# SSSD SPEC file for Fedora 34+ and RHEL-9+

# Upstream version is using pre-release version with dash as a separator
# since git does not support tilde in tag name. On the other side, Fedora and
# RHEL requires tilde as a separator to correctly order builds.
# For example: 2.10.0-beta1 vs 2.10.0~beta1
# The shell expansion below runs when the spec is parsed; here it only
# rewrites a fixed literal.
%global upstream_version 9.pr7779
%global downstream_version %(echo "9.pr7779" | sed 's/-/~/g')

# define SSSD user
# sssd_user is the account handed to configure through --with-sssd-user and
# used as owner or group in the file lists: a dedicated "sssd" account on
# Fedora 41+ and on any RHEL, root everywhere else.
%if 0%{?fedora} >= 41 || 0%{?rhel}
%global use_sssd_user 1
%global sssd_user sssd
%else
%global use_sssd_user 0
%global sssd_user root
%endif

# sysusers depends on presence of sssd user
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global use_sysusers 1
%else
%global use_sysusers 0
%endif

# Feature switches: each one gates BuildRequires, configure options and
# file-list entries further down.
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
%global build_subid 1
%else
%global build_subid 0
%endif

# KCM renewals also pin a minimum krb5 version per distribution.
%if 0%{?fedora} >= 34
%global build_kcm_renewals 1
%global krb5_version 1.19.1
%elif 0%{?rhel} >= 8
%global build_kcm_renewals 1
%global krb5_version 1.18.2
%else
%global build_kcm_renewals 0
%endif

%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9
%global build_passkey 1
%else
%global build_passkey 0
%endif

# Note the inverted sense: the proxy tool is switched off on the newest
# targets (Fedora 41+, RHEL 10+) and on everywhere else.
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
%global build_ssh_known_hosts_proxy 0
%else
%global build_ssh_known_hosts_proxy 1
%endif

# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
# Requests the distribution's hardened build flags; the flags themselves are
# defined by the distribution's rpm macros, not by this file.
%define _hardened_build 1

# Determine the location of the LDB modules directory
# (shell expansion: queries pkg-config in the build environment at parse time)
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.2.0

# Version-release of the samba-devel present in the build environment; used
# below as the minimum samba-client-libs for the ipa and ad subpackages.
# NOTE(review): rpm -q writes its "not installed" message to standard output,
# so parsing this spec where samba-devel is absent would put that message
# into the Requires value - confirm the build root always has it.
# NOTE(review): the version and release references sit before the Version
# and Release tags; presumably they reach rpm -q unexpanded and act as
# query-format tags - confirm.
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})

Name: sssd
Version: %{downstream_version}
Release: 05950%{?dist}
Summary: System Security Services Daemon
License: GPL-3.0-or-later
URL: https://github.com/SSSD/sssd/
# Source0 is fetched by URL; no checksum or signature check of the tarball is
# expressed in this file.
Source0: %{url}/archive/%{upstream_version}/%{name}-%{upstream_version}.tar.gz
Source1: sssd.sysusers

### Patches ###
# Place your patches here:
# Patch0001: 0001-patch-file.patch

### Downstream only patches ###
# Place your downstream only patches here:
# Patch0901: 0901-downstream-only-patch-file.patch

### Dependencies ###

# The main package is a meta-package: every back end is required at exactly
# the same version-release, so subpackages cannot be mixed across builds.
Requires: sssd-ad = %{version}-%{release}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-ipa = %{version}-%{release}
Requires: sssd-krb5 = %{version}-%{release}
Requires: sssd-ldap = %{version}-%{release}
Requires: sssd-proxy = %{version}-%{release}
Suggests: logrotate
Suggests: procps-ng
Suggests: python3-sssdconfig = %{version}-%{release}
Suggests: sssd-dbus = %{version}-%{release}

# Runtime state layout. These paths are passed to configure and reappear in
# the file lists with explicit owner and mode.
%global servicename sssd
%global sssdstatedir %{_localstatedir}/lib/sss
%global dbpath %{sssdstatedir}/db
%global keytabdir %{sssdstatedir}/keytabs
%global pipepath %{sssdstatedir}/pipes
%global mcpath %{sssdstatedir}/mc
%global pubconfpath %{sssdstatedir}/pubconf
%global gpocachepath %{sssdstatedir}/gpo_cache
%global secdbpath %{sssdstatedir}/secrets
%global deskprofilepath %{sssdstatedir}/deskprofile

