diff mbox series

[bug#55598] gnu: sssd: Update to 2.7.0.

Message ID 20220523185417.23954-1-timotej.lazar@araneo.si
State Accepted

Checks

Context Check Description
cbaines/comparison success View comparison
cbaines/git branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

Timotej Lazar May 23, 2022, 6:54 p.m. UTC
Add support for renewing AD membership with adcli. Wrap binaries with
LDB_MODULES_PATH. Fix the sss_analyze utility to run without systemd
libraries. Add native inputs to generate man pages and run additional tests
during build.

* gnu/packages/sssd.scm (sssd): Update to 2.7.0.
[patches]: Drop patches applied upstream. Add a patch for sss_analyze.
[inputs]: Add adcli, bash-minimal, jose, keyutils, libnl, pcre2, python.
Drop augeas, pcre.
[native-inputs]: Add cmocka, doxygen, gettext-minimal, libfaketime,
libtool, openssh, po4a, softhsm.
[arguments]: Rewrite in gexp style. Fix configure checks. Remove static
library from install. Wrap binaries to set correct paths.
* gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch,
gnu/packages/patches/sssd-fix-samba-4.15.3.patch,
gnu/packages/patches/sssd-fix-samba.patch: Delete files.
* gnu/packages/patches/sssd-optional-systemd.patch: New file.
* gnu/local.mk (dist_patch_DATA): Update accordingly.
---
Hi,

this updates sssd to the latest version. I adapted the package to the
new style, added inputs for additional features and tests, and wrapped
the binaries with the required environment variables.

The package builds at least for x86-64, i686 and aarch64. I have been
using the updated package (actually the 2.6.0 version for the most part)
for several months to enable AD logins from multiple domains.

Upstream seems to maintain both the 2.x and 1.16.x series; if anyone
needs the older version, I can submit a revision to keep both packages.
Man pages are still not formatted correctly, which seems to be an issue
with docbook reported at https://issues.guix.gnu.org/52909.

Finally, I know that mixing updates with other changes is bad form, but
untangling them now would be less than trivial and more than likely to
introduce bugs in the intermediate commits. :)

Thanks!

 gnu/local.mk                                  |   4 +-
 ...d-collision-with-external-nss-symbol.patch |  71 ---
 .../patches/sssd-fix-samba-4.15.3.patch       | 523 ------------------
 gnu/packages/patches/sssd-fix-samba.patch     |  50 --
 .../patches/sssd-optional-systemd.patch       |  45 ++
 .../patches/sssd-system-directories.patch     |  44 +-
 gnu/packages/sssd.scm                         | 207 ++++---
 7 files changed, 204 insertions(+), 740 deletions(-)
 delete mode 100644 gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch
 delete mode 100644 gnu/packages/patches/sssd-fix-samba-4.15.3.patch
 delete mode 100644 gnu/packages/patches/sssd-fix-samba.patch
 create mode 100644 gnu/packages/patches/sssd-optional-systemd.patch

Comments

Ludovic Courtès May 24, 2022, 1:35 p.m. UTC | #1
Hi,

Timotej Lazar <timotej.lazar@araneo.si> wrote:

> Add support for renewing AD membership with adcli. Wrap binaries with
> LDB_MODULES_PATH. Fix the sss_analyze utility to run without systemd
> libraries. Add native inputs to generate man pages and run additional tests
> during build.
>
> * gnu/packages/sssd.scm (sssd): Update to 2.7.0.
> [patches]: Drop patches applied upstream. Add a patch for sss_analyze.
> [inputs]: Add adcli, bash-minimal, jose, keyutils, libnl, pcre2, python.
> Drop augeas, pcre.
> [native-inputs]: Add cmocka, doxygen, gettext-minimal, libfaketime,
> libtool, openssh, po4a, softhsm.
> [arguments]: Rewrite in gexp style. Fix configure checks. Remove static
> library from install. Wrap binaries to set correct paths.
> * gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch,
> gnu/packages/patches/sssd-fix-samba-4.15.3.patch,
> gnu/packages/patches/sssd-fix-samba.patch: Delete files.
> * gnu/packages/patches/sssd-optional-systemd.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Update accordingly.

Applied!

> this updates sssd to the latest version. I adapted the package to the
> new style, added inputs for additional features and tests, and wrapped
> the binaries with the required environment variables.
>
> The package builds at least for x86-64, i686 and aarch64. I have been
> using the updated package (actually the 2.6.0 version for the most part)
> for several months to enable AD logins from multiple domains.
>
> Upstream seems to maintain both the 2.x and 1.16.x series; if anyone
> needs the older version, I can submit a revision to keep both packages.
> Man pages are still not formatted correctly, which seems to be an issue
> with docbook reported at https://issues.guix.gnu.org/52909.
>
> Finally, I know that mixing updates with other changes is bad form, but
> untangling them now would be less than trivial and more than likely to
> introduce bugs in the intermediate commits. :)

This all sounds reasonable to me.

Thanks for updating it!

Ludo’.

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6274f43566..e458b3e922 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1610,8 +1610,6 @@  dist_patch_DATA =						\
   %D%/packages/patches/sdl-pango-sans-serif.patch		\
   %D%/packages/patches/smalltalk-multiplication-overflow.patch	\
   %D%/packages/patches/sqlite-hurd.patch			\
-  %D%/packages/patches/sssd-collision-with-external-nss-symbol.patch	\
-  %D%/packages/patches/sssd-fix-samba-4.15.3.patch	\
   %D%/packages/patches/strace-readlink-tests.patch		\
   %D%/packages/patches/sunxi-tools-remove-sys-io.patch	\
   %D%/packages/patches/p11-kit-hurd.patch			\
@@ -1825,7 +1823,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/snappy-add-inline-for-GCC.patch		\
   %D%/packages/patches/sphinxbase-fix-doxygen.patch		\
   %D%/packages/patches/spice-vdagent-glib-2.68.patch		\
-  %D%/packages/patches/sssd-fix-samba.patch			\
+  %D%/packages/patches/sssd-optional-systemd.patch		\
   %D%/packages/patches/sssd-system-directories.patch		\
   %D%/packages/patches/steghide-fixes.patch			\
   %D%/packages/patches/suitesparse-mongoose-cmake.patch		\
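Review bot: The commit log has no entry for gnu/packages/patches/sssd-system-directories.patch, which appears here only as an unchanged context line although the diffstat lists that file as modified (44 lines changed). Add a ChangeLog-style line for it, for example "* gnu/packages/patches/sssd-system-directories.patch: Adjust for 2.7.0." with the wording adapted to what the change actually does, so that the message covers all seven files in the diffstat.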
diff --git a/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch b/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch
deleted file mode 100644
index 9d59ae91be..0000000000
--- a/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch
+++ /dev/null
@@ -1,71 +0,0 @@ 
-From fe9eeb51be06059721e873f77092b1e9ba08e6c1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
-Date: Thu, 27 Feb 2020 06:50:40 +0100
-Subject: [PATCH] nss: Collision with external nss symbol
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-One of our internal static function names started
-to collide with external nss symbol. Additional
-sss_ suffix was added to avoid the collision.
-
-This is needed to unblock Fedora Rawhide's
-SSSD build.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/responder/nss/nss_cmd.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
-index 356aea1564..02706c4b94 100644
---- a/src/responder/nss/nss_cmd.c
-+++ b/src/responder/nss/nss_cmd.c
-@@ -731,11 +731,13 @@ static void nss_getent_done(struct tevent_req *subreq)
-     talloc_free(cmd_ctx);
- }
- 
--static void nss_setnetgrent_done(struct tevent_req *subreq);
-+static void sss_nss_setnetgrent_done(struct tevent_req *subreq);
- 
--static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
--                               enum cache_req_type type,
--                               nss_protocol_fill_packet_fn fill_fn)
-+/* This function's name started to collide with external nss symbol,
-+ * so it has additional sss_* prefix unlike other functions here. */
-+static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx,
-+                                   enum cache_req_type type,
-+                                   nss_protocol_fill_packet_fn fill_fn)
- {
-     struct nss_ctx *nss_ctx;
-     struct nss_state_ctx *state_ctx;
-@@ -777,7 +779,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
-         goto done;
-     }
- 
--    tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx);
-+    tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx);
- 
-     ret = EOK;
- 
-@@ -790,7 +792,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
-     return EOK;
- }
- 
--static void nss_setnetgrent_done(struct tevent_req *subreq)
-+static void sss_nss_setnetgrent_done(struct tevent_req *subreq)
- {
-     struct nss_cmd_ctx *cmd_ctx;
-     errno_t ret;
-@@ -1040,8 +1042,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx)
- 
- static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx)
- {
--    return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
--                           nss_protocol_fill_setnetgrent);
-+    return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
-+                               nss_protocol_fill_setnetgrent);
- }
- 
- static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx)
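Review bot: The commit log justifies this deletion only with "Drop patches applied upstream", while the deleted header identifies the exact upstream commit (fe9eeb51be06, "nss: Collision with external nss symbol"). Naming that commit, or the first SSSD release that contains the rename of nss_setnetgrent to sss_nss_setnetgrent, in the log would let a reader verify the drop without diffing the 2.7.0 tarball. The risk is low either way, since the patch text describes the collision as a build blocker, so a missing rename would show up at compile time.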
diff --git a/gnu/packages/patches/sssd-fix-samba-4.15.3.patch b/gnu/packages/patches/sssd-fix-samba-4.15.3.patch
deleted file mode 100644
index 731daa0ed9..0000000000
--- a/gnu/packages/patches/sssd-fix-samba-4.15.3.patch
+++ /dev/null
@@ -1,523 +0,0 @@ 
-From 3ba88c317fd64b69b000adbdf881c88383f325d1 Mon Sep 17 00:00:00 2001
-From: Noel Power <noel.power@suse.com>
-Date: Tue, 24 Mar 2020 13:37:07 +0000
-Subject: [PATCH] Use ndr_pull_steal_switch_value for modern samba versions
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit bc56b10aea999284458dcc293b54cf65288e325d attempted to
-fix the build error resulting from removal of 'ndr_pull_get_switch'
-
-This change uses the new replacement method
-'ndr_pull_steal_switch_value' however depending on the samba version
-the ndr_pull_steal_switch_value abi is different.
-
-Note: ndr_pull_steal_switch_value is used since samba 4.10 for
-      the affected methods
-
-Note: the following methods have been refreshed from samba-4.12 generated
-      code;
-
-    o ndr_pull_security_ace_object_type
-    o ndr_pull_security_ace_object_inherited_type
-    o ndr_pull_security_ace_object_ctr
-
-Signed-off-by: Noel Power <noel.power@suse.com>
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc)
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/external/samba.m4         |  9 ++++++-
- src/providers/ad/ad_gpo_ndr.c | 45 ++++++++++++++++++++---------------
- 2 files changed, 34 insertions(+), 20 deletions(-)
-
-diff --git a/src/external/samba.m4 b/src/external/samba.m4
-index 089f602a60..8e06174ead 100644
---- a/src/external/samba.m4
-+++ b/src/external/samba.m4
-@@ -132,8 +132,15 @@ int main(void)
-         AC_DEFINE_UNQUOTED(SMB_IDMAP_DOMAIN_HAS_DOM_SID, 1,
-                            [Samba's struct idmap_domain has dom_sid member])
-         AC_MSG_NOTICE([Samba's struct idmap_domain has dom_sid member])
-+        if test $samba_minor_version -ge 12 ; then
-+            AC_DEFINE_UNQUOTED(SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH, 1,
-+                               [Samba's new push/pull switch functions])
-+            AC_MSG_NOTICE([Samba has support for new ndr_push_steal_switch_value and ndr_pull_steal_switch_value functions])
-+        else
-+            AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions])
-+        fi
-     else
-         AC_MSG_NOTICE([Samba's struct idmap_domain does not have dom_sid member])
-+        AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions])
-     fi
--
- fi
-
- SAVE_CFLAGS=$CFLAGS
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index 49c49d71b2..3d389e513d 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -105,9 +105,14 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
-                                   union security_ace_object_type *r)
- {
-     uint32_t level;
--    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
-+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
-+#else
-+        level = ndr_pull_steal_switch_value(ndr, r);
-+#endif
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-         switch (level) {
-         case SEC_ACE_OBJECT_TYPE_PRESENT: {
-@@ -117,14 +122,6 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
-             break; }
-         }
-     }
--    if (ndr_flags & NDR_BUFFERS) {
--        switch (level) {
--        case SEC_ACE_OBJECT_TYPE_PRESENT:
--            break;
--        default:
--            break;
--        }
--    }
-     return NDR_ERR_SUCCESS;
- }
-
-@@ -135,9 +132,14 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
-                                             union security_ace_object_inherited_type *r)
- {
-     uint32_t level;
--    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
-+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
-+#else
-+        level = ndr_pull_steal_switch_value(ndr, r);
-+#endif
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-         switch (level) {
-         case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: {
-@@ -149,14 +151,6 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
-             break; }
-         }
-     }
--    if (ndr_flags & NDR_BUFFERS) {
--        switch (level) {
--        case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT:
--            break;
--        default:
--            break;
--        }
--    }
-     return NDR_ERR_SUCCESS;
- }
-
-@@ -198,9 +192,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
-                                  union security_ace_object_ctr *r)
- {
-     uint32_t level;
--    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
-+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
-+#else
-+        level = ndr_pull_steal_switch_value(ndr, r);
-+#endif
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-         switch (level) {
-         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: {
-@@ -224,6 +223,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
-         }
-     }
-     if (ndr_flags & NDR_BUFFERS) {
-+        if (!(ndr_flags & NDR_SCALARS)) {
-+            /* We didn't get it above, and the token is not needed after this. */
-+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-+            NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
-+#else
-+            level = ndr_pull_steal_switch_value(ndr, r);
-+#endif
-+        }
-         switch (level) {
-         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
-             NDR_CHECK(ndr_pull_security_ace_object
-From 5285a1896ee19bb8f1ff752380547bc6d7a43334 Mon Sep 17 00:00:00 2001
-From: Noel Power <noel.power@suse.com>
-Date: Tue, 24 Mar 2020 18:14:34 +0000
-Subject: [PATCH] ad_gpo_ndr.c: refresh ndr_ methods from samba-4.12
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Noel Power <noel.power@suse.com>
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit c031adde4f532f39845a0efd78693600f1f8b2f4)
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/providers/ad/ad_gpo_ndr.c | 201 ++++++++++++++++++----------------
- 1 file changed, 106 insertions(+), 95 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index 3d389e513d..a64b1a0f84 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -177,8 +177,16 @@ ndr_pull_security_ace_object(struct ndr_pull *ndr,
-         NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
-     }
-     if (ndr_flags & NDR_BUFFERS) {
-+        NDR_CHECK(ndr_pull_set_switch_value
-+                  (ndr,
-+                   &r->type,
-+                   r->flags & SEC_ACE_OBJECT_TYPE_PRESENT));
-         NDR_CHECK(ndr_pull_security_ace_object_type
-                   (ndr, NDR_BUFFERS, &r->type));
-+        NDR_CHECK(ndr_pull_set_switch_value
-+                  (ndr,
-+                   &r->inherited_type,
-+                   r->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT));
-         NDR_CHECK(ndr_pull_security_ace_object_inherited_type
-                   (ndr, NDR_BUFFERS, &r->inherited_type));
-     }
-@@ -342,7 +350,7 @@ ndr_pull_security_acl(struct ndr_pull *ndr,
-                   (ndr, NDR_SCALARS, &r->revision));
-         NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
-         NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_aces));
--        if (r->num_aces > 1000) {
-+        if (r->num_aces > 2000) {
-             return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
-         }
-         size_aces_0 = r->num_aces;
-@@ -408,107 +416,110 @@ ad_gpo_ndr_pull_security_descriptor(struct ndr_pull *ndr,
-     TALLOC_CTX *_mem_save_sacl_0;
-     uint32_t _ptr_dacl;
-     TALLOC_CTX *_mem_save_dacl_0;
--    uint32_t _flags_save_STRUCT = ndr->flags;
--    uint32_t _relative_save_offset;
--
--    ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN);
--    NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
--    if (ndr_flags & NDR_SCALARS) {
--        NDR_CHECK(ndr_pull_align(ndr, 5));
--        NDR_CHECK(ndr_pull_security_descriptor_revision(ndr,
-+    {
-+        uint32_t _flags_save_STRUCT = ndr->flags;
-+        ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN);
-+        NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-+        if (ndr_flags & NDR_SCALARS) {
-+            NDR_CHECK(ndr_pull_align(ndr, 5));
-+            NDR_CHECK(ndr_pull_security_descriptor_revision(ndr,
-+                                                            NDR_SCALARS,
-+                                                            &r->revision));
-+            NDR_CHECK(ndr_pull_security_descriptor_type(ndr,
-                                                         NDR_SCALARS,
--                                                        &r->revision));
--        NDR_CHECK(ndr_pull_security_descriptor_type(ndr,
--                                                    NDR_SCALARS,
--                                                    &r->type));
--        NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid));
--        if (_ptr_owner_sid) {
--            NDR_PULL_ALLOC(ndr, r->owner_sid);
--            NDR_CHECK(ndr_pull_relative_ptr1(ndr,
--                                             r->owner_sid,
--                                             _ptr_owner_sid));
--        } else {
--            r->owner_sid = NULL;
--        }
--        NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid));
--        if (_ptr_group_sid) {
--            NDR_PULL_ALLOC(ndr, r->group_sid);
--            NDR_CHECK(ndr_pull_relative_ptr1(ndr,
--                                             r->group_sid,
--                                             _ptr_group_sid));
--        } else {
--            r->group_sid = NULL;
--        }
--        NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl));
--        if (_ptr_sacl) {
--            NDR_PULL_ALLOC(ndr, r->sacl);
--            NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, _ptr_sacl));
--        } else {
--            r->sacl = NULL;
--        }
--        NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl));
--        if (_ptr_dacl) {
--            NDR_PULL_ALLOC(ndr, r->dacl);
--            NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl));
--        } else {
--            r->dacl = NULL;
--        }
--        NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
--    }
--    if (ndr_flags & NDR_BUFFERS) {
--        if (r->owner_sid) {
--            _relative_save_offset = ndr->offset;
--            NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid));
--            _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
--            NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0);
--            NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid));
--            NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0);
--            if (ndr->offset > ndr->relative_highest_offset) {
--                ndr->relative_highest_offset = ndr->offset;
-+                                                        &r->type));
-+            NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid));
-+            if (_ptr_owner_sid) {
-+                NDR_PULL_ALLOC(ndr, r->owner_sid);
-+                NDR_CHECK(ndr_pull_relative_ptr1(ndr,
-+                                                 r->owner_sid,
-+                                                 _ptr_owner_sid));
-+            } else {
-+                r->owner_sid = NULL;
-             }
--            ndr->offset = _relative_save_offset;
--        }
--        if (r->group_sid) {
--            _relative_save_offset = ndr->offset;
--            NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid));
--            _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
--            NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0);
--            NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid));
--            NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0);
--            if (ndr->offset > ndr->relative_highest_offset) {
--                ndr->relative_highest_offset = ndr->offset;
-+            NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid));
-+            if (_ptr_group_sid) {
-+                NDR_PULL_ALLOC(ndr, r->group_sid);
-+                NDR_CHECK(ndr_pull_relative_ptr1(ndr,
-+                                                 r->group_sid,
-+                                                 _ptr_group_sid));
-+            } else {
-+                r->group_sid = NULL;
-             }
--            ndr->offset = _relative_save_offset;
--        }
--        if (r->sacl) {
--            _relative_save_offset = ndr->offset;
--            NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->sacl));
--            _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
--            NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0);
--            NDR_CHECK(ndr_pull_security_acl(ndr,
--                                            NDR_SCALARS|NDR_BUFFERS,
--                                            r->sacl));
--            NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0);
--            if (ndr->offset > ndr->relative_highest_offset) {
--                ndr->relative_highest_offset = ndr->offset;
-+            NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl));
-+            if (_ptr_sacl) {
-+                NDR_PULL_ALLOC(ndr, r->sacl);
-+                NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, _ptr_sacl));
-+            } else {
-+                r->sacl = NULL;
-             }
--            ndr->offset = _relative_save_offset;
-+            NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl));
-+            if (_ptr_dacl) {
-+                NDR_PULL_ALLOC(ndr, r->dacl);
-+                NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl));
-+            } else {
-+                r->dacl = NULL;
-+            }
-+            NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
-         }
--        if (r->dacl) {
--            _relative_save_offset = ndr->offset;
--            NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl));
--            _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
--            NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0);
--            NDR_CHECK(ndr_pull_security_acl(ndr,
--                                            NDR_SCALARS|NDR_BUFFERS,
--                                            r->dacl));
--            NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0);
--            if (ndr->offset > ndr->relative_highest_offset) {
--                ndr->relative_highest_offset = ndr->offset;
-+        if (ndr_flags & NDR_BUFFERS) {
-+            if (r->owner_sid) {
-+                uint32_t _relative_save_offset;
-+                _relative_save_offset = ndr->offset;
-+                NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid));
-+                _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
-+                NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0);
-+                NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid));
-+                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0);
-+                if (ndr->offset > ndr->relative_highest_offset) {
-+                    ndr->relative_highest_offset = ndr->offset;
-+                }
-+                ndr->offset = _relative_save_offset;
-+            }
-+            if (r->group_sid) {
-+                uint32_t _relative_save_offset;
-+                _relative_save_offset = ndr->offset;
-+                NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid));
-+                _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
-+                NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0);
-+                NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid));
-+                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0);
-+                if (ndr->offset > ndr->relative_highest_offset) {
-+                    ndr->relative_highest_offset = ndr->offset;
-+                }
-+                ndr->offset = _relative_save_offset;
-+            }
-+            if (r->sacl) {
-+                uint32_t _relative_save_offset;
-+                _relative_save_offset = ndr->offset;
-+                NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->sacl));
-+                _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
-+                NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0);
-+                NDR_CHECK(ndr_pull_security_acl(ndr,
-+                                                NDR_SCALARS|NDR_BUFFERS,
-+                                                r->sacl));
-+                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0);
-+                if (ndr->offset > ndr->relative_highest_offset) {
-+                    ndr->relative_highest_offset = ndr->offset;
-+                }
-+                ndr->offset = _relative_save_offset;
-+            }
-+            if (r->dacl) {
-+                uint32_t _relative_save_offset;
-+                _relative_save_offset = ndr->offset;
-+                NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl));
-+                _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
-+                NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0);
-+                NDR_CHECK(ndr_pull_security_acl(ndr,
-+                                                NDR_SCALARS|NDR_BUFFERS,
-+                                                r->dacl));
-+                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0);
-+                if (ndr->offset > ndr->relative_highest_offset) {
-+                    ndr->relative_highest_offset = ndr->offset;
-+                }
-+                ndr->offset = _relative_save_offset;
-             }
--            ndr->offset = _relative_save_offset;
-         }
--
-         ndr->flags = _flags_save_STRUCT;
-     }
-     return NDR_ERR_SUCCESS;
-From d5809f6f41ec0dc3fd38f9e4ae917a38bf7dfa43 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 28 May 2020 15:02:43 +0200
-Subject: [PATCH] ad_gpo_ndr.c: more ndr updates
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch add another update to the ndr code which was previously
-updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and
-1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc.
-
-As missing update in ndr_pull_security_ace() cased
-a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was
-added to prevent similar issues in future.
-
-Resolves: https://github.com/SSSD/sssd/issues/5183
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit a7c755672cd277497da3df4714f6d9457b6ac5ae)
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/providers/ad/ad_gpo_ndr.c  |  1 +
- src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++
- 2 files changed, 58 insertions(+)
-
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index a64b1a0f84..9f040dfb03 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr,
-         ndr->offset += pad;
-     }
-     if (ndr_flags & NDR_BUFFERS) {
-+        NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
-         NDR_CHECK(ndr_pull_security_ace_object_ctr
-                   (ndr, NDR_BUFFERS, &r->object));
-     }
-diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c
-index 0589adcc3d..97dbe01794 100644
---- a/src/tests/cmocka/test_ad_gpo.c
-+++ b/src/tests/cmocka/test_ad_gpo.c
-@@ -329,6 +329,60 @@ void test_ad_gpo_ace_includes_client_sid_false(void **state)
-                                         ace_dom_sid, false);
- }
-
-+uint8_t test_sid_data[] = {
-+0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
-+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
-+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
-+0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
-+0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8,
-+0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55,
-+0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00,
-+0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60,
-+0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
-+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
-+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
-+0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
-+0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00,
-+0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00,
-+0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11,
-+0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
-+0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00
-+};
-+
-+void test_ad_gpo_parse_sd(void **state)
-+{
-+    int ret;
-+    struct security_descriptor *sd = NULL;
-+
-+    ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd);
-+    assert_int_equal(ret, EINVAL);
-+
-+    ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd);
-+    assert_int_equal(ret, EOK);
-+    assert_non_null(sd);
-+    assert_int_equal(sd->revision, 1);
-+    assert_int_equal(sd->type, 39940);
-+    assert_null(sd->owner_sid);
-+    assert_null(sd->group_sid);
-+    assert_null(sd->sacl);
-+    assert_non_null(sd->dacl);
-+    assert_int_equal(sd->dacl->revision, 4);
-+    assert_int_equal(sd->dacl->size, 308);
-+    assert_int_equal(sd->dacl->num_aces, 10);
-+    assert_int_equal(sd->dacl->aces[0].type, 0);
-+    assert_int_equal(sd->dacl->aces[0].flags, 0);
-+    assert_int_equal(sd->dacl->aces[0].size, 36);
-+    assert_int_equal(sd->dacl->aces[0].access_mask, 917693);
-+    /* There are more components and ACEs in the security_descriptor struct
-+     * which are not checked here. */
-+
-+    talloc_free(sd);
-+}
-+
- int main(int argc, const char *argv[])
- {
-     poptContext pc;
-@@ -364,6 +418,9 @@ int main(int argc, const char *argv[])
-         cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false,
-                                         ad_gpo_test_setup,
-                                         ad_gpo_test_teardown),
-+        cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd,
-+                                        ad_gpo_test_setup,
-+                                        ad_gpo_test_teardown),
-     };
-
-     /* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/gnu/packages/patches/sssd-fix-samba.patch b/gnu/packages/patches/sssd-fix-samba.patch
deleted file mode 100644
index 714968337a..0000000000
--- a/gnu/packages/patches/sssd-fix-samba.patch
+++ /dev/null
@@ -1,50 +0,0 @@ 
-From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Fri, 24 Jan 2020 15:17:39 +0100
-Subject: [PATCH] Fix build failure against samba 4.12.0rc1
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The ndr_pull_get_switch() function was dropped, but it was just a wrapper
-around the ndr_token_peek() function, so we can use this approach on both
-old and new versions of libndr.
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/providers/ad/ad_gpo_ndr.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index d573033494..8f405aa62b 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
-                                   union security_ace_object_type *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
-                                             union security_ace_object_inherited_type *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
-                                  union security_ace_object_ctr *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
diff --git a/gnu/packages/patches/sssd-optional-systemd.patch b/gnu/packages/patches/sssd-optional-systemd.patch
new file mode 100644
index 0000000000..0784fdc7aa
--- /dev/null
+++ b/gnu/packages/patches/sssd-optional-systemd.patch
@@ -0,0 +1,45 @@ 
+Allow running sss_analyze without Python modules for systemd.
+Upstream PR: https://github.com/SSSD/sssd/pull/6125
+
+diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
+index b96a23c05..28ac2f194 100644
+--- a/src/tools/analyzer/modules/request.py
++++ b/src/tools/analyzer/modules/request.py
+@@ -1,8 +1,6 @@
+ import re
+ import logging
+ 
+-from sssd.source_files import Files
+-from sssd.source_journald import Journald
+ from sssd.parser import SubparsersAction
+ from sssd.parser import Option
+ 
+@@ -77,8 +75,10 @@ class RequestAnalyzer:
+             Instantiated source object
+         """
+         if args.source == "journald":
++            from sssd.source_journald import Journald
+             source = Journald()
+         else:
++            from sssd.source_files import Files
+             source = Files(args.logdir)
+         return source
+ 
+@@ -143,7 +143,7 @@ class RequestAnalyzer:
+             self.consumed_logs.append(line.rstrip(line[-1]))
+         else:
+             # files source includes newline
+-            if isinstance(source, Files):
++            if type(source).__name__ == 'Files':
+                 print(line, end='')
+             else:
+                 print(line)
+@@ -225,7 +225,7 @@ class RequestAnalyzer:
+         source.set_component(component, False)
+         self.done = ""
+         for line in self.matched_line(source, patterns):
+-            if isinstance(source, Journald):
++            if type(source).__name__ == 'Journald':
+                 print(line)
+             else:
+                 self.print_formatted(line, args.verbose)
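Review bot: In the last two hunks of the embedded patch, `isinstance(source, Files)` and `isinstance(source, Journald)` become string comparisons on `type(source).__name__`, which no longer match subclasses and would match any unrelated class that happens to carry the same name. Since the source is already chosen from `args.source == "journald"` in the hunk above, the same condition (or an attribute on the source object saying whether its lines end in a newline) could be tested instead of the class name. The header links the upstream PR; it would help to add that the patch can be dropped once a release contains it.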
diff --git a/gnu/packages/patches/sssd-system-directories.patch b/gnu/packages/patches/sssd-system-directories.patch
index f2ab0182e1..ce0dcf5d4d 100644
--- a/gnu/packages/patches/sssd-system-directories.patch
+++ b/gnu/packages/patches/sssd-system-directories.patch
@@ -1,29 +1,29 @@ 
 Do not attempt to create $localstatedir and $sysconfdir (i.e., /var and /etc)
 upon "make install".
 
-diff --git a/Makefile.in b/Makefile.in
-index c32cb7d..77a5c00 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -7991,7 +7991,7 @@ sssdconfdir = $(sysconfdir)/sssd
- sssddatadir = $(datadir)/sssd
+diff --git a/Makefile.am b/Makefile.am
+index 0de53a2c8..51ad57bf1 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -58,7 +58,7 @@ sssddatadir = $(datadir)/sssd
  sssdapiplugindir = $(sssddatadir)/sssd.api.d
  sssdtapscriptdir = $(sssddatadir)/systemtap
+ krb5snippetsdir = $(sssddatadir)/krb5-snippets
 -dbuspolicydir = $(sysconfdir)/dbus-1/system.d
 +dbuspolicydir = $(prefix)/etc/dbus-1/system.d
  dbusservicedir = $(datadir)/dbus-1/system-services
  sss_statedir = $(localstatedir)/lib/sss
- pamlibdir = @pammoddir@
-@@ -8000,7 +8000,7 @@ nfslibdir = @nfsidmaplibdir@
- keytabdir = $(sss_statedir)/keytabs
- pkgconfigdir = $(libdir)/pkgconfig
+ runstatedir = @runstatedir@
+@@ -85,7 +85,7 @@ pkgconfigdir = $(libdir)/pkgconfig
+ krb5rcachedir = @krb5rcachedir@
  sudolibdir = @sudolibpath@
+ polkitdir = @polkitdir@
 -pamconfdir = $(sysconfdir)/pam.d
 +pamconfdir = $(prefix)/etc/pam.d
  systemtap_tapdir = @tapset_dir@
  sssdkcmdatadir = $(datadir)/sssd-kcm
  deskprofilepath = $(sss_statedir)/deskprofile
-@@ -43733,7 +43733,6 @@ installsssddirs::
+@@ -5195,7 +5195,6 @@ installsssddirs::
      $(DESTDIR)$(bindir) \
      $(DESTDIR)$(sbindir) \
      $(DESTDIR)$(mandir) \
@@ -31,15 +31,18 @@  index c32cb7d..77a5c00 100644
      $(DESTDIR)$(pluginpath) \
      $(DESTDIR)$(libdir)/ldb \
      $(DESTDIR)$(dbuspolicydir) \
-@@ -43743,22 +43742,9 @@ installsssddirs::
+@@ -5205,24 +5204,12 @@ installsssddirs::
      $(DESTDIR)$(sssddatadir) \
      $(DESTDIR)$(sudolibdir) \
      $(DESTDIR)$(autofslibdir) \
 -    $(DESTDIR)$(pipepath)/private \
+     $(DESTDIR)$(krb5snippetsdir) \
 -    $(SSSD_USER_DIRS) \
      $(NULL);
- @SSSD_USER_TRUE@	-chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
- @SSSD_USER_TRUE@	-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
+ if SSSD_USER
+ 	-chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+ 	-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
+ endif
 -	$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
 -	    $(DESTDIR)$(keytabdir) \
 -	    $(NULL)
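Review bot: The two `chown` lines under `if SSSD_USER` stay as context while this hunk removes both `$(DESTDIR)$(pipepath)/private` and `$(SSSD_USER_DIRS)` from the list of directories that `installsssddirs` creates, so when the conditional is enabled they run against paths that "make install" no longer makes. The leading `-` hides the failure, but the rule is then dead code; consider dropping the `chown` lines in the same patch, or state in the patch header that ownership of these directories is set elsewhere.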
@@ -50,7 +53,14 @@  index c32cb7d..77a5c00 100644
 -	$(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) \
 -                          $(DESTDIR)$(sssdconfdir)/conf.d \
 -                          $(DESTDIR)$(sssdconfdir)/pki
--@BUILD_SECRETS_TRUE@	$(MKDIR_P) $(DESTDIR)$(secdbpath)
  
- @HAVE_DOXYGEN_TRUE@docs:
- @HAVE_DOXYGEN_TRUE@	$(DOXYGEN) src/doxy.config
+ if HAVE_DOXYGEN
+ docs:
+@@ -5338,7 +5325,6 @@ if BUILD_SAMBA
+ endif
+ if BUILD_KCM
+ 	$(MKDIR_P) $(DESTDIR)/$(sssdkcmdatadir)
+-	$(MKDIR_P) $(DESTDIR)$(secdbpath)
+ endif
+ 
+ uninstall-hook:
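Review bot: The rule removed at the top of this hunk created `$(sssdconfdir)`, `conf.d` and `pki` with mode 0711, and the new part also drops the `$(MKDIR_P) $(DESTDIR)$(secdbpath)` line under `if BUILD_KCM`, yet the patch header only says that /var and /etc are not created. Please list in the header the directories and modes that must now be created outside "make install" (the system service, for instance), so the permissions are not lost when someone sets them up by hand.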
diff --git a/gnu/packages/sssd.scm b/gnu/packages/sssd.scm
index 5457991952..2b4322d6d8 100644
--- a/gnu/packages/sssd.scm
+++ b/gnu/packages/sssd.scm
@@ -24,22 +24,28 @@  (define-module (gnu packages sssd)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix gexp)
   #:use-module (guix git-download)
   #:use-module (guix utils)
+  #:use-module (guix build utils)
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages)
   #:use-module (gnu packages)
   #:use-module (gnu packages adns)
   #:use-module (gnu packages augeas)
   #:use-module (gnu packages autotools)
+  #:use-module (gnu packages bash)
   #:use-module (gnu packages check)
+  #:use-module (gnu packages crypto)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages cyrus-sasl)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages dns)
   #:use-module (gnu packages docbook)
   #:use-module (gnu packages documentation)
+  #:use-module (gnu packages gettext)
   #:use-module (gnu packages glib)
+  #:use-module (gnu packages jose)
   #:use-module (gnu packages kerberos)
   #:use-module (gnu packages libunistring)
   #:use-module (gnu packages linux)
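Review bot: The added `#:use-module (guix build utils)` looks unnecessary in the package module. The build-side procedures used later (`substitute*`, `wrap-program`, `with-directory-excursion`) sit inside the gexp, where gnu-build-system already provides that module, and `version-major+minor` comes from `(guix utils)`. Importing the build-side module on the host side can shadow or clash with other bindings, so I would drop it unless something fails without it. In the same list, `(gnu packages augeas)` is kept although the patch removes `augeas` from the inputs, and `(gnu packages)` appears twice.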
@@ -49,8 +55,11 @@  (define-module (gnu packages sssd)
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages popt)
   #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages python)
   #:use-module (gnu packages samba)
+  #:use-module (gnu packages security-token)
   #:use-module (gnu packages selinux)
+  #:use-module (gnu packages ssh)
   #:use-module (gnu packages web)
   #:use-module (gnu packages xml))
 
@@ -136,93 +145,128 @@  (define-public ding-libs
 fundamental object types for C.")
     (license license:lgpl3+)))
 
-;; Note: This package installs modules for ldb and nss.  For the former we
-;; need to set LDB_MODULES_PATH.  For the latter LD_PRELOAD or LD_LIBRARY_PATH
-;; is needed.
 (define-public sssd
   (package
     (name "sssd")
-    (version "1.16.5")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://releases.pagure.org/SSSD/sssd/"
-                                  "sssd-" version ".tar.gz"))
-              (sha256
-               (base32
-                "1h6hwibaf3xa2w6qpzjiiywmfj6zkgbz4r2isf3gd0xm6vq7n6if"))
-              (patches (search-patches "sssd-fix-samba.patch"
-                                       "sssd-system-directories.patch"
-                                       "sssd-collision-with-external-nss-symbol.patch"
-                                       "sssd-fix-samba-4.15.3.patch"))))
+    (version "2.7.0")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/SSSD/sssd")
+             (commit version)))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32 "05pw5lg410vc2yc3k4hqfsbyr9k4k18qb61gbh9xz7fcjpcysqv8"))
+       (patches (search-patches "sssd-optional-systemd.patch"
+                                "sssd-system-directories.patch"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags
-       (list (string-append "DOCBOOK_XSLT="
-                            (assoc-ref %build-inputs "docbook-xsl")
-                            "/xml/xsl/docbook-xsl-"
-                            ,(package-version docbook-xsl)
-                            "/manpages/docbook.xsl")
-             ;; Remove "--postvalid" option, because that requires access to
-             ;; online DTDs.
-             "XMLLINT_FLAGS = --catalogs --nonet --noent --xinclude --noout")
-       #:configure-flags
-       (list "--localstatedir=/var" ;for /var/lib/sss, /var/run/sssd.pid, etc.
-             "--sysconfdir=/etc"    ;/etc/sssd
+     (list
+      #:make-flags
+      #~(list (string-append "CFLAGS=-DRENEWAL_PROG_PATH=\\\""
+                             #$(this-package-input "adcli") "/sbin/adcli"
+                             "\\\"")
+              (string-append "DOCBOOK_XSLT="
+                             #$(this-package-native-input "docbook-xsl")
+                             "/xml/xsl/docbook-xsl-"
+                             #$(package-version (this-package-native-input "docbook-xsl"))
+                             "/manpages/docbook.xsl")
+              ;; Remove "--postvalid" option, because that requires access to
+              ;; online DTDs.
+              "XMLLINT_FLAGS = --catalogs --nonet --noent --xinclude --noout")
+      #:configure-flags
+      #~(list "--localstatedir=/var" ; for /var/lib/sss, /var/run/sssd.pid, etc.
+              "--sysconfdir=/etc"    ; /etc/sssd
 
-             "--disable-cifs-idmap-plugin"
-             "--without-nfsv4-idmapd-plugin"
-             "--without-python2-bindings"
-             "--without-python3-bindings"
-             (string-append "--with-plugin-path="
-                            (assoc-ref %outputs "out")
-                            "/lib/sssd")
-             (string-append "--with-krb5-plugin-path="
-                            (assoc-ref %outputs "out")
-                            "/lib/krb5/plugins/libkrb5")
-             (string-append "--with-cifs-plugin-path="
-                            (assoc-ref %outputs "out")
-                            "/lib/cifs-utils")
-             (string-append "--with-init-dir="
-                            (assoc-ref %outputs "out")
-                            "/etc/init.d")
-             (string-append "--with-ldb-lib-dir="
-                            (assoc-ref %outputs "out")
-                            "/lib/ldb/modules/ldb")
-             (string-append "--with-xml-catalog-path="
-                            (assoc-ref %build-inputs "docbook-xml")
-                            "/xml/dtd/docbook/catalog.xml"))
-       #:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'disable-failing-test
-           (lambda _
-             (substitute* "src/tests/responder_socket_access-tests.c"
-               (("tcase_add_test\\(tc_utils, resp_str_to_array_test\\);") ""))
-             #t))
-         (add-after 'unpack 'add-config-in
-           (lambda _
-             (let ((config.h (open-file "config.h.in" "a")))
-               (display (string-append "
-/* Missing in commits on original repo, dunno why but won't work without. */
-#undef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-")
-                        config.h)
-               (close config.h))))
-         (add-before 'configure 'autoconf
-           (lambda _
-             (invoke "autoconf"))))))
+              "--disable-cifs-idmap-plugin"
+              "--without-nfsv4-idmapd-plugin"
+              (string-append "--with-plugin-path="
+                             #$output "/lib/sssd")
+              (string-append "--with-krb5-plugin-path="
+                             #$output "/lib/krb5/plugins/libkrb5")
+              (string-append "--with-cifs-plugin-path="
+                             #$output "/lib/cifs-utils")
+              (string-append "--with-init-dir="
+                             #$output "/etc/init.d")
+              (string-append "--with-ldb-lib-dir="
+                             #$output "/lib/ldb/modules/ldb")
+              (string-append "--with-xml-catalog-path="
+                             #$(this-package-native-input "docbook-xml")
+                             "/xml/dtd/docbook/catalog.xml"))
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'patch-source-shebangs 'patch-more-shebangs
+            (lambda _
+              (substitute* '("src/tools/analyzer/sss_analyze"
+                             "src/tools/sss_obfuscate")
+                (("#!/usr/bin/.*python")
+                 (string-append "#!" #$(this-package-input "python") "/bin/python3")))))
+          (add-before 'bootstrap 'fix-configure-macros
+            (lambda _
+              ;; A configure test for nsupdate realm support fails without this.
+              (substitute* "src/external/nsupdate.m4"
+                (("\\$NSUPDATE ") "$NSUPDATE -i "))
+              ;; Let tests find softhsm lib.
+              (substitute* "src/external/test_ca.m4"
+                (("/usr/lib/softhsm")
+                 (string-append #$(this-package-native-input "softhsm")
+                                "/lib/softhsm")))))
+          (add-before 'configure 'disable-failing-tests
+            (lambda _
+              ;; Disable tests that needs /etc/passwd.
+              (substitute* "Makefile.am"
+                (("pam-srv-tests") "")
+                (("test-negcache") ""))
+              ;; This test fails for unknown reason.
+              (substitute* "src/tests/responder_socket_access-tests.c"
+                (("tcase_add_test\\(tc_utils, resp_str_to_array_test\\);") ""))))
+          (add-before 'check 'set-libpython-path
+            (lambda _
+              (setenv "LD_LIBRARY_PATH"
+                      (string-append #$(this-package-input "python") "/lib"))))
+          (add-after 'install 'remove-static-libs
+            (lambda _
+              ;; Remove a static library that produces a (harmless) warning
+              ;; when starting a program that uses sssd’s LDB modules.
+              (delete-file
+               (string-append #$output "/lib/ldb/modules/ldb/memberof.la"))))
+          (add-after 'install 'wrap-binaries
+            (lambda _
+              (with-directory-excursion #$output
+                ;; Set path to LDB modules for sssd and utilities.
+                (for-each (lambda (bin)
+                            (wrap-program (string-append "sbin/" bin)
+                              `("LDB_MODULES_PATH" ":" prefix
+                                (,(string-append #$output "/lib/ldb/modules/ldb")))))
+                          '("sssd" "sssctl" "sss_cache" "sss_override" "sss_seed"))
+                ;; Set path to sssd’s site-packages for scripts.
+                (for-each (lambda (script)
+                            (wrap-program script
+                              `("GUIX_PYTHONPATH" ":" prefix
+                                (,(string-append #$output "/lib/python"
+                                                 #$(version-major+minor
+                                                    (package-version
+                                                     (this-package-input "python")))
+                                                 "/site-packages")))))
+                          '("libexec/sssd/sss_analyze" "sbin/sss_obfuscate"))))))))
     (inputs
-     (list augeas
-           `(,isc-bind "utils")
+     (list adcli
+           bash-minimal
            c-ares
-           curl
+           curl ; for OpenID Connect support
            cyrus-sasl
            dbus
            ding-libs
            glib
            gnutls
            http-parser
+           `(,isc-bind "utils")
            jansson
+           jose ; for OpenID Connect support
+           keyutils
            ldb
+           libnl
            libselinux
            libsemanage
            libunistring
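Review bot: Setting `CFLAGS=-DRENEWAL_PROG_PATH=...` in `#:make-flags` replaces the CFLAGS chosen by configure, because a variable given on the make command line overrides the Makefile's own assignment; the daemon is then compiled without the optimisation and debug flags configure would have picked (normally `-g -O2`). Either include those flags in the string, or set the adcli path another way, for example with a `substitute*` on the source that defines the default. Two smaller points in the phases: the comment in `remove-static-libs` calls `memberof.la` a static library although a `.la` file is a libtool archive, so the phase name and comment could say that; and "This test fails for unknown reason" would be more useful with the observed error, so the skip can be revisited later.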
@@ -231,21 +275,32 @@  (define-public sssd
            nss
            openldap
            openssl
-           pcre
+           p11-kit ; for PKCS#11 support
+           pcre2
            popt
+           python
            samba
            talloc
            tdb
            tevent))
     (native-inputs
-     (list autoconf-2.69
-           check-0.14
-           docbook-xsl
+     (list autoconf
+           automake
+           check ; for tests
+           cmocka ; for tests
            docbook-xml
+           docbook-xsl
+           doxygen
+           gettext-minimal
+           libfaketime ; for tests
+           libtool
            libxml2 ; for xmllint
            libxslt
+           openssh ; for tests
            pkg-config
-           `(,util-linux "lib"))) ;for uuid.h, reqired for KCM
+           po4a
+           softhsm ; for tests
+           `(,util-linux "lib"))) ; for uuid.h, reqired for KCM
     (home-page "https://pagure.io/SSSD/sssd/")
     (synopsis "System security services daemon")
     (description "SSSD is a system daemon.  Its primary function is to provide
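Review bot: `home-page` still points at https://pagure.io/SSSD/sssd/ while the source in this patch is now fetched from https://github.com/SSSD/sssd; please check whether the home page should follow. The new `util-linux` line also carries over the typo "reqired" in its comment ("required"), which is worth fixing since the line is being rewritten anyway.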