New upstream release 1.15.3
https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html
(cherry picked from commit 39ce513212)
parent
89124ab716
commit
b263f398aa
1
.gitignore
vendored
1
.gitignore
vendored
@ -76,3 +76,4 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-1.15.0.tar.gz
|
||||
/sssd-1.15.1.tar.gz
|
||||
/sssd-1.15.2.tar.gz
|
||||
/sssd-1.15.3.tar.gz
|
||||
|
@ -1,68 +0,0 @@
|
||||
From 408edbc9ef7b7467c153f2498d7034962222664c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 3 Apr 2017 12:56:01 +0200
|
||||
Subject: [PATCH 1/2] responders: do not leak selinux context on clients
|
||||
destruction
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The SELinux context created in get_client_cred is not talloc bound and
|
||||
we were leaking it if available with each client's destruction.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3360
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/responder/common/responder_common.c | 20 +++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
|
||||
index 76f43609651217e537ffa515aaf5b5caa98a2e90..b5b4a3284cf288f1bd328fee83877e9ba6cb61e4 100644
|
||||
--- a/src/responder/common/responder_common.c
|
||||
+++ b/src/responder/common/responder_common.c
|
||||
@@ -97,7 +97,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx)
|
||||
SEC_CTX secctx;
|
||||
int ret;
|
||||
|
||||
- cctx->creds = talloc(cctx, struct cli_creds);
|
||||
+ cctx->creds = talloc_zero(cctx, struct cli_creds);
|
||||
if (!cctx->creds) return ENOMEM;
|
||||
|
||||
#ifdef HAVE_UCRED
|
||||
@@ -464,6 +464,22 @@ static void client_fd_handler(struct tevent_context *ev,
|
||||
|
||||
static errno_t setup_client_idle_timer(struct cli_ctx *cctx);
|
||||
|
||||
+static int cli_ctx_destructor(struct cli_ctx *cctx)
|
||||
+{
|
||||
+ if (cctx->creds == NULL) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (cctx->creds->selinux_ctx == NULL) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ SELINUX_context_free(cctx->creds->selinux_ctx);
|
||||
+ cctx->creds->selinux_ctx = NULL;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
struct accept_fd_ctx {
|
||||
struct resp_ctx *rctx;
|
||||
bool is_private;
|
||||
@@ -520,6 +536,8 @@ static void accept_fd_handler(struct tevent_context *ev,
|
||||
return;
|
||||
}
|
||||
|
||||
+ talloc_set_destructor(cctx, cli_ctx_destructor);
|
||||
+
|
||||
len = sizeof(cctx->addr);
|
||||
cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
|
||||
if (cctx->cfd == -1) {
|
||||
--
|
||||
2.12.2
|
||||
|
@ -1,210 +0,0 @@
|
||||
From 3ebb0b03c35c5b733d7bdb53b434950711461bbb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 12:01:37 +0100
|
||||
Subject: [PATCH 2/2] selinux: Do not fail if SELinux is not managed
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Previously we failed if semanage_is_managed returned 0 or -1 (not
|
||||
managed or error). With this patch we only fail in case of error and
|
||||
continue normally if selinux is not managed by libsemanage at all.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3297
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/providers/ipa/selinux_child.c | 9 ++++--
|
||||
src/util/sss_semanage.c | 61 +++++++++++++++++++++++++--------------
|
||||
src/util/util_errors.c | 1 +
|
||||
src/util/util_errors.h | 1 +
|
||||
5 files changed, 49 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 45b04de2638a745a189c0b4e5794ccd29913b10d..fed51a9d09d867856cbf26bfcd99df3b89d4859d 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -3827,6 +3827,7 @@ selinux_child_SOURCES = \
|
||||
src/util/sss_semanage.c \
|
||||
src/util/atomic_io.c \
|
||||
src/util/util.c \
|
||||
+ src/util/util_errors.c \
|
||||
$(NULL)
|
||||
selinux_child_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
|
||||
index 380005c7ad3269fc8113c62ceef30b076455b5dd..f8dd3954a7244df2dcbb910aabf8888f41306c09 100644
|
||||
--- a/src/providers/ipa/selinux_child.c
|
||||
+++ b/src/providers/ipa/selinux_child.c
|
||||
@@ -174,14 +174,19 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
|
||||
|
||||
ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
- "get_seuser: ret: %d seuser: %s mls: %s\n",
|
||||
- ret, db_seuser ? db_seuser : "unknown",
|
||||
+ "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",
|
||||
+ ret, sss_strerror(ret),
|
||||
+ db_seuser ? db_seuser : "unknown",
|
||||
db_mls_range ? db_mls_range : "unknown");
|
||||
if (ret == EOK && db_seuser && db_mls_range &&
|
||||
strcmp(db_seuser, ibuf->seuser) == 0 &&
