From 0d6aa528cf91701cfc368dc3013d9bba84d2d831 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 27 Mar 2025 21:23:26 +0800
Subject: [PATCH] sssd: upgrade 2.9.2 -> 2.10.2

ChangeLog: https://github.com/SSSD/sssd/releases/tag/2.10.2

* Drop backport patches.
* Update sssd.conf and volatile files.
* Drop PACKAGECONFIG[infopipe] as it has been removed upstream.

Signed-off-by: Yi Zhao
Signed-off-by: Armin Kuster
---
 .../0001-sssctl-add-error-analyzer.patch | 318 ------------------
 .../sssd/files/CVE-2023-3758.patch | 219 ------------
 .../recipes-security/sssd/files/sssd.conf | 3 +-
 .../sssd/files/volatiles.99_sssd | 1 -
 .../sssd/{sssd_2.9.2.bb => sssd_2.10.2.bb} | 36 +-
 5 files changed, 18 insertions(+), 559 deletions(-)
 delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
 delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch
 delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
 rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.10.2.bb} (84%)

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
deleted file mode 100644
index 6880405..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
+++ /dev/null
@@ -1,318 +0,0 @@ -Backport patch to fix interpreter of sss_analyze. - -Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c] - -Signed-off-by: Kai Kang - -From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001 -From: roy214 -Date: Tue, 25 Apr 2023 20:01:24 +0530 -Subject: [PATCH] sssctl: add error analyzer -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Also removing unused variable and import. - -Reviewed-by: Justin Stephenson -Reviewed-by: Tomáš Halman ---- - src/tools/analyzer/Makefile.am | 2 + - src/tools/analyzer/modules/error.py | 61 +++++++++++++++++++++++++++ - src/tools/analyzer/modules/request.py | 54 +++++------------------- - src/tools/analyzer/sss_analyze | 2 +- - src/tools/analyzer/sss_analyze.py | 3 ++ - src/tools/analyzer/util.py | 44 +++++++++++++++++++ - 6 files changed, 121 insertions(+), 45 deletions(-) - create mode 100644 src/tools/analyzer/modules/error.py - create mode 100644 src/tools/analyzer/util.py - -diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am -index b40043d043..7692af8528 100644 ---- a/src/tools/analyzer/Makefile.am -+++ b/src/tools/analyzer/Makefile.am -@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \ - source_reader.py \ - parser.py \ - sss_analyze.py \ -+ util.py \ - $(NULL) - - modulesdir = $(pkgpythondir)/modules - dist_modules_DATA = \ - modules/__init__.py \ - modules/request.py \ -+ modules/error.py \ - $(NULL) -diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py -new file mode 100644 -index 0000000000..71173670c5 ---- /dev/null -+++ b/src/tools/analyzer/modules/error.py -@@ -0,0 +1,61 @@ -+from sssd import util -+from sssd.parser import SubparsersAction -+from sssd import sss_analyze -+ -+class ErrorAnalyzer: -+ """ -+ An error analyzer module, list if there is any error reported by sssd_be -+ """ -+ module_parser = None -+ print_opts = [] -+ -+ def print_module_help(self, args): -+ 
""" -+ Print the module parser help output -+ -+ Args: -+ args (Namespace): argparse parsed arguments -+ """ -+ self.module_parser.print_help() -+ -+ def setup_args(self, parser_grp, cli): -+ """ -+ Setup module parser, subcommands, and options -+ -+ Args: -+ parser_grp (argparse.Action): Parser group to nest -+ module and subcommands under -+ """ -+ desc = "Analyze error check module" -+ self.module_parser = parser_grp.add_parser('error', -+ description=desc, -+ help='Error checker') -+ -+ subparser = self.module_parser.add_subparsers(title=None, -+ dest='subparser', -+ action=SubparsersAction, -+ metavar='COMMANDS') -+ -+ subcmd_grp = subparser.add_parser_group('Operation Modes') -+ cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend', -+ self.print_error, self.print_opts) -+ -+ self.module_parser.set_defaults(func=self.print_module_help) -+ -+ return self.module_parser -+ -+ def print_error(self, args): -+ err = 0 -+ utl = util.Utils() -+ source = utl.load(args) -+ component = source.Component.BE -+ source.set_component(component, False) -+ patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG', -+ 'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline', -+ 'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed'] -+ for line in utl.matched_line(source, patterns): -+ err +=1 -+ print(line) -+ if err > 0: -+ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html") -+ return -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index d661dddb84..e4d5f060c7 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -1,6 +1,6 @@ - import re - import logging -- -+from sssd import util - from sssd.parser import SubparsersAction - from sssd.parser import Option - -@@ -38,7 +38,6 @@ def print_module_help(self, args): - def 
setup_args(self, parser_grp, cli): - """ - Setup module parser, subcommands, and options -- - Args: - parser_grp (argparse.Action): Parser group to nest - module and subcommands under -@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli): - - return self.module_parser - -- def load(self, args): -- """ -- Load the appropriate source reader. -- -- Args: -- args (Namespace): argparse parsed arguments -- -- Returns: -- Instantiated source object -- """ -- if args.source == "journald": -- from sssd.source_journald import Journald -- source = Journald() -- else: -- from sssd.source_files import Files -- source = Files(args.logdir) -- return source -- -- def matched_line(self, source, patterns): -- """ -- Yield lines which match any number of patterns (OR) in -- provided patterns list. -- -- Args: -- source (Reader): source Reader object -- Yields: -- lines matching the provided pattern(s) -- """ -- for line in source: -- for pattern in patterns: -- re_obj = re.compile(pattern) -- if re_obj.search(line): -- if line.startswith(' * '): -- continue -- yield line -- - def get_linked_ids(self, source, pattern, regex): - """ - Retrieve list of associated REQ_TRACE ids. 
Filter -@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex): - Returns: - List of linked ids discovered - """ -+ utl = util.Utils() - linked_ids = [] -- for match in self.matched_line(source, pattern): -+ for match in utl.matched_line(source, pattern): - id_re = re.compile(regex) - match = id_re.search(match) - if match: -@@ -250,7 +214,8 @@ def list_requests(self, args): - Args: - args (Namespace): populated argparse namespace - """ -- source = self.load(args) -+ utl = util.Utils() -+ source = utl.load(args) - component = source.Component.NSS - resp = "nss" - # Log messages matching the following regex patterns contain -@@ -266,7 +231,7 @@ def list_requests(self, args): - if args.verbose: - self.print_formatted_verbose(source) - else: -- for line in self.matched_line(source, patterns): -+ for line in utl.matched_line(source, patterns): - if type(source).__name__ == 'Journald': - print(line) - else: -@@ -279,7 +244,8 @@ def track_request(self, args): - Args: - args (Namespace): populated argparse namespace - """ -- source = self.load(args) -+ utl = util.Utils() -+ source = utl.load(args) - cid = args.cid - resp_results = False - be_results = False -@@ -294,7 +260,7 @@ def track_request(self, args): - logger.info(f"******** Checking {resp} responder for Client ID" - f" {cid} *******") - source.set_component(component, args.child) -- for match in self.matched_line(source, pattern): -+ for match in utl.matched_line(source, pattern): - resp_results = self.consume_line(match, source, args.merge) - - logger.info(f"********* Checking Backend for Client ID {cid} ********") -@@ -307,7 +273,7 @@ def track_request(self, args): - pattern.clear() - [pattern.append(f'\\{id}') for id in be_ids] - -- for match in self.matched_line(source, pattern): -+ for match in utl.matched_line(source, pattern): - be_results = self.consume_line(match, source, args.merge) - - if args.merge: -diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze -index 
3f1beaf38b..6d4b5b30c6 100755 ---- a/src/tools/analyzer/sss_analyze -+++ b/src/tools/analyzer/sss_analyze -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python3 - - from sssd import sss_analyze - -diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py -index 18b998f380..dafc84fc03 100644 ---- a/src/tools/analyzer/sss_analyze.py -+++ b/src/tools/analyzer/sss_analyze.py -@@ -1,6 +1,7 @@ - import argparse - - from sssd.modules import request -+from sssd.modules import error - from sssd.parser import SubparsersAction - - -@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp): - """ - # Currently only the 'request' module exists - req = request.RequestAnalyzer() -+ err = error.ErrorAnalyzer() - cli = Analyzer() - - req.setup_args(parser_grp, cli) -+ err.setup_args(parser_grp, cli) - - def setup_args(self): - """ -diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py -new file mode 100644 -index 0000000000..2a8d153a71 ---- /dev/null -+++ b/src/tools/analyzer/util.py -@@ -0,0 +1,44 @@ -+import re -+import logging -+ -+from sssd.source_files import Files -+from sssd.source_journald import Journald -+ -+logger = logging.getLogger() -+ -+ -+class Utils: -+ -+ def load(self, args): -+ """ -+ Load the appropriate source reader. -+ -+ Args: -+ args (Namespace): argparse parsed arguments -+ -+ Returns: -+ Instantiated source object -+ """ -+ if args.source == "journald": -+ source = Journald() -+ else: -+ source = Files(args.logdir) -+ return source -+ -+ def matched_line(self, source, patterns): -+ """ -+ Yield lines which match any number of patterns (OR) in -+ provided patterns list. -+ -+ Args: -+ source (Reader): source Reader object -+ Yields: -+ lines matching the provided pattern(s) -+ """ -+ for line in source: -+ for pattern in patterns: -+ re_obj = re.compile(pattern) -+ if re_obj.search(line): -+ if line.startswith(' * '): -+ continue -+ yield line 
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch deleted file mode 100644 index 1e9fca5..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch +++ /dev/null 
@@ -1,219 +0,0 @@ -From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 8 Nov 2023 14:50:24 +0100 -Subject: [PATCH] ad-gpo: use hash to store intermediate results - -Currently after the evaluation of a single GPO file the intermediate -results are stored in the cache and this cache entry is updated until -all applicable GPO files are evaluated. Finally the data in the cache is -used to make the decision of access is granted or rejected. - -If there are two or more access-control request running in parallel one -request might overwrite the cache object with intermediate data while -another request reads the cached data for the access decision and as a -result will do this decision based on intermediate data. - -To avoid this the intermediate results are not stored in the cache -anymore but in hash tables which are specific to the request. Only the -final result is written to the cache to have it available for offline -authentication. - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman -(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a) - -Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726] -CVE: CVE-2023-3758 -Signed-off-by: Hitendra Prajapati - ---- - src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++----- - 1 file changed, 102 insertions(+), 14 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 44e9cbb..cec0cb4 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, - return ret; - } - -+static errno_t -+add_result_to_hash(hash_table_t *hash, const char *key, char *value) -+{ -+ int hret; -+ hash_key_t k; -+ hash_value_t v; -+ -+ if (hash == NULL || key == NULL || value == NULL) { -+ return EINVAL; -+ } -+ -+ k.type = HASH_KEY_CONST_STRING; -+ k.c_str = key; -+ -+ v.type = HASH_VALUE_PTR; -+ v.ptr 
= value; -+ -+ hret = hash_enter(hash, &k, &v); -+ if (hret != HASH_SUCCESS) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n", -+ key, value, hash_error_string(hret)); -+ return EIO; -+ } -+ -+ return EOK; -+} -+ - /* - * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename, - * and stores the allow_key and deny_key of all of the gpo_map_types present -@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, - */ - static errno_t - ad_gpo_store_policy_settings(struct sss_domain_info *domain, -+ hash_table_t *allow_maps, hash_table_t *deny_maps, - const char *filename) - { - struct ini_cfgfile *file_ctx = NULL; -@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - goto done; - } else if (ret != ENOENT) { - const char *value = allow_value ? allow_value : empty_val; -- ret = sysdb_gpo_store_gpo_result_setting(domain, -- allow_key, -- value); -+ ret = add_result_to_hash(allow_maps, allow_key, -+ talloc_strdup(allow_maps, value)); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sysdb_gpo_store_gpo_result_setting failed for key:" -- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value, -- ret, sss_strerror(ret)); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " -+ "value: [%s] to allow maps " -+ "[%d][%s].\n", -+ allow_key, value, ret, -+ sss_strerror(ret)); - goto done; - } - } -@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - goto done; - } else if (ret != ENOENT) { - const char *value = deny_value ? 
deny_value : empty_val; -- ret = sysdb_gpo_store_gpo_result_setting(domain, -- deny_key, -- value); -+ ret = add_result_to_hash(deny_maps, deny_key, -+ talloc_strdup(deny_maps, value)); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sysdb_gpo_store_gpo_result_setting failed for key:" -- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value, -- ret, sss_strerror(ret)); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " -+ "value: [%s] to deny maps " -+ "[%d][%s].\n", -+ deny_key, value, ret, -+ sss_strerror(ret)); - goto done; - } - } -@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state { - int num_cse_filtered_gpos; - int cse_gpo_index; - const char *ad_domain; -+ hash_table_t *allow_maps; -+ hash_table_t *deny_maps; - }; - - static void ad_gpo_connect_done(struct tevent_req *subreq); -@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, - goto immediately; - } - -+ ret = sss_hash_create(state, 0, &state->allow_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps " -+ "hash table [%d]: %s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } -+ -+ ret = sss_hash_create(state, 0, &state->deny_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps " -+ "hash table [%d]: %s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } - - subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); - if (subreq == NULL) { -@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req) - return EAGAIN; - } - -+static errno_t -+store_hash_maps_in_cache(struct sss_domain_info *domain, -+ hash_table_t *allow_maps, hash_table_t *deny_maps) -+{ -+ int ret; -+ struct hash_iter_context_t *iter; -+ hash_entry_t *entry; -+ size_t c; -+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL}; -+ -+ -+ for (c = 0; hash_list[c] != NULL; c++) { -+ iter = new_hash_iter_context(hash_list[c]); -+ if (iter == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n"); -+ return EINVAL; -+ } 
-+ -+ while ((entry = iter->next(iter)) != NULL) { -+ ret = sysdb_gpo_store_gpo_result_setting(domain, -+ entry->key.c_str, -+ entry->value.ptr); -+ if (ret != EOK) { -+ free(iter); -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_gpo_store_gpo_result_setting failed for key:" -+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str, -+ (char *) entry->value.ptr, ret, sss_strerror(ret)); -+ return ret; -+ } -+ } -+ talloc_free(iter); -+ } -+ -+ return EOK; -+} -+ - /* - * This cse-specific function (GP_EXT_GUID_SECURITY) increments the - * cse_gpo_index until the policy settings for all applicable GPOs have been -@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) - * (as part of the GPO Result object in the sysdb cache). - */ - ret = ad_gpo_store_policy_settings(state->host_domain, -+ state->allow_maps, state->deny_maps, - cse_filtered_gpo->policy_filename); - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq) - - if (ret == EOK) { - /* ret is EOK only after all GPO policy files have been downloaded */ -+ ret = store_hash_maps_in_cache(state->host_domain, -+ state->allow_maps, state->deny_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps " -+ "[%d][%s].\n", ret, sss_strerror(ret)); -+ goto done; -+ } - ret = ad_gpo_perform_hbac_processing(state, - state->gpo_mode, - state->gpo_map_type, --- -2.25.1 diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf index 1e8b537..2c9c6fc 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf @@ -7,7 +7,8 @@ domains = shadowutils [pam] [domain/shadowutils] -id_provider = files +id_provider = proxy +proxy_lib_name = files auth_provider = proxy proxy_pam_target = sssd-shadowutils 
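Review bot: The new `id_provider = proxy` / `proxy_lib_name = files` pair makes sssd_be load the system `libnss_files` NSS module at runtime, so the shipped default only works on targets that actually provide `libnss_files.so.2`; glibc does, but a musl-based image (the recipe carries `musl_fixup.patch`) has no NSS modules and the shadowutils domain would fail to start there, which deserves a note in the commit message or the config. The change presumably reflects the removal of the standalone files provider in the 2.10 series; a one-line comment above the setting would save the next reader the trip to the release notes, e.g. `# the 'files' id_provider is gone upstream; proxy through libnss_files instead`. Deployed systems that kept their own sssd.conf with `id_provider = files` are not migrated by this change, so the upgrade note should say so.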
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
deleted file mode 100644
index 2a82413..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
+++ /dev/null
@@ -1 +0,0 @@
-d root root 0750 /var/log/sssd none
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
similarity index 84%
rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
index f35d0c8..0ed62b8 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
@@ -18,16 +18,13 @@ DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
 SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
 file://sssd.conf \
- file://volatiles.99_sssd \
 file://no_gen.patch \
 file://fix_gid.patch \
 file://drop_ntpdate_chk.patch \
 file://fix-ldblibdir.patch \
 file://musl_fixup.patch \
- file://0001-sssctl-add-error-analyzer.patch \
- file://CVE-2023-3758.patch \
 "
-SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba"
+SRC_URI[sha256sum] = "e8aa5e6b48ae465bea7064048715ce7e9c53b50ec6a9c69304f59e0d35be40ff"
 UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
@@ -42,24 +39,23 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
 ac_cv_prog_HAVE_PYTHON3=yes \
 "
-PACKAGECONFIG ?= "nss autofs sudo infopipe"
+PACKAGECONFIG ?= "nss autofs sudo"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
 PACKAGECONFIG[crypto] = ", , libcrypto"
 PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
-PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
 PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
 PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
 PACKAGECONFIG[nss] = ", ,nss,"
 PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
 PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings python3dir=${PYTHON_SITEPACKAGES_DIR}, python3-setuptools-native"
 PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no, libselinux"
 PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
 PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
-PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv,,python3-systemd"
+PACKAGECONFIG[systemd] = "--with-initscript=systemd --with-systemdunitdir=${systemd_system_unitdir} --with-systemdconfdir=${sysconfdir}/systemd/system, --with-initscript=sysv,,python3-systemd"
 EXTRA_OECONF += " \
 --disable-cifs-idmap-plugin \
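Review bot: Dropping `--with-semanage=no` from the disabled branch of `PACKAGECONFIG[selinux]` means a build without the selinux feature no longer tells configure to skip libsemanage; the old line passed the option, so 2.9 accepted it, and if 2.10.2's configure still probes for libsemanage the outcome now depends on whether that library happens to sit in the sysroot — an undeclared and non-reproducible dependency. Unless the option was removed upstream, keep it: `PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"`. The removal of `PACKAGECONFIG[infopipe]` is explained in the commit message but not in the recipe; a comment next to `PACKAGECONFIG ?=` such as `# infopipe is always built since 2.10, hence sssd-ifp.service is listed unconditionally below` would tie it to the SYSTEMD_SERVICE change later in the file.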
@@ -68,11 +64,11 @@ EXTRA_OECONF += " \
 --without-python2-bindings \
 --enable-pammoddir=${base_libdir}/security \
 --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
- --with-pid-path=/run \
+ --with-pid-path=/run/sssd \
 --with-os=fedora \
 "
-do_configure:prepend() {
+do_configure:prepend () {
 mkdir -p ${AUTOTOOLS_AUXDIR}/build
 cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
@@ -84,6 +80,7 @@ do_compile:prepend () {
 sed -i -e "s/__useconds_t/useconds_t/g" ${S}/src/tools/tools_mc_util.c
 echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
 }
+
 do_install () {
 oe_runmake install DESTDIR="${D}"
 rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
@@ -99,12 +96,14 @@ do_install () {
 if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
 install -d ${D}${sysconfdir}/tmpfiles.d
- echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+ echo "d /var/log/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" > ${D}${sysconfdir}/tmpfiles.d/sssd.conf
+ echo "d /run/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" >> ${D}${sysconfdir}/tmpfiles.d/sssd.conf
 fi
 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
 install -d ${D}${sysconfdir}/default/volatiles
- echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
+ echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/log/sssd none" > ${D}${sysconfdir}/default/volatiles/99_sssd
+ echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/run/sssd none" >> ${D}${sysconfdir}/default/volatiles/99_sssd
 fi
 if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then
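Review bot: The new tmpfiles.d entry hardcodes `/var/log/sssd` while the sysvinit branch a few lines below spells the same directory as `${localstatedir}/log/sssd`; the two should agree, e.g. `echo "d ${localstatedir}/log/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" > ${D}${sysconfdir}/tmpfiles.d/sssd.conf`. The `/run/sssd` tmpfiles line matches `--with-pid-path=/run/sssd` from the first hunk, but the sysvinit line creates `${localstatedir}/run/sssd`, which only coincides with the configured pid path when /var/run resolves to /run on the target — a comment on that line stating the assumption would help. Giving the log and pid directories to `${SSSD_UID}:${SSSD_GID}` at 0750 rather than leaving them root-owned is the right direction; the do_install body continues outside the hunk.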
@@ -112,15 +111,13 @@ do_install () {
 fi
 # Remove /run as it is created on startup
- rm -rf ${D}/run
-
- rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
+ rm -rf ${D}/run ${D}/var/run
 }
 pkg_postinst_ontarget:${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
+ if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+ fi
 chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
 }
@@ -131,12 +128,11 @@ INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
 SYSTEMD_SERVICE:${PN} = " \
 ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
 ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
 ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
 ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+ sssd-ifp.service \
 sssd-nss.service \
 sssd-nss.socket \
- sssd-pam-priv.socket \
 sssd-pam.service \
 sssd-pam.socket \
 sssd.service \
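Review bot: The comment above `rm -rf ${D}/run ${D}/var/run` still says only `/run`; update it to `# Remove /run and /var/run as they are created on startup`. In the SYSTEMD_SERVICE hunk `sssd-pam-priv.socket` is dropped without the commit message saying why; if 2.10.2 no longer installs that unit, a bullet in the message next to the infopipe one would let reviewers verify it against the release notes instead of guessing. Listing `sssd-ifp.service` unconditionally is consistent with the removed `PACKAGECONFIG[infopipe]` option. The SYSTEMD_SERVICE assignment continues past the end of the hunk.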