BuildRequire python3-setuptools with Python 3.12+

distutils was removed from the Python standard library, but setuptools can be used instead. See https://peps.python.org/pep-0632/
Rebuild against libunistring 1.1
2023-03-31 21:06:41 +02:00 · 2023-01-26 10:24:04 -05:00 · 2023-01-21 04:01:21 +00:00 · 2023-01-20 17:30:14 +01:00 · 2022-12-09 14:12:55 +01:00 · 2022-11-04 12:27:37 +01:00
13 changed files with 676 additions and 1406 deletions
--- a/.gitignore
+++ b/.gitignore
@ -80,4 +80,28 @@ sssd-1.2.91.tar.gz
 /sssd-1.16.0.tar.gz
 /sssd-1.16.1.tar.gz
 /sssd-1.16.2.tar.gz
-/sssd-1.16.3.tar.gz
+/sssd-2.0.0.tar.gz
+/sssd-2.1.0.tar.gz
+/sssd-2.2.0.tar.gz
+/sssd-2.2.1.tar.gz
+/sssd-2.2.2.tar.gz
+/sssd-2.2.3.tar.gz
+/sssd-2.3.0.tar.gz
+/sssd-2.3.1.tar.gz
+/sssd-2.4.0.tar.gz
+/sssd-2.4.1.tar.gz
+/sssd-2.4.2.tar.gz
+/sssd-2.5.0.tar.gz
+/sssd-2.5.1.tar.gz
+/sssd-2.5.2.tar.gz
+/sssd-2.6.0.tar.gz
+/sssd-2.6.1.tar.gz
+/sssd-2.6.2.tar.gz
+/sssd-2.6.3.tar.gz
+/sssd-2.7.0.tar.gz
+/sssd-2.7.1.tar.gz
+/sssd-2.7.3.tar.gz
+/sssd-2.7.4.tar.gz
+/sssd-2.8.0.tar.gz
+/sssd-2.8.1.tar.gz
+/sssd-2.8.2.tar.gz
--- a/0001-man-sss_ssh_knownhostsproxy-fix-typo-pubkeys-pubkey.patch
+++ b/0001-man-sss_ssh_knownhostsproxy-fix-typo-pubkeys-pubkey.patch
@ -1,37 +0,0 @@
-From 62839f9187dde5b46e198f0cb61204a0613d826d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Sun, 12 Aug 2018 23:56:21 +0200
-Subject: [PATCH 1/7] man/sss_ssh_knownhostsproxy: fix typo pubkeys -> pubkey
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In commit 36f2fe8f63 a discrepancy between the command line option and
-the manpage has been introduced.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3542
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 2b3b41dad27fcb03478c211ec82d9c2fd9dadcb4)
---
- src/man/sss_ssh_knownhostsproxy.1.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/man/sss_ssh_knownhostsproxy.1.xml b/src/man/sss_ssh_knownhostsproxy.1.xml
-index f84732c..58aeb04 100644
--- a/src/man/sss_ssh_knownhostsproxy.1.xml
-+++ b/src/man/sss_ssh_knownhostsproxy.1.xml
-@@ -86,7 +86,7 @@ GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
-             </varlistentry>
-             <varlistentry>
-                 <term>
-                    <option>-k</option>,<option>--pubkeys</option>
-+                    <option>-k</option>,<option>--pubkey</option>
-                 </term>
-                 <listitem>
-                     <para>
-- 
-2.9.5
-
--- a/0002-krb5_locator-Make-debug-function-internal.patch
+++ b/0002-krb5_locator-Make-debug-function-internal.patch
@ -1,29 +0,0 @@
-From de33a5c07eb8c9f821e684a49c4ee993c25776b9 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Thu, 19 Jul 2018 09:38:22 +0200
-Subject: [PATCH 2/7] krb5_locator: Make debug function internal
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3786
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 86de91f93f51d41d71c504b871c65fea31dd5485)
---
- src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-index 952d487..7800ab0 100644
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
-+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-@@ -82,7 +82,7 @@ struct sssd_ctx {
-     bool disabled;
- };
- 
-void plugin_debug_fn(const char *format, ...)
-+static void plugin_debug_fn(const char *format, ...)
