SPEC: Add gcc to build dependencies gcc will be removed from buildroot in fedora 29 http://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

TESTS: simple CA to generate certificates for test To avoid issue with certificate lifetimes a simple OpenSSL based CA is used to generate certificates for tests. To make management easy all related data is kept in src/tests/test_CA. Since some header files will be generated the generation of the needed files is added to BUILT_SOURCES as other generated code. Related to https://pagure.io/SSSD/sssd/issue/3436 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SPEC: Reduce changes between upstream and downstream python2-devel will install python-devel on el6 and el7. Order of bind-utils was changed because weak dependencies are at the end of "list" on fedora. But we cannot use weak dependencies on <= el7 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Fix systemd executions/requirements The rpm macro systemd_requires is even in el7 and using this macro nicer then using different requires (systemd-units vs systemd) There is a plan to remove provides for systemd-units from rawhide. systemd was added to BuildRequires because it provides rpm macros /usr/lib/rpm/macros.d/macros.systemd and it is unreliable to rely on indirect dependency between systemd-devel and systemd sh$ rpm --eval "%{?systemd_requires}" Requires(post): systemd Requires(preun): systemd Requires(postun): systemd sh$ rpm -q --whatprovides systemd-units systemd-237-1.fc28.x86_64 sh$ rpm -qf /usr/lib/rpm/macros.d/macros.systemd systemd-237-1.fc28.x86_64 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DESKPROFILE: Harden the permission of deskprofilepath After discussing the permissions with Simo, we have agreed on having the deskprofile dir with the minimal set of permissions needed Related: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Fix minor spelling mistakes Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SPEC: Reduce build time dependencies Total download size: 139 M Installed size: 465 M vs Total size: 11 k Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

pam_sss: refactoring, use struct cert_auth_info Similar as in the PAM responder this patch replaces the individual certificate authentication related attributes by a struct which can be used as a list. With the pam_sss can handle multiple SSS_PAM_CERT_INFO message and place the data in individual list items. If multiple certificates are returned before prompting for the PIN a dialog to select a certificate is shown to the users. If available a GDM PAM extension is used to let the user choose from a list. All coded needed at runtime to check if the extension is available and handle the data is provided by GDM as macros. This means that there are no additional run-time requirements. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

SYSTEMD: Replace parameter --debug-to-files with ${DEBUG_LOGGER} Users can set variable DEBUG_LOGGER in environment files (/etc/sysconfig/sssd or /etc/default/sssd; depending on the distribution) to override default logging to files. e.g. DEBUG_LOGGER=--logger=stderr DEBUG_LOGGER=--logger=journald Resolves: https://pagure.io/SSSD/sssd/issue/3433 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Fix minor spelling mistakes Merges: https://pagure.io/SSSD/sssd/pull-request/3556 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SSSCTL: Replace sss_debuglevel with shell wrapper The sss_debuglevel binary is replaced by a shell wrapper calling sssctl debug-level as part of merging sss_debuglevel into sssctl. The wrapper will redirect sss_debuglevel to the sssctl debug-level command performing the same task. The sss_debuglevel(8) man page is updated to indicate that sss_debuglevel is deprecated and functionality exists now in sssctl. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

SSSCTL: Move sss_debuglevel to sssctl debug-level Move code from sss_debuglevel to sssctl_logs.c and add new debug-logs sssctl command to perform the same task of changing debug level dynamically. POPT_CONTEXT_KEEP_FIRST Flag added to poptGetContext call in sssctl_debug_level() to fix argument parsing. Resolves: https://pagure.io/SSSD/sssd/issue/3057 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

SPEC: Fix detecting of minor release INFO: Installed packages: Start: build phase for sssd-1.15.4-0.el7.src.rpm Start: build setup for sssd-1.15.4-0.el7.src.rpm error: unmatched ( error: unmatched ( error: /builddir/build/SPECS/sssd.spec:56: bad %if condition Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Update owner and mode for /var/lib/sss/deskprofile Directory is part of make list SSSD_USER_DIRS and therefore should have such owner&mode also in spec file Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

MAN: Add sssd-systemtap man page Provide information for administrators and users to utilize SSSD systemtap infrastructure. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

CONTRIB: Add DP Request analysis script Run this script using stap as root and Ctrl-C to print the summary report stap -v /usr/share/sssd/systemtap/dp_request.stp This script will use the data provider request probe markers to provide elapsed time of each request and more information about the slowest request in the summary report. Resolves: https://pagure.io/SSSD/sssd/issue/3061 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Fix unowned directory https://fedoraproject.org/wiki/Packaging:UnownedDirectories sh$ rpm -qf /usr/lib64/sssd/conf/ /usr/lib64/sssd/conf/sssd.conf file /usr/lib64/sssd/conf is not owned by any package sssd-common-1.15.3-2.fc27.x86_64 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SPEC: rhel8 will have python3 as well Reviewed-by: Pavel Březina <pbrezina@redhat.com>

DESKPROFILE: Introduce the new IPA session provider In order to provide FleetCommander[0] integration, a session provider has been introduced for IPA. The design of this feature and more technical details can be found at [1] and [2], which are the design pages of both freeIPA and SSSD parts. As there's no way to test freeIPA integration with our upstream tests, no test has been provided yet. Is also worth to mention that the name "deskprofile" has been chosen instead of "fleetcmd" in order to match with the freeIPA plugin. It means that, for consistence, all source files, directories created, options added, functions prefixes and so on are following the choice accordingly. [0]: https://wiki.gnome.org/Projects/FleetCommander [1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki [2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html Resolves: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: require http-parser only on rhel7.4 It was removed from epel Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Use language file for sssd-kcm Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

MAN: Describe session recording configuration Reviewed-by: Pavel Březina <pbrezina@redhat.com>

