Resolves: rhbz#1561105 - sssd update prevented login using kerberos user

(cherry picked from commit a5e12d6904)
New upstream release 1.16.3
2018-08-21 19:57:01 +02:00 · 2018-08-14 12:20:28 +02:00 · 2018-06-25 10:00:32 +02:00 · 2018-06-25 10:00:09 +02:00 · 2018-06-11 16:11:38 +02:00 · 2018-05-28 10:13:50 +02:00
14 changed files with 1118 additions and 115 deletions
--- a/.gitignore
+++ b/.gitignore
@ -77,3 +77,7 @@ sssd-1.2.91.tar.gz
 /sssd-1.15.1.tar.gz
 /sssd-1.15.2.tar.gz
 /sssd-1.15.3.tar.gz
+/sssd-1.16.0.tar.gz
+/sssd-1.16.1.tar.gz
+/sssd-1.16.2.tar.gz
+/sssd-1.16.3.tar.gz
--- a/0001-man-sss_ssh_knownhostsproxy-fix-typo-pubkeys-pubkey.patch
+++ b/0001-man-sss_ssh_knownhostsproxy-fix-typo-pubkeys-pubkey.patch
@ -0,0 +1,37 @@
+From 62839f9187dde5b46e198f0cb61204a0613d826d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Sun, 12 Aug 2018 23:56:21 +0200
+Subject: [PATCH 1/7] man/sss_ssh_knownhostsproxy: fix typo pubkeys -> pubkey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In commit 36f2fe8f63 a discrepancy between the command line option and
+the manpage has been introduced.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/3542
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 2b3b41dad27fcb03478c211ec82d9c2fd9dadcb4)
+---
+ src/man/sss_ssh_knownhostsproxy.1.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/man/sss_ssh_knownhostsproxy.1.xml b/src/man/sss_ssh_knownhostsproxy.1.xml
+index f84732c..58aeb04 100644
+--- a/src/man/sss_ssh_knownhostsproxy.1.xml
+++ b/src/man/sss_ssh_knownhostsproxy.1.xml
+@@ -86,7 +86,7 @@ GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
+             </varlistentry>
+             <varlistentry>
+                 <term>
+-                    <option>-k</option>,<option>--pubkeys</option>
+                    <option>-k</option>,<option>--pubkey</option>
+                 </term>
+                 <listitem>
+                     <para>
+-- 
+2.9.5
+
--- a/0002-krb5_locator-Make-debug-function-internal.patch
+++ b/0002-krb5_locator-Make-debug-function-internal.patch
@ -0,0 +1,29 @@
+From de33a5c07eb8c9f821e684a49c4ee993c25776b9 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 19 Jul 2018 09:38:22 +0200
+Subject: [PATCH 2/7] krb5_locator: Make debug function internal
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 86de91f93f51d41d71c504b871c65fea31dd5485)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index 952d487..7800ab0 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -82,7 +82,7 @@ struct sssd_ctx {
+     bool disabled;
+ };
+ 
+-void plugin_debug_fn(const char *format, ...)
+static void plugin_debug_fn(const char *format, ...)
+ {
+     va_list ap;
+     char *s = NULL;
+-- 
+2.9.5
+
--- a/0003-krb5_locator-Simplify-usage-of-macro-PLUGIN_DEBUG.patch
+++ b/0003-krb5_locator-Simplify-usage-of-macro-PLUGIN_DEBUG.patch
@ -0,0 +1,275 @@
+From 0f44cbdfcbf35278c984a12b22a1c01f38a2c5ab Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 19 Jul 2018 09:44:33 +0200
+Subject: [PATCH 3/7] krb5_locator: Simplify usage of macro PLUGIN_DEBUG
+
+It should look like real function call
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 276f2e345548947b66f7bd3b984628eaf6f4cbd4)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 88 +++++++++++++++---------------
+ 1 file changed, 44 insertions(+), 44 deletions(-)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index 7800ab0..61fee6b 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -63,9 +63,9 @@
+ #define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG"
+ #define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE"
+ #define DEBUG_KEY "[sssd_krb5_locator] "
+-#define PLUGIN_DEBUG(body) do { \
+#define PLUGIN_DEBUG(format, ...) do { \
+     if (ctx->debug) { \
+-        plugin_debug_fn body; \
+        plugin_debug_fn(format, ##__VA_ARGS__); \
+     } \
+ } while(0)
+ 
+@@ -236,26 +236,26 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
+                 port = strtol(port_str, &endptr, 10);
+                 if (errno != 0) {
+                     ret = errno;
+-                    PLUGIN_DEBUG(("strtol failed on [%s]: [%d][%s], "
+-                                "assuming default.\n", port_str, ret,
+-                                                       strerror(ret)));
+                    PLUGIN_DEBUG("strtol failed on [%s]: [%d][%s], "
+                                 "assuming default.\n",
+                                 port_str, ret, strerror(ret));
+                     port = 0;
+                 }
+                 if (*endptr != '\0') {
+-                    PLUGIN_DEBUG(("Found additional characters [%s] in port "
+-                                "number [%s], assuming default.\n", endptr,
+-                                                                    port_str));
+                    PLUGIN_DEBUG("Found additional characters [%s] in port "
+                                 "number [%s], assuming default.\n",
+                                 endptr, port_str);
+                     port = 0;
+                 }
+ 
+                 if (port < 0 || port > 65535) {
+-                    PLUGIN_DEBUG(("Illegal port number [%ld], assuming "
+-                                  "default.\n", port));
+                    PLUGIN_DEBUG("Illegal port number [%ld], assuming "
+                                 "default.\n", port);
+                     port = 0;
+                 }
+             } else {
+-                PLUGIN_DEBUG(("Illegal port number [%s], assuming default.\n",
+-                            port_str));
+                PLUGIN_DEBUG("Illegal port number [%s], assuming default.\n",
+                             port_str);
+                 port = 0;
+             }
+         }
+@@ -270,7 +270,7 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
+             addr_str++;
+         }
+ 
+-        PLUGIN_DEBUG(("Found [%s][%d].\n", addr_str, port));
+        PLUGIN_DEBUG("Found [%s][%d].\n", addr_str, port);
+ 
+         l[c].addr = strdup(addr_str);
+         if (l[c].addr == NULL) {
+@@ -314,7 +314,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+             name_tmpl = KPASSWDINFO_TMPL;
+             break;
+         default:
+-            PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
+            PLUGIN_DEBUG("Unsupported service [%d].\n", svc);
+             return EINVAL;
+     }
+ 
+@@ -323,13 +323,13 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+ 
+     krb5info_name = calloc(1, len + 1);
+     if (krb5info_name == NULL) {
+-        PLUGIN_DEBUG(("malloc failed.\n"));
+        PLUGIN_DEBUG("malloc failed.\n");
+         return ENOMEM;
+     }
+ 
+     ret = snprintf(krb5info_name, len, name_tmpl, realm);
+     if (ret < 0) {
+-        PLUGIN_DEBUG(("snprintf failed.\n"));
+        PLUGIN_DEBUG("snprintf failed.\n");
+         ret = EINVAL;
+         goto done;
+     }
+@@ -337,8 +337,8 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+ 
+     fd = open(krb5info_name, O_RDONLY);
+     if (fd == -1) {
+-        PLUGIN_DEBUG(("open failed [%s][%d][%s].\n",
+-                      krb5info_name, errno, strerror(errno)));
+        PLUGIN_DEBUG("open failed [%s][%d][%s].\n",
+                     krb5info_name, errno, strerror(errno));
+         ret = errno;
+         goto done;
+     }
+@@ -349,15 +349,15 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+     len = sss_atomic_read_s(fd, buf, BUFSIZE);
+     if (len == -1) {
+         ret = errno;
+-        PLUGIN_DEBUG(("read failed [%d][%s].\n", ret, strerror(ret)));
+        PLUGIN_DEBUG("read failed [%d][%s].\n", ret, strerror(ret));
+         close(fd);
+         goto done;
+     }
+     close(fd);
+ 
+     if (len == BUFSIZE) {
+-        PLUGIN_DEBUG(("Content of krb5info file [%s] is [%d] or larger.\n",
+-                      krb5info_name, BUFSIZE));
+        PLUGIN_DEBUG("Content of krb5info file [%s] is [%d] or larger.\n",
+                     krb5info_name, BUFSIZE);
+     }
+ 
+     switch (svc) {
+@@ -376,7 +376,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+             }
+             break;
+         default:
+-            PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
+            PLUGIN_DEBUG("Unsupported service [%d].\n", svc);
