| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Also adds support for the basic LOCAL provider that stores data
on the local machine.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2028
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2247
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
| |
With this plugin winbind can use the same id-mapping as SSSD which makes
it possible to run both together in a consistent way.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are still issues[1,2,3] with ipa and ad provider
which cause failures when sssd is running as non-privileged user.
It's easy to change default root to non-root
mock --resultdir . --rebuild ./sssd-1.13.90-0.fc24.src.rpm --with=sssd_user
or with plain rpmbuild
rpmbuild -ba SPECS/sssd.spec --with sssd_user
[1] https://fedorahosted.org/sssd/ticket/2963
[2] https://fedorahosted.org/sssd/ticket/2965
[3] https://fedorahosted.org/sssd/ticket/3014
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes SSSD possibly useful "out of the box" by allowing
packagers to provide a default config file located in $LIBDIR/sssd/conf
that will be copied by the monitor to /etc/sssd if no file already
exists in that location. This will make it possible to have SSSD set up
to have distribution-specific default configuration, such as enabling
the proxy provider to cache /etc/passwd (such as in the provided
example in this patch).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
libcmocka and cwrap is available in epel
which is used by mock.
This patch also remove superfluous for checking fedora.
Fedora < 20 is not suported for very long time.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do not need to requires specific version of libldb
or libtdb because it is automatically detected from
binary/library dependencies. We also need never version
of that libraries as it was specified in spec file.
e.g.
sh$ rpm -q --requires sssd-common | grep -E "TDB|LDB"
libldb.so.1(LDB_0.9.10)(64bit)
libtdb.so.1(TDB_1.2.1)(64bit)
There is also redundant dependency on sssd-common-pac
sssd -> sssd-ipa -> sssd-common-pac
-> sssd-ad -> sssd-common-pac
-> sssd-common-pac
sh$ rpm -q --whatrequires sssd-common-pac
sssd-ipa-1.13.3-1.fc23.x86_64
sssd-ad-1.13.3-1.fc23.x86_64
sssd-1.13.3-1.fc23.x86_64
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
It will reduce dependency chain in container world.
libsss_autofs.so depends only on libc and requires
sssd unix sockets. And sssd-common has many requirements.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We recently added /usr/share/polkit-1/rules.d to the spec file
to fix issues with unowned directories. However there is conflict
with polkit package. The owner is not root.
Running transaction test
Error: Transaction check error:
file /usr/share/polkit-1/rules.d from install of sssd-common-1.13.90-0.20160125.1503.git1b8858b.master.f
+c23.x86_64 conflicts with file from package polkit-0.113-4.fc23.x86_64
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch removes unnecessary requires of dbus-libs
because it's already detected from library.
However we forgot to call ldconfig after (un)installation.
sh$ rpm -q -p --requires libsss_simpleifp-1.13.90-0.fc23.x86_64.rpm | grep dbus
libdbus-1.so.3()(64bit)
libdbus-1.so.3(LIBDBUS_1_3)(64bit)
sssd-dbus = 1.13.90-0.fc23
sh$ rpm -q --whatprovides "libdbus-1.so.3()(64bit)"
dbus-libs-1.10.6-1.fc23.x86_64
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
rhel5 required to clean buildroot in install section.
The %clean section is not required for F-13 and above, and EPEL 6 and
above. EPEL 5 MUST have a %clean section that cleans the buildroot:
https://fedoraproject.org/wiki/EPEL:Packaging#Prepping_BuildRoot_For_.25install
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
It's better to do not rely on custom scripts
and do not call systemctl directly.
This is exactly purpose of systemd-rpm macros.
All sections are equivalent excluding "%post common".
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
https://fedoraproject.org/wiki/Packaging:UnownedDirectories
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The module ${libdir}/libsss_sudo.so is used only by /usr/bin/sudo.
If libsss_sudo.so was part of sssd-client then 32 bit version would
never be used on 64 bit machine and files in sssd-client can be used
by multilib applications e.g. libnss_sss.so can be indirectly "dlopened"
by 64 bit applications and 32 bit application.
(32-bit web browser; ordinary 64bit applications ...)
Resolves:
https://fedorahosted.org/sssd/ticket/2855
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
krb5 domain mapping files are stored to the directory
%{pubconfpath}/krb5.include.d. It can be stored by ipa or ad provider.
However this directory was owned by sub-package sssd-ipa. And ad provider
can be installed without this package. Therefore %{pubconfpath}/krb5.include.d
should be owned by common dependency.