### Build Dependencies ###

BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bind-utils
BuildRequires: c-ares-devel
BuildRequires: check-devel
BuildRequires: cifs-utils-devel
BuildRequires: dbus-devel
BuildRequires: docbook-style-xsl
BuildRequires: doxygen
BuildRequires: findutils
BuildRequires: gcc
BuildRequires: gdm-pam-extensions-devel
BuildRequires: gettext-devel
# required for p11_child smartcard tests
BuildRequires: gnutls-utils
BuildRequires: jansson-devel
BuildRequires: libcap-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: keyutils-libs-devel
BuildRequires: krb5-devel
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libdhash-devel >= 0.4.2
%if %{build_passkey}
BuildRequires: libfido2-devel
%endif
BuildRequires: libini_config-devel >= 1.3
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libnfsidmap-devel
BuildRequires: libnl3-devel
BuildRequires: libselinux-devel
BuildRequires: libsemanage-devel
BuildRequires: libsmbclient-devel
BuildRequires: libtalloc-devel
BuildRequires: libtdb-devel
BuildRequires: libtevent-devel
BuildRequires: libtool
BuildRequires: libunistring
BuildRequires: libunistring-devel
BuildRequires: libuuid-devel
BuildRequires: libxml2
BuildRequires: libxslt
BuildRequires: m4
BuildRequires: make
BuildRequires: nss_wrapper
BuildRequires: openldap-devel
# required for p11_child smartcard tests
BuildRequires: openssh
BuildRequires: openssl >= 1.0.1
BuildRequires: openssl-devel >= 1.0.1
BuildRequires: p11-kit-devel
BuildRequires: pam_wrapper
BuildRequires: pam-devel
BuildRequires: pcre2-devel
BuildRequires: pkgconfig
BuildRequires: popt-devel
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: samba-devel
# required for idmap_sss.so
BuildRequires: samba-winbind
BuildRequires: selinux-policy-targeted
# required for p11_child smartcard tests
BuildRequires: softhsm >= 2.1.0
BuildRequires: bc
BuildRequires: systemd-devel
BuildRequires: systemtap-sdt-devel
%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
BuildRequires: systemtap-sdt-dtrace
%endif
BuildRequires: uid_wrapper
BuildRequires: po4a
BuildRequires: valgrind-devel
%if %{build_subid}
BuildRequires: shadow-utils-subid-devel
%endif
%if %{build_kcm_renewals}
BuildRequires: krb5-libs >= %{krb5_version}
%endif
%if %{use_sysusers} || %{build_passkey}
BuildRequires: systemd-rpm-macros
%{?sysusers_requires_compat}
%endif

%description
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable back end system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

The sssd subpackage is a meta-package that contains the daemon as well as all
the existing back ends.
%package common
# Core daemon package: every back end subpackage requires it at the same
# version-release.
Summary: Common files for the SSSD
License: GPL-3.0-or-later
%if 0%{?rhel} != 9
# libsss_simpleifp is removed starting 2.9.0
Obsoletes: libsss_simpleifp < 2.9.0
Obsoletes: libsss_simpleifp-debuginfo < 2.9.0
%endif
# Outside RHEL 9 the polkit rules ship inside this package when a dedicated
# service account is used, so the old standalone subpackage is obsoleted.
%if 0%{?rhel} != 9
%if %{use_sssd_user}
Obsoletes: sssd-polkit-rules < 2.10.0
%endif
%endif
# Requires
# due to ABI changes in 1.1.30/1.2.0
Requires: libldb >= %{ldb_version}
Requires: sssd-client%{?_isa} = %{version}-%{release}
# Boolean dependencies: the integration library is only pulled in when the
# consumer named after "if" is installed.
Requires: (libsss_sudo = %{version}-%{release} if sudo)
Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
# The post and postun scriptlets of this package call rm, chown and chmod.
Requires(post): coreutils
Requires(postun): coreutils
# The pre scriptlet calls usermod, groupadd and useradd when a dedicated
# service account is in use.
%if %{use_sssd_user}
Requires(pre): shadow-utils
%endif
%{?systemd_requires}

### Provides ###
Provides: libsss_sudo-devel = %{version}-%{release}
Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1

%description common
Common files for the SSSD. The common package includes all the files needed
to run a particular back end, however, the back ends are packaged in separate
subpackages such as sssd-ldap.

%package client
# NSS and PAM client modules; this package also registers the cifs idmap
# plugin through alternatives in its scriptlets.
Summary: SSSD Client libraries for NSS and PAM
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires(post): /usr/sbin/alternatives
Requires(preun): /usr/sbin/alternatives

%description client
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
service.
%package -n libsss_sudo
# Conflicts with an older sssd-common so that library and daemon cannot be
# mixed across builds.
Summary: A library to allow communication between SUDO and SSSD
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_sudo
A utility library to allow communication between SUDO and SSSD

%package -n libsss_autofs
# Same version guard as libsss_sudo.
Summary: A library to allow communication between Autofs and SSSD
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_autofs
A utility library to allow communication between Autofs and SSSD

%package tools
# Administrative command line tools.
# NOTE(review): sss_obfuscate yields an obfuscated value, not an encrypted
# one; the 0600 mode on sssd.conf remains the actual protection for the
# stored LDAP password.
# NOTE(review): python3-systemd and sssd-dbus are required without a version;
# every other sssd subpackage dependency here is pinned to this build.
Summary: Userspace tools for use with the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
# for logger=journald support with sss_analyze
Requires: python3-systemd
Requires: sssd-dbus

