diff --git a/.gitignore b/.gitignore
index 0e3ad54..96cdbdd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.9.3.tar.gz
 /sssd-1.9.4.tar.gz
 /sssd-1.10.0alpha1.tar.gz
+/sssd-1.10.0beta1.tar.gz
diff --git a/0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch b/0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch
deleted file mode 100644
index bd98652..0000000
--- a/0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch
+++ /dev/null
@@ -1,181 +0,0 @@ -From 9d890186ec2b511aa30a9574543f29e1ef56e0e8 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Sat, 6 Apr 2013 17:58:53 +0200 -Subject: [PATCH] Fix krbcc dir creation issue with MIT krb5 1.11 - -In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir -exists. If it doesn't exist, than it will be created with process permissions -and not user permissions. - -Function cc_residual_is_used has already checked for non existing -directory, but it wasn't considered to be a failure and therefore next call -of krb5_init_context will create directory with wrong permissions. - -Now if directory doesn't exist, it will be handled like there was not ccache -attribute in sysdb cache. We also check if "primary" file in ccache directory -has right permissions. But we ignore missing "primary" file. - -https://fedorahosted.org/sssd/ticket/1822 ---- - src/providers/krb5/krb5_auth.c | 12 ++++++++- - src/providers/krb5/krb5_utils.c | 60 ++++++++++++++++++++++++++++++++++------- - 2 files changed, 61 insertions(+), 11 deletions(-) - -diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c -index 00025bfc156eaf641217194c6301f4d70a773a73..5baea0bc84bb6991d32300210d4bb4db3bcee5d0 100644 ---- a/src/providers/krb5/krb5_auth.c -+++ b/src/providers/krb5/krb5_auth.c -@@ -106,6 +106,11 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr, - - ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn, - cc_template, active, valid); -+ if (ret == ENOENT) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ ("Saved ccache %s doesn't exist.\n", old_ccache)); -+ return ret; -+ } - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - ("Cannot check if saved ccache %s is active and valid\n", -@@ -617,7 +622,12 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, - ret = check_old_ccache(ccache_file, kr, realm, - &kr->active_ccache, - &kr->valid_tgt); -- if (ret != EOK) { -+ if (ret == ENOENT) { -+ DEBUG(SSSDBG_FUNC_DATA, -+ 
("Ignoring ccache attribute [%s], because it doesn't" -+ "exist.\n", ccache_file)); -+ ccache_file = NULL; -+ } else if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("check_if_ccache_file_is_used failed.\n")); - goto done; -diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c -index ad77c7cc8305a98cc263cd7c6222979f361d0155..524568939507dac497ebf373612c40dfac6bf74c 100644 ---- a/src/providers/krb5/krb5_utils.c -+++ b/src/providers/krb5/krb5_utils.c -@@ -776,7 +776,7 @@ cc_residual_is_used(uid_t uid, const char *ccname, - DEBUG(SSSDBG_FUNC_DATA, ("Cache file [%s] does not exist, " - "it will be recreated\n", ccname)); - *result = false; -- return EOK; -+ return ENOENT; - } - - DEBUG(SSSDBG_OP_FAILURE, -@@ -869,10 +869,13 @@ cc_file_check_existing(const char *location, uid_t uid, - - ret = cc_residual_is_used(uid, filename, SSS_KRB5_TYPE_FILE, &active); - if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. " -- "Will create a new one.\n")); -+ if (ret != ENOENT) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Could not check if ccache is active.\n")); -+ } - cc_check_template(cc_template); - active = false; -+ return ret; - } - - kerr = krb5_init_context(&context); -@@ -998,6 +1001,7 @@ cc_dir_check_existing(const char *location, uid_t uid, - const char *cc_template, bool *_active, bool *_valid) - { - bool active = false; -+ bool active_primary = false; - bool valid = false; - krb5_ccache ccache = NULL; - krb5_context context = NULL; -@@ -1006,7 +1010,9 @@ cc_dir_check_existing(const char *location, uid_t uid, - const char *filename; - const char *dir; - char *tmp; -+ char *primary_file; - errno_t ret; -+ TALLOC_CTX *tmp_ctx; - - type = sss_krb5_get_type(location); - if (type != SSS_KRB5_TYPE_DIR) { -@@ -1027,29 +1033,62 @@ cc_dir_check_existing(const char *location, uid_t uid, - return EINVAL; - } - -- tmp = talloc_strdup(NULL, filename); -- if (!tmp) return ENOMEM; -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) 
{ -+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_new failed.\n")); -+ return ENOMEM; -+ } -+ -+ tmp = talloc_strdup(tmp_ctx, filename); -+ if (!tmp) { -+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup failed.\n")); -+ ret = ENOMEM; -+ goto done; -+ } - - dir = dirname(tmp); - if (!dir) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("Cannot base get directory of %s\n", location)); -- return EINVAL; -+ ret = EINVAL; -+ goto done; - } - - ret = cc_residual_is_used(uid, dir, SSS_KRB5_TYPE_DIR, &active); -- talloc_free(tmp); - if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. " -- "Will create a new one.\n")); -+ if (ret != ENOENT) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Could not check if ccache is active.\n")); -+ } - cc_check_template(cc_template); - active = false; -+ goto done; -+ } -+ -+ /* If primary file isn't in ccache dir, we will ignore it. -+ * But if primary file has wrong permissions, we will fail. -+ */ -+ primary_file = talloc_asprintf(tmp_ctx, "%s/primary", dir); -+ if (!primary_file) { -+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf failed.\n")); -+ ret = ENOMEM; -+ goto done; -+ } -+ ret = cc_residual_is_used(uid, primary_file, SSS_KRB5_TYPE_FILE, -+ &active_primary); -+ if (ret != EOK && ret != ENOENT) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ ("Could not check if file 'primary' [%s] in dir ccache" -+ " is active.\n", primary_file)); -+ active = false; -+ goto done; - } - - krberr = krb5_init_context(&context); - if (krberr) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to init kerberos context\n")); -- return EIO; -+ ret = EIO; -+ goto done; - } - - krberr = krb5_cc_resolve(context, location, &ccache); -@@ -1081,6 +1120,7 @@ cc_dir_check_existing(const char *location, uid_t uid, - - ret = EOK; - done: -+ talloc_free(tmp_ctx); - if (ccache) krb5_cc_close(context, ccache); - krb5_free_context(context); - *_active = active; --- -1.8.1.4 - diff --git a/sources b/sources index f5a0944..fd8ed58 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -e7d5b4f2abff70cc280bb16b3fca215a sssd-1.10.0alpha1.tar.gz +7df7667fb8e544e9f766cef4379b5059 sssd-1.10.0beta1.tar.gz diff --git a/sssd.spec b/sssd.spec index 9d55da5..79d857c 100644 --- a/sssd.spec +++ b/sssd.spec @@ -16,16 +16,15 @@ Name: sssd Version: 1.10.0 -Release: 2%{?dist}.alpha1 +Release: 3%{?dist}.beta1 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ URL: http://fedorahosted.org/sssd/ -Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}alpha1.tar.gz +Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta1.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### -Patch0001: 0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch ### Dependencies ### @@ -37,6 +36,7 @@ Requires: sssd-client%{?_isa} = %{version}-%{release} Requires: cyrus-sasl-gssapi%{?_isa} Requires: libipa_hbac%{?_isa} = %{version}-%{release} Requires: libsss_idmap%{?_isa} = %{version}-%{release} +Requires: python-sssdconfig = %{version}-%{release} Requires: krb5-libs%{?_isa} >= 1.10 Requires(post): systemd-units initscripts chkconfig Requires(preun): systemd-units initscripts chkconfig @@ -130,6 +130,15 @@ Also provides several other administrative tools: * sss_seed which pre-creates a user entry for use in kickstarts * sss_obfuscate for generating an obfuscated LDAP password +%package -n python-sssdconfig +Summary: SSSD and IPA configuration file manipulation classes and functions +Group: Applications/System +License: GPLv3+ +BuildArch: noarch + +%description -n python-sssdconfig +Provides python files for manipulation SSSD and IPA configuration files. + %package -n libsss_idmap Summary: FreeIPA Idmap library Group: Development/Libraries 
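Review bot: Dropping `Patch0001` in the `@@ -16,16 +16,15 @@` hunk of sssd.spec is only safe if the 1.10.0beta1 tarball already carries the krb5 1.11 ccache-directory fix, and nothing on the new side records that it does. By the deleted patch's own description, without the fix the ccache directory is created with the process's permissions instead of the user's, so a silent regression here would be a permissions problem, not a cosmetic one. The `%changelog` entry added in the last hunk of this file only says "New upstream release 1.10 beta1". Once the fix has been confirmed in the beta1 sources, I would add a line such as `- Drop the krb5 1.11 ccache dir creation patch, fixed upstream (sssd ticket 1822)`.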
@@ -178,6 +187,35 @@ Requires: libipa_hbac = %{version}-%{release} The libipa_hbac-python contains the bindings so that libipa_hbac can be used by Python applications. +%package -n libsss_nss_idmap +Summary: Library for SID based lookups +Group: Development/Libraries +License: LGPLv3+ +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig + +%description -n libsss_nss_idmap +Utility library for SID based lookups + +%package -n libsss_nss_idmap-devel +Summary: Library for SID based lookups +Group: Development/Libraries +License: LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} + +%description -n libsss_nss_idmap-devel +Utility library for SID based lookups + +%package -n libsss_nss_idmap-python +Summary: Python bindings for libsss_nss_idmap +Group: Development/Libraries +License: LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} + +%description -n libsss_nss_idmap-python +The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can +be used by Python applications. + %package -n libsss_sudo Summary: A library to allow communication between SUDO and SSSD Group: Development/Libraries @@ -214,7 +252,7 @@ UpdateTimestamps() { done } -%setup -q -n %{name}-1.9.91 +%setup -q -n %{name}-1.9.92 for p in %patches ; do @@ -278,10 +316,10 @@ find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name} # Older versions of rpmbuild can only handle one -f option -# So we need to append to the sssd.lang file +# So we need to append to the sssd*.lang file for file in `ls $RPM_BUILD_ROOT/%{python_sitelib}/*.egg-info 2> /dev/null` do - echo %{python_sitelib}/`basename $file` >> sssd.lang + echo %{python_sitelib}/`basename $file` >> python_sssdconfig.lang done touch sssd_tools.lang 
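Review bot: The new `libsss_nss_idmap` package in the `@@ -178,6 +187,35 @@` hunk declares `Requires(post): /sbin/ldconfig` and `Requires(postun): /sbin/ldconfig`, but no hunk in this diff adds the scriptlets that would actually run it. The `%files -n libsss_nss_idmap` section added later ships `%{_libdir}/libsss_nss_idmap.so.*`, so unless the scriptlets already exist outside the hunks shown, the linker cache is not refreshed when the library is installed or removed. Following the `%postun -n libsss_sudo -p /sbin/ldconfig` line visible in the last hunk, add `%post -n libsss_nss_idmap -p /sbin/ldconfig` and `%postun -n libsss_nss_idmap -p /sbin/ldconfig`.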
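Review bot: In the `@@ -278,10 +316,10 @@` hunk, `python_sssdconfig.lang` is created only by the `>>` inside the loop, so if the `*.egg-info` glob matches nothing the file never exists. The `%files -n python-sssdconfig -f python_sssdconfig.lang` section added later in this diff would then fail at build time. The `touch sssd_tools.lang` context line right after the loop suggests other list files are pre-created for this reason. If it is not already done outside this hunk, add `touch python_sssdconfig.lang` before the loop.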
@@ -397,8 +435,6 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/pysss.so %{python_sitearch}/pysss_murmur.so -%dir %{python_sitelib}/SSSDConfig -%{python_sitelib}/SSSDConfig/*.py* %files client -f sssd_client.lang %defattr(-,root,root,-) @@ -434,6 +470,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sss_debuglevel.8* %{_mandir}/man8/sss_seed.8* +%files -n python-sssdconfig -f python_sssdconfig.lang +%defattr(-,root,root,-) +%dir %{python_sitelib}/SSSDConfig +%{python_sitelib}/SSSDConfig/*.py* + %files -n libsss_idmap %defattr(-,root,root,-) %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER @@ -484,6 +525,27 @@ A utility library to allow communication between Autofs and SSSD %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/sssd/modules/libsss_autofs.so* +%files -n libsss_nss_idmap +%defattr(-,root,root,-) +%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libsss_nss_idmap.so.* + +%files -n libsss_nss_idmap-devel +%defattr(-,root,root,-) +%if 0%{?fedora} +%doc nss_idmap_doc/html +%endif +%if 0%{?rhel} >= 6 +%doc nss_idmap_doc/html +%endif +%{_includedir}/sss_nss_idmap.h +%{_libdir}/libsss_nss_idmap.so +%{_libdir}/pkgconfig/sss_nss_idmap.pc + +%files -n libsss_nss_idmap-python +%defattr(-,root,root,-) +%{python_sitearch}/pysss_nss_idmap.so + %post if [ $1 -ge 1 ] ; then # Initial installation @@ -533,6 +595,10 @@ fi %postun -n libsss_sudo -p /sbin/ldconfig %changelog +* Fri May 3 2013 Jakub Hrozek - 1.10.0-3.beta1 +- New upstream release 1.10 beta1 +- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1 + * Wed Apr 17 2013 Jakub Hrozek - 1.10.0-2.alpha1 - Add a patch to fix krb5 ccache creation issue with krb5 1.11