- {
-     va_list ap;
-     char *s = NULL;
-- 
-2.9.5
-
--- a/0003-krb5_locator-Simplify-usage-of-macro-PLUGIN_DEBUG.patch
+++ b/0003-krb5_locator-Simplify-usage-of-macro-PLUGIN_DEBUG.patch
@ -1,275 +0,0 @@
-From 0f44cbdfcbf35278c984a12b22a1c01f38a2c5ab Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Thu, 19 Jul 2018 09:44:33 +0200
-Subject: [PATCH 3/7] krb5_locator: Simplify usage of macro PLUGIN_DEBUG
-
-It should look like real function call
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3786
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 276f2e345548947b66f7bd3b984628eaf6f4cbd4)
---
- src/krb5_plugin/sssd_krb5_locator_plugin.c | 88 +++++++++++++++---------------
- 1 file changed, 44 insertions(+), 44 deletions(-)
-
-diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-index 7800ab0..61fee6b 100644
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
-+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-@@ -63,9 +63,9 @@
- #define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG"
- #define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE"
- #define DEBUG_KEY "[sssd_krb5_locator] "
-#define PLUGIN_DEBUG(body) do { \
-+#define PLUGIN_DEBUG(format, ...) do { \
-     if (ctx->debug) { \
-        plugin_debug_fn body; \
-+        plugin_debug_fn(format, ##__VA_ARGS__); \
-     } \
- } while(0)
- 
-@@ -236,26 +236,26 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
-                 port = strtol(port_str, &endptr, 10);
-                 if (errno != 0) {
-                     ret = errno;
-                    PLUGIN_DEBUG(("strtol failed on [%s]: [%d][%s], "
-                                "assuming default.\n", port_str, ret,
-                                                       strerror(ret)));
-+                    PLUGIN_DEBUG("strtol failed on [%s]: [%d][%s], "
-+                                 "assuming default.\n",
-+                                 port_str, ret, strerror(ret));
-                     port = 0;
-                 }
-                 if (*endptr != '\0') {
-                    PLUGIN_DEBUG(("Found additional characters [%s] in port "
-                                "number [%s], assuming default.\n", endptr,
-                                                                    port_str));
-+                    PLUGIN_DEBUG("Found additional characters [%s] in port "
-+                                 "number [%s], assuming default.\n",
-+                                 endptr, port_str);
-                     port = 0;
-                 }
- 
-                 if (port < 0 || port > 65535) {
-                    PLUGIN_DEBUG(("Illegal port number [%ld], assuming "
-                                  "default.\n", port));
-+                    PLUGIN_DEBUG("Illegal port number [%ld], assuming "
-+                                 "default.\n", port);
-                     port = 0;
-                 }
-             } else {
-                PLUGIN_DEBUG(("Illegal port number [%s], assuming default.\n",
-                            port_str));
-+                PLUGIN_DEBUG("Illegal port number [%s], assuming default.\n",
-+                             port_str);
-                 port = 0;
-             }
-         }
-@@ -270,7 +270,7 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
-             addr_str++;
-         }
- 
-        PLUGIN_DEBUG(("Found [%s][%d].\n", addr_str, port));
-+        PLUGIN_DEBUG("Found [%s][%d].\n", addr_str, port);
- 
-         l[c].addr = strdup(addr_str);
-         if (l[c].addr == NULL) {
-@@ -314,7 +314,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
-             name_tmpl = KPASSWDINFO_TMPL;
-             break;
-         default:
-            PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
-+            PLUGIN_DEBUG("Unsupported service [%d].\n", svc);
-             return EINVAL;
-     }
- 
-@@ -323,13 +323,13 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
- 
-     krb5info_name = calloc(1, len + 1);
-     if (krb5info_name == NULL) {
-        PLUGIN_DEBUG(("malloc failed.\n"));
-+        PLUGIN_DEBUG("malloc failed.\n");
-         return ENOMEM;
-     }
- 
-     ret = snprintf(krb5info_name, len, name_tmpl, realm);
-     if (ret < 0) {
-        PLUGIN_DEBUG(("snprintf failed.\n"));
-+        PLUGIN_DEBUG("snprintf failed.\n");
-         ret = EINVAL;
