# SSSD SPEC file for Fedora 34+ and RHEL-9+

# Upstream version is using pre-release version with dash as a separator
# since git does not support tilde in tag name. On the other side, Fedora and
# RHEL requires tilde as a separator to correctly order builds.
# For example: 2.10.0-beta1 vs 2.10.0~beta1
%global upstream_version 9.pr7762
%global downstream_version %(echo "9.pr7762" | sed 's/-/~/g')

# define SSSD user
%if 0%{?fedora} >= 41 || 0%{?rhel}
%global use_sssd_user 1
%global sssd_user sssd
%else
%global use_sssd_user 0
%global sssd_user root
%endif

# sysusers depends on presence of sssd user
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global use_sysusers 1
%else
%global use_sysusers 0
%endif

%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
%global build_subid 1
%else
%global build_subid 0
%endif

%if 0%{?fedora} >= 34
%global build_kcm_renewals 1
%global krb5_version 1.19.1
%elif 0%{?rhel} >= 8
%global build_kcm_renewals 1
%global krb5_version 1.18.2
%else
%global build_kcm_renewals 0
%endif

%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9
%global build_passkey 1
%else
%global build_passkey 0
%endif

%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global build_ssh_known_hosts_proxy 0
%else
%global build_ssh_known_hosts_proxy 1
%endif

# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$

%define _hardened_build 1

# Determine the location of the LDB modules directory
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.2.0

%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})

Name: sssd
Version: %{downstream_version}
Release: 05902%{?dist}
Summary: System Security Services Daemon
License: GPL-3.0-or-later
URL: https://github.com/SSSD/sssd/
Source0: %{url}/archive/%{upstream_version}/%{name}-%{upstream_version}.tar.gz
Source1: sssd.sysusers

### Patches ###
# Place your patches here:
# Patch0001:  0001-patch-file.patch

### Downstream only patches ###
# Place your downstream only patches here:
# Patch0901: 0901-downstream-only-patch-file.patch

### Dependencies ###

Requires: sssd-ad = %{version}-%{release}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-ipa = %{version}-%{release}
Requires: sssd-krb5 = %{version}-%{release}
Requires: sssd-ldap = %{version}-%{release}
Requires: sssd-proxy = %{version}-%{release}
Suggests: logrotate
Suggests: procps-ng
Suggests: python3-sssdconfig = %{version}-%{release}
Suggests: sssd-dbus = %{version}-%{release}

%global servicename sssd
%global sssdstatedir %{_localstatedir}/lib/sss
%global dbpath %{sssdstatedir}/db
%global keytabdir %{sssdstatedir}/keytabs
%global pipepath %{sssdstatedir}/pipes
%global mcpath %{sssdstatedir}/mc
%global pubconfpath %{sssdstatedir}/pubconf
%global gpocachepath %{sssdstatedir}/gpo_cache
%global secdbpath %{sssdstatedir}/secrets
%global deskprofilepath %{sssdstatedir}/deskprofile

