sssd-2.4.0-1: Rebase to latest upstream release

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1557622

.gitignore

@@ -85,3 +85,7 @@ sssd-1.2.91.tar.gz
 /sssd-2.2.0.tar.gz
 /sssd-2.2.1.tar.gz
 /sssd-2.2.2.tar.gz
+/sssd-2.2.3.tar.gz
+/sssd-2.3.0.tar.gz
+/sssd-2.3.1.tar.gz
+/sssd-2.4.0.tar.gz

0001-Fix-build-failure-against-samba-4.12.0rc1.patch

@@ -1,48 +0,0 @@
-From 391dc02eafed23892c5752834b18174b6cd54e20 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Fri, 24 Jan 2020 15:17:39 +0100
-Subject: [PATCH] Fix build failure against samba 4.12.0rc1
-
-The ndr_pull_get_switch() function was dropped, but it was just a wrapper
-around the ndr_token_peek() function, so we can use this approach on both
-old and new versions of libndr.
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
----
- src/providers/ad/ad_gpo_ndr.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index d573033494bc5aa3b56bd698a6860261834e58fd..8f405aa62b1b65a5ab9e4e9131c37fda84c5ffba 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
-                                   union security_ace_object_type *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
-                                             union security_ace_object_inherited_type *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
-                                  union security_ace_object_ctr *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
--- 
-2.24.1
-

0001-KCM-Set-kdc_offset-to-zero-initially.patch

@@ -1,41 +0,0 @@
-From 2c9bdcf579e430fa8f7e5595a17cf7242adb5216 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Fri, 11 Oct 2019 09:20:20 +0200
-Subject: [PATCH] KCM: Set kdc_offset to zero initially
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://pagure.io/SSSD/sssd/issue/4100
-
-KCM assumed that the client library would always set the KDC offset, but
-that's not always the case, especially when using multiple krb contexts
-from the client application:
-    https://bugzilla.redhat.com/show_bug.cgi?id=1757224#c64
-
-Heimdal also creates ccaches with zero kdc_offset:
-    https://github.com/heimdal/heimdal/commit/9f58896af958ae5e6e3ebde8c48dad4eda841986
-so we should do the same..
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
----
- src/responder/kcm/kcmsrv_ccache.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
-index e24da9aa2..66e2752ba 100644
---- a/src/responder/kcm/kcmsrv_ccache.c
-+++ b/src/responder/kcm/kcmsrv_ccache.c
-@@ -82,7 +82,7 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
- 
-     cc->owner.uid = cli_creds_get_uid(owner);
-     cc->owner.gid = cli_creds_get_gid(owner);
--    cc->kdc_offset = INT32_MAX;
-+    cc->kdc_offset = 0;
- 
-     talloc_set_destructor(cc, kcm_cc_destructor);
-     *_cc = cc;
--- 
-2.23.0
-

0001-SSS_CLIENT-got-rid-of-using-PRNG.patch

@@ -1,49 +0,0 @@
-From e47f143bcb86d04aa053c17373f9d9991fc63913 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Mon, 14 Oct 2019 11:38:06 +0200
-Subject: [PATCH] SSS_CLIENT: got rid of using PRNG
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-1) no reason to expect "thundering herd issue"
-2) randomization as it was done (strictly 1 or 2 secs)
-   would not help much anyway
-3) usage of PRNG might break app that depends on deterministic
-   PRNG behaviour
-
-Resolves: https://pagure.io/SSSD/sssd/issue/4094
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
----
- src/sss_client/common.c | 7 +------
- 1 file changed, 1 insertion(+), 6 deletions(-)
-
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 930efe4a1..270ca8b54 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -566,11 +566,6 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
-     /* this piece is adapted from winbind client code */
-     wait_time = 0;
-     sleep_time = 0;
--    /* This is not security relevant functionality and
--     * it is undesirable to pull unnecessary dependency (util/crypto)
--     * so plain srand() & rand() are used here.
--     */
--    srand(time(NULL) * getpid());
-     while (inprogress) {
-         int connect_errno = 0;
-         socklen_t errnosize;
-@@ -605,7 +600,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
-             break;
-         case EAGAIN:
-             if (wait_time < timeout) {
--                sleep_time = rand() % 2 + 1;
-+                sleep_time = 1;
-                 sleep(sleep_time);
-             }
-             break;
--- 
-2.23.0
-

sources

@@ -1 +1 @@
-SHA512 (sssd-2.2.2.tar.gz) = 4cce8fdbcc05d1469dad5ba987cb0f9bc33702b37f85e8e248975461bb50b0740fec92ff213bdb640b506405be7ead936ff253ab02d4a27205ddf20cc0e54801
+SHA512 (sssd-2.4.0.tar.gz) = d9a4b17665ce3a1ea51cfe2fdb53818ac1e265a33c61f657f61699ecc716e1244e45b5b628aeae6c54e601383084f3cac327cb3edd7bea80bca397b1fbe4ab72

sssd.spec

@@ -35,29 +35,15 @@
 %endif
 
 Name: sssd
-Version: 2.2.2
-Release: 6%{?dist}
+Version: 2.4.0
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
-URL: https://pagure.io/SSSD/sssd/
-Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
+URL: https://github.com/SSSD/sssd/
+Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_4_0/sssd-2.4.0.tar.gz
 