-         goto done;
-     }
-@@ -337,8 +337,8 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
- 
-     fd = open(krb5info_name, O_RDONLY);
-     if (fd == -1) {
-        PLUGIN_DEBUG(("open failed [%s][%d][%s].\n",
-                      krb5info_name, errno, strerror(errno)));
-+        PLUGIN_DEBUG("open failed [%s][%d][%s].\n",
-+                     krb5info_name, errno, strerror(errno));
-         ret = errno;
-         goto done;
-     }
-@@ -349,15 +349,15 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
-     len = sss_atomic_read_s(fd, buf, BUFSIZE);
-     if (len == -1) {
-         ret = errno;
-        PLUGIN_DEBUG(("read failed [%d][%s].\n", ret, strerror(ret)));
-+        PLUGIN_DEBUG("read failed [%d][%s].\n", ret, strerror(ret));
-         close(fd);
-         goto done;
-     }
-     close(fd);
- 
-     if (len == BUFSIZE) {
-        PLUGIN_DEBUG(("Content of krb5info file [%s] is [%d] or larger.\n",
-                      krb5info_name, BUFSIZE));
-+        PLUGIN_DEBUG("Content of krb5info file [%s] is [%d] or larger.\n",
-+                     krb5info_name, BUFSIZE);
-     }
- 
-     switch (svc) {
-@@ -376,7 +376,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
-             }
-             break;
-         default:
-            PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
-+            PLUGIN_DEBUG("Unsupported service [%d].\n", svc);
-             ret = EINVAL;
-             goto done;
-     }
-@@ -401,7 +401,7 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
-         ctx->debug = false;
-     } else {
-         ctx->debug = true;
-        PLUGIN_DEBUG(("sssd_krb5_locator_init called\n"));
-+        PLUGIN_DEBUG("sssd_krb5_locator_init called\n");
-     }
- 
-     dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE);
-@@ -409,7 +409,7 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
-         ctx->disabled = false;
-     } else {
-         ctx->disabled = true;
-        PLUGIN_DEBUG(("SSSD KRB5 locator plugin is disabled.\n"));
-+        PLUGIN_DEBUG("SSSD KRB5 locator plugin is disabled.\n");
-     }
- 
-     *private_data = ctx;
-@@ -424,7 +424,7 @@ void sssd_krb5_locator_close(void *private_data)
-     if (private_data == NULL) return;
- 
-     ctx = (struct sssd_ctx *) private_data;
-    PLUGIN_DEBUG(("sssd_krb5_locator_close called\n"));
-+    PLUGIN_DEBUG("sssd_krb5_locator_close called\n");
- 
-     free_addr_port_list(&(ctx->kdc_addr));
-     free_addr_port_list(&(ctx->kpasswd_addr));
-@@ -460,7 +460,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
-     }
- 
-     if (ctx->disabled) {
-        PLUGIN_DEBUG(("Plugin disabled, nothing to do.\n"));
-+        PLUGIN_DEBUG("Plugin disabled, nothing to do.\n");
-         return KRB5_PLUGIN_NO_HANDLE;
-     }
- 
-@@ -468,13 +468,13 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
-         free(ctx->sssd_realm);
-         ctx->sssd_realm = strdup(realm);
-         if (ctx->sssd_realm == NULL) {
-            PLUGIN_DEBUG(("strdup failed.\n"));
-+            PLUGIN_DEBUG("strdup failed.\n");
-             return KRB5_PLUGIN_NO_HANDLE;
-         }
- 
-         ret = get_krb5info(realm, ctx, locate_service_kdc);
-         if (ret != EOK) {
-            PLUGIN_DEBUG(("get_krb5info failed.\n"));
-+            PLUGIN_DEBUG("get_krb5info failed.\n");
-             return KRB5_PLUGIN_NO_HANDLE;
-         }
- 
-@@ -482,22 +482,22 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
-             svc == locate_service_master_kdc) {
-             ret = get_krb5info(realm, ctx, locate_service_kpasswd);
-             if (ret != EOK) {
-                PLUGIN_DEBUG(("reading kpasswd address failed, "
-                              "using kdc address.\n"));
-+                PLUGIN_DEBUG("reading kpasswd address failed, "
-+                             "using kdc address.\n");
-                 free_addr_port_list(&(ctx->kpasswd_addr));
-                 ret = copy_addr_port_list(ctx->kdc_addr, true,
-                                           &(ctx->kpasswd_addr));
-                 if (ret != EOK) {
-                    PLUGIN_DEBUG(("copying address list failed.\n"));
-+                    PLUGIN_DEBUG("copying address list failed.\n");
-                     return KRB5_PLUGIN_NO_HANDLE;
-                 }
-             }
-         }
-     }
- 