|
||||
strcmp(db_mls_range, ibuf->mls_range) == 0) {
|
||||
needs_update = false;
|
||||
}
|
||||
+ /* OR */
|
||||
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
|
||||
+ needs_update = false;
|
||||
+ }
|
||||
|
||||
talloc_free(db_seuser);
|
||||
talloc_free(db_mls_range);
|
||||
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
|
||||
index fe06bee1dfec3abca3aa3cd5e85e55386ac11343..0da97aad4d8eba733b131c2749932e03ca4242c4 100644
|
||||
--- a/src/util/sss_semanage.c
|
||||
+++ b/src/util/sss_semanage.c
|
||||
@@ -73,7 +73,7 @@ static void sss_semanage_close(semanage_handle_t *handle)
|
||||
semanage_handle_destroy(handle);
|
||||
}
|
||||
|
||||
-static semanage_handle_t *sss_semanage_init(void)
|
||||
+static int sss_semanage_init(semanage_handle_t **_handle)
|
||||
{
|
||||
int ret;
|
||||
semanage_handle_t *handle = NULL;
|
||||
@@ -81,7 +81,8 @@ static semanage_handle_t *sss_semanage_init(void)
|
||||
handle = semanage_handle_create();
|
||||
if (!handle) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
|
||||
- return NULL;
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
semanage_msg_set_callback(handle,
|
||||
@@ -89,28 +90,41 @@ static semanage_handle_t *sss_semanage_init(void)
|
||||
NULL);
|
||||
|
||||
ret = semanage_is_managed(handle);
|
||||
- if (ret != 1) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");
|
||||
- goto fail;
|
||||
+ if (ret == 0) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n");
|
||||
+ ret = ERR_SELINUX_NOT_MANAGED;
|
||||
+ goto done;
|
||||
+ } else if (ret == -1) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Call to semanage_is_managed failed\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
ret = semanage_access_check(handle);
|
||||
if (ret < SEMANAGE_CAN_READ) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
|
||||
- goto fail;
|
||||
+ ret = EACCES;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
ret = semanage_connect(handle);
|
||||
if (ret != 0) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Cannot estabilish SELinux management connection\n");
|
||||
- goto fail;
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
- return handle;
|
||||
-fail:
|
||||
- sss_semanage_close(handle);
|
||||
- return NULL;
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ if (ret != EOK) {
|
||||
+ sss_semanage_close(handle);
|
||||
+ } else {
|
||||
+ *_handle = handle;
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
static int sss_semanage_user_add(semanage_handle_t *handle,
|
||||
@@ -228,10 +242,11 @@ int set_seuser(const char *login_name, const char *seuser_name,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
- handle = sss_semanage_init();
|
||||
- if (!handle) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
|
||||
- ret = EIO;
|
||||
+ ret = sss_semanage_init(&handle);
|
||||
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
|
||||
+ goto done;
|
||||
+ } else if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -295,10 +310,11 @@ int del_seuser(const char *login_name)
|
||||
int ret;
|
||||
int exists = 0;
|
||||
|
||||
- handle = sss_semanage_init();
|
||||
- if (!handle) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
|
||||
- ret = EIO;
|
||||
+ ret = sss_semanage_init(&handle);
|
||||
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
|
||||
+ goto done;
|
||||
+ } else if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -377,10 +393,11 @@ int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
|
||||
semanage_seuser_t *sm_user = NULL;
|
||||
semanage_seuser_key_t *sm_key = NULL;
|
||||
|
||||
- sm_handle = sss_semanage_init();
|
||||
- if (sm_handle == NULL) {
|
||||
+ ret = sss_semanage_init(&sm_handle);
|
||||
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
|
||||
+ goto done;
|
||||
+ } else if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
|
||||
- ret = EIO;
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
|
||||
index 17388c997db5315c2491af1021e75aff07632488..97a7853827bb3a4a9c49f0306ca52be0f9aa8389 100644
|
||||
--- a/src/util/util_errors.c
|
||||
+++ b/src/util/util_errors.c
|
||||
@@ -74,6 +74,7 @@ struct err_string error_to_str[] = {
|
||||
{ "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
|
||||
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
|
||||
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
|
||||
+ { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
|
||||
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
|
||||