### Build Dependencies ###

BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bind-utils
BuildRequires: c-ares-devel
BuildRequires: check-devel
BuildRequires: cifs-utils-devel
BuildRequires: dbus-devel
BuildRequires: docbook-style-xsl
BuildRequires: doxygen
BuildRequires: findutils
BuildRequires: gcc
BuildRequires: gdm-pam-extensions-devel
BuildRequires: gettext-devel
# required for p11_child smartcard tests
BuildRequires: gnutls-utils
BuildRequires: jansson-devel
BuildRequires: libcap-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: keyutils-libs-devel
BuildRequires: krb5-devel
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libdhash-devel >= 0.4.2
%if %{build_passkey}
BuildRequires: libfido2-devel
%endif
BuildRequires: libini_config-devel >= 1.3
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libnfsidmap-devel
BuildRequires: libnl3-devel
BuildRequires: libselinux-devel
BuildRequires: libsemanage-devel
BuildRequires: libsmbclient-devel
BuildRequires: libtalloc-devel
BuildRequires: libtdb-devel
BuildRequires: libtevent-devel
BuildRequires: libtool
BuildRequires: libunistring
BuildRequires: libunistring-devel
BuildRequires: libuuid-devel
BuildRequires: libxml2
BuildRequires: libxslt
BuildRequires: m4
BuildRequires: make
BuildRequires: nss_wrapper
BuildRequires: openldap-devel
# required for p11_child smartcard tests
BuildRequires: openssh
BuildRequires: openssl >= 1.0.1
BuildRequires: openssl-devel >= 1.0.1
BuildRequires: p11-kit-devel
BuildRequires: pam_wrapper
BuildRequires: pam-devel
BuildRequires: pcre2-devel
BuildRequires: pkgconfig
BuildRequires: popt-devel
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: samba-devel
# required for idmap_sss.so
BuildRequires: samba-winbind
BuildRequires: selinux-policy-targeted
# required for p11_child smartcard tests
BuildRequires: softhsm >= 2.1.0
BuildRequires: bc
BuildRequires: systemd-devel
BuildRequires: systemtap-sdt-devel
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
BuildRequires: systemtap-sdt-dtrace
%endif
BuildRequires: uid_wrapper
BuildRequires: po4a
BuildRequires: valgrind-devel
%if %{build_subid}
BuildRequires: shadow-utils-subid-devel
%endif
%if %{build_kcm_renewals}
BuildRequires: krb5-libs >= %{krb5_version}
%endif
%if %{use_sysusers} || %{build_passkey}
BuildRequires: systemd-rpm-macros
%{?sysusers_requires_compat}
%endif

%description
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable back end system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

The sssd subpackage is a meta-package that contains the daemon as well as all
the existing back ends.

%package common
Summary: Common files for the SSSD
License: GPL-3.0-or-later
%if 0%{?rhel} != 9
# libsss_simpleifp is removed starting 2.9.0
Obsoletes: libsss_simpleifp < 2.9.0
Obsoletes: libsss_simpleifp-debuginfo < 2.9.0
%endif
%if 0%{?rhel} != 9
%if %{use_sssd_user}
Obsoletes: sssd-polkit-rules < 2.10.0
%endif
%endif
# Requires
# due to ABI changes in 1.1.30/1.2.0
Requires: libldb >= %{ldb_version}
Requires: sssd-client%{?_isa} = %{version}-%{release}
Requires: (libsss_sudo = %{version}-%{release} if sudo)
Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Requires(post): coreutils
Requires(postun): coreutils
%if %{use_sssd_user}
Requires(pre): shadow-utils
%endif
%{?systemd_requires}

### Provides ###
Provides: libsss_sudo-devel = %{version}-%{release}
Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1

%description common
Common files for the SSSD. The common package includes all the files needed
to run a particular back end, however, the back ends are packaged in separate
subpackages such as sssd-ldap.

%package client
Summary: SSSD Client libraries for NSS and PAM
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires(post):  /usr/sbin/alternatives
Requires(preun): /usr/sbin/alternatives

%description client
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
service.

%package -n libsss_sudo
Summary: A library to allow communication between SUDO and SSSD
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_sudo
A utility library to allow communication between SUDO and SSSD

%package -n libsss_autofs
Summary: A library to allow communication between Autofs and SSSD
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_autofs
A utility library to allow communication between Autofs and SSSD

%package tools
Summary: Userspace tools for use with the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
# for logger=journald support with sss_analyze
Requires: python3-systemd
Requires: sssd-dbus

%description tools
Provides several administrative tools:
    * sss_debuglevel to change the debug level on the fly
    * sss_seed which pre-creates a user entry for use in kickstarts
    * sss_obfuscate for generating an obfuscated LDAP password
    * sssctl -- an sssd status and control utility

%package -n python3-sssdconfig
Summary: SSSD and IPA configuration file manipulation classes and functions
License: GPL-3.0-or-later
BuildArch: noarch
%{?python_provide:%python_provide python3-sssdconfig}

%description -n python3-sssdconfig
Provides python3 files for manipulation SSSD and IPA configuration files.