%description tools
Provides several administrative tools:
    * sss_debuglevel to change the debug level on the fly
    * sss_seed which pre-creates a user entry for use in kickstarts
    * sss_obfuscate for generating an obfuscated LDAP password
    * sssctl -- an sssd status and control utility

%package -n python3-sssdconfig
# Pure Python (noarch) configuration helpers.
Summary: SSSD and IPA configuration file manipulation classes and functions
License: GPL-3.0-or-later
BuildArch: noarch
%{?python_provide:%python_provide python3-sssdconfig}

%description -n python3-sssdconfig
Provides python3 files for manipulation SSSD and IPA configuration files.
%package -n python3-sss
# Compiled Python bindings; the password class obfuscates, it does not
# encrypt (see the description wording).
Summary: Python3 bindings for sssd
License: LGPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%{?python_provide:%python_provide python3-sss}

%description -n python3-sss
Provides python3 bindings:
    * function for retrieving list of groups user belongs to
    * class for obfuscation of passwords

%package -n python3-sss-murmur
# MurmurHash3 is a non-cryptographic hash: fine for bucketing, not for
# integrity or authentication.
Summary: Python3 bindings for murmur hash function
License: LGPL-3.0-or-later
%{?python_provide:%python_provide python3-sss-murmur}

%description -n python3-sss-murmur
Provides python3 module for calculating the murmur hash version 3

%package ldap
# LDAP identity and authentication provider; needs the Kerberos helper
# package as well.
Summary: The LDAP back end of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}

%description ldap
Provides the LDAP back end that the SSSD can utilize to fetch identity data
from and authenticate against an LDAP server.

%package krb5-common
# Ships ldap_child and krb5_child, the helpers that carry file capabilities
# in the file list of this package.
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: sssd-common = %{version}-%{release}

%description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can use for
Kerberos user or host authentication.

%package krb5
# Kerberos authentication provider.
Summary: The Kerberos authentication back end for the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}

%description krb5
Provides the Kerberos back end that the SSSD can utilize authenticate
against a Kerberos server.

%package common-pac
# PAC responder shared by the IPA and AD providers.
Summary: Common files needed for supporting PAC processing
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}

%description common-pac
Provides common files needed by SSSD providers such as IPA and Active Directory
for handling Kerberos PACs.
%package ipa
# IPA provider. The samba-client-libs floor is whatever samba-devel version
# was present at build time (samba_package_version), so the installed Samba
# libraries are never older than the ones this build linked against.
Summary: The IPA back end of the SSSD
License: GPL-3.0-or-later
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}

%description ipa
Provides the IPA back end that the SSSD can utilize to fetch identity data
from and authenticate against an IPA server.

%package ad
# Active Directory provider; same build-time Samba floor as the IPA provider.
# adcli and bind-utils are weak dependencies only.
Summary: The AD back end of the SSSD
License: GPL-3.0-or-later
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Recommends: adcli
Suggests: sssd-winbind-idmap = %{version}-%{release}

%description ad
Provides the Active Directory back end that the SSSD can utilize to fetch
identity data from and authenticate against an Active Directory server.

%package proxy
# Proxy provider; its helper proxy_child is restricted to root and the
# service group in the file list.
Summary: The proxy back end of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}

%description proxy
Provides the proxy back end which can be used to wrap an existing NSS and/or
PAM modules to leverage SSSD caching.
%package -n libsss_idmap
# SID to POSIX id mapping library (runtime part).
Summary: FreeIPA Idmap library
License: LGPL-3.0-or-later

%description -n libsss_idmap
Utility library to convert SIDs to Unix uids and gids

%package -n libsss_idmap-devel
# Headers and pkg-config data for libsss_idmap, pinned to the same build.
Summary: FreeIPA Idmap library
License: LGPL-3.0-or-later
Requires: libsss_idmap = %{version}-%{release}

%description -n libsss_idmap-devel
Utility library to SIDs to Unix uids and gids

%package -n libipa_hbac
# Host-based access control rule evaluator (runtime part).
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later

%description -n libipa_hbac
Utility library to validate FreeIPA HBAC rules for authorization requests

%package -n libipa_hbac-devel
# Headers and pkg-config data for libipa_hbac, pinned to the same build.
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Requires: libipa_hbac = %{version}-%{release}

%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests

%package -n python3-libipa_hbac
# Python bindings for libipa_hbac, pinned to the same build.
Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Requires: libipa_hbac = %{version}-%{release}
%{?python_provide:%python_provide python3-libipa_hbac}

%description -n python3-libipa_hbac
The python3-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.
%package -n libsss_nss_idmap
# Lookup library for SID and certificate based queries (runtime part).
Summary: Library for SID and certificate based lookups
License: LGPL-3.0-or-later

%description -n libsss_nss_idmap
Utility library for SID and certificate based lookups

%package -n libsss_nss_idmap-devel
# Headers and pkg-config data, pinned to the same build.
Summary: Library for SID and certificate based lookups
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}

%description -n libsss_nss_idmap-devel
Utility library for SID and certificate based lookups

%package -n python3-libsss_nss_idmap
# Python bindings, pinned to the same build.
Summary: Python3 bindings for libsss_nss_idmap
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
%{?python_provide:%python_provide python3-libsss_nss_idmap}

%description -n python3-libsss_nss_idmap
The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications.