-    PLUGIN_DEBUG(("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] "
-                  "locate_service[%d]\n", ctx->sssd_realm, realm, family,
-                                          socktype, svc));
-+    PLUGIN_DEBUG("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] "
-+                 "locate_service[%d]\n",
-+                 ctx->sssd_realm, realm, family, socktype, svc);
- 
-     switch (svc) {
-         case locate_service_kdc:
-@@ -547,7 +547,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
-         memset(port_str, 0, PORT_STR_SIZE);
-         ret = snprintf(port_str, PORT_STR_SIZE-1, "%u", port);
-         if (ret < 0 || ret >= (PORT_STR_SIZE-1)) {
-            PLUGIN_DEBUG(("snprintf failed.\n"));
-+            PLUGIN_DEBUG("snprintf failed.\n");
-             return KRB5_PLUGIN_NO_HANDLE;
-         }
- 
-@@ -557,31 +557,31 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
- 
-         ret = getaddrinfo(addr[c].addr, port_str, &ai_hints, &ai);
-         if (ret != 0) {
-            PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", ret,
-                                                            gai_strerror(ret)));
-+            PLUGIN_DEBUG("getaddrinfo failed [%d][%s].\n",
-+                         ret, gai_strerror(ret));
-             if (ret == EAI_SYSTEM) {
-                PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n",
-                              errno, strerror(errno)));
-+                PLUGIN_DEBUG("getaddrinfo failed [%d][%s].\n",
-+                             errno, strerror(errno));
-             }
-             return KRB5_PLUGIN_NO_HANDLE;
-         }
- 
-        PLUGIN_DEBUG(("addr[%s:%s] family[%d] socktype[%d]\n", addr[c].addr,
-                     port_str, ai->ai_family, ai->ai_socktype));
-+        PLUGIN_DEBUG("addr[%s:%s] family[%d] socktype[%d]\n",
-+                     addr[c].addr, port_str, ai->ai_family, ai->ai_socktype);
- 
-         if ((family == AF_UNSPEC || ai->ai_family == family) &&
-             ai->ai_socktype == socktype) {
- 
-             ret = cbfunc(cbdata, socktype, ai->ai_addr);
-             if (ret != 0) {
-                PLUGIN_DEBUG(("cbfunc failed\n"));
-+                PLUGIN_DEBUG("cbfunc failed\n");
-                 freeaddrinfo(ai);
-                 return ret;
-             } else {
-                PLUGIN_DEBUG(("[%s] used\n", addr[c].addr));
-+                PLUGIN_DEBUG("[%s] used\n", addr[c].addr);
-             }
-         } else {
-            PLUGIN_DEBUG(("[%s] NOT used\n", addr[c].addr));
-+            PLUGIN_DEBUG("[%s] NOT used\n", addr[c].addr);
-         }
-         freeaddrinfo(ai);
-     }
-- 
-2.9.5
-
--- a/0004-krb5_locator-Fix-typo-in-debug-message.patch
+++ b/0004-krb5_locator-Fix-typo-in-debug-message.patch
@ -1,29 +0,0 @@
-From f748abb7b773a09c7be279b42774a5692fcb1fbb Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Thu, 19 Jul 2018 09:50:12 +0200
-Subject: [PATCH 4/7] krb5_locator: Fix typo in debug message
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3786
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 09dc1d9dc10780d126d477c394ae2ef4c0d0cff3)
---
- src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-index 61fee6b..acb20f2 100644
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
-+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-@@ -323,7 +323,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
- 
-     krb5info_name = calloc(1, len + 1);
-     if (krb5info_name == NULL) {
-        PLUGIN_DEBUG("malloc failed.\n");
-+        PLUGIN_DEBUG("calloc failed.\n");
-         return ENOMEM;
-     }
- 
-- 
-2.9.5
-
--- a/0005-krb5_locator-Fix-formatting-of-the-variable-port.patch
+++ b/0005-krb5_locator-Fix-formatting-of-the-variable-port.patch
@ -1,29 +0,0 @@
-From 5c90d3a2890eb121ff6cb5e972b69bb118cbac39 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Sat, 21 Jul 2018 23:50:11 +0200
-Subject: [PATCH 5/7] krb5_locator: Fix formatting of the variable port
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3786
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit aefdf70351d01d1dcfe3ebb2769fbd3bb1bd0441)
---
- src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-index acb20f2..4b0b6a1 100644
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
-+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-@@ -270,7 +270,7 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
