Subject: [bug#55598] [PATCH] gnu: sssd: Update to 2.7.0.
From: Timotej Lazar
Date: Mon, 23 May 2022 20:54:18 +0200

Add support for renewing AD membership with adcli. Wrap binaries with LDB_MODULES_PATH. Fix the sss_analyze utility to run without systemd libraries. Add native inputs to generate man pages and run additional tests during build.

* gnu/packages/sssd.scm (sssd): Update to 2.7.0.
[patches]: Drop patches applied upstream. Add a patch for sss_analyze.
[inputs]: Add adcli, bash-minimal, jose, keyutils, libnl, pcre2, python. Drop augeas, pcre.
[native-inputs]: Add cmocka, doxygen, gettext-minimal, libfaketime, libtool, openssh, po4a, softhsm.
[arguments]: Rewrite in gexp style. Fix configure checks. Remove static library from install. Wrap binaries to set correct paths.
* gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch,
gnu/packages/patches/sssd-fix-samba-4.15.3.patch,
gnu/packages/patches/sssd-fix-samba.patch: Delete files.
* gnu/packages/patches/sssd-optional-systemd.patch: New file.
* gnu/local.mk (dist_patch_DATA): Update accordingly.
---
Hi, this updates sssd to the latest version.
I adapted the package to the new style, added inputs for additional features and tests, and wrapped the binaries with the required environment variables. The package builds at least for x86-64, i686 and aarch64.

I have been using the updated package (actually the 2.6.0 version for the most part) for several months to enable AD logins from multiple domains.

Upstream seems to maintain both the 2.x and 1.16.x series; if anyone needs the older version, I can submit a revision to keep both packages.

Man pages are still not formatted correctly, which seems to be an issue with docbook reported at https://issues.guix.gnu.org/52909.

Finally, I know that mixing updates with other changes is bad form, but untangling them now would be less than trivial and more than likely to introduce bugs in the intermediate commits. :)

Thanks!

 gnu/local.mk | 4 +-
 ...d-collision-with-external-nss-symbol.patch | 71 ---
 .../patches/sssd-fix-samba-4.15.3.patch | 523 ------------------
 gnu/packages/patches/sssd-fix-samba.patch | 50 --
 .../patches/sssd-optional-systemd.patch | 45 ++
 .../patches/sssd-system-directories.patch | 44 +-
 gnu/packages/sssd.scm | 207 ++++---
 7 files changed, 204 insertions(+), 740 deletions(-)
 delete mode 100644 gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch
 delete mode 100644 gnu/packages/patches/sssd-fix-samba-4.15.3.patch
 delete mode 100644 gnu/packages/patches/sssd-fix-samba.patch
 create mode 100644 gnu/packages/patches/sssd-optional-systemd.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 6274f43566..e458b3e922 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -1610,8 +1610,6 @@ dist_patch_DATA = \ %D%/packages/patches/sdl-pango-sans-serif.patch \ %D%/packages/patches/smalltalk-multiplication-overflow.patch \ %D%/packages/patches/sqlite-hurd.patch \ - %D%/packages/patches/sssd-collision-with-external-nss-symbol.patch \ - %D%/packages/patches/sssd-fix-samba-4.15.3.patch \ %D%/packages/patches/strace-readlink-tests.patch \ %D%/packages/patches/sunxi-tools-remove-sys-io.patch \ %D%/packages/patches/p11-kit-hurd.patch \ @@ -1825,7 +1823,7 @@ dist_patch_DATA = \ %D%/packages/patches/snappy-add-inline-for-GCC.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/spice-vdagent-glib-2.68.patch \ - %D%/packages/patches/sssd-fix-samba.patch \ + %D%/packages/patches/sssd-optional-systemd.patch \ %D%/packages/patches/sssd-system-directories.patch \ %D%/packages/patches/steghide-fixes.patch \ %D%/packages/patches/suitesparse-mongoose-cmake.patch \ diff --git a/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch b/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch deleted file mode 100644 index 9d59ae91be..0000000000 --- a/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From fe9eeb51be06059721e873f77092b1e9ba08e6c1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Thu, 27 Feb 2020 06:50:40 +0100 -Subject: [PATCH] nss: Collision with external nss symbol -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -One of our internal static function names started -to collide with external nss symbol. Additional -sss_ suffix was added to avoid the collision. - -This is needed to unblock Fedora Rawhide's -SSSD build. - -Reviewed-by: Pavel Březina ---- - src/responder/nss/nss_cmd.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c -index 356aea1564..02706c4b94 100644 ---- a/src/responder/nss/nss_cmd.c -+++ b/src/responder/nss/nss_cmd.c -@@ -731,11 +731,13 @@ static void nss_getent_done(struct tevent_req *subreq) - talloc_free(cmd_ctx); - } - --static void nss_setnetgrent_done(struct tevent_req *subreq); -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq); - --static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, -- enum cache_req_type type, -- nss_protocol_fill_packet_fn fill_fn) -+/* This function's name started to collide with external nss symbol, -+ * so it has additional sss_* prefix unlike other functions here. 
*/ -+static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, -+ enum cache_req_type type, -+ nss_protocol_fill_packet_fn fill_fn) - { - struct nss_ctx *nss_ctx; - struct nss_state_ctx *state_ctx; -@@ -777,7 +779,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, - goto done; - } - -- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); -+ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx); - - ret = EOK; - -@@ -790,7 +792,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, - return EOK; - } - --static void nss_setnetgrent_done(struct tevent_req *subreq) -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq) - { - struct nss_cmd_ctx *cmd_ctx; - errno_t ret; -@@ -1040,8 +1042,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) - - static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) - { -- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -- nss_protocol_fill_setnetgrent); -+ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -+ nss_protocol_fill_setnetgrent); - } - - static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) diff --git a/gnu/packages/patches/sssd-fix-samba-4.15.3.patch b/gnu/packages/patches/sssd-fix-samba-4.15.3.patch deleted file mode 100644 index 731daa0ed9..0000000000 --- a/gnu/packages/patches/sssd-fix-samba-4.15.3.patch +++ /dev/null 
@@ -1,523 +0,0 @@ -From 3ba88c317fd64b69b000adbdf881c88383f325d1 Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Tue, 24 Mar 2020 13:37:07 +0000 -Subject: [PATCH] Use ndr_pull_steal_switch_value for modern samba versions -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit bc56b10aea999284458dcc293b54cf65288e325d attempted to -fix the build error resulting from removal of 'ndr_pull_get_switch' - -This change uses the new replacement method -'ndr_pull_steal_switch_value' however depending on the samba version -the ndr_pull_steal_switch_value abi is different. - -Note: ndr_pull_steal_switch_value is used since samba 4.10 for - the affected methods - -Note: the following methods have been refreshed from samba-4.12 generated - code; - - o ndr_pull_security_ace_object_type - o ndr_pull_security_ace_object_inherited_type - o ndr_pull_security_ace_object_ctr - -Signed-off-by: Noel Power - -Reviewed-by: Pavel Březina -(cherry picked from commit 1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc) - -Reviewed-by: Pavel Březina ---- - src/external/samba.m4 | 9 ++++++- - src/providers/ad/ad_gpo_ndr.c | 45 ++++++++++++++++++++--------------- - 2 files changed, 34 insertions(+), 20 deletions(-) - -diff --git a/src/external/samba.m4 b/src/external/samba.m4 -index 089f602a60..8e06174ead 100644 ---- a/src/external/samba.m4 -+++ b/src/external/samba.m4 -@@ -132,8 +132,15 @@ int main(void) - AC_DEFINE_UNQUOTED(SMB_IDMAP_DOMAIN_HAS_DOM_SID, 1, - [Samba's struct idmap_domain has dom_sid member]) - AC_MSG_NOTICE([Samba's struct idmap_domain has dom_sid member]) -+ if test $samba_minor_version -ge 12 ; then -+ AC_DEFINE_UNQUOTED(SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH, 1, -+ [Samba's new push/pull switch functions]) -+ AC_MSG_NOTICE([Samba has support for new ndr_push_steal_switch_value and ndr_pull_steal_switch_value functions]) -+ else -+ AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions]) -+ fi - 
else - AC_MSG_NOTICE([Samba's struct idmap_domain does not have dom_sid member]) -+ AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions]) - fi -- - fi - - SAVE_CFLAGS=$CFLAGS -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index 49c49d71b2..3d389e513d 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -105,9 +105,14 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, - union security_ace_object_type *r) - { - uint32_t level; -- level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { -+ /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */ -+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -+ NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level)); -+#else -+ level = ndr_pull_steal_switch_value(ndr, r); -+#endif - NDR_CHECK(ndr_pull_union_align(ndr, 4)); - switch (level) { - case SEC_ACE_OBJECT_TYPE_PRESENT: { -@@ -117,14 +122,6 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, - break; } - } - } -- if (ndr_flags & NDR_BUFFERS) { -- switch (level) { -- case SEC_ACE_OBJECT_TYPE_PRESENT: -- break; -- default: -- break; -- } -- } - return NDR_ERR_SUCCESS; - } - -@@ -135,9 +132,14 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, - union security_ace_object_inherited_type *r) - { - uint32_t level; -- level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { -+ /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */ -+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -+ NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level)); -+#else -+ level = ndr_pull_steal_switch_value(ndr, r); -+#endif - NDR_CHECK(ndr_pull_union_align(ndr, 4)); - switch (level) { - case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: { -@@ -149,14 +151,6 @@ 
ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, - break; } - } - } -- if (ndr_flags & NDR_BUFFERS) { -- switch (level) { -- case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: -- break; -- default: -- break; -- } -- } - return NDR_ERR_SUCCESS; - } - -@@ -198,9 +192,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, - union security_ace_object_ctr *r) - { - uint32_t level; -- level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { -+ /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */ -+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -+ NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level)); -+#else -+ level = ndr_pull_steal_switch_value(ndr, r); -+#endif - NDR_CHECK(ndr_pull_union_align(ndr, 4)); - switch (level) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: { -@@ -224,6 +223,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, - } - } - if (ndr_flags & NDR_BUFFERS) { -+ if (!(ndr_flags & NDR_SCALARS)) { -+ /* We didn't get it above, and the token is not needed after this. 
*/ -+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -+ NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level)); -+#else -+ level = ndr_pull_steal_switch_value(ndr, r); -+#endif -+ } - switch (level) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - NDR_CHECK(ndr_pull_security_ace_object -From 5285a1896ee19bb8f1ff752380547bc6d7a43334 Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Tue, 24 Mar 2020 18:14:34 +0000 -Subject: [PATCH] ad_gpo_ndr.c: refresh ndr_ methods from samba-4.12 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Noel Power - -Reviewed-by: Pavel Březina -(cherry picked from commit c031adde4f532f39845a0efd78693600f1f8b2f4) - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo_ndr.c | 201 ++++++++++++++++++---------------- - 1 file changed, 106 insertions(+), 95 deletions(-) - -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index 3d389e513d..a64b1a0f84 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -177,8 +177,16 @@ ndr_pull_security_ace_object(struct ndr_pull *ndr, - NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); - } - if (ndr_flags & NDR_BUFFERS) { -+ NDR_CHECK(ndr_pull_set_switch_value -+ (ndr, -+ &r->type, -+ r->flags & SEC_ACE_OBJECT_TYPE_PRESENT)); - NDR_CHECK(ndr_pull_security_ace_object_type - (ndr, NDR_BUFFERS, &r->type)); -+ NDR_CHECK(ndr_pull_set_switch_value -+ (ndr, -+ &r->inherited_type, -+ r->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)); - NDR_CHECK(ndr_pull_security_ace_object_inherited_type - (ndr, NDR_BUFFERS, &r->inherited_type)); - } -@@ -342,7 +350,7 @@ ndr_pull_security_acl(struct ndr_pull *ndr, - (ndr, NDR_SCALARS, &r->revision)); - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_aces)); -- if (r->num_aces > 1000) { -+ if (r->num_aces > 2000) { - return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); - } - size_aces_0 = r->num_aces; 
-@@ -408,107 +416,110 @@ ad_gpo_ndr_pull_security_descriptor(struct ndr_pull *ndr, - TALLOC_CTX *_mem_save_sacl_0; - uint32_t _ptr_dacl; - TALLOC_CTX *_mem_save_dacl_0; -- uint32_t _flags_save_STRUCT = ndr->flags; -- uint32_t _relative_save_offset; -- -- ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN); -- NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); -- if (ndr_flags & NDR_SCALARS) { -- NDR_CHECK(ndr_pull_align(ndr, 5)); -- NDR_CHECK(ndr_pull_security_descriptor_revision(ndr, -+ { -+ uint32_t _flags_save_STRUCT = ndr->flags; -+ ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN); -+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); -+ if (ndr_flags & NDR_SCALARS) { -+ NDR_CHECK(ndr_pull_align(ndr, 5)); -+ NDR_CHECK(ndr_pull_security_descriptor_revision(ndr, -+ NDR_SCALARS, -+ &r->revision)); -+ NDR_CHECK(ndr_pull_security_descriptor_type(ndr, - NDR_SCALARS, -- &r->revision)); -- NDR_CHECK(ndr_pull_security_descriptor_type(ndr, -- NDR_SCALARS, -- &r->type)); -- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid)); -- if (_ptr_owner_sid) { -- NDR_PULL_ALLOC(ndr, r->owner_sid); -- NDR_CHECK(ndr_pull_relative_ptr1(ndr, -- r->owner_sid, -- _ptr_owner_sid)); -- } else { -- r->owner_sid = NULL; -- } -- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid)); -- if (_ptr_group_sid) { -- NDR_PULL_ALLOC(ndr, r->group_sid); -- NDR_CHECK(ndr_pull_relative_ptr1(ndr, -- r->group_sid, -- _ptr_group_sid)); -- } else { -- r->group_sid = NULL; -- } -- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl)); -- if (_ptr_sacl) { -- NDR_PULL_ALLOC(ndr, r->sacl); -- NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, _ptr_sacl)); -- } else { -- r->sacl = NULL; -- } -- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl)); -- if (_ptr_dacl) { -- NDR_PULL_ALLOC(ndr, r->dacl); -- NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl)); -- } else { -- r->dacl = NULL; -- } -- NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); -- } -- if (ndr_flags & NDR_BUFFERS) { -- if (r->owner_sid) { -- _relative_save_offset = ndr->offset; 
-- NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid)); -- _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); -- NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0); -- NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid)); -- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0); -- if (ndr->offset > ndr->relative_highest_offset) { -- ndr->relative_highest_offset = ndr->offset; -+ &r->type)); -+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid)); -+ if (_ptr_owner_sid) { -+ NDR_PULL_ALLOC(ndr, r->owner_sid); -+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, -+ r->owner_sid, -+ _ptr_owner_sid)); -+ } else { -+ r->owner_sid = NULL; - } -- ndr->offset = _relative_save_offset; -- } -- if (r->group_sid) { -- _relative_save_offset = ndr->offset; -- NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid)); -- _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); -- NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0); -- NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid)); -- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0); -- if (ndr->offset > ndr->relative_highest_offset) { -- ndr->relative_highest_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid)); -+ if (_ptr_group_sid) { -+ NDR_PULL_ALLOC(ndr, r->group_sid); -+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, -+ r->group_sid, -+ _ptr_group_sid)); -+ } else { -+ r->group_sid = NULL; - } -- ndr->offset = _relative_save_offset; -- } -- if (r->sacl) { -- _relative_save_offset = ndr->offset; -- NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->sacl)); -- _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr); -- NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0); -- NDR_CHECK(ndr_pull_security_acl(ndr, -- NDR_SCALARS|NDR_BUFFERS, -- r->sacl)); -- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0); -- if (ndr->offset > ndr->relative_highest_offset) { -- ndr->relative_highest_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl)); -+ if (_ptr_sacl) { -+ NDR_PULL_ALLOC(ndr, r->sacl); -+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, 
_ptr_sacl)); -+ } else { -+ r->sacl = NULL; - } -- ndr->offset = _relative_save_offset; -+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl)); -+ if (_ptr_dacl) { -+ NDR_PULL_ALLOC(ndr, r->dacl); -+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl)); -+ } else { -+ r->dacl = NULL; -+ } -+ NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); - } -- if (r->dacl) { -- _relative_save_offset = ndr->offset; -- NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl)); -- _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr); -- NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0); -- NDR_CHECK(ndr_pull_security_acl(ndr, -- NDR_SCALARS|NDR_BUFFERS, -- r->dacl)); -- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0); -- if (ndr->offset > ndr->relative_highest_offset) { -- ndr->relative_highest_offset = ndr->offset; -+ if (ndr_flags & NDR_BUFFERS) { -+ if (r->owner_sid) { -+ uint32_t _relative_save_offset; -+ _relative_save_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid)); -+ _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); -+ NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0); -+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid)); -+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0); -+ if (ndr->offset > ndr->relative_highest_offset) { -+ ndr->relative_highest_offset = ndr->offset; -+ } -+ ndr->offset = _relative_save_offset; -+ } -+ if (r->group_sid) { -+ uint32_t _relative_save_offset; -+ _relative_save_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid)); -+ _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); -+ NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0); -+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid)); -+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0); -+ if (ndr->offset > ndr->relative_highest_offset) { -+ ndr->relative_highest_offset = ndr->offset; -+ } -+ ndr->offset = _relative_save_offset; -+ } -+ if (r->sacl) { -+ uint32_t _relative_save_offset; -+ _relative_save_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, 
r->sacl)); -+ _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr); -+ NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0); -+ NDR_CHECK(ndr_pull_security_acl(ndr, -+ NDR_SCALARS|NDR_BUFFERS, -+ r->sacl)); -+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0); -+ if (ndr->offset > ndr->relative_highest_offset) { -+ ndr->relative_highest_offset = ndr->offset; -+ } -+ ndr->offset = _relative_save_offset; -+ } -+ if (r->dacl) { -+ uint32_t _relative_save_offset; -+ _relative_save_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl)); -+ _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr); -+ NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0); -+ NDR_CHECK(ndr_pull_security_acl(ndr, -+ NDR_SCALARS|NDR_BUFFERS, -+ r->dacl)); -+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0); -+ if (ndr->offset > ndr->relative_highest_offset) { -+ ndr->relative_highest_offset = ndr->offset; -+ } -+ ndr->offset = _relative_save_offset; - } -- ndr->offset = _relative_save_offset; - } -- - ndr->flags = _flags_save_STRUCT; - } - return NDR_ERR_SUCCESS; -From d5809f6f41ec0dc3fd38f9e4ae917a38bf7dfa43 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 28 May 2020 15:02:43 +0200 -Subject: [PATCH] ad_gpo_ndr.c: more ndr updates -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch add another update to the ndr code which was previously -updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and -1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc. - -As missing update in ndr_pull_security_ace() cased -a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was -added to prevent similar issues in future. 
- -Resolves: https://github.com/SSSD/sssd/issues/5183 - -Reviewed-by: Pavel Březina -(cherry picked from commit a7c755672cd277497da3df4714f6d9457b6ac5ae) - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo_ndr.c | 1 + - src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++ - 2 files changed, 58 insertions(+) - -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index a64b1a0f84..9f040dfb03 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr, - ndr->offset += pad; - } - if (ndr_flags & NDR_BUFFERS) { -+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type)); - NDR_CHECK(ndr_pull_security_ace_object_ctr - (ndr, NDR_BUFFERS, &r->object)); - } -diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c -index 0589adcc3d..97dbe01794 100644 ---- a/src/tests/cmocka/test_ad_gpo.c -+++ b/src/tests/cmocka/test_ad_gpo.c -@@ -329,6 +329,60 @@ void test_ad_gpo_ace_includes_client_sid_false(void **state) - ace_dom_sid, false); - } - -+uint8_t test_sid_data[] = { -+0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, -+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, -+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00, -+0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, -+0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, -+0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, -+0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, -+0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 
0x00, 0x0f, 0x00, -+0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, -+0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, -+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, -+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00, -+0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, -+0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, -+0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, -+0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00, -+0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11, -+0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, -+0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00, -+0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00 -+}; -+ -+void test_ad_gpo_parse_sd(void **state) -+{ -+ int ret; -+ struct security_descriptor *sd = NULL; -+ -+ ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd); -+ assert_int_equal(ret, EINVAL); -+ -+ ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd); -+ assert_int_equal(ret, EOK); -+ assert_non_null(sd); -+ assert_int_equal(sd->revision, 1); -+ assert_int_equal(sd->type, 39940); -+ assert_null(sd->owner_sid); -+ assert_null(sd->group_sid); -+ assert_null(sd->sacl); -+ assert_non_null(sd->dacl); -+ assert_int_equal(sd->dacl->revision, 4); -+ assert_int_equal(sd->dacl->size, 308); -+ assert_int_equal(sd->dacl->num_aces, 10); -+ assert_int_equal(sd->dacl->aces[0].type, 0); -+ assert_int_equal(sd->dacl->aces[0].flags, 0); -+ assert_int_equal(sd->dacl->aces[0].size, 36); -+ assert_int_equal(sd->dacl->aces[0].access_mask, 
917693); -+ /* There are more components and ACEs in the security_descriptor struct -+ * which are not checked here. */ -+ -+ talloc_free(sd); -+} -+ - int main(int argc, const char *argv[]) - { - poptContext pc; -@@ -364,6 +418,9 @@ int main(int argc, const char *argv[]) - cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false, - ad_gpo_test_setup, - ad_gpo_test_teardown), -+ cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd, -+ ad_gpo_test_setup, -+ ad_gpo_test_teardown), - }; - - /* Set debug level to invalid value so we can decide if -d 0 was used. */ diff --git a/gnu/packages/patches/sssd-fix-samba.patch b/gnu/packages/patches/sssd-fix-samba.patch deleted file mode 100644 index 714968337a..0000000000 --- a/gnu/packages/patches/sssd-fix-samba.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 24 Jan 2020 15:17:39 +0100 -Subject: [PATCH] Fix build failure against samba 4.12.0rc1 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The ndr_pull_get_switch() function was dropped, but it was just a wrapper -around the ndr_token_peek() function, so we can use this approach on both -old and new versions of libndr. - -Signed-off-by: Stephen Gallagher - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo_ndr.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index d573033494..8f405aa62b 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, - union security_ace_object_type *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); -@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, - union security_ace_object_inherited_type *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); -@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, - union security_ace_object_ctr *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); 
diff --git a/gnu/packages/patches/sssd-optional-systemd.patch b/gnu/packages/patches/sssd-optional-systemd.patch new file mode 100644 index 0000000000..0784fdc7aa --- /dev/null +++ b/gnu/packages/patches/sssd-optional-systemd.patch @@ -0,0 +1,45 @@ +Allow running sss_analyze without Python modules for systemd. +Upstream PR: https://github.com/SSSD/sssd/pull/6125 + +diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py +index b96a23c05..28ac2f194 100644 +--- a/src/tools/analyzer/modules/request.py ++++ b/src/tools/analyzer/modules/request.py +@@ -1,8 +1,6 @@ + import re + import logging + +-from sssd.source_files import Files +-from sssd.source_journald import Journald + from sssd.parser import SubparsersAction + from sssd.parser import Option + +@@ -77,8 +75,10 @@ class RequestAnalyzer: + Instantiated source object + """ + if args.source == "journald": ++ from sssd.source_journald import Journald + source = Journald() + else: ++ from sssd.source_files import Files + source = Files(args.logdir) + return source + +@@ -143,7 +143,7 @@ class RequestAnalyzer: + self.consumed_logs.append(line.rstrip(line[-1])) + else: + # files source includes newline +- if isinstance(source, Files): ++ if type(source).__name__ == 'Files': + print(line, end='') + else: + print(line) +@@ -225,7 +225,7 @@ class RequestAnalyzer: + source.set_component(component, False) + self.done = "" + for line in self.matched_line(source, patterns): +- if isinstance(source, Journald): ++ if type(source).__name__ == 'Journald': + print(line) + else: + self.print_formatted(line, args.verbose) diff --git a/gnu/packages/patches/sssd-system-directories.patch b/gnu/packages/patches/sssd-system-directories.patch index f2ab0182e1..ce0dcf5d4d 100644 --- a/gnu/packages/patches/sssd-system-directories.patch +++ b/gnu/packages/patches/sssd-system-directories.patch 
@@ -1,29 +1,29 @@ Do not attempt to create $localstatedir and $sysconfdir (i.e., /var and /etc) upon "make install". -diff --git a/Makefile.in b/Makefile.in -index c32cb7d..77a5c00 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -7991,7 +7991,7 @@ sssdconfdir = $(sysconfdir)/sssd - sssddatadir = $(datadir)/sssd +diff --git a/Makefile.am b/Makefile.am +index 0de53a2c8..51ad57bf1 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -58,7 +58,7 @@ sssddatadir = $(datadir)/sssd sssdapiplugindir = $(sssddatadir)/sssd.api.d sssdtapscriptdir = $(sssddatadir)/systemtap + krb5snippetsdir = $(sssddatadir)/krb5-snippets -dbuspolicydir = $(sysconfdir)/dbus-1/system.d +dbuspolicydir = $(prefix)/etc/dbus-1/system.d dbusservicedir = $(datadir)/dbus-1/system-services sss_statedir = $(localstatedir)/lib/sss - pamlibdir = @pammoddir@ -@@ -8000,7 +8000,7 @@ nfslibdir = @nfsidmaplibdir@ - keytabdir = $(sss_statedir)/keytabs - pkgconfigdir = $(libdir)/pkgconfig + runstatedir = @runstatedir@ +@@ -85,7 +85,7 @@ pkgconfigdir = $(libdir)/pkgconfig + krb5rcachedir = @krb5rcachedir@ sudolibdir = @sudolibpath@ + polkitdir = @polkitdir@ -pamconfdir = $(sysconfdir)/pam.d +pamconfdir = $(prefix)/etc/pam.d systemtap_tapdir = @tapset_dir@ sssdkcmdatadir = $(datadir)/sssd-kcm deskprofilepath = $(sss_statedir)/deskprofile -@@ -43733,7 +43733,6 @@ installsssddirs:: +@@ -5195,7 +5195,6 @@ installsssddirs:: $(DESTDIR)$(bindir) \ $(DESTDIR)$(sbindir) \ $(DESTDIR)$(mandir) \ 
@@ -31,15 +31,18 @@ index c32cb7d..77a5c00 100644 $(DESTDIR)$(pluginpath) \ $(DESTDIR)$(libdir)/ldb \ $(DESTDIR)$(dbuspolicydir) \ -@@ -43743,22 +43742,9 @@ installsssddirs:: +@@ -5205,24 +5204,12 @@ installsssddirs:: $(DESTDIR)$(sssddatadir) \ $(DESTDIR)$(sudolibdir) \ $(DESTDIR)$(autofslibdir) \ - $(DESTDIR)$(pipepath)/private \ + $(DESTDIR)$(krb5snippetsdir) \ - $(SSSD_USER_DIRS) \ $(NULL); - @SSSD_USER_TRUE@ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS) - @SSSD_USER_TRUE@ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private + if SSSD_USER + -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS) + -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private + endif - $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \ - $(DESTDIR)$(keytabdir) \ - $(NULL) @@ -50,7 +53,14 @@ index c32cb7d..77a5c00 100644 - $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) \ - $(DESTDIR)$(sssdconfdir)/conf.d \ - $(DESTDIR)$(sssdconfdir)/pki --@BUILD_SECRETS_TRUE@ $(MKDIR_P) $(DESTDIR)$(secdbpath) - @HAVE_DOXYGEN_TRUE@docs: - @HAVE_DOXYGEN_TRUE@ $(DOXYGEN) src/doxy.config + if HAVE_DOXYGEN + docs: +@@ -5338,7 +5325,6 @@ if BUILD_SAMBA + endif + if BUILD_KCM + $(MKDIR_P) $(DESTDIR)/$(sssdkcmdatadir) +- $(MKDIR_P) $(DESTDIR)$(secdbpath) + endif + + uninstall-hook: diff --git a/gnu/packages/sssd.scm b/gnu/packages/sssd.scm index 5457991952..2b4322d6d8 100644 --- a/gnu/packages/sssd.scm +++ b/gnu/packages/sssd.scm 
@@ -24,22 +24,28 @@ (define-module (gnu packages sssd) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix gexp) #:use-module (guix git-download) #:use-module (guix utils) + #:use-module (guix build utils) #:use-module (guix build-system gnu) #:use-module (gnu packages) #:use-module (gnu packages) #:use-module (gnu packages adns) #:use-module (gnu packages augeas) #:use-module (gnu packages autotools) + #:use-module (gnu packages bash) #:use-module (gnu packages check) + #:use-module (gnu packages crypto) #:use-module (gnu packages curl) #:use-module (gnu packages cyrus-sasl) #:use-module (gnu packages databases) #:use-module (gnu packages dns) #:use-module (gnu packages docbook) #:use-module (gnu packages documentation) + #:use-module (gnu packages gettext) #:use-module (gnu packages glib) + #:use-module (gnu packages jose) #:use-module (gnu packages kerberos) #:use-module (gnu packages libunistring) #:use-module (gnu packages linux) @@ -49,8 +55,11 @@ (define-module (gnu packages sssd) #:use-module (gnu packages pcre) #:use-module (gnu packages popt) #:use-module (gnu packages pkg-config) + #:use-module (gnu packages python) #:use-module (gnu packages samba) + #:use-module (gnu packages security-token) #:use-module (gnu packages selinux) + #:use-module (gnu packages ssh) #:use-module (gnu packages web) #:use-module (gnu packages xml)) 
@@ -136,93 +145,128 @@ (define-public ding-libs fundamental object types for C.") (license license:lgpl3+))) -;; Note: This package installs modules for ldb and nss. For the former we -;; need to set LDB_MODULES_PATH. For the latter LD_PRELOAD or LD_LIBRARY_PATH -;; is needed. (define-public sssd (package (name "sssd") - (version "1.16.5") - (source (origin - (method url-fetch) - (uri (string-append "https://releases.pagure.org/SSSD/sssd/" - "sssd-" version ".tar.gz")) - (sha256 - (base32 - "1h6hwibaf3xa2w6qpzjiiywmfj6zkgbz4r2isf3gd0xm6vq7n6if")) - (patches (search-patches "sssd-fix-samba.patch" - "sssd-system-directories.patch" - "sssd-collision-with-external-nss-symbol.patch" - "sssd-fix-samba-4.15.3.patch")))) + (version "2.7.0") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/SSSD/sssd") + (commit version))) + (file-name (git-file-name name version)) + (sha256 + (base32 "05pw5lg410vc2yc3k4hqfsbyr9k4k18qb61gbh9xz7fcjpcysqv8")) + (patches (search-patches "sssd-optional-systemd.patch" + "sssd-system-directories.patch")))) (build-system gnu-build-system) (arguments - `(#:make-flags - (list (string-append "DOCBOOK_XSLT=" - (assoc-ref %build-inputs "docbook-xsl") - "/xml/xsl/docbook-xsl-" - ,(package-version docbook-xsl) - "/manpages/docbook.xsl") - ;; Remove "--postvalid" option, because that requires access to - ;; online DTDs. - "XMLLINT_FLAGS = --catalogs --nonet --noent --xinclude --noout") - #:configure-flags - (list "--localstatedir=/var" ;for /var/lib/sss, /var/run/sssd.pid, etc. 
- "--sysconfdir=/etc" ;/etc/sssd + (list + #:make-flags + #~(list (string-append "CFLAGS=-DRENEWAL_PROG_PATH=\\\"" + #$(this-package-input "adcli") "/sbin/adcli" + "\\\"") + (string-append "DOCBOOK_XSLT=" + #$(this-package-native-input "docbook-xsl") + "/xml/xsl/docbook-xsl-" + #$(package-version (this-package-native-input "docbook-xsl")) + "/manpages/docbook.xsl") + ;; Remove "--postvalid" option, because that requires access to + ;; online DTDs. + "XMLLINT_FLAGS = --catalogs --nonet --noent --xinclude --noout") + #:configure-flags + #~(list "--localstatedir=/var" ; for /var/lib/sss, /var/run/sssd.pid, etc. + "--sysconfdir=/etc" ; /etc/sssd - "--disable-cifs-idmap-plugin" - "--without-nfsv4-idmapd-plugin" - "--without-python2-bindings" - "--without-python3-bindings" - (string-append "--with-plugin-path=" - (assoc-ref %outputs "out") - "/lib/sssd") - (string-append "--with-krb5-plugin-path=" - (assoc-ref %outputs "out") - "/lib/krb5/plugins/libkrb5") - (string-append "--with-cifs-plugin-path=" - (assoc-ref %outputs "out") - "/lib/cifs-utils") - (string-append "--with-init-dir=" - (assoc-ref %outputs "out") - "/etc/init.d") - (string-append "--with-ldb-lib-dir=" - (assoc-ref %outputs "out") - "/lib/ldb/modules/ldb") - (string-append "--with-xml-catalog-path=" - (assoc-ref %build-inputs "docbook-xml") - "/xml/dtd/docbook/catalog.xml")) - #:phases - (modify-phases %standard-phases - (add-after 'unpack 'disable-failing-test - (lambda _ - (substitute* "src/tests/responder_socket_access-tests.c" - (("tcase_add_test\\(tc_utils, resp_str_to_array_test\\);") "")) - #t)) - (add-after 'unpack 'add-config-in - (lambda _ - (let ((config.h (open-file "config.h.in" "a"))) - (display (string-append " -/* Missing in commits on original repo, dunno why but won't work without. 
*/ -#undef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -") - config.h) - (close config.h)))) - (add-before 'configure 'autoconf - (lambda _ - (invoke "autoconf")))))) + "--disable-cifs-idmap-plugin" + "--without-nfsv4-idmapd-plugin" + (string-append "--with-plugin-path=" + #$output "/lib/sssd") + (string-append "--with-krb5-plugin-path=" + #$output "/lib/krb5/plugins/libkrb5") + (string-append "--with-cifs-plugin-path=" + #$output "/lib/cifs-utils") + (string-append "--with-init-dir=" + #$output "/etc/init.d") + (string-append "--with-ldb-lib-dir=" + #$output "/lib/ldb/modules/ldb") + (string-append "--with-xml-catalog-path=" + #$(this-package-native-input "docbook-xml") + "/xml/dtd/docbook/catalog.xml")) + #:phases + #~(modify-phases %standard-phases + (add-after 'patch-source-shebangs 'patch-more-shebangs + (lambda _ + (substitute* '("src/tools/analyzer/sss_analyze" + "src/tools/sss_obfuscate") + (("#!/usr/bin/.*python") + (string-append "#!" #$(this-package-input "python") "/bin/python3"))))) + (add-before 'bootstrap 'fix-configure-macros + (lambda _ + ;; A configure test for nsupdate realm support fails without this. + (substitute* "src/external/nsupdate.m4" + (("\\$NSUPDATE ") "$NSUPDATE -i ")) + ;; Let tests find softhsm lib. + (substitute* "src/external/test_ca.m4" + (("/usr/lib/softhsm") + (string-append #$(this-package-native-input "softhsm") + "/lib/softhsm"))))) + (add-before 'configure 'disable-failing-tests + (lambda _ + ;; Disable tests that needs /etc/passwd. + (substitute* "Makefile.am" + (("pam-srv-tests") "") + (("test-negcache") "")) + ;; This test fails for unknown reason. 
+ (substitute* "src/tests/responder_socket_access-tests.c" + (("tcase_add_test\\(tc_utils, resp_str_to_array_test\\);") "")))) + (add-before 'check 'set-libpython-path + (lambda _ + (setenv "LD_LIBRARY_PATH" + (string-append #$(this-package-input "python") "/lib")))) + (add-after 'install 'remove-static-libs + (lambda _ + ;; Remove a static library that produces a (harmless) warning + ;; when starting a program that uses sssd’s LDB modules. + (delete-file + (string-append #$output "/lib/ldb/modules/ldb/memberof.la")))) + (add-after 'install 'wrap-binaries + (lambda _ + (with-directory-excursion #$output + ;; Set path to LDB modules for sssd and utilities. + (for-each (lambda (bin) + (wrap-program (string-append "sbin/" bin) + `("LDB_MODULES_PATH" ":" prefix + (,(string-append #$output "/lib/ldb/modules/ldb"))))) + '("sssd" "sssctl" "sss_cache" "sss_override" "sss_seed")) + ;; Set path to sssd’s site-packages for scripts. + (for-each (lambda (script) + (wrap-program script + `("GUIX_PYTHONPATH" ":" prefix + (,(string-append #$output "/lib/python" + #$(version-major+minor + (package-version + (this-package-input "python"))) + "/site-packages"))))) + '("libexec/sssd/sss_analyze" "sbin/sss_obfuscate")))))))) (inputs - (list augeas - `(,isc-bind "utils") + (list adcli + bash-minimal c-ares - curl + curl ; for OpenID Connect support cyrus-sasl dbus ding-libs glib gnutls http-parser + `(,isc-bind "utils") jansson + jose ; for OpenID Connect support + keyutils ldb + libnl libselinux libsemanage libunistring 
@@ -231,21 +275,32 @@ (define-public sssd nss openldap openssl - pcre + p11-kit ; for PKCS#11 support + pcre2 popt + python samba talloc tdb tevent)) (native-inputs - (list autoconf-2.69 - check-0.14 - docbook-xsl + (list autoconf + automake + check ; for tests + cmocka ; for tests docbook-xml + docbook-xsl + doxygen + gettext-minimal + libfaketime ; for tests + libtool libxml2 ; for xmllint libxslt + openssh ; for tests pkg-config - `(,util-linux "lib"))) ;for uuid.h, reqired for KCM + po4a + softhsm ; for tests + `(,util-linux "lib"))) ; for uuid.h, reqired for KCM (home-page "https://pagure.io/SSSD/sssd/") (synopsis "System security services daemon") (description "SSSD is a system daemon. Its primary function is to provide
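
Review bot: In sssd-optional-systemd.patch, the two request.py hunks at lines 143 and 225 replace isinstance(source, Files) and isinstance(source, Journald) with a comparison of type(source).__name__ against a string, which is a weaker check: a subclass of either source class no longer matches, and any unrelated class that happens to be named Files or Journald does. The deferred imports in the hunk at line 77 already branch on args.source == "journald", so the choice could be recorded once where the source is instantiated (for example as an attribute on the analyzer) and tested in both places, keeping the imports optional without relying on class names.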
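
Review bot: The added #:use-module (guix build utils) in the define-module hunk of gnu/packages/sssd.scm looks unnecessary. Every use of substitute*, wrap-program, with-directory-excursion and delete-file in this patch sits inside a #~ gexp, which runs on the build side where gnu-build-system already imports that module; on the host side the visible code only needs version-major+minor from (guix utils). Suggest dropping the import unless host-side code outside these hunks depends on it.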
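
Review bot: In the #:make-flags of the sssd arguments hunk, passing CFLAGS=-DRENEWAL_PROG_PATH=... on the make command line replaces the whole CFLAGS value, because a command-line variable overrides the assignment that configure wrote into the Makefile. The optimisation and debug flags configure selected are therefore dropped for a daemon that handles authentication. Suggest either keeping them explicitly in the same string (for example appending -O2 -g) or setting the adcli path some other way, such as substituting the default in the source from a phase, and adding a comment that says why the define is needed.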
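
Review bot: In the native-inputs hunk, the util-linux line is rewritten only to adjust the comment spacing, so the typo "reqired" in that comment should be fixed to "required" in the same change. Also, the unchanged home-page line below it still points at https://pagure.io/SSSD/sssd/ while this patch moves the source to https://github.com/SSSD/sssd; worth checking whether home-page should follow.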