%package dbus
# InfoPipe responder: exposes SSSD data on the system bus, so the D-Bus
# policy file shipped in its file list is part of the access control surface.
Summary: The D-Bus responder of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%{?systemd_requires}

%description dbus
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
the information from the SSSD to be transmitted over the system bus.

# RHEL 9 only: polkit-rules (when a dedicated service account is used) and
# the simpleifp library remain separate subpackages. On other targets
# sssd-common obsoletes them.
%if 0%{?rhel} == 9
%if %{use_sssd_user}
%package polkit-rules
Summary: Rules for polkit integration for SSSD
Group: Applications/System
License: GPL-3.0-or-later
Requires: polkit >= 0.106
Requires: sssd-common = %{version}-%{release}

%description polkit-rules
Provides rules for polkit integration with SSSD. This is required
for smartcard support if SSSD service is running as user 'sssd'.
%endif

%package -n libsss_simpleifp
Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later
Requires: sssd-dbus = %{version}-%{release}

%description -n libsss_simpleifp
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.

%package -n libsss_simpleifp-devel
Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later
Requires: dbus-devel
Requires: libsss_simpleifp = %{version}-%{release}

%description -n libsss_simpleifp-devel
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
%endif

%package winbind-idmap
# idmap_sss plug-in loaded by Winbind.
Summary: SSSD's idmap_sss Backend for Winbind
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Conflicts: sssd-common < %{version}-%{release}

%description winbind-idmap
The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
and SIDs.

%package nfs-idmap
# libnfsidmap plug-in loaded by rpc.idmapd.
Summary: SSSD plug-in for NFSv4 rpc.idmapd
License: GPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description nfs-idmap
The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
UIDs/GIDs to names and vice versa. It can be also used for mapping principal
(user) name to IDs(UID or GID) or to obtain groups which user are member of.

%package -n libsss_certmap
# Certificate-to-user mapping rules library (runtime part).
Summary: SSSD Certificate Mapping Library
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_certmap
Library to map certificates to users based on rules

%package -n libsss_certmap-devel
# Headers and pkg-config data, pinned to the same build.
Summary: SSSD Certificate Mapping Library
License: LGPL-3.0-or-later
Requires: libsss_certmap = %{version}-%{release}

%description -n libsss_certmap-devel
Library to map certificates to users based on rules

%package kcm
# Kerberos credential cache server. With renewals enabled it needs the
# Kerberos helpers and a minimum krb5-libs (krb5_version).
Summary: An implementation of a Kerberos KCM server
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%if %{build_kcm_renewals}
Requires: krb5-libs >= %{krb5_version}
Requires: sssd-krb5-common = %{version}-%{release}
%endif
%{?systemd_requires}

%description kcm
An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache.
%package idp
# External identity provider support: Kerberos plugins plus the oidc_child
# helper that talks to the provider.
Summary: Kerberos plugins and OIDC helper for external identity providers.
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}

%description idp
This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided.

%if %{build_passkey}
%package passkey
# acl is only required when the service account is not root; the same
# condition gates the udev rule installed for this package.
Summary: SSSD helpers and plugins needed for authentication with passkey token
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libfido2
%if "%{sssd_user}" != "root"
Requires: acl
%endif

%description passkey
This package provides helper processes and Kerberos plugins that are required to
enable authentication with passkey token.
%endif

%prep
%autosetup -n %{name}-%{upstream_version} -p1

%build

autoreconf -ivf

# Security-relevant configure inputs:
#  - --with-sssd-user receives the service account chosen at the top of the
#    file (root or sssd);
#  - the db, pipe, memory-cache, pubconf and GPO cache paths are the same
#    macros that the file lists later give explicit owner and mode;
#  - --with-test-dir=/dev/shm is presumably a scratch location for the test
#    suite only - confirm it is not used at runtime.
# NOTE(review): on RHEL 9 --with-ssh-known-hosts-proxy is passed twice, once
# from the RHEL 9 block and once from the build_ssh_known_hosts_proxy block
# (which is 1 there).
# No comment lines may be added inside the continued command below.
%configure \
    --runstatedir=%{_rundir} \
    --disable-rpath \
    --disable-static \
    --enable-gss-spnego-for-zero-maxssf \
    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
    --enable-nsslibdir=%{_libdir} \
    --enable-pammoddir=%{_libdir}/security \
    --enable-sss-default-nss-plugin \
    --enable-systemtap \
    --with-db-path=%{dbpath} \
    --with-gpo-cache-path=%{gpocachepath} \
    --with-init-dir=%{_initrddir} \
    --with-initscript=systemd \
    --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
    --with-mcache-path=%{mcpath} \
    --with-pipe-path=%{pipepath} \
    --with-pubconf-path=%{pubconfpath} \
    --with-sssd-user=%{sssd_user} \
    --with-syslog=journald \
    --with-test-dir=/dev/shm \
%if 0%{?rhel} == 9
    --with-libsifp \
    --with-conf-service-user-support \
    --with-files-provider \
    --with-extended-enumeration-support \
    --with-ssh-known-hosts-proxy \
    --with-allow-remote-domain-local-groups \
%endif
%if %{build_subid}
    --with-subid \
%endif
%if ! %{use_sssd_user}
    --disable-polkit-rules-path \
%endif
%if %{build_passkey}
    --with-passkey \
%endif
%if %{build_ssh_known_hosts_proxy}
    --with-ssh-known-hosts-proxy \
%endif
    %{nil}

