diff --git a/.gitignore b/.gitignore index eee5b09..5e4ac2c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/sssd-2.2.3.tar.gz +SOURCES/sssd-2.3.0.tar.gz diff --git a/.sssd.metadata b/.sssd.metadata index 3fa9e18..1dea3e7 100644 --- a/.sssd.metadata +++ b/.sssd.metadata @@ -1 +1 @@ -c2b457f85586750f5b22bfedd4cbca5b6f8fdb88 SOURCES/sssd-2.2.3.tar.gz +61b8704c33ea80104fa9d94017c704e333c3c552 SOURCES/sssd-2.3.0.tar.gz diff --git a/SOURCES/0001-INI-sssctl-config-check-command-error-messages.patch b/SOURCES/0001-INI-sssctl-config-check-command-error-messages.patch deleted file mode 100644 index 124b9be..0000000 --- a/SOURCES/0001-INI-sssctl-config-check-command-error-messages.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Tue, 10 Dec 2019 16:30:32 +0100 -Subject: [PATCH] INI: sssctl config-check command error messages -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case of parsing error sssctl config-check command does not give -proper error messages with line number. With this patch the error -message is printed again. - -Resolves: -https://pagure.io/SSSD/sssd/issue/4129 - -Reviewed-by: Michal Židek ---- - src/util/sss_ini.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index e3699805d..5d91602cd 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, - - ret = sss_ini_parse(self); - if (ret != EOK) { -+ sss_ini_config_print_errors(self->error_list); - DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n"); - return ERR_INI_PARSE_FAILED; - } --- -2.20.1 - diff --git a/SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch b/SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch new file mode 100644 index 0000000..52ba2f4 --- /dev/null +++ b/SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch 
@@ -0,0 +1,114 @@ +From a7c755672cd277497da3df4714f6d9457b6ac5ae Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 28 May 2020 15:02:43 +0200 +Subject: [PATCH] ad_gpo_ndr.c: more ndr updates +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch add another update to the ndr code which was previously +updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and +1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc. + +As missing update in ndr_pull_security_ace() cased +a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was +added to prevent similar issues in future. + +Resolves: https://github.com/SSSD/sssd/issues/5183 + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_gpo_ndr.c | 1 + + src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++ + 2 files changed, 58 insertions(+) + +diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c +index acd7b77c8..71d6d40f2 100644 +--- a/src/providers/ad/ad_gpo_ndr.c ++++ b/src/providers/ad/ad_gpo_ndr.c +@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr, + ndr->offset += pad; + } + if (ndr_flags & NDR_BUFFERS) { ++ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type)); + NDR_CHECK(ndr_pull_security_ace_object_ctr + (ndr, NDR_BUFFERS, &r->object)); + } +diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c +index 97f70408a..d1f7a6915 100644 +--- a/src/tests/cmocka/test_ad_gpo.c ++++ b/src/tests/cmocka/test_ad_gpo.c +@@ -347,6 +347,60 @@ void test_ad_gpo_ace_includes_host_sid_true(void **state) + group_size, ace_dom_sid, true); + } + ++uint8_t test_sid_data[] = { ++0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, ++0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, ++0xda, 0x0e, 0xba, 0x60, 0x0f, 
0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00, ++0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, ++0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, ++0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, ++0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, ++0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, ++0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, ++0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, ++0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, ++0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00, ++0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, ++0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, ++0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, ++0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00, ++0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11, ++0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, ++0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00, ++0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00 ++}; ++ ++void test_ad_gpo_parse_sd(void **state) ++{ ++ int ret; ++ struct security_descriptor *sd = NULL; ++ ++ ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd); ++ assert_int_equal(ret, EINVAL); ++ ++ ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd); ++ assert_int_equal(ret, EOK); ++ 
assert_non_null(sd); ++ assert_int_equal(sd->revision, 1); ++ assert_int_equal(sd->type, 39940); ++ assert_null(sd->owner_sid); ++ assert_null(sd->group_sid); ++ assert_null(sd->sacl); ++ assert_non_null(sd->dacl); ++ assert_int_equal(sd->dacl->revision, 4); ++ assert_int_equal(sd->dacl->size, 308); ++ assert_int_equal(sd->dacl->num_aces, 10); ++ assert_int_equal(sd->dacl->aces[0].type, 0); ++ assert_int_equal(sd->dacl->aces[0].flags, 0); ++ assert_int_equal(sd->dacl->aces[0].size, 36); ++ assert_int_equal(sd->dacl->aces[0].access_mask, 917693); ++ /* There are more components and ACEs in the security_descriptor struct ++ * which are not checked here. */ ++ ++ talloc_free(sd); ++} ++ + int main(int argc, const char *argv[]) + { + poptContext pc; +@@ -385,6 +439,9 @@ int main(int argc, const char *argv[]) + cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true, + ad_gpo_test_setup, + ad_gpo_test_teardown), ++ cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd, ++ ad_gpo_test_setup, ++ ad_gpo_test_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ +-- +2.21.1 + diff --git a/SOURCES/0002-certmap-mention-special-regex-characters-in-man-page.patch b/SOURCES/0002-certmap-mention-special-regex-characters-in-man-page.patch deleted file mode 100644 index 1eee827..0000000 --- a/SOURCES/0002-certmap-mention-special-regex-characters-in-man-page.patch +++ /dev/null 
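Review bot: `uint8_t test_sid_data[] = {` in the added test_ad_gpo.c hunk declares a mutable, externally visible file-scope array; in a test file it should be `static const uint8_t test_sid_data[] = {` (keep at least `static` if ad_gpo_parse_sd's prototype only accepts a non-const buffer). The new test_ad_gpo_parse_sd covers the NULL/0 argument and one well-formed descriptor only, while ad_gpo_parse_sd decodes a blob received from the domain controller; a third call with a truncated copy of the same input, `ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data) - 1, &sd); assert_int_not_equal(ret, EOK);`, would pin down that the NDR length checks reject short input instead of reading past the buffer. The expected value 39940 is 0x9c04, the control word stored little-endian at bytes 2-3 of the blob (`0x04, 0x9c`); writing it and the other decoded constants (308, 917693) in hex, or with a one-line comment naming the field they come from, would make the link to the test data visible to the next reader.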
@@ -1,42 +0,0 @@ -From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 12 Dec 2019 13:10:16 +0100 -Subject: [PATCH] certmap: mention special regex characters in man page -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since some of the matching rules use regular expressions some characters -must be escaped so that they can be used a ordinary characters in the -rules. - -Related to https://pagure.io/SSSD/sssd/issue/4127 - -Reviewed-by: Michal Židek ---- - src/man/sss-certmap.5.xml | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml -index db258d14a..10343625e 100644 ---- a/src/man/sss-certmap.5.xml -+++ b/src/man/sss-certmap.5.xml -@@ -92,6 +92,15 @@ - - Example: <SUBJECT>.*,DC=MY,DC=DOMAIN - -+ -+ Please note that the characters "^.[$()|*+?{\" have a -+ special meaning in regular expressions and must be -+ escaped with the help of the '\' character so that they -+ are matched as ordinary characters. -+ -+ -+ Example: <SUBJECT>^CN=.* \(Admin\),DC=MY,DC=DOMAIN$ -+ - - - --- -2.20.1 - diff --git a/SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch b/SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch new file mode 100644 index 0000000..9a6d266 --- /dev/null +++ b/SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch 
@@ -0,0 +1,39 @@ +From 532b75c937d767caf60bb00f1a525ae7f6c70cc6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 20 May 2020 12:07:13 +0200 +Subject: [PATCH] test: avoid endian issues in network tests + +Reviewed-by: Alexey Tikhonov +--- + src/tests/cmocka/test_nss_srv.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c +index 2c91d0a23..3cd7809cf 100644 +--- a/src/tests/cmocka/test_nss_srv.c ++++ b/src/tests/cmocka/test_nss_srv.c +@@ -35,6 +35,7 @@ + #include "util/util_sss_idmap.h" + #include "util/crypto/sss_crypto.h" + #include "util/crypto/nss/nss_util.h" ++#include "util/sss_endian.h" + #include "db/sysdb_private.h" /* new_subdomain() */ + #include "db/sysdb_iphosts.h" + #include "db/sysdb_ipnetworks.h" +@@ -5308,7 +5309,13 @@ struct netent test_netent = { + .n_name = discard_const("test_network"), + .n_aliases = discard_const(test_netent_aliases), + .n_addrtype = AF_INET, ++#if (__BYTE_ORDER == __LITTLE_ENDIAN) + .n_net = 0x04030201 /* 1.2.3.4 */ ++#elif (__BYTE_ORDER == __BIG_ENDIAN) ++ .n_net = 0x01020304 /* 1.2.3.4 */ ++#else ++ #error "unknow endianess" ++#endif + }; + + static void mock_input_netbyname(const char *name) +-- +2.21.1 + diff --git a/SOURCES/0003-ldap_child-do-not-try-PKINIT.patch b/SOURCES/0003-ldap_child-do-not-try-PKINIT.patch deleted file mode 100644 index c0d5c51..0000000 --- a/SOURCES/0003-ldap_child-do-not-try-PKINIT.patch +++ /dev/null 
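Review bot: The `#error "unknow endianess"` directive in the added test_nss_srv.c hunk has two typos; `#error "unknown endianness"` is what anyone grepping for the failure will expect. The `#if (__BYTE_ORDER == __LITTLE_ENDIAN)` / `#elif` chain relies on `util/sss_endian.h` (included in the first hunk of this file) to define both `__BYTE_ORDER` and the `__LITTLE_ENDIAN`/`__BIG_ENDIAN` constants; if any of them is undefined on some platform the preprocessor evaluates the comparison as `0 == 0` and silently selects the little-endian initializer, so a `#ifndef __BYTE_ORDER` / `#error` guard before the chain would turn that into a build-time failure rather than a wrong `.n_net` value.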
@@ -1,98 +0,0 @@ -From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 6 Dec 2019 12:29:49 +0100 -Subject: [PATCH] ldap_child: do not try PKINIT - -if the PKINIT plugin is installed and pkinit_identities is set in -/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only -wants to authenticate with a keytab. As a result ldap_child might try to -access a Smartcard which is either not allowed at all or might cause -unexpected delays. - -To avoid this the current patch sets pkinit_identities for LDAP child -explicitly to make the PKINIT plugin fail because if installed libkrb5 -will always use it. - -It turned out the setting pre-authentication options requires some -internal flags to be set and krb5_get_init_creds_opt_alloc() must be -used to initialize the options struct. - -Related to https://pagure.io/SSSD/sssd/issue/4126 - -Reviewed-by: Alexey Tikhonov ---- - src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++-------- - 1 file changed, 22 insertions(+), 8 deletions(-) - -diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c -index 408d64db4..b081df90f 100644 ---- a/src/providers/ldap/ldap_child.c -+++ b/src/providers/ldap/ldap_child.c -@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, - krb5_ccache ccache = NULL; - krb5_principal kprinc; - krb5_creds my_creds; -- krb5_get_init_creds_opt options; -+ krb5_get_init_creds_opt *options = NULL; - krb5_error_code krberr; - krb5_timestamp kdc_time_offset; - int canonicalize = 0; -@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, - } - - memset(&my_creds, 0, sizeof(my_creds)); -- memset(&options, 0, sizeof(options)); - -- krb5_get_init_creds_opt_set_address_list(&options, NULL); -- krb5_get_init_creds_opt_set_forwardable(&options, 0); -- krb5_get_init_creds_opt_set_proxiable(&options, 0); -- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime); -+ 
krberr = krb5_get_init_creds_opt_alloc(context, &options); -+ if (krberr != 0) { -+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n"); -+ goto done; -+ } -+ -+ krb5_get_init_creds_opt_set_address_list(options, NULL); -+ krb5_get_init_creds_opt_set_forwardable(options, 0); -+ krb5_get_init_creds_opt_set_proxiable(options, 0); -+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime); -+ krberr = krb5_get_init_creds_opt_set_pa(context, options, -+ "X509_user_identity", ""); -+ if (krberr != 0) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n", -+ krberr); -+ } -+ - - tmp_str = getenv("KRB5_CANONICALIZE"); - if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) { - DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n"); - canonicalize = 1; - } -- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize); -+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize); - - ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s", - DB_PATH, realm_name); -@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, - } - - krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, -- keytab, 0, NULL, &options); -+ keytab, 0, NULL, options); - if (krberr != 0) { - DEBUG(SSSDBG_OP_FAILURE, - "krb5_get_init_creds_keytab() failed: %d\n", krberr); -@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, - *expire_time_out = my_creds.times.endtime - kdc_time_offset; - - done: -+ krb5_get_init_creds_opt_free(context, options); - if (krberr != 0) { - if (*_krb5_msg == NULL) { - /* no custom error message provided hence get one from libkrb5 */ --- -2.20.1 - diff --git a/SOURCES/0003-sssctl-sssctl-config-check-alternative-config-file.patch b/SOURCES/0003-sssctl-sssctl-config-check-alternative-config-file.patch new file mode 100644 index 0000000..9934c57 --- /dev/null 
+++ b/SOURCES/0003-sssctl-sssctl-config-check-alternative-config-file.patch 
@@ -0,0 +1,137 @@ +From 61f4aaa56ea876fb75c1366c938818b7799408ab Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Wed, 29 Apr 2020 16:40:36 +0200 +Subject: [PATCH] sssctl: sssctl config-check alternative config file + +The sssctl config-check now allows to specify alternative config +file so it can be tested before rewriting system configuration. + + sssctl config-check -c ./sssd.conf + +Configuration snippets are looked up in the same place under +conf.d directory. It would be in ./conf.d/ for the example above. + +Resolves: +https://github.com/SSSD/sssd/issues/5142 + +Reviewed-by: Pawel Polawski +--- + src/confdb/confdb.h | 6 ++-- + src/tools/sssctl/sssctl_config.c | 56 ++++++++++++++++++++++++++++---- + 2 files changed, 53 insertions(+), 9 deletions(-) + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 0a5593232..a2b58e12a 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -40,8 +40,10 @@ + + #define CONFDB_DEFAULT_CFG_FILE_VER 2 + #define CONFDB_FILE "config.ldb" +-#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf" +-#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/conf.d" ++#define SSSD_CONFIG_FILE_NAME "sssd.conf" ++#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME ++#define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d" ++#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/"CONFDB_DEFAULT_CONFIG_DIR_NAME + #define SSSD_MIN_ID 1 + #define SSSD_LOCAL_MINID 1000 + #define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh" +diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c +index 74395b61c..de9f3de6e 100644 +--- a/src/tools/sssctl/sssctl_config.c ++++ b/src/tools/sssctl/sssctl_config.c +@@ -34,6 +34,29 @@ + + + #ifdef HAVE_LIBINI_CONFIG_V1_3 ++ ++static char *sssctl_config_snippet_path(TALLOC_CTX *ctx, const char *path) ++{ ++ char *tmp = NULL; ++ const char delimiter = '/'; ++ char *dpos = NULL; ++ ++ tmp = talloc_strdup(ctx, path); ++ if (!tmp) { ++ return NULL; ++ } ++ ++ dpos = strrchr(tmp, delimiter); ++ 
if (dpos != NULL) { ++ ++dpos; ++ *dpos = '\0'; ++ } else { ++ *tmp = '\0'; ++ } ++ ++ return talloc_strdup_append(tmp, CONFDB_DEFAULT_CONFIG_DIR_NAME); ++} ++ + errno_t sssctl_config_check(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +@@ -47,8 +70,15 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline, + size_t num_ra_error, num_ra_success; + char **strs = NULL; + TALLOC_CTX *tmp_ctx = NULL; +- +- ret = sss_tool_popt(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL); ++ const char *config_path = NULL; ++ const char *config_snippet_path = NULL; ++ struct poptOption long_options[] = { ++ {"config", 'c', POPT_ARG_STRING, &config_path, ++ 0, _("Specify a non-default config file"), NULL}, ++ POPT_TABLEEND ++ }; ++ ++ ret = sss_tool_popt(cmdline, long_options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; +@@ -62,17 +92,29 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline, + goto done; + } + ++ if (config_path != NULL) { ++ config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path); ++ if (config_snippet_path == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ } else { ++ config_path = SSSD_CONFIG_FILE; ++ config_snippet_path = CONFDB_DEFAULT_CONFIG_DIR; ++ } ++ + ret = sss_ini_read_sssd_conf(init_data, +- SSSD_CONFIG_FILE, +- CONFDB_DEFAULT_CONFIG_DIR); ++ config_path, ++ config_snippet_path); + + if (ret == ERR_INI_OPEN_FAILED) { +- PRINT("Failed to open %s\n", SSSD_CONFIG_FILE); ++ PRINT("Failed to open %s\n", config_path); + goto done; + } + + if (!sss_ini_exists(init_data)) { +- PRINT("File %1$s does not exist.\n", SSSD_CONFIG_FILE); ++ PRINT("File %1$s does not exist.\n", config_path); + } + + if (ret == ERR_INI_INVALID_PERMISSION) { +@@ -83,7 +125,7 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline, + + if (ret == ERR_INI_PARSE_FAILED) { + 
PRINT("Failed to load configuration from %s.\n", +- SSSD_CONFIG_FILE); ++ config_path); + goto done; + } + +-- +2.21.1 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index bc700d2..fa7ea36 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -8,12 +8,14 @@ %global install_pcscd_polkit_rule 1 +%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) + # Determine the location of the LDB modules directory %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb) %global ldb_version 1.2.0 %global enable_systemtap 1 - %global enable_systemtap_opt --enable-systemtap +%global enable_systemtap_opt --enable-systemtap %global libwbc_alternatives_version 0.14 %global libwbc_lib_version %{libwbc_alternatives_version}.0 @@ -23,8 +25,8 @@ %endif Name: sssd -Version: 2.2.3 -Release: 6%{?dist} +Version: 2.3.0 +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -32,9 +34,9 @@ URL: https://pagure.io/SSSD/sssd/ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz ### Patches ### -Patch0001: 0001-INI-sssctl-config-check-command-error-messages.patch -Patch0002: 0002-certmap-mention-special-regex-characters-in-man-page.patch -Patch0003: 0003-ldap_child-do-not-try-PKINIT.patch +Patch0001: 0001-ad_gpo_ndr.c-more-ndr-updates.patch +Patch0002: 0002-test-avoid-endian-issues-in-network-tests.patch +Patch0003: 0003-sssctl-sssctl-config-check-alternative-config-file.patch ### Downstream Patches ### @@ -119,7 +121,7 @@ BuildRequires: systemd-devel BuildRequires: systemd BuildRequires: cifs-utils-devel BuildRequires: libnfsidmap-devel -BuildRequires: samba4-devel +BuildRequires: samba-devel BuildRequires: libsmbclient-devel BuildRequires: samba-winbind BuildRequires: systemtap-sdt-devel 
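Review bot: `sssctl_config_snippet_path` in the added sssctl_config.c hunk has no comment describing its contract, and its result for a path without a `/` (the `*tmp = '\0';` branch followed by the append) is the bare relative name `conf.d`, resolved against the current working directory of the `sssctl config-check -c sssd.conf` invocation. A header comment such as `/* Return "<directory of path>/conf.d" allocated on ctx, or NULL on ENOMEM; a bare file name yields the relative "conf.d". */` would make that explicit, and the same fact belongs next to the `config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path);` call site, since the snippets loaded from that directory become part of the checked configuration. The `const char delimiter = '/';` local only serves the one `strrchr` call; `strrchr(tmp, '/')` reads the same and matches the style of the surrounding file.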
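Review bot: `%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})` runs `rpm -q` every time the spec is parsed, including `rpmbuild -bs` or `rpmspec` on a host where samba-devel is not installed; in that case the captured stdout is the `package samba-devel is not installed` message and the two new `Requires: samba-client-libs >= %{samba_package_version}` lines in the later hunks inherit it as their version string. Guarding the query (for example testing `rpm -q --quiet samba-devel` first and substituting a harmless default otherwise) keeps the spec usable outside the build root. As far as I can tell the literal `%{version}-%{release}` only reaches `rpm -q` unexpanded because the macro is defined before the `Version:` tag; escaping them as `%%{version}-%%{release}` would remove that dependence on line ordering.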
@@ -212,6 +214,7 @@ Requires: sssd-common = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} +Recommends: sssd-dbus %description tools Provides userspace tools for manipulating users, groups, and nested groups in @@ -309,6 +312,7 @@ Summary: The IPA back end of the SSSD Group: Applications/System License: GPLv3+ Conflicts: sssd < 1.10.0-8.beta2 +Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libipa_hbac%{?_isa} = %{version}-%{release} @@ -325,6 +329,7 @@ Summary: The AD back end of the SSSD Group: Applications/System License: GPLv3+ Conflicts: sssd < 1.10.0-8.beta2 +Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: sssd-common-pac = %{version}-%{release} @@ -597,6 +602,8 @@ autoreconf -ivf make %{?_smp_mflags} all docs +make -C po ja.gmo +make -C po fr.gmo %check export CK_TIMEOUT_MULTIPLIER=10 
@@ -1190,6 +1197,69 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Thu Jun 11 2020 Alexey Tikhonov - 2.3.0-2 +- Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. + +* Mon Jun 08 2020 Alexey Tikhonov - 2.3.0-1 +- Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 +- Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure +- Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working + +* Mon Mar 16 2020 Alexey Tikhonov - 2.2.3-19 +- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard + certificate EKU and perform an action based + on value when generating SSH key from a certificate + (additional patch) + +* Fri Mar 13 2020 Alexey Tikhonov - 2.2.3-19 +- Resolves: rhbz#1810634 - id command taking 1+ minute for returning user + information + +* Fri Feb 28 2020 Michal Židek - 2.2.3-18 +- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard + certificate EKU and perform an action based + on value when generating SSH key from a certificate + +* Mon Feb 24 2020 Alexey Tikhonov - 2.2.3-17 +- Resolves: rhbz#1718193 - p11_child should have an option to skip + C_WaitForSlotEvent if the PKCS#11 module + does not implement it properly + +* Mon Feb 17 2020 Alexey Tikhonov - 2.2.3-16 +- Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is + omitted and auth_provider is krb5 + +* Wed Feb 12 2020 Michal Židek - 2.2.3-15 +- Resolves: rhbz#1754996 - [sssd] Tier 0 Localization + +* Tue Jan 28 2020 Michal Židek - 2.2.3-14 +- Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be + specified up to the seconds + +* Tue Jan 28 2020 Michal Židek - 2.2.3-13 +- Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools + +* Tue Jan 28 2020 Michal Židek - 2.2.3-12 +* Resolves: rhbz#1794016 - sssd_be frequent crash + +* Tue Jan 14 2020 Michal Židek - 
2.2.3-11 +* Resolves: rhbz#1762415 - Force LDAPS over 636 with AD Access Provider + +* Tue Jan 14 2020 Michal Židek - 2.2.3-10 +* Resolves: rhbz#1583592 - [RFE] Add configurable randomness to SSSD ldap + connection timeout + +* Tue Jan 14 2020 Michal Židek - 2.2.3-9 +* Resolves: rhbz#1783190 - [abrt] [faf] sssd: + raise(): /usr/libexec/sssd/sssd_autofs killed by 6 + + +* Thu Dec 19 2019 Michal Židek - 2.2.3-8 +* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect + +* Thu Dec 19 2019 Michal Židek - 2.2.3-7 +* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect + * Sun Dec 15 2019 Michal Židek - 2.2.3-6 * Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized