# SSSD SPEC file for Fedora 34+ and RHEL-9+

# Upstream version is using pre-release version with dash as a separator
# since git does not support tilde in tag name. On the other side, Fedora and
# RHEL requires tilde as a separator to correctly order builds.
# For example: 2.10.0-beta1 vs 2.10.0~beta1
# NOTE(review): both macros below evaluate to the literal 0 and neither is
# referenced again in the visible part of this spec (Version is hard-coded);
# presumably the packaging automation fills or ignores them - confirm.
%global upstream_version 0
%global downstream_version %(echo "0" | sed 's/-/~/g')

# define SSSD user
# On RHEL the daemon is built for the dedicated "sssd" account; everywhere
# else it is built for root. The value is passed to configure through
# --with-sssd-user and is used as owner/group in the file lists.
%if 0%{?rhel}
%global sssd_user sssd
%else
%global sssd_user root
%endif

# Set setuid bit on child helpers if we support non-root user.
# The mode chosen here is applied in the file lists to ldap_child, krb5_child,
# selinux_child and proxy_child, always with owner root and the service
# account's group. With 4750 those helpers are setuid root and executable only
# by root and by members of that group, so membership of the group is a
# privilege boundary and should stay limited to the service account.
%if "%{sssd_user}" == "root"
%global child_attrs 0750
%else
%global child_attrs 4750
%endif

# Feature switches derived from the target distribution release.
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
%global build_subid 1
%else
%global build_subid 0
%endif

# krb5_version is only defined when KCM renewals are built; every use of it
# in this spec is guarded by build_kcm_renewals.
%if 0%{?fedora} >= 34
%global build_kcm_renewals 1
%global krb5_version 1.19.1
%elif 0%{?rhel} >= 8
%global build_kcm_renewals 1
%global krb5_version 1.18.2
%else
%global build_kcm_renewals 0
%endif

%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9
%global build_passkey 1
%else
%global build_passkey 0
%endif

# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$

# Request the distribution's hardened compiler and linker flags.
# NOTE(review): presumably already the default on the targeted releases, in
# which case this line is redundant but harmless - confirm.
%define _hardened_build 1

# Determine the location of the LDB modules directory
# The two shell expansions below run on the build host while the spec is being
# parsed. They yield an empty or meaningless value when ldb's pkg-config data
# or samba-devel is not installed at that moment (for example while only the
# source package is generated). The samba value later becomes the minimum
# samba-client-libs version required by the ipa and ad subpackages.
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.2.0

%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})

Name: sssd
Version: 2.9.100
Release: 99.20251027132831985980.pr8139.123.gb11715c84%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
# NOTE(review): the archive is referenced by bare file name, so its integrity
# depends on whatever supplies it to the build (lookaside cache, CI artifact);
# nothing in this spec verifies it.
Source0: sssd-2.9.100.tar.gz

### Patches ###
# Place your patches here:
# Patch0001: 0001-patch-file.patch

### Downstream only patches ###
# Place your downstream only patches here:
# Patch0901: 0901-downstream-only-patch-file.patch

### Dependencies ###

# The main package is a meta-package: it pins every back end and the common
# package to exactly this version-release so that mixed installs cannot occur.
Requires: sssd-ad = %{version}-%{release}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-ipa = %{version}-%{release}
Requires: sssd-krb5 = %{version}-%{release}
Requires: sssd-ldap = %{version}-%{release}
Requires: sssd-proxy = %{version}-%{release}
Suggests: logrotate
Suggests: procps-ng
Suggests: python3-sssdconfig = %{version}-%{release}
Suggests: sssd-dbus = %{version}-%{release}

# Run-time state layout. These macros feed both the configure options in the
# build section and the ownership/mode entries in the file lists.
%global servicename sssd
%global sssdstatedir %{_localstatedir}/lib/sss
%global dbpath %{sssdstatedir}/db
%global keytabdir %{sssdstatedir}/keytabs
%global pipepath %{sssdstatedir}/pipes
%global mcpath %{sssdstatedir}/mc
%global pubconfpath %{sssdstatedir}/pubconf
%global gpocachepath %{sssdstatedir}/gpo_cache
%global secdbpath %{sssdstatedir}/secrets
%global deskprofilepath %{sssdstatedir}/deskprofile