%make_build all docs runstatedir=%{_rundir}

# Point both Python tools at the python3 interpreter.
%py3_shebang_fix src/tools/analyzer/sss_analyze
sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate

%check
# The test suite runs as part of the package build, with a raised timeout
# multiplier that is unset again afterwards.
export CK_TIMEOUT_MULTIPLIER=10
%make_build check VERBOSE=yes
unset CK_TIMEOUT_MULTIPLIER

%install

%make_install

# Prepare language files
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd

# Copy default logrotate file
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sssd

# Make sure SSSD is able to run on read-only root
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd

# The snippets copied into krb5.conf.d below change system-wide Kerberos
# configuration as soon as the owning subpackage is installed.
# Kerberos KCM credential cache by default
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache

# Enable krb5 idp plugins by default (when sssd-idp package is installed)
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp

# Enable krb5 passkey plugins by default (when sssd-passkey package is installed)
%if %{build_passkey}
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
# udev rule shipped only for a non-root service account; presumably it grants
# that account access to the token device - the rule content is not shown here.
%if "%{sssd_user}" != "root"
install -D -p -m 0644 contrib/90-sssd-token-access.rules %{buildroot}%{_udevrulesdir}/90-sssd-token-access.rules
%endif
%endif

# krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir

# Create directory for cifs-idmap alternative
# Otherwise this directory could not be owned by sssd-client
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils

# tmpfiles.d config
install -D -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf

# Remove .la files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;

# Suppress developer-only documentation
rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}

# Older versions of rpmbuild can only handle one -f option
# So we need to append to the sssd*.lang file
for file in `find $RPM_BUILD_ROOT/%{python3_sitelib} -maxdepth 1 -name "*.egg-info" 2> /dev/null`
do
    echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
done

# Make sure every per-subpackage list exists even if nothing is appended.
touch sssd.lang
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
                  libsss_certmap sssd_kcm
do
    touch $subpackage.lang
done

# Sort translated man pages into the list of the subpackage that owns them.
# The language is taken from the first two characters of the relative path.
# Pattern order matters: sss_cache, sss_ssh and sss_rpcidmapd must be tested
# before the generic sss_ pattern, and anything unmatched lands in sssd.lang.
for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
do
    lang=`echo $man | cut -c 1-2`
    case `basename $man` in
        sss_cache*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
        sss_ssh*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
        sss_rpcidmapd*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_nfs_idmap.lang
            ;;
        sss_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
            ;;
        sssctl*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
            ;;
        sssd_krb5_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
            ;;
        pam_sss*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
            ;;
        sssd-ldap*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang
            ;;
        sssd-krb5*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_krb5.lang
            ;;
        sssd-ipa*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ipa.lang
            ;;
        sssd-ad*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ad.lang
            ;;
        sssd-proxy*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_proxy.lang
            ;;
        sssd-ifp*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
            ;;
        sssd-kcm*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
            ;;
        idmap_sss*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
            ;;
        sss-certmap*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
            ;;
        *)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
    esac
done

# Print these to the rpmbuild log
echo "sssd.lang:"
cat sssd.lang

echo "python3_sssdconfig.lang:"
cat python3_sssdconfig.lang

for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
                  libsss_certmap sssd_kcm
do
    echo "$subpackage.lang:"
    cat $subpackage.lang
done

%if %{use_sysusers}
install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
%endif