%package -n python3-sss
Summary: Python3 bindings for sssd
License: LGPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%{?python_provide:%python_provide python3-sss}

%description -n python3-sss
Provides python3 bindings:
    * function for retrieving list of groups user belongs to
    * class for obfuscation of passwords

%package -n python3-sss-murmur
Summary: Python3 bindings for murmur hash function
License: LGPL-3.0-or-later
%{?python_provide:%python_provide python3-sss-murmur}

%description -n python3-sss-murmur
Provides python3 module for calculating the murmur hash version 3

%package ldap
Summary: The LDAP back end of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}

%description ldap
Provides the LDAP back end that the SSSD can utilize to fetch identity data
from and authenticate against an LDAP server.

%package krb5-common
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: sssd-common = %{version}-%{release}

%description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can use for
Kerberos user or host authentication.

%package krb5
Summary: The Kerberos authentication back end for the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}

%description krb5
Provides the Kerberos back end that the SSSD can utilize authenticate
against a Kerberos server.

%package common-pac
Summary: Common files needed for supporting PAC processing
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}

%description common-pac
Provides common files needed by SSSD providers such as IPA and Active Directory
for handling Kerberos PACs.

%package ipa
Summary: The IPA back end of the SSSD
License: GPL-3.0-or-later
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}

%description ipa
Provides the IPA back end that the SSSD can utilize to fetch identity data
from and authenticate against an IPA server.

%package ad
Summary: The AD back end of the SSSD
License: GPL-3.0-or-later
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Recommends: adcli
Suggests: sssd-winbind-idmap = %{version}-%{release}

%description ad
Provides the Active Directory back end that the SSSD can utilize to fetch
identity data from and authenticate against an Active Directory server.

%package proxy
Summary: The proxy back end of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}

%description proxy
Provides the proxy back end which can be used to wrap an existing NSS and/or
PAM modules to leverage SSSD caching.

%package -n libsss_idmap
Summary: FreeIPA Idmap library
License: LGPL-3.0-or-later

%description -n libsss_idmap
Utility library to convert SIDs to Unix uids and gids

%package -n libsss_idmap-devel
Summary: FreeIPA Idmap library
License: LGPL-3.0-or-later
Requires: libsss_idmap = %{version}-%{release}

%description -n libsss_idmap-devel
Utility library to SIDs to Unix uids and gids

%package -n libipa_hbac
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later

%description -n libipa_hbac
Utility library to validate FreeIPA HBAC rules for authorization requests

%package -n libipa_hbac-devel
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Requires: libipa_hbac = %{version}-%{release}

%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests

%package -n python3-libipa_hbac
Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Requires: libipa_hbac = %{version}-%{release}
%{?python_provide:%python_provide python3-libipa_hbac}

%description -n python3-libipa_hbac
The python3-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.

%package -n libsss_nss_idmap
Summary: Library for SID and certificate based lookups
License: LGPL-3.0-or-later

%description -n libsss_nss_idmap
Utility library for SID and certificate based lookups

%package -n libsss_nss_idmap-devel
Summary: Library for SID and certificate based lookups
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}

%description -n libsss_nss_idmap-devel
Utility library for SID and certificate based lookups

%package -n python3-libsss_nss_idmap
Summary: Python3 bindings for libsss_nss_idmap
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
%{?python_provide:%python_provide python3-libsss_nss_idmap}

%description -n python3-libsss_nss_idmap
The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications.

%package dbus
Summary: The D-Bus responder of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%{?systemd_requires}

%description dbus
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
the information from the SSSD to be transmitted over the system bus.