The owner of this directory was also fixed to sssd.
It's already done by make install. It was changed only in spec file.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To only operation of p11_child which requires special privileges is the
communication to pcscd which handles the Smartcard access. pcscd uses
policy-kit for access control so access can easily be configured by
dropping config snippets into the right directory.
If SSSD is configured to run as un-privileged user this patch creates
the needed config snippet for policy-kit and installs it in a suitable
directory. As a result p11_child does not have to be installed with
SETUID or SETGID bits set.
Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to use different names for python{2,3} modules if we want to build
them in the same time with automake (prefix _py2 and _py3). But resulting name
need to correspond with name of module because it is used in C import function.
We used symbolic links for that purpose but it breaks debian python tools
which rename the real modules making symbolic links to point nowhere
Resolves:
https://fedorahosted.org/sssd/ticket/2814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsss_ad_common.la was a dynamic library and was linked just with unit tests.
It was a workaroud because module libsss_ad.so cannot be linked with tests
without portability issues. But it was addted to pkglib_LTLIBRARIES
and therefore it was installed with other libraries.
This patch changed it and libsss_ad_test.la (old name libsss_ad_common.la)
will be compiled only for unit tests (check_LTLIBRARIES) and will not
be installed with command "make install".
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the tarball is generated with minimal dependencies extracted from spec file
then translated manual pages are not generated due to missing script po4a.
This step is not necessary for regular nightly/developer builds.
The tarball is created faster without such step. However rpm >= 4.13
will fail due to empty manifest file.
Resolves:
https://fedorahosted.org/sssd/ticket/2738
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
krb5_localauth_plugin could be build only with MIT kerberos >= 1.12.
However, this feature was backported in downstream to older version
of kerberos. So there were packaging failures
error: Installed (but unpackaged) file(s) found:
/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
RPM build errors:
Installed (but unpackaged) file(s) found:
/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
Child returncode was: 1
EXCEPTION: Command failed. See logs for output.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2584
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Make sure the directory is only accessible to the sssd user
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to design page[1], proxy_child should run
with root privileges in non-root mode however proxy_child
did not have setuid bit.
After setting setuid bit proxy_child will be executed with extra privileges.
The effective user ID will be 0 but effective group ID will be still
the same as egid of sssd_be. Therefore gid of private pipe for
proxy_child should be the same. Otherwise proxy_child will fail
due to wrong permissions of unix pipe (sbus_client_init -> check_file)
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
Resolves:
https://fedorahosted.org/sssd/ticket/2655
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsss_ldap_common(sssd-common) requires libsss_krb5_common.so(sssd-krb5-common)
and sssd-krb5-common requires sssd-common.
sh$ nm --dynamic --defined-only /usr/lib64/sssd/libsss_krb5_common.so
000000000000c4d0 T krb5_service_init
000000000000b8c0 T krb5_try_kdcip
000000000000c710 T remove_krb5_info_files
0000000000014960 T select_principal_from_keytab
00000000000141d0 T sss_krb5_get_error_message
sh$ nm --dynamic --undefined-only /usr/lib64/sssd/libsss_ldap_common.so
U krb5_service_init
U krb5_try_kdcip
U remove_krb5_info_files
U select_principal_from_keytab
U sss_krb5_get_error_message
This patch fix cyclic dependency with rpm packaging becuase
it's not simple task to remove krb5 dependency from ldap provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2507
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
- removed unnecessary blank lines (leftover after many changes)
- list manual pages according to section number
- add missing white spaces to shall scripts
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The optional definition of rpm macro with_ccache was removed in patch
"BUILD: Remove unnecessary patch and configure opts"
as a part of ticket https://fedorahosted.org/sssd/ticket/2036.
It is not used anymore so it can be removed.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Old versions of rpmbuild require ghost files to be present in the buildroot.
It was mainly problem of rpmbuild on rhel5 which is not supported anymore.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
This workaround was for libtool in rhel 5
and we dropped support for it few months ago due to missing dependencies.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
|
| |
Some pyhton bindings pysss and pysss_murmur was in package sssd-common.
Therefore package sssd-common had python as a dependency.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
|
| |
RHEL6.6 contains libnl3.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2550
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become arbitrary user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
| |
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
| |
The ldap_child permissions should be 4750, owned by root.sssd,
to make sure only root and sssd can execute the child and if executed by
sssd, the child will run as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|