KCM: Modify krb5 snippet file kcm_default_ccache The file kcm_default_ccache must enable KCM ccache by default without any modification of the file. /etc/krb5.conf.d/ is fedora/el7 specific and it is not allowed to enable or start systemd services in scriptlets. It would result in broken krb5 configuration. Therefore krb5 configuration snippet was moved from /etc/krb5.conf.d/ -> /usr/share/sssd-kcm. And each downstream distribution should enable systemd services + change krb5 configuration in it's own way. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Improve error messages for optional dependencies Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Use %license macro Starting with rpm 4.11, it is possible to install the license using a new file macro %license, this will separate the license files from documents and install them in a special directory in /usr/share rpm -q -l -p ./sssd-1.15.3-0.el7.x86_64.rpm /usr/share/licenses/sssd-1.15.3 /usr/share/licenses/sssd-1.15.3/COPYING Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Use macro python_provide conditionally The rpm macro python_provide is defined only in fedora and epel. This is the reason why we have fallback definition in the beginning of spec file otherwise build on rhel would fail. This macro is defined in file /usr/lib/rpm/macros.d/macros.python provided by package python-rpm-macros. sh$ rpm -qf /usr/lib/rpm/macros.d/macros.python python-rpm-macros-3-20.fc26.noarch sh$ grep python_provide /usr/lib/rpm/macros.d/macros.python %python_provide() %{lua: print("%python_provide: ERROR: ") But this package is not installed in minimal chroot and therefore build dependencies cannot be extracted from spec file. sh$ mock --clean --shell 'rpm -q python-rpm-macros' 2>/dev/null package python-rpm-macros is not installed sh$ mock --shell 'rpm --eval "%{python_provide python-test}"' 2>/dev/null %{python_provide python-test} sh$ mock --resultdir . --rebuild sssd-1.15.3-0.fc26.src.rpm ... error: line 295: Unknown tag: %{python_provide python2-sssdconfig} ... This is the reason why it has to be used conditionally in fedora as it is shown in example common spec file in python fedora packaging guidelines http://fedoraproject.org/wiki/Packaging:Python#Example_common_spec_file sh$ rpm -q --whatrequires python-rpm-macros python2-devel-2.7.13-5.fc26.x86_64 python3-devel-3.6.0-22.fc26.x86_64 This patch reduce differences between upstream and fedora spec file. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Call ldconfig in libsss_certmap scriptlets We do it for other libraries. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Move kcm scriptlets to systemd section Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Move files provider files within package It's a cosmetic change to group similar files together (e.g. man pages). The same order is in fedora downstream spec file. It simplifies comparison of changes between spec files. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Use correct package for translated sssd-kcm man pages Resolves: https://pagure.io/SSSD/sssd/issue/3327 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Use correct package for translated sss_certmap man pages This patch also moved sss_certmap.5 from sssd-common to libsss_certmap Resolves: https://pagure.io/SSSD/sssd/issue/3327 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Use correct package for translated idmap_sss man pages Resolves: https://pagure.io/SSSD/sssd/issue/3327 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Use correct package for translated sssctl man pages Resolves: https://pagure.io/SSSD/sssd/issue/3327 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Use correct package for translated sss_ssh* man pages Resolves: https://pagure.io/SSSD/sssd/issue/3327 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Move man page for sss_rpcidmapd to the right package Patch also fixes location of translated manual pages Resolves: https://pagure.io/SSSD/sssd/issue/3327 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Use correct package for translated sssd-ifp man page Resolves: https://pagure.io/SSSD/sssd/issue/3327 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Add missing scriptlets for package sssd-dbus Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Move systemd service sssd-ifp.service to right package The sssd-ifp.service was installed even though sssd_ifp was not installed on systemd. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Update processing of translation in %install Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

SPEC: Drop conditional build for krb5_local_auth_plugin It was mainly aimed for time when stable CentOS and rhel nightly had different versions of krb5. Anyway, rhel7.0 and rhel <= 6.6 are already out of support Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ci: do not build secrets on rhel6 We require newer libcurl version than is available on rhel6. We don't ship secrets responder in rhel6 so we just disable its build. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

KCM: Store ccaches in secrets Adds a new KCM responder ccache back end that forwards all requests to sssd-secrets. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

MAN: Add a manual page for sssd-kcm Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

KCM: Implement an internal ccache storage and retrieval API In order for the KCM server to work with ccaches stored in different locations, implement a middle-man between the KCM server and the ccache storage. This module has asynchronous API because we can't assume anything about where the ccaches are stored. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

KCM: Initial responder build and packaging Adds the initial build of the Kerberos Cache Manager responder (KCM). This is a deamon that is capable of holding and storing Kerberos ccaches. When KCM is used, the kerberos libraries (invoked through e.g. kinit) are referred to as a 'client' and the KCM deamon is referred to as 'server'. At the moment, only the Heimdal implementation of Kerberos implements the KCM server: https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html This patch adds a KCM server to SSSD. In MIT, only the 'client-side' support was added: http://k5wiki.kerberos.org/wiki/Projects/KCM_client This page also describes the protocol between the client and the server. The client is capable of talking to the server over either UNIX sockets (Linux, most Unixes) or Mach RPC (macOS). Our server only implements the UNIX sockets way and should be socket-activated by systemd, although can in theory be also ran explicitly. The KCM server only builds if the configuration option "--with-kcm" is enabled. It is packaged in a new subpackage sssd-kcm in order to allow distributions to enable the KCM credential caches by installing this subpackage only, without the rest of the SSSD. The sssd-kcm subpackage also includes a krb5.conf.d snippet that allows the admin to just uncomment the KCM defaults and instructs them to start the socket. The server can be configured in sssd.conf in the "[kcm]" section. By default, the server only listens on the same socket path the Heimdal server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is, however, configurable. The file src/responder/kcm/kcm.h is more or less directly imported from the MIT Kerberos tree, with an additional sentinel code and some comments. Not all KCM operations are implemented, only those that also the MIT client implements. That said, this KCM server should also be usable with a Heimdal client, although no special testing was with this hybrid. The patch also adds several error codes that will be used in later patches. Related to: https://pagure.io/SSSD/sssd/issue/2887 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

certmap: add new library libsss_certmap With this library it would be possible to map certificates and users not only by adding the full certificate to the user's LDAP object but by adding e.g. only parts like the issuer and subject name. Additionally the library is also able to flexible select/match certificates based on values in the certificate. Details about mapping and matching rules can be found in the included man page. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SYSTEMD: Don't mix up responders' socket and monitor activation Let's ensure that in case a responder is explicitly configured in the sssd.conf its socket won't even start. The patchset introduces a new binary that will be distributed and will be called before starting the responders' sockets, ensuring the sockets will only start in case the responder is supposed to be socket-activated and its been configured accordingly. Otherwise the responders' socket startup will fail with a quite helpful debug message leading the admins to choose between using systemd or not and what has to be done to achieve their desire. This suggestion came from Sumit Bose. The reason for adding a new binary instead of a simple python script is to avoid dragging unnecessary dependencies to sssd-common package. Resolves: https://pagure.io/SSSD/sssd/issue/3300 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Use pagure links as a reference to upstream Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

MAN: Add documentation for the files provider The new provider needs a man page. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