%if 0%{?rhel} == 9
%if %{use_sssd_user}
%package polkit-rules
Summary: Rules for polkit integration for SSSD
Group: Applications/System
License: GPL-3.0-or-later
Requires: polkit >= 0.106
Requires: sssd-common = %{version}-%{release}

%description polkit-rules
Provides rules for polkit integration with SSSD. This is required
for smartcard support if SSSD service is running as user 'sssd'.
%endif

%package -n libsss_simpleifp
Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later
Requires: sssd-dbus = %{version}-%{release}

%description -n libsss_simpleifp
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.

%package -n libsss_simpleifp-devel
Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later
Requires: dbus-devel
Requires: libsss_simpleifp = %{version}-%{release}

%description -n libsss_simpleifp-devel
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
%endif

%package winbind-idmap
Summary: SSSD's idmap_sss Backend for Winbind
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Conflicts: sssd-common < %{version}-%{release}

%description winbind-idmap
The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
and SIDs.

%package nfs-idmap
Summary: SSSD plug-in for NFSv4 rpc.idmapd
License: GPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description nfs-idmap
The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
UIDs/GIDs to names and vice versa. It can be also used for mapping principal
(user) name to IDs(UID or GID) or to obtain groups which user are member of.

%package -n libsss_certmap
Summary: SSSD Certificate Mapping Library
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_certmap
Library to map certificates to users based on rules

%package -n libsss_certmap-devel
Summary: SSSD Certificate Mapping Library
License: LGPL-3.0-or-later
Requires: libsss_certmap = %{version}-%{release}

%description -n libsss_certmap-devel
Library to map certificates to users based on rules

%package kcm
Summary: An implementation of a Kerberos KCM server
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%if %{build_kcm_renewals}
Requires: krb5-libs >= %{krb5_version}
Requires: sssd-krb5-common = %{version}-%{release}
%endif
%{?systemd_requires}

%description kcm
An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache.

%package idp
Summary: Kerberos plugins and OIDC helper for external identity providers.
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}

%description idp
This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided.

%if %{build_passkey}
%package passkey
Summary: SSSD helpers and plugins needed for authentication with passkey token
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libfido2
%if "%{sssd_user}" != "root"
Requires: acl
%endif

%description passkey
This package provides helper processes and Kerberos plugins that are required to
enable authentication with passkey token.
%endif

%prep
%autosetup -n %{name}-%{upstream_version} -p1

%build

autoreconf -ivf

%configure \
    --runstatedir=%{_rundir} \
    --disable-rpath \
    --disable-static \
    --enable-gss-spnego-for-zero-maxssf \
    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
    --enable-nsslibdir=%{_libdir} \
    --enable-pammoddir=%{_libdir}/security \
    --enable-sss-default-nss-plugin \
    --enable-systemtap \
    --with-db-path=%{dbpath} \
    --with-gpo-cache-path=%{gpocachepath} \
    --with-init-dir=%{_initrddir} \
    --with-initscript=systemd \
    --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
    --with-mcache-path=%{mcpath} \
    --with-pipe-path=%{pipepath} \
    --with-pubconf-path=%{pubconfpath} \
    --with-sssd-user=%{sssd_user} \
    --with-syslog=journald \
    --with-test-dir=/dev/shm \
%if 0%{?rhel} == 9
    --with-libsifp \
    --with-conf-service-user-support \
    --with-files-provider \
    --with-extended-enumeration-support \
    --with-ssh-known-hosts-proxy \
    --with-allow-remote-domain-local-groups \
%endif
%if %{build_subid}
    --with-subid \
%endif
%if ! %{use_sssd_user}
    --disable-polkit-rules-path \
%endif
%if %{build_passkey}
    --with-passkey \
%endif
%if %{build_ssh_known_hosts_proxy}
    --with-ssh-known-hosts-proxy \
%endif
    %{nil}

%make_build all docs runstatedir=%{_rundir}

%py3_shebang_fix src/tools/analyzer/sss_analyze
sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate

%check
export CK_TIMEOUT_MULTIPLIER=10
%make_build check VERBOSE=yes
unset CK_TIMEOUT_MULTIPLIER

%install

%make_install

# Prepare language files
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd

# Copy default logrotate file
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sssd

# Make sure SSSD is able to run on read-only root
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd

# Kerberos KCM credential cache by default
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache

# Enable krb5 idp plugins by default (when sssd-idp package is installed)
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp

# Enable krb5 passkey plugins by default (when sssd-passkey package is installed)
%if %{build_passkey}
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%if "%{sssd_user}" != "root"
install -D -p -m 0644 contrib/90-sssd-token-access.rules %{buildroot}%{_udevrulesdir}/90-sssd-token-access.rules
%endif
%endif

# krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir

# Create directory for cifs-idmap alternative
# Otherwise this directory could not be owned by sssd-client
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils

# tmpfiles.d config
install -D -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf

# Remove .la files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;

# Suppress developer-only documentation
rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}

# Older versions of rpmbuild can only handle one -f option
# So we need to append to the sssd*.lang file
for file in `find $RPM_BUILD_ROOT/%{python3_sitelib} -maxdepth 1 -name "*.egg-info" 2> /dev/null`
do
    echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
done

touch sssd.lang
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
                  libsss_certmap sssd_kcm
do
    touch $subpackage.lang
done

for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
do
    lang=`echo $man | cut -c 1-2`
    case `basename $man` in
        sss_cache*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
        sss_ssh*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
        sss_rpcidmapd*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_nfs_idmap.lang
            ;;
        sss_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
            ;;
        sssctl*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
            ;;
        sssd_krb5_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
            ;;
        pam_sss*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
            ;;
        sssd-ldap*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang
            ;;
        sssd-krb5*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_krb5.lang
            ;;
        sssd-ipa*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ipa.lang
            ;;
        sssd-ad*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ad.lang
            ;;
        sssd-proxy*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_proxy.lang
            ;;
        sssd-ifp*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
            ;;
        sssd-kcm*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
            ;;
        idmap_sss*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
            ;;
        sss-certmap*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
            ;;
        *)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
    esac
done

# Print these to the rpmbuild log
echo "sssd.lang:"
cat sssd.lang

echo "python3_sssdconfig.lang:"
cat python3_sssdconfig.lang

for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
                  libsss_certmap sssd_kcm
do
    echo "$subpackage.lang:"
    cat $subpackage.lang
done

%if %{use_sysusers}
install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%endif

%files
%license COPYING

%files common -f sssd.lang
%license COPYING
%doc src/examples/sssd-example.conf
%{_sbindir}/sssd
%{_unitdir}/sssd.service
%{_unitdir}/sssd-autofs.socket
%{_unitdir}/sssd-autofs.service
%{_unitdir}/sssd-nss.socket
%{_unitdir}/sssd-nss.service
%{_unitdir}/sssd-pac.socket
%{_unitdir}/sssd-pac.service
%{_unitdir}/sssd-pam.socket
%{_unitdir}/sssd-pam.service
%{_unitdir}/sssd-ssh.socket
%{_unitdir}/sssd-ssh.service
%{_unitdir}/sssd-sudo.socket
%{_unitdir}/sssd-sudo.service

%{_tmpfilesdir}/%{name}.conf

%dir %{_libexecdir}/%{servicename}
%{_libexecdir}/%{servicename}/sssd_be
%{_libexecdir}/%{servicename}/sssd_nss
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/sssd_pam
%{_libexecdir}/%{servicename}/sssd_autofs
%{_libexecdir}/%{servicename}/sssd_ssh
%{_libexecdir}/%{servicename}/sssd_sudo
%{_libexecdir}/%{servicename}/p11_child
%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders

%dir %{_libdir}/%{name}
%if 0%{?rhel} == 9
%{_libdir}/%{name}/libsss_files.so
%endif
%{_libdir}/%{name}/libsss_simple.so

#Internal shared libraries
%{_libdir}/%{name}/libsss_child.so
%{_libdir}/%{name}/libsss_crypt.so
%{_libdir}/%{name}/libsss_cert.so
%{_libdir}/%{name}/libsss_debug.so
%{_libdir}/%{name}/libsss_krb5_common.so
%{_libdir}/%{name}/libsss_ldap_common.so
%{_libdir}/%{name}/libsss_util.so
%{_libdir}/%{name}/libifp_iface.so
%{_libdir}/%{name}/libifp_iface_sync.so
%{_libdir}/%{name}/libsss_iface.so
%{_libdir}/%{name}/libsss_iface_sync.so
%{_libdir}/%{name}/libsss_sbus.so
%{_libdir}/%{name}/libsss_sbus_sync.so

%{ldb_modulesdir}/memberof.so
%{_bindir}/sss_ssh_authorizedkeys
%{_bindir}/sss_ssh_knownhosts
%{_bindir}/sss_ssh_knownhostsproxy
%{_sbindir}/sss_cache
%{_libexecdir}/%{servicename}/sss_signal

%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
%dir %{_localstatedir}/cache/krb5rcache
%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{secdbpath}
%attr(771,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd
%attr(775,%{sssd_user},%{sssd_user}) %dir %{_rundir}/sssd
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
%dir %{_libdir}/%{name}/conf
%{_libdir}/%{name}/conf/sssd.conf

%{_datadir}/sssd/cfg_rules.ini
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhosts.1*
%if %{build_ssh_known_hosts_proxy}
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
%endif
%{_mandir}/man5/sssd.conf.5*
%if 0%{?rhel} == 9
%{_mandir}/man5/sssd-files.5*
%endif
%{_mandir}/man5/sssd-simple.5*
%{_mandir}/man5/sssd-sudo.5*
%{_mandir}/man5/sssd-session-recording.5*
%{_mandir}/man8/sssd.8*
%{_mandir}/man8/sss_cache.8*
%dir %{_datadir}/sssd/systemtap
%{_datadir}/sssd/systemtap/id_perf.stp
%{_datadir}/sssd/systemtap/nested_group_perf.stp
%{_datadir}/sssd/systemtap/dp_request.stp
%{_datadir}/sssd/systemtap/ldap_perf.stp
%dir %{_datadir}/systemtap
%dir %{_datadir}/systemtap/tapset
%{_datadir}/systemtap/tapset/sssd.stp
%{_datadir}/systemtap/tapset/sssd_functions.stp
%{_mandir}/man5/sssd-systemtap.5*
%if %{use_sysusers}
%{_sysusersdir}/sssd.conf
%endif
%if %{use_sssd_user}
%if 0%{?rhel} == 9
%files polkit-rules
%endif
%{_datadir}/polkit-1/rules.d/*
%endif


%files ldap -f sssd_ldap.lang
%license COPYING
%{_libdir}/%{name}/libsss_ldap.so
%{_mandir}/man5/sssd-ldap.5*
%{_mandir}/man5/sssd-ldap-attributes.5*

%files krb5-common
%license COPYING
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/ldap_child
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search,cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/krb5_child

%files krb5 -f sssd_krb5.lang
%license COPYING
%{_libdir}/%{name}/libsss_krb5.so
%{_mandir}/man5/sssd-krb5.5*
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
%dir %{_datadir}/sssd/krb5-snippets
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir

%files common-pac
%license COPYING
%{_libexecdir}/%{servicename}/sssd_pac

%files ipa -f sssd_ipa.lang
%license COPYING
%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%{_libdir}/%{name}/libsss_ipa.so
%attr(0750,root,%{sssd_user}) %caps(cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5*

%files ad -f sssd_ad.lang
%license COPYING
%{_libdir}/%{name}/libsss_ad.so
%{_libexecdir}/%{servicename}/gpo_child
%{_mandir}/man5/sssd-ad.5*

%files proxy
%license COPYING
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
%{_libdir}/%{name}/libsss_proxy.so

%files dbus -f sssd_dbus.lang
%license COPYING
%{_libexecdir}/%{servicename}/sssd_ifp
%{_mandir}/man5/sssd-ifp.5*
%{_unitdir}/sssd-ifp.service
# InfoPipe DBus plumbing
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service

%if 0%{?rhel} == 9
%files -n libsss_simpleifp
%{_libdir}/libsss_simpleifp.so.*

%files -n libsss_simpleifp-devel
%doc sss_simpleifp_doc/html
%{_includedir}/sss_sifp.h
%{_includedir}/sss_sifp_dbus.h
%{_libdir}/libsss_simpleifp.so
%{_libdir}/pkgconfig/sss_simpleifp.pc
%endif

%files client -f sssd_client.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libnss_sss.so.2
%if %{build_subid}
%{_libdir}/libsubid_sss.so
%endif
%{_libdir}/security/pam_sss.so
%{_libdir}/security/pam_sss_gss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
%dir %{_libdir}/cifs-utils
%{_libdir}/cifs-utils/cifs_idmap_sss.so
%dir %{_sysconfdir}/cifs-utils
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/pam_sss_gss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
%{_mandir}/man8/sssd_krb5_localauth_plugin.8*

%files -n libsss_sudo
%license src/sss_client/COPYING
%{_libdir}/libsss_sudo.so*

%files -n libsss_autofs
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/libsss_autofs.so

%files tools -f sssd_tools.lang
%license COPYING
%{_sbindir}/sss_obfuscate
%{_sbindir}/sss_override
%{_sbindir}/sss_debuglevel
%{_sbindir}/sss_seed
%{_sbindir}/sssctl
%{_libexecdir}/%{servicename}/sss_analyze
%{python3_sitelib}/sssd/
%{_mandir}/man8/sss_obfuscate.8*
%{_mandir}/man8/sss_override.8*
%{_mandir}/man8/sss_debuglevel.8*
%{_mandir}/man8/sss_seed.8*
%{_mandir}/man8/sssctl.8*

%files -n python3-sssdconfig -f python3_sssdconfig.lang
%dir %{python3_sitelib}/SSSDConfig
%{python3_sitelib}/SSSDConfig/*.py*
%dir %{python3_sitelib}/SSSDConfig/__pycache__
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
%dir %{_datadir}/sssd
%{_datadir}/sssd/sssd.api.conf
%{_datadir}/sssd/sssd.api.d

%files -n python3-sss
%{python3_sitearch}/pysss.so

%files -n python3-sss-murmur
%{python3_sitearch}/pysss_murmur.so

%files -n libsss_idmap
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_idmap.so.*

%files -n libsss_idmap-devel
%doc idmap_doc/html
%{_includedir}/sss_idmap.h
%{_libdir}/libsss_idmap.so
%{_libdir}/pkgconfig/sss_idmap.pc

%files -n libipa_hbac
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libipa_hbac.so.*

%files -n libipa_hbac-devel
%doc hbac_doc/html
%{_includedir}/ipa_hbac.h
%{_libdir}/libipa_hbac.so
%{_libdir}/pkgconfig/ipa_hbac.pc

%files -n libsss_nss_idmap
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_nss_idmap.so.*

%files -n libsss_nss_idmap-devel
%doc nss_idmap_doc/html
%{_includedir}/sss_nss_idmap.h
%{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc

%files -n python3-libsss_nss_idmap
%{python3_sitearch}/pysss_nss_idmap.so

%files -n python3-libipa_hbac
%{python3_sitearch}/pyhbac.so

%files winbind-idmap -f sssd_winbind_idmap.lang
%dir %{_libdir}/samba/idmap
%{_libdir}/samba/idmap/sss.so
%{_mandir}/man8/idmap_sss.8*

%files nfs-idmap -f sssd_nfs_idmap.lang
%{_mandir}/man5/sss_rpcidmapd.5*
%{_libdir}/libnfsidmap/sss.so

%files -n libsss_certmap -f libsss_certmap.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_certmap.so.*
%{_mandir}/man5/sss-certmap.5*

%files -n libsss_certmap-devel
%doc certmap_doc/html
%{_includedir}/sss_certmap.h
%{_libdir}/libsss_certmap.so
%{_libdir}/pkgconfig/sss_certmap.pc

%files kcm -f sssd_kcm.lang
%{_libexecdir}/%{servicename}/sssd_kcm
%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
%dir %{_datadir}/sssd-kcm
%{_datadir}/sssd-kcm/kcm_default_ccache
%{_unitdir}/sssd-kcm.socket
%{_unitdir}/sssd-kcm.service
%{_mandir}/man8/sssd-kcm.8*

%files idp
%{_libexecdir}/%{servicename}/oidc_child
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp

%if %{build_passkey}
%files passkey
%{_libexecdir}/%{servicename}/passkey_child
%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
%if "%{sssd_user}" != "root"
%{_udevrulesdir}/90-sssd-token-access.rules
%endif
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%endif

%if %{use_sssd_user}
%pre common
! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true
%if %{use_sysusers}
%sysusers_create_compat %{SOURCE1}
%else
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologin -c "User for sssd" sssd
%endif
%endif

%post common
%systemd_post sssd.service
%systemd_post sssd-autofs.socket
%systemd_post sssd-nss.socket
%systemd_post sssd-pac.socket
%systemd_post sssd-pam.socket
%systemd_post sssd-ssh.socket
%systemd_post sssd-sudo.socket
%__rm -f %{mcpath}/passwd
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
%__chmod -f -R g+r %{_sysconfdir}/sssd || true
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
%__chown -f -R %{sssd_user}:%{sssd_user} %{gpocachepath} || true

%preun common
%systemd_preun sssd.service
%systemd_preun sssd-autofs.socket
%systemd_preun sssd-nss.socket
%systemd_preun sssd-pac.socket
%systemd_preun sssd-pam.socket
%systemd_preun sssd-ssh.socket
%systemd_preun sssd-sudo.socket

%postun common
%__rm -f %{mcpath}/passwd
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%systemd_postun_with_restart sssd-autofs.socket
%systemd_postun_with_restart sssd-nss.socket
%systemd_postun_with_restart sssd-pac.socket
%systemd_postun_with_restart sssd-pam.socket
%systemd_postun_with_restart sssd-ssh.socket
%systemd_postun_with_restart sssd-sudo.socket

# Services have RefuseManualStart=true, therefore we can't request restart.
%systemd_postun sssd-autofs.service
%systemd_postun sssd-nss.service
%systemd_postun sssd-pac.service
%systemd_postun sssd-pam.service
%systemd_postun sssd-ssh.service
%systemd_postun sssd-sudo.service

%post dbus
%systemd_post sssd-ifp.service

%preun dbus
%systemd_preun sssd-ifp.service

%postun dbus
%systemd_postun_with_restart sssd-ifp.service

%post kcm
%systemd_post sssd-kcm.socket

%preun kcm
%systemd_preun sssd-kcm.socket

%postun kcm
%systemd_postun_with_restart sssd-kcm.socket
%systemd_postun_with_restart sssd-kcm.service

%post client
/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20

%preun client
if [ $1 -eq 0 ] ; then
        /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so || true
fi

%posttrans common
%systemd_postun_with_restart sssd.service

%changelog
* Thu Jan 21 2021 Pavel Březina <pbrezina@redhat.com> - sssd-9.pr7762-05902
- Built from upstream sources.