-             addr_str++;
-         }
- 
-        PLUGIN_DEBUG("Found [%s][%d].\n", addr_str, port);
-+        PLUGIN_DEBUG("Found [%s][%ld].\n", addr_str, port);
- 
-         l[c].addr = strdup(addr_str);
-         if (l[c].addr == NULL) {
-- 
-2.9.5
-
--- a/0006-krb5_locator-Use-format-string-checking-for-debug-fu.patch
+++ b/0006-krb5_locator-Use-format-string-checking-for-debug-fu.patch
@ -1,31 +0,0 @@
-From d5f87b392f8cefbf37674f410087c8cbe4a50dcd Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Thu, 19 Jul 2018 09:53:13 +0200
-Subject: [PATCH 6/7] krb5_locator: Use format string checking for debug
- function
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3786
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 9680ac9ce20511b3f34dc1c8635d0c4435006ce3)
---
- src/krb5_plugin/sssd_krb5_locator_plugin.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-index 4b0b6a1..720878e 100644
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
-+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
-@@ -82,6 +82,9 @@ struct sssd_ctx {
-     bool disabled;
- };
- 
-+#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT
-+__attribute__((format(printf, 1, 2)))
-+#endif
- static void plugin_debug_fn(const char *format, ...)
- {
-     va_list ap;
-- 
-2.9.5
-
--- a/0007-PAM-Allow-to-configure-pam-services-for-Smartcards.patch
+++ b/0007-PAM-Allow-to-configure-pam-services-for-Smartcards.patch
@ -1,363 +0,0 @@
-From 9f5fbbdac3658f5f1695fbf3cf89544b4b578b92 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Wed, 20 Jan 2016 13:15:11 +0100
-Subject: [PATCH 7/7] PAM: Allow to configure pam services for Smartcards
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/2926
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3799
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 93caaf294cfd85b4e0d7faa2fc5c2298d6b13020)
---
- src/confdb/confdb.h                  |   1 +
- src/config/SSSDConfig/__init__.py.in |   1 +
- src/config/cfg_rules.ini             |   1 +
- src/config/etc/sssd.api.conf         |   1 +
- src/man/sssd.conf.5.xml              |  76 +++++++++++++++-
- src/responder/pam/pamsrv.h           |   1 +
- src/responder/pam/pamsrv_p11.c       | 164 +++++++++++++++++++++++++++++++++--
- 7 files changed, 237 insertions(+), 8 deletions(-)
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index 8af625f..700ab76 100644
--- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -131,6 +131,7 @@
- #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
- #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
- #define CONFDB_PAM_APP_SERVICES "pam_app_services"
-+#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
- 
- /* SUDO */
- #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
-diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
-index 32b74e4..2846ea2 100644
--- a/src/config/SSSDConfig/__init__.py.in
-+++ b/src/config/SSSDConfig/__init__.py.in
-@@ -103,6 +103,7 @@ option_strings = {
-     'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'),
-     'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
-     'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
-+    'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
- 
-     # [sudo]
-     'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
-diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
-index 5513227..c18fcbd 100644
--- a/src/config/cfg_rules.ini
-+++ b/src/config/cfg_rules.ini
-@@ -126,6 +126,7 @@ option = pam_cert_auth
- option = pam_cert_db_path
- option = p11_child_timeout
- option = pam_app_services
-+option = pam_p11_allowed_services
- 
- [rule/allowed_sudo_options]
- validator = ini_allowed_options
-diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
-index 2be2e3e..7156142 100644
--- a/src/config/etc/sssd.api.conf
-+++ b/src/config/etc/sssd.api.conf
-@@ -75,6 +75,7 @@ pam_cert_auth = bool, None, false
- pam_cert_db_path = str, None, false
- p11_child_timeout = int, None, false
- pam_app_services = str, None, false
-+pam_p11_allowed_services = str, None, false
- 
- [sudo]
- # sudo service
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index ed3c100..881ffc6 100644
--- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -1389,7 +1389,81 @@ pam_account_locked_message = Account locked, please contact help desk.