+             ret = EINVAL;
+             goto done;
+     }
+@@ -401,7 +401,7 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
+         ctx->debug = false;
+     } else {
+         ctx->debug = true;
+-        PLUGIN_DEBUG(("sssd_krb5_locator_init called\n"));
+        PLUGIN_DEBUG("sssd_krb5_locator_init called\n");
+     }
+ 
+     dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE);
+@@ -409,7 +409,7 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
+         ctx->disabled = false;
+     } else {
+         ctx->disabled = true;
+-        PLUGIN_DEBUG(("SSSD KRB5 locator plugin is disabled.\n"));
+        PLUGIN_DEBUG("SSSD KRB5 locator plugin is disabled.\n");
+     }
+ 
+     *private_data = ctx;
+@@ -424,7 +424,7 @@ void sssd_krb5_locator_close(void *private_data)
+     if (private_data == NULL) return;
+ 
+     ctx = (struct sssd_ctx *) private_data;
+-    PLUGIN_DEBUG(("sssd_krb5_locator_close called\n"));
+    PLUGIN_DEBUG("sssd_krb5_locator_close called\n");
+ 
+     free_addr_port_list(&(ctx->kdc_addr));
+     free_addr_port_list(&(ctx->kpasswd_addr));
+@@ -460,7 +460,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+     }
+ 
+     if (ctx->disabled) {
+-        PLUGIN_DEBUG(("Plugin disabled, nothing to do.\n"));
+        PLUGIN_DEBUG("Plugin disabled, nothing to do.\n");
+         return KRB5_PLUGIN_NO_HANDLE;
+     }
+ 
+@@ -468,13 +468,13 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+         free(ctx->sssd_realm);
+         ctx->sssd_realm = strdup(realm);
+         if (ctx->sssd_realm == NULL) {
+-            PLUGIN_DEBUG(("strdup failed.\n"));
+            PLUGIN_DEBUG("strdup failed.\n");
+             return KRB5_PLUGIN_NO_HANDLE;
+         }
+ 
+         ret = get_krb5info(realm, ctx, locate_service_kdc);
+         if (ret != EOK) {
+-            PLUGIN_DEBUG(("get_krb5info failed.\n"));
+            PLUGIN_DEBUG("get_krb5info failed.\n");
+             return KRB5_PLUGIN_NO_HANDLE;
+         }
+ 
+@@ -482,22 +482,22 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+             svc == locate_service_master_kdc) {
+             ret = get_krb5info(realm, ctx, locate_service_kpasswd);
+             if (ret != EOK) {
+-                PLUGIN_DEBUG(("reading kpasswd address failed, "
+-                              "using kdc address.\n"));
+                PLUGIN_DEBUG("reading kpasswd address failed, "
+                             "using kdc address.\n");
+                 free_addr_port_list(&(ctx->kpasswd_addr));
+                 ret = copy_addr_port_list(ctx->kdc_addr, true,
+                                           &(ctx->kpasswd_addr));
+                 if (ret != EOK) {
+-                    PLUGIN_DEBUG(("copying address list failed.\n"));
+                    PLUGIN_DEBUG("copying address list failed.\n");
+                     return KRB5_PLUGIN_NO_HANDLE;
+                 }
+             }
+         }
+     }
+ 
+-    PLUGIN_DEBUG(("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] "
+-                  "locate_service[%d]\n", ctx->sssd_realm, realm, family,
+-                                          socktype, svc));
+    PLUGIN_DEBUG("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] "
+                 "locate_service[%d]\n",
+                 ctx->sssd_realm, realm, family, socktype, svc);
+ 
+     switch (svc) {
+         case locate_service_kdc:
+@@ -547,7 +547,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+         memset(port_str, 0, PORT_STR_SIZE);
+         ret = snprintf(port_str, PORT_STR_SIZE-1, "%u", port);
+         if (ret < 0 || ret >= (PORT_STR_SIZE-1)) {
+-            PLUGIN_DEBUG(("snprintf failed.\n"));
+            PLUGIN_DEBUG("snprintf failed.\n");
+             return KRB5_PLUGIN_NO_HANDLE;
+         }
+ 
+@@ -557,31 +557,31 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+ 
+         ret = getaddrinfo(addr[c].addr, port_str, &ai_hints, &ai);
+         if (ret != 0) {
+-            PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", ret,
+-                                                            gai_strerror(ret)));
+            PLUGIN_DEBUG("getaddrinfo failed [%d][%s].\n",
+                         ret, gai_strerror(ret));
+             if (ret == EAI_SYSTEM) {
+-                PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n",
+-                              errno, strerror(errno)));
+                PLUGIN_DEBUG("getaddrinfo failed [%d][%s].\n",
+                             errno, strerror(errno));
+             }
+             return KRB5_PLUGIN_NO_HANDLE;
+         }
+ 
+-        PLUGIN_DEBUG(("addr[%s:%s] family[%d] socktype[%d]\n", addr[c].addr,
+-                     port_str, ai->ai_family, ai->ai_socktype));
+        PLUGIN_DEBUG("addr[%s:%s] family[%d] socktype[%d]\n",
+                     addr[c].addr, port_str, ai->ai_family, ai->ai_socktype);
+ 
+         if ((family == AF_UNSPEC || ai->ai_family == family) &&
+             ai->ai_socktype == socktype) {
+ 
+             ret = cbfunc(cbdata, socktype, ai->ai_addr);
+             if (ret != 0) {
+-                PLUGIN_DEBUG(("cbfunc failed\n"));
+                PLUGIN_DEBUG("cbfunc failed\n");
+                 freeaddrinfo(ai);
+                 return ret;
+             } else {
+-                PLUGIN_DEBUG(("[%s] used\n", addr[c].addr));
+                PLUGIN_DEBUG("[%s] used\n", addr[c].addr);
+             }
+         } else {
+-            PLUGIN_DEBUG(("[%s] NOT used\n", addr[c].addr));
+            PLUGIN_DEBUG("[%s] NOT used\n", addr[c].addr);
+         }
+         freeaddrinfo(ai);
+     }
+-- 
+2.9.5
+
--- a/0004-krb5_locator-Fix-typo-in-debug-message.patch
+++ b/0004-krb5_locator-Fix-typo-in-debug-message.patch
@ -0,0 +1,29 @@
+From f748abb7b773a09c7be279b42774a5692fcb1fbb Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 19 Jul 2018 09:50:12 +0200
+Subject: [PATCH 4/7] krb5_locator: Fix typo in debug message
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 09dc1d9dc10780d126d477c394ae2ef4c0d0cff3)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index 61fee6b..acb20f2 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -323,7 +323,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+ 
+     krb5info_name = calloc(1, len + 1);
+     if (krb5info_name == NULL) {
+-        PLUGIN_DEBUG("malloc failed.\n");
+        PLUGIN_DEBUG("calloc failed.\n");
+         return ENOMEM;
+     }
+ 
+-- 
+2.9.5
+
--- a/0005-krb5_locator-Fix-formatting-of-the-variable-port.patch
+++ b/0005-krb5_locator-Fix-formatting-of-the-variable-port.patch
@ -0,0 +1,29 @@
+From 5c90d3a2890eb121ff6cb5e972b69bb118cbac39 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Sat, 21 Jul 2018 23:50:11 +0200
+Subject: [PATCH 5/7] krb5_locator: Fix formatting of the variable port
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit aefdf70351d01d1dcfe3ebb2769fbd3bb1bd0441)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index acb20f2..4b0b6a1 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -270,7 +270,7 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
+             addr_str++;
+         }
+ 
+-        PLUGIN_DEBUG("Found [%s][%d].\n", addr_str, port);
+        PLUGIN_DEBUG("Found [%s][%ld].\n", addr_str, port);
+ 
+         l[c].addr = strdup(addr_str);
+         if (l[c].addr == NULL) {
+-- 
+2.9.5
+
--- a/0006-krb5_locator-Use-format-string-checking-for-debug-fu.patch
+++ b/0006-krb5_locator-Use-format-string-checking-for-debug-fu.patch
@ -0,0 +1,31 @@
+From d5f87b392f8cefbf37674f410087c8cbe4a50dcd Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 19 Jul 2018 09:53:13 +0200
+Subject: [PATCH 6/7] krb5_locator: Use format string checking for debug
+ function
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 9680ac9ce20511b3f34dc1c8635d0c4435006ce3)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index 4b0b6a1..720878e 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -82,6 +82,9 @@ struct sssd_ctx {
+     bool disabled;
+ };
+ 
+#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT
+__attribute__((format(printf, 1, 2)))
+#endif
+ static void plugin_debug_fn(const char *format, ...)
+ {
+     va_list ap;
+-- 
+2.9.5
+