FILES: Add the files provider Adds a new provider type "files". The provider watches the UNIX password and group databases for changes using inotify and propagates its contents to the sysdb. The files provider is only built on platforms that support the inotify interface, polling or loading the entries on-deman is not supported. During initialization, the files are loaded from the environment variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to /etc/passwd and /etc/group respectively. Loading the files from environment variables is mostly implemented for tests that need to load nss_wrapped files. The files provider is a bit different from other provider types in the sense that it always enumerates full contents of the database. Therefore, the requests from Data Provider are always just replied to with success. Enumerating the contents is done in full at the moment, all users and all groups are removed and added anew. Modifying the passwd and group databses should be rare enough for this to be justified and we can optimize the code later. Since with large databases, the cache update might take a bit of time, we signal the responders to disable the files domain once we receive the inotify notification and re-enable the files domain after the update is finished. The idea is that the NSS configuration would still contain "files" after "sss" so that if the domain is disabled, libc would fall back to a direct "files" lookup. Resolves: https://fedorahosted.org/sssd/ticket/3262 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Make IFP responder dbus-activatable As part of the effort of making all responders socket-activatable (or, in the IFP case, dbus-activatable), let's make the IFP responder ready for this by providing its systemd's units. Related: https://fedorahosted.org/sssd/ticket/2243 Resolves: https://fedorahosted.org/sssd/ticket/3129 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SUDO: Make Sudo responder socket-activatable As part of the effort of making all responder socket-activatable, let's make Sudo responder ready for this by providing its systemd's units. In case the administrators want to use Sudo responder taking advantage of socket-activation they will need to enable sssd-sudo.socket and after a restart of the sssd service, the Sudo socket will be ready waiting for any activity in order to start the Sudo responder. Also, the Sudo responder must be removed from the services line on sssd.conf. The Sudo responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SSH: Make SSH responder socket-activatable As part of the effort of making all responder socket-activatable, let's make SSH responder ready for this by providing its systemd's units. In case the administrators want to use SSH responder taking advantage of socket-activation they will need to enable sssd-ssh.socket and after a restart of the sssd service, the SSH socket will be ready waiting for any activity in order to start the SSH responder. Also, the SSH responder must be removed from the services line on sssd.conf. The SSH responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: Make PAM responder socket-activatable As part of the effort of making all responder socket-activatable, let's make PAM responder ready for this by providing its systemd's units. In case the administrators want to use PAM responder taking advantage of socket-activation they will need to enable sssd-pam.socket and after a restart of the sssd service, the PAM socket will be ready waiting for any activity in order to start the PAM responder. Also, the PAM responder must be removed from the services line on sssd.conf. The PAM responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. PAM responder, differently from the others, is a special case as it has two sockets and its private sockets must be owned by root and must have a specifc permission (0600). It's not new, though, and it's following what has been already done in the project.. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAC: Make PAC responder socket-activatable As part of the effort of making all responder socket-activatable, let's make PAC responder ready for this by providing its systemd's units. In case the administrators want to use PAC responder taking advantage of socket-activation they will need to enable sssd-pac.socket and after a restart of the sssd service, the PAC socket will be ready waiting for any activity in order to start the PAC responder. Also, the PAC responder must be removed from the services line on sssd.conf. The PAC responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

NSS: Make NSS responder socket-activatable As part of the effort of making all responders socket-activatable, let's make the NSS responder ready for this by providing its systemd's units. In case the administrators want to use NSS responder taking advantage of socket-activation they will need to enable sssd-nss.socket and after a restart of the sssd service, the NSS socket will be ready waiting for any activity in order to start the NSS responder. Also, the NSS responder must be removed from the services line on sssd.conf. The NSS responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Is quite important to mention that NSS responder will always run as root. The reason behind this is that systemd calls getpwnam() and getgprnam() when "User="/"Group=" is set to something different than "root". As it's done _before_ starting NSS responder, the clients would end up hanging for a few minutes (due to "default_client_timeout"), which is something that we really want to avoid. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AUTOFS: Make AutoFS responder socket-activatable As part of the effort of making all responders socket-activatable, let's make the AutoFS responder ready for this by providing its systemd's units. In case the administrators want to use AutoFS responder taking advantage of socket-activation they will need to enable sssd-autofs.socket and after a restart of the sssd service, the AutoFS socket will be ready waiting for any activity in order to start the AutoFS responder. Also, the AutoFS responder must be removed from the services line on sssd.conf. The AutoFS responder service is binded to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Drop libsss_config libsss_config has been used only by OpenLMI and the project has been deprecated making, then, no sense to keep the support on SSSD. Distros that, for some reason, are still packing and distributing OpenLMI can stick to SSSD 1.14 branch. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

RPM: Require initscripts on non-systemd platforms In order for sssctl to work on platforms that do not use systemd, we need to require /sbin/service them for sssd-tools so that the binary can be invoked. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

MAN: sssd-secrets documentation Resolves: https://fedorahosted.org/sssd/ticket/3053 Documents the API and the purpose of the sssd-secrets responder. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SPEC: Rename python packages using macro %python_provide Fedora and epel contains macro %python_provide for simpler renaming of python packages. It will generate correct provides and obsoletes. Reviewed-by: Michal Židek <mzidek@redhat.com>

SPEC: Fix typo in Summary Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Allow to read private pipes for root Root can read anything from any directory even with permissions 000. However SELinux checks discretionary access control (DAC) and deny access if access is not allowed for root by DAC. The pam_sss use different unix socket /var/lib/sss/pipes/private/pam for user with uid 0. Therefore root need to be able read content of directory with private pipes. type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_override } for pid=20257 comm=vsftpd capability=dac_override scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability Resolves: https://fedorahosted.org/sssd/ticket/3143 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Ship systemd service file for sssd-secrets Adds two new files: sssd-secrets.socket and sssd-secrets.service. These can be used to socket-acticate the secrets responder even without explicitly starting it in the sssd config file. The specfile activates the socket after installation which means that the admin would just be able to use the secrets socket and the sssd_secrets responder would be started automatically by systemd. The sssd-secrets responder is started as root, mostly because I didn't think of an easy way to pass the uid/gid to the responders without asking about the sssd user identity in the first place. But nonetheless, the sssd-secrets responder wasn't tested as non-root and at least the initialization should be performed as root for the time being. Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SPEC: Own the secrets DB path Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SPEC: Move nfsidmap plugin to separate package Resolves: https://fedorahosted.org/sssd/ticket/3024 Reviewed-by: Noam Meltzer <tsnoam@gmail.com>

sssctl: manual page Resolves: https://fedorahosted.org/sssd/ticket/3055 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Add initial providers infrastructure. Also adds support for the basic LOCAL provider that stores data on the local machine. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Secrets: Add initial responder code for secrets service Start implementing the Secrets Service Reponder core. This commit implements stratup and basic conenction handling and HTTP parsing (using the http-parser library). Signed-off-by: Simo Sorce <simo@redhat.com> Related: https://fedorahosted.org/sssd/ticket/2913 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Prepare ini schema with rules for validation Resolves: https://fedorahosted.org/sssd/ticket/2028 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

confdb: Make it possible to use config snippets Resolves: https://fedorahosted.org/sssd/ticket/2247 Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sssctl: new tool Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add winbind idmap plugin With this plugin winbind can use the same id-mapping as SSSD which makes it possible to run both together in a consistent way. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SPEC: Run sssd as privileged user There are still issues[1,2,3] with ipa and ad provider which cause failures when sssd is running as non-privileged user. It's easy to change default root to non-root mock --resultdir . --rebuild ./sssd-1.13.90-0.fc24.src.rpm --with=sssd_user or with plain rpmbuild rpmbuild -ba SPECS/sssd.spec --with sssd_user [1] https://fedorahosted.org/sssd/ticket/2963 [2] https://fedorahosted.org/sssd/ticket/2965 [3] https://fedorahosted.org/sssd/ticket/3014 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Enable systemtap during RPM build and CI Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

nss-idmap: add sss_nss_getnamebycert() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