### Build Dependencies ###

BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bind-utils
BuildRequires: c-ares-devel
BuildRequires: check-devel
BuildRequires: cifs-utils-devel
BuildRequires: dbus-devel
BuildRequires: docbook-style-xsl
BuildRequires: doxygen
BuildRequires: findutils
BuildRequires: gcc
BuildRequires: gdm-pam-extensions-devel
BuildRequires: gettext-devel
# required for p11_child smartcard tests
BuildRequires: gnutls-utils
BuildRequires: jansson-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: keyutils-libs-devel
BuildRequires: krb5-devel
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libdhash-devel >= 0.4.2
%if %{build_passkey}
BuildRequires: libfido2-devel
%endif
BuildRequires: libini_config-devel >= 1.1
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libnfsidmap-devel
BuildRequires: libnl3-devel
BuildRequires: libselinux-devel
BuildRequires: libsemanage-devel
BuildRequires: libsmbclient-devel
BuildRequires: libtalloc-devel
BuildRequires: libtdb-devel
BuildRequires: libtevent-devel
BuildRequires: libtool
BuildRequires: libunistring
BuildRequires: libunistring-devel
BuildRequires: libuuid-devel
BuildRequires: libxml2
BuildRequires: libxslt
BuildRequires: m4
BuildRequires: make
BuildRequires: nss_wrapper
BuildRequires: openldap-devel
BuildRequires: openssh
# required for p11_child smartcard tests
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: p11-kit-devel
BuildRequires: pam_wrapper
BuildRequires: pam-devel
BuildRequires: pcre2-devel
BuildRequires: pkgconfig
BuildRequires: popt-devel
BuildRequires: python3-devel
BuildRequires: (python3-setuptools if python3 >= 3.12)
BuildRequires: samba-devel
# required for idmap_sss.so
BuildRequires: samba-winbind
BuildRequires: selinux-policy-targeted
# required for p11_child smartcard tests
BuildRequires: softhsm >= 2.1.0
BuildRequires: bc
BuildRequires: systemd-devel
BuildRequires: systemtap-sdt-devel
BuildRequires: uid_wrapper
BuildRequires: po4a
%if %{build_subid}
BuildRequires: shadow-utils-subid-devel
%endif
%if %{build_kcm_renewals}
BuildRequires: krb5-libs >= %{krb5_version}
%endif

%description
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable back end system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

The sssd subpackage is a meta-package that contains the daemon as well as all
the existing back ends.
%package common
# Core subpackage: ships the daemon, the responders and the state directories.
# Every back end subpackage requires it at exactly this version-release.
Summary: Common files for the SSSD
License: GPLv3+
# libsss_simpleifp is removed starting 2.9.0
Obsoletes: libsss_simpleifp < 2.9.0
Obsoletes: libsss_simpleifp-debuginfo < 2.9.0
# Requires
# due to ABI changes in 1.1.30/1.2.0
Requires: libldb >= %{ldb_version}
Requires: sssd-client%{?_isa} = %{version}-%{release}
# Boolean dependencies: each integration library is pulled in only when the
# package that consumes it (sudo, autofs, libnfsidmap) is installed.
Requires: (libsss_sudo = %{version}-%{release} if sudo)
Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
# The RHEL-only pre-install scriptlet of this subpackage calls groupadd and
# useradd, so shadow-utils has to be present before the scriptlet runs.
%if 0%{?rhel}
Requires(pre): shadow-utils
%endif
%{?systemd_requires}

### Provides ###
Provides: libsss_sudo-devel = %{version}-%{release}
Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1

%description common
Common files for the SSSD. The common package includes all the files needed
to run a particular back end, however, the back ends are packaged in separate
subpackages such as sssd-ldap.