--- a/0007-PAM-Allow-to-configure-pam-services-for-Smartcards.patch
+++ b/0007-PAM-Allow-to-configure-pam-services-for-Smartcards.patch
@ -0,0 +1,363 @@
+From 9f5fbbdac3658f5f1695fbf3cf89544b4b578b92 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Wed, 20 Jan 2016 13:15:11 +0100
+Subject: [PATCH 7/7] PAM: Allow to configure pam services for Smartcards
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2926
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3799
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 93caaf294cfd85b4e0d7faa2fc5c2298d6b13020)
+---
+ src/confdb/confdb.h                  |   1 +
+ src/config/SSSDConfig/__init__.py.in |   1 +
+ src/config/cfg_rules.ini             |   1 +
+ src/config/etc/sssd.api.conf         |   1 +
+ src/man/sssd.conf.5.xml              |  76 +++++++++++++++-
+ src/responder/pam/pamsrv.h           |   1 +
+ src/responder/pam/pamsrv_p11.c       | 164 +++++++++++++++++++++++++++++++++--
+ 7 files changed, 237 insertions(+), 8 deletions(-)
+
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index 8af625f..700ab76 100644
+--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
+@@ -131,6 +131,7 @@
+ #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
+ #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
+ #define CONFDB_PAM_APP_SERVICES "pam_app_services"
+#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
+ 
+ /* SUDO */
+ #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 32b74e4..2846ea2 100644
+--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
+@@ -103,6 +103,7 @@ option_strings = {
+     'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'),
+     'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
+     'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
+    'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
+ 
+     # [sudo]
+     'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index 5513227..c18fcbd 100644
+--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
+@@ -126,6 +126,7 @@ option = pam_cert_auth
+ option = pam_cert_db_path
+ option = p11_child_timeout
+ option = pam_app_services
+option = pam_p11_allowed_services
+ 
+ [rule/allowed_sudo_options]
+ validator = ini_allowed_options
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index 2be2e3e..7156142 100644
+--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
+@@ -75,6 +75,7 @@ pam_cert_auth = bool, None, false
+ pam_cert_db_path = str, None, false
+ p11_child_timeout = int, None, false
+ pam_app_services = str, None, false
+pam_p11_allowed_services = str, None, false
+ 
+ [sudo]
+ # sudo service
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index ed3c100..881ffc6 100644
+--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
+@@ -1389,7 +1389,81 @@ pam_account_locked_message = Account locked, please contact help desk.
+                         </para>
+                     </listitem>
+                 </varlistentry>
+-
+                <varlistentry>
+                    <term>pam_p11_allowed_services (integer)</term>
+                    <listitem>
+                        <para>
+                            A comma-separated list of PAM service names for
+                            which it will be allowed to use Smartcards.
+                        </para>
+                        <para>
+                            It is possible to add another PAM service name to
+                            the default set by using
+                            <quote>+service_name</quote> or to explicitly
+                            remove a PAM service name from the default set by
+                            using <quote>-service_name</quote>. For example,
+                            in order to replace a default PAM service name for
+                            authentication with Smartcards
+                            (e.g. <quote>login</quote>) with a custom PAM
+                            service name (e.g. <quote>my_pam_service</quote>),
+                            you would use the following configuration:
+                            <programlisting>
+pam_p11_allowed_services = +my_pam_service, -login
+                            </programlisting>
+                        </para>
+                        <para>
+                            Default: the default set of PAM service names
+                            includes:
+                            <itemizedlist>
+                                <listitem>
+                                    <para>
+                                        login
+                                    </para>
+                                </listitem>
+                                <listitem>
+                                    <para>
+                                        su
+                                    </para>
+                                </listitem>
+                                <listitem>
+                                    <para>
+                                        su-l
+                                    </para>
+                                </listitem>
+                                <listitem>
+                                    <para>
+                                        gdm-smartcard
+                                    </para>
+                                </listitem>
+                                <listitem>
+                                    <para>
+                                        gdm-password
+                                    </para>
+                                </listitem>
+                                <listitem>
+                                    <para>
+                                        kdm
+                                    </para>
+                                </listitem>
+                                <listitem>
+                                    <para>
+                                        sudo
+                                    </para>
+                                </listitem>
+                                <listitem>
+                                    <para>
+                                        sudo-i
+                                    </para>
+                                </listitem>
+                                <listitem>
+                                    <para>
+                                        gnome-screensaver
+                                    </para>
+                                </listitem>
+                            </itemizedlist>
+                        </para>
+                    </listitem>
+                </varlistentry>
+             </variablelist>
+         </refsect2>
+ 
+diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
+index dfd9821..3325d9b 100644
+--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
+@@ -51,6 +51,7 @@ struct pam_ctx {
+     int p11_child_debug_fd;
+     char *nss_db;
+     struct sss_certmap_ctx *sss_certmap_ctx;
+    char **smartcard_services;
+ };
+ 
+ struct pam_auth_dp_req {
+diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
+index 0b6a162..ddb2def 100644
+--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
+@@ -224,12 +224,148 @@ errno_t p11_child_init(struct pam_ctx *pctx)
+     return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
+ }
+ 
+static inline bool
+service_in_list(char **list, size_t nlist, const char *str)
+{
+    size_t i;
+
+    for (i = 0; i < nlist; i++) {
+        if (strcasecmp(list[i], str) == 0) {
+            break;
+        }
+    }
+
+    return (i < nlist) ? true : false;
+}
+
+static errno_t get_sc_services(TALLOC_CTX *mem_ctx, struct pam_ctx *pctx,
+                               char ***_sc_list)
+{
+    TALLOC_CTX *tmp_ctx;
+    errno_t ret;
+    char *conf_str;
+    char **conf_list;
+    int conf_list_size;
+    char **add_list;
+    char **remove_list;
+    int ai = 0;
+    int ri = 0;
+    int j = 0;
+    char **sc_list;
+    int expected_sc_list_size;
+
+    const char *default_sc_services[] = {
+        "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm", "sudo",
+        "sudo-i", "gnome-screensaver", NULL,
+    };
+    const int default_sc_services_size =
+        sizeof(default_sc_services) / sizeof(default_sc_services[0]);
+