 ### Patches ###
 
-# Fix KCM cached tickets behaving as if expired shortly after issue
-# https://github.com/SSSD/sssd/pull/904
-# https://bugzilla.redhat.com/show_bug.cgi?id=1757224
-Patch0: 0001-KCM-Set-kdc_offset-to-zero-initially.patch
-# Workaround a problem setting up replica in containers
-# https://github.com/SSSD/sssd/pull/900
-# https://bugzilla.redhat.com/show_bug.cgi?id=1755643
-Patch1: 0001-SSS_CLIENT-got-rid-of-using-PRNG.patch
-
-
-# Work around samba 4.12.0rc1 dropping a function we use
-Patch2: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
-
-
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 
@@ -86,6 +72,7 @@ Suggests: sssd-dbus = %{version}-%{release}
 
 ### Build Dependencies ###
 
+BuildRequires: make
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -221,6 +208,7 @@ Requires: sssd-common = %{version}-%{release}
 # required by sss_obfuscate
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
+Recommends: sssd-dbus
 
 %description tools
 Provides userspace tools for manipulating users, groups, and nested groups in
@@ -535,11 +523,13 @@ autoreconf -ivf
     --with-gpo-cache-path=%{gpocachepath} \
     --with-init-dir=%{_initrddir} \
     --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
+    --with-pid-path=%{_rundir} \
     --enable-nsslibdir=%{_libdir} \
     --enable-pammoddir=%{_libdir}/security \
     --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
     --disable-static \
     --disable-rpath \
+    --with-libwbclient \
     --with-initscript=systemd \
     --with-syslog=journald \
     --without-python2-bindings \
@@ -551,7 +541,7 @@ autoreconf -ivf
     %{?with_cifs_utils_plugin_option} \
     %{?enable_systemtap_opt}
 
-make %{?_smp_mflags} all docs
+make %{?_smp_mflags} all docs runstatedir=%{_rundir}
 
 sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
 
@@ -788,6 +778,7 @@ done
 %{_datadir}/sssd/systemtap/id_perf.stp
 %{_datadir}/sssd/systemtap/nested_group_perf.stp
 %{_datadir}/sssd/systemtap/dp_request.stp
+%{_datadir}/sssd/systemtap/ldap_perf.stp
 %dir %{_datadir}/systemtap
 %dir %{_datadir}/systemtap/tapset
 %{_datadir}/systemtap/tapset/sssd.stp
@@ -799,6 +790,7 @@ done
 %license COPYING
 %{_libdir}/%{name}/libsss_ldap.so
 %{_mandir}/man5/sssd-ldap.5*
+%{_mandir}/man5/sssd-ldap-attributes.5*
 
 %files krb5-common
 %license COPYING
@@ -1082,6 +1074,68 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Mon Oct 12 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-1
+- Rebase to SSSD 2.4.0
+
+* Mon Jul 27 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.1-2
+- Use correct run dir (RHBZ#1557622)
+
+* Fri Jul 24 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.1-1
+- Rebase to SSSD 2.3.1
+
+* Wed May 20 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.0-1
+- Rebase to SSSD 2.3.0
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-13
+- Resolves: upstream#4159 - p11_child should have an option to skip
+                            C_WaitForSlotEvent if the PKCS#11 module does not
+                            implement it properly
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-12
+- Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in
+                            `sss_ptr_hash_delete_cb()`
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-11
+- Resolves: upstream#4118 - sssd requires timed sudoers ldap entries to be
+  specified up to the seconds
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-11
+- Add sssd-dbus package as a dependency of sssd-tools
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-10
+- Resolves: upstream#4142 - sssd_be frequent crash
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-9
+- Resolves: upstream#4131 Force LDAPS over 636 with AD Provider
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-8
+- Resolves: upstream#3630 - Randomize ldap_connection_expire_timeout either
+                            by default or w/ a configure option
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-7
+- Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in
+                            `sss_ptr_hash_delete_cb()`
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-6
+- Resolves: upstream#4088 - server/be: SIGTERM handling is incorrect
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-5
+- Resolves: upstream##4089 Watchdog implementation or usage is incorrect
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-4
+- Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-3
+- Resolves: upstream#4127 - [Doc]Provide explanation on escape character for
+                            match rules sss-certmap
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-2
+- Resolves: upstream#4129 - sssctl config-check command does not give proper
+                            error messages with line numbers
+
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-1
+- Update to latest released upstream version
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_3.htm
+
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.2-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild