From 3e59d41df031a86e48f6b8ee1ac7a72d3c183f69 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Mon, 23 May 2022 20:54:18 +0200 Subject: gnu: sssd: Update to 2.7.0. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add support for renewing AD membership with adcli. Wrap binaries with LDB_MODULES_PATH. Fix the sss_analyze utility to run without systemd libraries. Add native inputs to generate man pages and run additional tests during build. * gnu/packages/sssd.scm (sssd): Update to 2.7.0. [patches]: Drop patches applied upstream. Add a patch for sss_analyze. [inputs]: Add adcli, bash-minimal, jose, keyutils, libnl, pcre2, python. Drop augeas, pcre. [native-inputs]: Add cmocka, doxygen, gettext-minimal, libfaketime, libtool, openssh, po4a, softhsm. [arguments]: Rewrite in gexp style. Fix configure checks. Remove static library from install. Wrap binaries to set correct paths. * gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch, gnu/packages/patches/sssd-fix-samba-4.15.3.patch, gnu/packages/patches/sssd-fix-samba.patch: Delete files. * gnu/packages/patches/sssd-optional-systemd.patch: New file. * gnu/local.mk (dist_patch_DATA): Update accordingly. Signed-off-by: Ludovic Courtès --- gnu/local.mk | 4 +- .../sssd-collision-with-external-nss-symbol.patch | 71 --- gnu/packages/patches/sssd-fix-samba-4.15.3.patch | 523 --------------------- gnu/packages/patches/sssd-fix-samba.patch | 50 -- gnu/packages/patches/sssd-optional-systemd.patch | 45 ++ gnu/packages/patches/sssd-system-directories.patch | 44 +- gnu/packages/sssd.scm | 207 +++++--- 7 files changed, 204 insertions(+), 740 deletions(-) delete mode 100644 gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch delete mode 100644 gnu/packages/patches/sssd-fix-samba-4.15.3.patch delete mode 100644 gnu/packages/patches/sssd-fix-samba.patch create mode 100644 gnu/packages/patches/sssd-optional-systemd.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 2a74677509..2cadb8c42c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1614,8 +1614,6 @@ dist_patch_DATA = \ %D%/packages/patches/sdl-pango-sans-serif.patch \ %D%/packages/patches/smalltalk-multiplication-overflow.patch \ %D%/packages/patches/sqlite-hurd.patch \ - %D%/packages/patches/sssd-collision-with-external-nss-symbol.patch \ - %D%/packages/patches/sssd-fix-samba-4.15.3.patch \ %D%/packages/patches/strace-readlink-tests.patch \ %D%/packages/patches/sunxi-tools-remove-sys-io.patch \ %D%/packages/patches/p11-kit-hurd.patch \ @@ -1829,7 +1827,7 @@ dist_patch_DATA = \ %D%/packages/patches/snappy-add-inline-for-GCC.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/spice-vdagent-glib-2.68.patch \ - %D%/packages/patches/sssd-fix-samba.patch \ + %D%/packages/patches/sssd-optional-systemd.patch \ %D%/packages/patches/sssd-system-directories.patch \ %D%/packages/patches/steghide-fixes.patch \ %D%/packages/patches/suitesparse-mongoose-cmake.patch \ diff --git a/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch b/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch deleted file mode 100644 index 9d59ae91be..0000000000 --- a/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch +++ /dev/null @@ -1,71 +0,0 @@ -From fe9eeb51be06059721e873f77092b1e9ba08e6c1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Thu, 27 Feb 2020 06:50:40 +0100 -Subject: [PATCH] nss: Collision with external nss symbol -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -One of our internal static function names started -to collide with external nss symbol. Additional -sss_ suffix was added to avoid the collision. - -This is needed to unblock Fedora Rawhide's -SSSD build. - -Reviewed-by: Pavel Březina ---- - src/responder/nss/nss_cmd.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c -index 356aea1564..02706c4b94 100644 ---- a/src/responder/nss/nss_cmd.c -+++ b/src/responder/nss/nss_cmd.c -@@ -731,11 +731,13 @@ static void nss_getent_done(struct tevent_req *subreq) - talloc_free(cmd_ctx); - } - --static void nss_setnetgrent_done(struct tevent_req *subreq); -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq); - --static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, -- enum cache_req_type type, -- nss_protocol_fill_packet_fn fill_fn) -+/* This function's name started to collide with external nss symbol, -+ * so it has additional sss_* prefix unlike other functions here. */ -+static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, -+ enum cache_req_type type, -+ nss_protocol_fill_packet_fn fill_fn) - { - struct nss_ctx *nss_ctx; - struct nss_state_ctx *state_ctx; -@@ -777,7 +779,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, - goto done; - } - -- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); -+ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx); - - ret = EOK; - -@@ -790,7 +792,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, - return EOK; - } - --static void nss_setnetgrent_done(struct tevent_req *subreq) -+static void sss_nss_setnetgrent_done(struct tevent_req *subreq) - { - struct nss_cmd_ctx *cmd_ctx; - errno_t ret; -@@ -1040,8 +1042,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) - - static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) - { -- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -- nss_protocol_fill_setnetgrent); -+ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, -+ nss_protocol_fill_setnetgrent); - } - - static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) diff --git a/gnu/packages/patches/sssd-fix-samba-4.15.3.patch b/gnu/packages/patches/sssd-fix-samba-4.15.3.patch deleted file mode 100644 index 731daa0ed9..0000000000 --- a/gnu/packages/patches/sssd-fix-samba-4.15.3.patch +++ /dev/null @@ -1,523 +0,0 @@ -From 3ba88c317fd64b69b000adbdf881c88383f325d1 Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Tue, 24 Mar 2020 13:37:07 +0000 -Subject: [PATCH] Use ndr_pull_steal_switch_value for modern samba versions -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit bc56b10aea999284458dcc293b54cf65288e325d attempted to -fix the build error resulting from removal of 'ndr_pull_get_switch' - -This change uses the new replacement method -'ndr_pull_steal_switch_value' however depending on the samba version -the ndr_pull_steal_switch_value abi is different. - -Note: ndr_pull_steal_switch_value is used since samba 4.10 for - the affected methods - -Note: the following methods have been refreshed from samba-4.12 generated - code; - - o ndr_pull_security_ace_object_type - o ndr_pull_security_ace_object_inherited_type - o ndr_pull_security_ace_object_ctr - -Signed-off-by: Noel Power - -Reviewed-by: Pavel Březina -(cherry picked from commit 1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc) - -Reviewed-by: Pavel Březina ---- - src/external/samba.m4 | 9 ++++++- - src/providers/ad/ad_gpo_ndr.c | 45 ++++++++++++++++++++--------------- - 2 files changed, 34 insertions(+), 20 deletions(-) - -diff --git a/src/external/samba.m4 b/src/external/samba.m4 -index 089f602a60..8e06174ead 100644 ---- a/src/external/samba.m4 -+++ b/src/external/samba.m4 -@@ -132,8 +132,15 @@ int main(void) - AC_DEFINE_UNQUOTED(SMB_IDMAP_DOMAIN_HAS_DOM_SID, 1, - [Samba's struct idmap_domain has dom_sid member]) - AC_MSG_NOTICE([Samba's struct idmap_domain has dom_sid member]) -+ if test $samba_minor_version -ge 12 ; then -+ AC_DEFINE_UNQUOTED(SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH, 1, -+ [Samba's new push/pull switch functions]) -+ AC_MSG_NOTICE([Samba has support for new ndr_push_steal_switch_value and ndr_pull_steal_switch_value functions]) -+ else -+ AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions]) -+ fi - else - AC_MSG_NOTICE([Samba's struct idmap_domain does not have dom_sid member]) -+ AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions]) - fi -- - fi - - SAVE_CFLAGS=$CFLAGS -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index 49c49d71b2..3d389e513d 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -105,9 +105,14 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, - union security_ace_object_type *r) - { - uint32_t level; -- level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { -+ /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */ -+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -+ NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level)); -+#else -+ level = ndr_pull_steal_switch_value(ndr, r); -+#endif - NDR_CHECK(ndr_pull_union_align(ndr, 4)); - switch (level) { - case SEC_ACE_OBJECT_TYPE_PRESENT: { -@@ -117,14 +122,6 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, - break; } - } - } -- if (ndr_flags & NDR_BUFFERS) { -- switch (level) { -- case SEC_ACE_OBJECT_TYPE_PRESENT: -- break; -- default: -- break; -- } -- } - return NDR_ERR_SUCCESS; - } - -@@ -135,9 +132,14 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, - union security_ace_object_inherited_type *r) - { - uint32_t level; -- level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { -+ /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */ -+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -+ NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level)); -+#else -+ level = ndr_pull_steal_switch_value(ndr, r); -+#endif - NDR_CHECK(ndr_pull_union_align(ndr, 4)); - switch (level) { - case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: { -@@ -149,14 +151,6 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, - break; } - } - } -- if (ndr_flags & NDR_BUFFERS) { -- switch (level) { -- case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: -- break; -- default: -- break; -- } -- } - return NDR_ERR_SUCCESS; - } - -@@ -198,9 +192,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, - union security_ace_object_ctr *r) - { - uint32_t level; -- level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { -+ /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */ -+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -+ NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level)); -+#else -+ level = ndr_pull_steal_switch_value(ndr, r); -+#endif - NDR_CHECK(ndr_pull_union_align(ndr, 4)); - switch (level) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: { -@@ -224,6 +223,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, - } - } - if (ndr_flags & NDR_BUFFERS) { -+ if (!(ndr_flags & NDR_SCALARS)) { -+ /* We didn't get it above, and the token is not needed after this. */ -+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -+ NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level)); -+#else -+ level = ndr_pull_steal_switch_value(ndr, r); -+#endif -+ } - switch (level) { - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - NDR_CHECK(ndr_pull_security_ace_object -From 5285a1896ee19bb8f1ff752380547bc6d7a43334 Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Tue, 24 Mar 2020 18:14:34 +0000 -Subject: [PATCH] ad_gpo_ndr.c: refresh ndr_ methods from samba-4.12 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Noel Power - -Reviewed-by: Pavel Březina -(cherry picked from commit c031adde4f532f39845a0efd78693600f1f8b2f4) - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo_ndr.c | 201 ++++++++++++++++++---------------- - 1 file changed, 106 insertions(+), 95 deletions(-) - -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index 3d389e513d..a64b1a0f84 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -177,8 +177,16 @@ ndr_pull_security_ace_object(struct ndr_pull *ndr, - NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); - } - if (ndr_flags & NDR_BUFFERS) { -+ NDR_CHECK(ndr_pull_set_switch_value -+ (ndr, -+ &r->type, -+ r->flags & SEC_ACE_OBJECT_TYPE_PRESENT)); - NDR_CHECK(ndr_pull_security_ace_object_type - (ndr, NDR_BUFFERS, &r->type)); -+ NDR_CHECK(ndr_pull_set_switch_value -+ (ndr, -+ &r->inherited_type, -+ r->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)); - NDR_CHECK(ndr_pull_security_ace_object_inherited_type - (ndr, NDR_BUFFERS, &r->inherited_type)); - } -@@ -342,7 +350,7 @@ ndr_pull_security_acl(struct ndr_pull *ndr, - (ndr, NDR_SCALARS, &r->revision)); - NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size)); - NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_aces)); -- if (r->num_aces > 1000) { -+ if (r->num_aces > 2000) { - return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); - } - size_aces_0 = r->num_aces; -@@ -408,107 +416,110 @@ ad_gpo_ndr_pull_security_descriptor(struct ndr_pull *ndr, - TALLOC_CTX *_mem_save_sacl_0; - uint32_t _ptr_dacl; - TALLOC_CTX *_mem_save_dacl_0; -- uint32_t _flags_save_STRUCT = ndr->flags; -- uint32_t _relative_save_offset; -- -- ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN); -- NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); -- if (ndr_flags & NDR_SCALARS) { -- NDR_CHECK(ndr_pull_align(ndr, 5)); -- NDR_CHECK(ndr_pull_security_descriptor_revision(ndr, -+ { -+ uint32_t _flags_save_STRUCT = ndr->flags; -+ ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN); -+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); -+ if (ndr_flags & NDR_SCALARS) { -+ NDR_CHECK(ndr_pull_align(ndr, 5)); -+ NDR_CHECK(ndr_pull_security_descriptor_revision(ndr, -+ NDR_SCALARS, -+ &r->revision)); -+ NDR_CHECK(ndr_pull_security_descriptor_type(ndr, - NDR_SCALARS, -- &r->revision)); -- NDR_CHECK(ndr_pull_security_descriptor_type(ndr, -- NDR_SCALARS, -- &r->type)); -- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid)); -- if (_ptr_owner_sid) { -- NDR_PULL_ALLOC(ndr, r->owner_sid); -- NDR_CHECK(ndr_pull_relative_ptr1(ndr, -- r->owner_sid, -- _ptr_owner_sid)); -- } else { -- r->owner_sid = NULL; -- } -- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid)); -- if (_ptr_group_sid) { -- NDR_PULL_ALLOC(ndr, r->group_sid); -- NDR_CHECK(ndr_pull_relative_ptr1(ndr, -- r->group_sid, -- _ptr_group_sid)); -- } else { -- r->group_sid = NULL; -- } -- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl)); -- if (_ptr_sacl) { -- NDR_PULL_ALLOC(ndr, r->sacl); -- NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, _ptr_sacl)); -- } else { -- r->sacl = NULL; -- } -- NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl)); -- if (_ptr_dacl) { -- NDR_PULL_ALLOC(ndr, r->dacl); -- NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl)); -- } else { -- r->dacl = NULL; -- } -- NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); -- } -- if (ndr_flags & NDR_BUFFERS) { -- if (r->owner_sid) { -- _relative_save_offset = ndr->offset; -- NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid)); -- _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); -- NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0); -- NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid)); -- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0); -- if (ndr->offset > ndr->relative_highest_offset) { -- ndr->relative_highest_offset = ndr->offset; -+ &r->type)); -+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid)); -+ if (_ptr_owner_sid) { -+ NDR_PULL_ALLOC(ndr, r->owner_sid); -+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, -+ r->owner_sid, -+ _ptr_owner_sid)); -+ } else { -+ r->owner_sid = NULL; - } -- ndr->offset = _relative_save_offset; -- } -- if (r->group_sid) { -- _relative_save_offset = ndr->offset; -- NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid)); -- _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); -- NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0); -- NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid)); -- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0); -- if (ndr->offset > ndr->relative_highest_offset) { -- ndr->relative_highest_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid)); -+ if (_ptr_group_sid) { -+ NDR_PULL_ALLOC(ndr, r->group_sid); -+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, -+ r->group_sid, -+ _ptr_group_sid)); -+ } else { -+ r->group_sid = NULL; - } -- ndr->offset = _relative_save_offset; -- } -- if (r->sacl) { -- _relative_save_offset = ndr->offset; -- NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->sacl)); -- _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr); -- NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0); -- NDR_CHECK(ndr_pull_security_acl(ndr, -- NDR_SCALARS|NDR_BUFFERS, -- r->sacl)); -- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0); -- if (ndr->offset > ndr->relative_highest_offset) { -- ndr->relative_highest_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl)); -+ if (_ptr_sacl) { -+ NDR_PULL_ALLOC(ndr, r->sacl); -+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, _ptr_sacl)); -+ } else { -+ r->sacl = NULL; - } -- ndr->offset = _relative_save_offset; -+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl)); -+ if (_ptr_dacl) { -+ NDR_PULL_ALLOC(ndr, r->dacl); -+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl)); -+ } else { -+ r->dacl = NULL; -+ } -+ NDR_CHECK(ndr_pull_trailer_align(ndr, 5)); - } -- if (r->dacl) { -- _relative_save_offset = ndr->offset; -- NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl)); -- _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr); -- NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0); -- NDR_CHECK(ndr_pull_security_acl(ndr, -- NDR_SCALARS|NDR_BUFFERS, -- r->dacl)); -- NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0); -- if (ndr->offset > ndr->relative_highest_offset) { -- ndr->relative_highest_offset = ndr->offset; -+ if (ndr_flags & NDR_BUFFERS) { -+ if (r->owner_sid) { -+ uint32_t _relative_save_offset; -+ _relative_save_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid)); -+ _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); -+ NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0); -+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid)); -+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0); -+ if (ndr->offset > ndr->relative_highest_offset) { -+ ndr->relative_highest_offset = ndr->offset; -+ } -+ ndr->offset = _relative_save_offset; -+ } -+ if (r->group_sid) { -+ uint32_t _relative_save_offset; -+ _relative_save_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid)); -+ _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr); -+ NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0); -+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid)); -+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0); -+ if (ndr->offset > ndr->relative_highest_offset) { -+ ndr->relative_highest_offset = ndr->offset; -+ } -+ ndr->offset = _relative_save_offset; -+ } -+ if (r->sacl) { -+ uint32_t _relative_save_offset; -+ _relative_save_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->sacl)); -+ _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr); -+ NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0); -+ NDR_CHECK(ndr_pull_security_acl(ndr, -+ NDR_SCALARS|NDR_BUFFERS, -+ r->sacl)); -+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0); -+ if (ndr->offset > ndr->relative_highest_offset) { -+ ndr->relative_highest_offset = ndr->offset; -+ } -+ ndr->offset = _relative_save_offset; -+ } -+ if (r->dacl) { -+ uint32_t _relative_save_offset; -+ _relative_save_offset = ndr->offset; -+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl)); -+ _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr); -+ NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0); -+ NDR_CHECK(ndr_pull_security_acl(ndr, -+ NDR_SCALARS|NDR_BUFFERS, -+ r->dacl)); -+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0); -+ if (ndr->offset > ndr->relative_highest_offset) { -+ ndr->relative_highest_offset = ndr->offset; -+ } -+ ndr->offset = _relative_save_offset; - } -- ndr->offset = _relative_save_offset; - } -- - ndr->flags = _flags_save_STRUCT; - } - return NDR_ERR_SUCCESS; -From d5809f6f41ec0dc3fd38f9e4ae917a38bf7dfa43 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 28 May 2020 15:02:43 +0200 -Subject: [PATCH] ad_gpo_ndr.c: more ndr updates -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch add another update to the ndr code which was previously -updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and -1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc. - -As missing update in ndr_pull_security_ace() cased -a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was -added to prevent similar issues in future. - -Resolves: https://github.com/SSSD/sssd/issues/5183 - -Reviewed-by: Pavel Březina -(cherry picked from commit a7c755672cd277497da3df4714f6d9457b6ac5ae) - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo_ndr.c | 1 + - src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++ - 2 files changed, 58 insertions(+) - -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index a64b1a0f84..9f040dfb03 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr, - ndr->offset += pad; - } - if (ndr_flags & NDR_BUFFERS) { -+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type)); - NDR_CHECK(ndr_pull_security_ace_object_ctr - (ndr, NDR_BUFFERS, &r->object)); - } -diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c -index 0589adcc3d..97dbe01794 100644 ---- a/src/tests/cmocka/test_ad_gpo.c -+++ b/src/tests/cmocka/test_ad_gpo.c -@@ -329,6 +329,60 @@ void test_ad_gpo_ace_includes_client_sid_false(void **state) - ace_dom_sid, false); - } - -+uint8_t test_sid_data[] = { -+0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, -+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, -+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00, -+0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, -+0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, -+0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, -+0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, -+0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, -+0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, -+0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, -+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, -+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00, -+0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, -+0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, -+0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, -+0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00, -+0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11, -+0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, -+0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00, -+0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00 -+}; -+ -+void test_ad_gpo_parse_sd(void **state) -+{ -+ int ret; -+ struct security_descriptor *sd = NULL; -+ -+ ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd); -+ assert_int_equal(ret, EINVAL); -+ -+ ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd); -+ assert_int_equal(ret, EOK); -+ assert_non_null(sd); -+ assert_int_equal(sd->revision, 1); -+ assert_int_equal(sd->type, 39940); -+ assert_null(sd->owner_sid); -+ assert_null(sd->group_sid); -+ assert_null(sd->sacl); -+ assert_non_null(sd->dacl); -+ assert_int_equal(sd->dacl->revision, 4); -+ assert_int_equal(sd->dacl->size, 308); -+ assert_int_equal(sd->dacl->num_aces, 10); -+ assert_int_equal(sd->dacl->aces[0].type, 0); -+ assert_int_equal(sd->dacl->aces[0].flags, 0); -+ assert_int_equal(sd->dacl->aces[0].size, 36); -+ assert_int_equal(sd->dacl->aces[0].access_mask, 917693); -+ /* There are more components and ACEs in the security_descriptor struct -+ * which are not checked here. */ -+ -+ talloc_free(sd); -+} -+ - int main(int argc, const char *argv[]) - { - poptContext pc; -@@ -364,6 +418,9 @@ int main(int argc, const char *argv[]) - cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false, - ad_gpo_test_setup, - ad_gpo_test_teardown), -+ cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd, -+ ad_gpo_test_setup, -+ ad_gpo_test_teardown), - }; - - /* Set debug level to invalid value so we can decide if -d 0 was used. */ diff --git a/gnu/packages/patches/sssd-fix-samba.patch b/gnu/packages/patches/sssd-fix-samba.patch deleted file mode 100644 index 714968337a..0000000000 --- a/gnu/packages/patches/sssd-fix-samba.patch +++ /dev/null @@ -1,50 +0,0 @@ -From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 24 Jan 2020 15:17:39 +0100 -Subject: [PATCH] Fix build failure against samba 4.12.0rc1 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The ndr_pull_get_switch() function was dropped, but it was just a wrapper -around the ndr_token_peek() function, so we can use this approach on both -old and new versions of libndr. - -Signed-off-by: Stephen Gallagher - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_gpo_ndr.