%package client
# Client-side NSS and PAM libraries. The alternatives tool is needed by the
# post and preun scriptlets of this subpackage, which register and remove the
# cifs idmap plugin.
Summary: SSSD Client libraries for NSS and PAM
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires(post): /usr/sbin/alternatives
Requires(preun): /usr/sbin/alternatives

%description client
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
service.
%package -n libsss_sudo
# The Conflicts line keeps this library from being installed next to an older
# sssd-common than the one it was built with.
Summary: A library to allow communication between SUDO and SSSD
License: LGPLv3+
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_sudo
A utility library to allow communication between SUDO and SSSD

%package -n libsss_autofs
# Same version guard against an older sssd-common as libsss_sudo.
Summary: A library to allow communication between Autofs and SSSD
License: LGPLv3+
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_autofs
A utility library to allow communication between Autofs and SSSD

%package tools
# Administrative command-line tools.
# Reader note: sss_obfuscate only obfuscates the LDAP password; the value
# remains recoverable, so file permissions on the configuration file are what
# actually protects it.
Summary: Userspace tools for use with the SSSD
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
# for logger=journald support with sss_analyze
Requires: python3-systemd
# NOTE(review): this is the only dependency on another sssd subpackage in this
# block without an exact version-release pin - confirm that is intentional.
Requires: sssd-dbus

%description tools
Provides several administrative tools:
    * sss_debuglevel to change the debug level on the fly
    * sss_seed which pre-creates a user entry for use in kickstarts
    * sss_obfuscate for generating an obfuscated LDAP password
    * sssctl -- an sssd status and control utility

%package -n python3-sssdconfig
# Pure-Python (noarch) helper classes for editing configuration files.
Summary: SSSD and IPA configuration file manipulation classes and functions
License: GPLv3+
BuildArch: noarch
%{?python_provide:%python_provide python3-sssdconfig}

%description -n python3-sssdconfig
Provides python3 files for manipulation SSSD and IPA configuration files.
%package -n python3-sss
# Compiled Python bindings; required by the tools subpackage for sss_obfuscate.
Summary: Python3 bindings for sssd
License: LGPLv3+
Requires: sssd-common = %{version}-%{release}
%{?python_provide:%python_provide python3-sss}

%description -n python3-sss
Provides python3 bindings:
    * function for retrieving list of groups user belongs to
    * class for obfuscation of passwords

%package -n python3-sss-murmur
# Stand-alone binding with no dependency on any other sssd subpackage.
Summary: Python3 bindings for murmur hash function
License: LGPLv3+
%{?python_provide:%python_provide python3-sss-murmur}

%description -n python3-sss-murmur
Provides python3 module for calculating the murmur hash version 3

%package ldap
# LDAP provider. It needs krb5-common because that subpackage ships the
# ldap_child helper.
Summary: The LDAP back end of the SSSD
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}

%description ldap
Provides the LDAP back end that the SSSD can utilize to fetch identity data
from and authenticate against an LDAP server.

%package krb5-common
# Ships the ldap_child and krb5_child helpers, which are installed with the
# mode held in the child_attrs macro (setuid root when the service account is
# not root).
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPLv3+
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: sssd-common = %{version}-%{release}

%description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can use for
Kerberos user or host authentication.

%package krb5
# Kerberos authentication provider.
Summary: The Kerberos authentication back end for the SSSD
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}

%description krb5
Provides the Kerberos back end that the SSSD can utilize authenticate
against a Kerberos server.

%package common-pac
# PAC responder shared by the IPA and AD providers.
Summary: Common files needed for supporting PAC processing
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}

%description common-pac
Provides common files needed by SSSD providers such as IPA and Active Directory
for handling Kerberos PACs.
%package ipa
# IPA provider. The samba-client-libs floor is the samba-devel version found
# on the build host when the spec was parsed (see samba_package_version in the
# header), so the installed samba libraries can never be older than the ones
# this package was compiled against.
Summary: The IPA back end of the SSSD
License: GPLv3+
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}

%description ipa
Provides the IPA back end that the SSSD can utilize to fetch identity data
from and authenticate against an IPA server.

%package ad
# Active Directory provider; same build-time samba version floor as the IPA
# provider. adcli and bind-utils are weak dependencies only.
Summary: The AD back end of the SSSD
License: GPLv3+
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Recommends: adcli
Suggests: sssd-winbind-idmap = %{version}-%{release}

%description ad
Provides the Active Directory back end that the SSSD can utilize to fetch
identity data from and authenticate against an Active Directory server.

