
+ # other applications may depend on it.
+ return
+
+- class NIS(Base):
+- def __init__(self, options):
+- super(Configuration.NIS, self).__init__(options)
+- self.rpcbind = Service("rpcbind")
+- self.ypbind = Service("ypbind")
+-
+- def isEnabled(self):
+- if not self.isset("nis"):
+- return None
+-
+- return self.getBool("nis")
+-
+- def enableService(self, nostart):
+- if not self.isset("nisdomain"):
+- return
+-
+- nisdom = self.get("nisdomain")
+-
+- if not nostart:
+- cmd = Command(Path.System('cmd-domainname'), [nisdom])
+- cmd.run()
+-
+- cmd = Command(Path.System('cmd-setsebool'),
+- ['-P', 'allow_ypbind', '1'])
+- cmd.run()
+-
+- self.rpcbind.enable()
+- self.ypbind.enable()
+-
+- if not nostart:
+- self.rpcbind.start(Restart=False)
+- self.ypbind.start()
+-
+- def disableService(self, nostop):
+- if not nostop:
+- cmd = Command(Path.System('cmd-domainname'), ["(none)"])
+- cmd.run()
+-
+- cmd = Command(Path.System('cmd-setsebool'),
+- ['-P', 'allow_ypbind', '0'])
+- cmd.run()
+-
+- self.rpcbind.disable()
+- self.ypbind.disable()
+-
+- if not nostop:
+- self.rpcbind.stop()
+- self.ypbind.stop()
+-
+- def write(self):
+- if not self.isset("nisdomain"):
+- return
+-
+- output = "domain " + self.get("nisdomain")
+-
+- additional_servers = []
+- if self.isset("nisserver"):
+- servers = self.get("nisserver").split(",")
+- additional_servers = servers[1:]
+- output += " server " + servers[0] + "\n"
+- else:
+- output += " broadcast\n"
+-
+- for server in additional_servers:
+- output += "ypserver " + server + "\n"
+-
+- filename = Path.System('yp.conf')
+- if self.getBool("test-call"):
+- print("========== BEGIN Content of [%s] ==========" % filename)
+- print(output)
+- print("========== END Content of [%s] ==========\n" % filename)
+- return
+-
+- with open(filename, "w") as f:
+- f.write(output)
+-
+-
+ class AuthCompat:
+ def __init__(self):
+ self.sysconfig = EnvironmentFile(Path.System('authconfig'))
+@@ -538,8 +447,6 @@ class AuthCompat:
+ or self.options.getBool("sssd")
+ or self.options.getBool("sssdauth")):
+ profile = "sssd"
+- elif self.options.getBool("nis"):
+- profile = "nis"
+ elif self.options.getBool("winbind"):
+ profile = "winbind"
+
+@@ -596,13 +503,11 @@ class AuthCompat:
+ def writeConfiguration(self):
+ configs = [
+ Configuration.LDAP(self.options),
+- Configuration.Network(self.options),
+ Configuration.Kerberos(self.options),
+ Configuration.SSSD(self.options),
+ Configuration.Winbind(self.options),
+ Configuration.PWQuality(self.options),
+ Configuration.MakeHomedir(self.options),
+- Configuration.NIS(self.options)
+ ]
+
+ for config in configs:
+diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
+index 5c8b21b55014198d6d9dfc98bd807c3c922b06f4..79ead60fa9edc1244227e3b69df025471b7c7991 100644
+--- a/src/compat/authcompat_Options.py
++++ b/src/compat/authcompat_Options.py
+@@ -79,9 +79,6 @@ class Options:
+ # However, they will just make sure that an authentication against
+ # expected service is working. They may not result in the exact same
+ # configuration as authconfig would generate.
+- Option.Feature("nis", _("NIS for user information by default")),
+- Option.Valued("nisdomain", _(""), _("default NIS domain")),
+- Option.Valued("nisserver", _(""), _("default NIS server")),
+ Option.Feature("ldap", _("LDAP for user information by default")),
+ Option.Feature("ldapauth", _("LDAP for authentication by default")),
+ Option.Valued("ldapserver", _(""), _("default LDAP server hostname or URI")),
+@@ -164,6 +161,11 @@ class Options:
+ Option.UnsupportedFeature("locauthorize"),
+ Option.UnsupportedFeature("sysnetauth"),
+ Option.UnsupportedValued("faillockargs", _("")),
++
++ # NIS is no longer supported
++ Option.UnsupportedFeature("nis"),
++ Option.UnsupportedValued("nisdomain", _("")),
++ Option.UnsupportedValued("nisserver", _("")),
+ ]
+
+ Map = {
+diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
+index 888cd4e5a0750d4e1aa5898887f5f7fd42472741..d9777b9b473859d7ec532f39f7e14bd81c4f1b90 100644
+--- a/src/man/authselect-migration.7.adoc
++++ b/src/man/authselect-migration.7.adoc
+@@ -72,7 +72,7 @@ configuration file for required services.
+ |--enablesssd --enablesssdauth |sssd
+ |--enablekrb5 |sssd
+ |--enablewinbind --enablewinbindauth |winbind
+-|--enablenis |nis
++|--enablenis |none
+ |=========================================================
+
+ .Relation of authconfig options to authselect profile features
+--
+2.34.1
+
diff --git a/SOURCES/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch b/SOURCES/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
deleted file mode 100644
index 007679c..0000000
--- a/SOURCES/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
+++ /dev/null
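Review bot: Deleting `Configuration.NIS` in the added patch also deletes `disableService()`, the only code visible here that ran `cmd-setsebool` with `-P allow_ypbind 0` and disabled and stopped `rpcbind` and `ypbind`. With `nis` now an `Option.UnsupportedFeature`, a `--disablenis` call presumably produces only a warning, so a host that enabled NIS through an earlier release keeps the SELinux boolean and both services on after the upgrade and has no tool path left to turn them off. The dropped `elif self.options.getBool("nis")` branch likewise means `--enablenis` falls through to whatever profile the remaining branches select; the default is outside the hunk. I would add a sentence next to the `|--enablenis |none` row in `authselect-migration.7.adoc` stating that rpcbind, ypbind and the `allow_ypbind` boolean are no longer managed and must be reverted manually.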
@@ -1,25 +0,0 @@
-From 2e2a7143cbfa719905cb130a5e67313c65bf3b65 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Tue, 30 Oct 2018 14:08:12 +0100
-Subject: [PATCH 1/3] rhel9: remove mention of Fedora Change page in compat
- tool
-
----
- src/compat/authcompat.py.in.in | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
-index f879e08eb94e9620dfc28f245b0ea5815df7e4f2..e4b8c05c6a11a215529ba66f8b36b72a6ac18448 100755
---- a/src/compat/authcompat.py.in.in
-+++ b/src/compat/authcompat.py.in.in
-@@ -468,7 +468,6 @@ class AuthCompat:
- "It does not provide all capabilities of authconfig.\n"))
- print(_("IMPORTANT: authconfig is replaced by authselect, "
- "please update your scripts."))
-- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
- print(_("See man authselect-migration(7) to help you with migration to authselect"))
-
- options = self.options.getSetButUnsupported()
---
-2.29.2
-
diff --git a/SOURCES/9002-rhel9-remove-ecryptfs-support.patch b/SOURCES/9002-rhel9-remove-ecryptfs-support.patch
deleted file mode 100644
index 9a43bca..0000000
--- a/SOURCES/9002-rhel9-remove-ecryptfs-support.patch
+++ /dev/null
@@ -1,283 +0,0 @@ -From 6de7d2e033d67f23b33620a2b80f5a6c106bd6f5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Mon, 10 Jun 2019 10:53:15 +0200 -Subject: [PATCH 2/3] rhel9: remove ecryptfs support - ---- - profiles/nis/README | 3 --- - profiles/nis/fingerprint-auth | 1 - - profiles/nis/password-auth | 1 - - profiles/nis/postlogin | 4 ---- - profiles/nis/system-auth | 1 - - profiles/sssd/README | 3 --- - profiles/sssd/fingerprint-auth | 1 - - profiles/sssd/password-auth | 1 - - profiles/sssd/postlogin | 4 ---- - profiles/sssd/smartcard-auth | 1 - - profiles/sssd/system-auth | 1 - - profiles/winbind/README | 3 --- - profiles/winbind/fingerprint-auth | 1 - - profiles/winbind/password-auth | 1 - - profiles/winbind/postlogin | 4 ---- - profiles/winbind/system-auth | 1 - - src/compat/authcompat.py.in.in | 1 - - src/compat/authcompat_Options.py | 2 +- - src/man/authselect-migration.7.adoc | 5 ++--- - 19 files changed, 3 insertions(+), 36 deletions(-) - -diff --git a/profiles/nis/README b/profiles/nis/README -index 5dbb9b49fb7708ef3b073aff7e1883e3f9a0bd06..cac3428bf844b0a9d251015988583f4c1b15c3c9 100644 ---- a/profiles/nis/README -+++ b/profiles/nis/README -@@ -21,9 +21,6 @@ with-mkhomedir:: - Enable automatic creation of home directories for users on their - first login. - --with-ecryptfs:: -- Enable automatic per-user ecryptfs. -- - with-fingerprint:: - Enable authentication with fingerprint reader through *pam_fprintd*. 
- -diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth -index 756993cf1b2095f505208df19dd739dcaed1af31..eebec6d0d6edeae6a3eb224f0ff284016b0fc642 100644 ---- a/profiles/nis/fingerprint-auth -+++ b/profiles/nis/fingerprint-auth -@@ -13,7 +13,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth -index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..9a8ae9cde644a4ac981f4b9553af2f0f428bfebb 100644 ---- a/profiles/nis/password-auth -+++ b/profiles/nis/password-auth -@@ -17,7 +17,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin -index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644 ---- a/profiles/nis/postlogin -+++ b/profiles/nis/postlogin -@@ -1,7 +1,3 @@ --auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -- --password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -- - session optional pam_umask.so silent - session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet - session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} -diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth -index 
057b31e074f29c46b492fa310a954e281631800e..2e7462983d35e4a2f5cef8151ed53baaf7e5c790 100644 ---- a/profiles/nis/system-auth -+++ b/profiles/nis/system-auth -@@ -18,7 +18,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/sssd/README b/profiles/sssd/README -index 95ef5dc785ed0530122837b5e08d03590ed1ada5..ac063e8d065d0488279dc2381bdd7f8ac361bfcb 100644 ---- a/profiles/sssd/README -+++ b/profiles/sssd/README -@@ -40,9 +40,6 @@ with-mkhomedir:: - Enable automatic creation of home directories for users on their - first login. - --with-ecryptfs:: -- Enable automatic per-user ecryptfs. -- - with-smartcard:: - Enable authentication with smartcards through SSSD. 
Please note that - smartcard support must be also explicitly enabled within -diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth -index fe3cac7a976845017d034ac1158a38f889926ce8..ad0a95440ebd006ff88264177598c77afc472dda 100644 ---- a/profiles/sssd/fingerprint-auth -+++ b/profiles/sssd/fingerprint-auth -@@ -18,7 +18,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth -index d6953428cca7d6518f63c3fdbaabc4746c35f91b..6d87cbe0a805bf5d3ab2a6192d570b9e5c6dc143 100644 ---- a/profiles/sssd/password-auth -+++ b/profiles/sssd/password-auth -@@ -27,7 +27,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin -index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644 ---- a/profiles/sssd/postlogin -+++ b/profiles/sssd/postlogin -@@ -1,7 +1,3 @@ --auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -- --password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -- - session optional pam_umask.so silent - session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet - session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} -diff --git a/profiles/sssd/smartcard-auth 
b/profiles/sssd/smartcard-auth -index 230269c42508a50ad5b4677ab6514b9afe4d5fbf..874ffaca1b2c15c81adc4ca130c15834154bdc0e 100644 ---- a/profiles/sssd/smartcard-auth -+++ b/profiles/sssd/smartcard-auth -@@ -16,7 +16,6 @@ account required pam_permit.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth -index 6f914ea91eb7782d60959ced56112f9cc1365347..dfc53b4ce55a0d575dc4fe68004a846f43360ccc 100644 ---- a/profiles/sssd/system-auth -+++ b/profiles/sssd/system-auth -@@ -32,7 +32,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/winbind/README b/profiles/winbind/README -index 40a1a459355d2ee8ab98e31d2868cb24261e2c17..0e80bb697f8050ac8eb3c78d4f41945b9bcbba29 100644 ---- a/profiles/winbind/README -+++ b/profiles/winbind/README -@@ -33,9 +33,6 @@ with-mkhomedir:: - Enable automatic creation of home directories for users on their - first login. - --with-ecryptfs:: -- Enable automatic per-user ecryptfs. -- - with-fingerprint:: - Enable authentication with fingerprint reader through *pam_fprintd*. 
- -diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth -index c4b8261ca45d4f6b9eda03ea96850bb32d605d30..6262549af2ca8aed540e7a7e1d97e0ba3b2ef088 100644 ---- a/profiles/winbind/fingerprint-auth -+++ b/profiles/winbind/fingerprint-auth -@@ -17,7 +17,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth -index bbeca057d49102889e3eeee040ea256dbd751eef..aef4d5ce6a6ec9496deabc1010cde0370a3ecba7 100644 ---- a/profiles/winbind/password-auth -+++ b/profiles/winbind/password-auth -@@ -24,7 +24,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin -index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644 ---- a/profiles/winbind/postlogin -+++ b/profiles/winbind/postlogin -@@ -1,7 +1,3 @@ --auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -- --password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} -- - session optional pam_umask.so silent - session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet - session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} -diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth -index 
8e6026b782f8bd7e64632a9acedf304bd95f29e1..e4bdd0bf1c315c86cc8064625b80161baa5c455f 100644 ---- a/profiles/winbind/system-auth -+++ b/profiles/winbind/system-auth -@@ -25,7 +25,6 @@ password required pam_deny.so - - session optional pam_keyinit.so revoke - session required pam_limits.so --session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} - -session optional pam_systemd.so - session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} - session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in -index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755 ---- a/src/compat/authcompat.py.in.in -+++ b/src/compat/authcompat.py.in.in -@@ -520,7 +520,6 @@ class AuthCompat: - 'smartcard' : 'with-smartcard', - 'requiresmartcard' : 'with-smartcard-required', - 'fingerprint' : 'with-fingerprint', -- 'ecryptfs' : 'with-ecryptfs', - 'mkhomedir' : 'with-mkhomedir', - 'faillock' : 'with-faillock', - 'pamaccess' : 'with-pamaccess', -diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py -index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644 ---- a/src/compat/authcompat_Options.py -+++ b/src/compat/authcompat_Options.py -@@ -93,7 +93,6 @@ class Options: - Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")), - Option.Feature("requiresmartcard",_("require smart card for authentication by default")), - Option.Feature("fingerprint", _("authentication with fingerprint readers by default")), -- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")), - Option.Feature("krb5", _("Kerberos authentication by default")), - Option.Valued ("krb5kdc", _(""), _("default Kerberos KDC")), - Option.Valued ("krb5adminserver", _(""), _("default Kerberos admin server")), -@@ -141,6 +140,7 @@ class Options: - # 
layers and will produce warning when used. They will not affect - # the system. - Option.UnsupportedFeature("cache"), -+ Option.UnsupportedFeature("ecryptfs"), - Option.UnsupportedFeature("shadow"), - Option.UnsupportedSwitch ("useshadow"), - Option.UnsupportedFeature("md5"), -diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc -index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644 ---- a/src/man/authselect-migration.7.adoc -+++ b/src/man/authselect-migration.7.adoc -@@ -80,7 +80,6 @@ configuration file for required services. - |*Authconfig options* |*Authselect profile feature* - |--enablesmartcard |with-smartcard - |--enablefingerprint |with-fingerprint --|--enableecryptfs |with-ecryptfs - |--enablemkhomedir |with-mkhomedir - |--enablefaillock |with-faillock - |--enablepamaccess |with-pamaccess -@@ -95,8 +94,8 @@ authselect select sssd with-faillock - authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall - authselect select sssd with-smartcard - --authconfig --enableecryptfs --enablepamaccess --updateall --authselect select sssd with-ecryptfs with-pamaccess -+authconfig --enablepamaccess --updateall -+authselect select sssd with-pamaccess - - authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall - realm join -U Administrator --client-software=winbind WINBINDDOMAIN --- -2.29.2 - diff --git a/SOURCES/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch b/SOURCES/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch deleted file mode 100644 index 1d8c8fa..0000000 --- a/SOURCES/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch +++ /dev/null 
@@ -1,58 +0,0 @@
-From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Thu, 18 Feb 2021 13:38:53 +0100
-Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups
-
-The passwd and group databases will now default to files first.
-The order "sss files" can be enabled with "with-files-provider"
-feature.
----
- profiles/sssd/README | 5 +++++
- profiles/sssd/REQUIREMENTS | 4 ++++
- profiles/sssd/nsswitch.conf | 4 ++--
- 3 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/sssd/README b/profiles/sssd/README
-index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
---- a/profiles/sssd/README
-+++ b/profiles/sssd/README
-@@ -76,6 +76,11 @@ with-sudo::
- with-pamaccess::
- Check access.conf during account authorization.
-
-+with-files-domain::
-+ If set, SSSD will be contacted before "files" when resolving users and
-+ groups. The order in nsswitch.conf will be set to "sss files" instead of
-+ "files sss" for passwd and group maps.
-+
- with-files-access-provider::
- If set, account management for local users is handled also by pam_sss. This
- is needed if there is an explicitly configured domain with id_provider=files
-diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
-index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
---- a/profiles/sssd/REQUIREMENTS
-+++ b/profiles/sssd/REQUIREMENTS
-@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled.
See SSSD documentation fo
- - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
- is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
- - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
-+ {include if "with-files-domain"}
-+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
-+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
-+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
-\ No newline at end of file
-diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
-index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
---- a/profiles/sssd/nsswitch.conf
-+++ b/profiles/sssd/nsswitch.conf
-@@ -1,5 +1,5 @@
--passwd: sss files systemd {exclude if "with-custom-passwd"}
--group: sss files systemd {exclude if "with-custom-group"}
-+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
-+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
- netgroup: sss files {exclude if "with-custom-netgroup"}
- automount: sss files {exclude if "with-custom-automount"}
- services: sss files {exclude if "with-custom-services"}
---
-2.29.2
-
diff --git a/SOURCES/9004-rhel9-remove-support-for-for-resolved.patch b/SOURCES/9004-rhel9-remove-support-for-for-resolved.patch
deleted file mode 100644
index a009f8d..0000000
--- a/SOURCES/9004-rhel9-remove-support-for-for-resolved.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 259e4e50a97a5196436e3d7ed42d2ecf0be3203f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Mon, 31 May 2021 15:42:49 +0200
-Subject: [PATCH] rhel9: remove support for for resolved
-
-systemd-resolved is an experimental feature at this point and it
-should not be enabled by default. Steps to switch this feature on
-will be documented in RHEL guide.
-
-This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54.
----
- profiles/minimal/nsswitch.conf | 2 +-
- profiles/nis/nsswitch.conf | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
-index a9e4bc79a1090304542ccd8b43d1107eeb5304df..a39e4d32ebf79e8bf05f2db5753b01596222dc35 100644
---- a/profiles/minimal/nsswitch.conf
-+++ b/profiles/minimal/nsswitch.conf
-@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom
- automount: files {exclude if "with-custom-automount"}
- ethers: files {exclude if "with-custom-ethers"}
- group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
--hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
-+hosts: files dns myhostname {exclude if "with-custom-hosts"}
- initgroups: files {exclude if "with-custom-initgroups"}
- netgroup: files {exclude if "with-custom-netgroup"}
- networks: files {exclude if "with-custom-networks"}
-diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
-index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644
---- a/profiles/nis/nsswitch.conf
-+++ b/profiles/nis/nsswitch.conf
-@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"}
- automount: files nis {exclude if "with-custom-automount"}
- ethers: files nis {exclude if "with-custom-ethers"}
- group: files nis systemd {exclude if "with-custom-group"}
--hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
-+hosts: files
nis dns myhostname {exclude if "with-custom-hosts"}
- initgroups: files nis {exclude if "with-custom-initgroups"}
- netgroup: files nis {exclude if "with-custom-netgroup"}
- networks: files nis {exclude if "with-custom-networks"}
---
-2.31.1
-
diff --git a/SOURCES/9005-rhel9-remove-nis-support.patch b/SOURCES/9005-rhel9-remove-nis-support.patch
deleted file mode 100644
index 6fe3cdb..0000000
--- a/SOURCES/9005-rhel9-remove-nis-support.patch
+++ /dev/null
@@ -1,435 +0,0 @@ -From 7236f7a303215805de7195a8fdef7567543e8b0b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 9 Jun 2021 13:59:01 +0200 -Subject: [PATCH] rhel9: remove nis support - -NIS is no longer supported in RHEL9. ---- - profiles/Makefile.am | 13 ---- - profiles/nis/README | 111 ---------------------------- - profiles/nis/REQUIREMENTS | 13 ---- - profiles/nis/dconf-db | 3 - - profiles/nis/dconf-locks | 2 - - profiles/nis/nsswitch.conf | 14 ---- - profiles/nis/postlogin | 4 - - rpm/authselect.spec.in | 10 --- - src/compat/authcompat.py.in.in | 95 ------------------------ - src/compat/authcompat_Options.py | 8 +- - src/man/authselect-migration.7.adoc | 2 +- - 11 files changed, 6 insertions(+), 269 deletions(-) - delete mode 100644 profiles/nis/README - delete mode 100644 profiles/nis/REQUIREMENTS - delete mode 100644 profiles/nis/dconf-db - delete mode 100644 profiles/nis/dconf-locks - delete mode 100644 profiles/nis/nsswitch.conf - delete mode 100644 profiles/nis/postlogin - -diff --git a/profiles/Makefile.am b/profiles/Makefile.am -index 95e27147b2b0a229a76a293884d605484d3fa841..c658521de01130f19f669fe0a6cb86c11043a406 100644 ---- a/profiles/Makefile.am -+++ b/profiles/Makefile.am -@@ -13,19 +13,6 @@ dist_profile_minimal_DATA = \ - $(top_srcdir)/profiles/minimal/dconf-locks \ - $(NULL) - --profile_nisdir = $(authselect_profile_dir)/nis --dist_profile_nis_DATA = \ -- $(top_srcdir)/profiles/nis/nsswitch.conf \ -- $(top_srcdir)/profiles/nis/password-auth \ -- $(top_srcdir)/profiles/nis/postlogin \ -- $(top_srcdir)/profiles/nis/README \ -- $(top_srcdir)/profiles/nis/REQUIREMENTS \ -- $(top_srcdir)/profiles/nis/system-auth \ -- $(top_srcdir)/profiles/nis/fingerprint-auth \ -- $(top_srcdir)/profiles/nis/dconf-db \ -- $(top_srcdir)/profiles/nis/dconf-locks \ -- $(NULL) -- - profile_sssddir = $(authselect_profile_dir)/sssd - dist_profile_sssd_DATA = \ - $(top_srcdir)/profiles/sssd/nsswitch.conf \ -diff --git a/profiles/nis/README 
b/profiles/nis/README -deleted file mode 100644 -index cac3428bf844b0a9d251015988583f4c1b15c3c9..0000000000000000000000000000000000000000 ---- a/profiles/nis/README -+++ /dev/null -@@ -1,111 +0,0 @@ --Enable NIS for system authentication --==================================== -- --Selecting this profile will enable Network Information Services as the source --of identity and authentication providers. -- --NIS CONFIGURATION ------------------- -- --Authselect does not touch NIS configuration. Please, read NIS' documentation --to see how to configure it manually. -- --AVAILABLE OPTIONAL FEATURES ----------------------------- -- --with-faillock:: -- Enable account locking in case of too many consecutive -- authentication failures. -- --with-mkhomedir:: -- Enable automatic creation of home directories for users on their -- first login. -- --with-fingerprint:: -- Enable authentication with fingerprint reader through *pam_fprintd*. -- --with-pam-u2f:: -- Enable authentication via u2f dongle through *pam_u2f*. -- --with-pam-u2f-2fa:: -- Enable 2nd factor authentication via u2f dongle through *pam_u2f*. -- --without-pam-u2f-nouserok:: -- Module argument nouserok is omitted if also with-pam-u2f-2fa is used. -- *WARNING*: Omitting nouserok argument means that users without pam-u2f -- authentication configured will not be able to log in *INCLUDING* root. -- Make sure you are able to log in before losing root privileges. -- --with-silent-lastlog:: -- Do not produce pam_lastlog message during login. -- --with-pamaccess:: -- Check access.conf during account authorization. -- --with-nispwquality:: -- If this option is set pam_pwquality module will check password quality -- for NIS users as well as local users during password change. Without this -- option only local users passwords are checked. -- --without-nullok:: -- Do not add nullok parameter to pam_unix. 
-- --DISABLE SPECIFIC NSSWITCH DATABASES ------------------------------------- -- --Normally, nsswitch databases set by the profile overwrites values set in --user-nsswitch.conf. The following options can force authselect to --ignore value set by the profile and use the one set in user-nsswitch.conf --instead. -- --with-custom-aliases:: --Ignore "aliases" map set by the profile. -- --with-custom-automount:: --Ignore "automount" map set by the profile. -- --with-custom-ethers:: --Ignore "ethers" map set by the profile. -- --with-custom-group:: --Ignore "group" map set by the profile. -- --with-custom-hosts:: --Ignore "hosts" map set by the profile. -- --with-custom-initgroups:: --Ignore "initgroups" map set by the profile. -- --with-custom-netgroup:: --Ignore "netgroup" map set by the profile. -- --with-custom-networks:: --Ignore "networks" map set by the profile. -- --with-custom-passwd:: --Ignore "passwd" map set by the profile. -- --with-custom-protocols:: --Ignore "protocols" map set by the profile. -- --with-custom-publickey:: --Ignore "publickey" map set by the profile. -- --with-custom-rpc:: --Ignore "rpc" map set by the profile. -- --with-custom-services:: --Ignore "services" map set by the profile. -- --with-custom-shadow:: --Ignore "shadow" map set by the profile. -- --EXAMPLES ---------- --* Enable NIS with no additional modules -- -- authselect select nis -- --* Enable NIS and create home directories for users on their first login -- -- authselect select nis with-mkhomedir -diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS -deleted file mode 100644 -index c58aa2789f4ef064b7904cacf4fc3158dce7ad41..0000000000000000000000000000000000000000 ---- a/profiles/nis/REQUIREMENTS -+++ /dev/null -@@ -1,13 +0,0 @@ --Make sure that NIS service is configured and enabled. See NIS documentation for more information. 
-- {include if "with-fingerprint"} --- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"} -- {include if "with-pam-u2f"} --- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} -- - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} -- {include if "with-pam-u2f-2fa"} --- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} -- - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} -- {include if "with-mkhomedir"} --- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} -- is present and oddjobd service is enabled and active {include if "with-mkhomedir"} -- - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} -diff --git a/profiles/nis/dconf-db b/profiles/nis/dconf-db -deleted file mode 100644 -index bd32b2819f66acdc75ab0fc522ec85673d10ed72..0000000000000000000000000000000000000000 ---- a/profiles/nis/dconf-db -+++ /dev/null -@@ -1,3 +0,0 @@ --[org/gnome/login-screen] --enable-smartcard-authentication=false --enable-fingerprint-authentication={if "with-fingerprint":true|false} -diff --git a/profiles/nis/dconf-locks b/profiles/nis/dconf-locks -deleted file mode 100644 -index 8a36fa9568344338272786394aece872185d0ab3..0000000000000000000000000000000000000000 ---- a/profiles/nis/dconf-locks -+++ /dev/null -@@ -1,2 +0,0 @@ --/org/gnome/login-screen/enable-smartcard-authentication --/org/gnome/login-screen/enable-fingerprint-authentication -diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf -deleted file mode 100644 -index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..0000000000000000000000000000000000000000 ---- a/profiles/nis/nsswitch.conf -+++ /dev/null -@@ -1,14 +0,0 @@ --aliases: files nis {exclude if "with-custom-aliases"} --automount: files nis {exclude if 
"with-custom-automount"} --ethers: files nis {exclude if "with-custom-ethers"} --group: files nis systemd {exclude if "with-custom-group"} --hosts: files nis dns myhostname {exclude if "with-custom-hosts"} --initgroups: files nis {exclude if "with-custom-initgroups"} --netgroup: files nis {exclude if "with-custom-netgroup"} --networks: files nis {exclude if "with-custom-networks"} --passwd: files nis systemd {exclude if "with-custom-passwd"} --protocols: files nis {exclude if "with-custom-protocols"} --publickey: files nis {exclude if "with-custom-publickey"} --rpc: files nis {exclude if "with-custom-rpc"} --services: files nis {exclude if "with-custom-services"} --shadow: files nis {exclude if "with-custom-shadow"} -diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin -deleted file mode 100644 -index 04a11f049bc1e220c9064fba7b46eb243ddd4996..0000000000000000000000000000000000000000 ---- a/profiles/nis/postlogin -+++ /dev/null -@@ -1,4 +0,0 @@ --session optional pam_umask.so silent --session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet --session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} --session optional pam_lastlog.so silent noupdate showfailed -diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in -index 628d6c91e9b3b4448787915fc1f9ac42f445bfc6..a0d508a716603771878781a62168fe0a71207f66 100644 ---- a/rpm/authselect.spec.in -+++ b/rpm/authselect.spec.in -@@ -155,7 +155,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; - %dir %{_datadir}/authselect/vendor - %dir %{_datadir}/authselect/default - %dir %{_datadir}/authselect/default/minimal/ --%dir %{_datadir}/authselect/default/nis/ - %dir %{_datadir}/authselect/default/sssd/ - %dir %{_datadir}/authselect/default/winbind/ - %{_datadir}/authselect/default/minimal/nsswitch.conf -@@ -164,15 +163,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; - %{_datadir}/authselect/default/minimal/README - 
%{_datadir}/authselect/default/minimal/REQUIREMENTS - %{_datadir}/authselect/default/minimal/system-auth --%{_datadir}/authselect/default/nis/dconf-db --%{_datadir}/authselect/default/nis/dconf-locks --%{_datadir}/authselect/default/nis/fingerprint-auth --%{_datadir}/authselect/default/nis/nsswitch.conf --%{_datadir}/authselect/default/nis/password-auth --%{_datadir}/authselect/default/nis/postlogin --%{_datadir}/authselect/default/nis/README --%{_datadir}/authselect/default/nis/REQUIREMENTS --%{_datadir}/authselect/default/nis/system-auth - %{_datadir}/authselect/default/sssd/dconf-db - %{_datadir}/authselect/default/sssd/dconf-locks - %{_datadir}/authselect/default/sssd/fingerprint-auth -diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in -index 4e39b7ec66d0e2ba911c7280467ba78fd29c196c..7c0fdf341212250f03dc14ddf6680e90da8e217e 100755 ---- a/src/compat/authcompat.py.in.in -+++ b/src/compat/authcompat.py.in.in -@@ -240,20 +240,6 @@ class Configuration: - - config.write(keys) - -- class Network(Base): -- def __init__(self, options): -- super(Configuration.Network, self).__init__(options) -- -- def write(self): -- nisdomain = self.get("nisdomain") -- config = EnvironmentFile(Path.System('network')) -- -- if nisdomain is None: -- return -- -- config.set("NISDOMAIN", nisdomain) -- config.write() -- - class SSSD(Base): - def __init__(self, options): - super(Configuration.SSSD, self).__init__(options, ServiceName="sssd") -@@ -375,83 +361,6 @@ class Configuration: - # other applications may depend on it. 
- return - -- class NIS(Base): -- def __init__(self, options): -- super(Configuration.NIS, self).__init__(options) -- self.rpcbind = Service("rpcbind") -- self.ypbind = Service("ypbind") -- -- def isEnabled(self): -- if not self.isset("nis"): -- return None -- -- return self.getBool("nis") -- -- def enableService(self, nostart): -- if not self.isset("nisdomain"): -- return -- -- nisdom = self.get("nisdomain") -- -- if not nostart: -- cmd = Command(Path.System('cmd-domainname'), [nisdom]) -- cmd.run() -- -- cmd = Command(Path.System('cmd-setsebool'), -- ['-P', 'allow_ypbind', '1']) -- cmd.run() -- -- self.rpcbind.enable() -- self.ypbind.enable() -- -- if not nostart: -- self.rpcbind.start(Restart=False) -- self.ypbind.start() -- -- def disableService(self, nostop): -- if not nostop: -- cmd = Command(Path.System('cmd-domainname'), ["(none)"]) -- cmd.run() -- -- cmd = Command(Path.System('cmd-setsebool'), -- ['-P', 'allow_ypbind', '0']) -- cmd.run() -- -- self.rpcbind.disable() -- self.ypbind.disable() -- -- if not nostop: -- self.rpcbind.stop() -- self.ypbind.stop() -- -- def write(self): -- if not self.isset("nisdomain"): -- return -- -- output = "domain " + self.get("nisdomain") -- -- additional_servers = [] -- if self.isset("nisserver"): -- servers = self.get("nisserver").split(",") -- additional_servers = servers[1:] -- output += " server " + servers[0] + "\n" -- else: -- output += " broadcast\n" -- -- for server in additional_servers: -- output += "ypserver " + server + "\n" -- -- filename = Path.System('yp.conf') -- if self.getBool("test-call"): -- print("========== BEGIN Content of [%s] ==========" % filename) -- print(output) -- print("========== END Content of [%s] ==========\n" % filename) -- return -- -- with open(filename, "w") as f: -- f.write(output) -- -- - class AuthCompat: - def __init__(self): - self.sysconfig = EnvironmentFile(Path.System('authconfig')) -@@ -533,8 +442,6 @@ class AuthCompat: - if (self.options.getBool("ldap") or 
self.options.getBool("ldapauth") or - self.options.getBool("sssd") or self.options.getBool("sssdauth")): - profile = "sssd" -- elif self.options.getBool("nis"): -- profile = "nis" - elif self.options.getBool("winbind"): - profile = "winbind" - -@@ -591,13 +498,11 @@ class AuthCompat: - def writeConfiguration(self): - configs = [ - Configuration.LDAP(self.options), -- Configuration.Network(self.options), - Configuration.Kerberos(self.options), - Configuration.SSSD(self.options), - Configuration.Winbind(self.options), - Configuration.PWQuality(self.options), - Configuration.MakeHomedir(self.options), -- Configuration.NIS(self.options) - ] - - for config in configs: -diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py -index 433a3340bac29739174e78928701214c08ec6f3c..2712d85a377ee92c7816e3d2284302307084b0c4 100644 ---- a/src/compat/authcompat_Options.py -+++ b/src/compat/authcompat_Options.py -@@ -79,9 +79,6 @@ class Options: - # However, they will just make sure that an authentication against - # expected service is working. They may not result in the exact same - # configuration as authconfig would generate. 
-- Option.Feature("nis", _("NIS for user information by default")), -- Option.Valued ("nisdomain", _(""), _("default NIS domain")), -- Option.Valued ("nisserver", _(""), _("default NIS server")), - Option.Feature("ldap", _("LDAP for user information by default")), - Option.Feature("ldapauth", _("LDAP for authentication by default")), - Option.Valued ("ldapserver", _(""), _("default LDAP server hostname or URI")), -@@ -164,6 +161,11 @@ class Options: - Option.UnsupportedFeature("locauthorize"), - Option.UnsupportedFeature("sysnetauth"), - Option.UnsupportedValued ("faillockargs", _("")), -+ -+ # NIS is no longer supported -+ Option.UnsupportedFeature("nis"), -+ Option.UnsupportedValued ("nisdomain", _("")), -+ Option.UnsupportedValued ("nisserver", _("")), - ] - - Map = { -diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc -index a27af036738274d8d392f7fe1f7d59c89e9c4ffb..515104b160d956d04b9ec8cacd25d166983e02d5 100644 ---- a/src/man/authselect-migration.7.adoc -+++ b/src/man/authselect-migration.7.adoc -@@ -72,7 +72,7 @@ configuration file for required services. - |--enablesssd --enablesssdauth |sssd - |--enablekrb5 |sssd - |--enablewinbind --enablewinbindauth |winbind --|--enablenis |nis -+|--enablenis |none - |========================================================= - - .Relation of authconfig options to authselect profile features --- -2.20.1 - diff --git a/SPECS/authselect.spec b/SPECS/authselect.spec index 9c7ecbb..6ed5ad2 100644 --- a/SPECS/authselect.spec +++ b/SPECS/authselect.spec 
@@ -2,24 +2,19 @@ %define _empty_manifest_terminate_build 0 Name: authselect -Version: 1.2.3 -Release: 7%{?dist} +Version: 1.2.5 +Release: 1%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/authselect/authselect License: GPLv3+ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz -Patch0001: 0001-lib-avoid-freeing-uninitialized-variable-in-authsele.patch - ### Downstream Patches ### -%if 0%{?rhel} -Patch9001: 9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch -Patch9002: 9002-rhel9-remove-ecryptfs-support.patch -Patch9003: 9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch -Patch9004: 9004-rhel9-remove-support-for-for-resolved.patch -Patch0005: 9005-rhel9-remove-nis-support.patch -%endif +Patch0901: 0901-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch +Patch0902: 0902-rhel9-remove-ecryptfs-support.patch +Patch0903: 0903-rhel9-Revert-profiles-add-support-for-resolved.patch +Patch0904: 0904-rhel9-remove-nis-support.patch %global makedir %{_builddir}/%{name}-%{version} @@ -36,6 +31,7 @@ BuildRequires: po4a BuildRequires: %{_bindir}/a2x BuildRequires: libcmocka-devel >= 1.0.0 BuildRequires: libselinux-devel +BuildRequires: python3-devel Requires: authselect-libs%{?_isa} = %{version}-%{release} Suggests: sssd Suggests: samba-winbind @@ -70,8 +66,6 @@ command line tool and any other potential front-ends. Summary: Tool to provide minimum backwards compatibility with authconfig Obsoletes: authconfig < 7.0.1-6 Provides: authconfig -BuildRequires: python3-devel -BuildRequires: make Requires: authselect%{?_isa} = %{version}-%{release} Recommends: oddjob-mkhomedir Suggests: sssd @@ -104,7 +98,7 @@ done %build autoreconf -if -%configure --with-pythonbin="%{__python3}" +%configure --with-pythonbin="%{__python3}" --with-compat %make_build %check 
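Review bot: The renumbered downstream patch list in this hunk has no successor for `9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch`, and the `1.2.5-1` changelog entry further down does not say why it was dropped. Judging by its name, that patch set the lookup order for users and groups in the sssd profile, so if the 1.2.5 tarball does not already carry the same change, the rebase alters which identity source is consulted first. Presumably the change was merged upstream, but this should be confirmed against the shipped sssd `nsswitch.conf` template. Once confirmed, a changelog line such as `- Drop downstream files-first patch, included upstream` would record the decision.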
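Review bot: Removing `BuildRequires: make` from the compat subpackage in the `-70,8 +66,6` hunk leaves the `%make_build` call in `%build` without a declared provider, unless `make` is listed among the main package's BuildRequires, which lie outside the visible hunks. If it is not listed there, the build succeeds only when another dependency happens to pull `make` into the buildroot. Keeping `BuildRequires: make` next to the relocated `BuildRequires: python3-devel` would make the toolchain dependency explicit and the build reproducible in a minimal buildroot.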
@@ -160,11 +154,13 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %dir %{_datadir}/authselect/default/winbind/ %{_datadir}/authselect/default/minimal/dconf-db %{_datadir}/authselect/default/minimal/dconf-locks +%{_datadir}/authselect/default/minimal/fingerprint-auth %{_datadir}/authselect/default/minimal/nsswitch.conf %{_datadir}/authselect/default/minimal/password-auth %{_datadir}/authselect/default/minimal/postlogin %{_datadir}/authselect/default/minimal/README %{_datadir}/authselect/default/minimal/REQUIREMENTS +%{_datadir}/authselect/default/minimal/smartcard-auth %{_datadir}/authselect/default/minimal/system-auth %{_datadir}/authselect/default/sssd/dconf-db %{_datadir}/authselect/default/sssd/dconf-locks @@ -184,6 +180,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %{_datadir}/authselect/default/winbind/postlogin %{_datadir}/authselect/default/winbind/README %{_datadir}/authselect/default/winbind/REQUIREMENTS +%{_datadir}/authselect/default/winbind/smartcard-auth %{_datadir}/authselect/default/winbind/system-auth %{_libdir}/libauthselect.so.* %{_mandir}/man5/authselect-profiles.5* @@ -293,6 +290,12 @@ exit 0 exit 0 %changelog +* Thu May 5 2022 Pavel Březina - 1.2.5-1 +- Rebase to 1.2.5 (RHBZ #2080239) +- backup-restore now works correctly (RHBZ #2070541) +- add with-subid to sssd profile (RHBZ #2075192) +- add with-gssapi to sssd profile (RHBZ #2077893) + * Thu Aug 26 2021 Pavel Březina - 1.2.3-7 - Avoid freeing uninitialized variable in authselect_apply_changes (rhbz#1970871)