URL: https://github.com/SSSD/sssd/pull/5474
Author: pbrezina
Title: #5474: spec: synchronize with Fedora 34 spec file
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5474/head:pr5474
git checkout pr5474
From 78d2066ea3ee32c319a78599266a7009ce302265 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Fri, 29 Jan 2021 12:41:28 +0100 Subject: [PATCH 01/15] sudo: do not search by low usn value to improve performance This is a follow up on these two commits. - 819d70ef6e6fa0e736ebd60a7f8a26f672927d57 - 6815844daa7701c76e31addbbdff74656cd30bea The first one improved the search filter a little bit to achieve better performance, however it also changed the behavior: we started to search for `usn >= 1` in the filter if no usn number was known. This caused issues on OpenLDAP server which was fixed by the second patch. However, the fix was wrong and searching by this meaningfully low number can cause performance issues depending on how the filter is optimized and evaluated on the server. Now we omit the usn attribute from the filter if there is no meaningful value. How to test: 1. Set up LDAP with no sudo rules defined 2. Make sure that the LDAP server does not support USN or use the following diff to enforce modifyTimestamp (last USN is always available from rootDSE) ```diff diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c index 32c0144b9..c853e4dc1 100644 --- a/src/providers/ldap/sdap.c +++ b/src/providers/ldap/sdap.c @@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name; entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name; if (rootdse) { - if (last_usn_name) { + if (false) { ret = sysdb_attrs_get_string(rootdse, last_usn_name, &last_usn_value); if (ret != EOK) { 
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, } } - if (!last_usn_name) { + if (true) { DEBUG(SSSDBG_FUNC_DATA, "No known USN scheme is supported by this server!\n"); if (!entry_usn_name) { ``` 3. Run SSSD with sudo and check that smart refresh filter does not contain modifyTimestamp 4. Add new sudo rule, check that the filter does contain it after the rule is cached Resolves: https://github.com/SSSD/sssd/issues/5483 --- src/providers/ldap/sdap_sudo_refresh.c | 3 ++- src/providers/ldap/sdap_sudo_shared.c | 21 ++++++--------------- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c index ddcb237811..3441dd8fd6 100644 --- a/src/providers/ldap/sdap_sudo_refresh.c +++ b/src/providers/ldap/sdap_sudo_refresh.c @@ -181,7 +181,8 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx, state->sysdb = id_ctx->be->domain->sysdb; /* Download all rules from LDAP that are newer than usn */ - if (srv_opts == NULL || srv_opts->max_sudo_value == 0) { + if (srv_opts == NULL || srv_opts->max_sudo_value == NULL + || strcmp(srv_opts->max_sudo_value, "0") == 0) { DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n"); usn = "0"; search_filter = talloc_asprintf(state, "(%s=%s)", diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c index 4f09957ea4..75d1bc3d85 100644 --- a/src/providers/ldap/sdap_sudo_shared.c +++ b/src/providers/ldap/sdap_sudo_shared.c 
@@ -129,25 +129,17 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx, static char * sdap_sudo_new_usn(TALLOC_CTX *mem_ctx, unsigned long usn, - const char *leftover, - bool supports_usn) + const char *leftover) { const char *str = leftover == NULL ? "" : leftover; char *newusn; - /* This is a fresh start and server uses modifyTimestamp. We need to - * provide proper datetime value. */ - if (!supports_usn && usn == 0) { - newusn = talloc_strdup(mem_ctx, "00000101000000Z"); - if (newusn == NULL) { - DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n"); - return NULL; - } - - return newusn; + /* Current largest USN is unknown so we keep "0" to indicate it. */ + if (usn == 0) { + return talloc_strdup(mem_ctx, "0"); } - /* We increment USN number so that we can later use simplify filter + /* We increment USN number so that we can later use simplified filter * (just usn >= last+1 instead of usn >= last && usn != last). */ usn++; @@ -219,8 +211,7 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, srv_opts->last_usn = usn_number; } - newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone, - srv_opts->supports_usn); + newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone); if (newusn == NULL) { return; } From 226f5a63bc2fc124801625e669f51492c8891316 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 21 Jan 2021 13:38:03 +0100 Subject: [PATCH 02/15] spec: synchronize with Fedora 34 spec file --- contrib/sssd.spec.in | 791 +++++++++---------------------------------- 1 file changed, 154 insertions(+), 637 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index f7e5ce1332..6fb573ded2 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in 
@@ -1,167 +1,49 @@ -# SSSD is running as root user by default. -# Set --with sssd_user or bcond_without to run SSSD as non-root user(sssd). -%bcond_with sssd_user +# SSSD SPEC file for Fedora 34+ and RHEL-9+ -%global rhel6_minor %(%{__grep} -o "6\\.[0-9]*" /etc/redhat-release |%{__sed} -s 's/6.//') -%global rhel7_minor %(%{__grep} -o "7\\.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//') +%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//') -%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) - -%if 0%{?rhel} && 0%{?rhel} <= 6 -%{!?__python2: %global __python2 /usr/bin/python2} -%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} -%endif - -%{!?python_provide: %global need_python_provide 1} -%if 0%{?need_python_provide} -%define python_provide() %{lua: - function string.starts(String, Start) - return string.sub(String, 1, string.len(Start)) == Start - end - package = rpm.expand("%{?1:%{1}}"); - vr = rpm.expand("%{?epoch:%{epoch}:}%{version}-%{release}") - if (string.starts(package, "python2-")) then - if (rpm.expand("%{?buildarch}") ~= "noarch") then - str = "Provides: python-" .. - string.sub(package, 9, string.len(package)) .. - "%{?_isa} = " .. vr; - print(rpm.expand(str)); - end - print("\\nProvides: python-"); - print(string.sub(package, 9, string.len(package))); - print(" = "); - print(vr); - --Obsoleting the previous default python package - if (rpm.expand("%{?buildarch}") ~= "noarch") then - str = "\\nObsoletes: python-" .. - string.sub(package, 9, string.len(package)) .. - "%{?_isa} < " .. 
vr; - print(rpm.expand(str)); - end - print("\\nObsoletes: python-"); - print(string.sub(package, 9, string.len(package))); - print(" < "); - print(vr); - elseif (string.starts(package, "python3-")) then - --No unversioned provides as python3 is not default - else - print("%python_provide: ERROR: "); - print(package); - print(" not recognized."); - end -} -%endif - -# Fedora and RHEL 6+ # we don't want to provide private python extension libs -%define __provides_exclude_from %{python2_sitearch}/.*\.so$ %define __provides_exclude_from %{python3_sitearch}/.*\.so$ -# workaround for rpm 4.13 -%define _empty_manifest_terminate_build 0 - -%if (0%{?fedora} || 0%{?rhel} >= 7) - %global use_systemd 1 -%endif +# SSSD fails to build with -Wl,-z,defs +%undefine _strict_symbol_defs_build -%if (0%{?fedora} || 0%{?rhel} >= 8) - %global enable_files_domain 1 -%endif +%define _hardened_build 1 -# on Fedora and RHEL7 p11_child needs a polkit config snippet to be allowed to -# talk to pcscd if SSSD runs as unprivileged user -%if (%{with sssd_user} && (0%{?fedora} || 0%{?rhel} >= 7)) - %global install_pcscd_polkit_rule 1 -%else %global enable_polkit_rules_option --disable-polkit-rules-path -%endif - -%if (0%{?use_systemd} == 1) - %global with_initscript --with-initscript=systemd --with-systemdunitdir=%{_unitdir} - %global with_syslog --with-syslog=journald -%else - %global with_initscript --with-initscript=sysv -%endif - -%global enable_experimental 1 - -%if (0%{?enable_experimental} == 1) - %global experimental --enable-all-experimental-features -%endif # Determine the location of the LDB modules directory %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb) +%global ldb_version 1.2.0 -%if (0%{?fedora} || 0%{?rhel} >= 7) -%define _hardened_build 1 -%endif - -%if (0%{?fedora} || 0%{?rhel} >= 7) %global with_cifs_utils_plugin 1 -%else - %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin -%endif - -%if (0%{?fedora} || 0%{?rhel} > 7) - %global with_python3 1 
-%else - %global with_python3_option --without-python3-bindings -%endif - -%if (0%{?fedora} > 28 || 0%{?rhel} > 7) - %global with_python2_option --without-python2-bindings -%else - %global with_python2 1 - %global with_python2_option --with-python2-bindings -%endif %global enable_systemtap 1 -%if (0%{?enable_systemtap} == 1) %global enable_systemtap_opt --enable-systemtap -%endif - -%global with_secrets 0 -%global with_secret_responder --without-secrets -%if (0%{?fedora} >= 23 || 0%{?rhel} >= 7) %global with_kcm 1 - %global with_kcm_option --with-kcm -%else - %global with_kcm_option --without-kcm -%endif -%if (0%{?fedora} >= 27 || 0%{?rhel} >= 7) %global with_gdm_pam_extensions 1 -%else - %global with_gdm_pam_extensions 0 -%endif - -# Do not try to detect the idmap version on RHEL6 to avoid conflicts between -# samba and samba4 package -%if (0%{?fedora} || 0%{?rhel} >= 7) - %global detect_idmap_version 1 -%else - %global with_idmap_version --with-smb-idmap-interface-version=5 -%endif -%global with_local_provider 0 -%if (0%{?fedora} <= 28 || 0%{?rhel <= 7}) - %global with_local_provider 1 - %global enable_local_provider --enable-local-provider +%if (0%{?fedora} > 28) || (0%{?rhel} > 7) + %global use_openssl 1 %endif Name: @PACKAGE_NAME@ Version: @PACKAGE_VERSION@ Release: 0@PRERELEASE_VERSION@%{?dist} -Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ -URL: https://github.com/SSSD/sssd -Source0: %{name}-%{version}.tar.gz -BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) +URL: https://github.com/SSSD/sssd/ +Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz ### Patches ### +# Place your patches here: +# Patch0001: 0001-patch-file.patch + +### Downstream only patches ### +# Place your downstream only patches here: +# Patch0901: 0901-downstream-only-patch-file.patch ### Dependencies ### 
@@ -170,15 +52,9 @@ Requires: sssd-ldap = %{version}-%{release} Requires: sssd-krb5 = %{version}-%{release} Requires: sssd-ipa = %{version}-%{release} Requires: sssd-ad = %{version}-%{release} -Requires: sssd-proxy = %{version}-%{release} -%if (0%{?with_python3} == 1) -Requires: python3-sssdconfig = %{version}-%{release} -%else -Requires: python2-sssdconfig = %{version}-%{release} -%endif -%if (0%{?fedora} >= 30 || 0%{?rhel} >= 8) -Recommends: logrotate -%endif +Recommends: sssd-proxy = %{version}-%{release} +Suggests: python3-sssdconfig = %{version}-%{release} +Suggests: sssd-dbus = %{version}-%{release} %global servicename sssd %global sssdstatedir %{_localstatedir}/lib/sss @@ -203,7 +79,7 @@ BuildRequires: popt-devel BuildRequires: libtalloc-devel BuildRequires: libtevent-devel BuildRequires: libtdb-devel -BuildRequires: libldb-devel +BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: libdhash-devel >= 0.4.2 BuildRequires: libcollection-devel BuildRequires: libini_config-devel >= 1.1 @@ -211,8 +87,7 @@ BuildRequires: dbus-devel BuildRequires: dbus-libs BuildRequires: openldap-devel BuildRequires: pam-devel -BuildRequires: p11-kit-devel -BuildRequires: openssl-devel +BuildRequires: nss-devel BuildRequires: nspr-devel BuildRequires: pcre-devel BuildRequires: libxslt @@ -220,12 +95,7 @@ BuildRequires: libxml2 BuildRequires: docbook-style-xsl BuildRequires: krb5-devel BuildRequires: c-ares-devel -%if (0%{?with_python2} == 1) -BuildRequires: python2-devel -%endif -%if (0%{?with_python3} == 1) BuildRequires: python3-devel -%endif BuildRequires: check-devel BuildRequires: doxygen BuildRequires: libselinux-devel 
@@ -234,106 +104,79 @@ BuildRequires: bind-utils BuildRequires: keyutils-libs-devel BuildRequires: gettext-devel BuildRequires: pkgconfig +BuildRequires: diffstat BuildRequires: findutils BuildRequires: glib2-devel BuildRequires: selinux-policy-targeted -%if (0%{?fedora} || 0%{?epel}) BuildRequires: libcmocka-devel >= 1.0.0 BuildRequires: uid_wrapper BuildRequires: nss_wrapper BuildRequires: pam_wrapper - -# p11tool from the gnutls-utils package and softhsm2-util from the softhsm package -# are needed to prepare the data needed for the p11_child Smartcard tests. -# Since p11_child only looks at slots with are flagged as 'removable' -# softhsm version 2.1.0 or higher is needed. -BuildRequires: gnutls-utils -BuildRequires: softhsm >= 2.1.0 - -BuildRequires: openssl -BuildRequires: openssh -%endif BuildRequires: libnl3-devel -%if (0%{?use_systemd} == 1) BuildRequires: systemd-devel BuildRequires: systemd -%endif -%if (0%{?with_cifs_utils_plugin} == 1) BuildRequires: cifs-utils-devel -%endif -%if (0%{?fedora} || (0%{?rhel} >= 7)) BuildRequires: libnfsidmap-devel -%else -BuildRequires: nfs-utils-lib-devel -%endif - -BuildRequires: samba-devel +BuildRequires: samba4-devel BuildRequires: libsmbclient-devel -%if (0%{?detect_idmap_version} == 1) BuildRequires: samba-winbind -%endif - -%if (0%{?enable_systemtap} == 1) BuildRequires: systemtap-sdt-devel -%endif -%if (0%{?with_secrets} == 1) BuildRequires: http-parser-devel -BuildRequires: libcurl-devel -%endif -%if (0%{?with_kcm} == 1) BuildRequires: libuuid-devel -%endif -%if (0%{?with_secrets} == 1 || 0%{?with_kcm} == 1) BuildRequires: jansson-devel -%endif -%if (0%{?with_gdm_pam_extensions} == 1) +BuildRequires: libcurl-devel BuildRequires: gdm-pam-extensions-devel +%if (0%{?use_openssl} == 1) +BuildRequires: p11-kit-devel +BuildRequires: openssl-devel +BuildRequires: gnutls-utils +BuildRequires: softhsm >= 2.1.0 %endif +BuildRequires: openssl +BuildRequires: openssh +BuildRequires: nss-tools %description Provides a set of 
daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward -the system and a pluggable backend system to connect to multiple different +the system and a plug-gable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. -The sssd subpackage is a meta-package that contains the daemon as well as all +The sssd sub-package is a meta-package that contains the daemon as well as all the existing back ends. %package common Summary: Common files for the SSSD -Group: Applications/System License: GPLv3+ +# Conflicts +Conflicts: selinux-policy < 3.10.0-46 +Conflicts: sssd < 1.10.0-8%{?dist}.beta2 +# Requires +# due to ABI changes in 1.1.30/1.2.0 +Requires: libldb >= %{ldb_version} Requires: sssd-client%{?_isa} = %{version}-%{release} -Requires: libsss_sudo = %{version}-%{release} -Requires: libsss_autofs%{?_isa} = %{version}-%{release} +Recommends: libsss_sudo = %{version}-%{release} +Recommends: libsss_autofs%{?_isa} = %{version}-%{release} +Recommends: sssd-nfs-idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} -Conflicts: sssd < %{version}-%{release} -%if (0%{?use_systemd} == 1) %{?systemd_requires} -%else -Requires(post): initscripts chkconfig -Requires(preun): initscripts chkconfig -Requires(postun): initscripts chkconfig -%endif ### Provides ### Provides: libsss_sudo-devel = %{version}-%{release} -Obsoletes: libsss_sudo-devel <= 1.9.93 +Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1 %description common Common files for the SSSD. The common package includes all the files needed to run a particular back end, however, the back ends are packaged in separate -subpackages such as sssd-ldap. +sub-packages such as sssd-ldap. 
%package client Summary: SSSD Client libraries for NSS and PAM -Group: Applications/System License: LGPLv3+ -Requires: libsss_nss_idmap = %{version}-%{release} -Requires: libsss_idmap = %{version}-%{release} Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig +Requires(post): /usr/sbin/alternatives +Requires(preun): /usr/sbin/alternatives %description client Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD @@ -341,42 +184,28 @@ service. %package -n libsss_sudo Summary: A library to allow communication between SUDO and SSSD -Group: Development/Libraries License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig +Conflicts: sssd-common < %{version}-%{release} %description -n libsss_sudo A utility library to allow communication between SUDO and SSSD %package -n libsss_autofs Summary: A library to allow communication between Autofs and SSSD -Group: Development/Libraries License: LGPLv3+ +Conflicts: sssd-common < %{version}-%{release} %description -n libsss_autofs A utility library to allow communication between Autofs and SSSD %package tools Summary: Userspace tools for use with the SSSD -Group: Applications/System License: GPLv3+ Requires: sssd-common = %{version}-%{release} -Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate -%if (0%{?with_python3} == 1) Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} -%else -Requires: python2-sss = %{version}-%{release} -Requires: python2-sssdconfig = %{version}-%{release} -%endif -%if (0%{?use_systemd} == 0) -Requires: /sbin/service -%endif -%if (0%{?fedora} >= 30 || 0%{?rhel} >= 8) Recommends: sssd-dbus -%endif %description tools Provides userspace tools for manipulating users, groups, and nested groups in 
@@ -388,51 +217,17 @@ Also provides several other administrative tools: * sss_obfuscate for generating an obfuscated LDAP password * sssctl -- an sssd status and control utility -%if (0%{?with_python2} == 1) -%package -n python2-sssdconfig -Summary: SSSD and IPA configuration file manipulation classes and functions -Group: Applications/System -License: GPLv3+ -BuildArch: noarch -%{?python_provide:%python_provide python2-sssdconfig} - -%description -n python2-sssdconfig -Provides python2 files for manipulation SSSD and IPA configuration files. -%endif - -%if (0%{?with_python3} == 1) %package -n python3-sssdconfig Summary: SSSD and IPA configuration file manipulation classes and functions -Group: Applications/System License: GPLv3+ BuildArch: noarch %{?python_provide:%python_provide python3-sssdconfig} %description -n python3-sssdconfig Provides python3 files for manipulation SSSD and IPA configuration files. -%endif - -%if (0%{?with_python2} == 1) -%package -n python2-sss -Summary: Python2 bindings for sssd -Group: Development/Libraries -License: LGPLv3+ -Requires: sssd-common = %{version}-%{release} -%{?python_provide:%python_provide python2-sss} -%description -n python2-sss -Provides python2 module for manipulating users, groups, and nested groups in -SSSD when using id_provider = local in /etc/sssd/sssd.conf. - -Also provides several other useful python2 bindings: - * function for retrieving list of groups user belongs to. - * class for obfuscation of passwords -%endif - -%if (0%{?with_python3} == 1) %package -n python3-sss Summary: Python3 bindings for sssd -Group: Development/Libraries License: LGPLv3+ Requires: sssd-common = %{version}-%{release} %{?python_provide:%python_provide python3-sss} 
@@ -444,38 +239,21 @@ SSSD when using id_provider = local in /etc/sssd/sssd.conf. Also provides several other useful python3 bindings: * function for retrieving list of groups user belongs to. * class for obfuscation of passwords -%endif -%if (0%{?with_python2} == 1) -%package -n python2-sss-murmur -Summary: Python2 bindings for murmur hash function -Group: Development/Libraries -License: LGPLv3+ -%{?python_provide:%python_provide python2-sss-murmur} - -%description -n python2-sss-murmur -Provides python2 module for calculating the murmur hash version 3 -%endif - -%if (0%{?with_python3} == 1) %package -n python3-sss-murmur Summary: Python3 bindings for murmur hash function -Group: Development/Libraries License: LGPLv3+ %{?python_provide:%python_provide python3-sss-murmur} %description -n python3-sss-murmur Provides python3 module for calculating the murmur hash version 3 -%endif %package ldap Summary: The LDAP back end of the SSSD -Group: Applications/System License: GPLv3+ -Conflicts: sssd < %{version}-%{release} +Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} -Requires: libsss_idmap = %{version}-%{release} %description ldap Provides the LDAP back end that the SSSD can utilize to fetch identity data @@ -483,10 +261,9 @@ from and authenticate against an LDAP server. %package krb5-common Summary: SSSD helpers needed for Kerberos and GSSAPI authentication -Group: Applications/System License: GPLv3+ -Conflicts: sssd < %{version}-%{release} -Requires: cyrus-sasl-gssapi +Conflicts: sssd < 1.10.0-8.beta2 +Requires: cyrus-sasl-gssapi%{?_isa} Requires: sssd-common = %{version}-%{release} %description krb5-common 
@@ -495,9 +272,8 @@ Kerberos user or host authentication. %package krb5 Summary: The Kerberos authentication back end for the SSSD -Group: Applications/System License: GPLv3+ -Conflicts: sssd < %{version}-%{release} +Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} @@ -507,10 +283,8 @@ against a Kerberos server. %package common-pac Summary: Common files needed for supporting PAC processing -Group: Applications/System License: GPLv3+ Requires: sssd-common = %{version}-%{release} -Requires: libsss_idmap = %{version}-%{release} %description common-pac Provides common files needed by SSSD providers such as IPA and Active Directory @@ -518,16 +292,13 @@ for handling Kerberos PACs. %package ipa Summary: The IPA back end of the SSSD -Group: Applications/System License: GPLv3+ -Conflicts: sssd < %{version}-%{release} -Requires: samba-client-libs >= %{samba_package_version} +Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} -Requires: libipa_hbac = %{version}-%{release} -Requires: bind-utils +Requires: libipa_hbac%{?_isa} = %{version}-%{release} +Recommends: bind-utils Requires: sssd-common-pac = %{version}-%{release} -Requires: libsss_idmap = %{version}-%{release} %description ipa Provides the IPA back end that the SSSD can utilize to fetch identity data 
@@ -535,15 +306,14 @@ from and authenticate against an IPA server. %package ad Summary: The AD back end of the SSSD -Group: Applications/System License: GPLv3+ -Conflicts: sssd < %{version}-%{release} -Requires: samba-client-libs >= %{samba_package_version} +Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: sssd-common-pac = %{version}-%{release} -Requires: libsss_idmap = %{version}-%{release} -Requires: bind-utils +Recommends: bind-utils +Recommends: adcli +Suggests: sssd-winbind-idmap = %{version}-%{release} %description ad Provides the Active Directory back end that the SSSD can utilize to fetch @@ -551,9 +321,8 @@ identity data from and authenticate against an Active Directory server. %package proxy Summary: The proxy back end of the SSSD -Group: Applications/System License: GPLv3+ -Conflicts: sssd < %{version}-%{release} +Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} %description proxy 
@@ -562,61 +331,36 @@ PAM modules to leverage SSSD caching. %package -n libsss_idmap Summary: FreeIPA Idmap library -Group: Development/Libraries License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig %description -n libsss_idmap -Utility library to convert SIDs to UNIX UIDs and GIDs +Utility library to convert SIDs to Unix uids and gids %package -n libsss_idmap-devel Summary: FreeIPA Idmap library -Group: Development/Libraries License: LGPLv3+ Requires: libsss_idmap = %{version}-%{release} %description -n libsss_idmap-devel -Utility library to SIDs to UNIX UIDs and GIDs +Utility library to SIDs to Unix uids and gids %package -n libipa_hbac Summary: FreeIPA HBAC Evaluator library -Group: Development/Libraries License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig %description -n libipa_hbac Utility library to validate FreeIPA HBAC rules for authorization requests %package -n libipa_hbac-devel Summary: FreeIPA HBAC Evaluator library -Group: Development/Libraries License: LGPLv3+ Requires: libipa_hbac = %{version}-%{release} %description -n libipa_hbac-devel Utility library to validate FreeIPA HBAC rules for authorization requests -%if (0%{?with_python2} == 1) -%package -n python2-libipa_hbac -Summary: Python2 bindings for the FreeIPA HBAC Evaluator library -Group: Development/Libraries -License: LGPLv3+ -Requires: libipa_hbac = %{version}-%{release} -Provides: libipa_hbac-python = %{version}-%{release} -Obsoletes: libipa_hbac-python < 1.12.90 -%{?python_provide:%python_provide python2-libipa_hbac} - -%description -n python2-libipa_hbac -The python2-libipa_hbac contains the bindings so that libipa_hbac can be -used by Python applications. 
-%endif - -%if (0%{?with_python3} == 1) %package -n python3-libipa_hbac Summary: Python3 bindings for the FreeIPA HBAC Evaluator library -Group: Development/Libraries License: LGPLv3+ Requires: libipa_hbac = %{version}-%{release} %{?python_provide:%python_provide python3-libipa_hbac} @@ -624,46 +368,24 @@ Requires: libipa_hbac = %{version}-%{release} %description -n python3-libipa_hbac The python3-libipa_hbac contains the bindings so that libipa_hbac can be used by Python applications. -%endif %package -n libsss_nss_idmap Summary: Library for SID and certificate based lookups -Group: Development/Libraries License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig %description -n libsss_nss_idmap Utility library for SID and certificate based lookups %package -n libsss_nss_idmap-devel Summary: Library for SID and certificate based lookups -Group: Development/Libraries License: LGPLv3+ Requires: libsss_nss_idmap = %{version}-%{release} %description -n libsss_nss_idmap-devel Utility library for SID and certificate based lookups -%if (0%{?with_python2} == 1) -%package -n python2-libsss_nss_idmap -Summary: Python2 bindings for libsss_nss_idmap -Group: Development/Libraries -License: LGPLv3+ -Requires: libsss_nss_idmap = %{version}-%{release} -Provides: libsss_nss_idmap-python = %{version}-%{release} -Obsoletes: libsss_nss_idmap-python < 1.12.90 -%{?python_provide:%python_provide python2-libsss_nss_idmap} - -%description -n python2-libsss_nss_idmap -The python2-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can -be used by Python applications. -%endif - -%if (0%{?with_python3} == 1) %package -n python3-libsss_nss_idmap Summary: Python3 bindings for libsss_nss_idmap -Group: Development/Libraries License: LGPLv3+ Requires: libsss_nss_idmap = %{version}-%{release} %{?python_provide:%python_provide python3-libsss_nss_idmap} 
@@ -671,11 +393,9 @@ Requires: libsss_nss_idmap = %{version}-%{release} %description -n python3-libsss_nss_idmap The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can be used by Python applications. -%endif %package dbus Summary: The D-Bus responder of the SSSD -Group: Applications/System License: GPLv3+ Requires: sssd-common = %{version}-%{release} %{?systemd_requires} @@ -684,33 +404,16 @@ Requires: sssd-common = %{version}-%{release} Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows the information from the SSSD to be transmitted over the system bus. -%if (0%{?install_pcscd_polkit_rule} == 1) -%package polkit-rules -Summary: Rules for polkit integration for SSSD -Group: Applications/System -License: GPLv3+ -Requires: polkit >= 0.106 -Requires: sssd-common = %{version}-%{release} - -%description polkit-rules -Provides rules for polkit integration with SSSD. This is required -for smartcard support. -%endif - %package -n libsss_simpleifp Summary: The SSSD D-Bus responder helper library -Group: Development/Libraries License: GPLv3+ Requires: sssd-dbus = %{version}-%{release} -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig %description -n libsss_simpleifp Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. %package -n libsss_simpleifp-devel Summary: The SSSD D-Bus responder helper library -Group: Development/Libraries License: GPLv3+ Requires: dbus-devel Requires: libsss_simpleifp = %{version}-%{release} @@ -720,10 +423,8 @@ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. %package winbind-idmap Summary: SSSD's idmap_sss Backend for Winbind -Group: Applications/System License: GPLv3+ and LGPLv3+ -Requires: libsss_nss_idmap = %{version}-%{release} -Requires: libsss_idmap = %{version}-%{release} +Conflicts: sssd-common < %{version}-%{release} %description winbind-idmap The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs 
@@ -731,8 +432,8 @@ and SIDs. %package nfs-idmap Summary: SSSD plug-in for NFSv4 rpc.idmapd -Group: Applications/System License: GPLv3+ +Conflicts: sssd-common < %{version}-%{release} %description nfs-idmap The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map @@ -741,27 +442,22 @@ UIDs/GIDs to names and vice versa. It can be also used for mapping principal %package -n libsss_certmap Summary: SSSD Certificate Mapping Library -Group: Development/Libraries License: LGPLv3+ -Requires(post): /sbin/ldconfig -Requires(postun): /sbin/ldconfig +Conflicts: sssd-common < %{version}-%{release} %description -n libsss_certmap Library to map certificates to users based on rules %package -n libsss_certmap-devel Summary: SSSD Certificate Mapping Library -Group: Development/Libraries License: LGPLv3+ Requires: libsss_certmap = %{version}-%{release} %description -n libsss_certmap-devel Library to map certificates to users based on rules -%if (0%{?with_kcm} == 1) %package kcm Summary: An implementation of a Kerberos KCM server -Group: Applications/System License: GPLv3+ Requires: sssd-common = %{version}-%{release} %{?systemd_requires} 
@@ -769,12 +465,36 @@ Requires: sssd-common = %{version}-%{release} %description kcm An implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache. -%endif %prep -%setup -q -n %{name}-%{version} +# Update timestamps on the files touched by a patch, to avoid non-equal +# .pyc/.pyo files across the multilib peers within a build, where "Level" +# is the patch prefix option (e.g. -p1) +# Taken from specfile for python-simplejson +UpdateTimestamps() { + Level=$1 + PatchFile=$2 + + # Locate the affected files: + for f in $(diffstat $Level -l $PatchFile); do + # Set the files to have the same timestamp as that of the patch: + touch -r $PatchFile $f + done +} + +%setup -q + +for p in %patches ; do + %__patch -p1 -i $p + UpdateTimestamps -p1 $p +done %build +# This package uses -Wl,-wrap to wrap calls at link time. This is incompatible +# with LTO. +# Disable LTO +%define _lto_cflags %{nil} + autoreconf -ivf %configure \ 
@@ -786,46 +506,36 @@ autoreconf -ivf --with-gpo-cache-path=%{gpocachepath} \ --with-init-dir=%{_initrddir} \ --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ - --enable-nsslibdir=/%{_lib} \ - --enable-pammoddir=/%{_lib}/security \ + --with-pid-path=%{_rundir} \ + --enable-nsslibdir=%{_libdir} \ + --enable-pammoddir=%{_libdir}/security \ --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ --disable-static \ --disable-rpath \ -%if %{with sssd_user} - --with-sssd-user=sssd \ + --with-initscript=systemd \ + --with-syslog=journald \ + --without-python2-bindings \ +%if (0%{?use_openssl} == 1) + --with-crypto=libcrypto \ %endif -%if (0%{?enable_files_domain} == 1) + --enable-sss-default-nss-plugin \ --enable-files-domain \ -%endif - %{with_initscript} \ - %{?with_syslog} \ + --enable-gss-spnego-for-zero-maxssf \ %{?with_cifs_utils_plugin_option} \ - %{?with_python2_option} \ - %{?with_python3_option} \ - %{?enable_polkit_rules_option} \ - %{?enable_systemtap_opt} \ - %{?with_secret_responder} \ - %{?with_kcm_option} \ - %{?with_idmap_version} \ - %{?enable_local_provider} \ - %{?experimental} + %{?enable_systemtap_opt} -make %{?_smp_mflags} all +%make_build all docs runstatedir=%{_rundir} -make %{?_smp_mflags} docs +sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate %check export CK_TIMEOUT_MULTIPLIER=10 -make %{?_smp_mflags} check VERBOSE=yes +%make_build check VERBOSE=yes unset CK_TIMEOUT_MULTIPLIER %install -%if (0%{?with_python3} == 1) -sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate -%endif - -make install DESTDIR=$RPM_BUILD_ROOT +%make_install # Prepare language files /usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd 
@@ -839,17 +549,13 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd # Kerberos KCM credential cache by default -%if (0%{?with_kcm} == 1) mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache -%endif -%if (0%{?with_cifs_utils_plugin} == 1) # Create directory for cifs-idmap alternative # Otherwise this directory could not be owned by sssd-client mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils -%endif # Remove .la files created by libtool find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; @@ -859,19 +565,10 @@ rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name} # Older versions of rpmbuild can only handle one -f option # So we need to append to the sssd*.lang file -%if (0%{?with_python2} == 1) -for file in `ls $RPM_BUILD_ROOT/%{python2_sitelib}/*.egg-info 2> /dev/null` -do - echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang -done -%endif - -%if (0%{?with_python3} == 1) for file in `ls $RPM_BUILD_ROOT/%{python3_sitelib}/*.egg-info 2> /dev/null` do echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang done -%endif touch sssd.lang for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \ @@ -943,15 +640,8 @@ done echo "sssd.lang:" cat sssd.lang -%if (0%{?with_python2} == 1) -echo "python2_sssdconfig.lang:" -cat python2_sssdconfig.lang -%endif - -%if (0%{?with_python3} == 1) echo "python3_sssdconfig.lang:" cat python3_sssdconfig.lang -%endif for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \ sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \ 
@@ -961,22 +651,13 @@ do cat $subpackage.lang done -# must be defined after last occurrence of package otherwise -# RPM will overwrite %%license as soon as it parses a License: tag -%if 0%{?rhel} <= 6 -%define license %doc -%endif - %files -%defattr(-,root,root,-) %license COPYING %files common -f sssd.lang -%defattr(-,root,root,-) %license COPYING %doc src/examples/sssd-example.conf %{_sbindir}/sssd -%if (0%{?use_systemd} == 1) %{_unitdir}/sssd.service %{_unitdir}/sssd-autofs.socket %{_unitdir}/sssd-autofs.service @@ -991,9 +672,6 @@ done %{_unitdir}/sssd-ssh.service %{_unitdir}/sssd-sudo.socket %{_unitdir}/sssd-sudo.service -%else -%{_initrddir}/%{name} -%endif %dir %{_libexecdir}/%{servicename} %{_libexecdir}/%{servicename}/sssd_be @@ -1003,9 +681,7 @@ done %{_libexecdir}/%{servicename}/sssd_ssh %{_libexecdir}/%{servicename}/sssd_sudo %{_libexecdir}/%{servicename}/p11_child -%if (0%{?use_systemd} == 1) %{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders -%endif %dir %{_libdir}/%{name} # The files provider is intentionally packaged in -common @@ -1021,15 +697,12 @@ done %{_libdir}/%{name}/libsss_ldap_common.so %{_libdir}/%{name}/libsss_util.so %{_libdir}/%{name}/libsss_semanage.so -%{_libdir}/%{name}/libsss_sbus.so -%{_libdir}/%{name}/libsss_sbus_sync.so -%{_libdir}/%{name}/libsss_iface.so -%{_libdir}/%{name}/libsss_iface_sync.so %{_libdir}/%{name}/libifp_iface.so %{_libdir}/%{name}/libifp_iface_sync.so -%if (0%{?with_secrets} == 1 || 0%{?with_kcm} == 1) -%{_libdir}/%{name}/libsss_secrets.so -%endif +%{_libdir}/%{name}/libsss_iface.so +%{_libdir}/%{name}/libsss_iface_sync.so +%{_libdir}/%{name}/libsss_sbus.so +%{_libdir}/%{name}/libsss_sbus_sync.so %{ldb_modulesdir}/memberof.so %{_bindir}/sss_ssh_authorizedkeys 
@@ -1039,31 +712,36 @@ done %dir %{sssdstatedir} %dir %{_localstatedir}/cache/krb5rcache -%attr(700,sssd,sssd) %dir %{dbpath} -%attr(775,sssd,sssd) %dir %{mcpath} -%attr(751,sssd,sssd) %dir %{deskprofilepath} -%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd -%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group -%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups -%attr(755,sssd,sssd) %dir %{pipepath} -%attr(750,sssd,root) %dir %{pipepath}/private -%attr(755,sssd,sssd) %dir %{pubconfpath} -%attr(755,sssd,sssd) %dir %{gpocachepath} -%attr(750,sssd,sssd) %dir %{_var}/log/%{name} -%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd -%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d -%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/pki -%ghost %attr(0600,sssd,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%attr(700,root,root) %dir %{dbpath} +%attr(775,root,root) %dir %{mcpath} +%attr(700,root,root) %dir %{secdbpath} +%attr(751,root,root) %dir %{deskprofilepath} +%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd +%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group +%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups +%attr(755,root,root) %dir %{pipepath} +%attr(700,root,root) %dir %{pipepath}/private +%attr(755,root,root) %dir %{pubconfpath} +%attr(755,root,root) %dir %{gpocachepath} +%attr(750,root,root) %dir %{_var}/log/%{name} +%attr(700,root,root) %dir %{_sysconfdir}/sssd +%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d +%if (0%{?use_openssl} == 1) +%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki +%endif +%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %dir %{_sysconfdir}/logrotate.d %config(noreplace) %{_sysconfdir}/logrotate.d/sssd %dir %{_sysconfdir}/rwtab.d %config(noreplace) %{_sysconfdir}/rwtab.d/sssd %dir %{_datadir}/sssd -%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils 
+%{_sysconfdir}/pam.d/sssd-shadowutils %dir %{_libdir}/%{name}/conf %{_libdir}/%{name}/conf/sssd.conf %{_datadir}/sssd/cfg_rules.ini +%{_datadir}/sssd/sssd.api.conf +%{_datadir}/sssd/sssd.api.d %{_mandir}/man1/sss_ssh_authorizedkeys.1* %{_mandir}/man1/sss_ssh_knownhostsproxy.1* %{_mandir}/man5/sssd.conf.5* @@ -1073,7 +751,6 @@ done %{_mandir}/man5/sssd-session-recording.5* %{_mandir}/man8/sssd.8* %{_mandir}/man8/sss_cache.8* -%if (0%{?enable_systemtap} == 1) %dir %{_datadir}/sssd/systemtap %{_datadir}/sssd/systemtap/id_perf.stp %{_datadir}/sssd/systemtap/nested_group_perf.stp 
@@ -1084,77 +761,60 @@ done %{_datadir}/systemtap/tapset/sssd.stp %{_datadir}/systemtap/tapset/sssd_functions.stp %{_mandir}/man5/sssd-systemtap.5* -%endif -%if (0%{?install_pcscd_polkit_rule} == 1) -%files polkit-rules -%{_datadir}/polkit-1/rules.d/* -%endif %files ldap -f sssd_ldap.lang -%defattr(-,root,root,-) %license COPYING %{_libdir}/%{name}/libsss_ldap.so %{_mandir}/man5/sssd-ldap.5* %{_mandir}/man5/sssd-ldap-attributes.5* %files krb5-common -%defattr(-,root,root,-) %license COPYING -%attr(755,sssd,sssd) %dir %{pubconfpath}/krb5.include.d -%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child -%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child +%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d +%{_libexecdir}/%{servicename}/ldap_child +%{_libexecdir}/%{servicename}/krb5_child %files krb5 -f sssd_krb5.lang -%defattr(-,root,root,-) %license COPYING %{_libdir}/%{name}/libsss_krb5.so %{_mandir}/man5/sssd-krb5.5* %files common-pac -%defattr(-,root,root,-) %license COPYING %{_libexecdir}/%{servicename}/sssd_pac %files ipa -f sssd_ipa.lang -%defattr(-,root,root,-) %license COPYING -%attr(700,sssd,sssd) %dir %{keytabdir} +%attr(700,root,root) %dir %{keytabdir} %{_libdir}/%{name}/libsss_ipa.so -%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child +%{_libexecdir}/%{servicename}/selinux_child %{_mandir}/man5/sssd-ipa.5* %files ad -f sssd_ad.lang -%defattr(-,root,root,-) %license COPYING %{_libdir}/%{name}/libsss_ad.so %{_libexecdir}/%{servicename}/gpo_child %{_mandir}/man5/sssd-ad.5* %files proxy -%defattr(-,root,root,-) %license COPYING -%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/proxy_child +%{_libexecdir}/%{servicename}/proxy_child %{_libdir}/%{name}/libsss_proxy.so %files dbus -f sssd_dbus.lang -%defattr(-,root,root,-) %license COPYING %{_libexecdir}/%{servicename}/sssd_ifp %{_mandir}/man5/sssd-ifp.5* -%if (0%{?use_systemd} == 1) %{_unitdir}/sssd-ifp.service -%endif # InfoPipe DBus plumbing 
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service %files -n libsss_simpleifp -%defattr(-,root,root,-) %{_libdir}/libsss_simpleifp.so.* %files -n libsss_simpleifp-devel -%defattr(-,root,root,-) %doc sss_simpleifp_doc/html %{_includedir}/sss_sifp.h %{_includedir}/sss_sifp_dbus.h @@ -1162,19 +822,16 @@ done %{_libdir}/pkgconfig/sss_simpleifp.pc %files client -f sssd_client.lang -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER -/%{_lib}/libnss_sss.so.2 -/%{_lib}/security/pam_sss.so -/%{_lib}/security/pam_sss_gss.so +%{_libdir}/libnss_sss.so.2 +%{_libdir}/security/pam_sss.so +%{_libdir}/security/pam_sss_gss.so %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so %{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so -%if (0%{?with_cifs_utils_plugin} == 1) %dir %{_libdir}/cifs-utils %{_libdir}/cifs-utils/cifs_idmap_sss.so %dir %{_sysconfdir}/cifs-utils %ghost %{_sysconfdir}/cifs-utils/idmap-plugin -%endif %dir %{_libdir}/%{name} %dir %{_libdir}/%{name}/modules %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so 
@@ -1183,153 +840,74 @@ done %{_mandir}/man8/sssd_krb5_locator_plugin.8* %files -n libsss_sudo -%defattr(-,root,root,-) %license src/sss_client/COPYING %{_libdir}/libsss_sudo.so* %files -n libsss_autofs -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %dir %{_libdir}/%{name}/modules %{_libdir}/%{name}/modules/libsss_autofs.so %files tools -f sssd_tools.lang -%defattr(-,root,root,-) %license COPYING -%if (0%{with_local_provider} == 1) -%{_sbindir}/sss_useradd -%{_sbindir}/sss_userdel -%{_sbindir}/sss_usermod -%{_sbindir}/sss_groupadd -%{_sbindir}/sss_groupdel -%{_sbindir}/sss_groupmod -%{_sbindir}/sss_groupshow -%endif %{_sbindir}/sss_obfuscate %{_sbindir}/sss_override %{_sbindir}/sss_debuglevel %{_sbindir}/sss_seed %{_sbindir}/sssctl -%if (0%{with_local_provider} == 1) -%{_mandir}/man8/sss_groupadd.8* -%{_mandir}/man8/sss_groupdel.8* -%{_mandir}/man8/sss_groupmod.8* -%{_mandir}/man8/sss_groupshow.8* -%{_mandir}/man8/sss_useradd.8* -%{_mandir}/man8/sss_userdel.8* -%{_mandir}/man8/sss_usermod.8* -%endif %{_mandir}/man8/sss_obfuscate.8* %{_mandir}/man8/sss_override.8* %{_mandir}/man8/sss_debuglevel.8* %{_mandir}/man8/sss_seed.8* %{_mandir}/man8/sssctl.8* -%if (0%{?with_python2} == 1) -%files -n python2-sssdconfig -f python2_sssdconfig.lang -%defattr(-,root,root,-) -%dir %{python2_sitelib}/SSSDConfig -%{python2_sitelib}/SSSDConfig/*.py* -%dir %{_datadir}/sssd -%{_datadir}/sssd/sssd.api.conf -%{_datadir}/sssd/sssd.api.d -%endif - -%if (0%{?with_python3} == 1) %files -n python3-sssdconfig -f python3_sssdconfig.lang -%defattr(-,root,root,-) %dir %{python3_sitelib}/SSSDConfig %{python3_sitelib}/SSSDConfig/*.py* %dir %{python3_sitelib}/SSSDConfig/__pycache__ %{python3_sitelib}/SSSDConfig/__pycache__/*.py* -%dir %{_datadir}/sssd -%{_datadir}/sssd/sssd.api.conf -%{_datadir}/sssd/sssd.api.d -%endif - -%if (0%{?with_python2} == 1) -%files -n python2-sss -%defattr(-,root,root,-) -%{python2_sitearch}/pysss.so -%endif -%if (0%{?with_python3} 
== 1) %files -n python3-sss -%defattr(-,root,root,-) %{python3_sitearch}/pysss.so -%endif -%if (0%{?with_python2} == 1) -%files -n python2-sss-murmur -%defattr(-,root,root,-) -%{python2_sitearch}/pysss_murmur.so -%endif - -%if (0%{?with_python3} == 1) %files -n python3-sss-murmur -%defattr(-,root,root,-) %{python3_sitearch}/pysss_murmur.so -%endif %files -n libsss_idmap -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libsss_idmap.so.* %files -n libsss_idmap-devel -%defattr(-,root,root,-) %doc idmap_doc/html %{_includedir}/sss_idmap.h %{_libdir}/libsss_idmap.so %{_libdir}/pkgconfig/sss_idmap.pc %files -n libipa_hbac -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libipa_hbac.so.* %files -n libipa_hbac-devel -%defattr(-,root,root,-) %doc hbac_doc/html %{_includedir}/ipa_hbac.h %{_libdir}/libipa_hbac.so %{_libdir}/pkgconfig/ipa_hbac.pc %files -n libsss_nss_idmap -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libsss_nss_idmap.so.* %files -n libsss_nss_idmap-devel -%defattr(-,root,root,-) %doc nss_idmap_doc/html %{_includedir}/sss_nss_idmap.h %{_libdir}/libsss_nss_idmap.so %{_libdir}/pkgconfig/sss_nss_idmap.pc -%if (0%{?with_python2} == 1) -%files -n python2-libsss_nss_idmap -%defattr(-,root,root,-) -%{python2_sitearch}/pysss_nss_idmap.so -%endif - -%if (0%{?with_python3} == 1) %files -n python3-libsss_nss_idmap -%defattr(-,root,root,-) %{python3_sitearch}/pysss_nss_idmap.so -%endif -%if (0%{?with_python2} == 1) -%files -n python2-libipa_hbac -%defattr(-,root,root,-) -%{python2_sitearch}/pyhbac.so -%endif - -%if (0%{?with_python3} == 1) %files -n python3-libipa_hbac -%defattr(-,root,root,-) %{python3_sitearch}/pyhbac.so -%endif %files winbind-idmap -f sssd_winbind_idmap.lang %dir %{_libdir}/samba/idmap 
@@ -1341,44 +919,26 @@ done %{_libdir}/libnfsidmap/sss.so %files -n libsss_certmap -f libsss_certmap.lang -%defattr(-,root,root,-) %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libsss_certmap.so.* %{_mandir}/man5/sss-certmap.5* %files -n libsss_certmap-devel -%defattr(-,root,root,-) %doc certmap_doc/html %{_includedir}/sss_certmap.h %{_libdir}/libsss_certmap.so %{_libdir}/pkgconfig/sss_certmap.pc -%if (0%{?with_kcm} == 1) %files kcm -f sssd_kcm.lang -%attr(700,root,root) %dir %{secdbpath} %{_libexecdir}/%{servicename}/sssd_kcm -%if (0%{?with_secrets} == 1) -%{_libexecdir}/%{servicename}/sssd_secrets -%endif %config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache %dir %{_datadir}/sssd-kcm %{_datadir}/sssd-kcm/kcm_default_ccache %{_unitdir}/sssd-kcm.socket %{_unitdir}/sssd-kcm.service %{_mandir}/man8/sssd-kcm.8* -%if (0%{?with_secrets} == 1) -%{_unitdir}/sssd-secrets.socket -%{_unitdir}/sssd-secrets.service -%{_mandir}/man5/sssd-secrets.5* -%endif -%endif - -%pre common -getent group sssd >/dev/null || groupadd -r sssd -getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd +%{_libdir}/%{name}/libsss_secrets.so -%if (0%{?use_systemd} == 1) -# systemd %post common %systemd_post sssd.service %systemd_post sssd-autofs.socket @@ -1400,7 +960,6 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %systemd_preun sssd-sudo.socket %postun common -%systemd_postun_with_restart sssd.service %systemd_postun_with_restart sssd-autofs.socket %systemd_postun_with_restart sssd-autofs.service %systemd_postun_with_restart sssd-nss.socket @@ -1424,7 +983,6 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %postun dbus %systemd_postun_with_restart sssd-ifp.service -%if (0%{?with_kcm} == 1) %post kcm %systemd_post sssd-kcm.socket 
@@ -1434,74 +992,33 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %postun kcm %systemd_postun_with_restart sssd-kcm.socket %systemd_postun_with_restart sssd-kcm.service -%endif - -%if (0%{?with_secrets} == 1) -%post secrets -%systemd_postun_with_restart sssd-secrets.socket - -%preun secrets -%systemd_preun_with_restart sssd-secrets.socket - -%postun secrets -%systemd_postun_with_restart sssd-secrets.socket -%systemd_postun_with_restart sssd-secrets.service -%endif - -%else -# sysv -%post common -/sbin/chkconfig --add %{servicename} - -%posttrans -/sbin/service %{servicename} condrestart 2>&1 > /dev/null -%preun common -if [ $1 = 0 ] ; then - /sbin/service %{servicename} stop 2>&1 > /dev/null - /sbin/chkconfig --del %{servicename} -fi -%endif - -%if (0%{?with_cifs_utils_plugin} == 1) %post client -/sbin/ldconfig +%{?ldconfig} /usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20 %preun client if [ $1 -eq 0 ] ; then /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so fi -%else -%post client -p /sbin/ldconfig -%endif -%postun client -p /sbin/ldconfig +%ldconfig_postun client -%post -n libsss_sudo -p /sbin/ldconfig +%ldconfig_scriptlets -n libsss_sudo -%postun -n libsss_sudo -p /sbin/ldconfig +%ldconfig_scriptlets -n libipa_hbac -%post -n libipa_hbac -p /sbin/ldconfig +%ldconfig_scriptlets -n libsss_idmap -%postun -n libipa_hbac -p /sbin/ldconfig +%ldconfig_scriptlets -n libsss_nss_idmap -%post -n libsss_idmap -p /sbin/ldconfig +%ldconfig_scriptlets -n libsss_simpleifp -%postun -n libsss_idmap -p /sbin/ldconfig +%ldconfig_scriptlets -n libsss_certmap -%post -n libsss_nss_idmap -p /sbin/ldconfig - -%postun -n libsss_nss_idmap -p /sbin/ldconfig - -%post -n libsss_simpleifp -p /sbin/ldconfig - -%postun -n libsss_simpleifp -p /sbin/ldconfig - -%post -n libsss_certmap -p /sbin/ldconfig - -%postun -n libsss_certmap -p /sbin/ldconfig 
+%posttrans common +%systemd_postun_with_restart sssd.service %changelog -* Mon Mar 15 2010 Stephen Gallagher <sgall...@redhat.com> - @PACKAGE_VERSION@-0@PRERELEASE_VERSION@ -- Automated build of the SSSD +* Thu Jan 21 2021 Pavel Březina <pbrez...@redhat.com> - @PACKAGE_NAME@-@PACKAGE_VERSION@-0@PRERELEASE_VERSION@ +- Built from upstream sources. \ No newline at end of file From b81b6361b9f064c7334154325bf7f799bf498fa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 25 Jan 2021 12:45:03 +0100 Subject: [PATCH 03/15] spec: remove unneeded conditionals and unused variables This patch removes unused variables and unneeded conditions that reflect current state. --- contrib/sssd.spec.in | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 6fb573ded2..afdf55bb7c 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -1,7 +1,5 @@ # SSSD SPEC file for Fedora 34+ and RHEL-9+ -%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//') - # we don't want to provide private python extension libs %define __provides_exclude_from %{python3_sitearch}/.*\.so$ @@ -10,25 +8,10 @@ %define _hardened_build 1 - %global enable_polkit_rules_option --disable-polkit-rules-path - # Determine the location of the LDB modules directory %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb) %global ldb_version 1.2.0 - %global with_cifs_utils_plugin 1 - -%global enable_systemtap 1 - %global enable_systemtap_opt --enable-systemtap - - %global with_kcm 1 - - %global with_gdm_pam_extensions 1 - -%if (0%{?fedora} > 28) || (0%{?rhel} > 7) - %global use_openssl 1 -%endif - Name: @PACKAGE_NAME@ Version: @PACKAGE_VERSION@ Release: 0@PRERELEASE_VERSION@%{?dist} 
@@ -126,12 +109,10 @@ BuildRequires: libuuid-devel BuildRequires: jansson-devel BuildRequires: libcurl-devel BuildRequires: gdm-pam-extensions-devel -%if (0%{?use_openssl} == 1) BuildRequires: p11-kit-devel BuildRequires: openssl-devel BuildRequires: gnutls-utils BuildRequires: softhsm >= 2.1.0 -%endif BuildRequires: openssl BuildRequires: openssh BuildRequires: nss-tools @@ -515,14 +496,11 @@ autoreconf -ivf --with-initscript=systemd \ --with-syslog=journald \ --without-python2-bindings \ -%if (0%{?use_openssl} == 1) --with-crypto=libcrypto \ -%endif --enable-sss-default-nss-plugin \ --enable-files-domain \ --enable-gss-spnego-for-zero-maxssf \ - %{?with_cifs_utils_plugin_option} \ - %{?enable_systemtap_opt} + --enable-systemtap %make_build all docs runstatedir=%{_rundir} @@ -726,9 +704,7 @@ done %attr(750,root,root) %dir %{_var}/log/%{name} %attr(700,root,root) %dir %{_sysconfdir}/sssd %attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d -%if (0%{?use_openssl} == 1) %attr(711,root,root) %dir %{_sysconfdir}/sssd/pki -%endif %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %dir %{_sysconfdir}/logrotate.d %config(noreplace) %{_sysconfdir}/logrotate.d/sssd From 39f7e896c460922830125bf82fd1b355704733dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 25 Jan 2021 12:46:26 +0100 Subject: [PATCH 04/15] spec: keep _strict_symbol_defs_build SSSD now builds fine with -Wl,-z,defs --- contrib/sssd.spec.in | 3 --- 1 file changed, 3 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index afdf55bb7c..488705dde1 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -3,9 +3,6 @@ # we don't want to provide private python extension libs %define __provides_exclude_from %{python3_sitearch}/.*\.so$ -# SSSD fails to build with -Wl,-z,defs -%undefine _strict_symbol_defs_build - %define _hardened_build 1 # Determine the location of the LDB modules directory 
From d99b9966859ac813b7ffd3f3bdede23fc9b871fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 25 Jan 2021 12:47:08 +0100 Subject: [PATCH 05/15] spec: enable LTO SSSD builds fine with LTO. The only problem was in tests but it is now fixed. --- contrib/sssd.spec.in | 4 ---- 1 file changed, 4 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 488705dde1..dcd965c878 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -468,10 +468,6 @@ for p in %patches ; do done %build -# This package uses -Wl,-wrap to wrap calls at link time. This is incompatible -# with LTO. -# Disable LTO -%define _lto_cflags %{nil} autoreconf -ivf From 3c1e7f25bf9adf79689dd2d6fa18093fef615086 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 25 Jan 2021 12:54:44 +0100 Subject: [PATCH 06/15] spec: remove support for NSS We no longer built with NSS. --with-crypto option no longer exist and we don't require these packages anymore. --- contrib/sssd.spec.in | 3 --- 1 file changed, 3 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index dcd965c878..a8797f1c80 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -67,7 +67,6 @@ BuildRequires: dbus-devel BuildRequires: dbus-libs BuildRequires: openldap-devel BuildRequires: pam-devel -BuildRequires: nss-devel BuildRequires: nspr-devel BuildRequires: pcre-devel BuildRequires: libxslt @@ -112,7 +111,6 @@ BuildRequires: gnutls-utils BuildRequires: softhsm >= 2.1.0 BuildRequires: openssl BuildRequires: openssh -BuildRequires: nss-tools %description Provides a set of daemons to manage access to remote directories and @@ -489,7 +487,6 @@ autoreconf -ivf --with-initscript=systemd \ --with-syslog=journald \ --without-python2-bindings \ - --with-crypto=libcrypto \ --enable-sss-default-nss-plugin \ --enable-files-domain \ --enable-gss-spnego-for-zero-maxssf \ 
From 12b8a9575e3b35665aeeb2e5ab07a559e16d45f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 25 Jan 2021 13:35:03 +0100 Subject: [PATCH 07/15] spec: remove --without-python2-bindings Python2 bindings are not built by default anymore. --- contrib/sssd.spec.in | 1 - 1 file changed, 1 deletion(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index a8797f1c80..05cf051232 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -486,7 +486,6 @@ autoreconf -ivf --disable-rpath \ --with-initscript=systemd \ --with-syslog=journald \ - --without-python2-bindings \ --enable-sss-default-nss-plugin \ --enable-files-domain \ --enable-gss-spnego-for-zero-maxssf \ From 03cb28804fba6b00e6e67156c631a40406814ca1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 28 Jan 2021 11:45:20 +0100 Subject: [PATCH 08/15] spec: re-import changes that were not merged in Fedora There were several changes in upstream spec file that were not merged in Fedora but fixed valid problems. These are: - https://github.com/SSSD/sssd/pull/1008 - https://github.com/SSSD/sssd/pull/1039 - https://github.com/SSSD/sssd/pull/5137 - https://github.com/SSSD/sssd/commit/e698d53e0ddd3c2778e04fd8e405f8c0cee0a766 - https://github.com/SSSD/sssd/commit/7fbc7e3ffb7a5c0090bb2091011762dabf1f512f --- contrib/sssd.spec.in | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 05cf051232..1160145d22 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -9,6 +9,8 @@ %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb) %global ldb_version 1.2.0 +%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) + Name: @PACKAGE_NAME@ Version: @PACKAGE_VERSION@ Release: 0@PRERELEASE_VERSION@%{?dist} 
@@ -35,6 +37,7 @@ Requires: sssd-ad = %{version}-%{release} Recommends: sssd-proxy = %{version}-%{release} Suggests: python3-sssdconfig = %{version}-%{release} Suggests: sssd-dbus = %{version}-%{release} +Recommends: logrotate %global servicename sssd %global sssdstatedir %{_localstatedir}/lib/sss @@ -96,7 +99,7 @@ BuildRequires: systemd-devel BuildRequires: systemd BuildRequires: cifs-utils-devel BuildRequires: libnfsidmap-devel -BuildRequires: samba4-devel +BuildRequires: samba-devel BuildRequires: libsmbclient-devel BuildRequires: samba-winbind BuildRequires: systemtap-sdt-devel @@ -150,6 +153,8 @@ sub-packages such as sssd-ldap. %package client Summary: SSSD Client libraries for NSS and PAM License: LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} Requires(post): /sbin/ldconfig Requires(post): /usr/sbin/alternatives Requires(preun): /usr/sbin/alternatives @@ -178,6 +183,7 @@ A utility library to allow communication between Autofs and SSSD Summary: Userspace tools for use with the SSSD License: GPLv3+ Requires: sssd-common = %{version}-%{release} +Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} @@ -230,6 +236,7 @@ License: GPLv3+ Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} %description ldap Provides the LDAP back end that the SSSD can utilize to fetch identity data @@ -261,6 +268,7 @@ against a Kerberos server. Summary: Common files needed for supporting PAC processing License: GPLv3+ Requires: sssd-common = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} %description common-pac Provides common files needed by SSSD providers such as IPA and Active Directory 
@@ -270,11 +278,13 @@ for handling Kerberos PACs. Summary: The IPA back end of the SSSD License: GPLv3+ Conflicts: sssd < 1.10.0-8.beta2 +Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libipa_hbac%{?_isa} = %{version}-%{release} Recommends: bind-utils Requires: sssd-common-pac = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} %description ipa Provides the IPA back end that the SSSD can utilize to fetch identity data @@ -284,9 +294,11 @@ from and authenticate against an IPA server. Summary: The AD back end of the SSSD License: GPLv3+ Conflicts: sssd < 1.10.0-8.beta2 +Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: sssd-common-pac = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} Recommends: bind-utils Recommends: adcli Suggests: sssd-winbind-idmap = %{version}-%{release} @@ -400,6 +412,8 @@ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. %package winbind-idmap Summary: SSSD's idmap_sss Backend for Winbind License: GPLv3+ and LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} +Requires: libsss_idmap = %{version}-%{release} Conflicts: sssd-common < %{version}-%{release} %description winbind-idmap @@ -700,13 +714,11 @@ done %dir %{_sysconfdir}/rwtab.d %config(noreplace) %{_sysconfdir}/rwtab.d/sssd %dir %{_datadir}/sssd -%{_sysconfdir}/pam.d/sssd-shadowutils +%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils %dir %{_libdir}/%{name}/conf %{_libdir}/%{name}/conf/sssd.conf %{_datadir}/sssd/cfg_rules.ini -%{_datadir}/sssd/sssd.api.conf -%{_datadir}/sssd/sssd.api.d %{_mandir}/man1/sss_ssh_authorizedkeys.1* %{_mandir}/man1/sss_ssh_knownhostsproxy.1* %{_mandir}/man5/sssd.conf.5* 
@@ -831,6 +843,9 @@ done %{python3_sitelib}/SSSDConfig/*.py* %dir %{python3_sitelib}/SSSDConfig/__pycache__ %{python3_sitelib}/SSSDConfig/__pycache__/*.py* +%dir %{_datadir}/sssd +%{_datadir}/sssd/sssd.api.conf +%{_datadir}/sssd/sssd.api.d %files -n python3-sss %{python3_sitearch}/pysss.so From 8e5d0d23556f833a43ca870d003813a697750e80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 28 Jan 2021 12:10:03 +0100 Subject: [PATCH 09/15] spec: synchronize with RHEL spec file Bring stuff from RHEL spec file that was not available in Fedora. --- contrib/sssd.spec.in | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 1160145d22..1e14d8393b 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -35,7 +35,7 @@ Requires: sssd-krb5 = %{version}-%{release} Requires: sssd-ipa = %{version}-%{release} Requires: sssd-ad = %{version}-%{release} Recommends: sssd-proxy = %{version}-%{release} -Suggests: python3-sssdconfig = %{version}-%{release} +Requires: python3-sssdconfig = %{version}-%{release} Suggests: sssd-dbus = %{version}-%{release} Recommends: logrotate @@ -139,6 +139,8 @@ Recommends: libsss_sudo = %{version}-%{release} Recommends: libsss_autofs%{?_isa} = %{version}-%{release} Recommends: sssd-nfs-idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} +Requires(pre): shadow-utils %{?systemd_requires} ### Provides ### @@ -187,6 +189,7 @@ Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: sssd-dbus %description tools 
@@ -237,6 +240,7 @@ Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} %description ldap Provides the LDAP back end that the SSSD can utilize to fetch identity data @@ -248,6 +252,7 @@ License: GPLv3+ Conflicts: sssd < 1.10.0-8.beta2 Requires: cyrus-sasl-gssapi%{?_isa} Requires: sssd-common = %{version}-%{release} +Requires(pre): shadow-utils %description krb5-common Provides helper processes that the LDAP and Kerberos back ends can use for @@ -282,9 +287,11 @@ Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libipa_hbac%{?_isa} = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: bind-utils Requires: sssd-common-pac = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires(pre): shadow-utils %description ipa Provides the IPA back end that the SSSD can utilize to fetch identity data @@ -299,6 +306,7 @@ Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: sssd-common-pac = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: bind-utils Recommends: adcli Suggests: sssd-winbind-idmap = %{version}-%{release} @@ -312,6 +320,7 @@ Summary: The proxy back end of the SSSD License: GPLv3+ Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} +Requires(pre): shadow-utils %description proxy Provides the proxy back end which can be used to wrap an existing NSS and/or 
@@ -392,6 +401,19 @@ Requires: sssd-common = %{version}-%{release} Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows the information from the SSSD to be transmitted over the system bus. +%if 0%{?rhel} +%package polkit-rules +Summary: Rules for polkit integration for SSSD +Group: Applications/System +License: GPLv3+ +Requires: polkit >= 0.106 +Requires: sssd-common = %{version}-%{release} + +%description polkit-rules +Provides rules for polkit integration with SSSD. This is required +for smartcard support. +%endif + %package -n libsss_simpleifp Summary: The SSSD D-Bus responder helper library License: GPLv3+ @@ -503,7 +525,11 @@ autoreconf -ivf --enable-sss-default-nss-plugin \ --enable-files-domain \ --enable-gss-spnego-for-zero-maxssf \ - --enable-systemtap + --enable-systemtap \ +%if 0%{?fedora} + --disable-polkit-rules-path \ +%endif + %{nil} %make_build all docs runstatedir=%{_rundir} @@ -739,6 +765,10 @@ done %{_datadir}/systemtap/tapset/sssd_functions.stp %{_mandir}/man5/sssd-systemtap.5* +%if 0%{?rhel} +%files polkit-rules +%{_datadir}/polkit-1/rules.d/* +%endif %files ldap -f sssd_ldap.lang %license COPYING From 60d217f4f17b1a2f788cfb393b02274188511d4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 28 Jan 2021 12:31:48 +0100 Subject: [PATCH 10/15] spec: use sssd user on RHEL --- contrib/sssd.spec.in | 66 +++++++++++++++++++++++++++++++------------- 1 file changed, 47 insertions(+), 19 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 1e14d8393b..fae5885736 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -1,5 +1,12 @@ # SSSD SPEC file for Fedora 34+ and RHEL-9+ +# define SSSD user +%if 0%{?rhel} +%global sssd_user sssd +%else +%global sssd_user root +%endif + # we don't want to provide private python extension libs %define __provides_exclude_from %{python3_sitearch}/.*\.so$ 
@@ -140,7 +147,9 @@ Recommends: libsss_autofs%{?_isa} = %{version}-%{release} Recommends: sssd-nfs-idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release} +%if 0%{?rhel} Requires(pre): shadow-utils +%endif %{?systemd_requires} ### Provides ### @@ -526,6 +535,7 @@ autoreconf -ivf --enable-files-domain \ --enable-gss-spnego-for-zero-maxssf \ --enable-systemtap \ + --with-sssd-user=%{sssd_user} \ %if 0%{?fedora} --disable-polkit-rules-path \ %endif 
@@ -719,20 +729,20 @@ done %dir %{sssdstatedir} %dir %{_localstatedir}/cache/krb5rcache -%attr(700,root,root) %dir %{dbpath} -%attr(775,root,root) %dir %{mcpath} +%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath} +%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath} %attr(700,root,root) %dir %{secdbpath} %attr(751,root,root) %dir %{deskprofilepath} -%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd -%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group -%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups -%attr(755,root,root) %dir %{pipepath} -%attr(700,root,root) %dir %{pipepath}/private -%attr(755,root,root) %dir %{pubconfpath} -%attr(755,root,root) %dir %{gpocachepath} -%attr(750,root,root) %dir %{_var}/log/%{name} -%attr(700,root,root) %dir %{_sysconfdir}/sssd -%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d +%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd +%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group +%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups +%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath} +%attr(750,%{sssd_user},root) %dir %{pipepath}/private +%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath} +%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath} +%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name} +%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd +%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d %attr(711,root,root) %dir %{_sysconfdir}/sssd/pki %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %dir %{_sysconfdir}/logrotate.d 
@@ -778,9 +788,9 @@ done %files krb5-common %license COPYING -%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d -%{_libexecdir}/%{servicename}/ldap_child -%{_libexecdir}/%{servicename}/krb5_child +%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d +%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child +%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child %files krb5 -f sssd_krb5.lang %license COPYING @@ -793,9 +803,9 @@ done %files ipa -f sssd_ipa.lang %license COPYING -%attr(700,root,root) %dir %{keytabdir} +%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir} %{_libdir}/%{name}/libsss_ipa.so -%{_libexecdir}/%{servicename}/selinux_child +%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child %{_mandir}/man5/sssd-ipa.5* %files ad -f sssd_ad.lang @@ -806,7 +816,7 @@ done %files proxy %license COPYING -%{_libexecdir}/%{servicename}/proxy_child +%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child %{_libdir}/%{name}/libsss_proxy.so %files dbus -f sssd_dbus.lang @@ -949,6 +959,24 @@ done %{_mandir}/man8/sssd-kcm.8* %{_libdir}/%{name}/libsss_secrets.so +%if 0%{?rhel} +%pre ipa +getent group sssd >/dev/null || groupadd -r sssd +getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd + +%pre krb5-common +getent group sssd >/dev/null || groupadd -r sssd +getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd + +%pre common +getent group sssd >/dev/null || groupadd -r sssd +getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd + +%pre proxy +getent group sssd >/dev/null || groupadd -r sssd +getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd +%endif + %post common %systemd_post sssd.service %systemd_post sssd-autofs.socket 
@@ -1031,4 +1059,4 @@ fi %changelog * Thu Jan 21 2021 Pavel Březina <pbrez...@redhat.com> - @PACKAGE_NAME@-@PACKAGE_VERSION@-0@PRERELEASE_VERSION@ -- Built from upstream sources. \ No newline at end of file +- Built from upstream sources. From ea533915109c9ca3af4a242418c32b01125256b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 28 Jan 2021 12:33:26 +0100 Subject: [PATCH 11/15] spec: remove conflicts that no longer make sense --- contrib/sssd.spec.in | 9 --------- 1 file changed, 9 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index fae5885736..d1f72c11a8 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -135,9 +135,6 @@ the existing back ends. %package common Summary: Common files for the SSSD License: GPLv3+ -# Conflicts -Conflicts: selinux-policy < 3.10.0-46 -Conflicts: sssd < 1.10.0-8%{?dist}.beta2 # Requires # due to ABI changes in 1.1.30/1.2.0 Requires: libldb >= %{ldb_version} @@ -245,7 +242,6 @@ Provides python3 module for calculating the murmur hash version 3 %package ldap Summary: The LDAP back end of the SSSD License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} @@ -258,7 +254,6 @@ from and authenticate against an LDAP server. %package krb5-common Summary: SSSD helpers needed for Kerberos and GSSAPI authentication License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 Requires: cyrus-sasl-gssapi%{?_isa} Requires: sssd-common = %{version}-%{release} Requires(pre): shadow-utils @@ -270,7 +265,6 @@ Kerberos user or host authentication. %package krb5 Summary: The Kerberos authentication back end for the SSSD License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} 
@@ -291,7 +285,6 @@ for handling Kerberos PACs. %package ipa Summary: The IPA back end of the SSSD License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} @@ -309,7 +302,6 @@ from and authenticate against an IPA server. %package ad Summary: The AD back end of the SSSD License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} @@ -327,7 +319,6 @@ identity data from and authenticate against an Active Directory server. %package proxy Summary: The proxy back end of the SSSD License: GPLv3+ -Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires(pre): shadow-utils From a9bcbf2e916bd0306385fa6f979a4af80fd98367 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 28 Jan 2021 12:39:18 +0100 Subject: [PATCH 12/15] spec: remove unused BuildRequires - http-parser-devel, libcurl-devel - needed by secrets responder which is not built anymore - dbus-libs, openssl, systemd - pulled in by -devel packages - libcollection-devel, nspr-devel - not required --- contrib/sssd.spec.in | 7 ------- 1 file changed, 7 deletions(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index d1f72c11a8..47461c82ae 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -71,13 +71,10 @@ BuildRequires: libtevent-devel BuildRequires: libtdb-devel BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: libdhash-devel >= 0.4.2 -BuildRequires: libcollection-devel BuildRequires: libini_config-devel >= 1.1 BuildRequires: dbus-devel -BuildRequires: dbus-libs BuildRequires: openldap-devel BuildRequires: pam-devel -BuildRequires: nspr-devel BuildRequires: pcre-devel BuildRequires: libxslt BuildRequires: libxml2 
@@ -103,23 +100,19 @@ BuildRequires: nss_wrapper BuildRequires: pam_wrapper BuildRequires: libnl3-devel BuildRequires: systemd-devel -BuildRequires: systemd BuildRequires: cifs-utils-devel BuildRequires: libnfsidmap-devel BuildRequires: samba-devel BuildRequires: libsmbclient-devel BuildRequires: samba-winbind BuildRequires: systemtap-sdt-devel -BuildRequires: http-parser-devel BuildRequires: libuuid-devel BuildRequires: jansson-devel -BuildRequires: libcurl-devel BuildRequires: gdm-pam-extensions-devel BuildRequires: p11-kit-devel BuildRequires: openssl-devel BuildRequires: gnutls-utils BuildRequires: softhsm >= 2.1.0 -BuildRequires: openssl BuildRequires: openssh %description From 907cbe88666d97b3f19c689568a4be0904a79141 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 28 Jan 2021 12:43:24 +0100 Subject: [PATCH 13/15] spec: remove unused Requires - simpleifp was required by sssctl but not anymore - we don't call ldconfig in post for client --- contrib/sssd.spec.in | 1 - 1 file changed, 1 deletion(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 47461c82ae..db3ebd958b 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -184,7 +184,6 @@ A utility library to allow communication between Autofs and SSSD Summary: Userspace tools for use with the SSSD License: GPLv3+ Requires: sssd-common = %{version}-%{release} -Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} From 21809a029aac06f4e27af5dec4e8b650d988e0a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 28 Jan 2021 13:33:18 +0100 Subject: [PATCH 14/15] spec: sort Requires, BuildRequires and configure for better clarity --- contrib/sssd.spec.in | 124 +++++++++++++++++++++---------------------- 1 file changed, 62 insertions(+), 62 deletions(-) 
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index db3ebd958b..47529ee13f 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -36,15 +36,15 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz ### Dependencies ### +Requires: python3-sssdconfig = %{version}-%{release} +Requires: sssd-ad = %{version}-%{release} Requires: sssd-common = %{version}-%{release} -Requires: sssd-ldap = %{version}-%{release} -Requires: sssd-krb5 = %{version}-%{release} Requires: sssd-ipa = %{version}-%{release} -Requires: sssd-ad = %{version}-%{release} +Requires: sssd-krb5 = %{version}-%{release} +Requires: sssd-ldap = %{version}-%{release} Recommends: sssd-proxy = %{version}-%{release} -Requires: python3-sssdconfig = %{version}-%{release} -Suggests: sssd-dbus = %{version}-%{release} Recommends: logrotate +Suggests: sssd-dbus = %{version}-%{release} %global servicename sssd %global sssdstatedir %{_localstatedir}/lib/sss 
@@ -59,61 +59,61 @@ Recommends: logrotate ### Build Dependencies ### -BuildRequires: make BuildRequires: autoconf BuildRequires: automake -BuildRequires: libtool -BuildRequires: m4 -BuildRequires: gcc -BuildRequires: popt-devel -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -BuildRequires: libtdb-devel -BuildRequires: libldb-devel >= %{ldb_version} -BuildRequires: libdhash-devel >= 0.4.2 -BuildRequires: libini_config-devel >= 1.1 -BuildRequires: dbus-devel -BuildRequires: openldap-devel -BuildRequires: pam-devel -BuildRequires: pcre-devel -BuildRequires: libxslt -BuildRequires: libxml2 -BuildRequires: docbook-style-xsl -BuildRequires: krb5-devel +BuildRequires: bind-utils BuildRequires: c-ares-devel -BuildRequires: python3-devel BuildRequires: check-devel -BuildRequires: doxygen -BuildRequires: libselinux-devel -BuildRequires: libsemanage-devel -BuildRequires: bind-utils -BuildRequires: keyutils-libs-devel -BuildRequires: gettext-devel -BuildRequires: pkgconfig +BuildRequires: cifs-utils-devel +BuildRequires: dbus-devel BuildRequires: diffstat +BuildRequires: docbook-style-xsl +BuildRequires: doxygen BuildRequires: findutils +BuildRequires: gcc +BuildRequires: gdm-pam-extensions-devel +BuildRequires: gettext-devel BuildRequires: glib2-devel -BuildRequires: selinux-policy-targeted +BuildRequires: gnutls-utils +BuildRequires: jansson-devel +BuildRequires: keyutils-libs-devel +BuildRequires: krb5-devel BuildRequires: libcmocka-devel >= 1.0.0 -BuildRequires: uid_wrapper -BuildRequires: nss_wrapper -BuildRequires: pam_wrapper -BuildRequires: libnl3-devel -BuildRequires: systemd-devel -BuildRequires: cifs-utils-devel +BuildRequires: libdhash-devel >= 0.4.2 +BuildRequires: libini_config-devel >= 1.1 +BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: libnfsidmap-devel -BuildRequires: samba-devel +BuildRequires: libnl3-devel +BuildRequires: libselinux-devel +BuildRequires: libsemanage-devel BuildRequires: libsmbclient-devel -BuildRequires: 
samba-winbind -BuildRequires: systemtap-sdt-devel +BuildRequires: libtalloc-devel +BuildRequires: libtdb-devel +BuildRequires: libtevent-devel +BuildRequires: libtool BuildRequires: libuuid-devel -BuildRequires: jansson-devel -BuildRequires: gdm-pam-extensions-devel -BuildRequires: p11-kit-devel +BuildRequires: libxml2 +BuildRequires: libxslt +BuildRequires: m4 +BuildRequires: make +BuildRequires: nss_wrapper +BuildRequires: openldap-devel +BuildRequires: openssh BuildRequires: openssl-devel -BuildRequires: gnutls-utils +BuildRequires: p11-kit-devel +BuildRequires: pam_wrapper +BuildRequires: pam-devel +BuildRequires: pcre-devel +BuildRequires: pkgconfig +BuildRequires: popt-devel +BuildRequires: python3-devel +BuildRequires: samba-devel +BuildRequires: samba-winbind +BuildRequires: selinux-policy-targeted BuildRequires: softhsm >= 2.1.0 -BuildRequires: openssh +BuildRequires: systemd-devel +BuildRequires: systemtap-sdt-devel +BuildRequires: uid_wrapper %description Provides a set of daemons to manage access to remote directories and 
@@ -498,27 +498,27 @@ done autoreconf -ivf %configure \ - --with-test-dir=/dev/shm \ + --disable-rpath \ + --disable-static \ + --enable-files-domain \ + --enable-gss-spnego-for-zero-maxssf \ + --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ + --enable-nsslibdir=%{_libdir} \ + --enable-pammoddir=%{_libdir}/security \ + --enable-sss-default-nss-plugin \ + --enable-systemtap \ --with-db-path=%{dbpath} \ - --with-mcache-path=%{mcpath} \ - --with-pipe-path=%{pipepath} \ - --with-pubconf-path=%{pubconfpath} \ --with-gpo-cache-path=%{gpocachepath} \ --with-init-dir=%{_initrddir} \ + --with-initscript=systemd \ --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ + --with-mcache-path=%{mcpath} \ --with-pid-path=%{_rundir} \ - --enable-nsslibdir=%{_libdir} \ - --enable-pammoddir=%{_libdir}/security \ - --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ - --disable-static \ - --disable-rpath \ - --with-initscript=systemd \ - --with-syslog=journald \ - --enable-sss-default-nss-plugin \ - --enable-files-domain \ - --enable-gss-spnego-for-zero-maxssf \ - --enable-systemtap \ + --with-pipe-path=%{pipepath} \ + --with-pubconf-path=%{pubconfpath} \ --with-sssd-user=%{sssd_user} \ + --with-syslog=journald \ + --with-test-dir=/dev/shm \ %if 0%{?fedora} --disable-polkit-rules-path \ %endif From e1c95c357385f42ae9860644d2b33c7381baed76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Thu, 28 Jan 2021 13:36:08 +0100 Subject: [PATCH 15/15] spec: comment some requirements --- contrib/sssd.spec.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 47529ee13f..dd8eebe2d5 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in 
@@ -74,6 +74,7 @@ BuildRequires: gcc BuildRequires: gdm-pam-extensions-devel BuildRequires: gettext-devel BuildRequires: glib2-devel +# required for p11_child smartcard tests BuildRequires: gnutls-utils BuildRequires: jansson-devel BuildRequires: keyutils-libs-devel @@ -108,8 +109,10 @@ BuildRequires: pkgconfig BuildRequires: popt-devel BuildRequires: python3-devel BuildRequires: samba-devel +# required for idmap_sss.so BuildRequires: samba-winbind BuildRequires: selinux-policy-targeted +# required for p11_child smartcard tests BuildRequires: softhsm >= 2.1.0 BuildRequires: systemd-devel BuildRequires: systemtap-sdt-devel
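Review bot: In PATCH 09/15 the polkit handling is split across two different conditions: configure receives `--disable-polkit-rules-path` under `%if 0%{?fedora}`, while the `polkit-rules` subpackage and its `%files polkit-rules` section sit under `%if 0%{?rhel}`. A build where neither macro is set leaves the rules path enabled with no `%files` section to own whatever is installed there. Use a single `%if 0%{?rhel}` test and put the configure flag in its `%else` branch. The new `%package polkit-rules` also carries a `Group:` tag that no other subpackage visible in this series has; drop it for consistency.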
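Review bot: The `%if 0%{?rhel}` guard around `Requires(pre): shadow-utils` in PATCH 10/15 (hunk -140,7) covers only the common subpackage. PATCH 09/15 added the same tag to krb5-common, ipa and proxy, and the context lines of PATCH 11/15 show it still unconditional for krb5-common and proxy. Since all four `%pre` scriptlets are inside `%if 0%{?rhel}`, Fedora builds end up with a scriptlet dependency and no scriptlet. Wrap the other three tags the same way. The four `%pre` bodies are also identical copies of the getent/groupadd/useradd pair; defining them once as a macro would keep them from drifting apart.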
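Review bot: In PATCH 10/15, the `%files common` hunk at -719,20 gives `%{_sysconfdir}/sssd` to `%{sssd_user}` with mode 700, while the unchanged context line keeps `sssd.conf` as `%ghost %attr(0600,root,root)`. The owner of a directory can rename or replace entries in it regardless of who owns the file, so on RHEL the unprivileged sssd account gains control over which file sits at the configuration path. Either keep the directory root-owned and grant sssd access through the group, or make the file ownership match the directory, and record in the commit message which one is intended. The same hunk changes `%{pipepath}/private` from 700 to 750, which also alters the mode on Fedora where `%{sssd_user}` is root; that needs a line of justification too.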
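Review bot: In PATCH 10/15, the `%files krb5-common`, `%files ipa` and `%files proxy` hunks mark ldap_child, krb5_child, selinux_child and proxy_child as `%attr(4750,root,%{sssd_user})` with no distribution condition. On Fedora `%{sssd_user}` is defined as root at the top of this same patch, so the helpers become setuid root with owner and group root, where the bit has no effect and only adds four setuid binaries to the package. Put the 4750 entries under `%if 0%{?rhel}` and keep the previous plain entries in the `%else` branch. The commit message has no body; the reason these helpers need the setuid bit when the daemon runs as sssd should be stated there.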
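Review bot: PATCH 12/15 drops `BuildRequires: systemd` on the grounds that it is pulled in by -devel packages, but the spec depends on `%{?systemd_requires}` and `%systemd_post`, both visible as context in PATCH 10/15. Because `%{?systemd_requires}` is a conditional expansion, it silently expands to nothing when the macro definitions are missing from the build root, and the resulting package loses its scriptlet dependencies without any build error. Please confirm that `systemd-devel` guarantees those macros, or declare the macro provider explicitly instead of relying on a transitive pull.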
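Review bot: The commit message of PATCH 13/15 lists two items, but the diff has a single deletion, `Requires: libsss_simpleifp = %{version}-%{release}` in the tools subpackage. The second bullet, "we don't call ldconfig in post for client", has no matching change in the hunk. Either the corresponding Requires removal is missing from the patch or the bullet should be dropped from the message.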
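Review bot: The sorted BuildRequires list in PATCH 14/15 places `pam_wrapper` before `pam-devel`, which is not in order under either byte-wise or dictionary collation, and in the first hunk `Recommends: sssd-proxy` still precedes `Recommends: logrotate`. Since the stated purpose of the patch is sorting for clarity, run the lists through `LC_ALL=C sort` so the order is reproducible for the next person who adds an entry.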