%package proxy
# Proxy provider; ships the proxy_child helper, installed with the mode held
# in the child_attrs macro.
Summary: The proxy back end of the SSSD
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}

%description proxy
Provides the proxy back end which can be used to wrap an existing NSS and/or
PAM modules to leverage SSSD caching.
%package -n libsss_idmap
# Stand-alone libraries and their development/Python companions. Each -devel
# and python3- package pins its runtime library to the same version-release.
Summary: FreeIPA Idmap library
License: LGPLv3+

%description -n libsss_idmap
Utility library to convert SIDs to Unix uids and gids

%package -n libsss_idmap-devel
Summary: FreeIPA Idmap library
License: LGPLv3+
Requires: libsss_idmap = %{version}-%{release}

%description -n libsss_idmap-devel
Utility library to SIDs to Unix uids and gids

%package -n libipa_hbac
# Evaluates host-based access control rules; required by the IPA provider.
Summary: FreeIPA HBAC Evaluator library
License: LGPLv3+

%description -n libipa_hbac
Utility library to validate FreeIPA HBAC rules for authorization requests

%package -n libipa_hbac-devel
Summary: FreeIPA HBAC Evaluator library
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}

%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests

%package -n python3-libipa_hbac
Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
%{?python_provide:%python_provide python3-libipa_hbac}

%description -n python3-libipa_hbac
The python3-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.

%package -n libsss_nss_idmap
# Lookup library required by the client and winbind-idmap subpackages.
Summary: Library for SID and certificate based lookups
License: LGPLv3+

%description -n libsss_nss_idmap
Utility library for SID and certificate based lookups

%package -n libsss_nss_idmap-devel
Summary: Library for SID and certificate based lookups
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}

%description -n libsss_nss_idmap-devel
Utility library for SID and certificate based lookups

%package -n python3-libsss_nss_idmap
Summary: Python3 bindings for libsss_nss_idmap
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
%{?python_provide:%python_provide python3-libsss_nss_idmap}

%description -n python3-libsss_nss_idmap
The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications.
%package dbus
# InfoPipe responder: exposes SSSD data on the system bus. Access to it is
# governed by the D-Bus policy file shipped in this subpackage's file list.
Summary: The D-Bus responder of the SSSD
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
%{?systemd_requires}

%description dbus
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
the information from the SSSD to be transmitted over the system bus.

%if 0%{?rhel}
%package polkit-rules
# Built on RHEL only; on Fedora configure is run with
# --disable-polkit-rules-path instead.
Summary: Rules for polkit integration for SSSD
Group: Applications/System
License: GPLv3+
Requires: polkit >= 0.106
Requires: sssd-common = %{version}-%{release}

%description polkit-rules
Provides rules for polkit integration with SSSD. This is required
for smartcard support.
%endif

%package winbind-idmap
# Plug-in loaded by Winbind; guarded against an older sssd-common.
Summary: SSSD's idmap_sss Backend for Winbind
License: GPLv3+ and LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Conflicts: sssd-common < %{version}-%{release}

%description winbind-idmap
The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
and SIDs.

%package nfs-idmap
# Plug-in loaded by rpc.idmapd; guarded against an older sssd-common.
Summary: SSSD plug-in for NFSv4 rpc.idmapd
License: GPLv3+
Conflicts: sssd-common < %{version}-%{release}

%description nfs-idmap
The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
UIDs/GIDs to names and vice versa. It can be also used for mapping principal
(user) name to IDs(UID or GID) or to obtain groups which user are member of.
%package -n libsss_certmap
# Certificate-to-user mapping rules library; guarded against an older
# sssd-common.
Summary: SSSD Certificate Mapping Library
License: LGPLv3+
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_certmap
Library to map certificates to users based on rules

%package -n libsss_certmap-devel
Summary: SSSD Certificate Mapping Library
License: LGPLv3+
Requires: libsss_certmap = %{version}-%{release}

%description -n libsss_certmap-devel
Library to map certificates to users based on rules

%package kcm
# Kerberos credential cache server. Installing this subpackage also drops a
# krb5.conf.d snippet (see its file list) that makes KCM the default cache
# type. The krb5-libs floor applies only when KCM renewals are built.
Summary: An implementation of a Kerberos KCM server
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
%if %{build_kcm_renewals}
Requires: krb5-libs >= %{krb5_version}
%endif
%{?systemd_requires}

%description kcm
An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache.