+    tmp_ctx = talloc_new(mem_ctx);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    ret = confdb_get_string(pctx->rctx->cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
+                            CONFDB_PAM_P11_ALLOWED_SERVICES, NULL,
+                            &conf_str);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "confdb_get_string failed %d [%s]\n", ret, sss_strerror(ret));
+        goto done;
+    }
+
+    if (conf_str != NULL) {
+        ret = split_on_separator(tmp_ctx, conf_str, ',', true, true,
+                                 &conf_list, &conf_list_size);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Cannot parse list of service names '%s': %d [%s]\n",
+                  conf_str, ret, sss_strerror(ret));
+            goto done;
+        }
+    } else {
+        conf_list = talloc_zero_array(tmp_ctx, char *, 1);
+        conf_list_size = 0;
+    }
+
+    add_list = talloc_zero_array(tmp_ctx, char *, conf_list_size + 1);
+    remove_list = talloc_zero_array(tmp_ctx, char *, conf_list_size + 1);
+
+    if (add_list == NULL || remove_list == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    for (int i = 0; conf_list[i] != NULL; ++i) {
+        switch (conf_list[i][0]) {
+        case '+':
+            add_list[ai] = conf_list[i] + 1;
+            ++ai;
+            break;
+        case '-':
+            remove_list[ri] = conf_list[i] + 1;
+            ++ri;
+            break;
+        default:
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "The option "CONFDB_PAM_P11_ALLOWED_SERVICES" must start"
+                  "with either '+' (for adding service) or '-' (for "
+                  "removing service) got '%s'\n", conf_list[i]);
+            ret = EINVAL;
+            goto done;
+        }
+    }
+
+    expected_sc_list_size = default_sc_services_size + ai + 1;
+
+    sc_list = talloc_zero_array(tmp_ctx, char *, expected_sc_list_size);
+    if (sc_list == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    for (int i = 0; add_list[i] != NULL; ++i) {
+        if (service_in_list(remove_list, ri, add_list[i])) {
+            continue;
+        }
+
+        sc_list[j] = talloc_strdup(sc_list, add_list[i]);
+        if (sc_list[j] == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+        ++j;
+    }
+
+    for (int i = 0; default_sc_services[i] != NULL; ++i) {
+        if (service_in_list(remove_list, ri, default_sc_services[i])) {
+            continue;
+        }
+
+        sc_list[j] = talloc_strdup(sc_list, default_sc_services[i]);
+        if (sc_list[j] == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+        ++j;
+    }
+
+    if (_sc_list != NULL) {
+        *_sc_list = talloc_steal(mem_ctx, sc_list);
+    }
+
+done:
+    talloc_zfree(tmp_ctx);
+
+    return ret;
+}
+
+ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
+ {
+     size_t c;
+-    const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard",
+-                                  "gdm-password", "kdm", "sudo", "sudo-i",
+-                                  "gnome-screensaver", NULL };
+    errno_t ret;
+
+     if (!pctx->cert_auth) {
+         return false;
+     }
+@@ -244,16 +380,30 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
+         return false;
+     }
+ 
+-    /* TODO: make services configurable */
+     if (pd->service == NULL || *pd->service == '\0') {
+         return false;
+     }
+-    for (c = 0; sc_services[c] != NULL; c++) {
+-        if (strcmp(pd->service, sc_services[c]) == 0) {
+
+    /* Initialize smartcard allowed services just once */
+    if (pctx->smartcard_services == NULL) {
+        ret = get_sc_services(pctx, pctx, &pctx->smartcard_services);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Failed to get p11 allowed services %d[%s]",
+                  ret, sss_strerror(ret));
+            sss_log(SSS_LOG_ERR,
+                    "Failed to evaluate pam_p11_allowed_services option, "
+                    "please check for typos in the SSSD configuration");
+            return false;
+        }
+    }
+
+    for (c = 0; pctx->smartcard_services[c] != NULL; c++) {
+        if (strcmp(pd->service, pctx->smartcard_services[c]) == 0) {
+             break;
+         }
+     }
+-    if  (sc_services[c] == NULL) {
+    if (pctx->smartcard_services[c] == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Smartcard authentication for service [%s] not supported.\n",
+               pd->service);
+-- 
+2.9.5
+
--- a/0501-libwbclient-sssd-update-interface-to-version-0.14.patch
+++ b/0501-libwbclient-sssd-update-interface-to-version-0.14.patch
@ -1,86 +0,0 @@
-From 213dac21410f3c7aaeac660c5fc9c09bd1ab3d59 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 7 Jul 2017 11:15:20 +0200
-Subject: [PATCH] libwbclient-sssd: update interface to version 0.14
-
-The main change is a new member of the wbcAuthErrorInfo struct.
---
- src/conf_macros.m4                          | 4 ++--
- src/sss_client/libwbclient/wbclient.exports | 3 +++
- src/sss_client/libwbclient/wbclient_sssd.h  | 9 +++++++--
- 3 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
-index 420997229cb3c244afd8fb21b074e43a21de0eda..bd33d3aee194c23ceac01b3729ba3152d9de9f89 100644
--- a/src/conf_macros.m4
-+++ b/src/conf_macros.m4
-@@ -727,10 +727,10 @@ AC_DEFUN([WITH_LIBWBCLIENT],
-     if test x"$with_libwbclient" = xyes; then
-         AC_DEFINE(BUILD_LIBWBCLIENT, 1, [whether to build SSSD implementation of libwbclient])
- 
-        libwbclient_version="0.13"
-+        libwbclient_version="0.14"
-         AC_SUBST(libwbclient_version)
- 
-        libwbclient_version_info="13:0:13"
-+        libwbclient_version_info="14:0:14"
-         AC_SUBST(libwbclient_version_info)
-     fi
-     AM_CONDITIONAL([BUILD_LIBWBCLIENT], [test x"$with_libwbclient" = xyes])
-diff --git a/src/sss_client/libwbclient/wbclient.exports b/src/sss_client/libwbclient/wbclient.exports
-index 9d3c2040e7d393c0057d44864826cefc2e3f7a31..7abbaba6036c604177f247521e877c86720a1b4d 100644
--- a/src/sss_client/libwbclient/wbclient.exports
-+++ b/src/sss_client/libwbclient/wbclient.exports
-@@ -150,3 +150,6 @@ WBCLIENT_0.13 {
-         wbcUnixIdsToSids;
-         wbcCtxUnixIdsToSids;
- } WBCLIENT_0.12;
-+
-+WBCLIENT_0.14 {
-+} WBCLIENT_0.13;
-diff --git a/src/sss_client/libwbclient/wbclient_sssd.h b/src/sss_client/libwbclient/wbclient_sssd.h
-index 50ba7f84304df5f24a31cbbad857f22d1c70964d..f2fe8fe60e2ff55399e408056ccfbbfff044b88b 100644
--- a/src/sss_client/libwbclient/wbclient_sssd.h
-+++ b/src/sss_client/libwbclient/wbclient_sssd.h
-@@ -74,9 +74,11 @@ const char *wbcErrorString(wbcErr error);
-  *  0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
-  *  0.12: Added wbcCtxCreate and friends
-  *  0.13: Added wbcCtxUnixIdsToSids and wbcUnixIdsToSids
-+ *  0.14: Added "authoritative" to wbcAuthErrorInfo
-+ *        Added WBC_SID_NAME_LABEL
-  **/
- #define WBCLIENT_MAJOR_VERSION 0
-#define WBCLIENT_MINOR_VERSION 13
-+#define WBCLIENT_MINOR_VERSION 14
- #define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
- struct wbcLibraryDetails {
-     uint16_t major_version;
-@@ -138,7 +140,8 @@ enum wbcSidType {
-     WBC_SID_NAME_DELETED=6,
-     WBC_SID_NAME_INVALID=7,
-     WBC_SID_NAME_UNKNOWN=8,
-    WBC_SID_NAME_COMPUTER=9
-+    WBC_SID_NAME_COMPUTER=9,
-+    WBC_SID_NAME_LABEL=10
- };
- 
- /**
-@@ -316,6 +319,7 @@ struct wbcChangePasswordParams {
- #define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT         0x00000020
- #define WBC_MSV1_0_RETURN_PROFILE_PATH                0x00000200
- #define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT    0x00000800
-+#define WBC_MSV1_0_ALLOW_MSVCHAPV2                    0x00010000
- 
- /* wbcAuthUserParams->flags */
- 
-@@ -418,6 +422,7 @@ struct wbcAuthErrorInfo {
-     char *nt_string;
-     int32_t pam_error;
-     char *display_string;
-+    uint8_t authoritative;
- };
- 
- /**
-- 
-2.13.2
-
--- a/0502-SYSTEMD-Use-capabilities.patch
+++ b/0502-SYSTEMD-Use-capabilities.patch
@ -1,5 +1,5 @@
-From 5381ad1bd7693a6681f00bef093241f13e3a2c4f Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
+From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@fedoraproject.org>
 Date: Mon, 12 Dec 2016 21:56:16 +0100
 Subject: [PATCH] SYSTEMD: Use capabilities

