authorRene Ladan <rene@FreeBSD.org>2020-12-12 15:09:15 +0000
committerRene Ladan <rene@FreeBSD.org>2020-12-12 15:09:15 +0000
commit6592a822122a3d2bf252ccd85dd40b85b09dde59 (patch)
tree2b93a21c9e067c02f1a583dbc6d8157ffaea1a57
parent693a9581667ca0ab414315d4f29d67c490c480c2 (diff)
downloadports-6592a822122a3d2bf252ccd85dd40b85b09dde59.tar.gz
ports-6592a822122a3d2bf252ccd85dd40b85b09dde59.zip
MFH: r555585 r557829
security/sssd: update to 1.16.5 This fixes several security vulnerabilities and unexpires the port because it moves to Python 3. PR: 241347 Submitted by: lukas.slebodnik@intrak.sk (initial patch) Security: CVE-2018-16838 Security: CVE-2019-3811 security/sssd: fix SMB option - use Samba 4.12 instead of the removed Samba 4.10 - use ldb 2.1 instead of ldb 2.0 While here, recognize Kerberos 1.18 PR: 250864 Submitted by: joerg (patch by Richard Frewin) Approved by: maintainer timeout (14 days)
Notes
Notes: svn path=/branches/2020Q4/; revision=557830
-rw-r--r--security/sssd/Makefile67
-rw-r--r--security/sssd/distinfo5
-rw-r--r--security/sssd/files/patch-Makefile.am233
-rw-r--r--security/sssd/files/patch-configure.ac25
-rw-r--r--security/sssd/files/patch-src-monitor-monitor.c26
-rw-r--r--security/sssd/files/patch-src__confdb__confdb.c4
-rw-r--r--security/sssd/files/patch-src__external__inotify.m44
-rw-r--r--security/sssd/files/patch-src__external__krb5.m48
-rw-r--r--security/sssd/files/patch-src__external__ldap.m424
-rw-r--r--security/sssd/files/patch-src__external__pac_responder.m423
-rw-r--r--security/sssd/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h13
-rw-r--r--security/sssd/files/patch-src__providers__ad__ad_common.c31
-rw-r--r--security/sssd/files/patch-src__providers__ad__ad_gpo_ndr.c29
-rw-r--r--security/sssd/files/patch-src__providers__ad__ad_pac.h13
-rw-r--r--security/sssd/files/patch-src__providers__data_provider_fo.c26
-rw-r--r--security/sssd/files/patch-src__providers__ipa__ipa_common.c30
-rw-r--r--security/sssd/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c13
-rw-r--r--security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c8
-rw-r--r--security/sssd/files/patch-src__providers__ldap__ldap_auth.c152
-rw-r--r--security/sssd/files/patch-src__providers__ldap__ldap_child.c22
-rw-r--r--security/sssd/files/patch-src__providers__ldap__sdap_access.c42
-rw-r--r--security/sssd/files/patch-src__providers__ldap__sdap_async_groups.c22
-rw-r--r--security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups.c41
-rw-r--r--security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups_ad.c22
-rw-r--r--security/sssd/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c30
-rw-r--r--security/sssd/files/patch-src__providers__ldap__sdap_async_users.c48
-rw-r--r--security/sssd/files/patch-src__resolv__async_resolv_utils.c30
-rw-r--r--security/sssd/files/patch-src__sbus__sbus_codegen10
-rw-r--r--security/sssd/files/patch-src__sss_client__common.c63
-rw-r--r--security/sssd/files/patch-src__sss_client__nss_group.c6
-rw-r--r--security/sssd/files/patch-src__sss_client__pam_sss.c16
-rw-r--r--security/sssd/files/patch-src__sss_client__sss_nss.exports11
-rw-r--r--security/sssd/files/patch-src__tests__cmocka__test_authtok.c12
-rw-r--r--security/sssd/files/patch-src__tests__cmocka__test_pam_srv.c13
-rw-r--r--security/sssd/files/patch-src__tests__cwrap__test_responder_common.c18
-rw-r--r--security/sssd/files/patch-src__tests__cwrap__test_server.c12
-rw-r--r--security/sssd/files/patch-src__tests__dlopen-tests.c22
-rw-r--r--security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c13
-rw-r--r--security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c4
-rw-r--r--security/sssd/files/patch-src__util__find_uid.c12
-rw-r--r--security/sssd/files/patch-src__util__nss_dl_load.c30
-rw-r--r--security/sssd/files/patch-src__util__server.c8
-rw-r--r--security/sssd/files/patch-src__util__signal.c71
-rw-r--r--security/sssd/files/patch-src__util__sss_endian.h23
-rw-r--r--security/sssd/files/patch-src__util__sss_krb5.c12
-rw-r--r--security/sssd/files/patch-src__util__sss_ldap.c21
-rw-r--r--security/sssd/files/patch-src__util__sss_sockets.c45
-rw-r--r--security/sssd/files/patch-src__util__util.c22
-rw-r--r--security/sssd/files/patch-src__util__util.h21
-rw-r--r--security/sssd/files/patch-src_external_pac__responder.m425
-rw-r--r--security/sssd/files/pkg-message.in8
-rw-r--r--security/sssd/files/sssd.in3
-rw-r--r--security/sssd/pkg-plist143
53 files changed, 1227 insertions, 408 deletions
diff --git a/security/sssd/Makefile b/security/sssd/Makefile
index 7a9b0e089ec0..480f9ab6c69b 100644
--- a/security/sssd/Makefile
+++ b/security/sssd/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= sssd
-PORTVERSION= 1.11.7
-PORTREVISION= 22
+PORTVERSION= 1.16.5
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= https://releases.pagure.org/SSSD/${PORTNAME}/
@@ -13,14 +13,11 @@ COMMENT= System Security Services Daemon
LICENSE= GPLv3+
LICENSE_FILE= ${WRKSRC}/COPYING
-DEPRECATED= Uses deprecated version of python
-EXPIRATION_DATE= 2020-09-15
-
LIB_DEPENDS= libpopt.so:devel/popt \
libtalloc.so:devel/talloc \
libtevent.so:devel/tevent \
libtdb.so:databases/tdb \
- libldb.so:databases/ldb14 \
+ libldb.so:databases/ldb21 \
libcares.so:dns/c-ares \
libdbus-1.so:devel/dbus \
libdhash.so:devel/ding-libs \
@@ -37,33 +34,37 @@ BUILD_DEPENDS= xmlcatalog:textproc/libxml2 \
krb5>=1.10:security/krb5 \
nsupdate:dns/bind-tools
-USES= autoreconf cpe gettext gmake iconv libtool pathfix pkgconfig \
- python:2.7 shebangfix gssapi:mit
-
-USE_LDCONFIG= yes
-USE_OPENLDAP= yes
-
GNU_CONFIGURE= yes
-CONFIGURE_ARGS= --with-selinux=no --with-semanage=no \
+CONFIGURE_ARGS= --without-selinux --without-semanage \
+ --without-libnl --without-nfsv4-idmapd-plugin \
+ --without-autofs --without-secrets --without-kcm \
+ --without-python2-bindings \
+ --with-init-dir=no \
+ --disable-cifs-idmap-plugin \
+ --with-unicode-lib=libunistring \
--with-ldb-lib-dir=${LOCALBASE}/lib/shared-modules/ldb \
--with-xml-catalog-path=${LOCALBASE}/share/xml/catalog \
- --with-libnl=no --with-init-dir=no --datadir=${DATADIR} \
- --docdir=${DOCSDIR} --with-pid-path=/var/run \
- --localstatedir=/var --enable-pammoddir=${PREFIX}/lib \
- --with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \
- --with-pubconf-path=/var/run/sss --with-mcache-path=/var/db/sss_mc \
- --with-unicode-lib=libunistring --with-autofs=no \
- --disable-cifs-idmap-plugin --disable-config-lib \
- --with-krb5-conf=/etc/krb5.conf
+ --datadir=${DATADIR} --docdir=${DOCSDIR} --localstatedir=/var \
+ --with-db-path=/var/db/sss/db --with-mcache-path=/var/db/sss/mc \
+ --with-pubconf-path=/var/db/sss/pubconf \
+ --with-gpo-cache-path=/var/db/sss/gpo_cache \
+ --with-pid-path=/var/run --with-pipe-path=/var/run/sss/pipes \
+ --with-krb5-conf=/etc/krb5.conf \
+ --enable-pammoddir=${PREFIX}/lib
CFLAGS+= -fstack-protector-all
PLIST_SUB= PYTHON_VER=${PYTHON_VER}
#DEBUG_FLAGS= -g
MAKE_ENV+= LINGUAS="bg de eu es fr hu id it ja nb nl pl pt ru sv tg tr uk zh_CN zh_TW"
SUB_FILES= pkg-message
+USES= autoreconf cpe gettext gmake iconv libtool pathfix pkgconfig \
+ python:3.7 shebangfix gssapi:mit
+USE_LDCONFIG= yes
+USE_OPENLDAP= yes
INSTALL_TARGET= install-strip
CPE_VENDOR= fedoraproject
+BINARY_ALIAS= python3=python${PYTHON_VER}
SHEBANG_FILES= src/tools/sss_obfuscate \
src/sbus/sbus_codegen
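Review bot: `python:3.7` in the re-added `USES` line pins a single interpreter version, which sets up the same situation the removed `DEPRECATED`/`EXPIRATION_DATE` lines came from once 3.7 is retired. If 1.16.5 builds with later interpreters, `python:3.7+` avoids that, and `BINARY_ALIAS= python3=python${PYTHON_VER}` already follows whichever version is selected. The `USES`/`USE_LDCONFIG`/`USE_OPENLDAP` block was also moved below `SUB_FILES`; leaving it ahead of `GNU_CONFIGURE` would keep the diff smaller and the dependency declarations together.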
@@ -73,18 +74,17 @@ PORTDATA= *
OPTIONS_DEFINE= DOCS SMB
OPTIONS_SUB= yes
-# If the port fails to package with SMB=on due to some missing files from
-# pkg-plist, check if there was a version bump of security/krb5 and
-# update files/patch-src__external__krb5.m4 accordingly.
-#
-# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244778
-
SMB_DESC= Install IPA and AD providers (requires Samba4)
-SMB_USES= samba:lib # libndr-krb5pac libndr-nbt libndr libsamba-util
-SMB_CONFIGURE_WITH= samba
+SMB_USES= samba:lib
+SMB_CONFIGURE_WITH= samba smb-idmap-interface-version=6
+SMB_LIB_DEPENDS= libndr-nbt.so.0:net/samba412 \
+ libndr-krb5pac.so.0:net/samba412 \
+ libndr-standard.so.0:net/samba412 \
+ libndr.so.1:net/samba412 \
+ libsamba-util.so.0:net/samba412 \
+ libsmbclient.so.0:net/samba412
post-patch:
- @${REINPLACE_CMD} -e 's|SIGCLD|SIGCHLD|g' ${WRKSRC}/src/util/signal.c
@${REINPLACE_CMD} -e 's|NSS_STATUS_NOTFOUND|NS_NOTFOUND|g' \
-e 's|NSS_STATUS_UNAVAIL|NS_UNAVAIL|g' \
-e 's|NSS_STATUS_TRYAGAIN|NS_TRYAGAIN|g' \
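Review bot: `SMB_LIB_DEPENDS` names `net/samba412` six times while `SMB_USES= samba:lib` selects the Samba port from the configured default, so a different default could pull a second Samba version into the build. That is the same kind of breakage this commit repairs for the removed Samba 4.10. Deriving the origin from whatever variable `USES=samba` provides would keep the two in step; failing that, add a comment such as `# keep in sync with the Samba default and smb-idmap-interface-version` above the block. The post-patch target continues outside this hunk.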
@@ -108,12 +108,9 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/src/examples/sssd-example.conf \
${STAGEDIR}${ETCDIR}/sssd.conf.sample
${LN} -sf nss_sss.so ${STAGEDIR}${PREFIX}/lib/nss_sss.so.1
-# clean these up from the install; we create them in rc script start_precmd
-.for d in db/sss db/sss_mc log/sssd run/sss/krb5.include.d run/sss/private run/sss
- @${RMDIR} ${STAGEDIR}/var/${d}
-.endfor
+
# clean unused man dirs
-.for i in nl/man1 nl/man5 pt/man1 pt/man5
+.for i in es/man1 nl/man1 nl/man5 pt/man1 pt/man5 sv/man1
@${RMDIR} ${STAGEDIR}${PREFIX}/man/${i}
.endfor
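Review bot: Removing the `.for d in db/sss ...` `${RMDIR}` loop means the `/var` directories created by `install-strip` stay in `${STAGEDIR}`, so their ownership and mode now presumably come from pkg-plist (not visible in this hunk) rather than from the rc script's start_precmd named in the deleted comment. The database and private pipe directories are expected to hold cached identity data and root-only sockets, so the plist entries should state the mode explicitly, e.g. `@dir(root,wheel,0700) /var/db/sss/db`. Directories under `/var/run` may not survive a reboot, so the rc script presumably still has to recreate `/var/run/sss/pipes` and its private subdirectory with the same modes. The post-install target starts outside this hunk.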
diff --git a/security/sssd/distinfo b/security/sssd/distinfo
index 1e2052772a1b..49b99708187c 100644
--- a/security/sssd/distinfo
+++ b/security/sssd/distinfo
@@ -1,2 +1,3 @@
-SHA256 (sssd-1.11.7.tar.gz) = ff12d5730a6d7d08fe11140aa58e544900b75c63902b7a07bbbc12d6a99cb5b5
-SIZE (sssd-1.11.7.tar.gz) = 3661227
+TIMESTAMP = 1587639728
+SHA256 (sssd-1.16.5.tar.gz) = 2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0
+SIZE (sssd-1.16.5.tar.gz) = 6639917
diff --git a/security/sssd/files/patch-Makefile.am b/security/sssd/files/patch-Makefile.am
index c540e307316a..12e49bf033c6 100644
--- a/security/sssd/files/patch-Makefile.am
+++ b/security/sssd/files/patch-Makefile.am
@@ -1,22 +1,38 @@
---- Makefile.am.orig 2020-03-16 18:30:24 UTC
+diff --git Makefile.am Makefile.am
+index be17d6a59..03386d1f8 100644
+--- Makefile.am
+++ Makefile.am
-@@ -311,6 +311,7 @@ AM_CPPFLAGS = \
- $(LIBNL_CFLAGS) \
- $(OPENLDAP_CFLAGS) \
- $(GLIB2_CFLAGS) \
-+ -DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX \
- -DLIBDIR=\"$(libdir)\" \
- -DVARDIR=\"$(localstatedir)\" \
- -DSHLIBEXT=\"$(SHLIBEXT)\" \
-@@ -378,6 +379,7 @@ SSSD_LIBS = \
- $(DHASH_LIBS) \
- $(SSS_CRYPT_LIBS) \
- $(OPENLDAP_LIBS) \
-+ $(LTLIBINTL) \
- $(TDB_LIBS)
+@@ -61,7 +61,7 @@ sssdapiplugindir = $(sssddatadir)/sssd.api.d
+ sssdtapscriptdir = $(sssddatadir)/systemtap
+ dbuspolicydir = $(sysconfdir)/dbus-1/system.d
+ dbusservicedir = $(datadir)/dbus-1/system-services
+-sss_statedir = $(localstatedir)/lib/sss
++sss_statedir = $(localstatedir)/db/sss
+ runstatedir = @runstatedir@
+ localedir = @localedir@
+ nsslibdir = @nsslibdir@
+@@ -378,12 +378,6 @@ sssdlib_LTLIBRARIES += \
+ libsss_ad.la
+ endif
+
+-if HAVE_INOTIFY
+-sssdlib_LTLIBRARIES += \
+- libsss_files.la \
+- $(NULL)
+-endif # HAVE_INOTIFY
+-
+ ldblib_LTLIBRARIES = \
+ memberof.la
+
+@@ -610,6 +604,7 @@ SSSD_FAILOVER_OBJ = \
- PYTHON_BINDINGS_LIBS = \
-@@ -433,6 +435,7 @@ dist_noinst_HEADERS = \
+ SSSD_LIBS = \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ $(TEVENT_LIBS) \
+ $(POPT_LIBS) \
+ $(LDB_LIBS) \
+@@ -664,6 +659,7 @@ dist_noinst_HEADERS = \
src/util/sss_ssh.h \
src/util/sss_ini.h \
src/util/sss_format.h \
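Review bot: The inner hunk at `@@ -378,12 +378,6 @@` deletes the `libsss_files.la` entry outright instead of leaving it to the `HAVE_INOTIFY` conditional, and nothing in the patch says why. That removes the files provider from the package whatever configure detects, which users with `id_provider = files` will only find out at runtime. A line of leading text in the patch file, for example `Do not build the files provider: <reason>`, would record the intent for the next update.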
@@ -24,7 +40,137 @@
src/util/refcount.h \
src/util/find_uid.h \
src/util/user_info_msg.h \
-@@ -1700,9 +1703,10 @@ endif
+@@ -1358,6 +1354,7 @@ sssd_LDADD = \
+ $(SSSD_LIBS) \
+ $(INOTIFY_LIBS) \
+ $(LIBNL_LIBS) \
++ $(LTLIBINTL) \
+ $(KEYUTILS_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+@@ -1381,6 +1378,7 @@ sssd_nss_SOURCES = \
+ sssd_nss_LDADD = \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ libsss_idmap.la \
+ libsss_cert.la \
+ $(SYSTEMD_DAEMON_LIBS) \
+@@ -1397,6 +1395,7 @@ sssd_pam_SOURCES = \
+ sssd_pam_LDADD = \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SELINUX_LIBS) \
+ $(PAM_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+@@ -1414,6 +1413,7 @@ sssd_sudo_SOURCES = \
+ $(SSSD_RESPONDER_OBJ)
+ sssd_sudo_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+ endif
+@@ -1426,6 +1426,7 @@ sssd_autofs_SOURCES = \
+ $(SSSD_RESPONDER_OBJ)
+ sssd_autofs_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+ endif
+@@ -1441,6 +1442,7 @@ sssd_ssh_SOURCES = \
+ $(NULL)
+ sssd_ssh_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_cert.la \
+@@ -1481,6 +1483,7 @@ sssd_ifp_CFLAGS = \
+ $(AM_CFLAGS)
+ sssd_ifp_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_cert.la \
+@@ -1604,6 +1607,7 @@ sssd_be_SOURCES = \
+ sssd_be_LDADD = \
+ $(LIBADD_DL) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CARES_LIBS) \
+ $(PAM_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+@@ -1726,6 +1730,7 @@ sss_signal_SOURCES = \
+ src/tools/common/sss_process.c
+ $(NULL)
+ sss_signal_LDADD = \
++ $(LTLIBINTL) \
+ libsss_debug.la \
+ $(NULL)
+
+@@ -2318,6 +2323,7 @@ test_ssh_client_CFLAGS = \
+ test_ssh_client_LDADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(NULL)
+
+ if BUILD_DBUS_TESTS
+@@ -2602,6 +2608,7 @@ test_authtok_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ libsss_debug.la \
+ $(NULL)
+@@ -2622,6 +2629,7 @@ deskprofile_utils_tests_SOURCES = \
+ deskprofile_utils_tests_CFLAGS = \
+ $(AM_CFLAGS)
+ deskprofile_utils_tests_LDADD = \
++ $(LTLIBINTL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+@@ -2654,6 +2662,7 @@ domain_resolution_order_tests_CFLAGS = \
+ $(AM_CFLAGS)
+ domain_resolution_order_tests_LDADD = \
+ $(CMOCKA_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+@@ -2738,6 +2747,7 @@ test_search_bases_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+@@ -3545,6 +3555,7 @@ test_inotify_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(INOTIFY_LIBS) \
+ $(LIBADD_DL) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3637,9 +3648,6 @@ endif
+ if BUILD_WITH_LIBCURL
+ noinst_PROGRAMS += tcurl-test-tool
+ endif
+-if BUILD_PAC_RESPONDER
+- noinst_PROGRAMS += sssd_pac_test_client
+-endif
+
+ if BUILD_AUTOFS
+ autofs_test_client_SOURCES = \
+@@ -3730,9 +3738,10 @@ intgcheck:
# Client Libraries #
####################
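Review bot: The per-target `$(LTLIBINTL)` additions appear redundant wherever the same `_LDADD` already lists `$(SSSD_LIBS)` (sssd, sssd_nss, sssd_pam, sssd_sudo, sssd_autofs, sssd_ssh, sssd_ifp, sssd_be, test_ssh_client), because the inner hunk at `@@ -610,6 +604,7 @@` adds `$(LTLIBINTL)` to `SSSD_LIBS` itself. Dropping those lines would shrink the patch to the targets that link only `libsss_debug.la` or the cmocka libraries, leaving fewer inner hunks to rebase on the next upstream release.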
@@ -37,9 +183,9 @@
src/sss_client/nss_passwd.c \
src/sss_client/nss_group.c \
src/sss_client/nss_netgroup.c \
-@@ -1715,9 +1719,9 @@ libnss_sss_la_SOURCES = \
- src/sss_client/nss_mc_passwd.c \
+@@ -3748,9 +3757,9 @@ libnss_sss_la_SOURCES = \
src/sss_client/nss_mc_group.c \
+ src/sss_client/nss_mc_initgr.c \
src/sss_client/nss_mc.h
-libnss_sss_la_LIBADD = \
+nss_sss_la_LIBADD = \
@@ -49,20 +195,43 @@
-module \
-version-info 2:0:0 \
-Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports
-@@ -2086,6 +2090,7 @@ ldap_child_LDADD = \
- $(POPT_LIBS) \
+@@ -3908,6 +3917,7 @@ libsss_ldap_common_la_LIBADD = \
$(OPENLDAP_LIBS) \
$(DHASH_LIBS) \
+ $(KRB5_LIBS) \
++ $(LTLIBINTL) \
+ libsss_krb5_common.la \
+ libsss_idmap.la \
+ libsss_certmap.la \
+@@ -4271,6 +4281,7 @@ ldap_child_CFLAGS = \
+ $(KRB5_CFLAGS)
+ ldap_child_LDADD = \
+ libsss_debug.la \
+ $(LTLIBINTL) \
- $(KRB5_LIBS)
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+@@ -4313,6 +4324,7 @@ gpo_child_CFLAGS = \
+ $(SMBCLIENT_CFLAGS)
+ gpo_child_LDADD = \
+ libsss_debug.la \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+@@ -4329,6 +4341,7 @@ proxy_child_CFLAGS = \
+ proxy_child_LDADD = \
+ $(PAM_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS)
- proxy_child_SOURCES = \
-@@ -2333,7 +2338,7 @@ else
- mkdir -p $(DESTDIR)$(initdir)
- endif
+ p11_child_SOURCES = \
+@@ -4361,6 +4374,7 @@ endif
--install-data-hook:
-+notinstall-data-hook:
- rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
- $(DESTDIR)/$(nsslibdir)/libnss_sss.so
- mv $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2
+ p11_child_LDADD = \
+ libsss_debug.la \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
diff --git a/security/sssd/files/patch-configure.ac b/security/sssd/files/patch-configure.ac
index 047820ba0392..26284c2f63d5 100644
--- a/security/sssd/files/patch-configure.ac
+++ b/security/sssd/files/patch-configure.ac
@@ -1,20 +1,13 @@
---- configure.ac.orig 2014-09-17 13:01:37 UTC
+diff --git configure.ac configure.ac
+index 9df463d9c..17d0d9ea7 100644
+--- configure.ac
+++ configure.ac
-@@ -5,14 +5,14 @@ AC_INIT([sssd],
- VERSION_NUMBER,
- [sssd-devel@lists.fedorahosted.org])
+@@ -44,8 +44,6 @@ AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
+ AC_CHECK_HEADERS(stdint.h dlfcn.h)
+ AC_CONFIG_HEADER(config.h)
-+AC_CONFIG_SRCDIR([BUILD.txt])
-+AC_CONFIG_AUX_DIR([build])
-+
- m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
- [AC_USE_SYSTEM_EXTENSIONS],
- [AC_GNU_SOURCE])
-
- CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+-AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
-
--AC_CONFIG_SRCDIR([BUILD.txt])
--AC_CONFIG_AUX_DIR([build])
+ m4_include([src/build_macros.m4])
+ BUILD_WITH_SHARED_BUILD_DIR
- AM_INIT_AUTOMAKE([-Wall foreign subdir-objects tar-pax])
- AM_PROG_CC_C_O
diff --git a/security/sssd/files/patch-src-monitor-monitor.c b/security/sssd/files/patch-src-monitor-monitor.c
deleted file mode 100644
index f006fe777692..000000000000
--- a/security/sssd/files/patch-src-monitor-monitor.c
+++ /dev/null
@@ -1,26 +0,0 @@
-Backport a887e33fbd from upstream:
-MONITOR: Do not use two configuration databases
-
---- src/monitor/monitor.c.orig 2014-09-17 13:01:37 UTC
-+++ src/monitor/monitor.c
-@@ -2832,6 +2832,20 @@ int main(int argc, const char *argv[])
- ret = server_setup(MONITOR_NAME, flags, monitor->conf_path, &main_ctx);
- if (ret != EOK) return 2;
-
-+ /* Use confd initialized in server_setup. ldb_tdb module (1.4.0) check PID
-+ * of process which initialized db for locking purposes.
-+ * Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147:
-+ * Reusing ldb opened by pid 28889 in process 28893
-+ */
-+ talloc_zfree(monitor->cdb);
-+ monitor->cdb = main_ctx->confdb_ctx;
-+
-+ ret = confdb_get_domains(monitor->cdb, &monitor->domains);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n");
-+ return 4;
-+ }
-+
- monitor->is_daemon = !opt_interactive;
- monitor->parent_pid = main_ctx->parent_pid;
- monitor->ev = main_ctx->event_ctx;
diff --git a/security/sssd/files/patch-src__confdb__confdb.c b/security/sssd/files/patch-src__confdb__confdb.c
index b7bdcdd0cc33..006f9810a3be 100644
--- a/security/sssd/files/patch-src__confdb__confdb.c
+++ b/security/sssd/files/patch-src__confdb__confdb.c
@@ -1,4 +1,6 @@
---- src/confdb/confdb.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/confdb/confdb.c src/confdb/confdb.c
+index e55f88e4e..81fd3417a 100644
+--- src/confdb/confdb.c
+++ src/confdb/confdb.c
@@ -28,6 +28,11 @@
#include "util/strtonum.h"
diff --git a/security/sssd/files/patch-src__external__inotify.m4 b/security/sssd/files/patch-src__external__inotify.m4
index 4dfb7a9c9e09..9acf30c5d281 100644
--- a/security/sssd/files/patch-src__external__inotify.m4
+++ b/security/sssd/files/patch-src__external__inotify.m4
@@ -1,4 +1,6 @@
---- src/external/inotify.m4.orig 2014-09-17 13:01:37 UTC
+diff --git src/external/inotify.m4 src/external/inotify.m4
+index 3ae5ae314..e88bd3ffc 100644
+--- src/external/inotify.m4
+++ src/external/inotify.m4
@@ -20,10 +20,10 @@ int main () {
AS_IF([test x"$inotify_works" != xyes],
diff --git a/security/sssd/files/patch-src__external__krb5.m4 b/security/sssd/files/patch-src__external__krb5.m4
index f9a5d9333b34..fd36f02e61ee 100644
--- a/security/sssd/files/patch-src__external__krb5.m4
+++ b/security/sssd/files/patch-src__external__krb5.m4
@@ -1,11 +1,13 @@
---- src/external/krb5.m4.orig 2014-09-17 13:01:37 UTC
+diff --git src/external/krb5.m4 src/external/krb5.m4
+index b844c2fbe..856ef56fe 100644
+--- src/external/krb5.m4
+++ src/external/krb5.m4
@@ -9,7 +9,7 @@ if test x$KRB5_CFLAGS != x; then
KRB5_PASSED_CFLAGS=$KRB5_CFLAGS
fi
--AC_PATH_PROG(KRB5_CONFIG, krb5-config)
-+AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
+-AC_PATH_TOOL(KRB5_CONFIG, krb5-config)
++AC_PATH_TOOL(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
AC_MSG_CHECKING(for working krb5-config)
if test -x "$KRB5_CONFIG"; then
KRB5_CFLAGS="`$KRB5_CONFIG --cflags`"
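Review bot: The search path `[/usr/local/bin:$PATH]` hard-codes the default LOCALBASE, and configure then executes whatever `krb5-config` it finds there (`$KRB5_CONFIG --cflags`). The new patch-src__external__pac_responder.m4 repeats the same literal. Both `AC_PATH_TOOL` calls should honour a preset absolute `KRB5_CONFIG`, so passing the path from the port Makefile, e.g. `CONFIGURE_ENV+= KRB5_CONFIG=${KRB5CONFIG}` (the variable `USES=gssapi` is expected to set; please confirm), would make the choice explicit. That would probably make the two path overrides unnecessary.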
diff --git a/security/sssd/files/patch-src__external__ldap.m4 b/security/sssd/files/patch-src__external__ldap.m4
new file mode 100644
index 000000000000..682de45f5f0d
--- /dev/null
+++ b/security/sssd/files/patch-src__external__ldap.m4
@@ -0,0 +1,24 @@
+diff --git src/external/ldap.m4 src/external/ldap.m4
+index cd13fde62..73ca93674 100644
+--- src/external/ldap.m4
++++ src/external/ldap.m4
+@@ -32,8 +32,7 @@ dnl Check for other libraries we need to link with to get the main routines.
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+-CFLAGS=$SAVE_CFLAGS
+-LIBS=$SAVE_LIBS
++
+ dnl Recently, we need -lber even though the main routines are elsewhere,
+ dnl because otherwise we get link errors w.r.t. ber_pvt_opt_on. So just
+ dnl check for that (it's a variable not a fun but that doesn't seem to
+@@ -42,6 +41,9 @@ dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+ dnl #### understands LDAP needs to fix this properly.
+ test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+
++CFLAGS=$SAVE_CFLAGS
++LIBS=$SAVE_LIBS
++
+ if test "$with_ldap" = "yes"; then
+ if test "$with_ldap_des" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes"
diff --git a/security/sssd/files/patch-src__external__pac_responder.m4 b/security/sssd/files/patch-src__external__pac_responder.m4
new file mode 100644
index 000000000000..a870a179c34c
--- /dev/null
+++ b/security/sssd/files/patch-src__external__pac_responder.m4
@@ -0,0 +1,23 @@
+diff --git src/external/pac_responder.m4 src/external/pac_responder.m4
+index dc986a1b8..09efdb139 100644
+--- src/external/pac_responder.m4
++++ src/external/pac_responder.m4
+@@ -7,7 +7,7 @@ AC_ARG_ENABLE([pac-responder],
+ krb5_version_ok=no
+ if test x$build_pac_responder = xyes
+ then
+- AC_PATH_PROG(KRB5_CONFIG, krb5-config)
++ AC_PATH_TOOL(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
+ AC_MSG_CHECKING(for supported MIT krb5 version)
+ KRB5_VERSION="`$KRB5_CONFIG --version`"
+ case $KRB5_VERSION in
+@@ -19,7 +19,8 @@
+ Kerberos\ 5\ release\ 1.14* | \
+ Kerberos\ 5\ release\ 1.15* | \
+ Kerberos\ 5\ release\ 1.16* | \
+- Kerberos\ 5\ release\ 1.17*)
++ Kerberos\ 5\ release\ 1.17* | \
++ Kerberos\ 5\ release\ 1.18*)
+ krb5_version_ok=yes
+ AC_MSG_RESULT([yes])
+ ;;
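Review bot: The `case $KRB5_VERSION` list has to be extended for every new krb5 minor release, and an unlisted version presumably leaves `krb5_version_ok=no`, so the PAC responder is silently not built. The Makefile comment that told maintainers to update the krb5 patch after a security/krb5 bump is removed by this same commit. Keep a pointer next to `SMB_DESC`, e.g. `# On a security/krb5 minor bump, extend the release list in files/patch-src__external__pac_responder.m4`. `$KRB5_CONFIG --version` is also run here without the `test -x "$KRB5_CONFIG"` guard that krb5.m4 applies before calling the tool.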
diff --git a/security/sssd/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h b/security/sssd/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h
new file mode 100644
index 000000000000..28013210fe9c
--- /dev/null
+++ b/security/sssd/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h
@@ -0,0 +1,13 @@
+diff --git src/lib/winbind_idmap_sss/winbind_idmap_sss.h src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+index 868049fff..cb1604ef1 100644
+--- src/lib/winbind_idmap_sss/winbind_idmap_sss.h
++++ src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+@@ -29,6 +29,8 @@
+ #include <stdbool.h>
+
+ #include <core/ntstatus.h>
++#include <unistd.h>
++#include <time.h>
+ #include <ndr.h>
+ #include <gen_ndr/security.h>
+
diff --git a/security/sssd/files/patch-src__providers__ad__ad_common.c b/security/sssd/files/patch-src__providers__ad__ad_common.c
new file mode 100644
index 000000000000..178dfb870821
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ad__ad_common.c
@@ -0,0 +1,31 @@
+diff --git src/providers/ad/ad_common.c src/providers/ad/ad_common.c
+index 0d154ca57..407d37a37 100644
+--- src/providers/ad/ad_common.c
++++ src/providers/ad/ad_common.c
+@@ -419,7 +419,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+ char *server;
+ char *realm;
+ char *ad_hostname;
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[_POSIX_HOST_NAME_MAX + 1];
+ char *case_sensitive_opt;
+ const char *opt_override;
+
+@@ -458,7 +458,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+ */
+ ad_hostname = dp_opt_get_string(opts->basic, AD_HOSTNAME);
+ if (ad_hostname == NULL) {
+- gret = gethostname(hostname, sizeof(hostname));
++ gret = gethostname(hostname, _POSIX_HOST_NAME_MAX);
+ if (gret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE,
+@@ -466,7 +466,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+ strerror(ret));
+ goto done;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[_POSIX_HOST_NAME_MAX] = '\0';
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Setting ad_hostname to [%s].\n", hostname);
+ ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname);
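Review bot: Changing the length argument to `gethostname(hostname, _POSIX_HOST_NAME_MAX)` decouples it from the buffer declaration. Only the `HOST_NAME_MAX` spelling needed replacing, so `gret = gethostname(hostname, sizeof(hostname));` can stay and remains correct if the array size changes. The same three-line substitution is repeated in patch-src__providers__data_provider_fo.c and patch-src__providers__ipa__ipa_common.c. The `-DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX` define this commit removes from patch-Makefile.am handled it in one place and would also cover any later upstream use of the macro. ad_get_common_options starts and ends outside the inner hunks.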
diff --git a/security/sssd/files/patch-src__providers__ad__ad_gpo_ndr.c b/security/sssd/files/patch-src__providers__ad__ad_gpo_ndr.c
new file mode 100644
index 000000000000..7bb5a0c1f476
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ad__ad_gpo_ndr.c
@@ -0,0 +1,29 @@
+--- src/providers/ad/ad_gpo_ndr.c-orig 2020-11-28 22:21:39.860006000 +0000
++++ src/providers/ad/ad_gpo_ndr.c 2020-11-28 22:23:15.849602000 +0000
+@@ -105,7 +105,7 @@
+ union security_ace_object_type *r)
+ {
+ uint32_t level;
+- level = ndr_pull_get_switch_value(ndr, r);
++ level = ndr_token_peek(&ndr->switch_list, r);
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_union_align(ndr, 4));
+@@ -135,7 +135,7 @@
+ union security_ace_object_inherited_type *r)
+ {
+ uint32_t level;
+- level = ndr_pull_get_switch_value(ndr, r);
++ level = ndr_token_peek(&ndr->switch_list, r);
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_union_align(ndr, 4));
+@@ -198,7 +198,7 @@
+ union security_ace_object_ctr *r)
+ {
+ uint32_t level;
+- level = ndr_pull_get_switch_value(ndr, r);
++ level = ndr_token_peek(&ndr->switch_list, r);
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_union_align(ndr, 4));
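Review bot: `ndr_token_peek(&ndr->switch_list, r)` in the three pull functions has no error path, so a missing switch token cannot be told apart from a valid level. As far as I can tell from the Samba API it also leaves the token on the list, unlike the call it replaces. These functions decode security ACE unions, presumably from GPO data received over the network, so a silent fallback is the wrong failure mode. If the Samba 4.12 headers this port builds against provide the error-returning form, `NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));` would keep the check; please confirm against ndr.h. All three function bodies start and end outside the inner hunks.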
diff --git a/security/sssd/files/patch-src__providers__ad__ad_pac.h b/security/sssd/files/patch-src__providers__ad__ad_pac.h
new file mode 100644
index 000000000000..eb495780b53d
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ad__ad_pac.h
@@ -0,0 +1,13 @@
+diff --git src/providers/ad/ad_pac.h src/providers/ad/ad_pac.h
+index 34f1e92c7..00a53cccd 100644
+--- src/providers/ad/ad_pac.h
++++ src/providers/ad/ad_pac.h
+@@ -32,6 +32,8 @@
+ #ifdef ldb_val
+ #error Please make sure to include ad_pac.h before ldb.h
+ #endif
++#include <unistd.h>
++#include <time.h>
+ #include <ndr.h>
+ #include <gen_ndr/krb5pac.h>
+ #include <gen_ndr/ndr_krb5pac.h>
diff --git a/security/sssd/files/patch-src__providers__data_provider_fo.c b/security/sssd/files/patch-src__providers__data_provider_fo.c
new file mode 100644
index 000000000000..4be41ef91a87
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__data_provider_fo.c
@@ -0,0 +1,26 @@
+diff --git src/providers/data_provider_fo.c src/providers/data_provider_fo.c
+index 473b667e5..63f2dd131 100644
+--- src/providers/data_provider_fo.c
++++ src/providers/data_provider_fo.c
+@@ -235,18 +235,18 @@ errno_t be_fo_set_dns_srv_lookup_plugin(struct be_ctx *be_ctx,
+ const char *hostname)
+ {
+ struct fo_resolve_srv_dns_ctx *srv_ctx = NULL;
+- char resolved_hostname[HOST_NAME_MAX + 1];
++ char resolved_hostname[_POSIX_HOST_NAME_MAX + 1];
+ errno_t ret;
+
+ if (hostname == NULL) {
+- ret = gethostname(resolved_hostname, sizeof(resolved_hostname));
++ ret = gethostname(resolved_hostname, _POSIX_HOST_NAME_MAX);
+ if (ret != EOK) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "gethostname() failed: [%d]: %s\n", ret, strerror(ret));
+ return ret;
+ }
+- resolved_hostname[HOST_NAME_MAX] = '\0';
++ resolved_hostname[_POSIX_HOST_NAME_MAX] = '\0';
+ hostname = resolved_hostname;
+ }
+
diff --git a/security/sssd/files/patch-src__providers__ipa__ipa_common.c b/security/sssd/files/patch-src__providers__ipa__ipa_common.c
new file mode 100644
index 000000000000..14c01fff88c9
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ipa__ipa_common.c
@@ -0,0 +1,30 @@
+diff --git src/providers/ipa/ipa_common.c src/providers/ipa/ipa_common.c
+index 17d14e6b0..681ac8615 100644
+--- src/providers/ipa/ipa_common.c
++++ src/providers/ipa/ipa_common.c
+@@ -49,7 +49,7 @@ int ipa_get_options(TALLOC_CTX *memctx,
+ char *realm;
+ char *ipa_hostname;
+ int ret;
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[_POSIX_HOST_NAME_MAX + 1];
+
+ opts = talloc_zero(memctx, struct ipa_options);
+ if (!opts) return ENOMEM;
+@@ -79,14 +79,14 @@ int ipa_get_options(TALLOC_CTX *memctx,
+
+ ipa_hostname = dp_opt_get_string(opts->basic, IPA_HOSTNAME);
+ if (ipa_hostname == NULL) {
+- ret = gethostname(hostname, sizeof(hostname));
++ ret = gethostname(hostname, _POSIX_HOST_NAME_MAX);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "gethostname failed [%d][%s].\n", errno,
+ strerror(errno));
+ ret = errno;
+ goto done;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[_POSIX_HOST_NAME_MAX] = '\0';
+ DEBUG(SSSDBG_TRACE_ALL, "Setting ipa_hostname to [%s].\n", hostname);
+ ret = dp_opt_set_string(opts->basic, IPA_HOSTNAME, hostname);
+ if (ret != EOK) {
diff --git a/security/sssd/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c b/security/sssd/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c
new file mode 100644
index 000000000000..91fe3ac37b8b
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c
@@ -0,0 +1,13 @@
+diff --git src/providers/ipa/ipa_deskprofile_rules_util.c src/providers/ipa/ipa_deskprofile_rules_util.c
+index 991c6053d..59483b452 100644
+--- src/providers/ipa/ipa_deskprofile_rules_util.c
++++ src/providers/ipa/ipa_deskprofile_rules_util.c
+@@ -25,6 +25,8 @@
+ #include "providers/ipa/ipa_rules_common.h"
+ #include <ctype.h>
+ #include <fcntl.h>
++#include <sys/types.h>
++#include <signal.h>
+
+ #define DESKPROFILE_GLOBAL_POLICY_MIN_VALUE 1
+ #define DESKPROFILE_GLOBAL_POLICY_MAX_VALUE 24
diff --git a/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c b/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c
index 4c9b6be07199..84fcfcd99001 100644
--- a/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c
+++ b/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c
@@ -1,6 +1,8 @@
---- src/providers/krb5/krb5_delayed_online_authentication.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/providers/krb5/krb5_delayed_online_authentication.c src/providers/krb5/krb5_delayed_online_authentication.c
+index 1cb7eade0..4aaeb84b2 100644
+--- src/providers/krb5/krb5_delayed_online_authentication.c
+++ src/providers/krb5/krb5_delayed_online_authentication.c
-@@ -320,6 +320,7 @@ errno_t init_delayed_online_authentication(struct krb5
+@@ -328,6 +328,7 @@ errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
struct tevent_context *ev)
{
int ret;
@@ -8,7 +10,7 @@
hash_table_t *tmp_table;
ret = get_uid_table(krb5_ctx, &tmp_table);
-@@ -339,6 +340,7 @@ errno_t init_delayed_online_authentication(struct krb5
+@@ -347,6 +348,7 @@ errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
"hash_destroy failed [%s].\n", hash_error_string(ret));
return EFAULT;
}
diff --git a/security/sssd/files/patch-src__providers__ldap__ldap_auth.c b/security/sssd/files/patch-src__providers__ldap__ldap_auth.c
index c2dd1328a508..ae1bfc922d00 100644
--- a/security/sssd/files/patch-src__providers__ldap__ldap_auth.c
+++ b/security/sssd/files/patch-src__providers__ldap__ldap_auth.c
@@ -1,4 +1,6 @@
---- src/providers/ldap/ldap_auth.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/providers/ldap/ldap_auth.c src/providers/ldap/ldap_auth.c
+index de22689ae..fdfd67cf4 100644
+--- src/providers/ldap/ldap_auth.c
+++ src/providers/ldap/ldap_auth.c
@@ -37,7 +37,6 @@
#include <sys/time.h>
@@ -8,9 +10,9 @@
#include <security/pam_modules.h>
#include "util/util.h"
-@@ -56,6 +55,22 @@ enum pwexpire {
- PWEXPIRE_SHADOW
- };
+@@ -52,6 +51,22 @@
+
+ #define LDAP_PWEXPIRE_WARNING_TIME 0
+struct spwd
+{
@@ -31,20 +33,9 @@
static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
{
int ret;
-@@ -109,6 +124,7 @@ static errno_t check_pwexpire_kerberos(const char *exp
- return EINVAL;
- }
-
-+ tzset();
- expire_time = mktime(&tm);
- if (expire_time == -1) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-@@ -116,12 +132,10 @@ static errno_t check_pwexpire_kerberos(const char *exp
- return EINVAL;
+@@ -97,9 +112,9 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
}
-- tzset();
-- expire_time -= timezone;
DEBUG(SSSDBG_TRACE_ALL,
- "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
- "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0],
@@ -55,7 +46,59 @@
if (difftime(now, expire_time) > 0.0) {
DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n");
-@@ -924,7 +938,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
+@@ -946,14 +961,14 @@ sdap_pam_auth_handler_send(TALLOC_CTX *mem_ctx,
+
+ state->pd = pd;
+ state->be_ctx = params->be_ctx;
+- pd->pam_status = PAM_SYSTEM_ERR;
++ pd->pam_status = PAM_SERVICE_ERR;
+
+ switch (pd->cmd) {
+ case SSS_PAM_AUTHENTICATE:
+ subreq = auth_send(state, params->ev, auth_ctx,
+ pd->user, pd->authtok, false);
+ if (subreq == NULL) {
+- pd->pam_status = PAM_SYSTEM_ERR;
++ pd->pam_status = PAM_SERVICE_ERR;
+ goto immediately;
+ }
+
+@@ -963,14 +978,14 @@ sdap_pam_auth_handler_send(TALLOC_CTX *mem_ctx,
+ subreq = auth_send(state, params->ev, auth_ctx,
+ pd->user, pd->authtok, true);
+ if (subreq == NULL) {
+- pd->pam_status = PAM_SYSTEM_ERR;
++ pd->pam_status = PAM_SERVICE_ERR;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_pam_auth_handler_done, req);
+ break;
+ case SSS_PAM_CHAUTHTOK:
+- pd->pam_status = PAM_SYSTEM_ERR;
++ pd->pam_status = PAM_SERVICE_ERR;
+ goto immediately;
+
+ case SSS_PAM_ACCT_MGMT:
+@@ -1015,7 +1030,7 @@ static void sdap_pam_auth_handler_done(struct tevent_req *subreq)
+ state->be_ctx->domain->pwd_expiration_warning);
+ if (ret == EINVAL) {
+ /* Unknown password expiration type. */
+- state->pd->pam_status = PAM_SYSTEM_ERR;
++ state->pd->pam_status = PAM_SERVICE_ERR;
+ goto done;
+ }
+ }
+@@ -1049,7 +1064,7 @@ static void sdap_pam_auth_handler_done(struct tevent_req *subreq)
+ state->pd->pam_status = PAM_BAD_ITEM;
+ break;
+ default:
+- state->pd->pam_status = PAM_SYSTEM_ERR;
++ state->pd->pam_status = PAM_SERVICE_ERR;
+ break;
+ }
+
+@@ -1271,7 +1286,7 @@ sdap_pam_chpass_handler_send(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_OP_FAILURE,
"starting password change request for user [%s].\n", pd->user);
@@ -64,16 +107,61 @@
if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
DEBUG(SSSDBG_OP_FAILURE,
-@@ -1069,7 +1083,7 @@ static void sdap_auth4chpass_done(struct tevent_req *r
- dp_err = DP_ERR_OFFLINE;
+@@ -1282,7 +1297,7 @@ sdap_pam_chpass_handler_send(TALLOC_CTX *mem_ctx,
+ subreq = auth_send(state, params->ev, auth_ctx,
+ pd->user, pd->authtok, true);
+ if (subreq == NULL) {
+- pd->pam_status = PAM_SYSTEM_ERR;
++ pd->pam_status = PAM_SERVICE_ERR;
+ goto immediately;
+ }
+
+@@ -1335,7 +1350,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ if (ret == ERR_PASSWORD_EXPIRED) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "LDAP provider cannot change "
+ "kerberos passwords.\n");
+- state->pd->pam_status = PAM_SYSTEM_ERR;
++ state->pd->pam_status = PAM_SERVICE_ERR;
+ goto done;
+ }
+ break;
+@@ -1344,7 +1359,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n");
+- state->pd->pam_status = PAM_SYSTEM_ERR;
++ state->pd->pam_status = PAM_SERVICE_ERR;
+ goto done;
+ }
+ }
+@@ -1369,7 +1384,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to change password for "
+ "%s\n", state->pd->user);
+- state->pd->pam_status = PAM_SYSTEM_ERR;
++ state->pd->pam_status = PAM_SERVICE_ERR;
+ goto done;
+ }
+
+@@ -1401,7 +1416,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ be_mark_offline(state->be_ctx);
+ break;
+ default:
+- state->pd->pam_status = PAM_SYSTEM_ERR;
++ state->pd->pam_status = PAM_SERVICE_ERR;
+ break;
+ }
+
+@@ -1437,7 +1452,7 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
+ state->pd->pam_status = PAM_AUTHTOK_ERR;
break;
default:
- state->pd->pam_status = PAM_SYSTEM_ERR;
+ state->pd->pam_status = PAM_SERVICE_ERR;
+ break;
}
- done:
-@@ -1131,7 +1145,7 @@ static void sdap_pam_chpass_done(struct tevent_req *re
+@@ -1463,7 +1478,7 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
state->sh, state->dn,
lastchanged_name);
if (subreq == NULL) {
@@ -82,30 +170,12 @@
goto done;
}
-@@ -1152,7 +1166,7 @@ static void sdap_lastchange_done(struct tevent_req *re
+@@ -1489,7 +1504,7 @@ static void sdap_pam_chpass_handler_last_done(struct tevent_req *subreq)
+ talloc_free(subreq);
- ret = sdap_modify_shadow_lastchange_recv(req);
if (ret != EOK) {
- state->pd->pam_status = PAM_SYSTEM_ERR;
+ state->pd->pam_status = PAM_SERVICE_ERR;
goto done;
}
-@@ -1193,7 +1207,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
- goto done;
- }
-
-- pd->pam_status = PAM_SYSTEM_ERR;
-+ pd->pam_status = PAM_SERVICE_ERR;
-
- switch (pd->cmd) {
- case SSS_PAM_AUTHENTICATE:
-@@ -1291,7 +1305,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
- state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
- break;
- default:
-- state->pd->pam_status = PAM_SYSTEM_ERR;
-+ state->pd->pam_status = PAM_SERVICE_ERR;
- dp_err = DP_ERR_FATAL;
- }
-
diff --git a/security/sssd/files/patch-src__providers__ldap__ldap_child.c b/security/sssd/files/patch-src__providers__ldap__ldap_child.c
new file mode 100644
index 000000000000..745687d00267
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ldap__ldap_child.c
@@ -0,0 +1,22 @@
+diff --git src/providers/ldap/ldap_child.c src/providers/ldap/ldap_child.c
+index 368bb91e1..1bc86ecb5 100644
+--- src/providers/ldap/ldap_child.c
++++ src/providers/ldap/ldap_child.c
+@@ -324,14 +324,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+ full_princ = talloc_strdup(tmp_ctx, princ_str);
+ }
+ } else {
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[_POSIX_HOST_NAME_MAX + 1];
+
+- ret = gethostname(hostname, sizeof(hostname));
++ ret = gethostname(hostname, _POSIX_HOST_NAME_MAX);
+ if (ret == -1) {
+ krberr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[_POSIX_HOST_NAME_MAX] = '\0';
+
+ DEBUG(SSSDBG_TRACE_LIBS, "got hostname: [%s]\n", hostname);
+
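Review bot: The HOST_NAME_MAX substitution is hand-applied at every call site, here and in the patches for sdap_access.c, sdap_async_sudo_hostinfo.c and async_resolv_utils.c, so each port update has to re-verify the same three-line edit in four files. A single fallback in one shared header (`#ifndef HOST_NAME_MAX`, `#define HOST_NAME_MAX _POSIX_HOST_NAME_MAX`, `#endif`) would leave the upstream lines untouched, including `gethostname(hostname, sizeof(hostname))`. If the per-site edits stay, a comment should say that the length passed is deliberately one less than the buffer size, so the terminator written at index `_POSIX_HOST_NAME_MAX` always lies past what gethostname() can fill. In sdap_access_host the name feeds an access decision, and how truncation is reported on the target platform is not visible here, so it is worth confirming that a truncated name fails closed. The enclosing function starts and ends outside the hunk.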
diff --git a/security/sssd/files/patch-src__providers__ldap__sdap_access.c b/security/sssd/files/patch-src__providers__ldap__sdap_access.c
index 07fa6a501e35..5b9e5efc1e1e 100644
--- a/security/sssd/files/patch-src__providers__ldap__sdap_access.c
+++ b/security/sssd/files/patch-src__providers__ldap__sdap_access.c
@@ -1,19 +1,9 @@
---- src/providers/ldap/sdap_access.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/providers/ldap/sdap_access.c src/providers/ldap/sdap_access.c
+index dd04ec512..58a3766fc 100644
+--- src/providers/ldap/sdap_access.c
+++ src/providers/ldap/sdap_access.c
-@@ -499,6 +499,7 @@ static bool nds_check_expired(const char *exp_time_str
- return true;
- }
+@@ -562,9 +562,9 @@ bool nds_check_expired(const char *exp_time_str)
-+ tzset();
- expire_time = mktime(&tm);
- if (expire_time == -1) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-@@ -506,13 +507,11 @@ static bool nds_check_expired(const char *exp_time_str
- return true;
- }
-
-- tzset();
-- expire_time -= timezone;
now = time(NULL);
DEBUG(SSSDBG_TRACE_ALL,
- "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
@@ -25,3 +15,27 @@
if (difftime(now, expire_time) > 0.0) {
DEBUG(SSSDBG_CONF_SETTINGS, "NDS account expired.\n");
+@@ -1247,7 +1247,7 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
+ struct ldb_message_element *el;
+ unsigned int i;
+ char *host;
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[_POSIX_HOST_NAME_MAX + 1];
+
+ el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_HOST);
+ if (!el || el->num_values == 0) {
+@@ -1255,12 +1255,12 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
+ return ERR_ACCESS_DENIED;
+ }
+
+- if (gethostname(hostname, sizeof(hostname)) == -1) {
++ if (gethostname(hostname, _POSIX_HOST_NAME_MAX) == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to get system hostname. Access denied\n");
+ return ERR_ACCESS_DENIED;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[_POSIX_HOST_NAME_MAX] = '\0';
+
+ /* FIXME: PADL's pam_ldap also calls gethostbyname() on the hostname
+ * in some attempt to get aliases and/or FQDN for the machine.
diff --git a/security/sssd/files/patch-src__providers__ldap__sdap_async_groups.c b/security/sssd/files/patch-src__providers__ldap__sdap_async_groups.c
new file mode 100644
index 000000000000..4cebe5fbd6c4
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ldap__sdap_async_groups.c
@@ -0,0 +1,22 @@
+diff --git src/providers/ldap/sdap_async_groups.c src/providers/ldap/sdap_async_groups.c
+index 09e15bc3d..c74e4c3ea 100644
+--- src/providers/ldap/sdap_async_groups.c
++++ src/providers/ldap/sdap_async_groups.c
+@@ -505,6 +505,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
+ struct sysdb_attrs *group_attrs;
+ const char *group_name = NULL;
+ gid_t gid;
++ id_t temp_id;
+ errno_t ret;
+ char *usn_value = NULL;
+ TALLOC_CTX *tmpctx = NULL;
+@@ -615,7 +616,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
+ group_name, sid_str);
+
+ /* Convert the SID into a UNIX group ID */
+- ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
++ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &temp_id);
++ gid = (gid_t) temp_id;
+ if (ret == ENOTSUP) {
+ /* ENOTSUP is returned if built-in SID was provided
+ * => do not store the group, but return EOK */
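Review bot: `gid = (gid_t) temp_id;` runs before `ret` is checked, so on the ENOTSUP and other failure paths it reads `temp_id`, which is declared without an initializer and may not have been written by sdap_idmap_sid_to_unix (its body is not visible here). The patches for sdap_async_initgroups.c (first call site, in sdap_add_incomplete_groups) and sdap_async_initgroups_ad.c use the same ordering, while sdap_async_users.c and the sdap_get_initgr_done site assign only after the error check. Either declare `id_t temp_id = 0;` or move the assignment below the `ret` checks. The cast also narrows silently if id_t is wider than gid_t on this platform, so a range check that fails with an error before the cast would keep an out-of-range mapped ID from turning into a different group ID. sdap_save_group continues outside the hunk.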
diff --git a/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups.c b/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups.c
new file mode 100644
index 000000000000..2803124e583b
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups.c
@@ -0,0 +1,41 @@
+diff --git src/providers/ldap/sdap_async_initgroups.c src/providers/ldap/sdap_async_initgroups.c
+index 620782b6f..9831ac1d6 100644
+--- src/providers/ldap/sdap_async_initgroups.c
++++ src/providers/ldap/sdap_async_initgroups.c
+@@ -45,6 +45,7 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
+ const char *uuid = NULL;
+ char **missing;
+ gid_t gid;
++ id_t temp_id;
+ int ret;
+ errno_t sret;
+ bool in_transaction = false;
+@@ -146,7 +147,8 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
+
+ /* Convert the SID into a UNIX group ID */
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str,
+- &gid);
++ &temp_id);
++ gid = (gid_t) temp_id;
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Group [%s] has mapped gid [%lu]\n",
+@@ -3305,6 +3307,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ gid_t primary_gid;
++ id_t temp_id;
+ char *gid;
+ char *sid_str;
+ char *dom_sid_str;
+@@ -3411,8 +3414,9 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
+
+ /* Convert the SID into a UNIX group ID */
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str,
+- &primary_gid);
++ &temp_id);
+ if (ret != EOK) goto done;
++ primary_gid = (gid_t) temp_id;
+ } else {
+ ret = sysdb_attrs_get_uint32_t(state->orig_user, SYSDB_GIDNUM,
+ &primary_gid);
diff --git a/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups_ad.c b/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups_ad.c
new file mode 100644
index 000000000000..b7feb84f1507
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups_ad.c
@@ -0,0 +1,22 @@
+diff --git src/providers/ldap/sdap_async_initgroups_ad.c src/providers/ldap/sdap_async_initgroups_ad.c
+index 3c58f5bc4..7e0a5169d 100644
+--- src/providers/ldap/sdap_async_initgroups_ad.c
++++ src/providers/ldap/sdap_async_initgroups_ad.c
+@@ -851,6 +851,7 @@ errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+ size_t i;
+ time_t now;
+ gid_t gid;
++ id_t temp_id;
+ char **groups = NULL;
+ size_t num_groups;
+ errno_t ret;
+@@ -881,7 +882,8 @@ errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+ sid = sids[i];
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing membership SID [%s]\n", sid);
+
+- ret = sdap_idmap_sid_to_unix(idmap_ctx, sid, &gid);
++ ret = sdap_idmap_sid_to_unix(idmap_ctx, sid, &temp_id);
++ gid = (gid_t) temp_id;
+ if (ret == ENOTSUP) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Skipping built-in object.\n");
+ continue;
diff --git a/security/sssd/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c b/security/sssd/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c
new file mode 100644
index 000000000000..78deda7d99fa
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c
@@ -0,0 +1,30 @@
+diff --git src/providers/ldap/sdap_async_sudo_hostinfo.c src/providers/ldap/sdap_async_sudo_hostinfo.c
+index a3c3e1068..f33299304 100644
+--- src/providers/ldap/sdap_async_sudo_hostinfo.c
++++ src/providers/ldap/sdap_async_sudo_hostinfo.c
+@@ -357,7 +357,7 @@ static struct tevent_req *sdap_sudo_get_hostnames_send(TALLOC_CTX *mem_ctx,
+ struct tevent_req *subreq = NULL;
+ struct sdap_sudo_get_hostnames_state *state = NULL;
+ char *dot = NULL;
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[_POSIX_HOST_NAME_MAX + 1];
+ int ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+@@ -380,14 +380,14 @@ static struct tevent_req *sdap_sudo_get_hostnames_send(TALLOC_CTX *mem_ctx,
+ /* get hostname */
+
+ errno = 0;
+- ret = gethostname(hostname, sizeof(hostname));
++ ret = gethostname(hostname, _POSIX_HOST_NAME_MAX);
+ if (ret != EOK) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve machine hostname "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[_POSIX_HOST_NAME_MAX] = '\0';
+
+ state->hostnames[0] = talloc_strdup(state->hostnames, hostname);
+ if (state->hostnames[0] == NULL) {
diff --git a/security/sssd/files/patch-src__providers__ldap__sdap_async_users.c b/security/sssd/files/patch-src__providers__ldap__sdap_async_users.c
new file mode 100644
index 000000000000..4e5fcbb6008c
--- /dev/null
+++ b/security/sssd/files/patch-src__providers__ldap__sdap_async_users.c
@@ -0,0 +1,48 @@
+diff --git src/providers/ldap/sdap_async_users.c src/providers/ldap/sdap_async_users.c
+index 92eeda1d3..8847be79b 100644
+--- src/providers/ldap/sdap_async_users.c
++++ src/providers/ldap/sdap_async_users.c
+@@ -61,7 +61,8 @@ sdap_get_idmap_primary_gid(struct sdap_options *opts,
+ {
+ errno_t ret;
+ TALLOC_CTX *tmpctx = NULL;
+- gid_t gid, primary_gid;
++ id_t gid;
++ gid_t primary_gid;
+ char *group_sid_str;
+
+ tmpctx = talloc_new(NULL);
+@@ -108,7 +109,7 @@ sdap_get_idmap_primary_gid(struct sdap_options *opts,
+ if (ret != EOK) goto done;
+
+ ret = EOK;
+- *_gid = gid;
++ *_gid = (gid_t) gid;
+ done:
+ talloc_free(tmpctx);
+ return ret;
+@@ -188,6 +189,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
+ const char *orig_dn = NULL;
+ uid_t uid = 0;
+ gid_t gid = 0;
++ id_t temp_id;
+ struct sysdb_attrs *user_attrs;
+ char *upn = NULL;
+ size_t i;
+@@ -331,7 +333,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
+ "Mapping user [%s] objectSID [%s] to unix ID\n", user_name, sid_str);
+
+ /* Convert the SID into a UNIX user ID */
+- ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid);
++ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &temp_id);
+ if (ret == ENOTSUP) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Skipping built-in object.\n");
+ ret = EOK;
+@@ -339,6 +341,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
+ } else if (ret != EOK) {
+ goto done;
+ }
++ uid = (uid_t) temp_id;
+
+ /* Store the UID in the ldap_attrs so it doesn't get
+ * treated as a missing attribute from LDAP and removed.
diff --git a/security/sssd/files/patch-src__resolv__async_resolv_utils.c b/security/sssd/files/patch-src__resolv__async_resolv_utils.c
new file mode 100644
index 000000000000..27457a3399d6
--- /dev/null
+++ b/security/sssd/files/patch-src__resolv__async_resolv_utils.c
@@ -0,0 +1,30 @@
+diff --git src/resolv/async_resolv_utils.c src/resolv/async_resolv_utils.c
+index f86181b91..25323cf7a 100644
+--- src/resolv/async_resolv_utils.c
++++ src/resolv/async_resolv_utils.c
+@@ -45,7 +45,7 @@ resolv_get_domain_send(TALLOC_CTX *mem_ctx,
+ struct resolv_get_domain_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+- char system_hostname[HOST_NAME_MAX + 1];
++ char system_hostname[_POSIX_HOST_NAME_MAX + 1];
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+@@ -57,14 +57,14 @@ resolv_get_domain_send(TALLOC_CTX *mem_ctx,
+
+ if (hostname == NULL) {
+ /* use system hostname */
+- ret = gethostname(system_hostname, sizeof(system_hostname));
++ ret = gethostname(system_hostname, _POSIX_HOST_NAME_MAX);
+ if (ret) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "gethostname() failed: [%d]: %s\n",
+ ret, strerror(ret));
+ goto immediately;
+ }
+- system_hostname[HOST_NAME_MAX] = '\0';
++ system_hostname[_POSIX_HOST_NAME_MAX] = '\0';
+ hostname = system_hostname;
+ }
+
diff --git a/security/sssd/files/patch-src__sbus__sbus_codegen b/security/sssd/files/patch-src__sbus__sbus_codegen
new file mode 100644
index 000000000000..3e82500c9165
--- /dev/null
+++ b/security/sssd/files/patch-src__sbus__sbus_codegen
@@ -0,0 +1,10 @@
+diff --git src/sbus/sbus_codegen src/sbus/sbus_codegen
+index a97a92591..fb3b6d9b3 100755
+--- src/sbus/sbus_codegen
++++ src/sbus/sbus_codegen
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+
+ #
+ # Authors:
diff --git a/security/sssd/files/patch-src__sss_client__common.c b/security/sssd/files/patch-src__sss_client__common.c
index e9ec13a2d56c..59dcc448fd7c 100644
--- a/security/sssd/files/patch-src__sss_client__common.c
+++ b/security/sssd/files/patch-src__sss_client__common.c
@@ -1,4 +1,6 @@
---- src/sss_client/common.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/sss_client/common.c src/sss_client/common.c
+index d8effb6dd..edeb4a159 100644
+--- src/sss_client/common.c
+++ src/sss_client/common.c
@@ -25,6 +25,7 @@
#include "config.h"
@@ -8,15 +10,15 @@
#include <security/pam_modules.h>
#include <errno.h>
#include <sys/types.h>
-@@ -43,6 +44,7 @@
- #include <libintl.h>
+@@ -44,6 +45,7 @@
#define _(STRING) dgettext (PACKAGE, STRING)
#include "sss_cli.h"
+ #include "common_private.h"
+#include "util/sss_bsd_errno.h"
#if HAVE_PTHREAD
#include <pthread.h>
-@@ -124,7 +126,6 @@ static enum sss_status sss_cli_send_req(enum sss_cli_c
+@@ -126,7 +128,6 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
*errnop = error;
break;
case 0:
@@ -24,7 +26,7 @@
break;
case 1:
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-@@ -232,7 +233,6 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_c
+@@ -235,7 +236,6 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
*errnop = error;
break;
case 0:
@@ -32,7 +34,7 @@
break;
case 1:
if (pfd.revents & (POLLHUP)) {
-@@ -669,7 +669,6 @@ static enum sss_status sss_cli_check_socket(int *errno
+@@ -679,7 +679,6 @@ static enum sss_status sss_cli_check_socket(int *errnop,
*errnop = error;
break;
case 0:
@@ -40,7 +42,7 @@
break;
case 1:
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-@@ -719,23 +718,23 @@ enum nss_status sss_nss_make_request(enum sss_cli_comm
+@@ -730,7 +729,7 @@ enum nss_status sss_nss_make_request_timeout(enum sss_cli_command cmd,
/* avoid looping in the nss daemon */
envval = getenv("_SSS_LOOPS");
if (envval && strcmp(envval, "NO") == 0) {
@@ -48,42 +50,21 @@
+ return NS_NOTFOUND;
}
- ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME);
- if (ret != SSS_STATUS_SUCCESS) {
-- return NSS_STATUS_UNAVAIL;
-+ return NS_UNAVAIL;
- }
-
- ret = sss_cli_make_request_nochecks(cmd, rd, repbuf, replen, errnop);
- switch (ret) {
- case SSS_STATUS_TRYAGAIN:
-- return NSS_STATUS_TRYAGAIN;
-+ return NS_TRYAGAIN;
- case SSS_STATUS_SUCCESS:
-- return NSS_STATUS_SUCCESS;
-+ return NS_SUCCESS;
- case SSS_STATUS_UNAVAIL:
- default:
-- return NSS_STATUS_UNAVAIL;
-+ return NS_UNAVAIL;
- }
- }
-
-@@ -750,23 +749,23 @@ int sss_pac_make_request(enum sss_cli_command cmd,
- /* avoid looping in the nss daemon */
- envval = getenv("_SSS_LOOPS");
- if (envval && strcmp(envval, "NO") == 0) {
+ ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME, timeout);
+@@ -738,9 +737,9 @@ enum nss_status sss_nss_make_request_timeout(enum sss_cli_command cmd,
+ #ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR
+ *errnop = 0;
+ errno = 0;
- return NSS_STATUS_NOTFOUND;
+ return NS_NOTFOUND;
- }
-
- ret = sss_cli_check_socket(errnop, SSS_PAC_SOCKET_NAME);
- if (ret != SSS_STATUS_SUCCESS) {
+ #else
- return NSS_STATUS_UNAVAIL;
+ return NS_UNAVAIL;
+ #endif
}
- ret = sss_cli_make_request_nochecks(cmd, rd, repbuf, replen, errnop);
+@@ -765,17 +764,17 @@ enum nss_status sss_nss_make_request_timeout(enum sss_cli_command cmd,
+ }
switch (ret) {
case SSS_STATUS_TRYAGAIN:
- return NSS_STATUS_TRYAGAIN;
@@ -93,8 +74,14 @@
+ return NS_SUCCESS;
case SSS_STATUS_UNAVAIL:
default:
+ #ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR
+ *errnop = 0;
+ errno = 0;
+- return NSS_STATUS_NOTFOUND;
++ return NS_NOTFOUND;
+ #else
- return NSS_STATUS_UNAVAIL;
+ return NS_UNAVAIL;
+ #endif
}
}
-
diff --git a/security/sssd/files/patch-src__sss_client__nss_group.c b/security/sssd/files/patch-src__sss_client__nss_group.c
index 03fa0ed414c9..0deefe48139c 100644
--- a/security/sssd/files/patch-src__sss_client__nss_group.c
+++ b/security/sssd/files/patch-src__sss_client__nss_group.c
@@ -1,6 +1,8 @@
---- src/sss_client/nss_group.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/sss_client/nss_group.c src/sss_client/nss_group.c
+index 5ab2bdf78..69ba75dcb 100644
+--- src/sss_client/nss_group.c
+++ src/sss_client/nss_group.c
-@@ -343,6 +343,76 @@ out:
+@@ -390,6 +390,76 @@ out:
}
diff --git a/security/sssd/files/patch-src__sss_client__pam_sss.c b/security/sssd/files/patch-src__sss_client__pam_sss.c
new file mode 100644
index 000000000000..1e34b7ee9ffd
--- /dev/null
+++ b/security/sssd/files/patch-src__sss_client__pam_sss.c
@@ -0,0 +1,16 @@
+diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c
+index f634f7659..1de88fefe 100644
+--- src/sss_client/pam_sss.c
++++ src/sss_client/pam_sss.c
+@@ -263,9 +263,9 @@ static int do_pam_conversation(pam_handle_t *pamh, const int msg_style,
+
+ pam_msg->msg_style = msg_style;
+ if (state == SSS_PAM_CONV_REENTER) {
+- pam_msg->msg = reenter_msg;
++ pam_msg->msg = (char *)(intptr_t)reenter_msg;
+ } else {
+- pam_msg->msg = msg;
++ pam_msg->msg = (char *)(intptr_t)msg;
+ }
+
+ mesg[0] = (const struct pam_message *) pam_msg;
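Review bot: The `(char *)(intptr_t)` double cast on both assignments appears to exist only to drop `const` without a compiler warning, presumably because the platform's struct pam_message declares `msg` as `char *`, and nothing in the patch says so. A one-line comment such as `/* drop const to match struct pam_message's msg field */` above the `if` would record the intent. Whether `<stdint.h>` is already included for `intptr_t` is not visible in this hunk and should be confirmed. do_pam_conversation continues outside the hunk.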
diff --git a/security/sssd/files/patch-src__sss_client__sss_nss.exports b/security/sssd/files/patch-src__sss_client__sss_nss.exports
index af51900099ac..ceeb55742553 100644
--- a/security/sssd/files/patch-src__sss_client__sss_nss.exports
+++ b/security/sssd/files/patch-src__sss_client__sss_nss.exports
@@ -1,4 +1,6 @@
---- src/sss_client/sss_nss.exports.orig 2014-09-17 13:01:37 UTC
+diff --git src/sss_client/sss_nss.exports src/sss_client/sss_nss.exports
+index 1eefea8d5..8e85a0541 100644
+--- src/sss_client/sss_nss.exports
+++ src/sss_client/sss_nss.exports
@@ -3,6 +3,7 @@ EXPORTED {
# public functions
@@ -8,13 +10,13 @@
_nss_sss_getpwnam_r;
_nss_sss_getpwuid_r;
_nss_sss_setpwent;
-@@ -14,7 +15,24 @@ EXPORTED {
+@@ -14,8 +15,25 @@ EXPORTED {
_nss_sss_setgrent;
_nss_sss_getgrent_r;
_nss_sss_endgrent;
+ _nss_sss_getgroupmembership;
_nss_sss_initgroups_dyn;
-+
+
+ __nss_compat_getgrnam_r;
+ __nss_compat_getgrgid_r;
+ __nss_compat_getgrent_r;
@@ -30,6 +32,7 @@
+ __nss_compat_gethostbyname;
+ __nss_compat_gethostbyname2;
+ __nss_compat_gethostbyaddr;
-
++
#_nss_sss_getaliasbyname_r;
#_nss_sss_setaliasent;
+ #_nss_sss_getaliasent_r;
diff --git a/security/sssd/files/patch-src__tests__cmocka__test_authtok.c b/security/sssd/files/patch-src__tests__cmocka__test_authtok.c
new file mode 100644
index 000000000000..ef3344e4b559
--- /dev/null
+++ b/security/sssd/files/patch-src__tests__cmocka__test_authtok.c
@@ -0,0 +1,12 @@
+diff --git src/tests/cmocka/test_authtok.c src/tests/cmocka/test_authtok.c
+index 9422f96bc..8492e186a 100644
+--- src/tests/cmocka/test_authtok.c
++++ src/tests/cmocka/test_authtok.c
+@@ -28,6 +28,7 @@
+ #include "tests/cmocka/common_mock.h"
+
+ #include "util/authtok.h"
++#include "util/sss_endian.h"
+
+
+ struct test_state {
diff --git a/security/sssd/files/patch-src__tests__cmocka__test_pam_srv.c b/security/sssd/files/patch-src__tests__cmocka__test_pam_srv.c
new file mode 100644
index 000000000000..b88a33513a5b
--- /dev/null
+++ b/security/sssd/files/patch-src__tests__cmocka__test_pam_srv.c
@@ -0,0 +1,13 @@
+diff --git src/tests/cmocka/test_pam_srv.c src/tests/cmocka/test_pam_srv.c
+index 446985d5d..f53f84be2 100644
+--- src/tests/cmocka/test_pam_srv.c
++++ src/tests/cmocka/test_pam_srv.c
+@@ -1177,7 +1177,7 @@ void test_pam_open_session(void **state)
+
+ /* make sure pam_status is not touched by setting it to a value which is
+ * not used by SSSD. */
+- pam_test_ctx->exp_pam_status = _PAM_RETURN_VALUES;
++ pam_test_ctx->exp_pam_status = PAM_NUM_ERRORS;
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_OPEN_SESSION,
+ pam_test_ctx->pam_cmds);
diff --git a/security/sssd/files/patch-src__tests__cwrap__test_responder_common.c b/security/sssd/files/patch-src__tests__cwrap__test_responder_common.c
new file mode 100644
index 000000000000..d759d7f224b3
--- /dev/null
+++ b/security/sssd/files/patch-src__tests__cwrap__test_responder_common.c
@@ -0,0 +1,18 @@
+diff --git src/tests/cwrap/test_responder_common.c src/tests/cwrap/test_responder_common.c
+index 11cc3abd8..191310143 100644
+--- src/tests/cwrap/test_responder_common.c
++++ src/tests/cwrap/test_responder_common.c
+@@ -136,11 +136,13 @@ void check_sock_properties(struct create_pipe_ctx *ctx, mode_t mode)
+ assert_true(S_ISSOCK(sbuf.st_mode));
+ assert_true((sbuf.st_mode & ~S_IFMT) == mode);
+
++#ifdef SO_DOMAIN
+ /* Check it's a UNIX socket */
+ optlen = sizeof(optval);
+ ret = getsockopt(ctx->fd, SOL_SOCKET, SO_DOMAIN, &optval, &optlen);
+ assert_int_equal(ret, 0);
+ assert_int_equal(optval, AF_UNIX);
++#endif
+
+ optlen = sizeof(optval);
+ ret = getsockopt(ctx->fd, SOL_SOCKET, SO_TYPE, &optval, &optlen);
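Review bot: With the `#ifdef SO_DOMAIN` guard, a platform that lacks the option skips the address-family assertion entirely, so check_sock_properties no longer verifies there that the pipe is a UNIX socket. An `#else` branch could keep the check portable with `getsockname(ctx->fd, (struct sockaddr *)&ss, &sslen)` followed by `assert_int_equal(ss.ss_family, AF_UNIX)`, using a local `struct sockaddr_storage ss`. The function continues outside the hunk.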
diff --git a/security/sssd/files/patch-src__tests__cwrap__test_server.c b/security/sssd/files/patch-src__tests__cwrap__test_server.c
new file mode 100644
index 000000000000..66b4c6198f16
--- /dev/null
+++ b/security/sssd/files/patch-src__tests__cwrap__test_server.c
@@ -0,0 +1,12 @@
+diff --git src/tests/cwrap/test_server.c src/tests/cwrap/test_server.c
+index 85ecb7f74..a2ddc595f 100644
+--- src/tests/cwrap/test_server.c
++++ src/tests/cwrap/test_server.c
+@@ -23,6 +23,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
++#include <signal.h>
+
+ #include <popt.h>
+ #include "util/util.h"
diff --git a/security/sssd/files/patch-src__tests__dlopen-tests.c b/security/sssd/files/patch-src__tests__dlopen-tests.c
new file mode 100644
index 000000000000..0ee773744daf
--- /dev/null
+++ b/security/sssd/files/patch-src__tests__dlopen-tests.c
@@ -0,0 +1,22 @@
+diff --git src/tests/dlopen-tests.c src/tests/dlopen-tests.c
+index 9a5d3597f..4b469726b 100644
+--- src/tests/dlopen-tests.c
++++ src/tests/dlopen-tests.c
+@@ -44,7 +44,7 @@ struct so {
+ { "libipa_hbac.so", { LIBPFX"libipa_hbac.so", NULL } },
+ { "libsss_idmap.so", { LIBPFX"libsss_idmap.so", NULL } },
+ { "libsss_nss_idmap.so", { LIBPFX"libsss_nss_idmap.so", NULL } },
+- { "libnss_sss.so", { LIBPFX"libnss_sss.so", NULL } },
++ { "nss_sss.so", { LIBPFX"nss_sss.so", NULL } },
+ { "libsss_certmap.so", { LIBPFX"libsss_certmap.so", NULL } },
+ { "pam_sss.so", { LIBPFX"pam_sss.so", NULL } },
+ #ifdef BUILD_LIBWBCLIENT
+@@ -82,8 +82,6 @@ struct so {
+ { "libsss_util.so", { LIBPFX"libsss_util.so", NULL } },
+ { "libsss_simple.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_simple.so", NULL } },
+- { "libsss_files.so", { LIBPFX"libdlopen_test_providers.so",
+- LIBPFX"libsss_files.so", NULL } },
+ #ifdef BUILD_SAMBA
+ { "libsss_ad.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_ad.so", NULL } },
diff --git a/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c b/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c
index 4a5d0aed9fd7..323eef4fb139 100644
--- a/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c
+++ b/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c
@@ -1,15 +1,16 @@
---- src/util/crypto/libcrypto/crypto_sha512crypt.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/util/crypto/libcrypto/crypto_sha512crypt.c src/util/crypto/libcrypto/crypto_sha512crypt.c
+index 2275ccd96..c1e418917 100644
+--- src/util/crypto/libcrypto/crypto_sha512crypt.c
+++ src/util/crypto/libcrypto/crypto_sha512crypt.c
-@@ -28,6 +28,12 @@
- #include <openssl/evp.h>
- #include <openssl/rand.h>
+@@ -30,6 +30,11 @@
+
+ #include "sss_openssl.h"
+void *
+mempcpy (void *dest, const void *src, size_t n)
+{
+ return (char *) memcpy (dest, src, n) + n;
+}
-+
+
/* Define our magic string to mark salt for SHA512 "encryption" replacement. */
const char sha512_salt_prefix[] = "$6$";
- #define SALT_PREF_SIZE (sizeof(sha512_salt_prefix) - 1)
diff --git a/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c b/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c
index a258a7db646b..aa1efee665b3 100644
--- a/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c
+++ b/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c
@@ -1,4 +1,6 @@
---- src/util/crypto/nss/nss_sha512crypt.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/util/crypto/nss/nss_sha512crypt.c src/util/crypto/nss/nss_sha512crypt.c
+index 4d0594d9f..49801222d 100644
+--- src/util/crypto/nss/nss_sha512crypt.c
+++ src/util/crypto/nss/nss_sha512crypt.c
@@ -29,6 +29,12 @@
#include <sechash.h>
diff --git a/security/sssd/files/patch-src__util__find_uid.c b/security/sssd/files/patch-src__util__find_uid.c
index 2baa338a1154..3e2cbd902dcc 100644
--- a/security/sssd/files/patch-src__util__find_uid.c
+++ b/security/sssd/files/patch-src__util__find_uid.c
@@ -1,15 +1,17 @@
---- src/util/find_uid.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/util/find_uid.c src/util/find_uid.c
+index 215c0d338..42a1df729 100644
+--- src/util/find_uid.c
+++ src/util/find_uid.c
-@@ -67,7 +67,7 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t
+@@ -72,7 +72,7 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
uint32_t num=0;
errno_t error;
- ret = snprintf(path, PATHLEN, "/proc/%d/status", pid);
+ ret = snprintf(path, PATHLEN, "/compat/linux/proc/%d/status", pid);
if (ret < 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "snprintf failed");
+ DEBUG(SSSDBG_CRIT_FAILURE, "snprintf failed\n");
return EINVAL;
-@@ -207,12 +207,12 @@ static errno_t get_active_uid_linux(hash_table_t *tabl
+@@ -218,12 +218,12 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
struct dirent *dirent;
int ret, err;
pid_t pid = -1;
@@ -24,7 +26,7 @@
if (proc_dir == NULL) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot open proc dir.\n");
-@@ -287,9 +287,8 @@ done:
+@@ -298,9 +298,8 @@ done:
errno_t get_uid_table(TALLOC_CTX *mem_ctx, hash_table_t **table)
{
diff --git a/security/sssd/files/patch-src__util__nss_dl_load.c b/security/sssd/files/patch-src__util__nss_dl_load.c
new file mode 100644
index 000000000000..1eb41aaf011e
--- /dev/null
+++ b/security/sssd/files/patch-src__util__nss_dl_load.c
@@ -0,0 +1,30 @@
+--- src/util/nss_dl_load.c-orig 2020-10-22 17:57:10.433049000 +0100
++++ src/util/nss_dl_load.c 2020-11-01 13:25:22.636487000 +0000
+@@ -24,6 +24,7 @@
+ #include "util/util_errors.h"
+ #include "util/debug.h"
+ #include "nss_dl_load.h"
++#include "util/sss_bsd_errno.h"
+
+
+ #define NSS_FN_NAME "_nss_%s_%s"
+@@ -36,7 +37,8 @@
+ char *funcname;
+ void *funcptr;
+
+- funcname = talloc_asprintf(NULL, NSS_FN_NAME, libname, name);
++/* funcname = talloc_asprintf(NULL, NSS_FN_NAME, libname, name); */
++ funcname = talloc_asprintf(NULL, "%s", name);
+ if (funcname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ return NULL;
+@@ -78,7 +80,8 @@
+ {(void**)&ops->endservent, "endservent"}
+ };
+
+- libpath = talloc_asprintf(NULL, "libnss_%s.so.2", libname);
++/* libpath = talloc_asprintf(NULL, "libnss_%s.so.2", libname); */
++ libpath = talloc_asprintf(NULL, "/lib/libc.so.7", libname);
+ if (libpath == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ return ENOMEM;
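Review bot: The replacement `talloc_asprintf(NULL, "/lib/libc.so.7", libname)` in the second inner hunk passes `libname` to a format string that has no conversion for it. Together with `talloc_asprintf(NULL, "%s", name)` in the first inner hunk, the loader now ignores the caller's library name entirely and resolves the bare function name from libc. If this code backs a provider that lets the administrator choose an NSS library (not visible here), that choice is silently replaced by libc's own lookup path, which may route back through nsswitch. I would drop the unused argument, `libpath = talloc_strdup(NULL, "/lib/libc.so.7");`, delete the commented-out originals, and add a comment such as `/* FreeBSD port: symbols are resolved from libc; libname is ignored */`. Both enclosing functions start and end outside the hunk.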
diff --git a/security/sssd/files/patch-src__util__server.c b/security/sssd/files/patch-src__util__server.c
index 7279c0b6a347..1d46e15ef9c9 100644
--- a/security/sssd/files/patch-src__util__server.c
+++ b/security/sssd/files/patch-src__util__server.c
@@ -1,10 +1,10 @@
---- src/util/server.c.orig 2014-09-17 13:01:37 UTC
+diff --git src/util/server.c src/util/server.c
+index f34bf49f6..7cb3864af 100644
+--- src/util/server.c
+++ src/util/server.c
-@@ -322,12 +322,14 @@ static void setup_signals(void)
+@@ -311,10 +311,13 @@ static void setup_signals(void)
BlockSignals(false, SIGTERM);
- CatchSignal(SIGHUP, sig_hup);
--
#ifndef HAVE_PRCTL
- /* If prctl is not defined on the system, try to handle
- * some common termination signals gracefully */
diff --git a/security/sssd/files/patch-src__util__signal.c b/security/sssd/files/patch-src__util__signal.c
deleted file mode 100644
index 06ac4f33802f..000000000000
--- a/security/sssd/files/patch-src__util__signal.c
+++ /dev/null
@@ -1,71 +0,0 @@
---- src/util/signal.c.orig 2014-09-17 13:01:37 UTC
-+++ src/util/signal.c
-@@ -28,45 +28,6 @@
- * @brief Signal handling
- */
-
--/****************************************************************************
-- Catch child exits and reap the child zombie status.
--****************************************************************************/
--
--static void sig_cld(int signum)
--{
-- while (waitpid((pid_t)-1,(int *)NULL, WNOHANG) > 0)
-- ;
--
-- /*
-- * Turns out it's *really* important not to
-- * restore the signal handler here if we have real POSIX
-- * signal handling. If we do, then we get the signal re-delivered
-- * immediately - hey presto - instant loop ! JRA.
-- */
--
--#if !defined(HAVE_SIGACTION)
-- CatchSignal(SIGCLD, sig_cld);
--#endif
--}
--
--/****************************************************************************
--catch child exits - leave status;
--****************************************************************************/
--
--static void sig_cld_leave_status(int signum)
--{
-- /*
-- * Turns out it's *really* important not to
-- * restore the signal handler here if we have real POSIX
-- * signal handling. If we do, then we get the signal re-delivered
-- * immediately - hey presto - instant loop ! JRA.
-- */
--
--#if !defined(HAVE_SIGACTION)
-- CatchSignal(SIGCLD, sig_cld_leave_status);
--#endif
--}
--
- /**
- Block sigs.
- **/
-@@ -125,22 +86,4 @@ void (*CatchSignal(int signum,void (*handler)(int )))(
- /* FIXME: need to handle sigvec and systems with broken signal() */
- return signal(signum, handler);
- #endif
--}
--
--/**
-- Ignore SIGCLD via whatever means is necessary for this OS.
--**/
--
--void CatchChild(void)
--{
-- CatchSignal(SIGCLD, sig_cld);
--}
--
--/**
-- Catch SIGCLD but leave the child around so it's status can be reaped.
--**/
--
--void CatchChildLeaveStatus(void)
--{
-- CatchSignal(SIGCLD, sig_cld_leave_status);
- }
diff --git a/security/sssd/files/patch-src__util__sss_endian.h b/security/sssd/files/patch-src__util__sss_endian.h
new file mode 100644
index 000000000000..fe2c66ef198b
--- /dev/null
+++ b/security/sssd/files/patch-src__util__sss_endian.h
@@ -0,0 +1,23 @@
+diff --git src/util/sss_endian.h src/util/sss_endian.h
+index 834c35980..d0bc1d338 100644
+--- src/util/sss_endian.h
++++ src/util/sss_endian.h
+@@ -29,6 +29,18 @@
+ # include <sys/endian.h>
+ #endif /* !HAVE_ENDIAN_H && !HAVE_SYS_ENDIAN_H */
+
++#if defined(_BYTE_ORDER) && !defined(__BYTE_ORDER)
++#define __BYTE_ORDER _BYTE_ORDER
++#endif
++
++#if defined(_LITTLE_ENDIAN) && !defined(__LITTLE_ENDIAN)
++#define __LITTLE_ENDIAN _LITTLE_ENDIAN
++#endif
++
++#if defined(_BIG_ENDIAN) && !defined(__BIG_ENDIAN)
++#define __BIG_ENDIAN _BIG_ENDIAN
++#endif
++
+ /* Endianness-compatibility for systems running older versions of glibc */
+
+ #ifndef le32toh
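Review bot: The three added mappings do nothing when neither the single- nor the double-underscore macro is defined. An undefined identifier in `#if` evaluates to 0, so a later test such as `__BYTE_ORDER == __LITTLE_ENDIAN` (the users are outside this hunk) would be true on every platform instead of failing the build. After the third block I would add `#if !defined(__BYTE_ORDER) || !defined(__LITTLE_ENDIAN) || !defined(__BIG_ENDIAN)`, `#error "byte order macros are not defined"`, `#endif`. A one-line comment saying that the block maps the `<sys/endian.h>` spellings onto the glibc ones would also help the next reader.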
diff --git a/security/sssd/files/patch-src__util__sss_krb5.c b/security/sssd/files/patch-src__util__sss_krb5.c
new file mode 100644
index 000000000000..8ee54b4c358b
--- /dev/null
+++ b/security/sssd/files/patch-src__util__sss_krb5.c
@@ -0,0 +1,12 @@
+diff --git src/util/sss_krb5.c src/util/sss_krb5.c
+index c0cc28a75..88e6e6008 100644
+--- src/util/sss_krb5.c
++++ src/util/sss_krb5.c
+@@ -28,6 +28,7 @@
+ #include "util/sss_iobuf.h"
+ #include "util/util.h"
+ #include "util/sss_krb5.h"
++#include "util/sss_endian.h"
+
+ static char *
+ sss_krb5_get_primary(TALLOC_CTX *mem_ctx,
diff --git a/security/sssd/files/patch-src__util__sss_ldap.c b/security/sssd/files/patch-src__util__sss_ldap.c
deleted file mode 100644
index c3b3eae7f44d..000000000000
--- a/security/sssd/files/patch-src__util__sss_ldap.c
+++ /dev/null
@@ -1,21 +0,0 @@
---- src/util/sss_ldap.c.orig 2014-09-17 13:01:37 UTC
-+++ src/util/sss_ldap.c
-@@ -206,6 +206,9 @@ static void sdap_async_sys_connect_done(struct tevent_
- errno = 0;
- ret = connect(state->fd, (struct sockaddr *) &state->addr,
- state->addr_len);
-+ if (errno == EISCONN) {
-+ ret = EOK;
-+ }
- if (ret != EOK) {
- ret = errno;
- if (ret == EINPROGRESS || ret == EINTR) {
-@@ -346,7 +349,7 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_
- "Using file descriptor [%d] for LDAP connection.\n", state->sd);
-
- subreq = sdap_async_sys_connect_send(state, ev, state->sd,
-- (struct sockaddr *) addr, addr_len);
-+ (struct sockaddr *) addr, sizeof(struct sockaddr));
- if (subreq == NULL) {
- ret = ENOMEM;
- DEBUG(SSSDBG_CRIT_FAILURE, "sdap_async_sys_connect_send failed.\n");
diff --git a/security/sssd/files/patch-src__util__sss_sockets.c b/security/sssd/files/patch-src__util__sss_sockets.c
new file mode 100644
index 000000000000..5e90879b246f
--- /dev/null
+++ b/security/sssd/files/patch-src__util__sss_sockets.c
@@ -0,0 +1,45 @@
+--- src/util/sss_sockets.c.orig 2020-03-17 13:31:28.000000000 +0000
++++ src/util/sss_sockets.c 2020-10-22 19:39:46.454834000 +0100
+@@ -120,14 +120,16 @@
+ }
+
+ milli = timeout * 1000; /* timeout in milliseconds */
+- ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli,
+- sizeof(milli));
+- if (ret != 0) {
+- ret = errno;
+- DEBUG(SSSDBG_FUNC_DATA,
+- "setsockopt TCP_USER_TIMEOUT failed.[%d][%s].\n", ret,
+- strerror(ret));
+- }
++ /* FreeBSD does not have TCP_USER_TIMEOUT option yet ....
++ * ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli,
++ * sizeof(milli));
++ * if (ret != 0) {
++ * ret = errno;
++ * DEBUG(SSSDBG_FUNC_DATA,
++ * "setsockopt TCP_USER_TIMEOUT failed.[%d][%s].\n", ret,
++ * strerror(ret));
++ * }
++ */
+ }
+
+ return EOK;
+@@ -230,7 +232,7 @@
+
+ talloc_zfree(fde);
+
+- if (ret == EOK) {
++ if (ret == EOK || ret == EISCONN) {
+ tevent_req_done(req);
+ } else {
+ ret = errno;
+@@ -313,7 +315,7 @@
+ "Using file descriptor [%d] for the connection.\n", state->sd);
+
+ subreq = sssd_async_connect_send(state, ev, state->sd,
+- (struct sockaddr *) addr, addr_len);
++ (struct sockaddr *) addr, sizeof(struct sockaddr));
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ DEBUG(SSSDBG_CRIT_FAILURE, "sssd_async_connect_send failed.\n");
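Review bot: In the second inner hunk `ret == EISCONN` compares what appears to be connect()'s return value with an errno constant. The `else` branch does `ret = errno`, so `ret` is presumably 0 or -1 at that point and the new condition can never match; the removed patch-src__util__sss_ldap.c tested `errno == EISCONN` instead. The condition should read `if (ret == EOK || errno == EISCONN) {`, to be confirmed against the call above the hunk that sets `ret`. In the third inner hunk `sizeof(struct sockaddr)` is shorter than a `sockaddr_in6`, so IPv6 targets would be handed a truncated address; on FreeBSD the stored length is available as `((struct sockaddr *) addr)->sa_len`. The first inner hunk leaves `milli` computed but unused and drops the timeout without any log line; wrapping the original call in `#ifdef TCP_USER_TIMEOUT` would keep it wherever the option exists.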
diff --git a/security/sssd/files/patch-src__util__util.c b/security/sssd/files/patch-src__util__util.c
new file mode 100644
index 000000000000..f9380a2c16c9
--- /dev/null
+++ b/security/sssd/files/patch-src__util__util.c
@@ -0,0 +1,22 @@
+--- src/util/util.c 2020-10-20 19:31:51.466783000 +0100
++++ src/util/util.c 2020-10-20 19:33:20.832098000 +0100
+@@ -830,6 +830,19 @@
+ return EOK;
+ }
+
++
++#ifdef __FreeBSD__
++int flb_timezone(void)
++{
++ struct tm tm;
++ time_t t = 0;
++ tzset();
++ localtime_r(&t, &tm);
++ return -(tm.tm_gmtoff);
++}
++#define timezone (flb_timezone())
++#endif
++
+ /* Convert GeneralizedTime (http://en.wikipedia.org/wiki/GeneralizedTime)
+ * to unix time (seconds since epoch). Use UTC time zone.
+ */
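Review bot: `flb_timezone()` reads `tm.tm_gmtoff` without checking the result of `localtime_r()`, so a failed conversion returns an offset taken from an uninitialised struct; `if (localtime_r(&t, &tm) == NULL) return 0;` closes that. The function has external linkage although only the `timezone` macro below it uses it in this hunk; `static int flb_timezone(void)` avoids exporting a new symbol from util.c. The macro also rewrites every later `timezone` token in the file, and the offset is the one in effect at the epoch (`t = 0`), not the current one. A comment stating both, e.g. `/* emulates glibc's global timezone: seconds west of UTC, taken at the epoch */`, would save the next reader the lookup.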
diff --git a/security/sssd/files/patch-src__util__util.h b/security/sssd/files/patch-src__util__util.h
index 331fefd5010d..62f6792018c0 100644
--- a/security/sssd/files/patch-src__util__util.h
+++ b/security/sssd/files/patch-src__util__util.h
@@ -1,18 +1,11 @@
---- src/util/util.h.orig 2014-09-17 13:01:37 UTC
+diff --git src/util/util.h src/util/util.h
+index 1e36bf02a..e883f322f 100644
+--- src/util/util.h
+++ src/util/util.h
-@@ -227,8 +227,6 @@ void sig_term(int sig);
- #include <signal.h>
- void BlockSignals(bool block, int signum);
- void (*CatchSignal(int signum,void (*handler)(int )))(int);
--void CatchChild(void);
--void CatchChildLeaveStatus(void);
+@@ -733,4 +733,6 @@ errno_t create_preauth_indicator(void);
+ #define N_ELEMENTS(arr) (sizeof(arr) / sizeof(arr[0]))
+ #endif
- /* from memory.c */
- typedef int (void_destructor_fn_t)(void *);
-@@ -542,5 +540,6 @@ char * sss_replace_space(TALLOC_CTX *mem_ctx,
- char * sss_reverse_replace_space(TALLOC_CTX *mem_ctx,
- const char *orig_name,
- const char replace_char);
+#include "util/sss_bsd_errno.h"
-
++
#endif /* __SSSD_UTIL_H__ */
diff --git a/security/sssd/files/patch-src_external_pac__responder.m4 b/security/sssd/files/patch-src_external_pac__responder.m4
deleted file mode 100644
index 291a04fbf182..000000000000
--- a/security/sssd/files/patch-src_external_pac__responder.m4
+++ /dev/null
@@ -1,25 +0,0 @@
---- src/external/pac_responder.m4.orig 2014-09-17 13:01:37 UTC
-+++ src/external/pac_responder.m4
-@@ -14,14 +14,20 @@ then
- PKG_CHECK_MODULES(NDR_KRB5PAC, ndr_krb5pac, ndr_krb5pac_ok=yes,
- AC_MSG_WARN([Cannot build pac responder without libndr_krb5pac]))
-
-- AC_PATH_PROG(KRB5_CONFIG, krb5-config)
-+ AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
- AC_MSG_CHECKING(for supported MIT krb5 version)
- KRB5_VERSION="`$KRB5_CONFIG --version`"
- case $KRB5_VERSION in
- Kerberos\ 5\ release\ 1.9* | \
- Kerberos\ 5\ release\ 1.10* | \
- Kerberos\ 5\ release\ 1.11* | \
-- Kerberos\ 5\ release\ 1.12*)
-+ Kerberos\ 5\ release\ 1.12* | \
-+ Kerberos\ 5\ release\ 1.13* | \
-+ Kerberos\ 5\ release\ 1.14* | \
-+ Kerberos\ 5\ release\ 1.15* | \
-+ Kerberos\ 5\ release\ 1.16* | \
-+ Kerberos\ 5\ release\ 1.17* | \
-+ Kerberos\ 5\ release\ 1.18*)
- krb5_version_ok=yes
- AC_MSG_RESULT([yes])
- ;;
diff --git a/security/sssd/files/pkg-message.in b/security/sssd/files/pkg-message.in
index 43614925c6c1..1b06ff5ba86b 100644
--- a/security/sssd/files/pkg-message.in
+++ b/security/sssd/files/pkg-message.in
@@ -1,6 +1,4 @@
-[
-{ type: install
- message: <<EOM
+================================================================================
Copy %%PREFIX%%/etc/sssd/sssd.conf.sample to %%PREFIX%%/etc/sssd/sssd.conf
and edit %%PREFIX%%/etc/sssd/sssd.conf (see man sssd.conf for details)
@@ -20,6 +18,4 @@ For additional details, please see the man pages for pam.conf and nsswitch.conf
An sssd HOWTO is also available:
https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2
-EOM
-}
-]
+================================================================================
diff --git a/security/sssd/files/sssd.in b/security/sssd/files/sssd.in
index b33a9b51609a..44891b11e7cb 100644
--- a/security/sssd/files/sssd.in
+++ b/security/sssd/files/sssd.in
@@ -34,7 +34,8 @@ start_precmd=sssd_prestart
sssd_prestart()
{
- for i in db/sss db/sss_mc log/sssd run/sss/krb5.include.d run/sss/private run/sss; do
+
+ for i in db/sss/db db/sss/gpo_cache db/sss/keytabs db/sss/mc db/sss/pubconf/krb5.include.d/ db/sss/secrets log/sssd run/sss/pipes/private; do
if [ ! -d var/${i} ]; then mkdir -p /var/${i}; fi
done
}
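Review bot: The new list adds `db/sss/secrets`, `db/sss/keytabs` and `run/sss/pipes/private`, but `mkdir -p` creates them with whatever the rc environment's umask yields, which is typically readable and searchable by everyone. Whether sssd tightens them at start is not visible here, so I would create the private ones explicitly, e.g. `install -d -m 0700 /var/db/sss/secrets /var/db/sss/keytabs /var/run/sss/pipes/private`, and keep the loop for the rest. The test on the following line checks `var/${i}` relative to the current directory while creating `/var/${i}`; it should be `if [ ! -d /var/${i} ]; then mkdir -p /var/${i}; fi`. `db/sss/deskprofile`, which pkg-plist registers in this commit, is missing from the list.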
diff --git a/security/sssd/pkg-plist b/security/sssd/pkg-plist
index c453f9447929..0d560e328627 100644
--- a/security/sssd/pkg-plist
+++ b/security/sssd/pkg-plist
@@ -1,40 +1,52 @@
bin/sss_ssh_authorizedkeys
bin/sss_ssh_knownhostsproxy
etc/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+etc/pam.d/sssd-shadowutils
%%ETCDIR%%/sssd.conf.sample
include/ipa_hbac.h
+include/sss_certmap.h
include/sss_idmap.h
include/sss_nss_idmap.h
+include/sss_sifp.h
+include/sss_sifp_dbus.h
+include/wbclient_sssd.h
%%SMB%%lib/krb5/plugins/authdata/sssd_pac_plugin.so
lib/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
lib/libipa_hbac.so
lib/libipa_hbac.so.0
-lib/libipa_hbac.so.0.0.1
+lib/libipa_hbac.so.0.1.0
+lib/libsss_certmap.so
+lib/libsss_certmap.so.0
+lib/libsss_certmap.so.0.0.0
lib/libsss_idmap.so
lib/libsss_idmap.so.0
-lib/libsss_idmap.so.0.4.0
+lib/libsss_idmap.so.0.5.1
lib/libsss_nss_idmap.so
lib/libsss_nss_idmap.so.0
-lib/libsss_nss_idmap.so.0.0.1
+lib/libsss_nss_idmap.so.0.5.0
+lib/libsss_simpleifp.so
+lib/libsss_simpleifp.so.0
+lib/libsss_simpleifp.so.0.1.1
lib/libsss_sudo.so
lib/nss_sss.so
lib/nss_sss.so.1
lib/nss_sss.so.2
lib/nss_sss.so.2.0.0
lib/pam_sss.so
-%%PYTHON_SITELIBDIR%%/SSSDConfig-1.11.7-py%%PYTHON_VER%%.egg-info
+%%PYTHON_SITELIBDIR%%/SSSDConfig-1.16.5-py%%PYTHON_VER%%.egg-info
%%PYTHON_SITELIBDIR%%/SSSDConfig/__init__.py
-%%PYTHON_SITELIBDIR%%/SSSDConfig/__init__.pyc
+%%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/__init__.cpython-37.pyc
+%%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/ipachangeconf.cpython-37.pyc
%%PYTHON_SITELIBDIR%%/SSSDConfig/ipachangeconf.py
-%%PYTHON_SITELIBDIR%%/SSSDConfig/ipachangeconf.pyc
-%%PYTHON_SITELIBDIR%%/SSSDConfig/sssd_upgrade_config.py
-%%PYTHON_SITELIBDIR%%/SSSDConfig/sssd_upgrade_config.pyc
%%PYTHON_SITELIBDIR%%/pyhbac.so
%%PYTHON_SITELIBDIR%%/pysss.so
%%PYTHON_SITELIBDIR%%/pysss_murmur.so
%%PYTHON_SITELIBDIR%%/pysss_nss_idmap.so
+%%SMB%%lib/samba/idmap/winbind_idmap_sss.so
lib/shared-modules/ldb/memberof.so
%%SMB%%lib/sssd/libsss_ad.so
+lib/sssd/conf/sssd.conf
+lib/sssd/libsss_cert.so
lib/sssd/libsss_child.so
lib/sssd/libsss_crypt.so
lib/sssd/libsss_debug.so
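Review bot: The two added `__pycache__/*.cpython-37.pyc` entries hard-code the interpreter version while the egg-info line above them uses `%%PYTHON_VER%%`, so the plist stops matching the staged files as soon as the port is built with a different Python 3. If the branch's python.mk provides it, `%%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/__init__%%PYTHON_EXT_SUFFIX%%.pyc` and the same form for `ipachangeconf` keep the list independent of the version.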
@@ -44,13 +56,23 @@ lib/sssd/libsss_krb5_common.so
lib/sssd/libsss_ldap.so
lib/sssd/libsss_ldap_common.so
lib/sssd/libsss_proxy.so
+lib/sssd/libsss_semanage.so
lib/sssd/libsss_simple.so
lib/sssd/libsss_util.so
+lib/sssd/modules/libwbclient.so
+lib/sssd/modules/libwbclient.so.0
+lib/sssd/modules/libwbclient.so.0.14.0
+lib/sssd/modules/sssd_krb5_localauth_plugin.so
libdata/pkgconfig/ipa_hbac.pc
+libdata/pkgconfig/sss_certmap.pc
libdata/pkgconfig/sss_idmap.pc
libdata/pkgconfig/sss_nss_idmap.pc
+libdata/pkgconfig/sss_simpleifp.pc
+libdata/pkgconfig/wbclient_sssd.pc
+%%SMB%%libexec/sssd/gpo_child
libexec/sssd/krb5_child
libexec/sssd/ldap_child
+libexec/sssd/p11_child
libexec/sssd/proxy_child
libexec/sssd/sss_signal
libexec/sssd/sssd_be
@@ -60,15 +82,27 @@ libexec/sssd/sssd_nss
libexec/sssd/sssd_pam
libexec/sssd/sssd_ssh
libexec/sssd/sssd_sudo
-man/es/man1/sss_ssh_authorizedkeys.1.gz
-man/es/man1/sss_ssh_knownhostsproxy.1.gz
+man/de/man1/sss_ssh_knownhostsproxy.1.gz
+man/de/man5/sssd-ifp.5.gz
+man/de/man5/sssd-krb5.5.gz
+man/de/man5/sssd-ldap.5.gz
+man/de/man5/sssd-simple.5.gz
+man/de/man5/sssd-sudo.5.gz
+man/de/man8/sss_groupadd.8.gz
+man/de/man8/sss_groupdel.8.gz
+man/de/man8/sss_groupmod.8.gz
+man/de/man8/sss_groupshow.8.gz
+man/de/man8/sss_obfuscate.8.gz
+man/de/man8/sss_seed.8.gz
+man/de/man8/sss_useradd.8.gz
+man/de/man8/sss_userdel.8.gz
+man/de/man8/sss_usermod.8.gz
+man/de/man8/sssd.8.gz
man/es/man5/sssd-ldap.5.gz
+man/es/man5/sssd.conf.5.gz
man/es/man5/sssd-simple.5.gz
man/es/man5/sssd-sudo.5.gz
-man/es/man5/sssd.conf.5.gz
man/es/man8/pam_sss.8.gz
-man/es/man8/sss_cache.8.gz
-man/es/man8/sss_debuglevel.8.gz
man/es/man8/sss_groupadd.8.gz
man/es/man8/sss_groupdel.8.gz
man/es/man8/sss_groupmod.8.gz
@@ -80,17 +114,11 @@ man/es/man8/sss_userdel.8.gz
man/es/man8/sss_usermod.8.gz
man/es/man8/sssd.8.gz
man/es/man8/sssd_krb5_locator_plugin.8.gz
-man/fr/man1/sss_ssh_authorizedkeys.1.gz
man/fr/man1/sss_ssh_knownhostsproxy.1.gz
-man/fr/man5/sssd-ad.5.gz
man/fr/man5/sssd-krb5.5.gz
man/fr/man5/sssd-ldap.5.gz
man/fr/man5/sssd-simple.5.gz
man/fr/man5/sssd-sudo.5.gz
-man/fr/man5/sssd.conf.5.gz
-man/fr/man8/pam_sss.8.gz
-man/fr/man8/sss_cache.8.gz
-man/fr/man8/sss_debuglevel.8.gz
man/fr/man8/sss_groupadd.8.gz
man/fr/man8/sss_groupdel.8.gz
man/fr/man8/sss_groupmod.8.gz
@@ -101,16 +129,8 @@ man/fr/man8/sss_useradd.8.gz
man/fr/man8/sss_userdel.8.gz
man/fr/man8/sss_usermod.8.gz
man/fr/man8/sssd.8.gz
-man/fr/man8/sssd_krb5_locator_plugin.8.gz
-man/ja/man1/sss_ssh_authorizedkeys.1.gz
man/ja/man1/sss_ssh_knownhostsproxy.1.gz
-man/ja/man5/sssd-krb5.5.gz
-man/ja/man5/sssd-ldap.5.gz
man/ja/man5/sssd-simple.5.gz
-man/ja/man5/sssd.conf.5.gz
-man/ja/man8/pam_sss.8.gz
-man/ja/man8/sss_cache.8.gz
-man/ja/man8/sss_debuglevel.8.gz
man/ja/man8/sss_groupadd.8.gz
man/ja/man8/sss_groupdel.8.gz
man/ja/man8/sss_groupmod.8.gz
@@ -120,17 +140,20 @@ man/ja/man8/sss_useradd.8.gz
man/ja/man8/sss_userdel.8.gz
man/ja/man8/sss_usermod.8.gz
man/ja/man8/sssd.8.gz
-man/ja/man8/sssd_krb5_locator_plugin.8.gz
man/man1/sss_ssh_authorizedkeys.1.gz
man/man1/sss_ssh_knownhostsproxy.1.gz
-man/man5/sssd-ad.5.gz
+man/man5/sss-certmap.5.gz
+%%SMB%%man/man5/sssd-ad.5.gz
+man/man5/sssd-files.5.gz
man/man5/sssd-ifp.5.gz
-man/man5/sssd-ipa.5.gz
+%%SMB%%man/man5/sssd-ipa.5.gz
man/man5/sssd-krb5.5.gz
man/man5/sssd-ldap.5.gz
+man/man5/sssd-session-recording.5.gz
man/man5/sssd-simple.5.gz
man/man5/sssd-sudo.5.gz
man/man5/sssd.conf.5.gz
+man/man8/idmap_sss.8.gz
man/man8/pam_sss.8.gz
man/man8/sss_cache.8.gz
man/man8/sss_debuglevel.8.gz
@@ -139,24 +162,58 @@ man/man8/sss_groupdel.8.gz
man/man8/sss_groupmod.8.gz
man/man8/sss_groupshow.8.gz
man/man8/sss_obfuscate.8.gz
+man/man8/sss_override.8.gz
man/man8/sss_seed.8.gz
man/man8/sss_useradd.8.gz
man/man8/sss_userdel.8.gz
man/man8/sss_usermod.8.gz
+man/man8/sssctl.8.gz
man/man8/sssd.8.gz
man/man8/sssd_krb5_locator_plugin.8.gz
man/nl/man8/sss_groupmod.8.gz
man/pt/man8/sss_groupdel.8.gz
man/pt/man8/sss_groupmod.8.gz
+man/sv/man5/sssd.conf.5.gz
+man/sv/man5/sssd-ad.5.gz
+man/sv/man5/sssd-ifp.5.gz
+man/sv/man5/sssd-ipa.5.gz
+man/sv/man5/sssd-krb5.5.gz
+man/sv/man5/sssd-ldap.5.gz
+man/sv/man5/sssd-simple.5.gz
+man/sv/man5/sssd-sudo.5.gz
+man/sv/man5/sss-certmap.5.gz
+man/sv/man8/pam_sss.8.gz
+man/sv/man8/sss_cache.8.gz
+man/sv/man8/sss_debuglevel.8.gz
+man/sv/man8/sss_groupadd.8.gz
+man/sv/man8/sss_groupdel.8.gz
+man/sv/man8/sss_groupmod.8.gz
+man/sv/man8/sss_groupshow.8.gz
+man/sv/man8/sss_obfuscate.8.gz
+man/sv/man8/sss_override.8.gz
+man/sv/man8/sss_seed.8.gz
+man/sv/man8/sss_useradd.8.gz
+man/sv/man8/sss_userdel.8.gz
+man/sv/man8/sss_usermod.8.gz
+man/sv/man8/sssd.8.gz
+man/sv/man8/sssd_krb5_locator_plugin.8.gz
man/uk/man1/sss_ssh_authorizedkeys.1.gz
man/uk/man1/sss_ssh_knownhostsproxy.1.gz
+man/uk/man5/sss-certmap.5.gz
+man/uk/man5/sss_rpcidmapd.5.gz
man/uk/man5/sssd-ad.5.gz
+man/uk/man5/sssd-files.5.gz
man/uk/man5/sssd-ifp.5.gz
+man/uk/man5/sssd-ipa.5.gz
man/uk/man5/sssd-krb5.5.gz
man/uk/man5/sssd-ldap.5.gz
+man/uk/man5/sssd-secrets.5.gz
+man/uk/man5/sssd-session-recording.5.gz
man/uk/man5/sssd-simple.5.gz
man/uk/man5/sssd-sudo.5.gz
+man/uk/man5/sssd-systemtap.5.gz
man/uk/man5/sssd.conf.5.gz
+man/uk/man8/idmap_sss.8.gz
man/uk/man8/pam_sss.8.gz
man/uk/man8/sss_cache.8.gz
man/uk/man8/sss_debuglevel.8.gz
@@ -165,10 +222,13 @@ man/uk/man8/sss_groupdel.8.gz
man/uk/man8/sss_groupmod.8.gz
man/uk/man8/sss_groupshow.8.gz
man/uk/man8/sss_obfuscate.8.gz
+man/uk/man8/sss_override.8.gz
man/uk/man8/sss_seed.8.gz
man/uk/man8/sss_useradd.8.gz
man/uk/man8/sss_userdel.8.gz
man/uk/man8/sss_usermod.8.gz
+man/uk/man8/sssctl.8.gz
+man/uk/man8/sssd-kcm.8.gz
man/uk/man8/sssd.8.gz
man/uk/man8/sssd_krb5_locator_plugin.8.gz
sbin/sss_cache
@@ -178,19 +238,30 @@ sbin/sss_groupdel
sbin/sss_groupmod
sbin/sss_groupshow
sbin/sss_obfuscate
+sbin/sss_override
sbin/sss_seed
sbin/sss_useradd
sbin/sss_userdel
sbin/sss_usermod
+sbin/sssctl
sbin/sssd
+@dir %%ETCDIR%%/conf.d
+@dir %%ETCDIR%%/pki
@dir lib/ldb
-@dir lib/sssd/modules
%%PORTDOCS%%@dir %%DOCSDIR%%/doc
%%PORTDOCS%%@dir %%DOCSDIR%%/hbac_doc
%%PORTDOCS%%@dir %%DOCSDIR%%/idmap_doc
-%%PORTDOCS%%@dir %%DOCSDIR%%/libsss_sudo_doc
%%PORTDOCS%%@dir %%DOCSDIR%%/nss_idmap_doc
-@postexec if [ -d %%ETCDIR%% ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf %%ETCDIR%%`` to remove any configuration files."; fi
-@postexec if [ -d /var/db/sss ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/db/sss`` to remove any additional files."; fi
-@postexec if [ -d /var/db/sss_mc ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/db/sss_mc`` to remove any additional files."; fi
-@postexec if [ -d /var/run/sss ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/run/sss`` to remove any additional files."; fi
+%%PORTDOCS%%@dir %%DOCSDIR%%/sss_simpleifp_doc
+@dir /var/db/sss/db
+@dir /var/db/sss/deskprofile
+@dir /var/db/sss/gpo_cache
+@dir /var/db/sss/keytabs
+@dir /var/db/sss/mc
+@dir /var/db/sss/pubconf/krb5.include.d
+@dir /var/db/sss/pubconf
+@dir /var/db/sss
+@dir /var/log/sssd
+@dir /var/run/sss/pipes/private
+@dir /var/run/sss/pipes
+@dir /var/run/sss
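Review bot: The added `@dir` lines register `/var/db/sss/keytabs` and `/var/run/sss/pipes/private` without owner or mode, so they are created with package defaults. For directories that hold keytabs and the private pipes I would state the ownership and mode in the list, e.g. `@dir(root,wheel,0700) /var/db/sss/keytabs` and `@dir(root,wheel,0700) /var/run/sss/pipes/private`, after confirming the modes sssd expects. The list also disagrees with sssd.in in this commit: `/var/db/sss/secrets` is created by the rc script but not registered here, and `/var/db/sss/deskprofile` is registered here but not created there.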