%files
%license COPYING

%files common -f sssd.lang
%license COPYING
%doc src/examples/sssd-example.conf
%{_sbindir}/sssd
%{_unitdir}/sssd.service
%{_unitdir}/sssd-autofs.socket
%{_unitdir}/sssd-autofs.service
%{_unitdir}/sssd-nss.socket
%{_unitdir}/sssd-nss.service
%{_unitdir}/sssd-pac.socket
%{_unitdir}/sssd-pac.service
%{_unitdir}/sssd-pam.socket
%{_unitdir}/sssd-pam.service
%{_unitdir}/sssd-ssh.socket
%{_unitdir}/sssd-ssh.service
%{_unitdir}/sssd-sudo.socket
%{_unitdir}/sssd-sudo.service
%{_tmpfilesdir}/%{name}.conf
%dir %{_libexecdir}/%{servicename}
%{_libexecdir}/%{servicename}/sssd_be
%{_libexecdir}/%{servicename}/sssd_nss
# sssd_pam is the only responder listed with explicit attributes: mode 0750,
# owner root, group set to the service account, plus cap_dac_read_search in
# the permitted set only. No setuid bit is involved. Capability drift after
# install can be checked with getcap or rpm -V.
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/sssd_pam
%{_libexecdir}/%{servicename}/sssd_autofs
%{_libexecdir}/%{servicename}/sssd_ssh
%{_libexecdir}/%{servicename}/sssd_sudo
%{_libexecdir}/%{servicename}/p11_child
%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders

%dir %{_libdir}/%{name}
%if 0%{?rhel} == 9
%{_libdir}/%{name}/libsss_files.so
%endif
%{_libdir}/%{name}/libsss_simple.so

#Internal shared libraries
%{_libdir}/%{name}/libsss_child.so
%{_libdir}/%{name}/libsss_crypt.so
%{_libdir}/%{name}/libsss_cert.so
%{_libdir}/%{name}/libsss_debug.so
%{_libdir}/%{name}/libsss_krb5_common.so
%{_libdir}/%{name}/libsss_ldap_common.so
%{_libdir}/%{name}/libsss_util.so
%{_libdir}/%{name}/libifp_iface.so
%{_libdir}/%{name}/libifp_iface_sync.so
%{_libdir}/%{name}/libsss_iface.so
%{_libdir}/%{name}/libsss_iface_sync.so
%{_libdir}/%{name}/libsss_sbus.so
%{_libdir}/%{name}/libsss_sbus_sync.so

%{ldb_modulesdir}/memberof.so
%{_bindir}/sss_ssh_authorizedkeys
%{_bindir}/sss_ssh_knownhosts
%{_bindir}/sss_ssh_knownhostsproxy
%{_sbindir}/sss_cache
%{_libexecdir}/%{servicename}/sss_signal

# State directories, all owned by the service account and its group.
#  - 775 (others may read and traverse): state root, memory cache, pipes,
#    pubconf;
#  - 771 (others may traverse only): deskprofile;
#  - 770 (no access for others): db, secrets, private pipes, GPO cache, logs.
# The krb5rcache directory is listed without attributes and so takes the
# packaging defaults.
%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
%dir %{_localstatedir}/cache/krb5rcache
%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{secdbpath}
%attr(771,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
%attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
# Configuration directories stay root-owned; the service group gets read and
# traverse only (750), so the service account cannot create files in them.
%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd
%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
# sssd.conf is a ghost entry: the package owns the path and records mode 0600
# for it, but ships no content.
%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd
%attr(775,%{sssd_user},%{sssd_user}) %dir %{_rundir}/sssd
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
%dir %{_libdir}/%{name}/conf
%{_libdir}/%{name}/conf/sssd.conf

%{_datadir}/sssd/cfg_rules.ini
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhosts.1*
# Only the manual page is conditional here; the sss_ssh_knownhostsproxy
# binary above is listed unconditionally.
%if %{build_ssh_known_hosts_proxy}
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
%endif
%{_mandir}/man5/sssd.conf.5*
%if 0%{?rhel} == 9
%{_mandir}/man5/sssd-files.5*
%endif
%{_mandir}/man5/sssd-simple.5*
%{_mandir}/man5/sssd-sudo.5*
%{_mandir}/man5/sssd-session-recording.5*
%{_mandir}/man8/sssd.8*
%{_mandir}/man8/sss_cache.8*
%dir %{_datadir}/sssd/systemtap
%{_datadir}/sssd/systemtap/id_perf.stp
%{_datadir}/sssd/systemtap/nested_group_perf.stp
%{_datadir}/sssd/systemtap/dp_request.stp
%{_datadir}/sssd/systemtap/ldap_perf.stp
%dir %{_datadir}/systemtap
%dir %{_datadir}/systemtap/tapset
%{_datadir}/systemtap/tapset/sssd.stp
%{_datadir}/systemtap/tapset/sssd_functions.stp
%{_mandir}/man5/sssd-systemtap.5*
%if %{use_sysusers}
%{_sysusersdir}/sssd.conf
%endif

# With a dedicated service account the polkit rules are always shipped. On
# RHEL 9 a separate file list is opened for them; elsewhere the line below
# still belongs to the sssd-common list.
%if %{use_sssd_user}
%if 0%{?rhel} == 9
%files polkit-rules
%endif
%{_datadir}/polkit-1/rules.d/*
%endif

%files ldap -f sssd_ldap.lang
%license COPYING
%{_libdir}/%{name}/libsss_ldap.so
%{_mandir}/man5/sssd-ldap.5*
%{_mandir}/man5/sssd-ldap-attributes.5*