CONFIG: Use default config when none provided This patch makes SSSD possibly useful "out of the box" by allowing packagers to provide a default config file located in $LIBDIR/sssd/conf that will be copied by the monitor to /etc/sssd if no file already exists in that location. This will make it possible to have SSSD set up to have distribution-specific default configuration, such as enabling the proxy provider to cache /etc/passwd (such as in the provided example in this patch). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Run extra unit tests with epel libcmocka and cwrap is available in epel which is used by mock. This patch also remove superfluous for checking fedora. Fedora < 20 is not suported for very long time. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Remove unnecessary requirements We do not need to requires specific version of libldb or libtdb because it is automatically detected from binary/library dependencies. We also need never version of that libraries as it was specified in spec file. e.g. sh$ rpm -q --requires sssd-common | grep -E "TDB|LDB" libldb.so.1(LDB_0.9.10)(64bit) libtdb.so.1(TDB_1.2.1)(64bit) There is also redundant dependency on sssd-common-pac sssd -> sssd-ipa -> sssd-common-pac -> sssd-ad -> sssd-common-pac -> sssd-common-pac sh$ rpm -q --whatrequires sssd-common-pac sssd-ipa-1.13.3-1.fc23.x86_64 sssd-ad-1.13.3-1.fc23.x86_64 sssd-1.13.3-1.fc23.x86_64 Reviewed-by: Sumit Bose <sbose@redhat.com>

SPEC: Move libsss_autofs.so outside sssd-common It will reduce dependency chain in container world. libsss_autofs.so depends only on libc and requires sssd unix sockets. And sssd-common has many requirements. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Move polkit rules into sssd-polkit-rules subpackage We recently added /usr/share/polkit-1/rules.d to the spec file to fix issues with unowned directories. However there is conflict with polkit package. The owner is not root. Running transaction test Error: Transaction check error: file /usr/share/polkit-1/rules.d from install of sssd-common-1.13.90-0.20160125.1503.git1b8858b.master.f +c23.x86_64 conflicts with file from package polkit-0.113-4.fc23.x86_64 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SPEC: Fix packaging of libsss_simpleifp Patch removes unnecessary requires of dbus-libs because it's already detected from library. However we forgot to call ldconfig after (un)installation. sh$ rpm -q -p --requires libsss_simpleifp-1.13.90-0.fc23.x86_64.rpm | grep dbus libdbus-1.so.3()(64bit) libdbus-1.so.3(LIBDBUS_1_3)(64bit) sssd-dbus = 1.13.90-0.fc23 sh$ rpm -q --whatprovides "libdbus-1.so.3()(64bit)" dbus-libs-1.10.6-1.fc23.x86_64 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

SPEC: Remove unnecessary clean-up of buildroot rhel5 required to clean buildroot in install section. The %clean section is not required for F-13 and above, and EPEL 6 and above. EPEL 5 MUST have a %clean section that cleans the buildroot: https://fedoraproject.org/wiki/EPEL:Packaging#Prepping_BuildRoot_For_.25install Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

SPEC: Use systemd macros It's better to do not rely on custom scripts and do not call systemctl directly. This is exactly purpose of systemd-rpm macros. All sections are equivalent excluding "%post common". Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Fix unowned directories https://fedoraproject.org/wiki/Packaging:UnownedDirectories Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Move libsss_sudo.so outside sssd-common The module ${libdir}/libsss_sudo.so is used only by /usr/bin/sudo. If libsss_sudo.so was part of sssd-client then 32 bit version would never be used on 64 bit machine and files in sssd-client can be used by multilib applications e.g. libnss_sss.so can be indirectly "dlopened" by 64 bit applications and 32 bit application. (32-bit web browser; ordinary 64bit applications ...) Resolves: https://fedorahosted.org/sssd/ticket/2855 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Change package ownership of %{pubconfpath}/krb5.include.d krb5 domain mapping files are stored to the directory %{pubconfpath}/krb5.include.d. It can be stored by ipa or ad provider. However this directory was owned by sub-package sssd-ipa. And ad provider can be installed without this package. Therefore %{pubconfpath}/krb5.include.d should be owned by common dependency. The owner of this directory was also fixed to sssd. It's already done by make install. It was changed only in spec file. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Only install polkit rules if the directory is available Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

p11: allow p11_child to run completely unprivileged To only operation of p11_child which requires special privileges is the communication to pcscd which handles the Smartcard access. pcscd uses policy-kit for access control so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as un-privileged user this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set. Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

spec: Missing initgroups mmap file Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Avoid symlinks with python modules We need to use different names for python{2,3} modules if we want to build them in the same time with automake (prefix _py2 and _py3). But resulting name need to correspond with name of module because it is used in C import function. We used symbolic links for that purpose but it breaks debian python tools which rename the real modules making symbolic links to point nowhere Resolves: https://fedorahosted.org/sssd/ticket/2814 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Do not build libsss_ad_common.la as library libsss_ad_common.la was a dynamic library and was linked just with unit tests. It was a workaroud because module libsss_ad.so cannot be linked with tests without portability issues. But it was addted to pkglib_LTLIBRARIES and therefore it was installed with other libraries. This patch changed it and libsss_ad_test.la (old name libsss_ad_common.la) will be compiled only for unit tests (check_LTLIBRARIES) and will not be installed with command "make install". Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Workaround for build with rpm 4.13 If the tarball is generated with minimal dependencies extracted from spec file then translated manual pages are not generated due to missing script po4a. This step is not necessary for regular nightly/developer builds. The tarball is created faster without such step. However rpm >= 4.13 will fail due to empty manifest file. Resolves: https://fedorahosted.org/sssd/ticket/2738 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add NSS version of p11_child Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

utils: add NSS version of cert utils Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Update spec file for krb5_local_auth_plugin krb5_localauth_plugin could be build only with MIT kerberos >= 1.12. However, this feature was backported in downstream to older version of kerberos. So there were packaging failures error: Installed (but unpackaged) file(s) found: /usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so RPM build errors: Installed (but unpackaged) file(s) found: /usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so Child returncode was: 1 EXCEPTION: Command failed. See logs for output. Reviewed-by: Petr Cech <pcech@redhat.com>

TOOLS: add sss_override for local overrides Resolves: https://fedorahosted.org/sssd/ticket/2584 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

certs: add PEM/DER conversion utilities Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

BUILD: Store keytabs in /var/lib/sss/keytabs Make sure the directory is only accessible to the sssd user Reviewed-by: Michal Židek <mzidek@redhat.com>

IPA: Fetch keytab for 1way trusts Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships. https://fedorahosted.org/sssd/ticket/2636 Reviewed-by: Sumit Bose <sbose@redhat.com>

