sssd-2.7.4-1: Rebase to latest upstream release

Resolves: rhbz#2094685
(cherry picked from commit ec123cd550)

.gitignore

@@ -94,3 +94,11 @@ sssd-1.2.91.tar.gz
 /sssd-2.5.0.tar.gz
 /sssd-2.5.1.tar.gz
 /sssd-2.5.2.tar.gz
+/sssd-2.6.0.tar.gz
+/sssd-2.6.1.tar.gz
+/sssd-2.6.2.tar.gz
+/sssd-2.6.3.tar.gz
+/sssd-2.7.0.tar.gz
+/sssd-2.7.1.tar.gz
+/sssd-2.7.3.tar.gz
+/sssd-2.7.4.tar.gz

sources

@@ -1 +1 @@
-SHA512 (sssd-2.5.2.tar.gz) = a9bac7b2cc23022dce3bcda314c9c26a0a0914c448f6d5a51c5ba18670f04c1fd1a94cb20173235b6285df1dcc9251cb6b3f3e71a220037b4eb66668e6f33c48
+SHA512 (sssd-2.7.4.tar.gz) = 2c211f7fdc4325c77e2bf61c5c6981a9a7809d6e02f43b564ed3bb63390f91461f4c48910d4bf111484e00f428ce827f2a5b960930c6b95f2662c7e1207af53b

sssd.spec

@@ -14,6 +14,22 @@
 %global child_attrs 4750
 %endif
 
+%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
+%global build_subid 1
+%else
+%global build_subid 0
+%endif
+
+%if 0%{?fedora} >= 34
+%global build_kcm_renewals 1
+%global krb5_version 1.19.1
+%elif 0%{?rhel} >= 8
+%global build_kcm_renewals 1
+%global krb5_version 1.18.2
+%else
+%global build_kcm_renewals 0
+%endif
+
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
@@ -26,15 +42,14 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 
 Name: sssd
-Version: 2.5.2
-Release: 4%{?dist}
+Version: 2.7.4
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
-Source0: https://github.com/SSSD/sssd/releases/download/2.5.2/sssd-2.5.2.tar.gz
+Source0: https://github.com/SSSD/sssd/releases/download/2.7.4/sssd-2.7.4.tar.gz
 
 ### Patches ###
-Patch0001: 0001-Basics-of-subid-ranges-support-for-IPA-provider.patch
 
 ### Dependencies ###
 
@@ -43,8 +58,8 @@ Requires: sssd-common = %{version}-%{release}
 Requires: sssd-ipa = %{version}-%{release}
 Requires: sssd-krb5 = %{version}-%{release}
 Requires: sssd-ldap = %{version}-%{release}
-Recommends: sssd-proxy = %{version}-%{release}
-Recommends: logrotate
+Requires: sssd-proxy = %{version}-%{release}
+Suggests: logrotate
 Suggests: python3-sssdconfig = %{version}-%{release}
 Suggests: sssd-dbus = %{version}-%{release}
 