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
|
||||
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
|
||||
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
|
||||
index 7aacad26084a3a2af6333988f07db865f6a4d299..8d0d99b4cc86812d9c67d9319a23055c1c8fa4dc 100644
|
||||
--- a/src/util/util_errors.h
|
||||
+++ b/src/util/util_errors.h
|
||||
@@ -96,6 +96,7 @@ enum sssd_errors {
|
||||
ERR_NO_SYSBUS,
|
||||
ERR_REFERRAL,
|
||||
ERR_SELINUX_CONTEXT,
|
||||
+ ERR_SELINUX_NOT_MANAGED,
|
||||
ERR_REGEX_NOMATCH,
|
||||
ERR_TIMESPEC_NOT_SUPPORTED,
|
||||
ERR_INVALID_CONFIG,
|
||||
--
|
||||
2.12.2
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 16 Mar 2017 20:43:08 +0100
|
||||
Subject: [PATCH] krb5: return to responder that pkinit is not available
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If pkinit is not available for a user but other authentication methods
|
||||
are SSSD should still fall back to local certificate based
|
||||
authentication if Smartcard credentials are provided.
|
||||
|
||||
Resolves https://pagure.io/SSSD/sssd/issue/3343
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/providers/krb5/krb5_child.c | 17 +++++++++++++----
|
||||
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -42,6 +42,10 @@
|
||||
|
||||
#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
|
||||
|
||||
+#define IS_SC_AUTHTOK(tok) ( \
|
||||
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
|
||||
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
|
||||
+
|
||||
enum k5c_fast_opt {
|
||||
K5C_FAST_NEVER,
|
||||
K5C_FAST_TRY,
|
||||
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
||||
* pre-auth module is missing or no Smartcard is inserted and only
|
||||
* pkinit is available KRB5_PREAUTH_FAILED is returned.
|
||||
* ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
|
||||
- * frontend that local authentication might be tried. */
|
||||
+ * frontend that local authentication might be tried.
|
||||
+ * Same is true if Smartcard credentials are given but only other
|
||||
+ * authentication methods are available. */
|
||||
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& kerr == KRB5_PREAUTH_FAILED
|
||||
- && kr->password_prompting == false
|
||||
- && kr->otp == false
|
||||
- && kr->pkinit_prompting == false) {
|
||||
+ && kr->pkinit_prompting == false
|
||||
+ && (( kr->password_prompting == false
|
||||
+ && kr->otp == false)
|
||||
+ || ((kr->otp == true
|
||||
+ || kr->password_prompting == true)
|
||||
+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
|
||||
return ERR_NO_AUTH_METHOD_AVAILABLE;
|
||||
}
|
||||
return kerr;
|
||||
--
|
||||
2.12.2
|
||||
|
@ -1,51 +0,0 @@
|
||||
From 08084b1179bb9fc38bc22b464b3d44907107bfd3 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Tue, 25 Apr 2017 12:39:32 +0000
|
||||
Subject: [PATCH 4/6] ssh tools: The ai structure is not an array,
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This structure is actually a linked list, so do not mislead readers by
|
||||
treating it as an array.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/1498
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
index adb82288d435cefccf7e23e6ed2b2c551798a7f8..310243c2fc8091f711559d4afb412e619af687ad 100644
|
||||
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
@@ -268,10 +268,10 @@ int main(int argc, const char **argv)
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret));
|
||||
} else {
|
||||
- host = ai[0].ai_canonname;
|
||||
+ host = ai->ai_canonname;
|
||||
}
|
||||
} else {
|
||||
- ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen,
|
||||
+ ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
|
||||
canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD);
|
||||
if (ret) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
@@ -295,7 +295,7 @@ int main(int argc, const char **argv)
|
||||
if (pc_args) {
|
||||
ret = connect_proxy_command(discard_const(pc_args));
|
||||
} else if (ai) {
|
||||
- ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen);
|
||||
+ ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
|
||||
} else {
|
||||
ret = EFAULT;
|
||||
}
|
||||
--
|
||||
2.12.2
|
||||
|
@ -1,46 +0,0 @@
|
||||
From 5f6232c7e6d9635c1d6b6b09f799309b6094b143 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Tue, 25 Apr 2017 14:00:15 +0000
|
||||
Subject: [PATCH 5/6] ssh tools: Fix issues with multiple IP addresses
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Cycle through all resolved address until one succeed or all fail.
|
||||
This is needed for dual stack systems where either IPv4 or IPv6 are
|
||||
improperly configured or selectively filtered at some point along the
|
||||
route.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/1498
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
index 310243c2fc8091f711559d4afb412e619af687ad..b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29 100644
|
||||
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
@@ -295,7 +295,13 @@ int main(int argc, const char **argv)
|
||||
if (pc_args) {
|
||||
ret = connect_proxy_command(discard_const(pc_args));
|
||||
} else if (ai) {
|
||||
- ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
|
||||
+ /* Try all IP addresses before giving up */
|
||||
+ for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
|
||||
+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
|
||||
+ if (ret == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
} else {
|
||||
ret = EFAULT;
|
||||
}
|
||||
--
|
||||
2.12.2
|
||||
|
@ -1,95 +0,0 @@
|
||||
From 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Tue, 25 Apr 2017 19:19:13 +0000
|
||||
Subject: [PATCH 6/6] ssh tools: Split connect and communication phases
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
We can fallback after a connect error, but we cannot easily fall back
|
||||
once we start sending data as we may have consumed part of the buffer so
|
||||
reconnecting and sending what's left would not make sense.
|
||||
|
||||
Therefore we now fallback on connect errors, but we issue a hard fail if
|
||||
error happens after communication has been established.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/1498
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 30 ++++++++++++++++++++--------
|
||||
1 file changed, 22 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
index b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29..976ba86b321923cecad0703214e22b0a773ef585 100644
|
||||
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
|
||||
@@ -40,14 +40,10 @@
|
||||
|
||||
/* connect to server using socket */
|
||||
static int
|
||||
-connect_socket(int family, struct sockaddr *addr, size_t addr_len)
|
||||
+connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd)
|
||||
{
|
||||
int flags;
|
||||
int sock = -1;
|
||||
- struct pollfd fds[2];
|
||||
- char buffer[BUFFER_SIZE];
|
||||
- int i;
|
||||
- ssize_t res;
|
||||
int ret;
|
||||
|
||||
/* set O_NONBLOCK on standard input */
|
||||
@@ -85,6 +81,22 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ *sd = sock;
|
||||
+
|
||||
+done:
|
||||
+ if (ret != 0 && sock >= 0) close(sock);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int proxy_data(int sock)
|
||||
+{
|
||||
+ int flags;
|
||||
+ struct pollfd fds[2];
|
||||
+ char buffer[BUFFER_SIZE];
|
||||
+ int i;
|
||||
+ ssize_t res;
|
||||
+ int ret;
|
||||
+
|
||||
/* set O_NONBLOCK on the socket */
|
||||
flags = fcntl(sock, F_GETFL);
|
||||
if (flags == -1) {
|
||||
@@ -158,8 +170,7 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
|
||||
}
|
||||
|
||||
done:
|
||||
- if (sock >= 0) close(sock);
|
||||
-
|
||||
+ close(sock);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -297,8 +308,11 @@ int main(int argc, const char **argv)
|
||||
} else if (ai) {
|
||||
/* Try all IP addresses before giving up */
|
||||
for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
|
||||
- ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
|
||||
+ int socket_descriptor = -1;
|
||||
+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen,
|
||||
+ &socket_descriptor);
|
||||
if (ret == 0) {
|
||||
+ ret = proxy_data(socket_descriptor);
|
||||
break;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.12.2
|
||||
|
@ -1,174 +0,0 @@
|
||||
From c92e49144978ad3b6c9fffa8803ebdad8f6f5b18 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Sun, 9 Apr 2017 20:50:47 +0200
|
||||
Subject: [PATCH] HBAC: Do not rely on originalMemberOf, use the sysdb memberof
|
||||
links instead
|
||||
|
||||
The IPA HBAC code used to read the group members from the
|
||||
originalMemberOf attribute value for performance reasons. However,
|
||||
especially on IPA clients trusting an AD domain, the originalMemberOf
|
||||
attribute value is often not synchronized correctly.