-                         </para>
-                     </listitem>
-                 </varlistentry>
-
-+                <varlistentry>
-+                    <term>pam_p11_allowed_services (integer)</term>
-+                    <listitem>
-+                        <para>
-+                            A comma-separated list of PAM service names for
-+                            which it will be allowed to use Smartcards.
-+                        </para>
-+                        <para>
-+                            It is possible to add another PAM service name to
-+                            the default set by using
-+                            <quote>+service_name</quote> or to explicitly
-+                            remove a PAM service name from the default set by
-+                            using <quote>-service_name</quote>. For example,
-+                            in order to replace a default PAM service name for
-+                            authentication with Smartcards
-+                            (e.g. <quote>login</quote>) with a custom PAM
-+                            service name (e.g. <quote>my_pam_service</quote>),
-+                            you would use the following configuration:
-+                            <programlisting>
-+pam_p11_allowed_services = +my_pam_service, -login
-+                            </programlisting>
-+                        </para>
-+                        <para>
-+                            Default: the default set of PAM service names
-+                            includes:
-+                            <itemizedlist>
-+                                <listitem>
-+                                    <para>
-+                                        login
-+                                    </para>
-+                                </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        su
-+                                    </para>
-+                                </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        su-l
-+                                    </para>
-+                                </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        gdm-smartcard
-+                                    </para>
-+                                </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        gdm-password
-+                                    </para>
-+                                </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        kdm
-+                                    </para>
-+                                </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        sudo
-+                                    </para>
-+                                </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        sudo-i
-+                                    </para>
-+                                </listitem>
-+                                <listitem>
-+                                    <para>
-+                                        gnome-screensaver
-+                                    </para>
-+                                </listitem>
-+                            </itemizedlist>
-+                        </para>
-+                    </listitem>
-+                </varlistentry>
-             </variablelist>
-         </refsect2>
- 
-diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
-index dfd9821..3325d9b 100644
--- a/src/responder/pam/pamsrv.h
-+++ b/src/responder/pam/pamsrv.h
-@@ -51,6 +51,7 @@ struct pam_ctx {
-     int p11_child_debug_fd;
-     char *nss_db;
-     struct sss_certmap_ctx *sss_certmap_ctx;
-+    char **smartcard_services;
- };
- 
- struct pam_auth_dp_req {
-diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
-index 0b6a162..ddb2def 100644
--- a/src/responder/pam/pamsrv_p11.c
-+++ b/src/responder/pam/pamsrv_p11.c
-@@ -224,12 +224,148 @@ errno_t p11_child_init(struct pam_ctx *pctx)
-     return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
- }
- 
-+static inline bool
-+service_in_list(char **list, size_t nlist, const char *str)
-+{
-+    size_t i;
-+
-+    for (i = 0; i < nlist; i++) {
-+        if (strcasecmp(list[i], str) == 0) {
-+            break;
-+        }
-+    }
-+
-+    return (i < nlist) ? true : false;
-+}
-+
-+static errno_t get_sc_services(TALLOC_CTX *mem_ctx, struct pam_ctx *pctx,
-+                               char ***_sc_list)
-+{
-+    TALLOC_CTX *tmp_ctx;
-+    errno_t ret;
-+    char *conf_str;
-+    char **conf_list;
-+    int conf_list_size;
-+    char **add_list;
-+    char **remove_list;