@@ -74,10 +89,11 @@ BuildRequires: findutils
 BuildRequires: gcc
 BuildRequires: gdm-pam-extensions-devel
 BuildRequires: gettext-devel
-BuildRequires: glib2-devel
 # required for p11_child smartcard tests
 BuildRequires: gnutls-utils
 BuildRequires: jansson-devel
+BuildRequires: libcurl-devel
+BuildRequires: libjose-devel
 BuildRequires: keyutils-libs-devel
 BuildRequires: krb5-devel
 BuildRequires: libcmocka-devel >= 1.0.0
@@ -93,6 +109,8 @@ BuildRequires: libtalloc-devel
 BuildRequires: libtdb-devel
 BuildRequires: libtevent-devel
 BuildRequires: libtool
+BuildRequires: libunistring
+BuildRequires: libunistring-devel
 BuildRequires: libuuid-devel
 BuildRequires: libxml2
 BuildRequires: libxslt
@@ -121,6 +139,12 @@ BuildRequires: systemd-devel
 BuildRequires: systemtap-sdt-devel
 BuildRequires: uid_wrapper
 BuildRequires: po4a
+%if %{build_subid}
+BuildRequires: shadow-utils-subid-devel
+%endif
+%if %{build_kcm_renewals}
+BuildRequires: krb5-libs >= %{krb5_version}
+%endif
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -140,9 +164,9 @@ License: GPLv3+
 Requires: libldb >= %{ldb_version}
 Requires: libtevent >= 0.11.0
 Requires: sssd-client%{?_isa} = %{version}-%{release}
-Recommends: libsss_sudo = %{version}-%{release}
-Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
-Recommends: sssd-nfs-idmap = %{version}-%{release}
+Requires: (libsss_sudo = %{version}-%{release} if sudo)
+Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
+Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
 Requires: libsss_idmap = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
 %if 0%{?rhel}
@@ -195,13 +219,12 @@ Requires: sssd-common = %{version}-%{release}
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
-Recommends: sssd-dbus
+# for logger=journald support with sss_analyze
+Requires: python3-systemd
+Requires: sssd-dbus
 
 %description tools
-Provides userspace tools for manipulating users, groups, and nested groups in
-SSSD when using id_provider = local in /etc/sssd/sssd.conf.
-
-Also provides several other administrative tools:
+Provides several administrative tools:
     * sss_debuglevel to change the debug level on the fly
     * sss_seed which pre-creates a user entry for use in kickstarts
     * sss_obfuscate for generating an obfuscated LDAP password
@@ -223,11 +246,8 @@ Requires: sssd-common = %{version}-%{release}
 %{?python_provide:%python_provide python3-sss}
 
 %description -n python3-sss
-Provides python3 module for manipulating users, groups, and nested groups in
-SSSD when using id_provider = local in /etc/sssd/sssd.conf.
-
-Also provides several other useful python3 bindings:
-    * function for retrieving list of groups user belongs to.
+Provides python3 bindings:
+    * function for retrieving list of groups user belongs to
     * class for obfuscation of passwords
 
 %package -n python3-sss-murmur
@@ -468,13 +488,25 @@ Library to map certificates to users based on rules
 Summary: An implementation of a Kerberos KCM server
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
-Requires: krb5-libs >= 1.19.1
+%if %{build_kcm_renewals}
+Requires: krb5-libs >= %{krb5_version}
+%endif
 %{?systemd_requires}
 
 %description kcm
 An implementation of a Kerberos KCM server. Use this package if you want to
 use the KCM: Kerberos credentials cache.
 
+%package idp
+Summary: Kerberos plugins and OIDC helper for external identity providers.
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+
+%description idp
+This package provides Kerberos plugins that are required to enable
+authentication against external identity providers. Additionally a helper
+program to handle the OAuth 2.0 Device Authorization Grant is provided.
+
 %prep
 %autosetup -p1
 
@@ -503,6 +535,9 @@ autoreconf -ivf
     --with-sssd-user=%{sssd_user} \
     --with-syslog=journald \
     --with-test-dir=/dev/shm \
+%if %{build_subid}
+    --with-subid \
+%endif
 %if 0%{?fedora}
     --disable-polkit-rules-path \
 %endif
@@ -510,6 +545,7 @@ autoreconf -ivf
 
 %make_build all docs runstatedir=%{_rundir}
 
+%py3_shebang_fix src/tools/analyzer/sss_analyze
 sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
 
 %check
@@ -537,6 +573,14 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
    $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
 
+# Enable krb5 idp plugins by default (when sssd-idp package is installed)
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
+
+# krb5 configuration snippet
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
+
 # Create directory for cifs-idmap alternative
 # Otherwise this directory could not be owned by sssd-client
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
@@ -549,7 +593,7 @@ rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
 