PROXY: proxy_child should work in non-root mode According to design page[1], proxy_child should run with root privileges in non-root mode however proxy_child did not have setuid bit. After setting setuid bit proxy_child will be executed with extra privileges. The effective user ID will be 0 but effective group ID will be still the same as egid of sssd_be. Therefore gid of private pipe for proxy_child should be the same. Otherwise proxy_child will fail due to wrong permissions of unix pipe (sbus_client_init -> check_file) [1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD Resolves: https://fedorahosted.org/sssd/ticket/2655 Reviewed-by: Michal Židek <mzidek@redhat.com>

SPEC: Fix cyclic dependencies between sssd-{krb5,}-common libsss_ldap_common(sssd-common) requires libsss_krb5_common.so(sssd-krb5-common) and sssd-krb5-common requires sssd-common. sh$ nm --dynamic --defined-only /usr/lib64/sssd/libsss_krb5_common.so 000000000000c4d0 T krb5_service_init 000000000000b8c0 T krb5_try_kdcip 000000000000c710 T remove_krb5_info_files 0000000000014960 T select_principal_from_keytab 00000000000141d0 T sss_krb5_get_error_message sh$ nm --dynamic --undefined-only /usr/lib64/sssd/libsss_ldap_common.so U krb5_service_init U krb5_try_kdcip U remove_krb5_info_files U select_principal_from_keytab U sss_krb5_get_error_message This patch fix cyclic dependency with rpm packaging becuase it's not simple task to remove krb5 dependency from ldap provider. Resolves: https://fedorahosted.org/sssd/ticket/2507 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SPEC: Few cosmetic changes - removed unnecessary blank lines (leftover after many changes) - list manual pages according to section number - add missing white spaces to shall scripts Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Remove unused option The optional definition of rpm macro with_ccache was removed in patch "BUILD: Remove unnecessary patch and configure opts" as a part of ticket https://fedorahosted.org/sssd/ticket/2036. It is not used anymore so it can be removed. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Drop workarounds for old rpmbuild Old versions of rpmbuild require ghost files to be present in the buildroot. It was mainly problem of rpmbuild on rhel5 which is not supported anymore. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Drop workaround for old libtool This workaround was for libtool in rhel 5 and we dropped support for it few months ago due to missing dependencies. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RPM: BuildRequire libcmocka >= 1.0 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SPEC: Build python3 bindings on available platforms Resolves: https://fedorahosted.org/sssd/ticket/2574 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

SPEC: Replace python_ macros with python2_ Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

BUILD: Add possibility to build python{2,3} bindings Resolves: https://fedorahosted.org/sssd/ticket/2574 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

SPEC: Move python bindings to separate packages Some pyhton bindings pysss and pysss_murmur was in package sssd-common. Therefore package sssd-common had python as a dependency. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

SPEC: Use new convention for python packages Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

SPEC: Use libnl3 for epel6 RHEL6.6 contains libnl3. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

spec: sifp requires sssd-dbus Resolves: https://fedorahosted.org/sssd/ticket/2550 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Install krb5_child as suid if running under non-privileged user If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

IPA: Move setting the SELinux context to a child process In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>

BUILD: Install ldap_child and as setuid if running under non-privileged user The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Reviewed-by: Michal Židek <mzidek@redhat.com>

SPEC: Print testsuite log for failed test Starting from Automake 1.13, the parallel testsuite harness has been made the default one; this harness is quite silent. VERBOSE=yes will displays the logs of the non-passed tests (i.e., only of the failed or skipped ones, or of the ones that passed unexpectedly). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RPM: Change file ownership to sssd.sssd Adds a private SSSD user in the %pre section of SSSD specfile. Also changes the ownership of SSSD private directories to sssd.sssd. Does not change the configure time default, so SSSD will still run as root. The file and directory ownership does not widen, because the directories are still only accessible by the private user (whose shell is /sbin/nologin) and of course the root user. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

RPM: Package the libsss_semanage.so library Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

TESTS: Add a test to change user IDs Adds a unit test using the nss_wrapper and uid_wrapper libraries that exercises the ability to become another user. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

libwbclient: avoid collision with Samba version Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

NFSv4 client: man page changes from previous patch: * fixed idmapd.conf example (sss plugin name) * squahsed the rpm spec into one commit Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Drop old OS conditions from spec file. It can be possible to build current master without samba on rhel5, but the spec file would be very complicated. It is better to simplify spec file. Resolves: https://fedorahosted.org/sssd/ticket/1974 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SPEC: Use netlink library version 3 for rhel7 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

NFSv4 client: add to RPM spec Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Roland Mainz <rmainz@redhat.com>

Add conditional build for MIT Kerberos localauth plugin This patch adds everything what is needed to build the MIT Kerberos localauth plugin if the used version of MIT Kerberos supports it. It does not implement the plugin. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

libwbclient: SSSD implementation This patch implements the libwbclient API for Samba daemons and utilities. The main purpose is to map Active Directory users and groups identified by their SID to POSIX users and groups identified by their POSIX UIDs and GIDs respectively. The API is not fully implemented because SSSD does not support some AD features like WINS or NTLM. Additionally this implementation has its focus on the file-server use case and hence does not implement some features which might be needed for a domain controller use case. Some API calls are generic and independent of the backend like e.g. converting binary SIDs and GUIDs into a string representation and back or memory allocation and deallocation. These parts are taken from the original Samba sources together with copyright and authors. Files with'_sssd' as part of the name contain the SSSD related calls. Resolves: https://fedorahosted.org/sssd/ticket/1588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

RPM: Restart service in %posttrans, not %post When upgrading from a 1.9 version with monolithic packaging to 1.10 or later with per-provider subpackage, sssd-common can be upgraded (and restarted) before the new sssd-$provider is restarted. This can lead to a startup failure, because the sssd_be process from already upgraded sssd-common would attempt to load a sssd_$provider.so from the legacy sssd package. Restarting the service in %posttrans makes sure all the packages are in place when we restart the service. Resolves: https://fedorahosted.org/sssd/ticket/2399

AD-GPO: Store policy settings in local files Reviewed-by: Sumit Bose <sbose@redhat.com>

BUILD: Add the DBus service activation The system bus has the ability to start services on demant. This patch adds the sysbus service activation file that, currently, only calls the sss_signal tool to signal the monitor. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

TOOLS: New helper tool sss_signal A minimal tool whose only purpose is to signal the monitor with SIGUSR2. The tool will be executed by the system bus in order to provide system activation, so it's packaged in libexec. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

SPEC: Add gpo_child to package sssd-ad Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD-GPO: Add gpo-smb implementation in gpo_child process Reviewed-by: Sumit Bose <sbose@redhat.com>

sss_sifp: build https://fedorahosted.org/sssd/ticket/2254 Reviewed-by: Sumit Bose <sbose@redhat.com>

contrib: add BuildRequires libsmbclient-devel to spec file Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

SPEC: Add libsss_ad_common.so to the package sssd-ad RPM build errors: error: Installed (but unpackaged) file(s) found: /usr/lib64/sssd/libsss_ad_common.so Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sss_config: build only when IFP is allowed since the IFP responder is currently the only planned consumer. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

sss_config: build Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SPEC: Remove duplicate sssd_ifp. The file sssd_ifp was installed by two subpackages: sssd-common and sssd-dbus I din't have instaled file org.freedesktop.sssd.infopipe.conf, because it is in package sssd-dbus. Missing conf file caused problem with starting the ifp service. [sssd] [monitor_service_init] (0x0400): Initializing D-BUS Service [sssd] [mt_svc_exit_handler] (0x0040): Child [ifp] exited with code [3] [sssd] [mt_svc_exit_handler] (0x0010): Process [ifp], definitely stopped! [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.522" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus [sssd[ifp]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: Connect to the system bus Related: https://fedorahosted.org/sssd/ticket/2072 Adds the possibility for the InfoPipe responder to connect to the system bus. At the moment, only a dummy method "Ping" is provided. The method only accepts a single string parameter that has to be 'ping'.