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c -index d573033494..8f405aa62b 100644 ---- a/src/providers/ad/ad_gpo_ndr.c -+++ b/src/providers/ad/ad_gpo_ndr.c -@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, - union security_ace_object_type *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); -@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, - union security_ace_object_inherited_type *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); -@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, - union security_ace_object_ctr *r) - { - uint32_t level; -- level = ndr_pull_get_switch_value(ndr, r); -+ level = ndr_token_peek(&ndr->switch_list, r); - NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_pull_union_align(ndr, 4)); diff --git a/gnu/packages/patches/sssd-optional-systemd.patch b/gnu/packages/patches/sssd-optional-systemd.patch new file mode 100644 index 0000000000..0784fdc7aa --- /dev/null +++ b/gnu/packages/patches/sssd-optional-systemd.patch @@ -0,0 +1,45 @@ +Allow running sss_analyze without Python modules for systemd. +Upstream PR: https://github.com/SSSD/sssd/pull/6125 + +diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py +index b96a23c05..28ac2f194 100644 +--- a/src/tools/analyzer/modules/request.py ++++ b/src/tools/analyzer/modules/request.py +@@ -1,8 +1,6 @@ + import re + import logging + +-from sssd.source_files import Files +-from sssd.source_journald import Journald + from sssd.parser import SubparsersAction + from sssd.parser import Option + +@@ -77,8 +75,10 @@ class RequestAnalyzer: + Instantiated source object + """ + if args.source == "journald": ++ from sssd.source_journald import Journald + source = Journald() + else: ++ from sssd.source_files import Files + source = Files(args.logdir) + return source + +@@ -143,7 +143,7 @@ class RequestAnalyzer: + self.consumed_logs.append(line.rstrip(line[-1])) + else: + # files source includes newline +- if isinstance(source, Files): ++ if type(source).__name__ == 'Files': + print(line, end='') + else: + print(line) +@@ -225,7 +225,7 @@ class RequestAnalyzer: + source.set_component(component, False) + self.done = "" + for line in self.matched_line(source, patterns): +- if isinstance(source, Journald): ++ if type(source).__name__ == 'Journald': + print(line) + else: + self.print_formatted(line, args.verbose) diff --git a/gnu/packages/patches/sssd-system-directories.patch b/gnu/packages/patches/sssd-system-directories.patch index f2ab0182e1..ce0dcf5d4d 100644 --- a/gnu/packages/patches/sssd-system-directories.patch +++ b/gnu/packages/patches/sssd-system-directories.patch @@ -1,29 +1,29 @@ Do not attempt to create $localstatedir and $sysconfdir (i.e., /var and /etc) upon "make install". -diff --git a/Makefile.in b/Makefile.in -index c32cb7d..77a5c00 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -7991,7 +7991,7 @@ sssdconfdir = $(sysconfdir)/sssd - sssddatadir = $(datadir)/sssd +diff --git a/Makefile.am b/Makefile.am +index 0de53a2c8..51ad57bf1 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -58,7 +58,7 @@ sssddatadir = $(datadir)/sssd sssdapiplugindir = $(sssddatadir)/sssd.api.d sssdtapscriptdir = $(sssddatadir)/systemtap + krb5snippetsdir = $(sssddatadir)/krb5-snippets -dbuspolicydir = $(sysconfdir)/dbus-1/system.d +dbuspolicydir = $(prefix)/etc/dbus-1/system.d dbusservicedir = $(datadir)/dbus-1/system-services sss_statedir = $(localstatedir)/lib/sss - pamlibdir = @pammoddir@ -@@ -8000,7 +8000,7 @@ nfslibdir = @nfsidmaplibdir@ - keytabdir = $(sss_statedir)/keytabs - pkgconfigdir = $(libdir)/pkgconfig + runstatedir = @runstatedir@ +@@ -85,7 +85,7 @@ pkgconfigdir = $(libdir)/pkgconfig + krb5rcachedir = @krb5rcachedir@ sudolibdir = @sudolibpath@ + polkitdir = @polkitdir@ -pamconfdir = $(sysconfdir)/pam.d +pamconfdir = $(prefix)/etc/pam.d systemtap_tapdir = @tapset_dir@ sssdkcmdatadir = $(datadir)/sssd-kcm deskprofilepath = $(sss_statedir)/deskprofile -@@ -43733,7 +43733,6 @@ installsssddirs:: +@@ -5195,7 +5195,6 @@ installsssddirs:: $(DESTDIR)$(bindir) \ $(DESTDIR)$(sbindir) \ $(DESTDIR)$(mandir) \ @@ -31,15 +31,18 @@ index c32cb7d..77a5c00 100644 $(DESTDIR)$(pluginpath) \ $(DESTDIR)$(libdir)/ldb \ $(DESTDIR)$(dbuspolicydir) \ -@@ -43743,22 +43742,9 @@ installsssddirs:: +@@ -5205,24 +5204,12 @@ installsssddirs:: $(DESTDIR)$(sssddatadir) \ $(DESTDIR)$(sudolibdir) \ $(DESTDIR)$(autofslibdir) \ - $(DESTDIR)$(pipepath)/private \ + $(DESTDIR)$(krb5snippetsdir) \ - $(SSSD_USER_DIRS) \ $(NULL); - @SSSD_USER_TRUE@ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS) - @SSSD_USER_TRUE@ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private + if SSSD_USER + -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS) + -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private + endif - $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \ - $(DESTDIR)$(keytabdir) \ - $(NULL) @@ -50,7 +53,14 @@ index c32cb7d..77a5c00 100644 - $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) \ - $(DESTDIR)$(sssdconfdir)/conf.d \ - $(DESTDIR)$(sssdconfdir)/pki --@BUILD_SECRETS_TRUE@ $(MKDIR_P) $(DESTDIR)$(secdbpath) - @HAVE_DOXYGEN_TRUE@docs: - @HAVE_DOXYGEN_TRUE@ $(DOXYGEN) src/doxy.config + if HAVE_DOXYGEN + docs: +@@ -5338,7 +5325,6 @@ if BUILD_SAMBA + endif + if BUILD_KCM + $(MKDIR_P) $(DESTDIR)/$(sssdkcmdatadir) +- $(MKDIR_P) $(DESTDIR)$(secdbpath) + endif + + uninstall-hook: diff --git a/gnu/packages/sssd.scm b/gnu/packages/sssd.scm index 5457991952..2b4322d6d8 100644 --- a/gnu/packages/sssd.scm +++ b/gnu/packages/sssd.scm @@ -24,22 +24,28 @@ #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix gexp) #:use-module (guix git-download) #:use-module (guix utils) + #:use-module (guix build utils) #:use-module (guix build-system gnu) #:use-module (gnu packages) #:use-module (gnu packages) #:use-module (gnu packages adns) #:use-module (gnu packages augeas) #:use-module (gnu packages autotools) + #:use-module (gnu packages bash) #:use-module (gnu packages check) + #:use-module (gnu packages crypto) #:use-module (gnu packages curl) #:use-module (gnu packages cyrus-sasl) #:use-module (gnu packages databases) #:use-module (gnu packages dns) #:use-module (gnu packages docbook) #:use-module (gnu packages documentation) + #:use-module (gnu packages gettext) #:use-module (gnu packages glib) + #:use-module (gnu packages jose) #:use-module (gnu packages kerberos) #:use-module (gnu packages libunistring) #:use-module (gnu packages linux) @@ -49,8 +55,11 @@ #:use-module (gnu packages pcre) #:use-module (gnu packages popt) #:use-module (gnu packages pkg-config) + #:use-module (gnu packages python) #:use-module (gnu packages samba) + #:use-module (gnu packages security-token) #:use-module (gnu packages selinux) + #:use-module (gnu packages ssh) #:use-module (gnu packages web) #:use-module (gnu packages xml)) @@ -136,93 +145,128 @@ dynamically-growing, reference-counted array; libbasicobjects, a set of fundamental object types for C.") (license license:lgpl3+))) -;; Note: This package installs modules for ldb and nss. For the former we -;; need to set LDB_MODULES_PATH. For the latter LD_PRELOAD or LD_LIBRARY_PATH -;; is needed. (define-public sssd (package (name "sssd") - (version "1.16.5") - (source (origin - (method url-fetch) - (uri (string-append "https://releases.pagure.org/SSSD/sssd/" - "sssd-" version ".tar.gz")) - (sha256 - (base32 - "1h6hwibaf3xa2w6qpzjiiywmfj6zkgbz4r2isf3gd0xm6vq7n6if")) - (patches (search-patches "sssd-fix-samba.patch" - "sssd-system-directories.patch" - "sssd-collision-with-external-nss-symbol.patch" - "sssd-fix-samba-4.15.3.patch")))) + (version "2.7.0") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/SSSD/sssd") + (commit version))) + (file-name (git-file-name name version)) + (sha256 + (base32 "05pw5lg410vc2yc3k4hqfsbyr9k4k18qb61gbh9xz7fcjpcysqv8")) + (patches (search-patches "sssd-optional-systemd.patch" + "sssd-system-directories.patch")))) (build-system gnu-build-system) (arguments - `(#:make-flags - (list (string-append "DOCBOOK_XSLT=" - (assoc-ref %build-inputs "docbook-xsl") - "/xml/xsl/docbook-xsl-" - ,(package-version docbook-xsl) - "/manpages/docbook.xsl") - ;; Remove "--postvalid" option, because that requires access to - ;; online DTDs. - "XMLLINT_FLAGS = --catalogs --nonet --noent --xinclude --noout") - #:configure-flags - (list "--localstatedir=/var" ;for /var/lib/sss, /var/run/sssd.pid, etc. - "--sysconfdir=/etc" ;/etc/sssd + (list + #:make-flags + #~(list (string-append "CFLAGS=-DRENEWAL_PROG_PATH=\\\"" + #$(this-package-input "adcli") "/sbin/adcli" + "\\\"") + (string-append "DOCBOOK_XSLT=" + #$(this-package-native-input "docbook-xsl") + "/xml/xsl/docbook-xsl-" + #$(package-version (this-package-native-input "docbook-xsl")) + "/manpages/docbook.xsl") + ;; Remove "--postvalid" option, because that requires access to + ;; online DTDs. + "XMLLINT_FLAGS = --catalogs --nonet --noent --xinclude --noout") + #:configure-flags + #~(list "--localstatedir=/var" ; for /var/lib/sss, /var/run/sssd.pid, etc. + "--sysconfdir=/etc" ; /etc/sssd - "--disable-cifs-idmap-plugin" - "--without-nfsv4-idmapd-plugin" - "--without-python2-bindings" - "--without-python3-bindings" - (string-append "--with-plugin-path=" - (assoc-ref %outputs "out") - "/lib/sssd") - (string-append "--with-krb5-plugin-path=" - (assoc-ref %outputs "out") - "/lib/krb5/plugins/libkrb5") - (string-append "--with-cifs-plugin-path=" - (assoc-ref %outputs "out") - "/lib/cifs-utils") - (string-append "--with-init-dir=" - (assoc-ref %outputs "out") - "/etc/init.d") - (string-append "--with-ldb-lib-dir=" - (assoc-ref %outputs "out") - "/lib/ldb/modules/ldb") - (string-append "--with-xml-catalog-path=" - (assoc-ref %build-inputs "docbook-xml") - "/xml/dtd/docbook/catalog.xml")) - #:phases - (modify-phases %standard-phases - (add-after 'unpack 'disable-failing-test - (lambda _ - (substitute* "src/tests/responder_socket_access-tests.c" - (("tcase_add_test\\(tc_utils, resp_str_to_array_test\\);") "")) - #t)) - (add-after 'unpack 'add-config-in - (lambda _ - (let ((config.h (open-file "config.h.in" "a"))) - (display (string-append " -/* Missing in commits on original repo, dunno why but won't work without. */ -#undef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH -") - config.h) - (close config.h)))) - (add-before 'configure 'autoconf - (lambda _ - (invoke "autoconf")))))) + "--disable-cifs-idmap-plugin" + "--without-nfsv4-idmapd-plugin" + (string-append "--with-plugin-path=" + #$output "/lib/sssd") + (string-append "--with-krb5-plugin-path=" + #$output "/lib/krb5/plugins/libkrb5") + (string-append "--with-cifs-plugin-path=" + #$output "/lib/cifs-utils") + (string-append "--with-init-dir=" + #$output "/etc/init.d") + (string-append "--with-ldb-lib-dir=" + #$output "/lib/ldb/modules/ldb") + (string-append "--with-xml-catalog-path=" + #$(this-package-native-input "docbook-xml") + "/xml/dtd/docbook/catalog.xml")) + #:phases + #~(modify-phases %standard-phases + (add-after 'patch-source-shebangs 'patch-more-shebangs + (lambda _ + (substitute* '("src/tools/analyzer/sss_analyze" + "src/tools/sss_obfuscate") + (("#!/usr/bin/.*python") + (string-append "#!" #$(this-package-input "python") "/bin/python3"))))) + (add-before 'bootstrap 'fix-configure-macros + (lambda _ + ;; A configure test for nsupdate realm support fails without this. + (substitute* "src/external/nsupdate.m4" + (("\\$NSUPDATE ") "$NSUPDATE -i ")) + ;; Let tests find softhsm lib. + (substitute* "src/external/test_ca.m4" + (("/usr/lib/softhsm") + (string-append #$(this-package-native-input "softhsm") + "/lib/softhsm"))))) + (add-before 'configure 'disable-failing-tests + (lambda _ + ;; Disable tests that needs /etc/passwd. + (substitute* "Makefile.am" + (("pam-srv-tests") "") + (("test-negcache") "")) + ;; This test fails for unknown reason. + (substitute* "src/tests/responder_socket_access-tests.c" + (("tcase_add_test\\(tc_utils, resp_str_to_array_test\\);") "")))) + (add-before 'check 'set-libpython-path + (lambda _ + (setenv "LD_LIBRARY_PATH" + (string-append #$(this-package-input "python") "/lib")))) + (add-after 'install 'remove-static-libs + (lambda _ + ;; Remove a static library that produces a (harmless) warning + ;; when starting a program that uses sssd’s LDB modules. + (delete-file + (string-append #$output "/lib/ldb/modules/ldb/memberof.la")))) + (add-after 'install 'wrap-binaries + (lambda _ + (with-directory-excursion #$output + ;; Set path to LDB modules for sssd and utilities. + (for-each (lambda (bin) + (wrap-program (string-append "sbin/" bin) + `("LDB_MODULES_PATH" ":" prefix + (,(string-append #$output "/lib/ldb/modules/ldb"))))) + '("sssd" "sssctl" "sss_cache" "sss_override" "sss_seed")) + ;; Set path to sssd’s site-packages for scripts. + (for-each (lambda (script) + (wrap-program script + `("GUIX_PYTHONPATH" ":" prefix + (,(string-append #$output "/lib/python" + #$(version-major+minor + (package-version + (this-package-input "python"))) + "/site-packages"))))) + '("libexec/sssd/sss_analyze" "sbin/sss_obfuscate")))))))) (inputs - (list augeas - `(,isc-bind "utils") + (list adcli + bash-minimal c-ares - curl + curl ; for OpenID Connect support cyrus-sasl dbus ding-libs glib gnutls http-parser + `(,isc-bind "utils") jansson + jose ; for OpenID Connect support + keyutils ldb + libnl libselinux libsemanage libunistring @@ -231,21 +275,32 @@ fundamental object types for C.") nss openldap openssl - pcre + p11-kit ; for PKCS#11 support + pcre2 popt + python samba talloc tdb tevent)) (native-inputs - (list autoconf-2.69 - check-0.14 - docbook-xsl + (list autoconf + automake + check ; for tests + cmocka ; for tests docbook-xml + docbook-xsl + doxygen + gettext-minimal + libfaketime ; for tests + libtool libxml2 ; for xmllint libxslt + openssh ; for tests pkg-config - `(,util-linux "lib"))) ;for uuid.h, reqired for KCM + po4a + softhsm ; for tests + `(,util-linux "lib"))) ; for uuid.h, reqired for KCM (home-page "https://pagure.io/SSSD/sssd/") (synopsis "System security services daemon") (description "SSSD is a system daemon. Its primary function is to provide -- cgit v1.2.3