|
||||
|
||||
Instead of going through the work of maintaining both member/memberOf
|
||||
and originalMemberOf, let's just do an ASQ search for the group names of
|
||||
the groups the user is a member of in the cache and read their
|
||||
SYSBD_NAME attribute.
|
||||
|
||||
To avoid clashing between similarly-named groups in IPA and in AD, we
|
||||
look at the container of the group.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3382
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_hbac_common.c | 97 +++++++++++++++++++++++++------------
|
||||
1 file changed, 67 insertions(+), 30 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
|
||||
index b99b75d32..ba677965a 100644
|
||||
--- a/src/providers/ipa/ipa_hbac_common.c
|
||||
+++ b/src/providers/ipa/ipa_hbac_common.c
|
||||
@@ -507,15 +507,15 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
|
||||
struct hbac_request_element **user_element)
|
||||
{
|
||||
errno_t ret;
|
||||
- unsigned int i;
|
||||
unsigned int num_groups = 0;
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
- const char *member_dn;
|
||||
struct hbac_request_element *users;
|
||||
- struct ldb_message *msg;
|
||||
- struct ldb_message_element *el;
|
||||
- const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
|
||||
char *shortname;
|
||||
+ const char *fqgroupname = NULL;
|
||||
+ struct sss_domain_info *ipa_domain;
|
||||
+ struct ldb_dn *ipa_groups_basedn;
|
||||
+ struct ldb_result *res;
|
||||
+ int exp_comp;
|
||||
|
||||
tmp_ctx = talloc_new(mem_ctx);
|
||||
if (tmp_ctx == NULL) return ENOMEM;
|
||||
@@ -533,56 +533,93 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
users->name = talloc_steal(users, shortname);
|
||||
|
||||
- /* Read the originalMemberOf attribute
|
||||
- * This will give us the list of both POSIX and
|
||||
- * non-POSIX groups that this user belongs to.
|
||||
+ ipa_domain = get_domains_head(domain);
|
||||
+ if (ipa_domain == NULL) {
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ipa_groups_basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(domain->sysdb),
|
||||
+ SYSDB_TMPL_GROUP_BASE, ipa_domain->name);
|
||||
+ if (ipa_groups_basedn == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* +1 because there will be a RDN preceding the base DN */
|
||||
+ exp_comp = ldb_dn_get_comp_num(ipa_groups_basedn) + 1;
|
||||
+
|
||||
+ /*
|
||||
+ * Get all the groups the user is a member of.
|
||||
+ * This includes both POSIX and non-POSIX groups.