%files krb5-common
%license COPYING
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
# Helper binaries: mode 0750, owner root, group set to the service account,
# capabilities in the permitted set only. ldap_child gets
# cap_dac_read_search; krb5_child additionally gets cap_setuid and
# cap_setgid, the widest set granted anywhere in this file.
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/ldap_child
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search,cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/krb5_child

%files krb5 -f sssd_krb5.lang
%license COPYING
%{_libdir}/%{name}/libsss_krb5.so
%{_mandir}/man5/sssd-krb5.5*
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
%dir %{_datadir}/sssd/krb5-snippets
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir

%files common-pac
%license COPYING
%{_libexecdir}/%{servicename}/sssd_pac

%files ipa -f sssd_ipa.lang
%license COPYING
# Keytab directory: no access for others.
%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%{_libdir}/%{name}/libsss_ipa.so
# selinux_child: same 0750 root-owned pattern, with cap_setuid and cap_setgid
# in the permitted set.
%attr(0750,root,%{sssd_user}) %caps(cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5*

%files ad -f sssd_ad.lang
%license COPYING
%{_libdir}/%{name}/libsss_ad.so
%{_libexecdir}/%{servicename}/gpo_child
%{_mandir}/man5/sssd-ad.5*

%files proxy
%license COPYING
# proxy_child is restricted to root and the service group but carries no
# file capabilities.
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
%{_libdir}/%{name}/libsss_proxy.so

%files dbus -f sssd_dbus.lang
%license COPYING
%{_libexecdir}/%{servicename}/sssd_ifp
%{_mandir}/man5/sssd-ifp.5*
%{_unitdir}/sssd-ifp.service
# InfoPipe DBus plumbing
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service

%if 0%{?rhel} == 9
%files -n libsss_simpleifp
%{_libdir}/libsss_simpleifp.so.*

%files -n libsss_simpleifp-devel
%doc sss_simpleifp_doc/html
%{_includedir}/sss_sifp.h
%{_includedir}/sss_sifp_dbus.h
%{_libdir}/libsss_simpleifp.so
%{_libdir}/pkgconfig/sss_simpleifp.pc
%endif

# Client modules are loaded into other processes (NSS, PAM, Kerberos and
# cifs-utils plug-in directories).
%files client -f sssd_client.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libnss_sss.so.2
%if %{build_subid}
%{_libdir}/libsubid_sss.so
%endif
%{_libdir}/security/pam_sss.so
%{_libdir}/security/pam_sss_gss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
%dir %{_libdir}/cifs-utils
%{_libdir}/cifs-utils/cifs_idmap_sss.so
%dir %{_sysconfdir}/cifs-utils
# Ghost entry: the path is managed by alternatives in the client scriptlets.
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/pam_sss_gss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
%{_mandir}/man8/sssd_krb5_localauth_plugin.8*

%files -n libsss_sudo
%license src/sss_client/COPYING
%{_libdir}/libsss_sudo.so*

%files -n libsss_autofs
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/libsss_autofs.so

%files tools -f sssd_tools.lang
%license COPYING
%{_sbindir}/sss_obfuscate
%{_sbindir}/sss_override
%{_sbindir}/sss_debuglevel
%{_sbindir}/sss_seed
%{_sbindir}/sssctl
%{_libexecdir}/%{servicename}/sss_analyze
%{python3_sitelib}/sssd/
%{_mandir}/man8/sss_obfuscate.8*
%{_mandir}/man8/sss_override.8*
%{_mandir}/man8/sss_debuglevel.8*
%{_mandir}/man8/sss_seed.8*
%{_mandir}/man8/sssctl.8*

# The remaining lists carry no explicit owner, mode or capability settings;
# everything in them takes the packaging defaults.
%files -n python3-sssdconfig -f python3_sssdconfig.lang
%dir %{python3_sitelib}/SSSDConfig
%{python3_sitelib}/SSSDConfig/*.py*
%dir %{python3_sitelib}/SSSDConfig/__pycache__
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
%dir %{_datadir}/sssd
%{_datadir}/sssd/sssd.api.conf
%{_datadir}/sssd/sssd.api.d

# Compiled Python extension modules; the provides filter near the top of the
# file keeps them out of the package's automatic provides.
%files -n python3-sss
%{python3_sitearch}/pysss.so

%files -n python3-sss-murmur
%{python3_sitearch}/pysss_murmur.so

# Runtime libraries ship the versioned shared object; the matching devel
# lists ship header, unversioned link and pkg-config file.
%files -n libsss_idmap
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_idmap.so.*

%files -n libsss_idmap-devel
%doc idmap_doc/html
%{_includedir}/sss_idmap.h
%{_libdir}/libsss_idmap.so
%{_libdir}/pkgconfig/sss_idmap.pc

%files -n libipa_hbac
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libipa_hbac.so.*