IFP: Re-add the InfoPipe server Related: https://fedorahosted.org/sssd/ticket/2072 This commit only adds the responder and the needed plumbing. No DBus related code is in yet.

SPEC: Fix packaging rpms on OSes without systemd Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

BUILD: Simplify enabling journald on installed systems systemd supports overrides of the standard service file to be placed in /etc/systemd/system/<service>.service.d/ With this patch, we will install a commented-out override file to /etc that will instruct the user on how to enable logging to journald. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Build with journald support by default on Fedora The journal provided by systemd gives us structured logging capabilities that we should be taking advantage of. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Spec file changes for cifs-utils plugin

util: Use systemd-login to check user sessions Use systemd-lgin in preference to check if the user is logged in or not. Fall back to the old method if no systemd-login support is available at compile time or if it returns a fatal error, and can't determine the status of the user on its own. This will allow to consider a user really active (in order to reuse or refresh crdentials) only if it really is logged into the system, and not just if one of the user's processes is stuck around. Resolves: https://fedorahosted.org/sssd/ticket/2084

RPM: Add new subpackage for PAC responder It was discovered that duplicating files in two subpackages is not permitted by Fedora packaging guidelines[1]. This patch moves the PAC responder to a new sssd-common-pac subpackage that both the sssd-ipa and sssd-ad subpackages will require. [1] https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#DuplicateFiles

BUILD: Remove unnecessary patch and configure opts Now that we use the libkrb5 defaults for the default ccname template we do not need the patch that changes the man pages defaults nor the configure options to change sssd defaults anymore. Related: https://fedorahosted.org/sssd/ticket/2036

RPM: Require libsss_idmap from sssd-common The NSS responder recently started using libsss_idmap in the getbysid functions. The bug itself was spotted by one of our automated QA tools.

Move sssd_pac binary to the IPA and AD providers This will ensure that we aren't pulling in extra samba4 dependencies for the Kerberos provider.

RPM: Move sssd_pac to the krb5-common subpackage The PAC responder is now used by both IPA and AD providers.

Remove sysv->systemd upgrade routines There are no longer any Fedora platforms running SSSD with SYSV init scripts. We don't need the upgrade logic any more.

Move pre and post scripts to sssd-common

rpm: couple of small fixes * Include localized pam_sss manpages in sssd-client * Call ldconfig after libsss_nss_idmap is installed or removed

rpm: Split providers into separate subpackages https://fedorahosted.org/sssd/ticket/1510 This patch splits the previously monolithic sssd package into sssd-common that contains the deamon and the responders and per-provider packages such as sssd-ldap or sssd-ipa. This split would benefit two parties: 1) security auditors who are often trying to find the smallest package set including dependencies needed for the package to function. They would be able to i.e. install sssd-ldap and not bother about sssd-ipa or sssd-ad pulling in more dependencies. 2) 3rd party programs such as realmd or authconfig that would only be able to require or install on demand the needed packages.

rpm: Use hardened flags for RPM build https://fedorahosted.org/sssd/ticket/1797 This patch adds the _hardened_build macro on platforms where it is defined by the RPM. The macro amounts to compiling with cc --spec=/usr/lib/rpm/redhat/redhat-hardened-cc1 and then linking with ld --spec=/usr/lib/rpm/redhat/redhat-hardened-ld. On Fedora 19, the gcc spec files contain -z now and fPIC or fPIE.

rpm: Fold libsss_sudo and libsss_autofs back into the main SSSD package https://fedorahosted.org/sssd/ticket/1845 libsss_sudo and libsss_autofs are separate packages that contain just a single client library with no additional dependencies. This separation comes from the F-17 timeframe where the feature was really just a tech preview so we didn't want it to be packaged in sssd proper. On the other hand users are getting regularly confused about "sudo not working" when all they really miss is the single library. This patch moves the files owned by the libsss_autofs and libsss_sudo packages back to the main sssd package. We also no longer build the libsss_sudo documentation by default and do not ship the header file as it was just a private one.

Add python interface to libsss_nss_idmap To allow to use libsss_nss_idmap from python applications, e.g. the FreeIPA server, the patch adds pythin bindings to libsss_nss_idmap. The contributed spec file will place the python bindings in a new package called libsss_nss_idmap-python. Alexander Bokovoy <abokovoy@redhat.com> kindly provided the code to check the type of the python objects and loop over the list entries.

Add client library for SID related lookups This patch add a library for client side lookups for a SID or with a SID through the calls: - sss_nss_getsidbyname - sss_nss_getsidbyid - sss_nss_getnamebysid - sss_nss_getidbysid The library is called libsss_nss_idmap and the contributed spec file will create two new packages libsss_nss_idmap and libsss_nss_idmap-devel.

Incorrect *.py[co] files placement Package sssd contains python files. Python files should be installed in noarch package, therefore all python files from directory src/config/SSSDConfig was moved to new noarch package python-sssdconfig. https://fedorahosted.org/sssd/ticket/1839

Provide libnl3 support https://fedorahosted.org/sssd/ticket/812 Update the monitor code to be using the new libnl3 API. Changed configure option --with-libnl By default, it tries to build with libnl3, if not found, then with libnl1, if this isn't found either, build proceeds without libnl, just with warning. Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given version, if not found, configure ends with error.

BUILD: Always run distcheck and RPM tests in /dev/shm Some of the tests (such as the sysdb tests) are highly I/O limited. By running them on a ramdisk, we can significantly speed up the test runs when doing a distcheck or RPM build. https://fedorahosted.org/sssd/ticket/1840

build: require libcmocka on fedora 18+

BUILD: Build shared components as an internal shared library There is a large amount of duplicated code being linked into multiple SSSD binaries. Instead of statically linking this code throughout the SSSD, we should instead create private shared libraries for them and drop this code on the system only once.