|
||||
*/
|
||||
- ret = sysdb_search_user_by_name(tmp_ctx, domain, username,
|
||||
- attrs, &msg);
|
||||
+ ret = sysdb_initgroups(tmp_ctx, domain, username, &res);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Could not determine user memberships for [%s]\n",
|
||||
- users->name);
|
||||
+ "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
|
||||
- el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
|
||||
- if (el == NULL || el->num_values == 0) {
|
||||
+ if (res->count == 0) {
|
||||
+ /* This should not happen at this point */
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "User [%s] not found in cache.\n", username);
|
||||
+ ret = ENOENT;
|
||||
+ goto done;
|
||||
+ } else if (res->count == 1) {
|
||||
+ /* The first item is the user entry */
|
||||
DEBUG(SSSDBG_TRACE_LIBS, "No groups for [%s]\n", users->name);
|
||||
ret = create_empty_grouplist(users);
|
||||
goto done;
|
||||
}
|
||||
DEBUG(SSSDBG_TRACE_LIBS,
|
||||
- "[%d] groups for [%s]\n", el->num_values, users->name);
|
||||
+ "[%u] groups for [%s]\n", res->count - 1, username);
|
||||
|
||||
- users->groups = talloc_array(users, const char *, el->num_values + 1);
|
||||
+ /* This also includes the sentinel, b/c we'll skip the user entry below */
|
||||
+ users->groups = talloc_array(users, const char *, res->count);
|
||||
if (users->groups == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
|
||||
- for (i = 0; i < el->num_values; i++) {
|
||||
- member_dn = (const char *)el->values[i].data;
|
||||
+ /* Start counting from 1 to exclude the user entry */
|
||||
+ for (size_t i = 1; i < res->count; i++) {
|
||||
+ /* Only groups from the IPA domain can be referenced from HBAC rules. To
|
||||
+ * avoid evaluating groups which might even have the same name, but come
|
||||
+ * from a trusted domain, we first copy the DN to a temporary one..
|
||||
+ */
|
||||
+ if (ldb_dn_get_comp_num(res->msgs[i]->dn) != exp_comp
|
||||
+ || ldb_dn_compare_base(ipa_groups_basedn,
|
||||
+ res->msgs[i]->dn) != 0) {
|
||||
+ DEBUG(SSSDBG_FUNC_DATA,
|
||||
+ "Skipping non-IPA group %s\n",
|
||||
+ ldb_dn_get_linearized(res->msgs[i]->dn));
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
- ret = get_ipa_groupname(users->groups, domain->sysdb, member_dn,
|
||||
- &users->groups[num_groups]);
|
||||
- if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
|
||||
+ fqgroupname = ldb_msg_find_attr_as_string(res->msgs[i], SYSDB_NAME, NULL);
|
||||
+ if (fqgroupname == NULL) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
- "Skipping malformed entry [%s]\n", member_dn);
|
||||
+ "Skipping malformed entry [%s]\n",
|
||||
+ ldb_dn_get_linearized(res->msgs[i]->dn));
|
||||
continue;
|
||||
- } else if (ret == EOK) {
|
||||
- DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
|
||||
- users->groups[num_groups], users->name);
|
||||
- num_groups++;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_parse_internal_fqname(tmp_ctx, fqgroupname,
|
||||
+ &shortname, NULL);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "Malformed name %s, skipping!\n", fqgroupname);
|
||||
continue;
|
||||
}
|
||||
- /* Skip entries that are not groups */
|
||||
- DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
- "Skipping non-group memberOf [%s]\n", member_dn);
|
||||
+
|
||||
+ users->groups[num_groups] = talloc_steal(users->groups, shortname);
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
|
||||
+ users->groups[num_groups], users->name);
|
||||
+ num_groups++;
|
||||
}
|
||||
users->groups[num_groups] = NULL;
|
||||
|
||||
- if (num_groups < el->num_values) {
|
||||
+ if (num_groups < (res->count - 1)) {
|
||||
/* Shrink the array memory */
|
||||
users->groups = talloc_realloc(users, users->groups, const char *,
|
||||
num_groups+1);
|
||||
--
|
||||
2.13.0
|
||||
|
@ -1,28 +0,0 @@
|
||||
From 5ecc5585fbe2cf8b3f1efb7fe3473dbcb67ff160 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 27 Jun 2017 15:12:27 +0200
|
||||
Subject: [PATCH] BUILD: Disable tests with expired certificates
|
||||
|
||||
---
|
||||
Makefile.am | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 5635a8c8fd681c4a17d003487e9ea440ab431407..c230d5e69320206778637ee3d30bedf9fe2e000a 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -273,11 +273,9 @@ if HAVE_CMOCKA
|
||||
responder_cache_req-tests \
|
||||
test_sbus_opath \
|
||||
test_fo_srv \
|
||||