 # Older versions of rpmbuild can only handle one -f option
 # So we need to append to the sssd*.lang file
-for file in `ls $RPM_BUILD_ROOT/%{python3_sitelib}/*.egg-info 2> /dev/null`
+for file in `find $RPM_BUILD_ROOT/%{python3_sitelib} -maxdepth 1 -name "*.egg-info" 2> /dev/null`
 do
     echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
 done
@@ -763,6 +807,9 @@ done
 %license COPYING
 %{_libdir}/%{name}/libsss_krb5.so
 %{_mandir}/man5/sssd-krb5.5*
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
+%dir %{_datadir}/sssd/krb5-snippets
+%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
 
 %files common-pac
 %license COPYING
@@ -808,6 +855,9 @@ done
 %files client -f sssd_client.lang
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libnss_sss.so.2
+%if %{build_subid}
+%{_libdir}/libsubid_sss.so
+%endif
 %{_libdir}/security/pam_sss.so
 %{_libdir}/security/pam_sss_gss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
@@ -822,6 +872,7 @@ done
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/pam_sss_gss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
+%{_mandir}/man8/sssd_krb5_localauth_plugin.8*
 
 %files -n libsss_sudo
 %license src/sss_client/COPYING
@@ -839,6 +890,8 @@ done
 %{_sbindir}/sss_debuglevel
 %{_sbindir}/sss_seed
 %{_sbindir}/sssctl
+%{_libexecdir}/%{servicename}/sss_analyze
+%{python3_sitelib}/sssd/
 %{_mandir}/man8/sss_obfuscate.8*
 %{_mandir}/man8/sss_override.8*
 %{_mandir}/man8/sss_debuglevel.8*
@@ -924,7 +977,12 @@ done
 %{_unitdir}/sssd-kcm.socket
 %{_unitdir}/sssd-kcm.service
 %{_mandir}/man8/sssd-kcm.8*
-%{_libdir}/%{name}/libsss_secrets.so
+
+%files idp
+%{_libexecdir}/%{servicename}/oidc_child
+%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
+%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
 
 %if 0%{?rhel}
 %pre common
@@ -1000,6 +1058,44 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Fri Aug 26 2022 Pavel Březina <pbrezina@redhat.com> - 2.7.4-1
+- Rebase to SSSD 2.7.4
+
+* Mon Jul 4 2022 Pavel Březina <pbrezina@redhat.com> - 2.7.3-1
+- Rebase to SSSD 2.7.3
+
+* Thu Jun 9 2022 Pavel Březina <pbrezina@redhat.com> - 2.7.1-2
+- Fix regression in IPA provider (#2094685)
+
+* Thu Jun 2 2022 Pavel Březina <pbrezina@redhat.com> - 2.7.1-1
+- Rebase to SSSD 2.7.1
+
+* Thu Apr 14 2022 Pavel Březina <pbrezina@redhat.com> - 2.7.0-1
+- Rebase to SSSD 2.7.0
+
+* Tue Jan 25 2022 Pavel Březina <pbrezina@redhat.com> - 2.6.3-1
+- Rebase to SSSD 2.6.3
+
+* Tue Jan 04 2022 Iker Pedrosa <ipedrosa@redhat.com> - 2.6.2-2
+- Fix IPA reply socket of selinux_child
+
+* Thu Dec 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2.6.2-1
+- Rebase to SSSD 2.6.2
+
+* Tue Nov 09 2021 Pavel Březina <pbrezina@redhat.com> - 2.6.1-1
+- Rebase to SSSD 2.6.1
+
+* Mon Nov 01 2021 Pavel Březina <pbrezina@redhat.com> - 2.6.0-2
+- Add additional patches on top of 2.6.0
+- Fix KCM upgrade from older releases
+- Enable subid ranges
+
+* Thu Oct 14 2021 Pavel Březina <pbrezina@redhat.com> - 2.6.0-1
+- Rebase to SSSD 2.6.0
+
+* Mon Aug 16 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.2-5
+- Fix CVE-2021-3621
+
 * Mon Aug 09 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.2-4
 - Disable running files provider by default
 - Support subid ranges managed by FreeIPA