%files -n libipa_hbac-devel
%doc hbac_doc/html
%{_includedir}/ipa_hbac.h
%{_libdir}/libipa_hbac.so
%{_libdir}/pkgconfig/ipa_hbac.pc

%files -n libsss_nss_idmap
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_nss_idmap.so.*

%files -n libsss_nss_idmap-devel
%doc nss_idmap_doc/html
%{_includedir}/sss_nss_idmap.h
%{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc

%files -n python3-libsss_nss_idmap
%{python3_sitearch}/pysss_nss_idmap.so

%files -n python3-libipa_hbac
%{python3_sitearch}/pyhbac.so

# Plug-ins installed into the Samba and libnfsidmap module directories.
%files winbind-idmap -f sssd_winbind_idmap.lang
%dir %{_libdir}/samba/idmap
%{_libdir}/samba/idmap/sss.so
%{_mandir}/man8/idmap_sss.8*

%files nfs-idmap -f sssd_nfs_idmap.lang
%{_mandir}/man5/sss_rpcidmapd.5*
%{_libdir}/libnfsidmap/sss.so

%files -n libsss_certmap -f libsss_certmap.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_certmap.so.*
%{_mandir}/man5/sss-certmap.5*

%files -n libsss_certmap-devel
%doc certmap_doc/html
%{_includedir}/sss_certmap.h
%{_libdir}/libsss_certmap.so
%{_libdir}/pkgconfig/sss_certmap.pc

%files kcm -f sssd_kcm.lang
%{_libexecdir}/%{servicename}/sssd_kcm %config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache %dir %{_datadir}/sssd-kcm %{_datadir}/sssd-kcm/kcm_default_ccache %{_unitdir}/sssd-kcm.socket %{_unitdir}/sssd-kcm.service %{_mandir}/man8/sssd-kcm.8* %files idp %{_libexecdir}/%{servicename}/oidc_child %{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so %{_datadir}/sssd/krb5-snippets/sssd_enable_idp %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp %if %{build_passkey} %files passkey %{_libexecdir}/%{servicename}/passkey_child %{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so %{_datadir}/sssd/krb5-snippets/sssd_enable_passkey %if "%{sssd_user}" != "root" %{_udevrulesdir}/90-sssd-token-access.rules %endif %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey %endif %if %{use_sssd_user} %pre common ! getent passwd sssd >/dev/null || usermod sssd -d /run/sssd >/dev/null || true %if %{use_sysusers} %sysusers_create_compat %{SOURCE1} %else getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologin -c "User for sssd" sssd %endif %endif %post common %systemd_post sssd.service %systemd_post sssd-autofs.socket %systemd_post sssd-nss.socket %systemd_post sssd-pac.socket %systemd_post sssd-pam.socket %systemd_post sssd-ssh.socket %systemd_post sssd-sudo.socket %__rm -f %{mcpath}/passwd %__rm -f %{mcpath}/group %__rm -f %{mcpath}/initgroups %__rm -f %{mcpath}/sid %__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true %__chmod -f -R g+r %{_sysconfdir}/sssd || true %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true %__chown -f -R %{sssd_user}:%{sssd_user} %{gpocachepath} || true %preun common %systemd_preun sssd.service %systemd_preun sssd-autofs.socket %systemd_preun sssd-nss.socket %systemd_preun sssd-pac.socket %systemd_preun 
sssd-pam.socket %systemd_preun sssd-ssh.socket %systemd_preun sssd-sudo.socket %postun common %__rm -f %{mcpath}/passwd %__rm -f %{mcpath}/group %__rm -f %{mcpath}/initgroups %__rm -f %{mcpath}/sid %systemd_postun_with_restart sssd-autofs.socket %systemd_postun_with_restart sssd-nss.socket %systemd_postun_with_restart sssd-pac.socket %systemd_postun_with_restart sssd-pam.socket %systemd_postun_with_restart sssd-ssh.socket %systemd_postun_with_restart sssd-sudo.socket # Services have RefuseManualStart=true, therefore we can't request restart. %systemd_postun sssd-autofs.service %systemd_postun sssd-nss.service %systemd_postun sssd-pac.service %systemd_postun sssd-pam.service %systemd_postun sssd-ssh.service %systemd_postun sssd-sudo.service %post dbus %systemd_post sssd-ifp.service %preun dbus %systemd_preun sssd-ifp.service %postun dbus %systemd_postun_with_restart sssd-ifp.service %post kcm %systemd_post sssd-kcm.socket %preun kcm %systemd_preun sssd-kcm.socket %postun kcm %systemd_postun_with_restart sssd-kcm.socket %systemd_postun_with_restart sssd-kcm.service %post client /usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20 %preun client if [ $1 -eq 0 ] ; then /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so || true fi %posttrans common %systemd_postun_with_restart sssd.service %changelog * Thu Jan 21 2021 Pavel Březina - sssd-9.pr7779-05950 - Built from upstream sources.