- pam-srv-tests \
|
||||
test_ipa_subdom_util \
|
||||
test_tools_colondb \
|
||||
test_krb5_wait_queue \
|
||||
- test_cert_utils \
|
||||
test_ldap_id_cleanup \
|
||||
test_data_provider_be \
|
||||
test_dp_request_table \
|
||||
--
|
||||
2.13.0
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (sssd-1.15.2.tar.gz) = e0ed648155641261e53cff338aaa1bad72bd8051170b6f42e9c9427d46d747902a828cbbab680e16e5c248b901f01303678540ec9621f33bb8dcf60d7a4d1921
|
||||
SHA512 (sssd-1.15.3.tar.gz) = 92478205ee1b1cebc3d35b733576180db51cee8cc84d0c2cb78386924ffa90ae355b6ad9b7b51e5e5f5a7a4588764d1c7afb0673c035b1fe9b1a283beb79a428
|
||||
|
117
sssd.spec
117
sssd.spec
@ -21,6 +21,10 @@
|
||||
%global enable_systemtap 1
|
||||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
%global with_secrets 1
|
||||
|
||||
%global with_kcm 1
|
||||
|
||||
%global libwbc_alternatives_version 0.13
|
||||
%global libwbc_lib_version %{libwbc_alternatives_version}.0
|
||||
%global libwbc_alternatives_suffix %nil
|
||||
@ -29,8 +33,8 @@
|
||||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 1.15.2
|
||||
Release: 6%{?dist}
|
||||
Version: 1.15.3
|
||||
Release: 1%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -39,18 +43,8 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-responders-do-not-leak-selinux-context-on-clients-de.patch
|
||||
Patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
|
||||
Patch0003: 0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
|
||||
Patch0004: 0004-ssh-tools-The-ai-structure-is-not-an-array.patch
|
||||
Patch0005: 0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
|
||||
Patch0006: 0006-ssh-tools-Split-connect-and-communication-phases.patch
|
||||
Patch0007: 0007-HBAC-Do-not-rely-on-originalMemberOf-use-the-sysdb-m.patch
|
||||
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
# Simpler is to disable unit tests then patching binary files
|
||||
# Remove me with 1.15.3
|
||||
Patch0510: 0510-BUILD-Disable-tests-with-expired-certificates.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
@ -126,7 +120,9 @@ BuildRequires: samba4-devel
|
||||
BuildRequires: libsmbclient-devel
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: http-parser-devel
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: libcurl-devel
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
@ -145,6 +141,9 @@ License: GPLv3+
|
||||
# Conflicts
|
||||
Conflicts: selinux-policy < 3.10.0-46
|
||||
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
|
||||
# due to ABI changes in rawhide(1.1.30/1.2.0)
|
||||
# f26 <= will never have libldb 1.2.0 due to samba-4.6.x
|
||||
Conflicts: libldb >= 1.1.30
|
||||
# Requires
|
||||
Requires: sssd-client%{?_isa} = %{version}-%{release}
|
||||
Recommends: libsss_sudo = %{version}-%{release}
|
||||
@ -551,6 +550,36 @@ The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
|
||||
UIDs/GIDs to names and vice versa. It can be also used for mapping principal
|
||||
(user) name to IDs(UID or GID) or to obtain groups which user are member of.
|
||||
|
||||
%package -n libsss_certmap
|
||||
Summary: SSSD Certficate Mapping Library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
Conflicts: sssd-common < %{version}-%{release}
|
||||
|
||||
%description -n libsss_certmap
|
||||
Library to map certificates to users based on rules
|
||||
|
||||
%package -n libsss_certmap-devel
|
||||
Summary: SSSD Certficate Mapping Library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
|
||||
%description -n libsss_certmap-devel
|
||||
Library to map certificates to users based on rules
|
||||
|
||||
%package kcm
|
||||
Summary: An implementation of a Kerberos KCM server
|
||||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
%description kcm
|
||||
An implementation of a Kerberos KCM server. Use this package if you want to
|
||||
use the KCM: Kerberos credentials cache.
|
||||
|
||||
%prep
|
||||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||||
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
||||
@ -611,8 +640,7 @@ sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
|
||||
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
|
||||
if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version}
|
||||
]
|
||||
if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ]
|
||||
then
|
||||
echo "Expected libwbclient version not found, please check if version has changed."
|
||||
exit -1
|
||||
@ -654,10 +682,11 @@ do
|
||||
done
|
||||
|
||||
touch sssd.lang
|
||||
for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
|
||||
winbind_idmap
|
||||
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
|
||||
sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
|
||||
libsss_certmap sssd_kcm
|
||||
do
|
||||
touch sssd_$subpackage.lang
|
||||
touch $subpackage.lang
|
||||
done
|
||||
|
||||
for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
|
||||
@ -703,9 +732,15 @@ do
|
||||
sssd-ifp*)
|
||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
|
||||
;;
|
||||
sssd-kcm*)
|
||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
|
||||
;;
|
||||
idmap_sss*)
|
||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
|
||||
;;
|
||||
sss-certmap*)
|
||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
|
||||
;;
|
||||
*)
|
||||
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
|
||||
;;
|
||||
@ -722,11 +757,12 @@ cat python2_sssdconfig.lang
|
||||
echo "python3_sssdconfig.lang:"
|
||||
cat python3_sssdconfig.lang
|
||||
|
||||
for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
|
||||
winbind_idmap
|
||||
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
|
||||
sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
|
||||
libsss_certmap sssd_kcm
|
||||
do
|
||||
echo "sssd_$subpackage.lang:"
|
||||
cat sssd_$subpackage.lang
|
||||
echo "$subpackage.lang:"
|
||||
cat $subpackage.lang
|
||||
done
|
||||
|
||||
%files
|
||||
@ -1062,6 +1098,27 @@ done
|
||||
%{_mandir}/man5/sss_rpcidmapd.5*
|
||||
%{_libdir}/libnfsidmap/sss.so
|
||||
|
||||
%files -n libsss_certmap -f libsss_certmap.lang
|
||||
%defattr(-,root,root,-)
|
||||
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
%{_libdir}/libsss_certmap.so.*
|
||||
%{_mandir}/man5/sss-certmap.5*
|
||||
|
||||
%files -n libsss_certmap-devel
|
||||
%defattr(-,root,root,-)
|
||||
%doc certmap_doc/html
|
||||
%{_includedir}/sss_certmap.h
|
||||
%{_libdir}/libsss_certmap.so
|
||||
%{_libdir}/pkgconfig/sss_certmap.pc
|
||||
|
||||
%files kcm -f sssd_kcm.lang
|
||||
%{_libexecdir}/%{servicename}/sssd_kcm
|
||||
%dir %{_datadir}/sssd-kcm
|
||||
%{_datadir}/sssd-kcm/kcm_default_ccache
|
||||
%{_unitdir}/sssd-kcm.socket
|
||||
%{_unitdir}/sssd-kcm.service
|
||||
%{_mandir}/man8/sssd-kcm.8*
|
||||
|
||||
%post common
|
||||
%systemd_post sssd.service
|
||||
%systemd_post sssd-autofs.socket
|
||||
@ -1110,6 +1167,16 @@ done
|
||||
%postun dbus
|
||||
%systemd_postun_with_restart sssd-ifp.service
|
||||
|
||||
%post kcm
|
||||
%systemd_post sssd-kcm.socket
|
||||
|
||||
%preun kcm
|
||||
%systemd_preun sssd-kcm.socket
|
||||
|
||||
%postun kcm
|
||||
%systemd_postun_with_restart sssd-kcm.socket
|
||||
%systemd_postun_with_restart sssd-kcm.service
|
||||
|
||||
%if (0%{?with_cifs_utils_plugin} == 1)
|
||||
%post client
|
||||
/sbin/ldconfig
|
||||
@ -1145,6 +1212,10 @@ fi
|
||||
|
||||
%postun -n libsss_simpleifp -p /sbin/ldconfig
|
||||
|
||||
%post -n libsss_certmap -p /sbin/ldconfig
|
||||
|
||||
%postun -n libsss_certmap -p /sbin/ldconfig
|
||||
|
||||
%posttrans common
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
@ -1172,6 +1243,10 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Tue Jul 25 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-1
|
||||
- New upstream release 1.15.3
|
||||
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html
|
||||
|
||||
* Tue Jun 27 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.2-6
|
||||
Fix build issues: Disable unit tests with expided certificates
|
||||
|
||||
|