diff --git a/.gitignore b/.gitignore
index a69f309..552dbf2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.6.3.tar.gz
 /sssd-1.6.4.tar.gz
 /sssd-1.7.0.tar.gz
+/sssd-1.8.0beta1.tar.gz
diff --git a/0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch b/0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
deleted file mode 100644
index afb7a58..0000000
--- a/0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
+++ /dev/null
@@ -1,254 +0,0 @@ -From cd59e5d02ec97ea309fd51d4d6a6a4421617cd12 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Wed, 1 Feb 2012 14:03:36 -0500 -Subject: [PATCH] LDAP: Do not fail if RootDSE check cannot determine search - bases - -https://fedorahosted.org/sssd/ticket/1152 - -Conflicts: - - src/providers/ldap/sdap_async_services.c ---- - src/providers/ipa/ipa_netgroups.c | 7 +++++ - src/providers/ldap/ldap_common.c | 5 +-- - src/providers/ldap/sdap.c | 7 ++++- - src/providers/ldap/sdap_async_groups.c | 9 +++++++ - src/providers/ldap/sdap_async_initgroups.c | 35 +++++++++++++++++++++++++++- - src/providers/ldap/sdap_async_netgroups.c | 10 ++++++++ - src/providers/ldap/sdap_async_users.c | 9 +++++++ - src/providers/ldap/sdap_sudo.c | 9 +++++++ - 8 files changed, 86 insertions(+), 5 deletions(-) - -diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c -index 78bcee1b44fec3c8d04fc5ba13b46db26396d1b1..7da1147c7d6fd1dec8872209e442ae99ee810aa1 100644 ---- a/src/providers/ipa/ipa_netgroups.c -+++ b/src/providers/ipa/ipa_netgroups.c -@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx, - state->base_filter = filter; - state->netgr_base_iter = 0; - -+ if (!ipa_options->id->netgroup_search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("Netgroup lookup request without a search base\n")); -+ ret = EINVAL; -+ goto done; -+ } -+ - ret = sss_hash_create(state, 32, &state->new_netgroups); - if (ret != EOK) goto done; - ret = sss_hash_create(state, 32, &state->new_users); -diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c -index 71921963a768a9975eca6432025704e06f28a2b8..c287b345217befeb872b25521d80d601fc27f0c7 100644 ---- a/src/providers/ldap/ldap_common.c -+++ b/src/providers/ldap/ldap_common.c -@@ -538,9 +538,8 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx, - dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE))); - } - } else { -- /* FIXME: try to discover it later */ -- 
DEBUG(SSSDBG_OP_FAILURE, ("Error: no SUDO search base set\n")); -- return ENOENT; -+ DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later " -+ "connecting to the LDAP server.\n")); - } - - ret = sdap_parse_search_base(opts, opts->basic, -diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c -index 3ca2e286146e1e88b1fd7abef341fa8c3aa699ad..2b29116949b2f8efae269a994a0f3da64a0ee612 100644 ---- a/src/providers/ldap/sdap.c -+++ b/src/providers/ldap/sdap.c -@@ -748,7 +748,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, - naming_context = get_naming_context(opts->basic, rootdse); - if (naming_context == NULL) { - DEBUG(1, ("get_naming_context failed.\n")); -- ret = EINVAL; -+ -+ /* This has to be non-fatal, since some servers offer -+ * multiple namingContexts entries. We will just -+ * add NULL checks for the search bases in the lookups. -+ */ -+ ret = EOK; - goto done; - } - } -diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c -index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644 ---- a/src/providers/ldap/sdap_async_groups.c -+++ b/src/providers/ldap/sdap_async_groups.c -@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx, - state->base_iter = 0; - state->search_bases = search_bases; - -+ if (!search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("Group lookup request without a search base\n")); -+ ret = EINVAL; -+ goto done; -+ } -+ - ret = sdap_get_groups_next_base(req); -+ -+done: - if (ret != EOK) { - tevent_req_error(req, ret); - tevent_req_post(req, ev); -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -303,6 +303,13 @@ struct tevent_req 
*sdap_initgr_rfc2307_send(TALLOC_CTX *memctx, - state->base_iter = 0; - state->search_bases = opts->group_search_bases; - -+ if (!state->search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("Initgroups lookup request without a group search base\n")); -+ ret = EINVAL; -+ goto done; -+ } -+ - state->name = talloc_strdup(state, name); - if (!state->name) { - talloc_zfree(req); -@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx, - talloc_zfree(clean_name); - - ret = sdap_initgr_rfc2307_next_base(req); -+ -+done: - if (ret != EOK) { - tevent_req_error(req, ret); - tevent_req_post(req, ev); -@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( - state->base_iter = 0; - state->search_bases = opts->group_search_bases; - -+ if (!state->search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("Initgroups lookup request without a group search base\n")); -+ ret = EINVAL; -+ goto done; -+ } -+ - ret = sss_hash_create(state, 32, &state->group_hash); - if (ret != EOK) { - talloc_free(req); -@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send( - SDAP_SEARCH_TIMEOUT); - state->base_iter = 0; - state->search_bases = opts->group_search_bases; -- -+ if (!state->search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("Initgroups nested lookup request " -+ "without a group search base\n")); -+ ret = EINVAL; -+ goto done; -+ } - - ret = rfc2307bis_nested_groups_step(req); -+ -+done: - if (ret == EOK) { - /* All parent groups were already processed */ - tevent_req_done(req); -@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); - state->user_base_iter = 0; - state->user_search_bases = id_ctx->opts->user_search_bases; -+ if (!state->user_search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("Initgroups lookup request without a user search base\n")); -+ ret = EINVAL; -+ goto done; -+ } - - ret = sss_filter_sanitize(state, name, 
&clean_name); - if (ret != EOK) { -+ talloc_zfree(req); - return NULL; - } - -@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, - } - - ret = sdap_get_initgr_next_base(req); -+ -+done: - if (ret != EOK) { - tevent_req_error(req, ret); - tevent_req_post(req, ev); -diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c -index 0888c7e2fcf03d0b133bcf93ad017086aedffe16..f3a378f6488cfd46001c22b3a5abf29724f2fd0d 100644 ---- a/src/providers/ldap/sdap_async_netgroups.c -+++ b/src/providers/ldap/sdap_async_netgroups.c -@@ -579,7 +579,17 @@ struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx, - state->base_iter = 0; - state->search_bases = search_bases; - -+ if (!state->search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("Netgroup lookup request without a netgroup search base\n")); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ - ret = sdap_get_netgroups_next_base(req); -+ -+done: - if (ret != EOK) { - tevent_req_error(req, ret); - tevent_req_post(req, state->ev); -diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c -index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644 ---- a/src/providers/ldap/sdap_async_users.c -+++ b/src/providers/ldap/sdap_async_users.c -@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx, - state->search_bases = search_bases; - state->enumeration = enumeration; - -+ if (!state->search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("User lookup request without a search base\n")); -+ ret = EINVAL; -+ goto done; -+ } -+ - ret = sdap_get_users_next_base(req); -+ -+done: - if (ret != EOK) { - tevent_req_error(req, ret); - tevent_req_post(req, state->ev); -diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c -index 68cb47cd38952594d34ccc81913b7308caf9af10..aeae22eccf2a9adf3fb2fde831a3b492a6c4afb7 100644 ---- a/src/providers/ldap/sdap_sudo.c -+++ 
b/src/providers/ldap/sdap_sudo.c -@@ -237,6 +237,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx, - state->ldap_rules = NULL; - state->ldap_rules_count = 0; - -+ if (!state->search_bases) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ ("SUDOERS lookup request without a search base\n")); -+ ret = EINVAL; -+ goto done; -+ } -+ - /* create filter */ - state->filter = sdap_sudo_build_filter(state, - state->opts->sudorule_map, -@@ -256,6 +263,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx, - - /* begin search */ - ret = sdap_sudo_load_sudoers_next_base(req); -+ -+done: - if (ret != EOK) { - tevent_req_error(req, ret); - tevent_req_post(req, sudo_ctx->be_ctx->ev); --- -1.7.7.6 - diff --git a/0002-DP-Fix-bugs-in-sss_dp_get_account_int.patch b/0002-DP-Fix-bugs-in-sss_dp_get_account_int.patch deleted file mode 100644 index cd58c17..0000000 --- a/0002-DP-Fix-bugs-in-sss_dp_get_account_int.patch +++ /dev/null 
@@ -1,265 +0,0 @@ -From 707b20e80a5c5b86944dc55bbc652b392a4c6454 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Sat, 21 Jan 2012 12:11:23 -0500 -Subject: [PATCH 5/5] DP: Fix bugs in sss_dp_get_account_int - -The conversion to the tevent_req style introduced numerous bugs -related to memory management of the various client requests. In -some circumstances, this could cause memory corruption and -segmentation faults in the NSS responder. This patch makes the -following changes: - -1) Rename the internal lookup from subreq to sidereq, to indicate -that it is not a sub-request of the current lookup (and therefore -is not cancelled if the current request is). - -2) Change the handling of the callback loops since they call -tevent_req_[done|error], which results in them being freed (and -therefore removed from the cb_list. This was the source of the -memory corruption that would occasionally result in dereferencing -an unreadable request. - -3) Remove the unnecessary sss_dp_get_account_int_recv() function -and change sss_dp_get_account_done() so that it only frees the -sidereq. All of the waiting processes have already been signaled -with the final results from sss_dp_get_account_int_done() ---- - src/responder/common/responder_dp.c | 110 +++++++++++----------------- - src/responder/nss/nsssrv_cmd.c | 1 + - src/responder/pam/pamsrv_cmd.c | 1 + - src/responder/sudo/sudosrv_get_sudorules.c | 1 + - 4 files changed, 47 insertions(+), 66 deletions(-) - -diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c -index f51e2496a165cc2b776af776f2e9d1ea75b8e62c..9219037cc6055899e675eef846af54238d5c61e1 100644 ---- a/src/responder/common/responder_dp.c -+++ b/src/responder/common/responder_dp.c -@@ -92,11 +92,28 @@ static int sss_dp_req_destructor(void *ptr) - /* If there are callbacks that haven't been invoked, return - * an error now. 
- */ -- DLIST_FOR_EACH(cb, sdp_req->cb_list) { -+ while((cb = sdp_req->cb_list) != NULL) { - state = tevent_req_data(cb->req, struct dp_get_account_state); - state->err_maj = DP_ERR_FATAL; - state->err_min = EIO; -+ -+ /* tevent_req_done/error will free cb */ - tevent_req_error(cb->req, EIO); -+ -+ /* Freeing the cb removes it from the cb_list. -+ * Therefore, the cb_list should now be pointing -+ * at a new callback. If it's not, it means the -+ * callback handler didn't free cb and may leak -+ * memory. Be paranoid and protect against this -+ * situation. -+ */ -+ if (cb == sdp_req->cb_list) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ ("BUG: a callback did not free its request. " -+ "May leak memory\n")); -+ /* Skip to the next since a memory leak is non-fatal */ -+ sdp_req->cb_list = sdp_req->cb_list->next; -+ } - } - - /* Destroy the hash entry */ -@@ -225,14 +242,6 @@ sss_dp_get_account_int_send(struct resp_ctx *rctx, - static void - sss_dp_get_account_done(struct tevent_req *subreq); - --static errno_t --sss_dp_get_account_int_recv(TALLOC_CTX *mem_ctx, -- struct tevent_req *req, -- dbus_uint16_t *err_maj, -- dbus_uint32_t *err_min, -- char **err_msg); -- -- - /* Send a request to the data provider - * Once this function is called, the communication - * with the data provider will always run to -@@ -252,7 +261,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx, - errno_t ret; - int hret; - struct tevent_req *req; -- struct tevent_req *subreq; -+ struct tevent_req *sidereq; - struct dp_get_account_state *state; - struct sss_dp_req *sdp_req; - struct sss_dp_callback *cb; -@@ -343,19 +352,19 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx, - */ - - value.type = HASH_VALUE_PTR; -- subreq = sss_dp_get_account_int_send(rctx, state->key, dom, -+ sidereq = sss_dp_get_account_int_send(rctx, state->key, dom, - be_type, filter); -- if (!subreq) { -+ if (!sidereq) { - ret = ENOMEM; - goto error; - } -- tevent_req_set_callback(subreq, sss_dp_get_account_done, NULL); -+ 
tevent_req_set_callback(sidereq, sss_dp_get_account_done, NULL); - - /* We should now be able to find the sdp_req in the hash table */ - hret = hash_lookup(rctx->dp_request_table, state->key, &value); - if (hret != HASH_SUCCESS) { - /* Something must have gone wrong with creating the request */ -- talloc_zfree(subreq); -+ talloc_zfree(sidereq); - ret = EIO; - goto error; - } -@@ -402,23 +411,10 @@ error: - } - - static void --sss_dp_get_account_done(struct tevent_req *subreq) -+sss_dp_get_account_done(struct tevent_req *sidereq) - { -- errno_t ret; -- struct tevent_req *req = tevent_req_callback_data(subreq, -- struct tevent_req); -- struct dp_get_account_state *state = -- tevent_req_data(req, struct dp_get_account_state); -- -- ret = sss_dp_get_account_int_recv(state, req, -- &state->err_maj, -- &state->err_min, -- &state->err_msg); -- if (ret != EOK) { -- tevent_req_done(req); -- } else { -- tevent_req_error(req, ret); -- } -+ /* Nothing to do here. The callbacks have already been invoked */ -+ talloc_zfree(sidereq); - } - - errno_t -@@ -599,7 +595,7 @@ static void sss_dp_get_account_int_done(DBusPendingCall *pending, void *ptr) - int ret; - struct tevent_req *req; - struct sss_dp_req *sdp_req; -- struct sss_dp_callback *cb, *prevcb = NULL; -+ struct sss_dp_callback *cb; - struct dp_get_account_int_state *state; - struct dp_get_account_state *cb_state; - -@@ -630,58 +626,40 @@ static void sss_dp_get_account_int_done(DBusPendingCall *pending, void *ptr) - } - - /* Check whether we need to issue any callbacks */ -- DLIST_FOR_EACH(cb, sdp_req->cb_list) { -+ while ((cb = sdp_req->cb_list) != NULL) { - cb_state = tevent_req_data(cb->req, struct dp_get_account_state); - cb_state->err_maj = sdp_req->err_maj; - cb_state->err_min = sdp_req->err_min; - cb_state->err_msg = talloc_strdup(cb_state, sdp_req->err_msg); - /* Don't bother checking for NULL. If it fails due to ENOMEM, -- * we can't really handle it annyway. -+ * we can't really handle it anyway. 
- */ - -+ /* tevent_req_done/error will free cb */ - if (ret == EOK) { - tevent_req_done(cb->req); - } else { - tevent_req_error(cb->req, ret); - } - -- /* Freeing the request removes it from the list */ -- if (prevcb) talloc_free(prevcb); -- prevcb = cb; -+ /* Freeing the cb removes it from the cb_list. -+ * Therefore, the cb_list should now be pointing -+ * at a new callback. If it's not, it means the -+ * callback handler didn't free cb and may leak -+ * memory. Be paranoid and protect against this -+ * situation. -+ */ -+ if (cb == sdp_req->cb_list) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ ("BUG: a callback did not free its request. " -+ "May leak memory\n")); -+ /* Skip to the next since a memory leak is non-fatal */ -+ sdp_req->cb_list = sdp_req->cb_list->next; -+ } - } -- talloc_free(prevcb); - - /* We're done with this request. Free the sdp_req - * This will clean up the hash table entry as well - */ - talloc_zfree(sdp_req); - } -- --static errno_t --sss_dp_get_account_int_recv(TALLOC_CTX *mem_ctx, -- struct tevent_req *req, -- dbus_uint16_t *err_maj, -- dbus_uint32_t *err_min, -- char **err_msg) --{ -- struct dp_get_account_int_state *state = -- tevent_req_data(req, struct dp_get_account_int_state); -- -- enum tevent_req_state TRROEstate; -- uint64_t TRROEerr; -- -- *err_maj = state->sdp_req->err_maj; -- *err_min = state->sdp_req->err_min; -- *err_msg = talloc_steal(mem_ctx, state->sdp_req->err_msg); -- -- if (tevent_req_is_error(req, &TRROEstate, &TRROEerr)) { -- if (TRROEstate == TEVENT_REQ_USER_ERROR) { -- *err_maj = DP_ERR_FATAL; -- *err_min = TRROEerr; -- } else { -- return EIO; -- } -- } -- -- return EOK; --} -diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c -index 3bc30ab8641b1787ded15165890e61836e46e802..fc2dca8d7a9e9dc1e5d68c98f95a5d3d67231f4a 100644 ---- a/src/responder/nss/nsssrv_cmd.c -+++ b/src/responder/nss/nsssrv_cmd.c -@@ -700,6 +700,7 @@ static void nsssrv_dp_send_acct_req_done(struct tevent_req *req) - ret = 
sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
- &err_maj, &err_min,
- &err_msg);
-+ talloc_zfree(req);
- if (ret != EOK) {
- NSS_CMD_FATAL_ERROR(cb_ctx->cctx);
- }
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 3b2d509e237b12516e1234a34a8542ae09752c43..2e544cd5aa5a566e5557f2d9280b57b24f39befd 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -994,6 +994,7 @@ static void pam_dp_send_acct_req_done(struct tevent_req *req)
- ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
- &err_maj, &err_min,
- &err_msg);
-+ talloc_zfree(req);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Fatal error, killing connection!\n"));
-diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
-index 5d54f95ab78bc43338dd55205e85dbba7bd5f437..1723fd42c8222e72e46498a3b83e427099243369 100644
---- a/src/responder/sudo/sudosrv_get_sudorules.c
-+++ b/src/responder/sudo/sudosrv_get_sudorules.c
-@@ -181,6 +181,7 @@ static void sudosrv_dp_send_acct_req_done(struct tevent_req *req)
- ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
- &err_maj, &err_min,
- &err_msg);
-+ talloc_zfree(req);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Fatal error, killing connection!\n"));
---
-1.7.4.1
-
diff --git a/sources b/sources
index cf39ce3..d229788 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1fbc9c99df8f2883513cb4b767d4b7d4 sssd-1.7.0.tar.gz
+e6fddc180edbf69fddcb4151701b2d5c sssd-1.8.0beta1.tar.gz
diff --git a/sssd.spec b/sssd.spec
index a5bb221..d72d1a9 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -18,28 +18,27 @@
 %global ldb_version 1.1.4
 Name: sssd
-Version: 1.7.0
-Release: 5%{?dist}
+Version: 1.8.0
+Release: 1%{?dist}.beta1
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: http://fedorahosted.org/sssd/
-Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
+Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta1.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
-Patch0001: 0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
-Patch0002: 0002-DP-Fix-bugs-in-sss_dp_get_account_int.patch
-
 ### Dependencies ###
 Conflicts: selinux-policy < 3.10.0-46
 Requires: libldb = %{ldb_version}
 Requires: libtdb >= 1.1.3
 Requires: sssd-client%{?_isa} = %{version}-%{release}
-Requires: cyrus-sasl-gssapi
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: libipa_hbac%{?_isa} = %{version}-%{release}
 Requires: krb5-libs >= 1.9
+Requires: keyutils-libs
 Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
 Requires(preun): systemd-units initscripts chkconfig
 Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
@@ -92,6 +91,7 @@ BuildRequires: keyutils-libs-devel
 BuildRequires: libnl-devel
 BuildRequires: nscd
 BuildRequires: gettext-devel
+BuildRequires: pkgconfig
 BuildRequires: libunistring-devel
 BuildRequires: findutils
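Review bot: `Release: 1%{?dist}.beta1` places the pre-release tag after `%{?dist}`, and rpm's release comparison treats a string with an extra trailing segment as newer when the common segments are equal (for example `1.fc17.beta1` sorts above `1.fc17`), so the eventual final 1.8.0-1 build would not upgrade over this beta; the conventional form is `Release: 0.1.beta1%{?dist}`. The literal `beta1` is also repeated by hand in `Source0`, `Release` and the changelog entry, so a single `%global prerelease beta1` near the top would keep them from drifting apart on the next bump. `Requires: keyutils-libs` is an unversioned manual library dependency that the automatic soname provides would normally cover; if it is deliberate, a short comment saying why would save the next maintainer from removing it.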
@@ -151,6 +151,22 @@ Requires: libipa_hbac = %{version}-%{release}
 The libipa_hbac-python contains the bindings so that libipa_hbac can be used by Python applications.
+%package -n libsss_sudo
+Summary: A library to allow communication between SUDO and SSSD
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n libsss_sudo
+A utility library to allow communication between SUDO and SSSD
+
+%package -n libsss_sudo-devel
+Summary: A library to allow communication between SUDO and SSSD
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libsss_sudo = %{version}-%{release}
+
+%description -n libsss_sudo-devel
+A utility library to allow communication between SUDO and SSSD
 %prep
 # Update timestamps on the files touched by a patch, to avoid non-equal
@@ -168,7 +184,7 @@ UpdateTimestamps() {
 done
 }
-%setup -q
+%setup -q -n %{name}-1.7.91
 for p in %patches ; do
 %__patch -p1 -i $p
@@ -187,7 +203,8 @@ autoreconf -ivf
 --enable-pammoddir=/%{_lib}/security \
 --disable-static \
 --disable-rpath \
- --with-test-dir=/dev/shm
+ --with-test-dir=/dev/shm \
+ --enable-all-experimental-features
 make %{?_smp_mflags} all docs
@@ -204,11 +221,9 @@ make install DESTDIR=$RPM_BUILD_ROOT
 # Prepare language files
 /usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
-# Copy SSSDConfig API files
+# Prepare empty config file
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd
 touch $RPM_BUILD_ROOT/%{_sysconfdir}/sssd/sssd.conf
-install -m400 src/config/etc/sssd.api.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.conf
-install -m400 src/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/
 # Copy default logrotate file
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
@@ -243,7 +258,7 @@ do
 case `basename $man` in
 sss_*)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
- ;;
+ ;;
 *)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
 ;;
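Review bot: `%setup -q -n %{name}-1.7.91` hard-codes an unpack directory that matches neither `Version` (1.8.0) nor the `Source0` file name (`%{name}-%{version}beta1`), so the next version bump will break `%setup` unless the reason is written down; a comment such as `# the 1.8.0beta1 tarball unpacks as sssd-1.7.91` directly above it, or a `%global` carrying that directory version, would make the coupling visible. `--enable-all-experimental-features` in the configure call turns on code paths the changelog itself labels experimental (SSH key retrieval, autofs and sudo caching) and the client subpackage then ships the resulting `sss_ssh_*` tools, which is a real change of exposure for a distribution build; a one-line comment stating that this is intended for the beta cycle would document the decision. The `# Prepare empty config file` rename in the `@@ -204,11` hunk is accurate, but nothing now explains where `sssd.api.conf` and `sssd.api.d` come from, so a note that `make install` now places them under `%{_datadir}/sssd` would help readers of the `%files` list.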
@@ -273,9 +288,8 @@ rm -rf $RPM_BUILD_ROOT
 %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
-%config %{_sysconfdir}/sssd/sssd.api.conf
-%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d
-%config %{_sysconfdir}/sssd/sssd.api.d/*
+%{_datadir}/sssd/sssd.api.conf
+%{_datadir}/sssd/sssd.api.d
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-ipa.5*
 %{_mandir}/man5/sssd-krb5.5*
@@ -285,16 +299,20 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/pysss.so
 %{python_sitelib}/*.py*
-%files client -f sssd_tools.lang
+%files client
 %defattr(-,root,root,-)
 %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
 /%{_lib}/libnss_sss.so.2
 /%{_lib}/security/pam_sss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
+%{_bindir}/sss_ssh_authorizedkeys
+%{_bindir}/sss_ssh_knownhostsproxy
+%{_mandir}/man1/sss_ssh_authorizedkeys.1*
+%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
-%files tools
+%files tools -f sssd_tools.lang
 %defattr(-,root,root,-)
 %doc COPYING
 %{_sbindir}/sss_useradd
@@ -334,6 +352,30 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %{python_sitearch}/pyhbac.so
+%package -n libsss_autofs
+Summary: A library to allow communication between Autofs and SSSD
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n libsss_autofs
+A utility library to allow communication between Autofs and SSSD
+
+%files -n libsss_sudo
+%defattr(-,root,root,-)
+%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libsss_sudo.so.*
+
+%files -n libsss_sudo-devel
+%doc libsss_sudo_doc/html
+%{_includedir}/sss_sudo.h
+%{_libdir}/libsss_sudo.so
+%{_libdir}/pkgconfig/libsss_sudo.pc
+
+%files -n libsss_autofs
+%defattr(-,root,root,-)
+%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/sssd/modules/libsss_autofs.so*
+
 %post
 /sbin/ldconfig
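Review bot: The new `libsss_sudo` subpackage in the `@@ -334,6` hunk installs a shared library as `%{_libdir}/libsss_sudo.so.*` but no ldconfig scriptlets are added for it, whereas the existing `libipa_hbac` subpackage has `%postun -n libipa_hbac -p /sbin/ldconfig` (visible in the following hunk); add `%post -n libsss_sudo -p /sbin/ldconfig` and `%postun -n libsss_sudo -p /sbin/ldconfig` beside it so the linker cache is refreshed on install and removal. `%files -n libsss_sudo-devel` is also the only new file list without `%defattr(-,root,root,-)`, unlike its siblings directly above and below it. In the `@@ -273,9` hunk the SSSDConfig API files move from `%{_sysconfdir}/sssd` (previously 0400 files inside a 0700 directory) to `%{_datadir}/sssd` with default permissions; if these are plain schema files with nothing sensitive that is fine, but the relaxation deserves a changelog line so the change is intentional on record. The `%package -n libsss_autofs` stanza is declared between `%files` sections rather than alongside the other `%package` declarations, which makes the subpackage layout harder to follow.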
@@ -380,6 +422,15 @@ fi
 %postun -n libipa_hbac -p /sbin/ldconfig
 %changelog
+* Mon Feb 06 2012 Stephen Gallagher - 1.8.0-1.beta1
+- New upstream release
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
+- Support for the service map in NSS
+- Support for setting default SELinux user context from FreeIPA
+- Support for retrieving SSH user and host keys from LDAP (Experimental)
+- Support for caching autofs LDAP requests (Experimental)
+- Support for caching SUDO rules (Experimental)
+
 * Wed Feb 01 2012 Stephen Gallagher - 1.7.0-5
 - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well