Bump the version and reset release back to 0

Fix errors reported by rpmlint

Use systemd by default on Fedora 16+ https://fedorahosted.org/sssd/ticket/1437

RPMS: Move sss_cache tool to main package https://fedorahosted.org/sssd/ticket/1481

Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo

Couple of specfile fixes

RPM: Create ghost files during install

autofs, sudo, ssh and PAC are not experimental anymore

Mark the fastcache files in the spec file as %ghost https://fedorahosted.org/sssd/ticket/1487

rpm: put localized sssd_krb5_locator_plugin manpages into client Localized sssd_krb5_locator_plugin manpages were added into main sssd package instead of client. https://fedorahosted.org/sssd/ticket/1394

RPM: BuildRequire selinux-policy-targeted selinux-policy-targeted contains the /etc/selinux/targeted/logins directory that is checked during build time to determine if the platform supports SELinux user logins.

libsss_sudo should have a versioned dependency on SSSD https://fedorahosted.org/sssd/ticket/1509

RPM: Always include the patch file

RPM: Switch the default ccache location https://fedorahosted.org/sssd/ticket/1500

Add python bindings for murmurhash3

Create a domain-realm mapping for krb5.conf to be included When new subdomains are discovered, the SSSD creates a file that includes the domain-realm mappings. This file can in turn be included in the krb5.conf using the includedir directive, such as: includedir /var/lib/sss/pubconf/realm_mappings

First-boot sss_seed tool

Require and call ldconfig from subpackages if appropriate The SSSD subpackages were not calling ldconfig even though they contain shared libraries.

manpage: sssd-sudo - documents how sudo works with sssd https://fedorahosted.org/sssd/ticket/1418

Add missing "%" to specfile

RPM: Own several directories

AD: Add manpages and SSSDConfig entries

AD: Add AD provider to the spec file

BUILD: Change default unicode library to glib2 This patch also removes the references to 'cvs' and 'nscd' from BUILD.txt, as they are no longer necessary.

Try to build PAC responder only if all dependencies are available

PAC responder: support in spec file

Make krb5_ccname_template and krb5_ccachedir configurable

SSSDConfig: Make SSSDConfig a package We were polluting the primary Python space with several dependencies. We will now install them their own directory/module.

RPM: Allow running 'make rpms' on RHEL 5 machines Our previous detection for this was flawed, because the %{rhel} macro did not exist on the version of RPM shipped with RHEL 5, but it worked when building for RHEL 5 through mock. This new patch relies on grepping /etc/redhat-release for the version information. https://fedorahosted.org/sssd/ticket/1206

Fix typo in spec file

Install and uninstall all documentation Every directory listed in SSSD_DOCS in Makefile.am will be installed as documentation.

Add idmap library

nsssrv: shared memory cache server initialization

Build experimental features by default in RPMs

Make RPM spec more explicit It will be easier to catch errors at build-time

Prune python provides correctly

Eliminate build-time requirement for nscd We will now use the autodetected location if available, or else fall back to a value provided by --with-nscd in configure and finally resort to a hard-coded default of /usr/sbin/nscd.

Fix missing %endif in sssd.spec.in

Move sss_ssh_* binaries to the main 'sssd' package The sssd-client subpackage is multilib, so it cannot contain conflicting /usr/bin executables.

SSH: Build man pages conditionally https://fedorahosted.org/sssd/ticket/1175

Make sudo installation path configurable, install into libdir by default

SSH: OpenSSH known_hosts client

SSH: OpenSSH authorized_keys client

AUTOFS: a client library This is the library the autofs client is using. automounter dlopen()s the library so there is no header file, no pkgconfig file and the library is in the libsss_autofs package, not in -devel. The library provides the following interface: * _sss_setautomntent() - select the map for processing * _sss_getautomntent_r() - iterates through key/value pairs in the selected map. The key is usually the mount point, the value is mount information (server:/export) * _sss_getautomntbyname_r() - returns value for a specific key. * _sss_endautomntent() deselect a map, clean up

SUDO: Provide documentation for the SUDO API

SSSDConfigAPI: Move sssd.api.* to /usr/share/sssd https://fedorahosted.org/sssd/ticket/1158

Add a new Makefile target to build RPMs with the experimental flag

Update spec file to build with Glib on RHEL 5

Fix typo in specfile

Do not build documentation on RHEL 5 RHEL 5 has a very old version of doxygen that does not search the correct locations for documentation.

Add libipa_hbac documentation to the -devel package

Remove all libtool .la files from RPM

sss_debuglevel - change the debug levels on the fly https://fedorahosted.org/sssd/ticket/950

Fix typo in %configure

Add option to specify the kerberos replay cache dir Adds a configure option to set the distribution default as well as an sssd.conf option to override it. https://fedorahosted.org/sssd/ticket/980

Fix broken RHEL5 build RPM in RHEL 5 requires %ghost entries to be present in the build root.

Remove private shared object Provides: for pysss.so and pyhbac.so

Include the configuration file as a %ghost entry The recent change to cease installing the sample configuration file caused existing config files to be removed on upgrade. This will prevent that from happening.

Rename sssd.conf to sssd-example.conf This file should not be installed by default. It leads to user confusion. We will instead install it as documentation. Fix incorrect example of entry_cache_nowait_percentage

Require matched version and release for libipa_hbac

libipa_hbac: Support case-insensitive comparisons with UTF8

Provide python bindings for the HBAC evaluator library

Add HBAC evaluator and tests

Ensure that SSSD always Requires: the primary-arch sssd-client https://bugzilla.redhat.com/show_bug.cgi?id=709333

Add support for openldap24 package on RHEL 5.7

Include manpage for sss_cache

Cache cleaning tool

Fix specfile for RHEL5 RHEL5 uses an old libtool. We need to forcibly remove certain m4 files before running autoreconf to ensure that they get replaced with the appropriate old versions.

Detect the proper location for memberof.so

Minor specfile changes We should be using BuildRequires: gettext-devel Also, for best compatibility across multiple RPM-based distros, we should be running autoreconf before configure.

Make SSSDConfig API configuration readable Previously, only root could read these files, but it makes sense to allow non-root users to prototype sssd.conf files.

Fix handling of translated man pages in spec file If po4a is not available 'make rpms' will fail because the spec file expects that some translated man pages are present. This patch tries to detect which translated man pages are available and adds them to the corresponding file list.

Add missing gettext BuildRequires

Add uk translation to specfile

Remove unnecessary po4a BuildRequires

Build and install translated man pages by default

Add Czech translation Translated a couple of strings from manpages into Czech. Makes the manpage translation patch testable.

Make manual pages translatable Utilizes PO4A to extract translatable strings from Docbook XML sources and allows translators to submit ordinary .PO files. PO4A then generates translated Docbook documents that can be used to generate translated end user documentation. https://fedorahosted.org/sssd/ticket/297

Move sss_* tools into their own subpackage

Assorted specfile changes Several problems with the specfile were fixed in the SSSD release in certain RPM-based distributions. This patch pulls them into the example specfile

Rename upgrade_config.py and build it properly Previously, we were just copying the script into the libexec dir during installation. However, this causes problems for packaging multilib on several distributions. https://fedorahosted.org/sssd/ticket/641

Fix assorted specfile issues 1) Pam modules should be explicitly built for /lib64/security 2) The krb5 locator plugin is always built; remove the conditional 3) The krb5 locator plugin belongs in the sssd-client package 4) The sss_obfuscate manpage was not packaged

sss_obfuscate tool A tool to add obfuscated passwords into the SSSD config file

Build SSSD RPMs with external libraries

Use netlink to detect going online Integrates libnl to detect adding routes. When a route is added, the offline status of all back ends is reset. This patch adds no heuristics to detect whether back end went offline. Fixes: #456

Replace %define with %global in example spec

Fixing types in queue and stack interfaces

Bump libini_config version to 0.6.0

Drop release requirement from versions

Add support for delayed kinit if offline If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.