-+    int ai = 0;
-+    int ri = 0;
-+    int j = 0;
-+    char **sc_list;
-+    int expected_sc_list_size;
-+
-+    const char *default_sc_services[] = {
-+        "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm", "sudo",
-+        "sudo-i", "gnome-screensaver", NULL,
-+    };
-+    const int default_sc_services_size =
-+        sizeof(default_sc_services) / sizeof(default_sc_services[0]);
-+
-+    tmp_ctx = talloc_new(mem_ctx);
-+    if (tmp_ctx == NULL) {
-+        return ENOMEM;
-+    }
-+
-+    ret = confdb_get_string(pctx->rctx->cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
-+                            CONFDB_PAM_P11_ALLOWED_SERVICES, NULL,
-+                            &conf_str);
-+    if (ret != EOK) {
-+        DEBUG(SSSDBG_CRIT_FAILURE,
-+              "confdb_get_string failed %d [%s]\n", ret, sss_strerror(ret));
-+        goto done;
-+    }
-+
-+    if (conf_str != NULL) {
-+        ret = split_on_separator(tmp_ctx, conf_str, ',', true, true,
-+                                 &conf_list, &conf_list_size);
-+        if (ret != EOK) {
-+            DEBUG(SSSDBG_CRIT_FAILURE,
-+                  "Cannot parse list of service names '%s': %d [%s]\n",
-+                  conf_str, ret, sss_strerror(ret));
-+            goto done;
-+        }
-+    } else {
-+        conf_list = talloc_zero_array(tmp_ctx, char *, 1);
-+        conf_list_size = 0;
-+    }
-+
-+    add_list = talloc_zero_array(tmp_ctx, char *, conf_list_size + 1);
-+    remove_list = talloc_zero_array(tmp_ctx, char *, conf_list_size + 1);
-+
-+    if (add_list == NULL || remove_list == NULL) {
-+        ret = ENOMEM;
-+        goto done;
-+    }
-+
-+    for (int i = 0; conf_list[i] != NULL; ++i) {
-+        switch (conf_list[i][0]) {
-+        case '+':
-+            add_list[ai] = conf_list[i] + 1;
-+            ++ai;
-+            break;
-+        case '-':
-+            remove_list[ri] = conf_list[i] + 1;
-+            ++ri;
-+            break;
-+        default:
-+            DEBUG(SSSDBG_OP_FAILURE,
-+                  "The option "CONFDB_PAM_P11_ALLOWED_SERVICES" must start"
-+                  "with either '+' (for adding service) or '-' (for "
-+                  "removing service) got '%s'\n", conf_list[i]);
-+            ret = EINVAL;
-+            goto done;
-+        }
-+    }
-+
-+    expected_sc_list_size = default_sc_services_size + ai + 1;
-+
-+    sc_list = talloc_zero_array(tmp_ctx, char *, expected_sc_list_size);
-+    if (sc_list == NULL) {
-+        ret = ENOMEM;
-+        goto done;
-+    }
-+
-+    for (int i = 0; add_list[i] != NULL; ++i) {
-+        if (service_in_list(remove_list, ri, add_list[i])) {
-+            continue;
-+        }
-+
-+        sc_list[j] = talloc_strdup(sc_list, add_list[i]);
-+        if (sc_list[j] == NULL) {
-+            ret = ENOMEM;
-+            goto done;
-+        }
-+        ++j;
-+    }
-+
-+    for (int i = 0; default_sc_services[i] != NULL; ++i) {
-+        if (service_in_list(remove_list, ri, default_sc_services[i])) {
-+            continue;
-+        }
-+
-+        sc_list[j] = talloc_strdup(sc_list, default_sc_services[i]);
-+        if (sc_list[j] == NULL) {
-+            ret = ENOMEM;
-+            goto done;
-+        }
-+        ++j;
-+    }
-+
-+    if (_sc_list != NULL) {
-+        *_sc_list = talloc_steal(mem_ctx, sc_list);
-+    }
-+
-+done:
-+    talloc_zfree(tmp_ctx);
-+
-+    return ret;
-+}
-+
- bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
- {
-     size_t c;
-    const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard",
-                                  "gdm-password", "kdm", "sudo", "sudo-i",
-                                  "gnome-screensaver", NULL };
-+    errno_t ret;
-+
-     if (!pctx->cert_auth) {
-         return false;
-     }
-@@ -244,16 +380,30 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
-         return false;
-     }
- 
-    /* TODO: make services configurable */
-     if (pd->service == NULL || *pd->service == '\0') {
-         return false;
-     }
-    for (c = 0; sc_services[c] != NULL; c++) {
-        if (strcmp(pd->service, sc_services[c]) == 0) {
-+
-+    /* Initialize smartcard allowed services just once */
-+    if (pctx->smartcard_services == NULL) {
-+        ret = get_sc_services(pctx, pctx, &pctx->smartcard_services);
-+        if (ret != EOK) {
-+            DEBUG(SSSDBG_CRIT_FAILURE,
-+                  "Failed to get p11 allowed services %d[%s]",
-+                  ret, sss_strerror(ret));
-+            sss_log(SSS_LOG_ERR,
-+                    "Failed to evaluate pam_p11_allowed_services option, "
