author | Ryan Steinmetz <zi@FreeBSD.org> | 2011-10-15 02:13:20 +0000 |
---|---|---|
committer | Ryan Steinmetz <zi@FreeBSD.org> | 2011-10-15 02:13:20 +0000 |
commit | 2e567b748dfc85a433ba5880fe1d9394453600c8 (patch) | |
tree | 445605ec8ea8fe34e781283d0abcf0e7fbbdbb41 | |
parent | a62c6c03949509b0df9a8548802d2e2894e541eb (diff) | |
Notes
38 files changed, 2201 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index 3b98b7cffef7..fb2e5edf42c1 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -823,6 +823,7 @@
 SUBDIR += sslscan
 SUBDIR += sslsniffer
 SUBDIR += sslwrap
+ SUBDIR += sssd
 SUBDIR += ssss
 SUBDIR += sst
 SUBDIR += starttls
diff --git a/security/sssd/Makefile b/security/sssd/Makefile
new file mode 100644
index 000000000000..02b50c41602d
--- /dev/null
+++ b/security/sssd/Makefile
@@ -0,0 +1,108 @@ +# New ports collection makefile for: sssd +# Date created: Sep 6 2011 +# Whom: Andrew Elble <aweits@rit.edu> +# +# $FreeBSD$ +# + +PORTNAME= sssd +DISTVERSION= 1.6.1 +CATEGORIES= net +MASTER_SITES= https://fedorahosted.org/released/${PORTNAME}/ + +MAINTAINER= aweits@rit.edu +COMMENT= System Security Services Daemon + +LICENSE= GPLv3 + +LIB_DEPENDS= popt.0:${PORTSDIR}/devel/popt \ + talloc.2:${PORTSDIR}/devel/talloc \ + tevent.0:${PORTSDIR}/devel/tevent \ + xslt.2:${PORTSDIR}/textproc/libxslt \ + tdb.1:${PORTSDIR}/databases/tdb \ + ldb:${PORTSDIR}/databases/ldb \ + cares.2:${PORTSDIR}/dns/c-ares \ + dbus:${PORTSDIR}/devel/dbus \ + dhash.1:${PORTSDIR}/devel/ding-libs \ + pcre.0:${PORTSDIR}/devel/pcre \ + unistring.1:${PORTSDIR}/devel/libunistring \ + nss3.1:${PORTSDIR}/security/nss \ + sasl2.2:${PORTSDIR}/security/cyrus-sasl2 \ + xml2:${PORTSDIR}/textproc/libxml2 +BUILD_DEPENDS= xmlcatalog:${PORTSDIR}/textproc/libxml2 \ + docbook-xsl>=0:${PORTSDIR}/textproc/docbook-xsl +RUN_DEPENDS= xmlcatmgr:${PORTSDIR}/textproc/xmlcatmgr + +GNU_CONFIGURE= yes +CONFIGURE_ARGS= --with-selinux=no --with-semanage=no \ + --with-ldb-lib-dir=${LOCALBASE}/lib/ldb \ + --with-xml-catalog-path=${LOCALBASE}/share/xml/catalog \ + --with-libnl=no --with-init-dir=no \ + --docdir=${WRKDIR}/docs --with-pid-path=/var/run \ + --localstatedir=/var --enable-pammoddir=${PREFIX}/lib \ + --with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \ + --with-pubconf-path=/var/run/sss +CFLAGS+= -L${LOCALBASE}/lib -fstack-protector-all +#DEBUG_FLAGS= -g + +USE_AUTOTOOLS= autoconf automake +USE_LDCONFIG= yes +USE_PYTHON= yes +USE_OPENLDAP= yes +USE_GMAKE= yes +USE_GNOME= pkgconfig +USE_GETTEXT= yes +USE_ICONV= yes +USE_PYTHON= yes + +USE_RC_SUBR= ${PORTNAME} +MAN5= sssd-ipa.5 sssd-krb5.5 sssd-ldap.5 sssd-simple.5 \ + sssd.conf.5 +MAN8= pam_sss.8 sss_cache.8 sss_groupadd.8 sss_groupdel.8 \ + sss_groupmod.8 sss_groupshow.8 sss_obfuscate.8 \ + sss_useradd.8 sss_userdel.8 sss_usermod.8 sssd.8 \ + 
sssd_krb5_locator_plugin.8 + +.include <bsd.port.pre.mk> + +.if ${OSVERSION} < 800107 +IGNORE= is not supported prior to 8.0-RELEASE +.endif + +post-patch: + @${REINPLACE_CMD} -e 's|SIGCLD|SIGCHLD|g' ${WRKSRC}/src/util/signal.c + @${REINPLACE_CMD} -e '/#define SIZE_T_MAX ((size_t) -1)/d' ${WRKSRC}/src/util/util.h + @${REINPLACE_CMD} -e '/pam_misc/d' ${WRKSRC}/src/sss_client/pam_test_client.c + @${REINPLACE_CMD} -e '/ETIME/d' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's| -lpam_misc||g' ${WRKSRC}/Makefile.am ${WRKSRC}/Makefile.in + @${REINPLACE_CMD} -e 's|security/pam_misc.h||g' ${WRKSRC}/configure* ${WRKSRC}/src/external/pam.m4 + @${REINPLACE_CMD} -e 's|NSS_STATUS_NOTFOUND|NS_NOTFOUND|g' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's|NSS_STATUS_UNAVAIL|NS_UNAVAIL|g' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's|NSS_STATUS_TRYAGAIN|NS_TRYAGAIN|g' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's|NSS_STATUS_SUCCESS|NS_SUCCESS|g' ${WRKSRC}/src/sss_client/common.c + @${REINPLACE_CMD} -e 's|security/pam_ext.h|security/pam_appl.h|g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e 's|security/_pam_macros.h|pam_macros.h|g' ${WRKSRC}/src/sss_client/sss_pam_macros.h + @${REINPLACE_CMD} -e 's|#include <security/pam_modutil.h>||g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e 's|PAM_BAD_ITEM|PAM_USER_UNKNOWN|g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e 's|pam_vsyslog(pamh,|vsyslog(|g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e 's|pam_modutil_getlogin(pamh)|getlogin()|g' ${WRKSRC}/src/sss_client/pam_sss.c + @${REINPLACE_CMD} -e '/..MAKE. ..AM_MAKEFLAGS. 
install-data-hook/d' ${WRKSRC}/Makefile.in + @${REINPLACE_CMD} -e 's|install-data-hook install-dist_initSCRIPTS|install-dist_initSCRIPTS|g' \ + ${WRKSRC}/Makefile.in ${WRKSRC}/Makefile.am + @${REINPLACE_CMD} -e 's|install-data-hook|notinstall-data-hook|g' ${WRKSRC}/Makefile.in \ + ${WRKSRC}/Makefile.am + @${REINPLACE_CMD} -e 's|libdir)/pkgconfig|prefix)/libdata/pkgconfig|' ${WRKSRC}/Makefile.in \ + ${WRKSRC}/Makefile.am + @${REINPLACE_CMD} -e 's|/etc/sssd/|${ETCDIR}/|g' ${WRKSRC}/src/man/*xml + @${REINPLACE_CMD} -e 's|/etc/openldap/|${PREFIX}/etc/openldap/|g' ${WRKSRC}/src/man/*xml + @${CP} ${FILESDIR}/pam_macros.h ${WRKSRC}/pam_macros.h + @${CP} ${FILESDIR}/bsdnss.c ${WRKSRC}/src/sss_client/bsdnss.c + +post-install: + ${INSTALL_DATA} ${WRKSRC}/src/examples/sssd.conf ${ETCDIR}/sssd.conf.sample + (cd ${PREFIX}/lib && ${LN} -s nss_sss.so.2 nss_sss.so.1) + (cd ${PREFIX}/lib && ${LN} -s pam_sss.so pam_sss.so.5) + @${RM} -f ${PREFIX}/lib/ldb/memberof.la + @${CAT} ${PKGMESSAGE} + +.include <bsd.port.post.mk> diff --git a/security/sssd/distinfo b/security/sssd/distinfo new file mode 100644 index 000000000000..2dc947d7be16 --- /dev/null +++ b/security/sssd/distinfo @@ -0,0 +1,2 @@ +SHA256 (sssd-1.6.1.tar.gz) = ba30d8cf7eae1fd66053b4f11e8e5b98bc6db113cf6d2f33e429f2e21d90ade9 +SIZE (sssd-1.6.1.tar.gz) = 1406047 diff --git a/security/sssd/files/bsdnss.c b/security/sssd/files/bsdnss.c new file mode 100644 index 000000000000..147d4554c670 --- /dev/null +++ b/security/sssd/files/bsdnss.c 
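Review bot: `CATEGORIES= net` does not match where this port is added: the directory is security/sssd and the SUBDIR entry goes into security/Makefile, so the first category should be `security`, for example `CATEGORIES= security net`. `USE_PYTHON= yes` is also set twice in the USE_* list and one copy can go. In post-install, `${LN} -s` without `-f` fails when the link already exists from an earlier install, so `${LN} -sf nss_sss.so.2 nss_sss.so.1` (and the same for `pam_sss.so.5`) would be more robust.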
@@ -0,0 +1,187 @@ +#include <errno.h> +#include <sys/param.h> +#include <netinet/in.h> +#include <pwd.h> +#include <grp.h> +#include <nss.h> +#include <netdb.h> + +extern enum nss_status _nss_sss_getgrent_r(struct group *, char *, size_t, + int *); +extern enum nss_status _nss_sss_getgrnam_r(const char *, struct group *, + char *, size_t, int *); +extern enum nss_status _nss_sss_getgrgid_r(gid_t gid, struct group *, char *, + size_t, int *); +extern enum nss_status _nss_sss_setgrent(void); +extern enum nss_status _nss_sss_endgrent(void); + +extern enum nss_status _nss_sss_getpwent_r(struct passwd *, char *, size_t, + int *); +extern enum nss_status _nss_sss_getpwnam_r(const char *, struct passwd *, + char *, size_t, int *); +extern enum nss_status _nss_sss_getpwuid_r(gid_t gid, struct passwd *, char *, + size_t, int *); +extern enum nss_status _nss_sss_setpwent(void); +extern enum nss_status _nss_sss_endpwent(void); + +extern enum nss_status _nss_sss_gethostbyname_r (const char *name, struct hostent * result, + char *buffer, size_t buflen, int *errnop, + int *h_errnop); + +extern enum nss_status _nss_sss_gethostbyname2_r (const char *name, int af, struct hostent * result, + char *buffer, size_t buflen, int *errnop, + int *h_errnop); +extern enum nss_status _nss_sss_gethostbyaddr_r (struct in_addr * addr, int len, int type, + struct hostent * result, char *buffer, + size_t buflen, int *errnop, int *h_errnop); + +extern enum nss_status _nss_sss_getgroupmembership(const char *uname, gid_t agroup, gid_t *groups, + int maxgrp, int *grpcnt); + + +NSS_METHOD_PROTOTYPE(__nss_compat_getgroupmembership); +NSS_METHOD_PROTOTYPE(__nss_compat_getgrnam_r); +NSS_METHOD_PROTOTYPE(__nss_compat_getgrgid_r); +NSS_METHOD_PROTOTYPE(__nss_compat_getgrent_r); +NSS_METHOD_PROTOTYPE(__nss_compat_setgrent); +NSS_METHOD_PROTOTYPE(__nss_compat_endgrent); + +NSS_METHOD_PROTOTYPE(__nss_compat_getpwnam_r); +NSS_METHOD_PROTOTYPE(__nss_compat_getpwuid_r); 
+NSS_METHOD_PROTOTYPE(__nss_compat_getpwent_r); +NSS_METHOD_PROTOTYPE(__nss_compat_setpwent); +NSS_METHOD_PROTOTYPE(__nss_compat_endpwent); + +NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyname); +NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyname2); +NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyaddr); + +static ns_mtab methods[] = { +{ NSDB_GROUP, "getgrnam_r", __nss_compat_getgrnam_r, _nss_sss_getgrnam_r }, +{ NSDB_GROUP, "getgrgid_r", __nss_compat_getgrgid_r, _nss_sss_getgrgid_r }, +{ NSDB_GROUP, "getgrent_r", __nss_compat_getgrent_r, _nss_sss_getgrent_r }, +{ NSDB_GROUP, "getgroupmembership", __nss_compat_getgroupmembership, _nss_sss_getgroupmembership }, +{ NSDB_GROUP, "setgrent", __nss_compat_setgrent, _nss_sss_setgrent }, +{ NSDB_GROUP, "endgrent", __nss_compat_endgrent, _nss_sss_endgrent }, + +{ NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, _nss_sss_getpwnam_r }, +{ NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, _nss_sss_getpwuid_r }, +{ NSDB_PASSWD, "getpwent_r", __nss_compat_getpwent_r, _nss_sss_getpwent_r }, +{ NSDB_PASSWD, "setpwent", __nss_compat_setpwent, _nss_sss_setpwent }, +{ NSDB_PASSWD, "endpwent", __nss_compat_endpwent, _nss_sss_endpwent }, + +// { NSDB_HOSTS, "gethostbyname", __nss_compat_gethostbyname, _nss_sss_gethostbyname_r }, +//{ NSDB_HOSTS, "gethostbyaddr", __nss_compat_gethostbyaddr, _nss_sss_gethostbyaddr_r }, +//{ NSDB_HOSTS, "gethostbyname2", __nss_compat_gethostbyname2, _nss_sss_gethostbyname2_r }, + +{ NSDB_GROUP_COMPAT, "getgrnam_r", __nss_compat_getgrnam_r, _nss_sss_getgrnam_r }, +{ NSDB_GROUP_COMPAT, "getgrgid_r", __nss_compat_getgrgid_r, _nss_sss_getgrgid_r }, +{ NSDB_GROUP_COMPAT, "getgrent_r", __nss_compat_getgrent_r, _nss_sss_getgrent_r }, +{ NSDB_GROUP_COMPAT, "setgrent", __nss_compat_setgrent, _nss_sss_setgrent }, +{ NSDB_GROUP_COMPAT, "endgrent", __nss_compat_endgrent, _nss_sss_endgrent }, + +{ NSDB_PASSWD_COMPAT, "getpwnam_r", __nss_compat_getpwnam_r, _nss_sss_getpwnam_r }, +{ NSDB_PASSWD_COMPAT, "getpwuid_r", 
__nss_compat_getpwuid_r, _nss_sss_getpwuid_r }, +{ NSDB_PASSWD_COMPAT, "getpwent_r", __nss_compat_getpwent_r, _nss_sss_getpwent_r }, +{ NSDB_PASSWD_COMPAT, "setpwent", __nss_compat_setpwent, _nss_sss_setpwent }, +{ NSDB_PASSWD_COMPAT, "endpwent", __nss_compat_endpwent, _nss_sss_endpwent }, + +}; + + +ns_mtab * +nss_module_register(const char *source, unsigned int *mtabsize, + nss_module_unregister_fn *unreg) +{ + *mtabsize = sizeof(methods)/sizeof(methods[0]); + *unreg = NULL; + return (methods); +} + +int __nss_compat_getgroupmembership(void *retval, void *mdata, va_list ap) +{ + int (*fn)(const char *, gid_t, gid_t *, int, int *); + + const char *uname; + gid_t agroup; + gid_t *groups; + int maxgrp; + int *grpcnt; + int errnop; + enum nss_status status; + + fn = mdata; + uname = va_arg(ap, const char *); + agroup = va_arg(ap, gid_t); + groups = va_arg(ap, gid_t *); + maxgrp = va_arg(ap, int); + grpcnt = va_arg(ap, int *); + status = fn(uname, agroup, groups, maxgrp, grpcnt); + status = __nss_compat_result(status, errnop); + return (status); +} + +int __nss_compat_gethostbyname(void *retval, void *mdata, va_list ap) +{ + enum nss_status (*fn)(const char *, struct hostent *, char *, size_t, int *, int *); + const char *name; + struct hostent *result; + char buffer[1024]; + size_t buflen = 1024; + int errnop; + int h_errnop; + int af; + enum nss_status status; + fn = mdata; + name = va_arg(ap, const char*); + af = va_arg(ap,int); + result = va_arg(ap,struct hostent *); + status = fn(name, result, buffer, buflen, &errnop, &h_errnop); + status = __nss_compat_result(status,errnop); + h_errno = h_errnop; + return (status); +} + +int __nss_compat_gethostbyname2(void *retval, void *mdata, va_list ap) +{ + enum nss_status (*fn)(const char *, struct hostent *, char *, size_t, int *, int *); + const char *name; + struct hostent *result; + char buffer[1024]; + size_t buflen = 1024; + int errnop; + int h_errnop; + int af; + enum nss_status status; + fn = mdata; + name = 
va_arg(ap, const char*); + af = va_arg(ap,int); + result = va_arg(ap,struct hostent *); + status = fn(name, result, buffer, buflen, &errnop, &h_errnop); + status = __nss_compat_result(status,errnop); + h_errno = h_errnop; + return (status); +} + +int __nss_compat_gethostbyaddr(void *retval, void *mdata, va_list ap) +{ + struct in_addr *addr; + int len; + int type; + struct hostent *result; + char buffer[1024]; + size_t buflen = 1024; + int errnop; + int h_errnop; + enum nss_status (*fn)(struct in_addr *, int, int, struct hostent *, char *, size_t, int *, int *); + enum nss_status status; + fn = mdata; + addr = va_arg(ap, struct in_addr*); + len = va_arg(ap,int); + type = va_arg(ap,int); + result = va_arg(ap, struct hostent*); + status = fn(addr, len, type, result, buffer, buflen, &errnop, &h_errnop); + status = __nss_compat_result(status,errnop); + h_errno = h_errnop; + return (status); +} diff --git a/security/sssd/files/pam_macros.h b/security/sssd/files/pam_macros.h new file mode 100644 index 000000000000..bd107cfb68cb --- /dev/null +++ b/security/sssd/files/pam_macros.h 
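Review bot: In `__nss_compat_getgroupmembership`, `errnop` is declared but never assigned before it is passed to `__nss_compat_result(status, errnop)`, because the wrapped function takes no errno pointer; the result mapping therefore reads an indeterminate value, and `int errnop = 0;` fixes that. The function pointer in the same wrapper is typed `int (*fn)(...)` although `_nss_sss_getgroupmembership` is declared as returning `enum nss_status`, and `_nss_sss_getpwuid_r` is declared with a `gid_t gid` first parameter where `uid_t` is meant. The three host wrappers pass a 1024-byte stack `buffer` to the backend, so any pointers it stores in `result` would dangle after return; they are unreachable while the NSDB_HOSTS entries stay commented out, and a comment saying so above them would prevent someone re-enabling the entries as they are.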
@@ -0,0 +1,196 @@ +#ifndef PAM_MACROS_H +#define PAM_MACROS_H + +/* + * All kind of macros used by PAM, but usable in some other + * programs too. + * Organized by Cristian Gafton <gafton@redhat.com> + */ + +/* a 'safe' version of strdup */ + +#include <stdlib.h> +#include <string.h> + +#define x_strdup(s) ( (s) ? strdup(s):NULL ) + +/* Good policy to strike out passwords with some characters not just + free the memory */ + +#define _pam_overwrite(x) \ +do { \ + register char *__xx__; \ + if ((__xx__=(x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ +} while (0) + +#define _pam_overwrite_n(x,n) \ +do { \ + register char *__xx__; \ + register unsigned int __i__ = 0; \ + if ((__xx__=(x))) \ + for (;__i__<n; __i__++) \ + __xx__[__i__] = 0; \ +} while (0) + +/* + * Don't just free it, forget it too. + */ + +#define _pam_drop(X) \ +do { \ + if (X) { \ + free(X); \ + X=NULL; \ + } \ +} while (0) + +#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ +do { \ + int reply_i; \ + \ + for (reply_i=0; reply_i<replies; ++reply_i) { \ + if (reply[reply_i].resp) { \ + _pam_overwrite(reply[reply_i].resp); \ + free(reply[reply_i].resp); \ + } \ + } \ + if (reply) \ + free(reply); \ +} while (0) + +/* some debugging code */ + +#ifdef DEBUG + +/* + * This provides the necessary function to do debugging in PAM. + * Cristian Gafton <gafton@redhat.com> + */ + +#include <stdio.h> +#include <sys/types.h> +#include <stdarg.h> +#include <errno.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> + +/* + * This is for debugging purposes ONLY. DO NOT use on live systems !!! + * You have been warned :-) - CG + * + * to get automated debugging to the log file, it must be created manually. + * _PAM_LOGFILE must exist and be writable to the programs you debug. 
+ */ + +#ifndef _PAM_LOGFILE +#define _PAM_LOGFILE "/var/run/pam-debug.log" +#endif + +static void _pam_output_debug_info(const char *file, const char *fn + , const int line) +{ + FILE *logfile; + int must_close = 1, fd; + +#ifdef O_NOFOLLOW + if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) { +#else + if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_APPEND)) != -1) { +#endif + if (!(logfile = fdopen(fd,"a"))) { + logfile = stderr; + must_close = 0; + close(fd); + } + } else { + logfile = stderr; + must_close = 0; + } + fprintf(logfile,"[%s:%s(%d)] ",file, fn, line); + fflush(logfile); + if (must_close) + fclose(logfile); +} + +static void _pam_output_debug(const char *format, ...) +{ + va_list args; + FILE *logfile; + int must_close = 1, fd; + + va_start(args, format); + +#ifdef O_NOFOLLOW + if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_NOFOLLOW|O_APPEND)) != -1) { +#else + if ((fd = open(_PAM_LOGFILE, O_WRONLY|O_APPEND)) != -1) { +#endif + if (!(logfile = fdopen(fd,"a"))) { + logfile = stderr; + must_close = 0; + close(fd); + } + } else { + logfile = stderr; + must_close = 0; + } + vfprintf(logfile, format, args); + fprintf(logfile, "\n"); + fflush(logfile); + if (must_close) + fclose(logfile); + + va_end(args); +} + +#define D(x) do { \ + _pam_output_debug_info(__FILE__, __FUNCTION__, __LINE__); \ + _pam_output_debug x ; \ +} while (0) + +#define _pam_show_mem(X,XS) do { \ + int i; \ + register unsigned char *x; \ + x = (unsigned char *)X; \ + fprintf(stderr, " <start at %p>\n", X); \ + for (i = 0; i < XS ; ++x, ++i) { \ + fprintf(stderr, " %02X. 
<%p:%02X>\n", i, x, *x); \ + } \ + fprintf(stderr, " <end for %p after %d bytes>\n", X, XS); \ +} while (0) + +#define _pam_show_reply(/* struct pam_response * */reply, /* int */replies) \ +do { \ + int reply_i; \ + setbuf(stderr, NULL); \ + fprintf(stderr, "array at %p of size %d\n",reply,replies); \ + fflush(stderr); \ + if (reply) { \ + for (reply_i = 0; reply_i < replies; reply_i++) { \ + fprintf(stderr, " elem# %d at %p: resp = %p, retcode = %d\n", \ + reply_i, reply+reply_i, reply[reply_i].resp, \ + reply[reply_i].resp, _retcode); \ + fflush(stderr); \ + if (reply[reply_i].resp) { \ + fprintf(stderr, " resp[%d] = '%s'\n", \ + strlen(reply[reply_i].resp), reply[reply_i].resp); \ + fflush(stderr); \ + } \ + } \ + } \ + fprintf(stderr, "done here\n"); \ + fflush(stderr); \ +} while (0) + +#else + +#define D(x) do { } while (0) +#define _pam_show_mem(X,XS) do { } while (0) +#define _pam_show_reply(reply, replies) do { } while (0) + +#endif /* DEBUG */ + +#endif /* PAM_MACROS_H */ diff --git a/security/sssd/files/patch-Makefile.am b/security/sssd/files/patch-Makefile.am new file mode 100644 index 000000000000..09c82b62d726 --- /dev/null +++ b/security/sssd/files/patch-Makefile.am 
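Review bot: `_pam_drop_reply` indexes `reply[reply_i].resp` inside the loop before it tests `if (reply)`, so a NULL `reply` with a non-zero `replies` is dereferenced; the loop belongs inside the NULL test together with `free(reply);`. `_pam_overwrite` and `_pam_overwrite_n` clear passwords with ordinary stores, which an optimising compiler may drop when the buffer is freed straight afterwards; declaring the cursor as `register volatile char *__xx__;` in both macros keeps the writes. In the DEBUG branch, `_pam_show_reply` passes five arguments (one of them an undeclared `_retcode`) to a format with four conversions and prints the response text to stderr, so DEBUG should stay off in any build that handles real credentials.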
@@ -0,0 +1,61 @@ +--- ./Makefile.am.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./Makefile.am 2011-10-13 12:13:42.000000000 -0400 +@@ -33,7 +33,7 @@ + systemdunitdir = @systemdunitdir@ + logpath = @logpath@ + pubconfpath = @pubconfpath@ +-pkgconfigdir = $(libdir)/pkgconfig ++pkgconfigdir = $(prefix)/libdata/pkgconfig + + AM_CFLAGS = + if WANT_AUX_INFO +@@ -753,21 +753,22 @@ + + noinst_PROGRAMS = pam_test_client + pam_test_client_SOURCES = src/sss_client/pam_test_client.c +-pam_test_client_LDFLAGS = -lpam -lpam_misc ++pam_test_client_LDFLAGS = -lpam + + #################### + # Client Libraries # + #################### + +-nsslib_LTLIBRARIES = libnss_sss.la +-libnss_sss_la_SOURCES = \ ++nsslib_LTLIBRARIES = nss_sss.la ++nss_sss_la_SOURCES = \ + src/sss_client/common.c \ ++ src/sss_client/bsdnss.c \ + src/sss_client/nss_passwd.c \ + src/sss_client/nss_group.c \ + src/sss_client/nss_netgroup.c \ + src/sss_client/sss_cli.h \ + src/sss_client/nss_compat.h +-libnss_sss_la_LDFLAGS = \ ++nss_sss_la_LDFLAGS = \ + -module \ + -version-info 2:0:0 \ + -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports +@@ -780,6 +781,7 @@ + src/sss_client/sss_pam_macros.h + + pam_sss_la_LDFLAGS = \ ++ -lintl \ + -lpam \ + -module \ + -avoid-version \ +@@ -1122,10 +1124,10 @@ + mkdir -p $(DESTDIR)$(initdir) + endif + +-install-data-hook: +- rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \ +- $(DESTDIR)/$(nsslibdir)/libnss_sss.so +- mv $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 ++notnotnotnotnotnotnotnotnotnotnotnotnotnotnotnotnotinstall-data-hook: ++ rm $(DESTDIR)/$(nsslibdir)/nss_sss.so.2 \ ++ $(DESTDIR)/$(nsslibdir)/nss_sss.so ++ mv $(DESTDIR)/$(nsslibdir)/nss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/nss_sss.so.2 + + uninstall-hook: + if [ -f $(abs_builddir)/src/config/.files ]; then \ diff --git a/security/sssd/files/patch-src__confdb__confdb.c b/security/sssd/files/patch-src__confdb__confdb.c new file mode 100644 index 000000000000..50fd9bbea268 
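Review bot: The renamed target `notnotnot…install-data-hook:` in the last hunk looks like the result of generating this patch from a work tree on which the port's post-patch substitution `s|install-data-hook|notinstall-data-hook|g` had already run several times, and post-patch will prepend one more `not` after the patch is applied. The patch also repeats edits that post-patch already makes to Makefile.am (`pkgconfigdir`, `-lpam_misc`). Regenerate the patch from a pristine source tree and keep each change in one place only: drop the `install-data-hook` hunk here and let the sed list disable the hook, or the reverse.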
--- /dev/null +++ b/security/sssd/files/patch-src__confdb__confdb.c @@ -0,0 +1,14 @@ +--- ./src/confdb/confdb.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/confdb/confdb.c 2011-10-13 12:15:03.000000000 -0400 +@@ -28,6 +28,11 @@ + #include "util/strtonum.h" + #include "db/sysdb.h" + ++char *strchrnul(const char *s, int ch) { ++ char *ret = strchr(s, ch); ++ return ret == NULL ? ((char *)s) + strlen(s) : ret; ++} ++ + #define CONFDB_ZERO_CHECK_OR_JUMP(var, ret, err, label) do { \ + if (!var) { \ + ret = err; \ diff --git a/security/sssd/files/patch-src__monitor__monitor.c b/security/sssd/files/patch-src__monitor__monitor.c new file mode 100644 index 000000000000..aa86eeb3bca0 --- /dev/null +++ b/security/sssd/files/patch-src__monitor__monitor.c @@ -0,0 +1,24 @@ +--- ./src/monitor/monitor.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/monitor/monitor.c 2011-10-13 12:15:03.000000000 -0400 +@@ -57,6 +57,10 @@ + + int cmdline_debug_level; + ++errno_t monitor_config_file_fallback(TALLOC_CTX *mem_ctx, ++ struct mt_ctx *ctx, ++ const char *file, ++ monitor_reconf_fn fn); + struct svc_spy; + + struct mt_svc { +@@ -1606,10 +1610,6 @@ + talloc_free(tmp_ctx); + } + +-errno_t monitor_config_file_fallback(TALLOC_CTX *mem_ctx, +- struct mt_ctx *ctx, +- const char *file, +- monitor_reconf_fn fn); + static void rewatch_config_file(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *ptr) diff --git a/security/sssd/files/patch-src__providers__data_provider_be.c b/security/sssd/files/patch-src__providers__data_provider_be.c new file mode 100644 index 000000000000..af962a437c96 --- /dev/null +++ b/security/sssd/files/patch-src__providers__data_provider_be.c 
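Review bot: The added `strchrnul` in the confdb.c patch is defined unconditionally and with external linkage, so it becomes a global symbol of whatever links confdb.c and will conflict on any system whose <string.h> declares the function itself. Make it file-local, `static char *strchrnul(const char *s, int ch) {`, and compile it only when a configure-time check finds the function missing. A short comment noting that it is a compatibility shim for platforms without the GNU extension would tell the next maintainer when it can be removed.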
@@ -0,0 +1,29 @@ +--- ./src/providers/data_provider_be.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/data_provider_be.c 2011-10-13 12:15:03.000000000 -0400 +@@ -512,7 +512,7 @@ + return EIO; + } + +- pd->pam_status = PAM_SYSTEM_ERR; ++ pd->pam_status = PAM_SERVICE_ERR; + pd->domain = talloc_strdup(pd, becli->bectx->domain->name); + if (pd->domain == NULL) { + talloc_free(be_req); +@@ -1013,7 +1013,7 @@ + if (!handle) { + DEBUG(0, ("Unable to load %s module with path (%s), error: %s\n", + mod_name, path, dlerror())); +- ret = ELIBACC; ++ ret = ENOENT; + goto done; + } + +@@ -1033,7 +1033,7 @@ + } else { + DEBUG(0, ("Unable to load init fn %s from module %s, error: %s\n", + mod_init_fn_name, mod_name, dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + } + goto done; + } diff --git a/security/sssd/files/patch-src__providers__fail_over.c b/security/sssd/files/patch-src__providers__fail_over.c new file mode 100644 index 000000000000..07782702e2b9 --- /dev/null +++ b/security/sssd/files/patch-src__providers__fail_over.c @@ -0,0 +1,27 @@ +--- ./src/providers/fail_over.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/fail_over.c 2011-10-13 12:15:03.000000000 -0400 +@@ -1191,7 +1191,7 @@ + *******************************************************************/ + struct resolve_get_domain_state { + char *fqdn; +- char hostname[HOST_NAME_MAX]; ++ char hostname[_POSIX_HOST_NAME_MAX]; + }; + + static void resolve_get_domain_done(struct tevent_req *subreq); +@@ -1211,13 +1211,13 @@ + return NULL; + } + +- ret = gethostname(state->hostname, HOST_NAME_MAX); ++ ret = gethostname(state->hostname, _POSIX_HOST_NAME_MAX); + if (ret) { + ret = errno; + DEBUG(2, ("gethostname() failed: [%d]: %s\n",ret, strerror(ret))); + return NULL; + } +- state->hostname[HOST_NAME_MAX-1] = '\0'; ++ state->hostname[_POSIX_HOST_NAME_MAX-1] = '\0'; + DEBUG(7, ("Host name is: %s\n", state->hostname)); + + subreq = resolv_gethostbyname_send(state, ev, resolv, 
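Review bot: Both module-loading failures are now reported as `ENOENT`: the failed load (previously `ELIBACC`) and the missing init function (previously `ELIBBAD`). The callers are outside this hunk, but if any of them treats `ENOENT` as "no provider configured" and carries on, a module that is configured but cannot be loaded would be skipped silently instead of stopping the backend; that is worth confirming for the auth and access providers in particular. Prefer an errno that cannot be read that way, for example `ret = EIO;`, or define local fallback values for the two constants that are missing on this platform.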
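Review bot: `_POSIX_HOST_NAME_MAX` in the fail_over.c patch is the smallest limit POSIX allows a system to have, not this system's limit, so `char hostname[_POSIX_HOST_NAME_MAX];` can be shorter than a valid host name and `gethostname()` may return a truncated name that is then used for the lookup. Size the buffer from the platform constant instead, `char hostname[MAXHOSTNAMELEN];`, call `gethostname(state->hostname, sizeof(state->hostname))` and terminate at `sizeof(state->hostname) - 1`. The same substitution is made in the patch for src/providers/ipa/ipa_common.c and needs the same change.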
diff --git a/security/sssd/files/patch-src__providers__ipa__ipa_common.c b/security/sssd/files/patch-src__providers__ipa__ipa_common.c new file mode 100644 index 000000000000..b3ac2f27c938 --- /dev/null +++ b/security/sssd/files/patch-src__providers__ipa__ipa_common.c @@ -0,0 +1,28 @@ +--- ./src/providers/ipa/ipa_common.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ipa/ipa_common.c 2011-10-13 12:15:03.000000000 -0400 +@@ -191,7 +191,7 @@ + char *ipa_hostname; + int ret; + int i; +- char hostname[HOST_NAME_MAX + 1]; ++ char hostname[_POSIX_HOST_NAME_MAX + 1]; + + opts = talloc_zero(memctx, struct ipa_options); + if (!opts) return ENOMEM; +@@ -220,14 +220,14 @@ + + ipa_hostname = dp_opt_get_string(opts->basic, IPA_HOSTNAME); + if (ipa_hostname == NULL) { +- ret = gethostname(hostname, HOST_NAME_MAX); ++ ret = gethostname(hostname, _POSIX_HOST_NAME_MAX); + if (ret != EOK) { + DEBUG(1, ("gethostname failed [%d][%s].\n", errno, + strerror(errno))); + ret = errno; + goto done; + } +- hostname[HOST_NAME_MAX] = '\0'; ++ hostname[_POSIX_HOST_NAME_MAX] = '\0'; + DEBUG(9, ("Setting ipa_hostname to [%s].\n", hostname)); + ret = dp_opt_set_string(opts->basic, IPA_HOSTNAME, hostname); + if (ret != EOK) { diff --git a/security/sssd/files/patch-src__providers__krb5__krb5_child.c b/security/sssd/files/patch-src__providers__krb5__krb5_child.c new file mode 100644 index 000000000000..5664e0c4c782 --- /dev/null +++ b/security/sssd/files/patch-src__providers__krb5__krb5_child.c 
@@ -0,0 +1,377 @@ +--- ./src/providers/krb5/krb5_child.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/krb5/krb5_child.c 2011-10-13 12:15:03.000000000 -0400 +@@ -39,6 +39,15 @@ + + #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw" + ++typedef struct _krb5_ticket_times { ++ krb5_timestamp authtime; /* XXX ? should ktime in KDC_REP == authtime ++ in ticket? otherwise client can't get this */ ++ krb5_timestamp starttime; /* optional in ticket, if not present, ++ use authtime */ ++ krb5_timestamp endtime; ++ krb5_timestamp renew_till; ++} krb5_ticket_times; ++ + struct krb5_child_ctx { + /* opts taken from kinit */ + /* in seconds */ +@@ -100,10 +109,10 @@ + + static krb5_context krb5_error_ctx; + static const char *__krb5_error_msg; +-#define KRB5_DEBUG(level, krb5_error) do { \ +- __krb5_error_msg = sss_krb5_get_error_message(krb5_error_ctx, krb5_error); \ ++#define KRB5_DEBUG(level, krb5_error, ctx) do { \ ++ __krb5_error_msg = sss_krb5_get_error_message(ctx, krb5_error); \ + DEBUG(level, ("%d: [%d][%s]\n", __LINE__, krb5_error, __krb5_error_msg)); \ +- sss_krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \ ++ sss_krb5_free_error_message(ctx, __krb5_error_msg); \ + } while(0); + + static void sss_krb5_expire_callback_func(krb5_context context, void *data, +@@ -267,13 +276,13 @@ + + kerr = krb5_cc_resolve(ctx, tmp_ccname, &tmp_cc); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + + kerr = krb5_cc_initialize(ctx, tmp_cc, princ); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + if (fd != -1) { +@@ -284,7 +293,7 @@ + if (creds == NULL) { + kerr = create_empty_cred(ctx, princ, &l_cred); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + } else { +@@ -293,13 +302,13 @@ + + kerr = krb5_cc_store_cred(ctx, tmp_cc, l_cred); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + + kerr = 
krb5_cc_close(ctx, tmp_cc); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + tmp_cc = NULL; +@@ -420,7 +429,7 @@ + talloc_zfree(msg); + } + } else { +- krb5_msg = sss_krb5_get_error_message(krb5_error_ctx, kerr); ++ krb5_msg = sss_krb5_get_error_message(kr->ctx, kerr); + if (krb5_msg == NULL) { + DEBUG(1, ("sss_krb5_get_error_message failed.\n")); + return NULL; +@@ -429,7 +438,7 @@ + ret = pam_add_response(kr->pd, SSS_PAM_SYSTEM_INFO, + strlen(krb5_msg) + 1, + (const uint8_t *) krb5_msg); +- sss_krb5_free_error_message(krb5_error_ctx, krb5_msg); ++ sss_krb5_free_error_message(kr->ctx, krb5_msg); + } + if (ret != EOK) { + DEBUG(1, ("pam_add_response failed.\n")); +@@ -527,7 +536,7 @@ + break; + } + +- kerr = krb5_free_keytab_entry_contents(kr->ctx, &entry); ++ kerr = krb5_kt_free_entry(kr->ctx, &entry); + if (kerr != 0) { + DEBUG(1, ("Failed to free keytab entry.\n")); + } +@@ -575,7 +584,7 @@ + if (krb5_kt_close(kr->ctx, keytab) != 0) { + DEBUG(1, ("krb5_kt_close failed")); + } +- if (krb5_free_keytab_entry_contents(kr->ctx, &entry) != 0) { ++ if (krb5_kt_free_entry(kr->ctx, &entry) != 0) { + DEBUG(1, ("Failed to free keytab entry.\n")); + } + if (principal != NULL) { +@@ -605,13 +614,13 @@ + kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL, + &options); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + return kerr; + } + + kerr = create_ccache_file(ctx, princ, ccname, &creds); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, ctx); + goto done; + } + kerr = 0; +@@ -633,21 +642,21 @@ + sss_krb5_expire_callback_func, + kr); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + DEBUG(1, ("Failed to set expire callback, continue without.\n")); + } + kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, + password, sss_krb5_prompter, kr, 0, + NULL, kr->options); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, 
kr->ctx); + return kerr; + } + + if (kr->validate) { + kerr = validate_tgt(kr); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + return kerr; + } + +@@ -668,7 +677,7 @@ + + kerr = create_ccache_file(kr->ctx, kr->princ, kr->ccname, kr->creds); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + +@@ -692,7 +701,7 @@ + krb5_error_code kerr = 0; + char *pass_str = NULL; + char *newpass_str = NULL; +- int pam_status = PAM_SYSTEM_ERR; ++ int pam_status = PAM_SERVICE_ERR; + int result_code = -1; + krb5_data result_code_string; + krb5_data result_string; +@@ -734,7 +743,7 @@ + changepw_princ, + kr->options); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + if (kerr == KRB5_KDC_UNREACH) { + pam_status = PAM_AUTHINFO_UNAVAIL; + } +@@ -773,7 +782,7 @@ + + if (kerr != 0 || result_code != 0) { + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + } else { + kerr = KRB5KRB_ERR_GENERIC; + } +@@ -825,7 +834,7 @@ + memset(kr->pd->newauthtok, 0, kr->pd->newauthtok_size); + + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + if (kerr == KRB5_KDC_UNREACH) { + pam_status = PAM_AUTHINFO_UNAVAIL; + } +@@ -846,7 +855,7 @@ + krb5_error_code kerr = 0; + char *pass_str = NULL; + char *changepw_princ = NULL; +- int pam_status = PAM_SYSTEM_ERR; ++ int pam_status = PAM_SERVICE_ERR; + + if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) { + pam_status = PAM_CRED_INSUFFICIENT; +@@ -881,7 +890,7 @@ + kr->options, + NULL, NULL); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + DEBUG(1, ("Failed to unset expire callback, continue ...\n")); + } + kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, +@@ -899,7 +908,7 @@ + memset(kr->pd->authtok, 0, kr->pd->authtok_size); + + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + switch (kerr) { + case KRB5_KDC_UNREACH: + pam_status = 
PAM_AUTHINFO_UNAVAIL; +@@ -911,7 +920,7 @@ + pam_status = PAM_CRED_ERR; + break; + default: +- pam_status = PAM_SYSTEM_ERR; ++ pam_status = PAM_SERVICE_ERR; + } + } + +@@ -981,13 +990,13 @@ + + kerr = krb5_cc_resolve(kr->ctx, ccname, &ccache); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + + kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + if (kerr == KRB5_KDC_UNREACH) { + status = PAM_AUTHINFO_UNAVAIL; + } +@@ -997,7 +1006,7 @@ + if (kr->validate) { + kerr = validate_tgt(kr); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + +@@ -1019,13 +1028,13 @@ + + kerr = krb5_cc_initialize(kr->ctx, ccache, kr->princ); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + + kerr = krb5_cc_store_cred(kr->ctx, ccache, kr->creds); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto done; + } + +@@ -1059,8 +1068,8 @@ + + ret = create_ccache_file(kr->ctx, kr->princ, kr->ccname, NULL); + if (ret != 0) { +- KRB5_DEBUG(1, ret); +- pam_status = PAM_SYSTEM_ERR; ++ KRB5_DEBUG(1, ret, kr->ctx); ++ pam_status = PAM_SERVICE_ERR; + } + + ret = sendresponse(fd, ret, pam_status, kr); +@@ -1375,19 +1384,20 @@ + + kerr = krb5_init_context(&kr->ctx); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ /* FIXME: This sucks */ ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + + kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + + kerr = krb5_unparse_name(kr->ctx, kr->princ, &kr->name); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + +@@ -1400,18 +1410,18 @@ + + kerr = sss_krb5_get_init_creds_opt_alloc(kr->ctx, &kr->options); + if (kerr != 0) { +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, 
kerr, kr->ctx); + goto failed; + } + + /* A prompter is used to catch messages about when a password will + * expired. The library shall not use the prompter to ask for a new password + * but shall return KRB5KDC_ERR_KEY_EXP. */ +- krb5_get_init_creds_opt_set_change_password_prompt(kr->options, 0); +- if (kerr != 0) { +- KRB5_DEBUG(1, kerr); +- goto failed; +- } ++ // krb5_get_init_creds_opt_set_change_password_prompt(kr->options, 0); ++ // if (kerr != 0) { ++ // KRB5_DEBUG(1, kerr, kr->ctx); ++ // goto failed; ++ // } + + lifetime_str = getenv(SSSD_KRB5_RENEWABLE_LIFETIME); + if (lifetime_str == NULL) { +@@ -1422,7 +1432,7 @@ + if (kerr != 0) { + DEBUG(1, ("krb5_string_to_deltat failed for [%s].\n", + lifetime_str)); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + krb5_get_init_creds_opt_set_renew_life(kr->options, lifetime); +@@ -1437,7 +1447,7 @@ + if (kerr != 0) { + DEBUG(1, ("krb5_string_to_deltat failed for [%s].\n", + lifetime_str)); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + krb5_get_init_creds_opt_set_tkt_life(kr->options, lifetime); +@@ -1486,7 +1496,7 @@ + kr, &kr->fast_ccname); + if (kerr != 0) { + DEBUG(1, ("check_fast_ccache failed.\n")); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + +@@ -1496,7 +1506,7 @@ + if (kerr != 0) { + DEBUG(1, ("sss_krb5_get_init_creds_opt_set_fast_ccache_name " + "failed.\n")); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + +@@ -1507,7 +1517,7 @@ + if (kerr != 0) { + DEBUG(1, ("sss_krb5_get_init_creds_opt_set_fast_flags " + "failed.\n")); +- KRB5_DEBUG(1, kerr); ++ KRB5_DEBUG(1, kerr, kr->ctx); + goto failed; + } + } diff --git a/security/sssd/files/patch-src__providers__krb5__krb5_utils.c b/security/sssd/files/patch-src__providers__krb5__krb5_utils.c new file mode 100644 index 000000000000..60a59e873a67 --- /dev/null +++ b/security/sssd/files/patch-src__providers__krb5__krb5_utils.c 
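Review bot: After `krb5_init_context(&kr->ctx)` fails, the new code calls `KRB5_DEBUG(1, kerr, kr->ctx)`, which hands the context that was just not created to `sss_krb5_get_error_message`; the added `FIXME` acknowledges this but leaves it in. Log the code without a context on that one path, `DEBUG(1, ("krb5_init_context failed [%d].\n", kerr));`. Further down, the call to `krb5_get_init_creds_opt_set_change_password_prompt` is commented out with `//` while the comment above it still says the library shall not prompt for a new password. Replace the dead lines with a comment stating why the call is unavailable in this build and what now happens when a password has expired.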
@@ -0,0 +1,17 @@ +--- ./src/providers/krb5/krb5_utils.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/krb5/krb5_utils.c 2011-10-13 12:15:03.000000000 -0400 +@@ -435,10 +435,10 @@ + } + + server_name = talloc_asprintf(NULL, "krbtgt/%.*s@%.*s", +- krb5_princ_realm(ctx, client_princ)->length, +- krb5_princ_realm(ctx, client_princ)->data, +- krb5_princ_realm(ctx, client_princ)->length, +- krb5_princ_realm(ctx, client_princ)->data); ++ krb5_realm_length(krb5_princ_realm(ctx, client_princ)), ++ krb5_princ_realm(ctx, client_princ), ++ krb5_realm_length(krb5_princ_realm(ctx, client_princ)), ++ krb5_princ_realm(ctx, client_princ)); + if (server_name == NULL) { + kerr = KRB5_CC_NOMEM; + DEBUG(1, ("talloc_asprintf failed.\n")); diff --git a/security/sssd/files/patch-src__providers__ldap__ldap_auth.c b/security/sssd/files/patch-src__providers__ldap__ldap_auth.c new file mode 100644 index 000000000000..6e035e808891 --- /dev/null +++ b/security/sssd/files/patch-src__providers__ldap__ldap_auth.c 
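Review bot: The arguments now paired with each `%.*s` in the `talloc_asprintf` call are not visibly an `int` precision and a `char *`. The patch passes `krb5_realm_length(krb5_princ_realm(ctx, client_princ))` and the bare `krb5_princ_realm(ctx, client_princ)` result where the old code passed `->length` and `->data`. If `krb5_princ_realm()` in the Kerberos library this port builds against returns a pointer to the realm object rather than to its characters (not shown on this page, so confirm against its header), the format reads the wrong memory while building the `krbtgt/...` server name. I would cast the precision explicitly, `(int) krb5_realm_length(...)`, and pass the realm's character data instead of the accessor result. The same pattern is introduced in the first hunk of patch-src__util__sss_krb5.c, and the enclosing function starts and ends outside the hunk.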
@@ -0,0 +1,197 @@ +--- ./src/providers/ldap/ldap_auth.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ldap/ldap_auth.c 2011-10-13 12:15:03.000000000 -0400 +@@ -37,7 +37,6 @@ + #include <sys/time.h> + #include <strings.h> + +-#include <shadow.h> + #include <security/pam_modules.h> + + #include "util/util.h" +@@ -46,6 +45,7 @@ + #include "providers/ldap/ldap_common.h" + #include "providers/ldap/sdap_async.h" + ++ + /* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the + * fact that using the expiration time of a Kerberos password with LDAP + * authentication is presumably a rare case a separate config option is not +@@ -59,6 +59,22 @@ + PWEXPIRE_SHADOW + }; + ++struct spwd ++{ ++ char *sp_namp; /* Login name. */ ++ char *sp_pwdp; /* Encrypted password. */ ++ long int sp_lstchg; /* Date of last change. */ ++ long int sp_min; /* Minimum number of days between changes. */ ++ long int sp_max; /* Maximum number of days between changes. */ ++ long int sp_warn; /* Number of days to warn user to change ++ the password. */ ++ long int sp_inact; /* Number of days the account may be ++ inactive. */ ++ long int sp_expire; /* Number of days since 1970-01-01 until ++ account expires. */ ++ unsigned long int sp_flag; /* Reserved. 
*/ ++}; ++ + static errno_t add_expired_warning(struct pam_data *pd, long exp_time) + { + int ret; +@@ -111,17 +127,16 @@ + return EINVAL; + } + ++ tzset(); + expire_time = mktime(&tm); + if (expire_time == -1) { + DEBUG(1, ("mktime failed to convert [%s].\n", expire_date)); + return EINVAL; + } + +- tzset(); +- expire_time -= timezone; +- DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] timezone [%d] " +- "daylight [%d] now [%d] expire_time [%d].\n", tzname[0], +- tzname[1], timezone, daylight, now, expire_time)); ++ DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s]" ++ "now [%d] expire_time [%d].\n", tzname[0], ++ tzname[1], now, expire_time)); + + if (difftime(now, expire_time) > 0.0) { + DEBUG(4, ("Kerberos password expired.\n")); +@@ -742,7 +757,7 @@ + + DEBUG(2, ("starting password change request for user [%s].\n", pd->user)); + +- pd->pam_status = PAM_SYSTEM_ERR; ++ pd->pam_status = PAM_SERVICE_ERR; + + if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) { + DEBUG(2, ("chpass target was called by wrong pam command.\n")); +@@ -799,7 +814,7 @@ + &pw_expire_type, &pw_expire_data); + talloc_zfree(req); + if (ret) { +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + +@@ -819,7 +834,7 @@ + &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_shadow failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -828,14 +843,14 @@ + &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_kerberos failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + + if (result == SDAP_AUTH_PW_EXPIRED) { + DEBUG(1, ("LDAP provider cannot change kerberos " + "passwords.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -844,7 +859,7 @@ + break; + default: + DEBUG(1, ("Unknow pasword expiration 
type.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + } +@@ -884,7 +899,7 @@ + dp_err = DP_ERR_OFFLINE; + break; + default: +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + } + + done: +@@ -905,7 +920,7 @@ + ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message); + talloc_zfree(req); + if (ret) { +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + +@@ -964,7 +979,7 @@ + goto done; + } + +- pd->pam_status = PAM_SYSTEM_ERR; ++ pd->pam_status = PAM_SERVICE_ERR; + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: +@@ -1021,7 +1036,7 @@ + &pw_expire_type, &pw_expire_data); + talloc_zfree(req); + if (ret != EOK) { +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + dp_err = DP_ERR_FATAL; + goto done; + } +@@ -1033,7 +1048,7 @@ + state->pd, &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_shadow failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -1042,7 +1057,7 @@ + state->pd, &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_kerberos failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -1050,7 +1065,7 @@ + ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result); + if (ret != EOK) { + DEBUG(1, ("check_pwexpire_ldap failed.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + break; +@@ -1058,7 +1073,7 @@ + break; + default: + DEBUG(1, ("Unknow pasword expiration type.\n")); +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ state->pd->pam_status = PAM_SERVICE_ERR; + goto done; + } + } +@@ -1080,7 +1095,7 @@ + state->pd->pam_status = PAM_NEW_AUTHTOK_REQD; + break; + default: +- state->pd->pam_status = PAM_SYSTEM_ERR; ++ 
state->pd->pam_status = PAM_SERVICE_ERR; + dp_err = DP_ERR_FATAL; + } + diff --git a/security/sssd/files/patch-src__providers__ldap__ldap_child.c b/security/sssd/files/patch-src__providers__ldap__ldap_child.c new file mode 100644 index 000000000000..f4ad031850f7 --- /dev/null +++ b/security/sssd/files/patch-src__providers__ldap__ldap_child.c @@ -0,0 +1,43 @@ +--- ./src/providers/ldap/ldap_child.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ldap/ldap_child.c 2011-10-13 12:15:03.000000000 -0400 +@@ -165,7 +165,7 @@ + } + + realm_name = talloc_strdup(memctx, default_realm); +- krb5_free_default_realm(context, default_realm); ++ free(default_realm); + if (!realm_name) { + krberr = KRB5KRB_ERR_GENERIC; + goto done; +@@ -279,20 +279,20 @@ + goto done; + } + +- krberr = krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec); +- if (krberr) { +- DEBUG(2, ("Failed to get KDC time offset: %s\n", +- sss_krb5_get_error_message(context, krberr))); +- kdc_time_offset = 0; +- } else { +- if (kdc_time_offset_usec > 0) { +- kdc_time_offset++; +- } +- } ++ // krberr = krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec); ++ // if (krberr) { ++ // DEBUG(2, ("Failed to get KDC time offset: %s\n", ++ // sss_krb5_get_error_message(context, krberr))); ++ // kdc_time_offset = 0; ++ // } else { ++ // if (kdc_time_offset_usec > 0) { ++ // kdc_time_offset++; ++ // } ++ // } + + krberr = 0; + *ccname_out = ccname; +- *expire_time_out = my_creds.times.endtime - kdc_time_offset; ++ *expire_time_out = my_creds.times.endtime; + + done: + if (keytab) krb5_kt_close(context, keytab); diff --git a/security/sssd/files/patch-src__providers__ldap__ldap_common.c b/security/sssd/files/patch-src__providers__ldap__ldap_common.c new file mode 100644 index 000000000000..400b33e6a3bc --- /dev/null +++ b/security/sssd/files/patch-src__providers__ldap__ldap_common.c 
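Review bot: Dropping `expire_time -= timezone;` in the `@@ -111,17 +127,16 @@` hunk leaves `expire_time` as whatever `mktime()` computes for local time, so the `difftime(now, expire_time)` expiry test shifts by the host's UTC offset. The removed correction suggests the parsed expiration stamp is meant to be UTC (the parsing is outside the hunk, so confirm). If so, `expire_time = timegm(&tm);` keeps the comparison correct without the `timezone` global, and `tzset()` is then needed only for the `tzname` debug output. The `@@ -502,18 +500,17 @@` hunk of patch-src__providers__ldap__sdap_access.c makes the same change ahead of its "NDS account expired" check. The rewritten debug string here also lost the space between `[%s]` and `now`.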
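Review bot: With the `krb5_get_time_offsets()` block commented out, `*expire_time_out` becomes `my_creds.times.endtime` with no allowance for clock skew between this host and the KDC. Any caller that schedules renewal from this value may therefore act after the ticket has already lapsed on the KDC side. If the function is simply missing from the Kerberos library used here, a configure-time check that keeps the adjustment where it exists would be safer than disabling it for every build, and the dead `//` lines should be removed rather than shipped. `kdc_time_offset` and `kdc_time_offset_usec` are presumably left declared but unused; their declarations are outside the hunk.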
@@ -0,0 +1,11 @@ +--- ./src/providers/ldap/ldap_common.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ldap/ldap_common.c 2011-10-13 12:15:03.000000000 -0400 +@@ -749,7 +749,7 @@ + } + + realm = talloc_strdup(mem_ctx, krb5_realm); +- krb5_free_default_realm(context, krb5_realm); ++ free(krb5_realm); + if (!realm) { + DEBUG(0, ("Out of memory\n")); + goto done; diff --git a/security/sssd/files/patch-src__providers__ldap__sdap_access.c b/security/sssd/files/patch-src__providers__ldap__sdap_access.c new file mode 100644 index 000000000000..d27caf17ee99 --- /dev/null +++ b/security/sssd/files/patch-src__providers__ldap__sdap_access.c 
@@ -0,0 +1,177 @@ +--- ./src/providers/ldap/sdap_access.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/ldap/sdap_access.c 2011-10-13 12:15:03.000000000 -0400 +@@ -22,9 +22,7 @@ + along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +-#define _XOPEN_SOURCE 500 /* for strptime() */ + #include <time.h> +-#undef _XOPEN_SOURCE + #include <sys/param.h> + #include <security/pam_modules.h> + #include <talloc.h> +@@ -119,7 +117,7 @@ + pd); + if (req == NULL) { + DEBUG(1, ("Unable to start sdap_access request\n")); +- sdap_access_reply(breq, PAM_SYSTEM_ERR); ++ sdap_access_reply(breq, PAM_SERVICE_ERR); + return; + } + +@@ -157,7 +155,7 @@ + + state->be_ctx = be_ctx; + state->pd = pd; +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + state->ev = ev; + state->access_ctx = access_ctx; + state->current_rule = 0; +@@ -502,18 +500,17 @@ + return true; + } + ++ tzset(); + expire_time = mktime(&tm); + if (expire_time == -1) { + DEBUG(1, ("mktime failed to convert [%s].\n", exp_time_str)); + return true; + } + +- tzset(); +- expire_time -= timezone; + now = time(NULL); +- DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] timezone [%d] " +- "daylight [%d] now [%d] expire_time [%d].\n", tzname[0], +- tzname[1], timezone, daylight, now, expire_time)); ++ DEBUG(9, ("Time info: tzname[0] [%s] tzname[1] [%s] " ++ "now [%d] expire_time [%d].\n", tzname[0], ++ tzname[1], now, expire_time)); + + if (difftime(now, expire_time) > 0.0) { + DEBUG(4, ("NDS account expired.\n")); +@@ -663,7 +660,7 @@ + return NULL; + } + +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + + expire = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic, + SDAP_ACCOUNT_EXPIRE_POLICY); +@@ -747,7 +744,7 @@ + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, ret); + 
return; + } +@@ -807,7 +804,7 @@ + state->filter = NULL; + state->be_ctx = be_ctx; + state->username = username; +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + state->sdap_ctx = access_ctx->id_ctx; + state->ev = ev; + state->access_ctx = access_ctx; +@@ -953,7 +950,7 @@ + SDAP_SEARCH_TIMEOUT)); + if (subreq == NULL) { + DEBUG(1, ("Could not start LDAP communication\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, EIO); + return; + } +@@ -984,13 +981,13 @@ + if (ret == EOK) { + return; + } +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + } else if (dp_error == DP_ERR_OFFLINE) { + sdap_access_filter_decide_offline(req); + } else { + DEBUG(1, ("sdap_get_generic_send() returned error [%d][%s]\n", + ret, strerror(ret))); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + } + + goto done; +@@ -1009,7 +1006,7 @@ + else if (results == NULL) { + DEBUG(1, ("num_results > 0, but results is NULL\n")); + ret = EIO; +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + goto done; + } + else if (num_results > 1) { +@@ -1018,7 +1015,7 @@ + */ + DEBUG(1, ("Received multiple replies\n")); + ret = EIO; +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + goto done; + } + else { /* Ok, we got a single reply */ +@@ -1106,7 +1103,7 @@ + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, ret); + return; + } +@@ -1247,7 +1244,7 @@ + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, ret); + return; + } +@@ -1274,7 +1271,7 @@ + struct ldb_message_element *el; + unsigned int i; + char 
*host; +- char hostname[HOST_NAME_MAX+1]; ++ char hostname[_POSIX_HOST_NAME_MAX+1]; + + req = tevent_req_create(mem_ctx, &state, struct sdap_access_host_ctx); + if (!req) { +@@ -1370,7 +1367,7 @@ + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- state->pam_status = PAM_SYSTEM_ERR; ++ state->pam_status = PAM_SERVICE_ERR; + tevent_req_error(req, ret); + return; + } +@@ -1395,7 +1392,7 @@ + static void sdap_access_done(struct tevent_req *req) + { + errno_t ret; +- int pam_status = PAM_SYSTEM_ERR; ++ int pam_status = PAM_SERVICE_ERR; + struct be_req *breq = + tevent_req_callback_data(req, struct be_req); + +@@ -1403,7 +1400,7 @@ + talloc_zfree(req); + if (ret != EOK) { + DEBUG(1, ("Error retrieving access check result.\n")); +- pam_status = PAM_SYSTEM_ERR; ++ pam_status = PAM_SERVICE_ERR; + } + + sdap_access_reply(breq, pam_status); diff --git a/security/sssd/files/patch-src__providers__proxy__proxy_init.c b/security/sssd/files/patch-src__providers__proxy__proxy_init.c new file mode 100644 index 000000000000..cbd6a6f2237b --- /dev/null +++ b/security/sssd/files/patch-src__providers__proxy__proxy_init.c 
@@ -0,0 +1,97 @@ +--- ./src/providers/proxy/proxy_init.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/providers/proxy/proxy_init.c 2011-10-13 12:15:03.000000000 -0400 +@@ -124,7 +124,7 @@ + if (!ctx->handle) { + DEBUG(0, ("Unable to load %s module with path, error: %s\n", + libpath, dlerror())); +- ret = ELIBACC; ++ ret = ENOENT; + goto done; + } + +@@ -132,7 +132,7 @@ + libname); + if (!ctx->ops.getpwnam_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -140,14 +140,14 @@ + libname); + if (!ctx->ops.getpwuid_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + + ctx->ops.setpwent = proxy_dlsym(ctx->handle, "_nss_%s_setpwent", libname); + if (!ctx->ops.setpwent) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -155,14 +155,14 @@ + libname); + if (!ctx->ops.getpwent_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + + ctx->ops.endpwent = proxy_dlsym(ctx->handle, "_nss_%s_endpwent", libname); + if (!ctx->ops.endpwent) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -170,7 +170,7 @@ + libname); + if (!ctx->ops.getgrnam_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -178,14 +178,14 @@ + libname); + if (!ctx->ops.getgrgid_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + + ctx->ops.setgrent = proxy_dlsym(ctx->handle, "_nss_%s_setgrent", libname); + if (!ctx->ops.setgrent) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + +@@ -193,14 +193,14 @@ + libname); + if 
(!ctx->ops.getgrent_r) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + + ctx->ops.endgrent = proxy_dlsym(ctx->handle, "_nss_%s_endgrent", libname); + if (!ctx->ops.endgrent) { + DEBUG(0, ("Failed to load NSS fns, error: %s\n", dlerror())); +- ret = ELIBBAD; ++ ret = ENOENT; + goto done; + } + diff --git a/security/sssd/files/patch-src__resolv__async_resolv.c b/security/sssd/files/patch-src__resolv__async_resolv.c new file mode 100644 index 000000000000..ab308eb302c4 --- /dev/null +++ b/security/sssd/files/patch-src__resolv__async_resolv.c @@ -0,0 +1,19 @@ +--- ./src/resolv/async_resolv.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/resolv/async_resolv.c 2011-10-13 12:15:03.000000000 -0400 +@@ -1073,7 +1073,6 @@ + hints.ai_flags = AI_NUMERICHOST; /* No network lookups */ + + ret = getaddrinfo(name, NULL, &hints, &res); +- freeaddrinfo(res); + if (ret != 0) { + if (ret == -2) { + DEBUG(9, ("[%s] does not look like an IP address\n", name)); +@@ -1081,6 +1080,8 @@ + DEBUG(2, ("getaddrinfo failed [%d]: %s\n", + ret, gai_strerror(ret))); + } ++ } else { ++ freeaddrinfo(res); + } + + return ret == 0; diff --git a/security/sssd/files/patch-src__responder__common__responder_common.c b/security/sssd/files/patch-src__responder__common__responder_common.c new file mode 100644 index 000000000000..9a60b2b5aa47 --- /dev/null +++ b/security/sssd/files/patch-src__responder__common__responder_common.c @@ -0,0 +1,11 @@ +--- ./src/responder/common/responder_common.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/responder/common/responder_common.c 2011-10-13 12:15:03.000000000 -0400 +@@ -195,7 +195,7 @@ + talloc_free(cctx); + break; + +- case ENODATA: ++ case ECONNRESET: + DEBUG(5, ("Client disconnected!\n")); + talloc_free(cctx); + break; 
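Review bot: In patch-src__resolv__async_resolv.c the error branch kept by the hunk still tests `ret == -2`, a literal that matches `EAI_NONAME` only on C libraries that happen to use that number. Writing it as `if (ret == EAI_NONAME) {` keeps the "does not look like an IP address" case at debug level 9 on this platform too, instead of reporting every non-numeric name as a `getaddrinfo` failure at level 2. Moving `freeaddrinfo(res)` into the success branch is right, since `res` is not valid when the call fails. The function body continues outside the hunk.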
diff --git a/security/sssd/files/patch-src__responder__common__responder_dp.c b/security/sssd/files/patch-src__responder__common__responder_dp.c new file mode 100644 index 000000000000..a8c08ff19374 --- /dev/null +++ b/security/sssd/files/patch-src__responder__common__responder_dp.c @@ -0,0 +1,20 @@ +--- ./src/responder/common/responder_dp.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/responder/common/responder_dp.c 2011-10-13 12:15:03.000000000 -0400 +@@ -210,7 +210,7 @@ + &sdp_req->err_min, + &sdp_req->err_msg); + if (ret != EOK) { +- if (ret == ETIME) { ++ if (ret == ETIMEDOUT) { + sdp_req->err_maj = DP_ERR_TIMEOUT; + sdp_req->err_min = ret; + sdp_req->err_msg = talloc_strdup(sdp_req, "Request timed out"); +@@ -569,7 +569,7 @@ + case DBUS_MESSAGE_TYPE_ERROR: + if (strcmp(dbus_message_get_error_name(reply), + DBUS_ERROR_NO_REPLY) == 0) { +- err = ETIME; ++ err = ETIMEDOUT; + goto done; + } + DEBUG(0,("The Data Provider returned an error [%s]\n", diff --git a/security/sssd/files/patch-src__responder__common__responder_packet.c b/security/sssd/files/patch-src__responder__common__responder_packet.c new file mode 100644 index 000000000000..30cf77c17248 --- /dev/null +++ b/security/sssd/files/patch-src__responder__common__responder_packet.c @@ -0,0 +1,11 @@ +--- ./src/responder/common/responder_packet.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/responder/common/responder_packet.c 2011-10-13 12:15:03.000000000 -0400 +@@ -192,7 +192,7 @@ + } + + if (rb == 0) { +- return ENODATA; ++ return ECONNRESET; + } + + if (*packet->len > packet->memsize) { diff --git a/security/sssd/files/patch-src__sss_client__common.c b/security/sssd/files/patch-src__sss_client__common.c new file mode 100644 index 000000000000..b5afcd3a3c99 --- /dev/null +++ b/security/sssd/files/patch-src__sss_client__common.c 
@@ -0,0 +1,63 @@ +--- ./src/sss_client/common.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/sss_client/common.c 2011-10-13 12:15:03.000000000 -0400 +@@ -26,6 +26,7 @@ + #include "config.h" + + #include <nss.h> ++#include <nsswitch.h> + #include <security/pam_modules.h> + #include <errno.h> + #include <sys/types.h> +@@ -111,7 +112,6 @@ + *errnop = error; + break; + case 0: +- *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { +@@ -216,7 +216,6 @@ + *errnop = error; + break; + case 0: +- *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { +@@ -638,7 +637,6 @@ + *errnop = error; + break; + case 0: +- *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { +@@ -688,23 +686,23 @@ + /* avoid looping in the nss daemon */ + envval = getenv("_SSS_LOOPS"); + if (envval && strcmp(envval, "NO") == 0) { +- return NSS_STATUS_NOTFOUND; ++ return NS_NOTFOUND; + } + + ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME); + if (ret != SSS_STATUS_SUCCESS) { +- return NSS_STATUS_UNAVAIL; ++ return NS_UNAVAIL; + } + + ret = sss_cli_make_request_nochecks(cmd, rd, repbuf, replen, errnop); + switch (ret) { + case SSS_STATUS_TRYAGAIN: +- return NSS_STATUS_TRYAGAIN; ++ return NS_TRYAGAIN; + case SSS_STATUS_SUCCESS: +- return NSS_STATUS_SUCCESS; ++ return NS_SUCCESS; + case SSS_STATUS_UNAVAIL: + default: +- return NSS_STATUS_UNAVAIL; ++ return NS_UNAVAIL; + } + } + diff --git a/security/sssd/files/patch-src__sss_client__nss_group.c b/security/sssd/files/patch-src__sss_client__nss_group.c new file mode 100644 index 000000000000..5ba574b5b2d5 --- /dev/null +++ b/security/sssd/files/patch-src__sss_client__nss_group.c 
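Review bot: Deleting `*errnop = ETIME;` from the `case 0:` arm of the three poll switches (the hunks at -111, -216 and -638) means a poll timeout no longer records any error. If the code after each switch uses a non-zero `*errnop` to abandon the request (that code is outside the hunks), a timed-out client would carry on as though the socket were ready. Elsewhere this commit replaces `ETIME` with `ETIMEDOUT` (see patch-src__responder__common__responder_dp.c), so `*errnop = ETIMEDOUT;` would keep the timeout path intact here as well.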
@@ -0,0 +1,80 @@ +--- ./src/sss_client/nss_group.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/sss_client/nss_group.c 2011-10-13 12:15:03.000000000 -0400 +@@ -248,6 +248,77 @@ + } + + ++#define MIN(a, b)((a) < (b) ? (a) : (b)) ++ ++gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *grpcnt) ++{ ++ int ret, dupc; ++ ++ for (dupc = 0; dupc < MIN(maxgrp, *grpcnt); dupc++) { ++ if (groups[dupc] == gid) ++ return 1; ++ } ++ ++ ret = 1; ++ if (*grpcnt < maxgrp) ++ groups[*grpcnt] = gid; ++ else ++ ret = 0; ++ ++ (*grpcnt)++; ++ ++ return ret; ++} ++ ++enum nss_status _nss_sss_getgroupmembership(const char *uname, gid_t agroup, gid_t *groups, ++ int maxgrp, int *grpcnt) ++{ ++ struct sss_cli_req_data rd; ++ uint8_t *repbuf; ++ size_t replen; ++ enum nss_status nret; ++ uint32_t *rbuf; ++ uint32_t num_ret; ++ long int l, max_ret; ++ int errnop; ++ ++ rd.len = strlen(uname) +1; ++ rd.data = uname; ++ ++ sss_nss_lock(); ++ ++ nret = sss_nss_make_request(SSS_NSS_INITGR, &rd, ++ &repbuf, &replen, &errnop); ++ if (nret != NSS_STATUS_SUCCESS) { ++ goto out; ++ } ++ ++ /* no results if not found */ ++ num_ret = ((uint32_t *)repbuf)[0]; ++ if (num_ret == 0) { ++ free(repbuf); ++ nret = NSS_STATUS_NOTFOUND; ++ goto out; ++ } ++ max_ret = num_ret; ++ ++ gr_addgid(agroup, groups, maxgrp, grpcnt); ++ ++ rbuf = &((uint32_t *)repbuf)[2]; ++ for (l = 0; l < max_ret; l++) { ++ gr_addgid(rbuf[l], groups, maxgrp, grpcnt); ++ } ++ ++ free(repbuf); ++ nret = NSS_STATUS_SUCCESS; ++ ++out: ++ sss_nss_unlock(); ++ return nret; ++ ++ ++} ++ + enum nss_status _nss_sss_getgrnam_r(const char *name, struct group *result, + char *buffer, size_t buflen, int *errnop) + { diff --git a/security/sssd/files/patch-src__sss_client__pam_test_client.c b/security/sssd/files/patch-src__sss_client__pam_test_client.c new file mode 100644 index 000000000000..106919e56436 --- /dev/null +++ b/security/sssd/files/patch-src__sss_client__pam_test_client.c 
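Review bot: `_nss_sss_getgroupmembership` never compares the reply against `replen`: it reads `num_ret` from `repbuf[0]` and then walks `num_ret` entries starting at `rbuf`, so a short or malformed reply makes the loop read past the end of the buffer. Before the loop, check that the reply holds the two leading words and that the advertised count fits in the bytes actually received, as sketched below. Separately, `gr_addgid` is defined without a return type or `static`, so it relies on implicit `int` and has external linkage; `static int gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *grpcnt)` fixes both. The `MIN` macro should be wrapped in `#ifndef MIN` in case a system header already defines it.

```c
    /* … unchanged: request setup and sss_nss_make_request() call … */

    /* the reply must hold the two leading words before num_ret is read */
    if (replen < 2 * sizeof(uint32_t)) {
        free(repbuf);
        nret = NSS_STATUS_UNAVAIL;
        goto out;
    }

    num_ret = ((uint32_t *)repbuf)[0];
    /* … unchanged: num_ret == 0 returns NSS_STATUS_NOTFOUND … */

    /* the advertised count must fit in the bytes actually received */
    if (num_ret > (replen - 2 * sizeof(uint32_t)) / sizeof(uint32_t)) {
        free(repbuf);
        nret = NSS_STATUS_UNAVAIL;
        goto out;
    }
    max_ret = num_ret;

    /* … unchanged: gr_addgid() calls, free(repbuf) and unlock … */
```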
@@ -0,0 +1,18 @@ +--- ./src/sss_client/pam_test_client.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/sss_client/pam_test_client.c 2011-10-13 12:15:03.000000000 -0400 +@@ -24,12 +24,13 @@ + + #include <stdio.h> + #include <unistd.h> ++#include <string.h> + + #include <security/pam_appl.h> +-#include <security/pam_misc.h> ++#include <security/openpam.h> + + static struct pam_conv conv = { +- misc_conv, ++ openpam_ttyconv, + NULL + }; + diff --git a/security/sssd/files/patch-src__sss_client__sss_nss.exports b/security/sssd/files/patch-src__sss_client__sss_nss.exports new file mode 100644 index 000000000000..8ee95e4e0873 --- /dev/null +++ b/security/sssd/files/patch-src__sss_client__sss_nss.exports @@ -0,0 +1,36 @@ +--- ./src/sss_client/sss_nss.exports.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/sss_client/sss_nss.exports 2011-10-13 12:13:42.000000000 -0400 +@@ -3,6 +3,7 @@ + # public functions + global: + ++ nss_module_register; + _nss_sss_getpwnam_r; + _nss_sss_getpwuid_r; + _nss_sss_setpwent; +@@ -14,8 +15,25 @@ + _nss_sss_setgrent; + _nss_sss_getgrent_r; + _nss_sss_endgrent; ++ _nss_sss_getgroupmembership; + _nss_sss_initgroups_dyn; + ++ __nss_compat_getgrnam_r; ++ __nss_compat_getgrgid_r; ++ __nss_compat_getgrent_r; ++ __nss_compat_setgrent; ++ __nss_compat_endgrent; ++ ++ __nss_compat_getpwnam_r; ++ __nss_compat_getpwuid_r; ++ __nss_compat_getpwent_r; ++ __nss_compat_setpwent; ++ __nss_compat_endpwent; ++ ++ __nss_compat_gethostbyname; ++ __nss_compat_gethostbyname2; ++ __nss_compat_gethostbyaddr; ++ + #_nss_sss_getaliasbyname_r; + #_nss_sss_setaliasent; + #_nss_sss_getaliasent_r; diff --git a/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c b/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c new file mode 100644 index 000000000000..ce04ffd86db6 --- /dev/null +++ b/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c 
@@ -0,0 +1,20 @@ +--- ./src/util/crypto/libcrypto/crypto_sha512crypt.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/crypto/libcrypto/crypto_sha512crypt.c 2011-10-13 12:15:03.000000000 -0400 +@@ -265,7 +265,7 @@ + goto done; + } + +- cp = __stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); ++ cp = stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); + buflen -= SALT_PREF_SIZE; + + if (rounds_custom) { +@@ -283,7 +283,7 @@ + ret = ERANGE; + goto done; + } +- cp = __stpncpy(cp, salt, salt_len); ++ cp = stpncpy(cp, salt, salt_len); + *cp++ = '$'; + buflen -= salt_len + 1; + diff --git a/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c b/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c new file mode 100644 index 000000000000..12631e967506 --- /dev/null +++ b/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c @@ -0,0 +1,29 @@ +--- ./src/util/crypto/nss/nss_sha512crypt.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/crypto/nss/nss_sha512crypt.c 2011-10-13 12:15:03.000000000 -0400 +@@ -10,7 +10,7 @@ + + #include "config.h" + +-#include <endian.h> ++#include <sys/endian.h> + #include <errno.h> + #include <limits.h> + #include <stdbool.h> +@@ -267,7 +267,7 @@ + goto done; + } + +- cp = __stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); ++ cp = stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); + buflen -= SALT_PREF_SIZE; + + if (rounds_custom) { +@@ -285,7 +285,7 @@ + ret = ERANGE; + goto done; + } +- cp = __stpncpy(cp, salt, salt_len); ++ cp = stpncpy(cp, salt, salt_len); + *cp++ = '$'; + buflen -= salt_len + 1; + diff --git a/security/sssd/files/patch-src__util__find_uid.c b/security/sssd/files/patch-src__util__find_uid.c new file mode 100644 index 000000000000..1b518d45a885 --- /dev/null +++ b/security/sssd/files/patch-src__util__find_uid.c 
@@ -0,0 +1,31 @@ +--- ./src/util/find_uid.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/find_uid.c 2011-10-13 12:15:03.000000000 -0400 +@@ -67,7 +67,7 @@ + uint32_t num=0; + errno_t error; + +- ret = snprintf(path, PATHLEN, "/proc/%d/status", pid); ++ ret = snprintf(path, PATHLEN, "/compat/linux/proc/%d/status", pid); + if (ret < 0) { + DEBUG(1, ("snprintf failed")); + return EINVAL; +@@ -204,7 +204,7 @@ + hash_key_t key; + hash_value_t value; + +- proc_dir = opendir("/proc"); ++ proc_dir = opendir("/compat/linux/proc"); + if (proc_dir == NULL) { + ret = errno; + DEBUG(1, ("Cannot open proc dir.\n")); +@@ -278,9 +278,8 @@ + + errno_t get_uid_table(TALLOC_CTX *mem_ctx, hash_table_t **table) + { +-#ifdef __linux__ + int ret; +- ++#if 1 + ret = hash_create_ex(INITIAL_TABLE_SIZE, table, 0, 0, 0, 0, + hash_talloc, hash_talloc_free, mem_ctx, + NULL, NULL); diff --git a/security/sssd/files/patch-src__util__server.c b/security/sssd/files/patch-src__util__server.c new file mode 100644 index 000000000000..8d37670929f0 --- /dev/null +++ b/security/sssd/files/patch-src__util__server.c @@ -0,0 +1,22 @@ +--- ./src/util/server.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/server.c 2011-10-13 12:15:03.000000000 -0400 +@@ -296,14 +296,15 @@ + BlockSignals(false, SIGTERM); + + CatchSignal(SIGHUP, sig_hup); +- + #ifndef HAVE_PRCTL + /* If prctl is not defined on the system, try to handle + * some common termination signals gracefully */ +- CatchSignal(SIGSEGV, sig_segv_abrt); +- CatchSignal(SIGABRT, sig_segv_abrt); ++ /* ++ CatchSignal(SIGSEGV, sig_segv_abrt); ++ CatchSignal(SIGABRT, sig_segv_abrt); ++ */ + #endif +- ++ + } + + /* diff --git a/security/sssd/files/patch-src__util__sss_krb5.c b/security/sssd/files/patch-src__util__sss_krb5.c new file mode 100644 index 000000000000..d0403d313f4d --- /dev/null +++ b/security/sssd/files/patch-src__util__sss_krb5.c 
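Review bot: In patch-src__util__find_uid.c, replacing `#ifdef __linux__` with `#if 1` in `get_uid_table` and hard-coding `/compat/linux/proc` makes the UID lookup depend on a Linux-style proc filesystem being mounted at that path. Nothing in the code says so, and when the path is absent the `opendir()` call fails only at run time. A comment such as `/* FreeBSD port: needs linprocfs mounted on /compat/linux/proc */` above the `opendir()` call, plus a real platform test instead of `#if 1`, would make the requirement visible. The `snprintf()` result in the first hunk is checked only for `ret < 0`; with the longer prefix, `if (ret < 0 || ret >= PATHLEN) {` would also reject a truncated path. Both functions extend beyond the hunks.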
@@ -0,0 +1,58 @@ +--- ./src/util/sss_krb5.c.orig 2011-08-29 11:39:05.000000000 -0400 ++++ ./src/util/sss_krb5.c 2011-10-13 12:15:03.000000000 -0400 +@@ -165,8 +165,8 @@ + + if (_realm) { + *_realm = talloc_asprintf(mem_ctx, "%.*s", +- krb5_princ_realm(ctx, client_princ)->length, +- krb5_princ_realm(ctx, client_princ)->data); ++ krb5_realm_length(krb5_princ_realm(krb_ctx, client_princ)), ++ krb5_princ_realm(krb_ctx, client_princ)); + if (!*_realm) { + DEBUG(1, ("talloc_asprintf failed")); + if (_principal) talloc_zfree(*_principal); +@@ -243,7 +243,7 @@ + } + + realm_name = talloc_strdup(tmp_ctx, default_realm); +- krb5_free_default_realm(context, default_realm); ++ free(default_realm); + if (!realm_name) { + ret = ENOMEM; + goto done; +@@ -322,7 +322,7 @@ + found = true; + } + free(kt_principal); +- krberr = krb5_free_keytab_entry_contents(context, &entry); ++ krberr = krb5_kt_free_entry(context, &entry); + if (krberr) { + /* This should never happen. The API docs for this function + * specify only success for this function +@@ -466,7 +466,7 @@ + break; + } + +- kerr = krb5_free_keytab_entry_contents(ctx, &entry); ++ kerr = krb5_kt_free_entry(ctx, &entry); + if (kerr != 0) { + DEBUG(1, ("Failed to free keytab entry.\n")); + } +@@ -504,7 +504,7 @@ + kerr = 0; + + done: +- kerr_d = krb5_free_keytab_entry_contents(ctx, &entry); ++ kerr_d = krb5_kt_free_entry(ctx, &entry); + if (kerr_d != 0) { + DEBUG(1, ("Failed to free keytab entry.\n")); + } +@@ -540,7 +540,7 @@ + void KRB5_CALLCONV sss_krb5_free_error_message(krb5_context ctx, const char *s) + { + #ifdef HAVE_KRB5_GET_ERROR_MESSAGE +- krb5_free_error_message(ctx, s); ++ free(s); + #else + free(s); + #endif diff --git a/security/sssd/files/patch-src__util__sss_krb5.h b/security/sssd/files/patch-src__util__sss_krb5.h new file mode 100644 index 000000000000..2e028c3c4bd6 --- /dev/null +++ b/security/sssd/files/patch-src__util__sss_krb5.h 
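Review bot: In `sss_krb5_free_error_message` both arms of `#ifdef HAVE_KRB5_GET_ERROR_MESSAGE` now call `free(s)`. That discards the `const` qualifier on `s` and releases a string that presumably came from the Kerberos library with the C allocator rather than the library's own release call. If the library used by this port lacks `krb5_free_error_message`, configure should decide that rather than an edit to the true branch; as written the `#ifdef` no longer selects anything and hides the mismatch. The same substitution of `free()` for `krb5_free_default_realm()` appears in the -243 hunk here and in patch-src__providers__ldap__ldap_child.c and patch-src__providers__ldap__ldap_common.c. Each of those needs a one-line comment stating why plain `free()` is the correct release for that library.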
@@ -0,0 +1,11 @@
+--- ./src/util/sss_krb5.h.orig 2011-08-29 11:39:05.000000000 -0400
++++ ./src/util/sss_krb5.h 2011-10-13 12:15:09.000000000 -0400
+@@ -34,6 +34,8 @@
+
+ #include "util/util.h"
+
++#define KRB5_CALLCONV
++
+ const char * KRB5_CALLCONV sss_krb5_get_error_message (krb5_context,
+ krb5_error_code);
+
diff --git a/security/sssd/files/patch-src__util__sss_ldap.c b/security/sssd/files/patch-src__util__sss_ldap.c
new file mode 100644
index 000000000000..290a931692e3
--- /dev/null
+++ b/security/sssd/files/patch-src__util__sss_ldap.c
@@ -0,0 +1,20 @@
+--- ./src/util/sss_ldap.c.orig 2011-08-29 11:39:05.000000000 -0400
++++ ./src/util/sss_ldap.c 2011-10-13 12:15:03.000000000 -0400
+@@ -267,7 +267,7 @@
+ strerror(ret)));
+ }
+
+- ret = setsockopt(fd, SOL_TCP, TCP_NODELAY, &dummy, sizeof(dummy));
++ ret = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &dummy, sizeof(dummy));
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(5, ("setsockopt TCP_NODELAY failed.[%d][%s].\n", ret,
+@@ -340,7 +340,7 @@
+ DEBUG(9, ("Using file descriptor [%d] for LDAP connection.\n", state->sd));
+
+ subreq = sdap_async_sys_connect_send(state, ev, state->sd,
+- (struct sockaddr *) addr, addr_len);
++ (struct sockaddr *) addr, sizeof(struct sockaddr));
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ DEBUG(1, ("sdap_async_sys_connect_send failed.\n"));
diff --git a/security/sssd/files/patch-src__util__util.c b/security/sssd/files/patch-src__util__util.c
new file mode 100644
index 000000000000..f421e6da53fd
--- /dev/null
+++ b/security/sssd/files/patch-src__util__util.c
@@ -0,0 +1,10 @@
+--- ./src/util/util.c.orig 2011-08-29 11:39:05.000000000 -0400
++++ ./src/util/util.c 2011-10-13 12:15:03.000000000 -0400
+@@ -18,6 +18,7 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/socket.h>
+ #include <ctype.h>
+ #include <netdb.h>
+
diff --git a/security/sssd/files/sssd.in b/security/sssd/files/sssd.in
new file mode 100644
index 000000000000..23596ffb19a5
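Review bot: `#define KRB5_CALLCONV` in patch-src__util__sss_krb5.h is unconditional, so it would redefine the macro whenever a Kerberos header included earlier already provides one. Guarding it as `#ifndef KRB5_CALLCONV` / `#define KRB5_CALLCONV` / `#endif` keeps the fallback without overriding the library's definition.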
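Review bot: In patch-src__util__sss_ldap.c the inner hunk at 340 passes `sizeof(struct sockaddr)` to `sdap_async_sys_connect_send()` in place of `addr_len`, which is too short for any address family whose structure is larger than `struct sockaddr`. The cast `(struct sockaddr *) addr` suggests `addr` can hold other families; for an IPv6 server the connect would be given a truncated length, so LDAP over IPv6 would likely fail. If `addr_len` is unreliable on FreeBSD, taking the length from the address itself, `((struct sockaddr *) addr)->sa_len`, keeps both families working. The declarations of `addr` and `addr_len` are outside the hunk, so the reason for the change cannot be checked here.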
--- /dev/null
+++ b/security/sssd/files/sssd.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: sssd
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable `sssd':
+#
+# sssd_enable="YES"
+#
+# See sssd(8) for sssd_flags
+#
+
+. /etc/rc.subr
+
+name="sssd"
+rcvar=`set_rcvar`
+
+command="%%PREFIX%%/sbin/$name"
+sssd_flags="-D"
+pidfile="/var/run/$name.pid"
+required_files="%%PREFIX%%/etc/$name/$name.conf"
+
+# read configuration and set defaults
+load_rc_config "$name"
+: ${sssd_enable="NO"}
+
+run_rc_command "$1"
diff --git a/security/sssd/pkg-descr b/security/sssd/pkg-descr
new file mode 100644
index 000000000000..526c666af2fc
--- /dev/null
+++ b/security/sssd/pkg-descr
@@ -0,0 +1,9 @@
+This project provides a set of daemons to manage access to remote
+directories and authentication mechanisms, it provides an NSS and
+PAM interface toward the system and a pluggable backend system to
+connect to multiple different account sources. It is also the
+basis to provide client auditing and policy services for projects
+like FreeIPA. sssd also features caching, which can allow for
+offline use to assist laptop users.
+
+WWW: https://fedorahosted.org/sssd/
diff --git a/security/sssd/pkg-message b/security/sssd/pkg-message
new file mode 100644
index 000000000000..1b06ff5ba86b
--- /dev/null
+++ b/security/sssd/pkg-message
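Review bot: `sssd_flags="-D"` in files/sssd.in puts the daemonize switch in the user-tunable flags variable, so an administrator who sets `sssd_flags` in rc.conf for any other option silently drops `-D` and the service would no longer detach at boot. Moving the switch to `command_args="-D"` keeps it out of the override path. The header comment could then say that `sssd_flags` is for additional options only.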
@@ -0,0 +1,21 @@
+================================================================================
+Copy %%PREFIX%%/etc/sssd/sssd.conf.sample to %%PREFIX%%/etc/sssd/sssd.conf
+and edit %%PREFIX%%/etc/sssd/sssd.conf (see man sssd.conf for details)
+
+To load sssd at startup, add sssd_enable="YES" to /etc/rc.conf
+
+To enable pam integration, add a line similar to the following to
+/etc/pam.d/system:
+
+login auth sufficient %%PREFIX%%/lib/pam_sss.so
+
+To enable NSS integration, update /etc/nsswitch.conf as follows:
+
+group: sss files
+passwd: sss files
+
+For additional details, please see the man pages for pam.conf and nsswitch.conf
+
+An sssd HOWTO is also available:
+https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2
+================================================================================
diff --git a/security/sssd/pkg-plist b/security/sssd/pkg-plist
new file mode 100644
index 000000000000..f7664573ff55
--- /dev/null
+++ b/security/sssd/pkg-plist
@@ -0,0 +1,84 @@
+share/locale/zh_TW/LC_MESSAGES/sssd.mo
+share/locale/uk/LC_MESSAGES/sssd.mo
+share/locale/sv/LC_MESSAGES/sssd.mo
+share/locale/ru/LC_MESSAGES/sssd.mo
+share/locale/pt/LC_MESSAGES/sssd.mo
+share/locale/pl/LC_MESSAGES/sssd.mo
+share/locale/nl/LC_MESSAGES/sssd.mo
+share/locale/ja/LC_MESSAGES/sssd.mo
+share/locale/it/LC_MESSAGES/sssd.mo
+share/locale/id/LC_MESSAGES/sssd.mo
+share/locale/fr/LC_MESSAGES/sssd.mo
+share/locale/es/LC_MESSAGES/sssd.mo
+share/locale/de/LC_MESSAGES/sssd.mo
+sbin/sssd
+sbin/sss_usermod
+sbin/sss_userdel
+sbin/sss_useradd
+sbin/sss_obfuscate
+sbin/sss_groupshow
+sbin/sss_groupmod
+sbin/sss_groupdel
+sbin/sss_groupadd
+sbin/sss_cache
+libexec/sssd/sssd_pam
+libexec/sssd/sssd_nss
+libexec/sssd/sssd_be
+libexec/sssd/proxy_child
+libexec/sssd/ldap_child
+libexec/sssd/krb5_child
+libdata/pkgconfig/ipa_hbac.pc
+lib/sssd/libsss_simple.so
+lib/sssd/libsss_simple.la
+lib/sssd/libsss_proxy.so
+lib/sssd/libsss_proxy.la
+lib/sssd/libsss_ldap.so
+lib/sssd/libsss_ldap.la
+lib/sssd/libsss_krb5.so
+lib/sssd/libsss_krb5.la
+lib/sssd/libsss_ipa.so
+lib/sssd/libsss_ipa.la
+lib/pam_sss.so.5
+lib/pam_sss.so
+lib/pam_sss.la
+lib/nss_sss.so.2
+lib/nss_sss.so.1
+lib/nss_sss.so
+lib/nss_sss.la
+lib/libipa_hbac.so.0
+lib/libipa_hbac.so
+lib/libipa_hbac.la
+lib/ldb/memberof.so
+lib/%%PYTHON_VERSION%%/site-packages/sssd_upgrade_config.pyc
+lib/%%PYTHON_VERSION%%/site-packages/sssd_upgrade_config.py
+lib/%%PYTHON_VERSION%%/site-packages/pysss.so
+lib/%%PYTHON_VERSION%%/site-packages/pysss.la
+lib/%%PYTHON_VERSION%%/site-packages/pyhbac.so
+lib/%%PYTHON_VERSION%%/site-packages/pyhbac.la
+lib/%%PYTHON_VERSION%%/site-packages/ipachangeconf.pyc
+lib/%%PYTHON_VERSION%%/site-packages/ipachangeconf.py
+lib/%%PYTHON_VERSION%%/site-packages/SSSDConfig.pyc
+lib/%%PYTHON_VERSION%%/site-packages/SSSDConfig.py
+lib/%%PYTHON_VERSION%%/site-packages/SSSDConfig-1-py2.7.egg-info
+include/ipa_hbac.h
+etc/sssd/sssd.api.d/sssd-simple.conf
+etc/sssd/sssd.api.d/sssd-proxy.conf
+etc/sssd/sssd.api.d/sssd-local.conf
+etc/sssd/sssd.api.d/sssd-ldap.conf
+etc/sssd/sssd.api.d/sssd-krb5.conf
+etc/sssd/sssd.api.d/sssd-ipa.conf
+etc/sssd/sssd.api.conf
+etc/sssd/sssd.conf.sample
+@dirrmtry lib/pkgconfig
+@dirrmtry lib/ldb
+@dirrmtry etc/sssd/sssd.api.d
+@dirrmtry etc/sssd
+@dirrm share/sssd/introspect
+@dirrm share/sssd
+@dirrm libexec/sssd
+@dirrm lib/sssd
+@unexec if cmp -s %D/etc/sssd/sssd.conf.sample %D/etc/sssd/sssd.conf; then rm -f %D/etc/sssd/sssd.conf; fi
+@exec if [ ! -f %D/etc/sssd/sssd.conf ]; then cp -p %D/%F %B/sssd.conf; fi
+@unexec if [ -d %%ETCDIR%% ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf %%ETCDIR%%`` to remove any configuration files."; fi
+@unexec if [ -d /var/db/sss ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/db/sss`` to remove any additional files."; fi
+@unexec if [ -d /var/run/sss ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/run/sss`` to remove any additional files."; fi |
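Review bot: The three trailing `@unexec` hints in pkg-plist wrap the suggested command in doubled backquotes inside a double-quoted `echo`, which the shell parses as two empty command substitutions around literal text. It prints harmlessly as written, but an edit that reduces them to single backquotes would make deinstall run the `rm -rf` as root. Single quotes inside the message avoid that, e.g. `echo "==> ... you should do a 'rm -rf /var/db/sss' to remove any additional files."`. Separately, `SSSDConfig-1-py2.7.egg-info` hard-codes the Python version while the neighbouring entries use `%%PYTHON_VERSION%%`, and `@dirrmtry lib/pkgconfig` does not match the `libdata/pkgconfig/ipa_hbac.pc` entry.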