@ -9,17 +9,17 @@ copied from selinux policy
 1 file changed, 1 insertion(+)

 diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
-index 05cfd3705084dbff8b46fb07e736612612c58b70..e7bbbdb5093f52e4b71e3c85a9082192013385e8 100644
+index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
 --- a/src/sysv/systemd/sssd.service.in
 +++ b/src/sysv/systemd/sssd.service.in
-@@ -9,6 +9,7 @@ EnvironmentFile=-@environment_file@
- ExecStart=@sbindir@/sssd -i -f
+@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
-+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
+ PIDFile=@localstatedir@/run/sssd.pid
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
 
 [Install]
 WantedBy=multi-user.target
 -- 
-2.11.0
+2.15.1

--- a/0503-Disable-stopping-idle-socket-activated-responders.patch
+++ b/0503-Disable-stopping-idle-socket-activated-responders.patch
@ -0,0 +1,39 @@
+From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@fedoraproject.org>
+Date: Fri, 3 Nov 2017 16:18:14 +0100
+Subject: [PATCH] Disable stopping idle socket activated responders
+
+---
+ src/confdb/confdb.h     | 2 +-
+ src/man/sssd.conf.5.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
+--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
+@@ -85,7 +85,7 @@
+ /* Responders */
+ #define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
+ #define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
+-#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
+#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
+ #define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
+ #define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
+ #define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
+--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
+@@ -706,7 +706,7 @@
+                             or dbus activated.
+                         </para>
+                         <para>
+-                            Default: 300
+                            Default: 0
+                         </para>
+                     </listitem>
+                 </varlistentry>
+-- 
+2.14.3
+
--- a/1000-SYSDB-Prepend-cached-hash-with-the-salt-identifier-i.patch
+++ b/1000-SYSDB-Prepend-cached-hash-with-the-salt-identifier-i.patch
@ -0,0 +1,44 @@
+From ae98cc4985bd3a19bbcadb5c4b77c5e01819e8ac Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 21 Aug 2018 13:59:33 +0200
+Subject: [PATCH] SYSDB: Prepend cached hash with the salt identifier if it's
+ not there
+
+This is a downstream-only patch for
+https://bugzilla.redhat.com/show_bug.cgi?id=1561105#c13
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/db/sysdb_ops.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index df0fb83c5546809a2d643e2e585153ad61a6a334..3a7e8fed507e9d96301f97112f9230e031cb5896 100644
+--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
+@@ -4516,6 +4516,7 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
+     time_t expire_date = -1;
+     time_t delayed_until = -1;
+     int ret;
+    const char *salt_prefix = "$6$";
+ 
+     if (name == NULL || *name == '\0') {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Missing user name.\n");
+@@ -4601,6 +4602,14 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
+         goto done;
+     }
+ 
+    if (strncmp(userhash, salt_prefix, strlen(salt_prefix)) != 0) {
+        userhash = talloc_asprintf(tmp_ctx, "%s%s", salt_prefix, userhash);
+        if (userhash == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+    }
+
+     ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash);
+     if (ret) {
+         DEBUG(SSSDBG_CONF_SETTINGS, "Failed to create password hash.\n");
+-- 
+2.14.4
+
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (sssd-1.15.3.tar.gz) = 92478205ee1b1cebc3d35b733576180db51cee8cc84d0c2cb78386924ffa90ae355b6ad9b7b51e5e5f5a7a4588764d1c7afb0673c035b1fe9b1a283beb79a428
+SHA512 (sssd-1.16.3.tar.gz) = 6165923f652f624bbe3ddc625ae682c4867eb7a20652d0cf74bbb8dda2307c917d3189ede26fd21a4fb5fd5926149271a65fa09f3affe928029ed99e6422b728
--- a/sssd.spec
+++ b/sssd.spec
@ -16,8 +16,6 @@

    %global with_cifs_utils_plugin 1

-    %global with_krb5_localauth_plugin 1
-
 %global enable_systemtap 1
    %global enable_systemtap_opt --enable-systemtap

@ -25,6 +23,12 @@

    %global with_kcm 1

+    %global with_gdm_pam_extensions 1
+
+%if (0%{?fedora} > 28)
+    %global use_openssl 1
+%endif
+
 %global libwbc_alternatives_version 0.14
 %global libwbc_lib_version %{libwbc_alternatives_version}.0
 %global libwbc_alternatives_suffix %nil
@ -33,7 +37,7 @@
 %endif

 Name: sssd
-Version: 1.15.3
+Version: 1.16.3
 Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
@ -43,8 +47,23 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

 ### Patches ###
-Patch0501: 0501-libwbclient-sssd-update-interface-to-version-0.14.patch
+Patch0001: 0001-man-sss_ssh_knownhostsproxy-fix-typo-pubkeys-pubkey.patch
+Patch0002: 0002-krb5_locator-Make-debug-function-internal.patch
+Patch0003: 0003-krb5_locator-Simplify-usage-of-macro-PLUGIN_DEBUG.patch
+Patch0004: 0004-krb5_locator-Fix-typo-in-debug-message.patch
+Patch0005: 0005-krb5_locator-Fix-formatting-of-the-variable-port.patch
+Patch0006: 0006-krb5_locator-Use-format-string-checking-for-debug-fu.patch
+Patch0007: 0007-PAM-Allow-to-configure-pam-services-for-Smartcards.patch
+
+### Dowsntream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
+Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
+
+# Keep this downstream patch for the lifetime of f27 and f28.
+# It fixes offline authentication of users that were cached in sysdb
+# with SSSD version affected by this BZ#1602781. Note that this patch
+# only fixes the offline authentication (not the local provider).
+Patch1000: 1000-SYSDB-Prepend-cached-hash-with-the-salt-identifier-i.patch

 ### Dependencies ###

@ -66,6 +85,7 @@ Suggests: sssd-dbus = %{version}-%{release}
 %global pubconfpath %{sssdstatedir}/pubconf
 %global gpocachepath %{sssdstatedir}/gpo_cache
 %global secdbpath %{sssdstatedir}/secrets
+%global deskprofilepath %{sssdstatedir}/deskprofile

 ### Build Dependencies ###

@ -112,17 +132,26 @@ BuildRequires: uid_wrapper
 BuildRequires: nss_wrapper
 BuildRequires: libnl3-devel
 BuildRequires: systemd-devel
-%if (0%{?with_cifs_utils_plugin} == 1)
 BuildRequires: cifs-utils-devel
-%endif
 BuildRequires: libnfsidmap-devel
 BuildRequires: samba4-devel
 BuildRequires: libsmbclient-devel
+BuildRequires: samba-winbind
 BuildRequires: systemtap-sdt-devel
 BuildRequires: http-parser-devel
 BuildRequires: libuuid-devel
 BuildRequires: jansson-devel
 BuildRequires: libcurl-devel
+BuildRequires: gdm-pam-extensions-devel
+%if (0%{?use_openssl} == 1)
+BuildRequires: p11-kit-devel
+BuildRequires: openssl-devel
+BuildRequires: gnutls-utils
+BuildRequires: softhsm >= 2.1.0
+%endif
+BuildRequires: openssl
+BuildRequires: openssh
+BuildRequires: nss-tools

 %description
 Provides a set of daemons to manage access to remote directories and
@ -153,7 +182,6 @@ Requires(post): systemd-units chkconfig
 Requires(preun): systemd-units chkconfig
 Requires(postun): systemd-units chkconfig