-+                    "please check for typos in the SSSD configuration");
-+            return false;
-+        }
-+    }
-+
-+    for (c = 0; pctx->smartcard_services[c] != NULL; c++) {
-+        if (strcmp(pd->service, pctx->smartcard_services[c]) == 0) {
-             break;
-         }
-     }
-    if  (sc_services[c] == NULL) {
-+    if (pctx->smartcard_services[c] == NULL) {
-         DEBUG(SSSDBG_CRIT_FAILURE,
-               "Smartcard authentication for service [%s] not supported.\n",
-               pd->service);
-- 
-2.9.5
-
--- a/0502-SYSTEMD-Use-capabilities.patch
+++ b/0502-SYSTEMD-Use-capabilities.patch
@ -1,25 +0,0 @@
-From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@fedoraproject.org>
-Date: Mon, 12 Dec 2016 21:56:16 +0100
-Subject: [PATCH] SYSTEMD: Use capabilities
-
-copied from selinux policy
---
- src/sysv/systemd/sssd.service.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
-index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
--- a/src/sysv/systemd/sssd.service.in
-+++ b/src/sysv/systemd/sssd.service.in
-@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
- Type=notify
- NotifyAccess=main
- PIDFile=@localstatedir@/run/sssd.pid
-+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
- 
- [Install]
- WantedBy=multi-user.target
-- 
-2.15.1
-
--- a/0503-Disable-stopping-idle-socket-activated-responders.patch
+++ b/0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1,39 +0,0 @@
-From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@fedoraproject.org>
-Date: Fri, 3 Nov 2017 16:18:14 +0100
-Subject: [PATCH] Disable stopping idle socket activated responders
-
---
- src/confdb/confdb.h     | 2 +-
- src/man/sssd.conf.5.xml | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
--- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -85,7 +85,7 @@
- /* Responders */
- #define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
- #define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
-#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
-+#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
- #define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
- #define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
- #define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
--- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -706,7 +706,7 @@
-                             or dbus activated.
-                         </para>
-                         <para>
-                            Default: 300
-+                            Default: 0
-                         </para>
-                     </listitem>
-                 </varlistentry>
-- 
-2.14.3
-
--- a/1000-SYSDB-Prepend-cached-hash-with-the-salt-identifier-i.patch
+++ b/1000-SYSDB-Prepend-cached-hash-with-the-salt-identifier-i.patch
@ -1,44 +0,0 @@
-From ae98cc4985bd3a19bbcadb5c4b77c5e01819e8ac Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Tue, 21 Aug 2018 13:59:33 +0200
-Subject: [PATCH] SYSDB: Prepend cached hash with the salt identifier if it's
- not there
-
-This is a downstream-only patch for
-https://bugzilla.redhat.com/show_bug.cgi?id=1561105#c13
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
---
- src/db/sysdb_ops.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index df0fb83c5546809a2d643e2e585153ad61a6a334..3a7e8fed507e9d96301f97112f9230e031cb5896 100644
--- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -4516,6 +4516,7 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
-     time_t expire_date = -1;
-     time_t delayed_until = -1;
-     int ret;
-+    const char *salt_prefix = "$6$";
- 
-     if (name == NULL || *name == '\0') {
-         DEBUG(SSSDBG_CRIT_FAILURE, "Missing user name.\n");
-@@ -4601,6 +4602,14 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
-         goto done;
-     }
- 
-+    if (strncmp(userhash, salt_prefix, strlen(salt_prefix)) != 0) {
-+        userhash = talloc_asprintf(tmp_ctx, "%s%s", salt_prefix, userhash);
-+        if (userhash == NULL) {
-+            ret = ENOMEM;
-+            goto done;
-+        }
-+    }
-+
-     ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash);
-     if (ret) {
-         DEBUG(SSSDBG_CONF_SETTINGS, "Failed to create password hash.\n");
-- 
-2.14.4
-
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (sssd-1.16.3.tar.gz) = 6165923f652f624bbe3ddc625ae682c4867eb7a20652d0cf74bbb8dda2307c917d3189ede26fd21a4fb5fd5926149271a65fa09f3affe928029ed99e6422b728
+SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55
--- a/sssd.spec
+++ b/sssd.spec