URL: https://github.com/SSSD/sssd/pull/5474
Author: pbrezina
Title: #5474: spec: synchronize with Fedora 34 spec file
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5474/head:pr5474
git checkout pr5474
From 78d2066ea3ee32c319a78599266a7009ce302265 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Fri, 29 Jan 2021 12:41:28 +0100
Subject: [PATCH 01/15] sudo: do not search by low usn value to improve
 performance

This is a follow up on these two commits.

- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea

The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.

This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.

Now we omit the usn attribute from the filter if there is no meaningful value.

How to test:
1. Setup LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
   to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 32c0144b9..c853e4dc1 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
     last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name;
     entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name;
     if (rootdse) {
-        if (last_usn_name) {
+        if (false) {
             ret = sysdb_attrs_get_string(rootdse,
                                           last_usn_name, &last_usn_value);
             if (ret != EOK) {
@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
         }
     }

-    if (!last_usn_name) {
+    if (true) {
         DEBUG(SSSDBG_FUNC_DATA,
               "No known USN scheme is supported by this server!\n");
         if (!entry_usn_name) {
```
3. Run SSSD with sudo and check that smart refresh filter does not contain modifyTimestamp
4. Add new sudo rule, check that the filter does contain it after the rule is cached

Resolves: https://github.com/SSSD/sssd/issues/5483
---
 src/providers/ldap/sdap_sudo_refresh.c |  3 ++-
 src/providers/ldap/sdap_sudo_shared.c  | 21 ++++++---------------
 2 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
index ddcb237811..3441dd8fd6 100644
--- a/src/providers/ldap/sdap_sudo_refresh.c
+++ b/src/providers/ldap/sdap_sudo_refresh.c
@@ -181,7 +181,8 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
     state->sysdb = id_ctx->be->domain->sysdb;
 
     /* Download all rules from LDAP that are newer than usn */
-    if (srv_opts == NULL || srv_opts->max_sudo_value == 0) {
+    if (srv_opts == NULL || srv_opts->max_sudo_value == NULL
+         || strcmp(srv_opts->max_sudo_value, "0") == 0) {
         DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n");
         usn = "0";
         search_filter = talloc_asprintf(state, "(%s=%s)",
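Review bot: the literal "0" tested with strcmp() in the new condition is the same sentinel that sdap_sudo_new_usn() now returns for an unknown USN in sdap_sudo_shared.c, so the two files have to agree on a magic string. Suggest a shared macro or a small predicate (for example a hypothetical sdap_sudo_usn_is_unknown()) used in both places, so that a later change to the sentinel cannot silently send this code down the "usn >= value" path with a meaningless value.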
diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
index 4f09957ea4..75d1bc3d85 100644
--- a/src/providers/ldap/sdap_sudo_shared.c
+++ b/src/providers/ldap/sdap_sudo_shared.c
@@ -129,25 +129,17 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
 static char *
 sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
                   unsigned long usn,
-                  const char *leftover,
-                  bool supports_usn)
+                  const char *leftover)
 {
     const char *str = leftover == NULL ? "" : leftover;
     char *newusn;
 
-    /* This is a fresh start and server uses modifyTimestamp. We need to
-     * provide proper datetime value. */
-    if (!supports_usn && usn == 0) {
-        newusn = talloc_strdup(mem_ctx, "00000101000000Z");
-        if (newusn == NULL) {
-            DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
-            return NULL;
-        }
-
-        return newusn;
+    /* Current largest USN is unknown so we keep "0" to indicate it. */
+    if (usn == 0) {
+        return talloc_strdup(mem_ctx, "0");
     }
 
-    /* We increment USN number so that we can later use simplify filter
+    /* We increment USN number so that we can later use simplified filter
      * (just usn >= last+1 instead of usn >= last && usn != last).
      */
     usn++;
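Review bot: the new `usn == 0` branch returns talloc_strdup(mem_ctx, "0") directly, so an allocation failure there is no longer logged, whereas the removed branch emitted "Unable to change USN value (OOM)!" before returning NULL. Keep the DEBUG on the NULL path, or log in the caller, which currently just returns when newusn is NULL. The branch also ignores `leftover`; the comment above it could say that this is intentional.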
@@ -219,8 +211,7 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
         srv_opts->last_usn = usn_number;
     }
 
-    newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone,
-                               srv_opts->supports_usn);
+    newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone);
     if (newusn == NULL) {
         return;
     }

From 226f5a63bc2fc124801625e669f51492c8891316 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 21 Jan 2021 13:38:03 +0100
Subject: [PATCH 02/15] spec: synchronize with Fedora 34 spec file

---
 contrib/sssd.spec.in | 791 +++++++++----------------------------------
 1 file changed, 154 insertions(+), 637 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index f7e5ce1332..6fb573ded2 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1,167 +1,49 @@
-# SSSD is running as root user by default.
-# Set --with sssd_user or bcond_without to run SSSD as non-root user(sssd).
-%bcond_with sssd_user
+# SSSD SPEC file for Fedora 34+ and RHEL-9+
 
-%global rhel6_minor %(%{__grep} -o "6\\.[0-9]*" /etc/redhat-release |%{__sed} -s 's/6.//')
-%global rhel7_minor %(%{__grep} -o "7\\.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
+%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
 
-%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
-
-%if 0%{?rhel} && 0%{?rhel} <= 6
-%{!?__python2: %global __python2 /usr/bin/python2}
-%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
-%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
-%endif
-
-%{!?python_provide: %global need_python_provide 1}
-%if 0%{?need_python_provide}
-%define python_provide() %{lua:
-        function string.starts(String, Start)
-                return string.sub(String, 1, string.len(Start)) == Start
-        end
-        package = rpm.expand("%{?1:%{1}}");
-        vr = rpm.expand("%{?epoch:%{epoch}:}%{version}-%{release}")
-        if (string.starts(package, "python2-")) then
-                if (rpm.expand("%{?buildarch}") ~= "noarch") then
-                        str = "Provides: python-" ..
-                              string.sub(package, 9, string.len(package)) ..
-                              "%{?_isa} = " .. vr;
-                        print(rpm.expand(str));
-                end
-                print("\\nProvides: python-");
-                print(string.sub(package, 9, string.len(package)));
-                print(" = ");
-                print(vr);
-                --Obsoleting the previous default python package
-                if (rpm.expand("%{?buildarch}") ~= "noarch") then
-                        str = "\\nObsoletes: python-" ..
-                              string.sub(package, 9, string.len(package)) ..
-                              "%{?_isa} < " .. vr;
-                        print(rpm.expand(str));
-                end
-                print("\\nObsoletes: python-");
-                print(string.sub(package, 9, string.len(package)));
-                print(" < ");
-                print(vr);
-        elseif (string.starts(package, "python3-")) then
-                --No unversioned provides as python3 is not default
-        else
-                print("%python_provide: ERROR: ");
-                print(package);
-                print(" not recognized.");
-        end
-}
-%endif
-
-# Fedora and RHEL 6+
 # we don't want to provide private python extension libs
-%define __provides_exclude_from %{python2_sitearch}/.*\.so$
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
-# workaround for rpm 4.13
-%define _empty_manifest_terminate_build 0
-
-%if (0%{?fedora} || 0%{?rhel} >= 7)
-    %global use_systemd 1
-%endif
+# SSSD fails to build with -Wl,-z,defs
+%undefine _strict_symbol_defs_build
 
-%if (0%{?fedora} || 0%{?rhel} >= 8)
-    %global enable_files_domain 1
-%endif
+%define _hardened_build 1
 
-# on Fedora and RHEL7 p11_child needs a polkit config snippet to be allowed to
-# talk to pcscd if SSSD runs as unprivileged user
-%if (%{with sssd_user} && (0%{?fedora} || 0%{?rhel} >= 7))
-    %global install_pcscd_polkit_rule 1
-%else
     %global enable_polkit_rules_option --disable-polkit-rules-path
-%endif
-
-%if (0%{?use_systemd} == 1)
-    %global with_initscript --with-initscript=systemd --with-systemdunitdir=%{_unitdir}
-    %global with_syslog --with-syslog=journald
-%else
-    %global with_initscript --with-initscript=sysv
-%endif
-
-%global enable_experimental 1
-
-%if (0%{?enable_experimental} == 1)
-    %global experimental --enable-all-experimental-features
-%endif
 
 # Determine the location of the LDB modules directory
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
+%global ldb_version 1.2.0
 
-%if (0%{?fedora} || 0%{?rhel} >= 7)
-%define _hardened_build 1
-%endif
-
-%if (0%{?fedora} || 0%{?rhel} >= 7)
     %global with_cifs_utils_plugin 1
-%else
-    %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
-%endif
-
-%if (0%{?fedora} || 0%{?rhel} > 7)
-    %global with_python3 1
-%else
-    %global with_python3_option --without-python3-bindings
-%endif
-
-%if (0%{?fedora} > 28 || 0%{?rhel} > 7)
-    %global with_python2_option --without-python2-bindings
-%else
-    %global with_python2 1
-    %global with_python2_option --with-python2-bindings
-%endif
 
 %global enable_systemtap 1
-%if (0%{?enable_systemtap} == 1)
     %global enable_systemtap_opt --enable-systemtap
-%endif
-
-%global with_secrets 0
-%global with_secret_responder --without-secrets
 
-%if (0%{?fedora} >= 23 || 0%{?rhel} >= 7)
     %global with_kcm 1
-    %global with_kcm_option --with-kcm
-%else
-    %global with_kcm_option --without-kcm
-%endif
 
-%if (0%{?fedora} >= 27 || 0%{?rhel} >= 7)
     %global with_gdm_pam_extensions 1
-%else
-    %global with_gdm_pam_extensions 0
-%endif
-
-# Do not try to detect the idmap version on RHEL6 to avoid conflicts between
-# samba and samba4 package
-%if (0%{?fedora} || 0%{?rhel} >= 7)
-    %global detect_idmap_version 1
-%else
-    %global with_idmap_version --with-smb-idmap-interface-version=5
-%endif
 
-%global with_local_provider 0
-%if (0%{?fedora} <= 28 || 0%{?rhel <= 7})
-    %global with_local_provider 1
-    %global enable_local_provider --enable-local-provider
+%if (0%{?fedora} > 28) || (0%{?rhel} > 7)
+    %global use_openssl 1
 %endif
 
 Name: @PACKAGE_NAME@
 Version: @PACKAGE_VERSION@
 Release: 0@PRERELEASE_VERSION@%{?dist}
-Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
-URL: https://github.com/SSSD/sssd
-Source0: %{name}-%{version}.tar.gz
-BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+URL: https://github.com/SSSD/sssd/
+Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
 
 ### Patches ###
+# Place your patches here:
+# Patch0001:  0001-patch-file.patch
+
+### Downstream only patches ###
+# Place your downstream only patches here:
+# Patch0901: 0901-downstream-only-patch-file.patch
 
 ### Dependencies ###
 
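Review bot: the rewritten `%global rhel7_minor` line near the top loses the backslashes in the grep pattern ("7.[0-9]*" instead of "7\\.[0-9]*"), so the dot now matches any character, and the macro looks dead in a spec whose header says Fedora 34+ and RHEL-9+. Suggest deleting the line rather than carrying it. The same applies to `%if (0%{?fedora} > 28) || (0%{?rhel} > 7)` around use_openssl: it is always true on the stated targets, so either set use_openssl unconditionally or drop the macro and the conditionals that test it.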
@@ -170,15 +52,9 @@ Requires: sssd-ldap = %{version}-%{release}
 Requires: sssd-krb5 = %{version}-%{release}
 Requires: sssd-ipa = %{version}-%{release}
 Requires: sssd-ad = %{version}-%{release}
-Requires: sssd-proxy = %{version}-%{release}
-%if (0%{?with_python3} == 1)
-Requires: python3-sssdconfig = %{version}-%{release}
-%else
-Requires: python2-sssdconfig = %{version}-%{release}
-%endif
-%if (0%{?fedora} >= 30 || 0%{?rhel} >= 8)
-Recommends: logrotate
-%endif
+Recommends: sssd-proxy = %{version}-%{release}
+Suggests: python3-sssdconfig = %{version}-%{release}
+Suggests: sssd-dbus = %{version}-%{release}
 
 %global servicename sssd
 %global sssdstatedir %{_localstatedir}/lib/sss
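Review bot: `Recommends: logrotate` is removed here with nothing in its place, and sssd-proxy and python3-sssdconfig are weakened from Requires to Recommends and Suggests, but the commit message has no body. Hosts installed with weak dependencies disabled will no longer pull these in. Please list the dependency-strength changes in the commit message, and keep the logrotate line unless dropping it is intended.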
@@ -203,7 +79,7 @@ BuildRequires: popt-devel
 BuildRequires: libtalloc-devel
 BuildRequires: libtevent-devel
 BuildRequires: libtdb-devel
-BuildRequires: libldb-devel
+BuildRequires: libldb-devel >= %{ldb_version}
 BuildRequires: libdhash-devel >= 0.4.2
 BuildRequires: libcollection-devel
 BuildRequires: libini_config-devel >= 1.1
@@ -211,8 +87,7 @@ BuildRequires: dbus-devel
 BuildRequires: dbus-libs
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
-BuildRequires: p11-kit-devel
-BuildRequires: openssl-devel
+BuildRequires: nss-devel
 BuildRequires: nspr-devel
 BuildRequires: pcre-devel
 BuildRequires: libxslt
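Review bot: nss-devel replaces p11-kit-devel and openssl-devel as an unconditional BuildRequires here, while a later hunk adds those two back under `%if (0%{?use_openssl} == 1)`, a condition that always holds on the targets named in the header comment. If the build links OpenSSL on those targets, nss-devel (and nss-tools, added further down) look unnecessary. Please confirm which crypto library the build uses and drop the BuildRequires for the other one.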
@@ -220,12 +95,7 @@ BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
 BuildRequires: krb5-devel
 BuildRequires: c-ares-devel
-%if (0%{?with_python2} == 1)
-BuildRequires: python2-devel
-%endif
-%if (0%{?with_python3} == 1)
 BuildRequires: python3-devel
-%endif
 BuildRequires: check-devel
 BuildRequires: doxygen
 BuildRequires: libselinux-devel
@@ -234,106 +104,79 @@ BuildRequires: bind-utils
 BuildRequires: keyutils-libs-devel
 BuildRequires: gettext-devel
 BuildRequires: pkgconfig
+BuildRequires: diffstat
 BuildRequires: findutils
 BuildRequires: glib2-devel
 BuildRequires: selinux-policy-targeted
-%if (0%{?fedora} || 0%{?epel})
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: uid_wrapper
 BuildRequires: nss_wrapper
 BuildRequires: pam_wrapper
-
-# p11tool from the gnutls-utils package and softhsm2-util from the softhsm package
-# are needed to prepare the data needed for the p11_child Smartcard tests.
-# Since p11_child only looks at slots with are flagged as 'removable'
-# softhsm version 2.1.0 or higher is needed.
-BuildRequires: gnutls-utils
-BuildRequires: softhsm >= 2.1.0
-
-BuildRequires: openssl
-BuildRequires: openssh
-%endif
 BuildRequires: libnl3-devel
-%if (0%{?use_systemd} == 1)
 BuildRequires: systemd-devel
 BuildRequires: systemd
-%endif
-%if (0%{?with_cifs_utils_plugin} == 1)
 BuildRequires: cifs-utils-devel
-%endif
-%if (0%{?fedora} || (0%{?rhel} >= 7))
 BuildRequires: libnfsidmap-devel
-%else
-BuildRequires: nfs-utils-lib-devel
-%endif
-
-BuildRequires: samba-devel
+BuildRequires: samba4-devel
 BuildRequires: libsmbclient-devel
-%if (0%{?detect_idmap_version} == 1)
 BuildRequires: samba-winbind
-%endif
-
-%if (0%{?enable_systemtap} == 1)
 BuildRequires: systemtap-sdt-devel
-%endif
-%if (0%{?with_secrets} == 1)
 BuildRequires: http-parser-devel
-BuildRequires: libcurl-devel
-%endif
-%if (0%{?with_kcm} == 1)
 BuildRequires: libuuid-devel
-%endif
-%if (0%{?with_secrets} == 1 || 0%{?with_kcm} == 1)
 BuildRequires: jansson-devel
-%endif
-%if (0%{?with_gdm_pam_extensions} == 1)
+BuildRequires: libcurl-devel
 BuildRequires: gdm-pam-extensions-devel
+%if (0%{?use_openssl} == 1)
+BuildRequires: p11-kit-devel
+BuildRequires: openssl-devel
+BuildRequires: gnutls-utils
+BuildRequires: softhsm >= 2.1.0
 %endif
+BuildRequires: openssl
+BuildRequires: openssh
+BuildRequires: nss-tools
 
 %description
 Provides a set of daemons to manage access to remote directories and
 authentication mechanisms. It provides an NSS and PAM interface toward
-the system and a pluggable backend system to connect to multiple different
+the system and a plug-gable back-end system to connect to multiple different
 account sources. It is also the basis to provide client auditing and policy
 services for projects like FreeIPA.
 
-The sssd subpackage is a meta-package that contains the daemon as well as all
+The sssd sub-package is a meta-package that contains the daemon as well as all
 the existing back ends.
 
 %package common
 Summary: Common files for the SSSD
-Group: Applications/System
 License: GPLv3+
+# Conflicts
+Conflicts: selinux-policy < 3.10.0-46
+Conflicts: sssd < 1.10.0-8%{?dist}.beta2
+# Requires
+# due to ABI changes in 1.1.30/1.2.0
+Requires: libldb >= %{ldb_version}
 Requires: sssd-client%{?_isa} = %{version}-%{release}
-Requires: libsss_sudo = %{version}-%{release}
-Requires: libsss_autofs%{?_isa} = %{version}-%{release}
+Recommends: libsss_sudo = %{version}-%{release}
+Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
+Recommends: sssd-nfs-idmap = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
-Conflicts: sssd < %{version}-%{release}
-%if (0%{?use_systemd} == 1)
 %{?systemd_requires}
-%else
-Requires(post): initscripts chkconfig
-Requires(preun):  initscripts chkconfig
-Requires(postun): initscripts chkconfig
-%endif
 
 ### Provides ###
 Provides: libsss_sudo-devel = %{version}-%{release}
-Obsoletes: libsss_sudo-devel <= 1.9.93
+Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1
 
 %description common
 Common files for the SSSD. The common package includes all the files needed
 to run a particular back end, however, the back ends are packaged in separate
-subpackages such as sssd-ldap.
+sub-packages such as sssd-ldap.
 
 %package client
 Summary: SSSD Client libraries for NSS and PAM
-Group: Applications/System
 License: LGPLv3+
-Requires: libsss_nss_idmap = %{version}-%{release}
-Requires: libsss_idmap = %{version}-%{release}
 Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
+Requires(post):  /usr/sbin/alternatives
+Requires(preun): /usr/sbin/alternatives
 
 %description client
 Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
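Review bot: in %package common, `Conflicts: sssd < %{version}-%{release}` becomes `Conflicts: sssd < 1.10.0-8%{?dist}.beta2`, so sssd-common no longer conflicts with a mismatched sssd meta-package from any recent release. If the fixed bound is intended, add a comment saying which package split it guards against. Two smaller points in the same hunk: `BuildRequires: samba4-devel` should be checked to resolve on the targets named in the header, and "plug-gable back-end" in %description reads worse than the "pluggable backend" it replaces.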
@@ -341,42 +184,28 @@ service.
 
 %package -n libsss_sudo
 Summary: A library to allow communication between SUDO and SSSD
-Group: Development/Libraries
 License: LGPLv3+
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
+Conflicts: sssd-common < %{version}-%{release}
 
 %description -n libsss_sudo
 A utility library to allow communication between SUDO and SSSD
 
 %package -n libsss_autofs
 Summary: A library to allow communication between Autofs and SSSD
-Group: Development/Libraries
 License: LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}
 
 %description -n libsss_autofs
 A utility library to allow communication between Autofs and SSSD
 
 %package tools
 Summary: Userspace tools for use with the SSSD
-Group: Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
-Requires: libsss_simpleifp = %{version}-%{release}
 # required by sss_obfuscate
-%if (0%{?with_python3} == 1)
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
-%else
-Requires: python2-sss = %{version}-%{release}
-Requires: python2-sssdconfig = %{version}-%{release}
-%endif
-%if (0%{?use_systemd} == 0)
-Requires: /sbin/service
-%endif
-%if (0%{?fedora} >= 30 || 0%{?rhel} >= 8)
 Recommends: sssd-dbus
-%endif
 
 %description tools
 Provides userspace tools for manipulating users, groups, and nested groups in
@@ -388,51 +217,17 @@ Also provides several other administrative tools:
     * sss_obfuscate for generating an obfuscated LDAP password
     * sssctl -- an sssd status and control utility
 
-%if (0%{?with_python2} == 1)
-%package -n python2-sssdconfig
-Summary: SSSD and IPA configuration file manipulation classes and functions
-Group: Applications/System
-License: GPLv3+
-BuildArch: noarch
-%{?python_provide:%python_provide python2-sssdconfig}
-
-%description -n python2-sssdconfig
-Provides python2 files for manipulation SSSD and IPA configuration files.
-%endif
-
-%if (0%{?with_python3} == 1)
 %package -n python3-sssdconfig
 Summary: SSSD and IPA configuration file manipulation classes and functions
-Group: Applications/System
 License: GPLv3+
 BuildArch: noarch
 %{?python_provide:%python_provide python3-sssdconfig}
 
 %description -n python3-sssdconfig
 Provides python3 files for manipulation SSSD and IPA configuration files.
-%endif
-
-%if (0%{?with_python2} == 1)
-%package -n python2-sss
-Summary: Python2 bindings for sssd
-Group: Development/Libraries
-License: LGPLv3+
-Requires: sssd-common = %{version}-%{release}
-%{?python_provide:%python_provide python2-sss}
 
-%description -n python2-sss
-Provides python2 module for manipulating users, groups, and nested groups in
-SSSD when using id_provider = local in /etc/sssd/sssd.conf.
-
-Also provides several other useful python2 bindings:
-    * function for retrieving list of groups user belongs to.
-    * class for obfuscation of passwords
-%endif
-
-%if (0%{?with_python3} == 1)
 %package -n python3-sss
 Summary: Python3 bindings for sssd
-Group: Development/Libraries
 License: LGPLv3+
 Requires: sssd-common = %{version}-%{release}
 %{?python_provide:%python_provide python3-sss}
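Review bot: the python3-sss description (visible in the next hunk header) still says "when using id_provider = local in /etc/sssd/sssd.conf", while the first hunk of this patch removes the with_local_provider and enable_local_provider globals. If the local provider is no longer built by this spec, the description here and the matching wording in %description tools should be updated in the same commit.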
@@ -444,38 +239,21 @@ SSSD when using id_provider = local in /etc/sssd/sssd.conf.
 Also provides several other useful python3 bindings:
     * function for retrieving list of groups user belongs to.
     * class for obfuscation of passwords
-%endif
 
-%if (0%{?with_python2} == 1)
-%package -n python2-sss-murmur
-Summary: Python2 bindings for murmur hash function
-Group: Development/Libraries
-License: LGPLv3+
-%{?python_provide:%python_provide python2-sss-murmur}
-
-%description -n python2-sss-murmur
-Provides python2 module for calculating the murmur hash version 3
-%endif
-
-%if (0%{?with_python3} == 1)
 %package -n python3-sss-murmur
 Summary: Python3 bindings for murmur hash function
-Group: Development/Libraries
 License: LGPLv3+
 %{?python_provide:%python_provide python3-sss-murmur}
 
 %description -n python3-sss-murmur
 Provides python3 module for calculating the murmur hash version 3
-%endif
 
 %package ldap
 Summary: The LDAP back end of the SSSD
-Group: Applications/System
 License: GPLv3+
-Conflicts: sssd < %{version}-%{release}
+Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
-Requires: libsss_idmap = %{version}-%{release}
 
 %description ldap
 Provides the LDAP back end that the SSSD can utilize to fetch identity data
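Review bot: `Conflicts: sssd < 1.10.0-8.beta2` in %package ldap has no %{?dist}, while the same bound in %package common is written `1.10.0-8%{?dist}.beta2`. Pick one form and use it for every sub-package that carries this line (ldap, krb5-common, krb5, ipa, ad, proxy), ideally through a single macro so the bound is defined once.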
@@ -483,10 +261,9 @@ from and authenticate against an LDAP server.
 
 %package krb5-common
 Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
-Group: Applications/System
 License: GPLv3+
-Conflicts: sssd < %{version}-%{release}
-Requires: cyrus-sasl-gssapi
+Conflicts: sssd < 1.10.0-8.beta2
+Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: sssd-common = %{version}-%{release}
 
 %description krb5-common
@@ -495,9 +272,8 @@ Kerberos user or host authentication.
 
 %package krb5
 Summary: The Kerberos authentication back end for the SSSD
-Group: Applications/System
 License: GPLv3+
-Conflicts: sssd < %{version}-%{release}
+Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 
@@ -507,10 +283,8 @@ against a Kerberos server.
 
 %package common-pac
 Summary: Common files needed for supporting PAC processing
-Group: Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
-Requires: libsss_idmap = %{version}-%{release}
 
 %description common-pac
 Provides common files needed by SSSD providers such as IPA and Active Directory
@@ -518,16 +292,13 @@ for handling Kerberos PACs.
 
 %package ipa
 Summary: The IPA back end of the SSSD
-Group: Applications/System
 License: GPLv3+
-Conflicts: sssd < %{version}-%{release}
-Requires: samba-client-libs >= %{samba_package_version}
+Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
-Requires: libipa_hbac = %{version}-%{release}
-Requires: bind-utils
+Requires: libipa_hbac%{?_isa} = %{version}-%{release}
+Recommends: bind-utils
 Requires: sssd-common-pac = %{version}-%{release}
-Requires: libsss_idmap = %{version}-%{release}
 
 %description ipa
 Provides the IPA back end that the SSSD can utilize to fetch identity data
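Review bot: `Requires: samba-client-libs >= %{samba_package_version}` is dropped from %package ipa (and from %package ad in the next hunk) with no replacement, because the samba_package_version global is removed at the top of the spec. If that pin existed to stop the provider from being installed against an older Samba library than the one it was built with, say in the commit message why it is no longer needed.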
@@ -535,15 +306,14 @@ from and authenticate against an IPA server.
 
 %package ad
 Summary: The AD back end of the SSSD
-Group: Applications/System
 License: GPLv3+
-Conflicts: sssd < %{version}-%{release}
-Requires: samba-client-libs >= %{samba_package_version}
+Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: sssd-common-pac = %{version}-%{release}
-Requires: libsss_idmap = %{version}-%{release}
-Requires: bind-utils
+Recommends: bind-utils
+Recommends: adcli
+Suggests: sssd-winbind-idmap = %{version}-%{release}
 
 %description ad
 Provides the Active Directory back end that the SSSD can utilize to fetch
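Review bot: bind-utils moves from Requires to Recommends in %package ad, as it does for ipa in the previous hunk, and adcli is added only as Recommends. With weak dependencies disabled, any feature of the provider that runs a tool from those packages will be missing it at runtime. Either keep `Requires: bind-utils`, or document in the package description which features need the recommended packages.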
@@ -551,9 +321,8 @@ identity data from and authenticate against an Active Directory server.
 
 %package proxy
 Summary: The proxy back end of the SSSD
-Group: Applications/System
 License: GPLv3+
-Conflicts: sssd < %{version}-%{release}
+Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 
 %description proxy
@@ -562,61 +331,36 @@ PAM modules to leverage SSSD caching.
 
 %package -n libsss_idmap
 Summary: FreeIPA Idmap library
-Group: Development/Libraries
 License: LGPLv3+
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
 
 %description -n libsss_idmap
-Utility library to convert SIDs to UNIX UIDs and GIDs
+Utility library to convert SIDs to Unix uids and gids
 
 %package -n libsss_idmap-devel
 Summary: FreeIPA Idmap library
-Group: Development/Libraries
 License: LGPLv3+
 Requires: libsss_idmap = %{version}-%{release}
 
 %description -n libsss_idmap-devel
-Utility library to SIDs to UNIX UIDs and GIDs
+Utility library to SIDs to Unix uids and gids
 
 %package -n libipa_hbac
 Summary: FreeIPA HBAC Evaluator library
-Group: Development/Libraries
 License: LGPLv3+
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
 
 %description -n libipa_hbac
 Utility library to validate FreeIPA HBAC rules for authorization requests
 
 %package -n libipa_hbac-devel
 Summary: FreeIPA HBAC Evaluator library
-Group: Development/Libraries
 License: LGPLv3+
 Requires: libipa_hbac = %{version}-%{release}
 
 %description -n libipa_hbac-devel
 Utility library to validate FreeIPA HBAC rules for authorization requests
 
-%if (0%{?with_python2} == 1)
-%package -n python2-libipa_hbac
-Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
-Group: Development/Libraries
-License: LGPLv3+
-Requires: libipa_hbac = %{version}-%{release}
-Provides: libipa_hbac-python = %{version}-%{release}
-Obsoletes: libipa_hbac-python < 1.12.90
-%{?python_provide:%python_provide python2-libipa_hbac}
-
-%description -n python2-libipa_hbac
-The python2-libipa_hbac contains the bindings so that libipa_hbac can be
-used by Python applications.
-%endif
-
-%if (0%{?with_python3} == 1)
 %package -n python3-libipa_hbac
 Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
-Group: Development/Libraries
 License: LGPLv3+
 Requires: libipa_hbac = %{version}-%{release}
 %{?python_provide:%python_provide python3-libipa_hbac}
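Review bot: the touched %description for libsss_idmap-devel reads "Utility library to SIDs to Unix uids and gids", which is missing the verb that the runtime package has ("to convert SIDs"). Since the line is being edited anyway, fix it here. The devel sub-packages in this hunk also reuse the runtime Summary text unchanged; a "Development files for ..." summary would make the two distinguishable in package listings.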
@@ -624,46 +368,24 @@ Requires: libipa_hbac = %{version}-%{release}
 %description -n python3-libipa_hbac
 The python3-libipa_hbac contains the bindings so that libipa_hbac can be
 used by Python applications.
-%endif
 
 %package -n libsss_nss_idmap
 Summary: Library for SID and certificate based lookups
-Group: Development/Libraries
 License: LGPLv3+
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
 
 %description -n libsss_nss_idmap
 Utility library for SID and certificate based lookups
 
 %package -n libsss_nss_idmap-devel
 Summary: Library for SID and certificate based lookups
-Group: Development/Libraries
 License: LGPLv3+
 Requires: libsss_nss_idmap = %{version}-%{release}
 
 %description -n libsss_nss_idmap-devel
 Utility library for SID and certificate based lookups
 
-%if (0%{?with_python2} == 1)
-%package -n python2-libsss_nss_idmap
-Summary: Python2 bindings for libsss_nss_idmap
-Group: Development/Libraries
-License: LGPLv3+
-Requires: libsss_nss_idmap = %{version}-%{release}
-Provides: libsss_nss_idmap-python = %{version}-%{release}
-Obsoletes: libsss_nss_idmap-python < 1.12.90
-%{?python_provide:%python_provide python2-libsss_nss_idmap}
-
-%description -n python2-libsss_nss_idmap
-The python2-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
-be used by Python applications.
-%endif
-
-%if (0%{?with_python3} == 1)
 %package -n python3-libsss_nss_idmap
 Summary: Python3 bindings for libsss_nss_idmap
-Group: Development/Libraries
 License: LGPLv3+
 Requires: libsss_nss_idmap = %{version}-%{release}
 %{?python_provide:%python_provide python3-libsss_nss_idmap}
@@ -671,11 +393,9 @@ Requires: libsss_nss_idmap = %{version}-%{release}
 %description -n python3-libsss_nss_idmap
 The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
 be used by Python applications.
-%endif
 
 %package dbus
 Summary: The D-Bus responder of the SSSD
-Group: Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
 %{?systemd_requires}
@@ -684,33 +404,16 @@ Requires: sssd-common = %{version}-%{release}
 Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
 the information from the SSSD to be transmitted over the system bus.
 
-%if (0%{?install_pcscd_polkit_rule} == 1)
-%package polkit-rules
-Summary: Rules for polkit integration for SSSD
-Group: Applications/System
-License: GPLv3+
-Requires: polkit >= 0.106
-Requires: sssd-common = %{version}-%{release}
-
-%description polkit-rules
-Provides rules for polkit integration with SSSD. This is required
-for smartcard support.
-%endif
-
 %package -n libsss_simpleifp
 Summary: The SSSD D-Bus responder helper library
-Group: Development/Libraries
 License: GPLv3+
 Requires: sssd-dbus = %{version}-%{release}
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
 
 %description -n libsss_simpleifp
 Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
 
 %package -n libsss_simpleifp-devel
 Summary: The SSSD D-Bus responder helper library
-Group: Development/Libraries
 License: GPLv3+
 Requires: dbus-devel
 Requires: libsss_simpleifp = %{version}-%{release}
@@ -720,10 +423,8 @@ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
 
 %package winbind-idmap
 Summary: SSSD's idmap_sss Backend for Winbind
-Group:  Applications/System
 License: GPLv3+ and LGPLv3+
-Requires: libsss_nss_idmap = %{version}-%{release}
-Requires: libsss_idmap = %{version}-%{release}
+Conflicts: sssd-common < %{version}-%{release}
 
 %description winbind-idmap
 The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
@@ -731,8 +432,8 @@ and SIDs.
 
 %package nfs-idmap
 Summary: SSSD plug-in for NFSv4 rpc.idmapd
-Group:  Applications/System
 License: GPLv3+
+Conflicts: sssd-common < %{version}-%{release}
 
 %description nfs-idmap
 The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
@@ -741,27 +442,22 @@ UIDs/GIDs to names and vice versa. It can be also used for mapping principal
 
 %package -n libsss_certmap
 Summary: SSSD Certificate Mapping Library
-Group: Development/Libraries
 License: LGPLv3+
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
+Conflicts: sssd-common < %{version}-%{release}
 
 %description -n libsss_certmap
 Library to map certificates to users based on rules
 
 %package -n libsss_certmap-devel
 Summary: SSSD Certificate Mapping Library
-Group: Development/Libraries
 License: LGPLv3+
 Requires: libsss_certmap = %{version}-%{release}
 
 %description -n libsss_certmap-devel
 Library to map certificates to users based on rules
 
-%if (0%{?with_kcm} == 1)
 %package kcm
 Summary: An implementation of a Kerberos KCM server
-Group:  Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
 %{?systemd_requires}
@@ -769,12 +465,36 @@ Requires: sssd-common = %{version}-%{release}
 %description kcm
 An implementation of a Kerberos KCM server. Use this package if you want to
 use the KCM: Kerberos credentials cache.
-%endif
 
 %prep
-%setup -q -n %{name}-%{version}
+# Update timestamps on the files touched by a patch, to avoid non-equal
+# .pyc/.pyo files across the multilib peers within a build, where "Level"
+# is the patch prefix option (e.g. -p1)
+# Taken from specfile for python-simplejson
+UpdateTimestamps() {
+  Level=$1
+  PatchFile=$2
+
+  # Locate the affected files:
+  for f in $(diffstat $Level -l $PatchFile); do
+    # Set the files to have the same timestamp as that of the patch:
+    touch -r $PatchFile $f
+  done
+}
+
+%setup -q
+
+for p in %patches ; do
+    %__patch -p1 -i $p
+    UpdateTimestamps -p1 $p
+done
 
 %build
+# This package uses -Wl,-wrap to wrap calls at link time.  This is incompatible
+# with LTO.
+# Disable LTO
+%define _lto_cflags %{nil}
+
 autoreconf -ivf
 
 %configure \
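Review bot: `UpdateTimestamps` in %prep expands `$PatchFile` and `$f` unquoted and loops over `$(diffstat $Level -l $PatchFile)` with shell word splitting, so a patched path that contains whitespace is split into several wrong names before `touch -r` sees it. Quote the expansions and read the file list line by line (`diffstat ... | while IFS= read -r f`). %prep now depends on `diffstat`, so check that it is listed in BuildRequires.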
@@ -786,46 +506,36 @@ autoreconf -ivf
     --with-gpo-cache-path=%{gpocachepath} \
     --with-init-dir=%{_initrddir} \
     --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
-    --enable-nsslibdir=/%{_lib} \
-    --enable-pammoddir=/%{_lib}/security \
+    --with-pid-path=%{_rundir} \
+    --enable-nsslibdir=%{_libdir} \
+    --enable-pammoddir=%{_libdir}/security \
     --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
     --disable-static \
     --disable-rpath \
-%if %{with sssd_user}
-    --with-sssd-user=sssd \
+    --with-initscript=systemd \
+    --with-syslog=journald \
+    --without-python2-bindings \
+%if (0%{?use_openssl} == 1)
+    --with-crypto=libcrypto \
 %endif
-%if (0%{?enable_files_domain} == 1)
+    --enable-sss-default-nss-plugin \
     --enable-files-domain \
-%endif
-    %{with_initscript} \
-    %{?with_syslog} \
+    --enable-gss-spnego-for-zero-maxssf \
     %{?with_cifs_utils_plugin_option} \
-    %{?with_python2_option} \
-    %{?with_python3_option} \
-    %{?enable_polkit_rules_option} \
-    %{?enable_systemtap_opt} \
-    %{?with_secret_responder} \
-    %{?with_kcm_option} \
-    %{?with_idmap_version} \
-    %{?enable_local_provider} \
-    %{?experimental}
+    %{?enable_systemtap_opt}
 
-make %{?_smp_mflags} all
+%make_build all docs runstatedir=%{_rundir}
 
-make %{?_smp_mflags} docs
+sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
 
 %check
 export CK_TIMEOUT_MULTIPLIER=10
-make %{?_smp_mflags} check VERBOSE=yes
+%make_build check VERBOSE=yes
 unset CK_TIMEOUT_MULTIPLIER
 
 %install
 
-%if (0%{?with_python3} == 1)
-sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
-%endif
-
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
 
 # Prepare language files
 /usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
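Review bot: dropping `--with-sssd-user=sssd` from %configure changes behaviour rather than just tidying the spec. The daemon now runs as whatever user configure defaults to, and the `%attr(...,root,root)` lines later in this patch only make sense if that default is root. Say so in a comment next to the %configure call, so that someone who later re-enables an unprivileged service user knows the file ownership, the removed `%pre common` scriptlet and the child-helper modes have to change with it.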
@@ -839,17 +549,13 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
 install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd
 
 # Kerberos KCM credential cache by default
-%if (0%{?with_kcm} == 1)
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
    $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
-%endif
 
-%if (0%{?with_cifs_utils_plugin} == 1)
 # Create directory for cifs-idmap alternative
 # Otherwise this directory could not be owned by sssd-client
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
-%endif
 
 # Remove .la files created by libtool
 find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
@@ -859,19 +565,10 @@ rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
 
 # Older versions of rpmbuild can only handle one -f option
 # So we need to append to the sssd*.lang file
-%if (0%{?with_python2} == 1)
-for file in `ls $RPM_BUILD_ROOT/%{python2_sitelib}/*.egg-info 2> /dev/null`
-do
-    echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang
-done
-%endif
-
-%if (0%{?with_python3} == 1)
 for file in `ls $RPM_BUILD_ROOT/%{python3_sitelib}/*.egg-info 2> /dev/null`
 do
     echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
 done
-%endif
 
 touch sssd.lang
 for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
@@ -943,15 +640,8 @@ done
 echo "sssd.lang:"
 cat sssd.lang
 
-%if (0%{?with_python2} == 1)
-echo "python2_sssdconfig.lang:"
-cat python2_sssdconfig.lang
-%endif
-
-%if (0%{?with_python3} == 1)
 echo "python3_sssdconfig.lang:"
 cat python3_sssdconfig.lang
-%endif
 
 for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                   sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
@@ -961,22 +651,13 @@ do
     cat $subpackage.lang
 done
 
-# must be defined after last occurrence of package otherwise
-# RPM will overwrite %%license as soon as it parses a License: tag
-%if 0%{?rhel} <= 6
-%define license %doc
-%endif
-
 %files
-%defattr(-,root,root,-)
 %license COPYING
 
 %files common -f sssd.lang
-%defattr(-,root,root,-)
 %license COPYING
 %doc src/examples/sssd-example.conf
 %{_sbindir}/sssd
-%if (0%{?use_systemd} == 1)
 %{_unitdir}/sssd.service
 %{_unitdir}/sssd-autofs.socket
 %{_unitdir}/sssd-autofs.service
@@ -991,9 +672,6 @@ done
 %{_unitdir}/sssd-ssh.service
 %{_unitdir}/sssd-sudo.socket
 %{_unitdir}/sssd-sudo.service
-%else
-%{_initrddir}/%{name}
-%endif
 
 %dir %{_libexecdir}/%{servicename}
 %{_libexecdir}/%{servicename}/sssd_be
@@ -1003,9 +681,7 @@ done
 %{_libexecdir}/%{servicename}/sssd_ssh
 %{_libexecdir}/%{servicename}/sssd_sudo
 %{_libexecdir}/%{servicename}/p11_child
-%if (0%{?use_systemd} == 1)
 %{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders
-%endif
 
 %dir %{_libdir}/%{name}
 # The files provider is intentionally packaged in -common
@@ -1021,15 +697,12 @@ done
 %{_libdir}/%{name}/libsss_ldap_common.so
 %{_libdir}/%{name}/libsss_util.so
 %{_libdir}/%{name}/libsss_semanage.so
-%{_libdir}/%{name}/libsss_sbus.so
-%{_libdir}/%{name}/libsss_sbus_sync.so
-%{_libdir}/%{name}/libsss_iface.so
-%{_libdir}/%{name}/libsss_iface_sync.so
 %{_libdir}/%{name}/libifp_iface.so
 %{_libdir}/%{name}/libifp_iface_sync.so
-%if (0%{?with_secrets} == 1 || 0%{?with_kcm} == 1)
-%{_libdir}/%{name}/libsss_secrets.so
-%endif
+%{_libdir}/%{name}/libsss_iface.so
+%{_libdir}/%{name}/libsss_iface_sync.so
+%{_libdir}/%{name}/libsss_sbus.so
+%{_libdir}/%{name}/libsss_sbus_sync.so
 
 %{ldb_modulesdir}/memberof.so
 %{_bindir}/sss_ssh_authorizedkeys
@@ -1039,31 +712,36 @@ done
 
 %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
-%attr(700,sssd,sssd) %dir %{dbpath}
-%attr(775,sssd,sssd) %dir %{mcpath}
-%attr(751,sssd,sssd) %dir %{deskprofilepath}
-%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd
-%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
-%ghost %attr(0664,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
-%attr(755,sssd,sssd) %dir %{pipepath}
-%attr(750,sssd,root) %dir %{pipepath}/private
-%attr(755,sssd,sssd) %dir %{pubconfpath}
-%attr(755,sssd,sssd) %dir %{gpocachepath}
-%attr(750,sssd,sssd) %dir %{_var}/log/%{name}
-%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd
-%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d
-%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/pki
-%ghost %attr(0600,sssd,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
+%attr(700,root,root) %dir %{dbpath}
+%attr(775,root,root) %dir %{mcpath}
+%attr(700,root,root) %dir %{secdbpath}
+%attr(751,root,root) %dir %{deskprofilepath}
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
+%attr(755,root,root) %dir %{pipepath}
+%attr(700,root,root) %dir %{pipepath}/private
+%attr(755,root,root) %dir %{pubconfpath}
+%attr(755,root,root) %dir %{gpocachepath}
+%attr(750,root,root) %dir %{_var}/log/%{name}
+%attr(700,root,root) %dir %{_sysconfdir}/sssd
+%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
+%if (0%{?use_openssl} == 1)
+%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
+%endif
+%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %dir %{_sysconfdir}/rwtab.d
 %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
 %dir %{_datadir}/sssd
-%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
+%{_sysconfdir}/pam.d/sssd-shadowutils
 %dir %{_libdir}/%{name}/conf
 %{_libdir}/%{name}/conf/sssd.conf
 
 %{_datadir}/sssd/cfg_rules.ini
+%{_datadir}/sssd/sssd.api.conf
+%{_datadir}/sssd/sssd.api.d
 %{_mandir}/man1/sss_ssh_authorizedkeys.1*
 %{_mandir}/man1/sss_ssh_knownhostsproxy.1*
 %{_mandir}/man5/sssd.conf.5*
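Review bot: `%{_sysconfdir}/pam.d/sssd-shadowutils` loses `%config(noreplace)` at the end of this hunk, so rpm treats it as an ordinary file and overwrites a locally edited PAM stack on every upgrade. Keep `%config(noreplace)` on it. The tightened modes on `%{pipepath}/private` (750 to 700) and `%{_sysconfdir}/sssd` (711 to 700) look right for a root:root layout.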
@@ -1073,7 +751,6 @@ done
 %{_mandir}/man5/sssd-session-recording.5*
 %{_mandir}/man8/sssd.8*
 %{_mandir}/man8/sss_cache.8*
-%if (0%{?enable_systemtap} == 1)
 %dir %{_datadir}/sssd/systemtap
 %{_datadir}/sssd/systemtap/id_perf.stp
 %{_datadir}/sssd/systemtap/nested_group_perf.stp
@@ -1084,77 +761,60 @@ done
 %{_datadir}/systemtap/tapset/sssd.stp
 %{_datadir}/systemtap/tapset/sssd_functions.stp
 %{_mandir}/man5/sssd-systemtap.5*
-%endif
 
-%if (0%{?install_pcscd_polkit_rule} == 1)
-%files polkit-rules
-%{_datadir}/polkit-1/rules.d/*
-%endif
 
 %files ldap -f sssd_ldap.lang
-%defattr(-,root,root,-)
 %license COPYING
 %{_libdir}/%{name}/libsss_ldap.so
 %{_mandir}/man5/sssd-ldap.5*
 %{_mandir}/man5/sssd-ldap-attributes.5*
 
 %files krb5-common
-%defattr(-,root,root,-)
 %license COPYING
-%attr(755,sssd,sssd) %dir %{pubconfpath}/krb5.include.d
-%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child
-%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child
+%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
+%{_libexecdir}/%{servicename}/ldap_child
+%{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
-%defattr(-,root,root,-)
 %license COPYING
 %{_libdir}/%{name}/libsss_krb5.so
 %{_mandir}/man5/sssd-krb5.5*
 
 %files common-pac
-%defattr(-,root,root,-)
 %license COPYING
 %{_libexecdir}/%{servicename}/sssd_pac
 
 %files ipa -f sssd_ipa.lang
-%defattr(-,root,root,-)
 %license COPYING
-%attr(700,sssd,sssd) %dir %{keytabdir}
+%attr(700,root,root) %dir %{keytabdir}
 %{_libdir}/%{name}/libsss_ipa.so
-%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child
+%{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
-%defattr(-,root,root,-)
 %license COPYING
 %{_libdir}/%{name}/libsss_ad.so
 %{_libexecdir}/%{servicename}/gpo_child
 %{_mandir}/man5/sssd-ad.5*
 
 %files proxy
-%defattr(-,root,root,-)
 %license COPYING
-%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/proxy_child
+%{_libexecdir}/%{servicename}/proxy_child
 %{_libdir}/%{name}/libsss_proxy.so
 
 %files dbus -f sssd_dbus.lang
-%defattr(-,root,root,-)
 %license COPYING
 %{_libexecdir}/%{servicename}/sssd_ifp
 %{_mandir}/man5/sssd-ifp.5*
-%if (0%{?use_systemd} == 1)
 %{_unitdir}/sssd-ifp.service
-%endif
 # InfoPipe DBus plumbing
 %{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
 
 %files -n libsss_simpleifp
-%defattr(-,root,root,-)
 %{_libdir}/libsss_simpleifp.so.*
 
 %files -n libsss_simpleifp-devel
-%defattr(-,root,root,-)
 %doc sss_simpleifp_doc/html
 %{_includedir}/sss_sifp.h
 %{_includedir}/sss_sifp_dbus.h
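Review bot: `ldap_child`, `krb5_child`, `selinux_child` and `proxy_child` lose `%attr(4750,root,sssd)` and are now listed bare, so the packaged owner and mode are whatever `make install` left in the buildroot. If the intent is that these helpers are no longer setuid, state it with an explicit `%attr` (for example `%attr(0755,root,root)`) so the permission can be audited from the spec and does not change silently when the build system does.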
@@ -1162,19 +822,16 @@ done
 %{_libdir}/pkgconfig/sss_simpleifp.pc
 
 %files client -f sssd_client.lang
-%defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
-/%{_lib}/libnss_sss.so.2
-/%{_lib}/security/pam_sss.so
-/%{_lib}/security/pam_sss_gss.so
+%{_libdir}/libnss_sss.so.2
+%{_libdir}/security/pam_sss.so
+%{_libdir}/security/pam_sss_gss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
 %{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
-%if (0%{?with_cifs_utils_plugin} == 1)
 %dir %{_libdir}/cifs-utils
 %{_libdir}/cifs-utils/cifs_idmap_sss.so
 %dir %{_sysconfdir}/cifs-utils
 %ghost %{_sysconfdir}/cifs-utils/idmap-plugin
-%endif
 %dir %{_libdir}/%{name}
 %dir %{_libdir}/%{name}/modules
 %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
@@ -1183,153 +840,74 @@ done
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
 
 %files -n libsss_sudo
-%defattr(-,root,root,-)
 %license src/sss_client/COPYING
 %{_libdir}/libsss_sudo.so*
 
 %files -n libsss_autofs
-%defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %dir %{_libdir}/%{name}/modules
 %{_libdir}/%{name}/modules/libsss_autofs.so
 
 %files tools -f sssd_tools.lang
-%defattr(-,root,root,-)
 %license COPYING
-%if (0%{with_local_provider} == 1)
-%{_sbindir}/sss_useradd
-%{_sbindir}/sss_userdel
-%{_sbindir}/sss_usermod
-%{_sbindir}/sss_groupadd
-%{_sbindir}/sss_groupdel
-%{_sbindir}/sss_groupmod
-%{_sbindir}/sss_groupshow
-%endif
 %{_sbindir}/sss_obfuscate
 %{_sbindir}/sss_override
 %{_sbindir}/sss_debuglevel
 %{_sbindir}/sss_seed
 %{_sbindir}/sssctl
-%if (0%{with_local_provider} == 1)
-%{_mandir}/man8/sss_groupadd.8*
-%{_mandir}/man8/sss_groupdel.8*
-%{_mandir}/man8/sss_groupmod.8*
-%{_mandir}/man8/sss_groupshow.8*
-%{_mandir}/man8/sss_useradd.8*
-%{_mandir}/man8/sss_userdel.8*
-%{_mandir}/man8/sss_usermod.8*
-%endif
 %{_mandir}/man8/sss_obfuscate.8*
 %{_mandir}/man8/sss_override.8*
 %{_mandir}/man8/sss_debuglevel.8*
 %{_mandir}/man8/sss_seed.8*
 %{_mandir}/man8/sssctl.8*
 
-%if (0%{?with_python2} == 1)
-%files -n python2-sssdconfig -f python2_sssdconfig.lang
-%defattr(-,root,root,-)
-%dir %{python2_sitelib}/SSSDConfig
-%{python2_sitelib}/SSSDConfig/*.py*
-%dir %{_datadir}/sssd
-%{_datadir}/sssd/sssd.api.conf
-%{_datadir}/sssd/sssd.api.d
-%endif
-
-%if (0%{?with_python3} == 1)
 %files -n python3-sssdconfig -f python3_sssdconfig.lang
-%defattr(-,root,root,-)
 %dir %{python3_sitelib}/SSSDConfig
 %{python3_sitelib}/SSSDConfig/*.py*
 %dir %{python3_sitelib}/SSSDConfig/__pycache__
 %{python3_sitelib}/SSSDConfig/__pycache__/*.py*
-%dir %{_datadir}/sssd
-%{_datadir}/sssd/sssd.api.conf
-%{_datadir}/sssd/sssd.api.d
-%endif
-
-%if (0%{?with_python2} == 1)
-%files -n python2-sss
-%defattr(-,root,root,-)
-%{python2_sitearch}/pysss.so
-%endif
 
-%if (0%{?with_python3} == 1)
 %files -n python3-sss
-%defattr(-,root,root,-)
 %{python3_sitearch}/pysss.so
-%endif
 
-%if (0%{?with_python2} == 1)
-%files -n python2-sss-murmur
-%defattr(-,root,root,-)
-%{python2_sitearch}/pysss_murmur.so
-%endif
-
-%if (0%{?with_python3} == 1)
 %files -n python3-sss-murmur
-%defattr(-,root,root,-)
 %{python3_sitearch}/pysss_murmur.so
-%endif
 
 %files -n libsss_idmap
-%defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libsss_idmap.so.*
 
 %files -n libsss_idmap-devel
-%defattr(-,root,root,-)
 %doc idmap_doc/html
 %{_includedir}/sss_idmap.h
 %{_libdir}/libsss_idmap.so
 %{_libdir}/pkgconfig/sss_idmap.pc
 
 %files -n libipa_hbac
-%defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libipa_hbac.so.*
 
 %files -n libipa_hbac-devel
-%defattr(-,root,root,-)
 %doc hbac_doc/html
 %{_includedir}/ipa_hbac.h
 %{_libdir}/libipa_hbac.so
 %{_libdir}/pkgconfig/ipa_hbac.pc
 
 %files -n libsss_nss_idmap
-%defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libsss_nss_idmap.so.*
 
 %files -n libsss_nss_idmap-devel
-%defattr(-,root,root,-)
 %doc nss_idmap_doc/html
 %{_includedir}/sss_nss_idmap.h
 %{_libdir}/libsss_nss_idmap.so
 %{_libdir}/pkgconfig/sss_nss_idmap.pc
 
-%if (0%{?with_python2} == 1)
-%files -n python2-libsss_nss_idmap
-%defattr(-,root,root,-)
-%{python2_sitearch}/pysss_nss_idmap.so
-%endif
-
-%if (0%{?with_python3} == 1)
 %files -n python3-libsss_nss_idmap
-%defattr(-,root,root,-)
 %{python3_sitearch}/pysss_nss_idmap.so
-%endif
 
-%if (0%{?with_python2} == 1)
-%files -n python2-libipa_hbac
-%defattr(-,root,root,-)
-%{python2_sitearch}/pyhbac.so
-%endif
-
-%if (0%{?with_python3} == 1)
 %files -n python3-libipa_hbac
-%defattr(-,root,root,-)
 %{python3_sitearch}/pyhbac.so
-%endif
 
 %files winbind-idmap -f sssd_winbind_idmap.lang
 %dir %{_libdir}/samba/idmap
@@ -1341,44 +919,26 @@ done
 %{_libdir}/libnfsidmap/sss.so
 
 %files -n libsss_certmap -f libsss_certmap.lang
-%defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libsss_certmap.so.*
 %{_mandir}/man5/sss-certmap.5*
 
 %files -n libsss_certmap-devel
-%defattr(-,root,root,-)
 %doc certmap_doc/html
 %{_includedir}/sss_certmap.h
 %{_libdir}/libsss_certmap.so
 %{_libdir}/pkgconfig/sss_certmap.pc
 
-%if (0%{?with_kcm} == 1)
 %files kcm -f sssd_kcm.lang
-%attr(700,root,root) %dir %{secdbpath}
 %{_libexecdir}/%{servicename}/sssd_kcm
-%if (0%{?with_secrets} == 1)
-%{_libexecdir}/%{servicename}/sssd_secrets
-%endif
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
 %dir %{_datadir}/sssd-kcm
 %{_datadir}/sssd-kcm/kcm_default_ccache
 %{_unitdir}/sssd-kcm.socket
 %{_unitdir}/sssd-kcm.service
 %{_mandir}/man8/sssd-kcm.8*
-%if (0%{?with_secrets} == 1)
-%{_unitdir}/sssd-secrets.socket
-%{_unitdir}/sssd-secrets.service
-%{_mandir}/man5/sssd-secrets.5*
-%endif
-%endif
-
-%pre common
-getent group sssd >/dev/null || groupadd -r sssd
-getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+%{_libdir}/%{name}/libsss_secrets.so
 
-%if (0%{?use_systemd} == 1)
-# systemd
 %post common
 %systemd_post sssd.service
 %systemd_post sssd-autofs.socket
@@ -1400,7 +960,6 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_preun sssd-sudo.socket
 
 %postun common
-%systemd_postun_with_restart sssd.service
 %systemd_postun_with_restart sssd-autofs.socket
 %systemd_postun_with_restart sssd-autofs.service
 %systemd_postun_with_restart sssd-nss.socket
@@ -1424,7 +983,6 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %postun dbus
 %systemd_postun_with_restart sssd-ifp.service
 
-%if (0%{?with_kcm} == 1)
 %post kcm
 %systemd_post sssd-kcm.socket
 
@@ -1434,74 +992,33 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %postun kcm
 %systemd_postun_with_restart sssd-kcm.socket
 %systemd_postun_with_restart sssd-kcm.service
-%endif
-
-%if (0%{?with_secrets} == 1)
-%post secrets
-%systemd_postun_with_restart sssd-secrets.socket
-
-%preun secrets
-%systemd_preun_with_restart sssd-secrets.socket
-
-%postun secrets
-%systemd_postun_with_restart sssd-secrets.socket
-%systemd_postun_with_restart sssd-secrets.service
-%endif
-
-%else
-# sysv
-%post common
-/sbin/chkconfig --add %{servicename}
-
-%posttrans
-/sbin/service %{servicename} condrestart 2>&1 > /dev/null
 
-%preun common
-if [ $1 = 0 ] ; then
-    /sbin/service %{servicename} stop 2>&1 > /dev/null
-    /sbin/chkconfig --del %{servicename}
-fi
-%endif
-
-%if (0%{?with_cifs_utils_plugin} == 1)
 %post client
-/sbin/ldconfig
+%{?ldconfig}
 /usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20
 
 %preun client
 if [ $1 -eq 0 ] ; then
         /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
 fi
-%else
-%post client -p /sbin/ldconfig
-%endif
 
-%postun client -p /sbin/ldconfig
+%ldconfig_postun client
 
-%post -n libsss_sudo -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_sudo
 
-%postun -n libsss_sudo -p /sbin/ldconfig
+%ldconfig_scriptlets -n libipa_hbac
 
-%post -n libipa_hbac -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_idmap
 
-%postun -n libipa_hbac -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_nss_idmap
 
-%post -n libsss_idmap -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_simpleifp
 
-%postun -n libsss_idmap -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_certmap
 
-%post -n libsss_nss_idmap -p /sbin/ldconfig
-
-%postun -n libsss_nss_idmap -p /sbin/ldconfig
-
-%post -n libsss_simpleifp -p /sbin/ldconfig
-
-%postun -n libsss_simpleifp -p /sbin/ldconfig
-
-%post -n libsss_certmap -p /sbin/ldconfig
-
-%postun -n libsss_certmap -p /sbin/ldconfig
+%posttrans common
+%systemd_postun_with_restart sssd.service
 
 %changelog
-* Mon Mar 15 2010 Stephen Gallagher <sgall...@redhat.com> - @PACKAGE_VERSION@-0@PRERELEASE_VERSION@
-- Automated build of the SSSD
+* Thu Jan 21 2021 Pavel Březina <pbrez...@redhat.com> - @PACKAGE_NAME@-@PACKAGE_VERSION@-0@PRERELEASE_VERSION@
+- Built from upstream sources.
\ No newline at end of file
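Review bot: `%posttrans common` now carries `%systemd_postun_with_restart sssd.service`, a macro named for `%postun`, while the socket and responder units still restart in `%postun common`. Add a one-line comment above the scriptlet saying why the restart of sssd.service is deferred to the end of the transaction, otherwise it reads like a mistake and will get moved back. The new changelog entry also leaves the file without a trailing newline.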

From b81b6361b9f064c7334154325bf7f799bf498fa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 25 Jan 2021 12:45:03 +0100
Subject: [PATCH 03/15] spec: remove unneeded conditionals and unused variables

This patch removes unused variables and unneeded conditions that
reflect current state.
---
 contrib/sssd.spec.in | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 6fb573ded2..afdf55bb7c 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1,7 +1,5 @@
 # SSSD SPEC file for Fedora 34+ and RHEL-9+
 
-%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
-
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
@@ -10,25 +8,10 @@
 
 %define _hardened_build 1
 
-    %global enable_polkit_rules_option --disable-polkit-rules-path
-
 # Determine the location of the LDB modules directory
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
 %global ldb_version 1.2.0
 
-    %global with_cifs_utils_plugin 1
-
-%global enable_systemtap 1
-    %global enable_systemtap_opt --enable-systemtap
-
-    %global with_kcm 1
-
-    %global with_gdm_pam_extensions 1
-
-%if (0%{?fedora} > 28) || (0%{?rhel} > 7)
-    %global use_openssl 1
-%endif
-
 Name: @PACKAGE_NAME@
 Version: @PACKAGE_VERSION@
 Release: 0@PRERELEASE_VERSION@%{?dist}
@@ -126,12 +109,10 @@ BuildRequires: libuuid-devel
 BuildRequires: jansson-devel
 BuildRequires: libcurl-devel
 BuildRequires: gdm-pam-extensions-devel
-%if (0%{?use_openssl} == 1)
 BuildRequires: p11-kit-devel
 BuildRequires: openssl-devel
 BuildRequires: gnutls-utils
 BuildRequires: softhsm >= 2.1.0
-%endif
 BuildRequires: openssl
 BuildRequires: openssh
 BuildRequires: nss-tools
@@ -515,14 +496,11 @@ autoreconf -ivf
     --with-initscript=systemd \
     --with-syslog=journald \
     --without-python2-bindings \
-%if (0%{?use_openssl} == 1)
     --with-crypto=libcrypto \
-%endif
     --enable-sss-default-nss-plugin \
     --enable-files-domain \
     --enable-gss-spnego-for-zero-maxssf \
-    %{?with_cifs_utils_plugin_option} \
-    %{?enable_systemtap_opt}
+    --enable-systemtap
 
 %make_build all docs runstatedir=%{_rundir}
 
@@ -726,9 +704,7 @@ done
 %attr(750,root,root) %dir %{_var}/log/%{name}
 %attr(700,root,root) %dir %{_sysconfdir}/sssd
 %attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
-%if (0%{?use_openssl} == 1)
 %attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
-%endif
 %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd

From 39f7e896c460922830125bf82fd1b355704733dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 25 Jan 2021 12:46:26 +0100
Subject: [PATCH 04/15] spec: keep _strict_symbol_defs_build

SSSD now builds fine with -Wl,-z,defs
---
 contrib/sssd.spec.in | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index afdf55bb7c..488705dde1 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -3,9 +3,6 @@
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
-# SSSD fails to build with -Wl,-z,defs
-%undefine _strict_symbol_defs_build
-
 %define _hardened_build 1
 
 # Determine the location of the LDB modules directory

From d99b9966859ac813b7ffd3f3bdede23fc9b871fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 25 Jan 2021 12:47:08 +0100
Subject: [PATCH 05/15] spec: enable LTO

SSSD builds fine with LTO. The only problem was in tests but it is now fixed.
---
 contrib/sssd.spec.in | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 488705dde1..dcd965c878 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -468,10 +468,6 @@ for p in %patches ; do
 done
 
 %build
-# This package uses -Wl,-wrap to wrap calls at link time.  This is incompatible
-# with LTO.
-# Disable LTO
-%define _lto_cflags %{nil}
 
 autoreconf -ivf
 

From 3c1e7f25bf9adf79689dd2d6fa18093fef615086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 25 Jan 2021 12:54:44 +0100
Subject: [PATCH 06/15] spec: remove support for NSS

We no longer build with NSS. The --with-crypto option no longer exists and
we don't require these packages anymore.
---
 contrib/sssd.spec.in | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index dcd965c878..a8797f1c80 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -67,7 +67,6 @@ BuildRequires: dbus-devel
 BuildRequires: dbus-libs
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
-BuildRequires: nss-devel
 BuildRequires: nspr-devel
 BuildRequires: pcre-devel
 BuildRequires: libxslt
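Review bot: `BuildRequires: nspr-devel` stays directly below the removed `nss-devel`. If NSPR was only pulled in for the NSS crypto backend, drop it in this patch as well, so the build root does not keep an unused dependency.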
@@ -112,7 +111,6 @@ BuildRequires: gnutls-utils
 BuildRequires: softhsm >= 2.1.0
 BuildRequires: openssl
 BuildRequires: openssh
-BuildRequires: nss-tools
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -489,7 +487,6 @@ autoreconf -ivf
     --with-initscript=systemd \
     --with-syslog=journald \
     --without-python2-bindings \
-    --with-crypto=libcrypto \
     --enable-sss-default-nss-plugin \
     --enable-files-domain \
     --enable-gss-spnego-for-zero-maxssf \

From 12b8a9575e3b35665aeeb2e5ab07a559e16d45f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 25 Jan 2021 13:35:03 +0100
Subject: [PATCH 07/15] spec: remove --without-python2-bindings

Python2 bindings are not built by default anymore.
---
 contrib/sssd.spec.in | 1 -
 1 file changed, 1 deletion(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index a8797f1c80..05cf051232 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -486,7 +486,6 @@ autoreconf -ivf
     --disable-rpath \
     --with-initscript=systemd \
     --with-syslog=journald \
-    --without-python2-bindings \
     --enable-sss-default-nss-plugin \
     --enable-files-domain \
     --enable-gss-spnego-for-zero-maxssf \

From 03cb28804fba6b00e6e67156c631a40406814ca1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 28 Jan 2021 11:45:20 +0100
Subject: [PATCH 08/15] spec: re-import changes that were not merged in Fedora

There were several changes in upstream spec file that were not merged
in Fedora but fixed valid problems. These are:

- https://github.com/SSSD/sssd/pull/1008
- https://github.com/SSSD/sssd/pull/1039
- https://github.com/SSSD/sssd/pull/5137
- https://github.com/SSSD/sssd/commit/e698d53e0ddd3c2778e04fd8e405f8c0cee0a766
- https://github.com/SSSD/sssd/commit/7fbc7e3ffb7a5c0090bb2091011762dabf1f512f
---
 contrib/sssd.spec.in | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 05cf051232..1160145d22 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -9,6 +9,8 @@
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
 %global ldb_version 1.2.0
 
+%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
+
 Name: @PACKAGE_NAME@
 Version: @PACKAGE_VERSION@
 Release: 0@PRERELEASE_VERSION@%{?dist}
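Review bot: `%(rpm -q samba-devel --queryformat %{version}-%{release})` only works because `%{version}` and `%{release}` are still undefined this early in the spec and so reach rpm literally. Moved below the `Version:` tag, it would expand to SSSD's own version string. Escape them as `%%{version}-%%{release}` and quote the format. When samba-devel is not installed at parse time, `rpm -q` prints its "not installed" message into the macro, and that text ends up in `Requires: samba-client-libs >= %{samba_package_version}`, so the query should also handle a non-zero exit.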
@@ -35,6 +37,7 @@ Requires: sssd-ad = %{version}-%{release}
 Recommends: sssd-proxy = %{version}-%{release}
 Suggests: python3-sssdconfig = %{version}-%{release}
 Suggests: sssd-dbus = %{version}-%{release}
+Recommends: logrotate
 
 %global servicename sssd
 %global sssdstatedir %{_localstatedir}/lib/sss
@@ -96,7 +99,7 @@ BuildRequires: systemd-devel
 BuildRequires: systemd
 BuildRequires: cifs-utils-devel
 BuildRequires: libnfsidmap-devel
-BuildRequires: samba4-devel
+BuildRequires: samba-devel
 BuildRequires: libsmbclient-devel
 BuildRequires: samba-winbind
 BuildRequires: systemtap-sdt-devel
@@ -150,6 +153,8 @@ sub-packages such as sssd-ldap.
 %package client
 Summary: SSSD Client libraries for NSS and PAM
 License: LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 Requires(post): /sbin/ldconfig
 Requires(post):  /usr/sbin/alternatives
 Requires(preun): /usr/sbin/alternatives
@@ -178,6 +183,7 @@ A utility library to allow communication between Autofs and SSSD
 Summary: Userspace tools for use with the SSSD
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
+Requires: libsss_simpleifp = %{version}-%{release}
 # required by sss_obfuscate
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
@@ -230,6 +236,7 @@ License: GPLv3+
 Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 
 %description ldap
 Provides the LDAP back end that the SSSD can utilize to fetch identity data
@@ -261,6 +268,7 @@ against a Kerberos server.
 Summary: Common files needed for supporting PAC processing
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 
 %description common-pac
 Provides common files needed by SSSD providers such as IPA and Active Directory
@@ -270,11 +278,13 @@ for handling Kerberos PACs.
 Summary: The IPA back end of the SSSD
 License: GPLv3+
 Conflicts: sssd < 1.10.0-8.beta2
+Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: libipa_hbac%{?_isa} = %{version}-%{release}
 Recommends: bind-utils
 Requires: sssd-common-pac = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 
 %description ipa
 Provides the IPA back end that the SSSD can utilize to fetch identity data
@@ -284,9 +294,11 @@ from and authenticate against an IPA server.
 Summary: The AD back end of the SSSD
 License: GPLv3+
 Conflicts: sssd < 1.10.0-8.beta2
+Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: sssd-common-pac = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 Recommends: bind-utils
 Recommends: adcli
 Suggests: sssd-winbind-idmap = %{version}-%{release}
@@ -400,6 +412,8 @@ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
 %package winbind-idmap
 Summary: SSSD's idmap_sss Backend for Winbind
 License: GPLv3+ and LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 Conflicts: sssd-common < %{version}-%{release}
 
 %description winbind-idmap
@@ -700,13 +714,11 @@ done
 %dir %{_sysconfdir}/rwtab.d
 %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
 %dir %{_datadir}/sssd
-%{_sysconfdir}/pam.d/sssd-shadowutils
+%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
 %dir %{_libdir}/%{name}/conf
 %{_libdir}/%{name}/conf/sssd.conf
 
 %{_datadir}/sssd/cfg_rules.ini
-%{_datadir}/sssd/sssd.api.conf
-%{_datadir}/sssd/sssd.api.d
 %{_mandir}/man1/sss_ssh_authorizedkeys.1*
 %{_mandir}/man1/sss_ssh_knownhostsproxy.1*
 %{_mandir}/man5/sssd.conf.5*
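Review bot: dropping `%{_datadir}/sssd/sssd.api.conf` and `%{_datadir}/sssd/sssd.api.d` from this file list leaves the package that ships `cfg_rules.ini` and `%dir %{_datadir}/sssd` without them, and nothing visible in the patch adds a dependency on the package that picks them up in the next hunk. If anything installed from this file list reads the API schema at runtime, it needs a `Requires:` on the new owner; otherwise a line in the commit message stating that only SSSDConfig uses these files would settle it.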
@@ -831,6 +843,9 @@ done
 %{python3_sitelib}/SSSDConfig/*.py*
 %dir %{python3_sitelib}/SSSDConfig/__pycache__
 %{python3_sitelib}/SSSDConfig/__pycache__/*.py*
+%dir %{_datadir}/sssd
+%{_datadir}/sssd/sssd.api.conf
+%{_datadir}/sssd/sssd.api.d
 
 %files -n python3-sss
 %{python3_sitearch}/pysss.so

From 8e5d0d23556f833a43ca870d003813a697750e80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 28 Jan 2021 12:10:03 +0100
Subject: [PATCH 09/15] spec: synchronize with RHEL spec file

Bring stuff from RHEL spec file that was not available in Fedora.
---
 contrib/sssd.spec.in | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1160145d22..1e14d8393b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -35,7 +35,7 @@ Requires: sssd-krb5 = %{version}-%{release}
 Requires: sssd-ipa = %{version}-%{release}
 Requires: sssd-ad = %{version}-%{release}
 Recommends: sssd-proxy = %{version}-%{release}
-Suggests: python3-sssdconfig = %{version}-%{release}
+Requires: python3-sssdconfig = %{version}-%{release}
 Suggests: sssd-dbus = %{version}-%{release}
 Recommends: logrotate
 
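Review bot: changing `Suggests: python3-sssdconfig` to `Requires:` on the meta package is not wrapped in `%if 0%{?rhel}`, so it turns the Python module into a hard dependency of a plain `sssd` install on Fedora as well. The commit message only says the change comes from the RHEL spec; please state what needs the hard dependency, or keep it weak (`Recommends:`) if it is only there for tooling.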
@@ -139,6 +139,8 @@ Recommends: libsss_sudo = %{version}-%{release}
 Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
 Recommends: sssd-nfs-idmap = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
+Requires(pre): shadow-utils
 %{?systemd_requires}
 
 ### Provides ###
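Review bot: `Requires(pre): shadow-utils` is added here, and in the krb5-common, ipa and proxy stanzas further down, but this patch contains no `%pre` scriptlet that would call `groupadd` or `useradd`. The dependency should arrive in the same commit as the scriptlets that need it and under the same condition, so that each commit in the series stands on its own.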
@@ -187,6 +189,7 @@ Requires: libsss_simpleifp = %{version}-%{release}
 # required by sss_obfuscate
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: sssd-dbus
 
 %description tools
@@ -237,6 +240,7 @@ Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 
 %description ldap
 Provides the LDAP back end that the SSSD can utilize to fetch identity data
@@ -248,6 +252,7 @@ License: GPLv3+
 Conflicts: sssd < 1.10.0-8.beta2
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: sssd-common = %{version}-%{release}
+Requires(pre): shadow-utils
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can use for
@@ -282,9 +287,11 @@ Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: libipa_hbac%{?_isa} = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: bind-utils
 Requires: sssd-common-pac = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
+Requires(pre): shadow-utils
 
 %description ipa
 Provides the IPA back end that the SSSD can utilize to fetch identity data
@@ -299,6 +306,7 @@ Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: sssd-common-pac = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: bind-utils
 Recommends: adcli
 Suggests: sssd-winbind-idmap = %{version}-%{release}
@@ -312,6 +320,7 @@ Summary: The proxy back end of the SSSD
 License: GPLv3+
 Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
+Requires(pre): shadow-utils
 
 %description proxy
 Provides the proxy back end which can be used to wrap an existing NSS and/or
@@ -392,6 +401,19 @@ Requires: sssd-common = %{version}-%{release}
 Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
 the information from the SSSD to be transmitted over the system bus.
 
+%if 0%{?rhel}
+%package polkit-rules
+Summary: Rules for polkit integration for SSSD
+Group: Applications/System
+License: GPLv3+
+Requires: polkit >= 0.106
+Requires: sssd-common = %{version}-%{release}
+
+%description polkit-rules
+Provides rules for polkit integration with SSSD. This is required
+for smartcard support.
+%endif
+
 %package -n libsss_simpleifp
 Summary: The SSSD D-Bus responder helper library
 License: GPLv3+
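Review bot: `Group: Applications/System` in the new polkit-rules stanza is the only `Group:` tag among the subpackage stanzas touched by this series; the others carry just `Summary:` and `License:`. Drop it so the new stanza matches the rest of the spec.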
@@ -503,7 +525,11 @@ autoreconf -ivf
     --enable-sss-default-nss-plugin \
     --enable-files-domain \
     --enable-gss-spnego-for-zero-maxssf \
-    --enable-systemtap
+    --enable-systemtap \
+%if 0%{?fedora}
+    --disable-polkit-rules-path \
+%endif
+    %{nil}
 
 %make_build all docs runstatedir=%{_rundir}
 
@@ -739,6 +765,10 @@ done
 %{_datadir}/systemtap/tapset/sssd_functions.stp
 %{_mandir}/man5/sssd-systemtap.5*
 
+%if 0%{?rhel}
+%files polkit-rules
+%{_datadir}/polkit-1/rules.d/*
+%endif
 
 %files ldap -f sssd_ldap.lang
 %license COPYING
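Review bot: `%files polkit-rules` is guarded by `%if 0%{?rhel}` while the configure hunk above passes `--disable-polkit-rules-path` only under `%if 0%{?fedora}`, so the two conditions are not complements of each other. A build where neither macro is set leaves the rules path enabled with no `%files` entry claiming the result. Use one condition and its negation (`%if 0%{?rhel}` with `%else`). Listing the rules file by name instead of `%{_datadir}/polkit-1/rules.d/*` would also make an unexpected extra rules file fail the build rather than ship.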

From 60d217f4f17b1a2f788cfb393b02274188511d4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 28 Jan 2021 12:31:48 +0100
Subject: [PATCH 10/15] spec: use sssd user on RHEL

---
 contrib/sssd.spec.in | 66 +++++++++++++++++++++++++++++++-------------
 1 file changed, 47 insertions(+), 19 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1e14d8393b..fae5885736 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1,5 +1,12 @@
 # SSSD SPEC file for Fedora 34+ and RHEL-9+
 
+# define SSSD user
+%if 0%{?rhel}
+%global sssd_user sssd
+%else
+%global sssd_user root
+%endif
+
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
@@ -140,7 +147,9 @@ Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
 Recommends: sssd-nfs-idmap = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
+%if 0%{?rhel}
 Requires(pre): shadow-utils
+%endif
 %{?systemd_requires}
 
 ### Provides ###
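Review bot: only the `Requires(pre): shadow-utils` in the common stanza is wrapped in `%if 0%{?rhel}` here. The copies added to krb5-common, ipa and proxy in the previous patch stay unconditional, even though the `%pre` scriptlets for those packages at the end of this patch all sit inside `%if 0%{?rhel}`. Guard all four the same way.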
@@ -526,6 +535,7 @@ autoreconf -ivf
     --enable-files-domain \
     --enable-gss-spnego-for-zero-maxssf \
     --enable-systemtap \
+    --with-sssd-user=%{sssd_user} \
 %if 0%{?fedora}
     --disable-polkit-rules-path \
 %endif
@@ -719,20 +729,20 @@ done
 
 %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
-%attr(700,root,root) %dir %{dbpath}
-%attr(775,root,root) %dir %{mcpath}
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
 %attr(700,root,root) %dir %{secdbpath}
 %attr(751,root,root) %dir %{deskprofilepath}
-%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
-%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group
-%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
-%attr(755,root,root) %dir %{pipepath}
-%attr(700,root,root) %dir %{pipepath}/private
-%attr(755,root,root) %dir %{pubconfpath}
-%attr(755,root,root) %dir %{gpocachepath}
-%attr(750,root,root) %dir %{_var}/log/%{name}
-%attr(700,root,root) %dir %{_sysconfdir}/sssd
-%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
+%attr(750,%{sssd_user},root) %dir %{pipepath}/private
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
+%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
 %attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
 %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
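Review bot: `%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd` hands the configuration directory to the service user while `sssd.conf` inside it stays `root:root` 0600. The owner of a directory can unlink and recreate entries in it, so on RHEL the root ownership of the file no longer stops the sssd user from replacing it. Please confirm this is intended and that the daemon rejects a config file with unexpected ownership, or keep the directory root-owned. Separately, `%{pipepath}/private` goes from 700 to 750 on Fedora too, where `%{sssd_user}` is root; if the wider mode is only needed for the non-root user it should be conditional.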
@@ -778,9 +788,9 @@ done
 
 %files krb5-common
 %license COPYING
-%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
-%{_libexecdir}/%{servicename}/ldap_child
-%{_libexecdir}/%{servicename}/krb5_child
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
+%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
+%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %license COPYING
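Review bot: `%attr(4750,root,%{sssd_user})` on `ldap_child` and `krb5_child` sets the setuid bit unconditionally, so on Fedora, where `%{sssd_user}` expands to root, the helpers become setuid 4750 root:root although the service user is already root and the previous file list set no special mode. Make the setuid attribute conditional on the non-root user; the same applies to `selinux_child` and `proxy_child` in the following hunks. A comment next to each entry saying why the helper needs root would make the set of setuid binaries easier to audit.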
@@ -793,9 +803,9 @@ done
 
 %files ipa -f sssd_ipa.lang
 %license COPYING
-%attr(700,root,root) %dir %{keytabdir}
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
 %{_libdir}/%{name}/libsss_ipa.so
-%{_libexecdir}/%{servicename}/selinux_child
+%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
@@ -806,7 +816,7 @@ done
 
 %files proxy
 %license COPYING
-%{_libexecdir}/%{servicename}/proxy_child
+%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
 %{_libdir}/%{name}/libsss_proxy.so
 
 %files dbus -f sssd_dbus.lang
@@ -949,6 +959,24 @@ done
 %{_mandir}/man8/sssd-kcm.8*
 %{_libdir}/%{name}/libsss_secrets.so
 
+%if 0%{?rhel}
+%pre ipa
+getent group sssd >/dev/null || groupadd -r sssd
+getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+
+%pre krb5-common
+getent group sssd >/dev/null || groupadd -r sssd
+getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+
+%pre common
+getent group sssd >/dev/null || groupadd -r sssd
+getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+
+%pre proxy
+getent group sssd >/dev/null || groupadd -r sssd
+getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+%endif
+
 %post common
 %systemd_post sssd.service
 %systemd_post sssd-autofs.socket
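Review bot: the four `%pre` scriptlets are identical copies and hardcode `sssd` instead of using `%{sssd_user}`, so changing the macro at the top of the spec would leave the scriptlets creating a different account than the one named in the `%attr` entries and in `--with-sssd-user`. Define the `getent`/`groupadd`/`useradd` pair once in a macro that expands `%{sssd_user}` and reference it from each `%pre`.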
@@ -1031,4 +1059,4 @@ fi
 
 %changelog
 * Thu Jan 21 2021 Pavel Březina <pbrez...@redhat.com> - @PACKAGE_NAME@-@PACKAGE_VERSION@-0@PRERELEASE_VERSION@
-- Built from upstream sources.
\ No newline at end of file
+- Built from upstream sources.

From ea533915109c9ca3af4a242418c32b01125256b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 28 Jan 2021 12:33:26 +0100
Subject: [PATCH 11/15] spec: remove conflicts that no longer make sense

---
 contrib/sssd.spec.in | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index fae5885736..d1f72c11a8 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -135,9 +135,6 @@ the existing back ends.
 %package common
 Summary: Common files for the SSSD
 License: GPLv3+
-# Conflicts
-Conflicts: selinux-policy < 3.10.0-46
-Conflicts: sssd < 1.10.0-8%{?dist}.beta2
 # Requires
 # due to ABI changes in 1.1.30/1.2.0
 Requires: libldb >= %{ldb_version}
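Review bot: `Conflicts: selinux-policy < 3.10.0-46` is removed together with the `sssd < 1.10.0-8` self-conflicts, but it constrains a different package and the commit has no body explaining why it is obsolete. A sentence in the commit message on the minimum selinux-policy version in the targets named in the spec header (Fedora 34+ and RHEL-9+) would make the removal verifiable.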
@@ -245,7 +242,6 @@ Provides python3 module for calculating the murmur hash version 3
 %package ldap
 Summary: The LDAP back end of the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
@@ -258,7 +254,6 @@ from and authenticate against an LDAP server.
 %package krb5-common
 Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: sssd-common = %{version}-%{release}
 Requires(pre): shadow-utils
@@ -270,7 +265,6 @@ Kerberos user or host authentication.
 %package krb5
 Summary: The Kerberos authentication back end for the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 
@@ -291,7 +285,6 @@ for handling Kerberos PACs.
 %package ipa
 Summary: The IPA back end of the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
@@ -309,7 +302,6 @@ from and authenticate against an IPA server.
 %package ad
 Summary: The AD back end of the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
@@ -327,7 +319,6 @@ identity data from and authenticate against an Active Directory server.
 %package proxy
 Summary: The proxy back end of the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires(pre): shadow-utils
 

From a9bcbf2e916bd0306385fa6f979a4af80fd98367 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 28 Jan 2021 12:39:18 +0100
Subject: [PATCH 12/15] spec: remove unused BuildRequires

- http-parser-devel, libcurl-devel - needed by secrets responder which is not built anymore
- dbus-libs, openssl, systemd - pulled in by -devel packages
- libcollection-devel, nspr-devel - not required
---
 contrib/sssd.spec.in | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index d1f72c11a8..47461c82ae 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -71,13 +71,10 @@ BuildRequires: libtevent-devel
 BuildRequires: libtdb-devel
 BuildRequires: libldb-devel >= %{ldb_version}
 BuildRequires: libdhash-devel >= 0.4.2
-BuildRequires: libcollection-devel
 BuildRequires: libini_config-devel >= 1.1
 BuildRequires: dbus-devel
-BuildRequires: dbus-libs
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
-BuildRequires: nspr-devel
 BuildRequires: pcre-devel
 BuildRequires: libxslt
 BuildRequires: libxml2
@@ -103,23 +100,19 @@ BuildRequires: nss_wrapper
 BuildRequires: pam_wrapper
 BuildRequires: libnl3-devel
 BuildRequires: systemd-devel
-BuildRequires: systemd
 BuildRequires: cifs-utils-devel
 BuildRequires: libnfsidmap-devel
 BuildRequires: samba-devel
 BuildRequires: libsmbclient-devel
 BuildRequires: samba-winbind
 BuildRequires: systemtap-sdt-devel
-BuildRequires: http-parser-devel
 BuildRequires: libuuid-devel
 BuildRequires: jansson-devel
-BuildRequires: libcurl-devel
 BuildRequires: gdm-pam-extensions-devel
 BuildRequires: p11-kit-devel
 BuildRequires: openssl-devel
 BuildRequires: gnutls-utils
 BuildRequires: softhsm >= 2.1.0
-BuildRequires: openssl
 BuildRequires: openssh
 
 %description
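Review bot: removing `BuildRequires: systemd` relies on `systemd-devel` to bring in the RPM macros this spec uses (`%{?systemd_requires}`, `%systemd_post`). Because `%{?systemd_requires}` is a conditional expansion, it silently becomes empty if the macro is not defined at build time, and the package would lose its scriptlet dependencies without any build error. Add an explicit `BuildRequires: systemd-rpm-macros` rather than depending on a transitive pull.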

From 907cbe88666d97b3f19c689568a4be0904a79141 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 28 Jan 2021 12:43:24 +0100
Subject: [PATCH 13/15] spec: remove unused Requires

- simpleifp was required by sssctl but not anymore
- we don't call ldconfig in post for client
---
 contrib/sssd.spec.in | 1 -
 1 file changed, 1 deletion(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 47461c82ae..db3ebd958b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -184,7 +184,6 @@ A utility library to allow communication between Autofs and SSSD
 Summary: Userspace tools for use with the SSSD
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
-Requires: libsss_simpleifp = %{version}-%{release}
 # required by sss_obfuscate
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
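Review bot: the commit message lists two items, but the diff contains a single deletion, `Requires: libsss_simpleifp` from the tools stanza; nothing here corresponds to the bullet about not calling ldconfig in post for the client. Either the second removal is missing from the patch or the message should drop that bullet.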

From 21809a029aac06f4e27af5dec4e8b650d988e0a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 28 Jan 2021 13:33:18 +0100
Subject: [PATCH 14/15] spec: sort Requires, BuildRequires and configure for
 better clarity

---
 contrib/sssd.spec.in | 124 +++++++++++++++++++++----------------------
 1 file changed, 62 insertions(+), 62 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index db3ebd958b..47529ee13f 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -36,15 +36,15 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
 
 ### Dependencies ###
 
+Requires: python3-sssdconfig = %{version}-%{release}
+Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
-Requires: sssd-ldap = %{version}-%{release}
-Requires: sssd-krb5 = %{version}-%{release}
 Requires: sssd-ipa = %{version}-%{release}
-Requires: sssd-ad = %{version}-%{release}
+Requires: sssd-krb5 = %{version}-%{release}
+Requires: sssd-ldap = %{version}-%{release}
 Recommends: sssd-proxy = %{version}-%{release}
-Requires: python3-sssdconfig = %{version}-%{release}
-Suggests: sssd-dbus = %{version}-%{release}
 Recommends: logrotate
+Suggests: sssd-dbus = %{version}-%{release}
 
 %global servicename sssd
 %global sssdstatedir %{_localstatedir}/lib/sss
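Review bot: after the reorder the two `Recommends:` lines are still unsorted, with `sssd-proxy` ahead of `logrotate`, although the `Requires:` group above them is now alphabetical. Swap them so every group in this block follows the same rule.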
@@ -59,61 +59,61 @@ Recommends: logrotate
 
 ### Build Dependencies ###
 
-BuildRequires: make
 BuildRequires: autoconf
 BuildRequires: automake
-BuildRequires: libtool
-BuildRequires: m4
-BuildRequires: gcc
-BuildRequires: popt-devel
-BuildRequires: libtalloc-devel
-BuildRequires: libtevent-devel
-BuildRequires: libtdb-devel
-BuildRequires: libldb-devel >= %{ldb_version}
-BuildRequires: libdhash-devel >= 0.4.2
-BuildRequires: libini_config-devel >= 1.1
-BuildRequires: dbus-devel
-BuildRequires: openldap-devel
-BuildRequires: pam-devel
-BuildRequires: pcre-devel
-BuildRequires: libxslt
-BuildRequires: libxml2
-BuildRequires: docbook-style-xsl
-BuildRequires: krb5-devel
+BuildRequires: bind-utils
 BuildRequires: c-ares-devel
-BuildRequires: python3-devel
 BuildRequires: check-devel
-BuildRequires: doxygen
-BuildRequires: libselinux-devel
-BuildRequires: libsemanage-devel
-BuildRequires: bind-utils
-BuildRequires: keyutils-libs-devel
-BuildRequires: gettext-devel
-BuildRequires: pkgconfig
+BuildRequires: cifs-utils-devel
+BuildRequires: dbus-devel
 BuildRequires: diffstat
+BuildRequires: docbook-style-xsl
+BuildRequires: doxygen
 BuildRequires: findutils
+BuildRequires: gcc
+BuildRequires: gdm-pam-extensions-devel
+BuildRequires: gettext-devel
 BuildRequires: glib2-devel
-BuildRequires: selinux-policy-targeted
+BuildRequires: gnutls-utils
+BuildRequires: jansson-devel
+BuildRequires: keyutils-libs-devel
+BuildRequires: krb5-devel
 BuildRequires: libcmocka-devel >= 1.0.0
-BuildRequires: uid_wrapper
-BuildRequires: nss_wrapper
-BuildRequires: pam_wrapper
-BuildRequires: libnl3-devel
-BuildRequires: systemd-devel
-BuildRequires: cifs-utils-devel
+BuildRequires: libdhash-devel >= 0.4.2
+BuildRequires: libini_config-devel >= 1.1
+BuildRequires: libldb-devel >= %{ldb_version}
 BuildRequires: libnfsidmap-devel
-BuildRequires: samba-devel
+BuildRequires: libnl3-devel
+BuildRequires: libselinux-devel
+BuildRequires: libsemanage-devel
 BuildRequires: libsmbclient-devel
-BuildRequires: samba-winbind
-BuildRequires: systemtap-sdt-devel
+BuildRequires: libtalloc-devel
+BuildRequires: libtdb-devel
+BuildRequires: libtevent-devel
+BuildRequires: libtool
 BuildRequires: libuuid-devel
-BuildRequires: jansson-devel
-BuildRequires: gdm-pam-extensions-devel
-BuildRequires: p11-kit-devel
+BuildRequires: libxml2
+BuildRequires: libxslt
+BuildRequires: m4
+BuildRequires: make
+BuildRequires: nss_wrapper
+BuildRequires: openldap-devel
+BuildRequires: openssh
 BuildRequires: openssl-devel
-BuildRequires: gnutls-utils
+BuildRequires: p11-kit-devel
+BuildRequires: pam_wrapper
+BuildRequires: pam-devel
+BuildRequires: pcre-devel
+BuildRequires: pkgconfig
+BuildRequires: popt-devel
+BuildRequires: python3-devel
+BuildRequires: samba-devel
+BuildRequires: samba-winbind
+BuildRequires: selinux-policy-targeted
 BuildRequires: softhsm >= 2.1.0
-BuildRequires: openssh
+BuildRequires: systemd-devel
+BuildRequires: systemtap-sdt-devel
+BuildRequires: uid_wrapper
 
 %description
 Provides a set of daemons to manage access to remote directories and
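Review bot: in the sorted BuildRequires block `pam_wrapper` is placed before `pam-devel`, which is out of order both bytewise (`-` sorts before `_`) and when punctuation is ignored (`d` before `w`). Swap the two so the list can be checked mechanically. Since this commit only moves lines, a note in the commit message that no entry was added or dropped would spare reviewers from comparing the two sets by hand.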
@@ -498,27 +498,27 @@ done
 autoreconf -ivf
 
 %configure \
-    --with-test-dir=/dev/shm \
+    --disable-rpath \
+    --disable-static \
+    --enable-files-domain \
+    --enable-gss-spnego-for-zero-maxssf \
+    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
+    --enable-nsslibdir=%{_libdir} \
+    --enable-pammoddir=%{_libdir}/security \
+    --enable-sss-default-nss-plugin \
+    --enable-systemtap \
     --with-db-path=%{dbpath} \
-    --with-mcache-path=%{mcpath} \
-    --with-pipe-path=%{pipepath} \
-    --with-pubconf-path=%{pubconfpath} \
     --with-gpo-cache-path=%{gpocachepath} \
     --with-init-dir=%{_initrddir} \
+    --with-initscript=systemd \
     --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
+    --with-mcache-path=%{mcpath} \
     --with-pid-path=%{_rundir} \
-    --enable-nsslibdir=%{_libdir} \
-    --enable-pammoddir=%{_libdir}/security \
-    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
-    --disable-static \
-    --disable-rpath \
-    --with-initscript=systemd \
-    --with-syslog=journald \
-    --enable-sss-default-nss-plugin \
-    --enable-files-domain \
-    --enable-gss-spnego-for-zero-maxssf \
-    --enable-systemtap \
+    --with-pipe-path=%{pipepath} \
+    --with-pubconf-path=%{pubconfpath} \
     --with-sssd-user=%{sssd_user} \
+    --with-syslog=journald \
+    --with-test-dir=/dev/shm \
 %if 0%{?fedora}
     --disable-polkit-rules-path \
 %endif

From e1c95c357385f42ae9860644d2b33c7381baed76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Thu, 28 Jan 2021 13:36:08 +0100
Subject: [PATCH 15/15] spec: comment some requirements

---
 contrib/sssd.spec.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 47529ee13f..dd8eebe2d5 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -74,6 +74,7 @@ BuildRequires: gcc
 BuildRequires: gdm-pam-extensions-devel
 BuildRequires: gettext-devel
 BuildRequires: glib2-devel
+# required for p11_child smartcard tests
 BuildRequires: gnutls-utils
 BuildRequires: jansson-devel
 BuildRequires: keyutils-libs-devel
@@ -108,8 +109,10 @@ BuildRequires: pkgconfig
 BuildRequires: popt-devel
 BuildRequires: python3-devel
 BuildRequires: samba-devel
+# required for idmap_sss.so
 BuildRequires: samba-winbind
 BuildRequires: selinux-policy-targeted
+# required for p11_child smartcard tests
 BuildRequires: softhsm >= 2.1.0
 BuildRequires: systemd-devel
 BuildRequires: systemtap-sdt-devel