-
 ### Provides ###
 Provides: libsss_sudo-devel = %{version}-%{release}
 Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1
@ -621,11 +649,13 @@ autoreconf -ivf
    --disable-rpath \
    --with-initscript=systemd \
    --with-syslog=journald \
+%if (0%{?use_openssl} == 1)
+    --with-crypto=libcrypto \
+%endif
    --enable-sss-default-nss-plugin \
    --enable-files-domain \
    %{?with_cifs_utils_plugin_option} \
-    %{?enable_systemtap_opt} \
-
+    %{?enable_systemtap_opt}

 make %{?_smp_mflags} all docs

@ -657,11 +687,14 @@ install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/s
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
 install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd

-%if (0%{?with_cifs_utils_plugin} == 1)
+# Kerberos KCM credential cache by default
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
+
 # Create directory for cifs-idmap alternative
 # Otherwise this directory could not be owned by sssd-client
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
-%endif

 # Remove .la files created by libtool
 find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
@ -828,6 +861,7 @@ done
 %attr(700,root,root) %dir %{dbpath}
 %attr(755,root,root) %dir %{mcpath}
 %attr(700,root,root) %dir %{secdbpath}
+%attr(751,root,root) %dir %{deskprofilepath}
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
@ -838,15 +872,17 @@ done
 %attr(750,root,root) %dir %{_var}/log/%{name}
 %attr(700,root,root) %dir %{_sysconfdir}/sssd
 %attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
+%if (0%{?use_openssl} == 1)
+%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
+%endif
 %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
-%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/sssd.service.d
-%config(noreplace) %{_sysconfdir}/systemd/system/sssd.service.d/journal.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %dir %{_sysconfdir}/rwtab.d
 %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
 %dir %{_datadir}/sssd
 %{_sysconfdir}/pam.d/sssd-shadowutils
+%dir %{_libdir}/%{name}/conf
 %{_libdir}/%{name}/conf/sssd.conf

 %{_datadir}/sssd/cfg_rules.ini
@ -858,16 +894,19 @@ done
 %{_mandir}/man5/sssd-files.5*
 %{_mandir}/man5/sssd-simple.5*
 %{_mandir}/man5/sssd-sudo.5*
+%{_mandir}/man5/sssd-session-recording.5*
 %{_mandir}/man5/sssd-secrets.5*
 %{_mandir}/man8/sssd.8*
 %{_mandir}/man8/sss_cache.8*
 %dir %{_datadir}/sssd/systemtap
 %{_datadir}/sssd/systemtap/id_perf.stp
 %{_datadir}/sssd/systemtap/nested_group_perf.stp
+%{_datadir}/sssd/systemtap/dp_request.stp
 %dir %{_datadir}/systemtap
 %dir %{_datadir}/systemtap/tapset
 %{_datadir}/systemtap/tapset/sssd.stp
 %{_datadir}/systemtap/tapset/sssd_functions.stp
+%{_mandir}/man5/sssd-systemtap.5*


 %files ldap -f sssd_ldap.lang
@ -944,17 +983,13 @@ done
 %{_libdir}/security/pam_sss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
 %{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
-%if (0%{?with_cifs_utils_plugin} == 1)
 %dir %{_libdir}/cifs-utils
 %{_libdir}/cifs-utils/cifs_idmap_sss.so
 %dir %{_sysconfdir}/cifs-utils
 %ghost %{_sysconfdir}/cifs-utils/idmap-plugin
-%endif
-%if (0%{?with_krb5_localauth_plugin} == 1)
 %dir %{_libdir}/%{name}
 %dir %{_libdir}/%{name}/modules
 %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
-%endif
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*

@ -1113,6 +1148,7 @@ done

 %files kcm -f sssd_kcm.lang
 %{_libexecdir}/%{servicename}/sssd_kcm
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
 %dir %{_datadir}/sssd-kcm
 %{_datadir}/sssd-kcm/kcm_default_ccache
 %{_unitdir}/sssd-kcm.socket
@ -1177,7 +1213,6 @@ done
 %systemd_postun_with_restart sssd-kcm.socket
 %systemd_postun_with_restart sssd-kcm.service

-%if (0%{?with_cifs_utils_plugin} == 1)
 %post client
 /sbin/ldconfig
 /usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20
@ -1186,9 +1221,6 @@ done
 if [ $1 -eq 0 ] ; then
        /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
 fi
-%else
-%post client -p /sbin/ldconfig
-%endif