Add dynamic DNS updates to FreeIPA This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).

Revert "Add dynamic DNS updates to FreeIPA" This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7. While this patch applied cleanly, it was uncompilable. Reverting until it can be properly merged.

Add dynamic DNS updates to FreeIPA This adds two new options: ipa_dyndns_update: Boolean value to select whether this client should automatically update its IP address in FreeIPA DNS. ipa_dyndns_iface: Choose an interface manually to use for updating dynamic DNS. Default is to use the interface associated with the LDAP connection to FreeIPA. This patch supports A and AAAA records. It relies on the presence of the nsupdate tool from the bind-utils package to perform the actual update step. The location of this utility is set at build time, but its availability is determined at runtime (so clients that do not require dynamic update capability do not need to meet this dependency).

Remove the NSS_LIBS and KRB5_LIBS variables from sssd.spec Due to the way RPM processes the %configure macro, these variables were not actually being passed down to recursive configure invocations. In other words, they were useless. Futhermore, in more recent Fedora versions (13+), some of the dependencies have moved from -lnss to -lnspr4. As a result, it is safer to rely on the complete output of 'pkg-config nss --libs' instead of restricting to -lnss. The downside to this is that it may result in linking unnecessarily against other NSS components such as libsmime3 and libplc4 (among others). However, since these are already dependencies of libnss itself, there should be no risk of them being unavailable on the platform when installed.

Fixing spec file to match version.

Adding interface documentation Package refarray documentation by default

SELinux login management Adds a new option -Z to sss_useradd and sss_usermod. This option allows user to specify the SELinux login context for the user. On deleting the user with sss_userdel, the login mapping is deleted, so subsequent adding of the same user would result in the default login context unless -Z is specified again. MLS security is not supported as of this patch.

Allow running with read only root Packages /etc/rwtab.d/sssd file that allows SSSD to run on a read-only root filesystem. Fixes: #428

Generate doxygen documentation for path_utils

Build and package libini_config docs

Clean up changelog for sssd.spec Since we don't keep the changelog up to date, it makes more sense to simply truncate it to always report that it is an automated build.

Use correct python macros in sssd.spec This patch brings our spec file into compliance with Fedora python requirements. See http://fedoraproject.org/wiki/Packaging/Python#Macros for more details

Add simple access provider

Add BuildRequires for doxygen This is needed to create the collection documentation

Package libcollection documentation into libcollection-devel

Package example logrotate script

Run 'make check' during rpmbuild

Disable rpath support in the linker The Fedora Package Guidelines forbid the use of rpaths

Fix bad merge Merging ba8937d83675c7d69808d1d3df8f823afdc5ce2a left the COPYING and COPYING.LESSER files in the now-defunct sss_client directory. This patch moves them into the right location and fixes the spec file to look for them correctly.

Fix licensing issues for sss_client

Rename server/ directory to src/ Also update BUILD.txt

Merge sss_client and sss_daemon translations together

Make collection_queue.h and collection_stack.h into public headers

Package libref_array and libref_array-devel

Package libini_config and libini_config-devel

Package libcollection and libcollection-devel

Package libpath_utils and libpath_utils-devel

Update the url in the spec files

Split off libdhash into a shared library Right now, the pkg-config checks for the system version of libdhash are forcibly disabled, requiring the SSSD to build it from its own tree. In the future, when we split the libraries off from the SSSD, it will be easy to switch this check to the external library.

sss_groupshow - a utility to print properties of a local group This patch adds a utility called sss_groupshow that allows user to print properties of a group in the local domain. Fixes: #306

Fix egg-info file generation in the spec file We were actually listing files that are on the system, not those that we created in the $RPM_BUILD_ROOT. Also, by doing an echo with the regular expression, we put more than one file on one line. Rpmbuild doesn't like that and will not generate the rpms.

Fix RPM spec for RHEL6

Make packaging of *.egg-info files more flexible

Do not include libsss_ipa.la in rpm package

Read KDC info from file instead from environment Then name or IP adress of the KDC is written into the pubconf directory into a file named kdcinfo.REALM. The locator plugin will then read this file and pass the data to the kerberos libraries.

Fix Requires: sssd-client line in specfile

Update sssd.spec to use only the required KRB5_LIBS and NSS_LIBS

Add Requires: cyrus-sasl-gssapi This is needed by LDAP GSSAPI binds.

Fix RPM builds on older versions of rpmbuild Older versions of rpmbuild do not accept multiple '-f' options being specified, so we'll add the krb5_locator_plugin.so to the sss_daemon.lang filelist instead of putting it in its own file.

Start implementing ipa specific options. First step generate ldap options from ipa options. Add sssd-ipa man page too.

Clean up rpmlint errors and warnings in sssd-client package - Run ldconfig in sssd-client post and postun - Version libnss_sss.so as libnss_sss.so.2 (to set the correct SONAME)

Better detect installed language files

Use Python 3-compatible sitearch and sitelib

add missing %defattr to the filelist of the client package

Package SSSDConfig API

Change requirement on libldb to libldb >= 0.9.3

Tighten up permission. SSSD may contain passwords and other sensitive data, make sure we always keep its permission tight. Also make /etc/sssd permission very strict, just in case, admins may inadvertently copy an sssd.conf file without checking it's permissions.

Convert the example config to v2 format, upgrade config on update only

Send debug messages to logfile Introduces a new option --debug-to-files which makes SSSD output its debug information to a file instead of stderr, which is still the default. Also introduces a new confdb option debug_to_files which does the same, but can be specified per-service in the config file. The logfiles are stored in /var/log/sssd by default. Changes the initscript to log to files by default.

Split out an sssd-clients package

script to upgrade config to v2

added support for older MIT kerberos versions - make the build of the locator plugin optional - added a man page for the locator plugin - use krb5.h if krb5/krb5.h cannot be found - added alternatives for missing functions - set -DDBUS_API_SUBJECT_TO_CHANGE if libdbus version is lesser than 1.0.0

Provide python bindings for sysdb Implement a set of python bindings for the sysdb with feature set similar to what is available in the tools. The primary consumers would be applications like system-config-users. Resolves: Ticket #102

Add PRERELEASE_VERSION variable for use in sssd.spec.in This will add a second, optional line to the VERSION file that will be used by the automated build scripts to create snapshot versions.

Move RPM specfiles into contrib/ Support RHEL 5 in the spec file