Hello community,

here is the log from the commit of package sssd for openSUSE:Factory checked in 
at 2026-05-04 12:49:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sssd (Old)
 and      /work/SRC/openSUSE:Factory/.sssd.new.30200 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sssd"

Mon May  4 12:49:15 2026 rev:149 rq:1350294 version:2.13.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/sssd/sssd.changes        2026-04-29 
19:18:37.687009002 +0200
+++ /work/SRC/openSUSE:Factory/.sssd.new.30200/sssd.changes     2026-05-04 
12:50:12.925323332 +0200
@@ -1,0 +2,17 @@
+Thu Apr 30 11:45:26 UTC 2026 - Samuel Cabrero <[email protected]>
+
+- Add support for UsrEtc; (bsc#1257643); Add patch
+  0016-UsrEtc.patch
+- The default configuration file is installed now in
+  /usr/etc/sssd/sssd.conf. It can be completely overridden by
+  manually creating the system specific config file
+  /etc/sssd/sssd.conf, or partially overridden by creating config
+  snippets in /etc/sssd/conf.d/ directory. Check sssd.conf manpage
+  for more details.
+- Use %pre scriptlet instead of %pretrans to migrate from
+  sssd-common [bsc#1257509].
+- The AD backend now uses realmd to update the machine account
+  password. The realmd package is recommended when installing
+  the ad backend.
+
+-------------------------------------------------------------------

New:
----
  0016-UsrEtc.patch

----------(New B)----------
  New:- Add support for UsrEtc; (bsc#1257643); Add patch
  0016-UsrEtc.patch
- The default configuration file is installed now in
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sssd.spec ++++++
--- /var/tmp/diff_new_pack.eL1jg3/_old  2026-05-04 12:50:13.997367473 +0200
+++ /var/tmp/diff_new_pack.eL1jg3/_new  2026-05-04 12:50:13.997367473 +0200
@@ -36,6 +36,7 @@
 Patch13:        harden_sssd-kcm.service.patch
 Patch14:        symvers.patch
 Patch15:        logrotate.patch
+Patch16:        0016-UsrEtc.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -75,7 +76,6 @@
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libcurl)
 %endif
-BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libnfsidmap)
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(libnl-route-3.0) >= 3.0
@@ -107,6 +107,7 @@
 Requires(post): permissions
 Requires(verify): permissions
 Requires:       sssd-ldap = %version-%release
+Requires(pre):  pam-config
 Requires(postun): pam-config
 Provides:       libsss_sudo = %version-%release
 Provides:       sssd-client = %version-%release
@@ -123,6 +124,7 @@
 %define gpocachepath   %sssdstatedir/gpo_cache
 %define keytabdir      %sssdstatedir/keytabs
 %define mcpath         %sssdstatedir/mc
+%global secdbpath      %sssdstatedir/secrets
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
 
 %if 0%{?suse_version} >= 1600
@@ -146,7 +148,7 @@
 License:        GPL-3.0-or-later
 Group:          System/Daemons
 Requires:       %name-krb5-common = %version-%release
-Requires:       adcli
+Recommends:     realmd
 
 %description ad
 A back-end provider that the SSSD can utilize to fetch identity data
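Review bot: `Recommends: realmd` is only a weak dependency, so an installation done without recommended packages ends up with the AD back end and neither `adcli` nor `realmd`. The changes entry says the AD backend now uses realmd to update the machine account password; on such systems that renewal would presumably stop, with nothing at install time pointing it out. Consider `Requires: realmd`, or keep the `Recommends` and add a spec comment naming the function that is lost without it, e.g. `# without realmd the machine account password is not renewed`.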
@@ -201,6 +203,7 @@
 License:        GPL-3.0-or-later
 Group:          System/Daemons
 Requires:       cyrus-sasl-gssapi
+Requires(post): sssd = %version-%release
 Requires(post): permissions
 Requires(verify): permissions
 
@@ -411,6 +414,9 @@
        --without-python2-bindings \
        --without-oidc-child \
        --with-sssd-user="%sssd_user" \
+%if "%{?_distconfdir}" != ""
+       --with-vendordir="%_distconfdir/sssd" \
+%endif
 %if 0%{?suse_version} >= 1600
        --with-selinux=yes \
        --with-subid \
@@ -429,11 +435,10 @@
 # Copy some defaults
 %if "%{?_distconfdir}" != ""
 install -Dpvm 0600 src/examples/sssd-example.conf 
"$b/%_distconfdir/sssd/sssd.conf"
-install -dvm 0755 "$b/%_distconfdir/sssd/conf.d"
 %else
 install -Dpm 0600 src/examples/sssd-example.conf 
"$b/%_sysconfdir/sssd/sssd.conf"
-install -dvm 0755 "$b/%_sysconfdir/sssd/conf.d"
 %endif
+install -dvm 0755 "$b/%_sysconfdir/sssd/conf.d"
 install -dv "$b/%_unitdir"
 %if 0%{?suse_version} > 1500
 install -dv "$b/%_distconfdir/logrotate.d"
@@ -497,6 +502,21 @@
 %make_build check || :
 
 %pre -f random.pre
+# Migrate sssd.service from sssd-common to sssd
+# bsc#1257509: systemctl is-active detects chroot in build env and
+# returns 0, creating the file and breaking the build. Use stdout
+# instead of return codes.
+if [ "$(systemctl is-enabled sssd.service)" = enabled ]; then
+       mkdir -p /run/systemd/rpm/
+       touch /run/systemd/rpm/sssd-was-enabled
+fi
+if [ "$(systemctl is-active sssd.service)" = active ]; then
+       mkdir -p /run/systemd/rpm/
+       touch /run/systemd/rpm/sssd-was-active
+fi
+# Migrate pam_sss.so from sssd-common to sssd (bsc#1226407)
+mkdir -p /run/systemd/rpm/
+%_sbindir/pam-config -q --sss 1> /run/systemd/rpm/pam-sss-state
 %service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket 
sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket 
sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket 
sssd-sudo.service sssd-sudo.socket
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
@@ -526,7 +546,9 @@
        "%_sbindir/pam-config" -d --sss || :
 fi
 # del_postun includes a try-restart
-%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket 
sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket 
sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket 
sssd-sudo.service sssd-sudo.socket
+%service_del_postun sssd.service sssd-autofs.socket sssd-nss.socket 
sssd-pac.socket sssd-pam.socket sssd-ssh.socket sssd-sudo.socket
+# These services have RefuseManualStart=true
+%service_del_postun_without_restart sssd-autofs.service sssd-nss.service 
sssd-pac.service sssd-pam.service sssd-ssh.service sssd-sudo.service
 
 %ldconfig_scriptlets -n libsss_certmap0
 %ldconfig_scriptlets -n libipa_hbac0
@@ -579,19 +601,6 @@
 
 %pre proxy -f random.pre
 
-%pretrans
-# Migrate sssd.service from sssd-common to sssd
-systemctl is-enabled sssd.service > /dev/null
-if [ $? -eq 0 ]; then
-       mkdir -p /run/systemd/rpm/
-       touch /run/systemd/rpm/sssd-was-enabled
-fi
-systemctl is-active sssd.service > /dev/null
-if [ $? -eq 0 ]; then
-       mkdir -p /run/systemd/rpm/
-       touch /run/systemd/rpm/sssd-was-active
-fi
-
 %posttrans
 %if "%{?_distconfdir}" != ""
 # Migration to /usr/etc, restore just created .rpmsave
@@ -601,21 +610,27 @@
 %endif
 # Migrate sssd.service from sssd-common to sssd
 if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
-       systemctl is-enabled sssd.service >/dev/null
-       if [ $? -ne 0 ]; then
+       if [ "$(systemctl is-enabled sssd.service)" != "enabled" ]; then
                echo "Migrating sssd.service, was enabled"
                systemctl enable sssd.service
        fi
        rm /run/systemd/rpm/sssd-was-enabled
 fi
 if [ -e /run/systemd/rpm/sssd-was-active ]; then
-       systemctl is-active sssd.service >/dev/null
-       if [ $? -ne 0 ]; then
+       if [ "$(systemctl is-active sssd.service)" != "active" ]; then
                echo "Migrating sssd.service, was active"
                systemctl start sssd.service
        fi
        rm /run/systemd/rpm/sssd-was-active
 fi
+# Migrate pam_sss.so from sssd-common to sssd (bsc#1226407)
+if [ -e /run/systemd/rpm/pam-sss-state ]; then
+       grep -q "auth:" /run/systemd/rpm/pam-sss-state
+       if [ $? -eq 0 ]; then
+               "%_sbindir/pam-config" -a --sss || :
+       fi
+       rm /run/systemd/rpm/pam-sss-state
+fi
 
 %files -f sssd.lang
 %license COPYING
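Review bot: A failed `pam-config -a --sss` in the added pam_sss migration block is swallowed by `|| :`, so if the module was dropped from the PAM stack during the package migration the transaction ends cleanly and nothing records why SSSD logins stopped working. A message on failure would cost one line: `"%_sbindir/pam-config" -a --sss || echo "sssd: could not re-enable pam_sss, run pam-config -a --sss" >&2`. The block also returns to the `grep ...; if [ $? -eq 0 ]` form that the rest of this commit moves away from; `if grep -q "auth:" /run/systemd/rpm/pam-sss-state; then` matches the neighbouring checks. The `%pre` hunk that writes the state file does so on every install or upgrade, not only when migrating from sssd-common, so this branch runs on every update.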
@@ -634,10 +649,11 @@
 %_unitdir/sssd-sudo.service
 %_sysusersdir/*sssd*
 %_tmpfilesdir/*sssd*
-%permissions_path/sssd
+%config(noreplace) %permissions_path/sssd
 %dir %_datadir/polkit-1
-%attr(0555,root,root) %dir %_datadir/polkit-1/rules.d
-%_datadir/polkit-1/rules.d/*
+%dir %attr(555,root,root) %_datadir/polkit-1/rules.d
+%_datadir/polkit-1/rules.d/sssd-pcsc.rules
+%_datadir/polkit-1/rules.d/sssd-realmd.rules
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
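Review bot: Marking `%permissions_path/sssd` as `%config(noreplace)` means a locally modified copy survives upgrades and the packaged version lands in an `.rpmnew` file instead. The `%caps(...)` tags are removed from the helper binaries later in this spec diff, so the capability and mode entries presumably come from this file, and a stale copy would leave the helpers with outdated settings after an update. A comment stating why the file has to be admin-editable would help, for example `# admins may tighten helper permissions here; review .rpmnew after updates`, or drop `noreplace` if that is not the intent.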
@@ -684,32 +700,32 @@
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) 
%_libexecdir/%name/sssd_pam
+%verify(not caps) %attr(750,root,%sssd_user) %_libexecdir/%name/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) 
%_libexecdir/%name/selinux_child
+%verify(not caps) %attr(750,root,%sssd_user) %_libexecdir/%name/selinux_child
 %endif
-%dir %sssdstatedir
-%attr(700,%sssd_user,%sssd_user) %dir %dbpath/
-%attr(755,%sssd_user,%sssd_user) %dir %pipepath/
-%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
-%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
-%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
-%attr(755,%sssd_user,%sssd_user) %dir %mcpath/
-%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
-%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
 %attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
+%attr(770,%sssd_user,%sssd_user) %dir %dbpath/
+%attr(775,%sssd_user,%sssd_user) %dir %mcpath/
+%attr(775,%sssd_user,%sssd_user) %dir %pipepath/
+%attr(770,%sssd_user,%sssd_user) %dir %pipepath/private/
+%attr(775,%sssd_user,%sssd_user) %dir %pubconfpath/
+%attr(770,%sssd_user,%sssd_user) %dir %gpocachepath/
+%attr(770,%sssd_user,%sssd_user) %dir %keytabdir/
+%attr(770,%sssd_user,%sssd_user) %dir %secdbpath/
+%attr(770,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/pki
 %if "%{?_distconfdir}" != ""
 %attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
-%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
 %attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
 %else
-%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
-%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
-%ghost %attr(640,root,%sssd_user) %config(noreplace) 
%_sysconfdir/sssd/sssd.conf
+%attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
 %endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
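Review bot: The rewritten `%attr` lines widen several state directories to the sssd group without any mention in the changes entry: `%dbpath`, `%pipepath/private` and `%keytabdir` go from 700 to 770, the log directory from 750 to 770, and the new `%secdbpath` is created 770 as well. These directories hold cached credentials and keytabs, so a short spec comment giving the reason for group write access (presumably running the daemon as the non-root `%sssd_user`) would make the change auditable. Separately, replacing `%caps(...)` with `%verify(not caps)` on `sssd_pam` and `selinux_child` (and on `krb5_child` and `ldap_child` in the krb5-common hunk) means `rpm -V` no longer reports a missing or altered file capability. If the capabilities are now assigned elsewhere, say so next to these lines, e.g. `# capabilities are assigned by the permissions file, not by rpm`.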
@@ -808,13 +824,13 @@
 %_mandir/??/man5/sssd-krb5.5*
 
 %files krb5-common
-%attr(755,root,root) %dir %pubconfpath/krb5.include.d
+%attr(775,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
 %config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) 
%_libexecdir/%name/krb5_child
-%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) 
%_libexecdir/%name/ldap_child
+%verify(not caps) %attr(750,root,%sssd_user) %_libexecdir/%name/krb5_child
+%verify(not caps) %attr(750,root,%sssd_user) %_libexecdir/%name/ldap_child
 %dir %{_datadir}/sssd/krb5-snippets
 %_datadir/%name/krb5-snippets/enable_sssd_conf_dir
 %_datadir/%name/krb5-snippets/sssd_enable_idp
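Review bot: `%pubconfpath/krb5.include.d` changes from `root:root 755` to `%sssd_user:%sssd_user 775`, which makes a directory of Kerberos configuration snippets writable by the unprivileged service account and its group. If `enable_sssd_conf_dir` (listed just below) pulls this directory into krb5.conf, as its name suggests, anything running as that account can then influence Kerberos settings for every process on the host, including root's. If the daemon has to write there when running non-root, record that in the spec, for example `# written by the sssd service user at runtime, hence not root-owned`.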

++++++ 0016-UsrEtc.patch ++++++
>From c85c8ffa04217396aab41729dec5308ab10e18aa Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <[email protected]>
Date: Fri, 6 Mar 2026 13:57:05 +0100
Subject: [PATCH 1/4] sssctl: Add missing new line

Signed-off-by: Samuel Cabrero <[email protected]>
---
 src/tools/sssctl/sssctl_config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index b29cef2a5..3fe228b18 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -126,7 +126,7 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
                                        SSSDDATADIR"/cfg_rules.ini",
                                        &strs, &num_errors);
     if (ret) {
-        PRINT("Failed to run validators");
+        PRINT("Failed to run validators\n");
         goto done;
     }
 
-- 
2.53.0


>From c6b2d599b74c2e79e89d5b4e872d2d6628ef3c33 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <[email protected]>
Date: Fri, 6 Mar 2026 13:53:47 +0100
Subject: [PATCH 2/4] confdb: Add UsrEtc support

Vendor provided configuration is installed in /usr/etc/sssd/sssd.conf.

Users can override it by creating /etc/sssd/sssd.conf, or override defaults
by dropping config snippets into /etc/sssd/conf.d/

Doc: https://en.opensuse.org/openSUSE:Packaging_UsrEtc
Doc: 
https://github.com/uapi-group/specifications/blob/main/specs/configuration_files_specification.md

:packaging: New configure option '--with-vendordir' to enable reading
the vendor provided configuration file.

Signed-off-by: Samuel Cabrero <[email protected]>
---
 Makefile.am                      |  1 +
 configure.ac                     |  1 +
 src/conf_macros.m4               | 13 ++++++++
 src/confdb/confdb.h              |  3 ++
 src/monitor/monitor.c            |  6 ++--
 src/responder/kcm/kcm.c          | 12 +++++--
 src/tools/sssctl/sssctl_config.c | 31 ++++++++++++------
 src/util/sss_config.c            | 55 ++++++++++++++++++++++++++++++++
 src/util/util.h                  |  3 ++
 9 files changed, 111 insertions(+), 14 deletions(-)
 create mode 100644 src/util/sss_config.c

diff --git a/Makefile.am b/Makefile.am
index d55dc3585..ef2ec40de 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1302,6 +1302,7 @@ libsss_util_la_SOURCES = \
     src/util/sss_chain_id.c \
     src/util/sss_time.c \
     src/util/sss_prctl.c \
+    src/util/sss_config.c \
     $(NULL)
 libsss_util_la_CFLAGS = \
     $(AM_CFLAGS) \
diff --git a/configure.ac b/configure.ac
index 0a58e9613..552a5583b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -201,6 +201,7 @@ WITH_TMPFILES_DIR
 WITH_UDEV_RULES_DIR
 WITH_SYSTEMD_SYSUSERS_DIR
 WITH_LDB_MODULES_PATH
+WITH_VENDOR_DIR
 
 m4_include([src/external/pkg.m4])
 m4_include([src/external/libpopt.m4])
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 898d779be..54a157023 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -973,3 +973,16 @@ AC_ARG_ENABLE([sensitive-logs],
 AS_IF([test x$enable_sensitive_logs = xyes],
       AC_DEFINE_UNQUOTED([ENABLE_SENSITIVE_LOGS], [1],
           [whether to enable logging sensitive data]))
+
+AC_DEFUN([WITH_VENDOR_DIR],
+  [ AC_ARG_WITH([vendordir],
+                  [AS_HELP_STRING([--with-vendordir=DIR],
+                                  [Directory for distribution provided 
configuration files])],
+                  [vendordir=$withval],
+                  [with_vendordir=no])
+    AS_IF([test x"$with_vendordir" != xno],
+          [
+            AC_DEFINE([USE_VENDORDIR], 1, [whether to use distribution 
provided configuration files]),
+            AC_DEFINE_UNQUOTED([SSSD_VENDOR_DIR], "$with_vendordir", 
[Directory for distribution provided configuration files])
+          ])
+  ])
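Review bot: Nothing in `WITH_VENDOR_DIR` checks that the value is an absolute path: a bare `--with-vendordir` leaves `with_vendordir=yes`, which defines `SSSD_VENDOR_DIR` as `"yes"` and would make the daemon look for its configuration relative to the working directory. Rejecting anything that is not `no` or an absolute path closes that off, e.g. `AS_CASE([$with_vendordir], [no|/*], [], [AC_MSG_ERROR([--with-vendordir needs an absolute path])])`. The comma after the first `AC_DEFINE([USE_VENDORDIR], ...)` sits inside the quoted AS_IF branch, so it most likely ends up as a literal `,` in the generated configure script and should be dropped. The action also assigns `vendordir=$withval` while the test reads `$with_vendordir`; using one name throughout would be easier to follow.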
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 7d4ea55b4..d99dd5e66 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -47,6 +47,9 @@
 #define CONFDB_DEFAULT_CONFIG_DIR 
SSSD_CONF_DIR"/"CONFDB_DEFAULT_CONFIG_DIR_NAME
 #define SSSD_MIN_ID 1
 #define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh"
+#if defined(USE_VENDORDIR)
+#define SSSD_VENDOR_CONFIG_FILE SSSD_VENDOR_DIR"/"SSSD_CONFIG_FILE_NAME
+#endif
 
 /* Configuration options */
 
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 7ace5ffc7..e0d2bff2d 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -1724,7 +1724,7 @@ int main(int argc, const char *argv[])
     int opt_version = 0;
     char *opt_config_file = NULL;
     const char *opt_logger = NULL;
-    char *config_file = NULL;
+    const char *config_file = NULL;
     int flags = FLAGS_NO_WATCHDOG;
     struct main_context *main_ctx;
     TALLOC_CTX *tmp_ctx;
@@ -1812,9 +1812,11 @@ int main(int argc, const char *argv[])
     if (opt_config_file) {
         config_file = talloc_strdup(tmp_ctx, opt_config_file);
     } else {
-        config_file = talloc_strdup(tmp_ctx, SSSD_CONFIG_FILE);
+        config_file = sss_get_default_config_file(tmp_ctx);
     }
     if (config_file == NULL) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Failed to get the configuration file name\n");
         ret = 2;
         goto out;
     }
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 8fd1af59c..d8044b6c5 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -395,10 +395,16 @@ int main(int argc, const char *argv[])
     debug_log_file = "sssd_kcm";
     DEBUG_INIT(debug_level, opt_logger);
 
-     if (opt_config_file == NULL) {
-        config_file = SSSD_CONFIG_FILE;
+    if (opt_config_file) {
+        config_file = talloc_strdup(tmp_ctx, opt_config_file);
     } else {
-        config_file = opt_config_file;
+        config_file = sss_get_default_config_file(tmp_ctx);
+    }
+    if (config_file == NULL) {
+        TALLOC_FREE(tmp_ctx);
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Failed to get the configuration file name\n");
+        return 2;
     }
 
    /* Parse config file, fail if cannot be done */
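Review bot: `config_file` now points at memory owned by `tmp_ctx` in both branches, where it used to be either the `SSSD_CONFIG_FILE` constant or the popt string, so its lifetime is tied to that context. `main` continues beyond this hunk and neither the allocation nor the release of `tmp_ctx` is visible here, so it is worth confirming that `tmp_ctx` outlives the last use of `config_file`. The error path also returns directly after `TALLOC_FREE(tmp_ctx)`, whereas the same check in monitor.c uses `ret = 2; goto out;`; following the function's existing cleanup path, if it has one, would keep the two entry points consistent.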
diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index 3fe228b18..d3d4878f0 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -68,6 +68,7 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
     TALLOC_CTX *tmp_ctx = NULL;
     const char *config_path = NULL;
     const char *config_snippet_path = NULL;
+    const char *config_file = NULL;
     struct poptOption long_options[] = {
         SSSD_CONFIG_OPTS(config_path)
         {"snippet", 's', POPT_ARG_STRING, &config_snippet_path,
@@ -92,25 +93,37 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
         goto done;
     }
 
-    if (config_path == NULL) {
-        config_path = SSSD_CONFIG_FILE;
+    if (config_path) {
+        config_file = talloc_strdup(tmp_ctx, config_path);
+    } else {
+        config_file = sss_get_default_config_file(tmp_ctx);
+    }
+    if (config_file == NULL) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Failed to get the configuration file name\n");
+        ret = ENOMEM;
+        goto done;
     }
 
     if (config_snippet_path == NULL) {
-        config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path);
-        if (config_snippet_path == NULL) {
-            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n");
-            ret = ENOMEM;
-            goto done;
+        if (config_path) {
+            config_snippet_path = sssctl_config_snippet_path(tmp_ctx, 
config_path);
+        } else {
+            config_snippet_path = talloc_strdup(tmp_ctx, 
CONFDB_DEFAULT_CONFIG_DIR);
         }
     }
+    if (config_snippet_path == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n");
+        ret = ENOMEM;
+        goto done;
+    }
 
     ret = sss_ini_read_sssd_conf(init_data,
-                                 config_path,
+                                 config_file,
                                  config_snippet_path);
 
     if (ret == ERR_INI_EMPTY_CONFIG) {
-        PRINT("File %1$s does not exist.\n", config_path);
+        PRINT("File %1$s does not exist.\n", config_file);
         PRINT("There is no configuration.\n");
         ret = ERR_INI_OPEN_FAILED;
         goto done;
diff --git a/src/util/sss_config.c b/src/util/sss_config.c
new file mode 100644
index 000000000..dc144f373
--- /dev/null
+++ b/src/util/sss_config.c
@@ -0,0 +1,55 @@
+/*
+    SSSD
+
+    sss_config.c
+
+    Authors:
+        Samuel Cabrero <[email protected]>
+
+    Copyright (C) 2026 SUSE LINUX GmbH, Nuernberg, Germany.
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "util/util.h"
+
+#ifdef USE_VENDORDIR
+#include <sys/stat.h>
+#endif
+
+const char *sss_get_default_config_file(TALLOC_CTX *mem_ctx)
+{
+    char *config_file = NULL;
+
+    config_file = talloc_strdup(mem_ctx, SSSD_CONFIG_FILE);
+    if (config_file == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory.\n");
+        return NULL;
+    }
+
+#if defined(USE_VENDORDIR)
+    struct stat stats = {0};
+    if (stat(config_file, &stats) < 0 && errno == ENOENT) {
+        TALLOC_FREE(config_file);
+        config_file = talloc_strdup(mem_ctx, SSSD_VENDOR_CONFIG_FILE);
+        if (config_file == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory.\n");
+            return NULL;
+        }
+        DEBUG(SSSDBG_CONF_SETTINGS, "Using vendor config file %s\n", 
config_file);
+    }
+#endif /* USE_VENDORDIR */
+
+    return config_file;
+}
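Review bot: `sss_get_default_config_file()` has no header comment, although its contract decides which file the daemon trusts as its configuration. I would add above the function: `/* Returns SSSD_CONFIG_FILE, or SSSD_VENDOR_CONFIG_FILE when built with USE_VENDORDIR and the former does not exist (stat() fails with ENOENT only). Allocated on mem_ctx; NULL on out of memory. */`. Spelling out the ENOENT-only rule makes it clear that an unreadable or otherwise broken local file is never silently replaced by the vendor defaults. The choice is made by `stat()` ahead of the later open in the callers, so the comment could also note that the file is not held open, and `errno`/`ENOENT` depend on `util/util.h` providing `<errno.h>`, which this hunk does not show.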
diff --git a/src/util/util.h b/src/util/util.h
index ccf0b30ab..8e6508f1c 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -866,4 +866,7 @@ errno_t sss_parse_dns_uri(TALLOC_CTX *ctx,
                           const char *uri,
                           struct sss_parsed_dns_uri **_parsed_uri);
 
+/* from sss_config.c */
+const char *sss_get_default_config_file(TALLOC_CTX *mem_ctx);
+
 #endif /* __SSSD_UTIL_H__ */
-- 
2.53.0


>From 9bbd45a3c6a0102e09847307da6f9e6415e9a444 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <[email protected]>
Date: Tue, 14 Apr 2026 17:14:23 +0200
Subject: [PATCH 3/4] doc: Document the config file hierarchy when vendor dir
 is enabled

Adds a section in sssd.conf manpage to explain how the vendor
provided configuration can be masked or overridden.

Signed-off-by: Samuel Cabrero <[email protected]>
---
 src/conf_macros.m4      |  2 ++
 src/man/Makefile.am     | 20 ++++++++++++++++++--
 src/man/sssd.conf.5.xml | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 54a157023..f9fff9df5 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -985,4 +985,6 @@ AC_DEFUN([WITH_VENDOR_DIR],
             AC_DEFINE([USE_VENDORDIR], 1, [whether to use distribution 
provided configuration files]),
             AC_DEFINE_UNQUOTED([SSSD_VENDOR_DIR], "$with_vendordir", 
[Directory for distribution provided configuration files])
           ])
+    AC_SUBST(SSSD_VENDOR_DIR, [$vendordir])
+    AM_CONDITIONAL([HAVE_VENDORDIR], [test x"$with_vendordir" != xno])
   ])
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index deb50317f..9c111aa48 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -67,9 +67,13 @@ endif
 if BUILD_SAMBA
 SAMBA_CONDS = ;with_samba
 endif
+if HAVE_VENDORDIR
+VENDORDIR_CONDS = ;have_vendordir
+endif
 
+sssdconfdir = $(sysconfdir)/sssd
 
-CONDS = 
with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(SUBID_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(LIBNL_CONDS)$(IDP_CONDS)$(JSON_PAM_CONDS)$(SAMBA_CONDS)
+CONDS = 
with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(SUBID_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(LIBNL_CONDS)$(IDP_CONDS)$(JSON_PAM_CONDS)$(SAMBA_CONDS)$(VENDORDIR_CONDS)
 
 
 #Special Rules:
@@ -125,6 +129,14 @@ $(builddir)/src/man/sssd_user_name.include:
        @mkdir -p $(builddir)/src/man
        @echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
 
+$(builddir)/src/man/sssd_vendor_dir.include:
+       @mkdir -p $(builddir)/src/man
+       @echo -n $(SSSD_VENDOR_DIR) > 
$(builddir)/src/man/sssd_vendor_dir.include
+
+$(builddir)/src/man/sssd_conf_dir.include:
+       @mkdir -p $(builddir)/src/man
+       @echo -n $(sssdconfdir) > $(builddir)/src/man/sssd_conf_dir.include
+
 %.1: %.1.xml
        $(XMLLINT) $(XMLLINT_FLAGS) $<
        $(XSLTPROC) -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
@@ -133,7 +145,7 @@ $(builddir)/src/man/sssd_user_name.include:
        $(XMLLINT) $(XMLLINT_FLAGS) $<
        $(XSLTPROC) -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
 
-%.5: %.5.xml $(builddir)/src/man/sssd_user_name.include
+%.5: %.5.xml $(builddir)/src/man/sssd_user_name.include 
$(builddir)/src/man/sssd_vendor_dir.include 
$(builddir)/src/man/sssd_conf_dir.include
        $(XMLLINT) --path "$(srcdir)/src/man:$(builddir)/src/man" 
$(XMLLINT_FLAGS) $<
        $(XSLTPROC) --path "$(srcdir)/src/man:$(builddir)/src/man" -o $@  
$(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
 
@@ -220,6 +232,8 @@ clean-local:
        rm -f $(man_MANS)
        rm -f man.stamp
        rm -f $(builddir)/src/man/sssd_user_name.include
+       rm -f $(builddir)/src/man/sssd_conf_dir.include
+       rm -f $(builddir)/src/man/sssd_vendor_dir.include
 
 else
 
@@ -230,6 +244,8 @@ clean-local:
        rm -f $(man_MANS)
        rm -f man.stamp
        rm -f $(builddir)/src/man/sssd_user_name.include
+       rm -f $(builddir)/src/man/sssd_conf_dir.include
+       rm -f $(builddir)/src/man/sssd_vendor_dir.include
 
 endif
 
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 952389e41..75eca2308 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3,6 +3,8 @@
 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd";
 [
 <!ENTITY sssd_user_name SYSTEM "sssd_user_name.include">
+<!ENTITY sssd_conf_dir SYSTEM "sssd_conf_dir.include">
+<!ENTITY sssd_vendor_dir SYSTEM "sssd_vendor_dir.include">
 ]>
 <reference>
 <title>SSSD Manual pages</title>
@@ -99,6 +101,39 @@
         </para>
     </refsect1>
 
+    <refsect1 id='vendor-dir' condition="have_vendordir">
+        <title>VENDOR PROVIDED CONFIGURATION</title>
+
+        <para>
+          The vendor provided configuraiton file is installed in
+          <filename>&sssd_vendor_dir;/sssd.conf</filename>, but this file must
+          not be directly edited. It can be completely masked by creating the
+          system specific configurtion file
+          <filename>&sssd_conf_dir;/sssd.conf</filename>, or partly overriden
+          by creating config snippets in
+          <filename>&sssd_conf_dir;/conf.d</filename> directory.
+        </para>
+        <refsect2 id='vendor-dir-conf-hierarchy'>
+          <title>CONFIGURATION FILE HIERARCHY</title>
+        <para>
+          When sssd reads the configuration it first tries to open the system
+          specific configuration file in
+          <filename>&sssd_conf_dir;/sssd.conf</filename>. If it exists, it is
+          loaded and snippets from <filename>&sssd_conf_dir;/conf.d</filename>
+          are applied. The vendor provided configuration file
+          <filename>&sssd_vendor_dir;/sssd.conf</filename> is completely 
ignored
+          in this case.
+        </para>
+        <para>
+          If the system specific configuration file
+          <filename>&sssd_conf_dir;/sssd.conf</filename> does not exist, then
+          the vendor configuration file
+          <filename>&sssd_vendor_dir;/sssd.conf</filename> is loaded and
+          snippets from <filename>&sssd_conf_dir;/conf.d</filename> are 
applied.
+        </para>
+      </refsect2>
+    </refsect1>
+
     <refsect1 id='general-options'>
         <title>GENERAL OPTIONS</title>
         <para>
-- 
2.53.0


>From 88154a8e08c362c224dcff60e161fe95b9f4ccdd Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <[email protected]>
Date: Wed, 29 Apr 2026 18:14:54 +0200
Subject: [PATCH 4/4] SYSTEMD: Add vendor provided configuration file as a
 triggering condition

If vendor directory is enabled (--with-vendordir=<dir>) then add the
vendor provided configuration file as a triggering condition to start
the service.

Signed-off-by: Samuel Cabrero <[email protected]>
---
 Makefile.am | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index ef2ec40de..346a56a80 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -101,7 +101,11 @@ ifp_dbus_exec_cmd = $(sssdlibexecdir)/sssd_ifp 
--socket-activated
 ifp_systemdservice = SystemdService=sssd-ifp.service
 # SSSD requires a configuration file (either /etc/sssd/sssd.conf,
 # or some snippet under /etc/sssd/sssd.conf.d/) to be present.
+if HAVE_VENDORDIR
+condconfigexists = 
ConditionPathExists=\|@SSSD_VENDOR_DIR@/sssd.conf\nConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
+else
 condconfigexists = 
ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
+endif
 
 # Bounding set needs to list capabilities required by ldap/krb5/selinux_childs 
and sssd_pam, otherwise they can't gain it.
 # Capabilities usage by binaries:
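Review bot: With `HAVE_VENDORDIR` the added `ConditionPathExists=|@SSSD_VENDOR_DIR@/sssd.conf` is satisfied whenever the vendor file is installed, so the unit's "start only when a configuration is present" guard no longer filters anything on such builds. The spec in this same submission installs `sssd-example.conf` at that path, so an enabled but never configured host would presumably start the daemon with the shipped example settings. If that is intended, the comment above `condconfigexists` should say so, e.g. `# With --with-vendordir the vendor sssd.conf also satisfies the condition.`; it still lists only the /etc paths and names `/etc/sssd/sssd.conf.d/` where the condition checks `/etc/sssd/conf.d/`.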
-- 
2.53.0


++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.eL1jg3/_old  2026-05-04 12:50:14.065370273 +0200
+++ /var/tmp/diff_new_pack.eL1jg3/_new  2026-05-04 12:50:14.073370602 +0200
@@ -1,5 +1,5 @@
-mtime: 1777385407
-commit: 81fca6509a353cd563568a519056fe04e1a38e432670f9eeb5e5d44a7ac32673
+mtime: 1777565936
+commit: 94c4b3ed832495fb52917ed503014d79b4b756f6a8eb9d8a16ab5d64ace0c8dc
 url: https://src.opensuse.org/jengelh/sssd
 revision: master
 

++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.eL1jg3/_old  2026-05-04 12:50:14.097371590 +0200
+++ /var/tmp/diff_new_pack.eL1jg3/_new  2026-05-04 12:50:14.101371755 +0200
@@ -2,6 +2,7 @@
        supplements "packageand(sssd:pam-<targettype>)"
        supplements "packageand(sssd:glibc-<targettype>)"
        -/usr/lib(64)?/*
+       +/usr/lib(64)?/libnss_sss.so*
        obsoletes "sssd-common-<targettype> < <version>"
        provides "sssd-common-<targettype> = <version>"
 

++++++ build.specials.obscpio ++++++

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2026-04-30 18:18:56.000000000 +0200
@@ -0,0 +1 @@
+.osc