 %postun client -p /sbin/ldconfig

@ -1243,6 +1275,183 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Tue Aug 21 2018 Michal Židek <mzidek@redhat.com> - 1.16.3-2
+- Resolves: rhbz#1561105 - sssd update prevented login using kerberos user
+
+* Tue Aug 14 2018 Michal Židek <mzidek@redhat.com> - 1.16.3-1
+- New upstream release 1.16.3
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_3.html
+- Resolves: upstream#2926 - Make list of local PAM services allowed for
+                            Smartcard authentication configurable
+- Related: upstream#3542 - Get host key without proxying connection
+
+* Mon Jun 25 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.2-4
+- Related: upstream#941 - return multiple server addresses to the Kerberos
+                          locator plugin
+- Related: upstream#3652 - kdcinfo doesn't get populated for other domains
+- Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD
+                            closes its end of the pipe before reading all the
+                            SSH keys
+- Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully
+- Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes
+                            stored in AD GC also for regular AD DC queries
+- Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being
+                           able to consume an @-sign in the user/group name.
+- Resolves: upstream#3766 - CVE-2018-10852: information leak from the sssd-sudo
+                            responder
+
+* Thu Jun 21 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.2-3
+- Resolves: rhbz#1591804 - something keeps /lib/libnss_systemd.so.2 open on
+                           minimal appliance image, breaking composes
+
+* Mon Jun 11 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.2-1
+- New upstream release 1.16.2
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html
+
+* Thu May 24 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-9
+- Related: upstream#3742 - Change of: User may not run sudo --> a password is
+                           required
+
+* Thu May 17 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-8
+- Revert 589d1a48 as the builders are back to f27
+
+* Wed May 16 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-7
+- Related: upstream#3436 - Certificates used in unit tests have limited
+                           lifetime
+- Add: "ExcludeArch: armv7hl"
+
+* Mon May 14 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-6
+- Related: upstream#3436 - Add openssl, openssh and nss-tools as BuildRequires
+
+* Mon May 14 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-5
+- Related: upstream#3436 - Certificates used in unit tests have limited
+                           lifetime
+- Resolves: upstream#3725 - sssd not honoring dyndns_server if the DNS update
+                            process is terminated with a signal
+- Resolves: upstream#3726 - SSSD with ID provider 'ad' should give a warning
+                            in case the ldap schema is manually changed to
+                            something different than 'ad'.
+- Related: upstream#2653 - Group renaming issue when "id_provider = ldap" is
+                           set.
+- Resolves: upstream#3719 - The SSSD IPA provider allocates information about
+                            external groups on a long lived memory context,
+                            causing memory growth of the sssd_be process
+- Resolves: upstream#3728 - Request by ID outside the min_id/max_id limit of a
+                            first domain does not reach the second domain
+- Resolves: upstream#3731 - nss_clear_netgroup_hash_table(): only remove
+                            entries from the hash table, do not free them
+- Resolves: upstream#3595 - ID override GID from Default Trust View is not
+                            properly resolved in case domain resolution order
+                            is set
+
+* Sat May 05 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-4
+- Resolves: rhbz#1574778 - sssd fails to download known_hosts from freeipa
+
+* Fri Apr 27 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-3
+- Resolves: upstream#3684 - A group is not updated if its member is removed
+                            with the cleanup task, but the group does not
+                            change
+- Resolves: upstream#3558 - sudo: report error when two rules share cn
+- Tone down shutdown messages for socket activated responders
+- IPA: Qualify the externalUser sudo attribute
+- Resolves: upstream#3550 - refresh_expired_interval does not work with
+                            netgrous in 1.15
+- Resolves: upstream#3402 - Support alternative sources for the files provider
+- Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option
+- Resolves: upstream#3679 - Make nss netgroup requests more robust
+- Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not
+                            configured
+- Resolves: upstream#3469 - extend sss-certmap man page regarding priority
+                            processing
+- Improve docs/debug message about GC detection
+- Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes
+                            list out of bound?
+- Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is
+                            set.
+- Document which principal does the AD provider use
+- Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is
+                            defined, but contains no SIDs
+- Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM
+- Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data
+                           Provider returned an error
+                           [org.freedesktop.sssd.Error.DataProvider.Fatal]
+
+* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
+- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
+- Resolves: upstream#3660 - confdb_expand_app_domains() always fails
+- Resolves: upstream#3658 - Application domain is not interpreted correctly
+- Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to
+                            json_loads()
+- Resolves: upstream#3386 - KCM: Payload buffer is too small
+- Resolves: upstream#3666 - Fix usage of str.decode() in our tests
+- A few KCM misc fixes
+
+* Fri Mar  9 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-1
+- New upstream release 1.16.1
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html
+
+* Tue Feb 20 2018 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-8
+- Resolves: upstream#3621 - backport bug fix found by static analyzers
+
+* Wed Feb 14 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.0-7
+- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile
+                           with no specific host/hostgroup set
+- Resolves: upstream#3621 - FleetCommander integration must not require
+                            capability DAC_OVERRIDE
+
+* Wed Feb 07 2018 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-6
+- Resolves: upstream#3618 - selinux_child segfaults in a docker container
+
+* Mon Dec 04 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-5
+- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in
+                            setnetgrent_result_timeout
+- Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
+                            or machine swaps
+- Resolves: failure in glibc tests
+            https://sourceware.org/bugzilla/show_bug.cgi?id=22530
+- Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
+                            auth_provider ldap, login fails if the LDAP server
+                            is not allowing anonymous binds
+- Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
+                            corrected with AD
+- Resolves: upstream#3586 - Give a more detailed debug and system-log message
+                            if krb5_init_context() failed
+- Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
+                           in /etc/systemd/system
+- Backport few upstream features from 1.16.1
+
+* Tue Nov 21 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-4
+- Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next
+
+* Fri Nov 17 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.16.0-3
+- Backport extended NSS API from upstream master branch
+
+* Fri Nov 03 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-2
+- Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade
+
+* Fri Oct 20 2017 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-1
+- New upstream release 1.16.0
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html
+
+* Wed Oct 11 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-5
+- Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when
+                           searching in local cache database access on
+                           the sock_file system_bus_socket
+
+* Mon Sep 11 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-4
+- Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write
+                           access on the sock_file system_bus_socket
+- Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and
+                           fails to download desktop profile data
+- Resolves: upstream#3485 - getsidbyid does not work with 1.15.3
+- Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients
+                            after applying ID Views for them in IPA server
+- Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id
+                            mapping is applied
+
+* Fri Sep 01 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-3
+- Backport few upstream patches/fixes
+
 * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
Author	SHA1	Message	Date
Michal Židek	5bf25dd87d	Resolves: rhbz#1561105 - sssd update prevented login using kerberos user (cherry picked from commit `a5e12d6904`)	2018-08-21 19:57:01 +02:00
Michal Židek	1d4426f19f	New upstream release 1.16.3 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_3.html - Resolves: upstream#2926 - Make list of local PAM services allowed for Smartcard authentication configurable - Related: upstream#3542 - Get host key without proxying connection (cherry picked from commit `6ea9bfe5bb`)	2018-08-14 12:20:28 +02:00
Fabiano Fidêncio	b1aca931e9	Resolves: upstream#3766 - CVE-2018-10852: information leak from the sssd-sudo responder And also ... - Related: upstream#941 - return multiple server addresses to the Kerberos locator plugin - Related: upstream#3652 - kdcinfo doesn't get populated for other domains - Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys - Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully - Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being able to consume an @-sign in the user/group name. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `68ef824a5f`) (cherry picked from commit `f311832a06`)	2018-06-25 10:00:32 +02:00
Fabiano Fidêncio	efa0c9fd07	Resolves: rhbz#1591804 - something keeps /lib/libnss_systemd.so.2 open on minimal appliance image, breaking composes Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `192e845618`) (cherry picked from commit `1dad4d1fac`)	2018-06-25 10:00:09 +02:00
Fabiano Fidêncio	ff32b0f35f	New upstream release 1.16.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `a36f5fea4b`) (cherry picked from commit `f14161ac08`)	2018-06-11 16:11:38 +02:00
Fabiano Fidêncio	b67161cd28	Related: upstream#3742 - Change of: User may not run sudo --> a password is required Patch 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch has been commented out as it caused some regressions on IPA tests. In order to unblock IPA folks, let's revert this patch from Fedora till we have a proper fix. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `29d69716ad`) (cherry picked from commit `e56517d602`)	2018-05-28 10:13:50 +02:00
Fabiano Fidêncio	fb3a33a26b	Revert "Add: "ExcludeArch: armv7hl"" This reverts commit `bc3790f5a0`. (cherry picked from commit `4979898a6e`) (cherry picked from commit `e428c4af45`)	2018-05-17 17:58:02 +02:00
Fabiano Fidêncio	af12cc5788	Add: "ExcludeArch: armv7hl" For some reason still unclear we're not able to build SSSD on koji's buildroot for armv7hl. Some tests have been done and SSSD was built successfully using real armv7hl hardware, which indicates that we're facing https://bugzilla.redhat.com/show_bug.cgi?id=1576593 As soon as the bug is resolved, this patch could be safely reverted. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `bc3790f5a0`) (cherry picked from commit `38221da669`)	2018-05-16 22:30:57 +02:00
Fabiano Fidêncio	8ad6fab779	Related: upstream#3436 - Certificates used in unit tests have limited lifetime Fix a non harmful warning shown by recent versions of OpenSSL. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `0a2c83fbd0`) (cherry picked from commit `b6ae123d6b`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	b0a6617361	Related: upstream#3436 - Add openssl, openssh and nss-tools as BuildRequires Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `c4f0508af1`) (cherry picked from commit `0302f3db88`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	acfa98c03a	Resolves: upstream#3595 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `5f75f7e4f2`) (cherry picked from commit `b2d97e727b`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	feb088d91c	Resolves: upstream#3731 - nss_clear_netgroup_hash_table(): only remove entries from the hash table, do not free them Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `1511bcd8b2`) (cherry picked from commit `43d49c871d`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	a1fd1c66cf	Resolves: upstream#3728 - Request by ID outside the min_id/max_id limit of a first domain does not reach the second domain Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `3ad9e211eb`) (cherry picked from commit `b2bfd972c9`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	8e3e951bf6	Resolves: upstream#3719 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `ed238e28ff`) (cherry picked from commit `8530c8b24d`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	c99cc5221a	Related: upstream#2653 - Group renaming issue when "id_provider = ldap" is set. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `97a62b83f1`) (cherry picked from commit `d212c95076`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	b23bb96b5d	Resolves: upstream#3726 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `163543f40b`) (cherry picked from commit `681d87c2ae`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	b6d54af437	Resolves: upstream#3725 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `510134aa02`) (cherry picked from commit `e4e9316ad9`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	c6eb48feab	Related: upstream#3436 - Certificates used in unit tests have limited lifetime Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `5e1db8fc3e`) (cherry picked from commit `7dc8777d56`)	2018-05-16 22:29:09 +02:00
Fabiano Fidêncio	35934cf3ef	Resolves: rhbz#1574778 - sssd fails to download known_hosts from freeipa Patch 0018-sysdb-custom-completely-replace-old-object-instead-o.patch caused a regression, caught by lslebodn and reported by a few users. Let's comment out this patch for now and uncomment it when we have a fix that do not cause a regression. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `5254cdcca5`) (cherry picked from commit `c715b8d660`)	2018-05-05 22:00:12 +02:00
Fabiano Fidêncio	ec7c43bb5d	Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM Also ... Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal] Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `90dd145c92`) (cherry picked from commit `99a84c4b16`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	ce98ba4ba6	Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `a305fc11b7`) (cherry picked from commit `e45d803139`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	28ce4615a4	Document which principal does the AD provider use Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `b6696d97c4`) (cherry picked from commit `15af9187cf`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	b103eab96c	Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is set. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `2dd8451396`) (cherry picked from commit `e9424464d1`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	32f84803eb	Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound? Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `209701ef7f`) (cherry picked from commit `bf6526be6c`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	0caad9889d	Improve docs/debug message about GC detection Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `3115154117`) (cherry picked from commit `8ac548e27d`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	2c6ba2bf2b	Resolves: upstream#3469 - extend sss-certmap man page regarding priority processing Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `f47c82bc8d`) (cherry picked from commit `94dacbcff1`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	54dfcbfa15	Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not configured Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `64b69ec813`) (cherry picked from commit `d5953555e4`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	b242978f9f	Resolves: upstream#3679 - Make nss netgroup requests more robust Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `8d67726a47`) (cherry picked from commit `f585ce79e5`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	2d8d8d1c8b	Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `8565df471c`) (cherry picked from commit `d4cc9f09a9`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	eefe33aff1	Resolves: upstream#3402 - Support alternative sources for the files provider Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `9709b73a3f`) (cherry picked from commit `69dd3e36eb`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	c114eb6b3f	Resolves: upstream#3550 - refresh_expired_interval does not work with netgrous in 1.15 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `a7d4f0b3f4`) (cherry picked from commit `1ec14767eb`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	bb5f960239	IPA: Qualify the externalUser sudo attribute Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `ab53ba849a`) (cherry picked from commit `ff80480d02`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	389295064e	Tone down shutdown messages for socket activated responders Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `ef1d48a0c2`) (cherry picked from commit `11342ddfab`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	f338f8cb95	Resolves: upstream#3558 - sudo: report error when two rules share cn Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `fcff118bbf`) (cherry picked from commit `b1ddb6443b`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	b429a75bce	Resolves: upstream#3684 - A group is not updated if its member is removed with the cleanup task, but the group does not change Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `f3d06df50d`) (cherry picked from commit `7809e6eedd`)	2018-04-27 22:29:48 +02:00
Fabiano Fidêncio	89a1543353	A few KCM misc fixes Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `32f2c81e59`) (cherry picked from commit `2540bf426d`)	2018-03-30 15:25:35 +02:00
Fabiano Fidêncio	4a56bc21d2	Resolves: upstream#3666 - Fix usage of str.decode() in our test Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `99da72db23`) (cherry picked from commit `4d8a2ac870`)	2018-03-30 15:25:27 +02:00
Fabiano Fidêncio	97df14ee0f	Resolves: upstream#3386 - KCM: Payload buffer is too small Related to: rhbz#1494843 - KCM Does not work Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `1c7376afc5`) (cherry picked from commit `7d773ed035`)	2018-03-30 15:25:18 +02:00
Fabiano Fidêncio	26eab693bb	Resolves: usptream#3687 - KCM: Don't pass a non null terminated string to json_loads() Related to: rhbz#1494843 - KCM Does not work Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `73735e9522`) (cherry picked from commit `0392642064`)	2018-03-30 15:25:10 +02:00
Fabiano Fidêncio	2a59fc635f	Resolves: upstream#3658 - Application domain is not interpreted correctly Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `563dd33f72`) (cherry picked from commit `4d2103b723`)	2018-03-30 15:24:57 +02:00
Fabiano Fidêncio	44d6f59b93	Resolves: upstream#3660 - confdb_expand_app_domains() always fails Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `2c812f3cba`) (cherry picked from commit `c126b3174c`)	2018-03-30 15:24:44 +02:00
Fabiano Fidêncio	46f52a9bd6	Resolves: upstream#3573 - sssd won't show netgroups with blank domai Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `40fe76feb8`) (cherry picked from commit `928c3e94ab`)	2018-03-30 15:24:32 +02:00
Fabiano Fidêncio	bfc60044d5	New upstream release 1.16.1 https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `62a3258629`) (cherry picked from commit `d11cfce2ff`)	2018-03-09 16:56:17 +01:00
Lukas Slebodnik	21443e5ebe	Resolves: upstream#3621 - backport bug fix found by static analyzers (cherry picked from commit `5eba7a8f1f`)	2018-02-20 15:16:21 +01:00
Fabiano Fidêncio	ca31e2be64	Resolves: upstream#3621: FleetCommander integration must not require capability DAC_OVERRIDE Together with the patches backported from upstream, we're changing the deskprofilepath permissions from 755 to 751, reflecting the upstream spec file changes. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `4b1fe8a0ab`)	2018-02-14 23:03:54 +01:00
Fabiano Fidêncio	47317c5649	Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit `199a72e62a`)	2018-02-14 22:25:04 +01:00
Lukas Slebodnik	c90915394e	Resolves: upstream#3618 - selinux_child segfaults in a docker container (cherry picked from commit `18ae44bc79`)	2018-02-07 22:08:14 +01:00
Lukas Slebodnik	01409e3d48	Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system Backport few upstream features from 1.16.1 (cherry picked from commit `1dedfbb334`)	2017-12-04 21:53:43 +01:00
Lukas Slebodnik	8f047f7ff4	Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next (cherry picked from commit `ce65f7d9ee`)	2017-11-21 18:01:54 +01:00
Lukas Slebodnik	e8791c3999	Revert "Disable nfsplugin due to bug rhbz#1509063" This reverts commit `b5c435b10b`. nfs-utils are fixed (cherry picked from commit `87763840cd`)	2017-11-21 18:01:44 +01:00
Jakub Hrozek	bb0cc30393	Backport extended NSS API from upstream master branch	2017-11-17 19:41:03 +01:00
Lukas Slebodnik	f206fae248	Disable nfsplugin due to bug rhbz#1509063 (cherry picked from commit `b5c435b10b`)	2017-11-03 23:07:25 +01:00
Lukas Slebodnik	da41c905c0	Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade (cherry picked from commit `7ac8b3c4b5`)	2017-11-03 16:27:54 +01:00
Lukas Slebodnik	71b7ed1da0	Add workaround for unit test failures with libldb-1.3	2017-11-03 16:27:27 +01:00
Lukas Slebodnik	ea632499ff	New upstream release 1.16.0 https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html (cherry picked from commit `4f58854911`)	2017-10-20 18:05:32 +02:00
Lukas Slebodnik	4a8ad4c174	Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database access on the sock_file system_bus_socket (cherry picked from commit `7069858231`)	2017-10-11 17:50:14 +02:00
Lukas Slebodnik	e15fc49cbf	Fix few bugs/regressions Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write access on the sock_file system_bus_socket Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and fails to download desktop profile data Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id mapping is applied (cherry picked from commit `8eda442b2e`)	2017-09-12 09:28:42 +02:00
Lukas Slebodnik	323dbdee02	Backport few upstream patches/fixes (cherry picked from commit `fa4807ec45`)	2017-09-01 21:40:30 +02:00
Lukas Slebodnik	2aa9f3bb10	Add krb5 conf snippet for default KCM http://fedoraproject.org/wiki/Releases/27/ChangeSet#Kerberos_KCM_credential_cache_by_default https://bugzilla.redhat.com/show_bug.cgi?id=1421604 (cherry picked from commit `11cd64de1c`)	2017-09-01 21:40:30 +02:00
Lukas Slebodnik	601bb9f4eb	Simplify spec file a little bit The plugin for cifs-utils can be built on all supported versions of fedora. Conditions are required only in upstream spec file for older distributions. Definition of constant with_cifs_utils_plugin is still in the beginning of spec file for simpler comparison of changes between upstream and fedora. (cherry picked from commit `5ce8ae1166`)	2017-09-01 21:40:30 +02:00
Lukas Slebodnik	e89cb59c68	Remove unused if condition krb5 localauth plugin The plugin can be built on all supported versions of fedora. And it was removed also from upstream spec file. (cherry picked from commit `088151887a`)	2017-09-01 21:40:30 +02:00
Ville Skyttä	3b8c6ea1d5	Own the %{_libdir}/%{name}/conf dir https://bugzilla.redhat.com/show_bug.cgi?id=1483517 (cherry picked from commit `308a55f49d`)	2017-09-01 21:40:30 +02:00