%package idp
# External identity provider support: Kerberos plug-in plus the oidc_child
# helper. Installing it enables the plug-in through a krb5.conf.d snippet.
Summary: Kerberos plugins and OIDC helper for external identity providers.
License: GPLv3+
Requires: sssd-common = %{version}-%{release}

%description idp
This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided.

%if %{build_passkey}
%package passkey
# Built only where build_passkey is 1 (Fedora 39+ or RHEL 9+ per the header).
# The conditional opened above is closed after this subpackage's description.
Summary: SSSD helpers and plugins needed for authentication with passkey token
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: libfido2

%description passkey
This package provides helper processes and Kerberos plugins that are required to
enable authentication with passkey token.
%endif

%prep
# Unpack the source archive into sssd-2.9.100 and apply any declared patches
# with strip level 1 (the patch slots in the header are all commented out).
%autosetup -n sssd-2.9.100 -p1

%build
# Regenerate the autotools files, then configure. The directories for the
# databases, pipes, caches and public configuration are taken from the macros
# in the header, so the compiled-in defaults match the packaged directories
# and their permissions.
#
# --with-sssd-user selects the service account chosen in the header (root, or
# the dedicated sssd account on RHEL).
# NOTE(review): --with-test-dir=/dev/shm presumably only decides where the
# build-time test suite keeps scratch data; confirm it has no effect on the
# installed daemon.
#
# The conditionals inside the continuation add optional flags; the closing
# nil macro expands to nothing and absorbs the last trailing backslash.

autoreconf -ivf

%configure \
    --disable-rpath \
    --disable-static \
    --enable-gss-spnego-for-zero-maxssf \
    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
    --enable-nsslibdir=%{_libdir} \
    --enable-pammoddir=%{_libdir}/security \
    --enable-sss-default-nss-plugin \
    --enable-systemtap \
    --with-db-path=%{dbpath} \
    --with-gpo-cache-path=%{gpocachepath} \
    --with-init-dir=%{_initrddir} \
    --with-initscript=systemd \
    --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
    --with-mcache-path=%{mcpath} \
    --with-pid-path=%{_rundir} \
    --with-pipe-path=%{pipepath} \
    --with-pubconf-path=%{pubconfpath} \
    --with-sssd-user=%{sssd_user} \
    --with-syslog=journald \
    --with-test-dir=/dev/shm \
%if %{build_subid}
    --with-subid \
%endif
%if 0%{?fedora}
    --disable-polkit-rules-path \
%endif
%if %{build_passkey}
    --with-passkey \
%endif
    %{nil}

%make_build all docs runstatedir=%{_rundir}

# Point both Python tools at python3.
# NOTE(review): the sed pattern is not anchored, so if the interpreter line of
# sss_obfuscate already names python3 the result would read python33; the
# shebang-fix macro used for sss_analyze avoids that - confirm what the
# shipped interpreter line looks like.
%py3_shebang_fix src/tools/analyzer/sss_analyze
sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate

%check
# Run the test suite with the timeout multiplier raised to 10 for the duration
# of the run (presumably to tolerate slow builders), then drop the variable.
export CK_TIMEOUT_MULTIPLIER=10
%make_build check VERBOSE=yes
unset CK_TIMEOUT_MULTIPLIER

%install

%make_install

# Prepare language files
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd

# Copy default logrotate file
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sssd

# Make sure SSSD is able to run on read-only root
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd

# The snippets copied below land in the system-wide krb5.conf.d directory, so
# installing the owning subpackage changes Kerberos behaviour for the host.

# Kerberos KCM credential cache by default
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache

# Enable krb5 idp plugins by default (when sssd-idp package is installed)
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp

# Enable krb5 passkey plugins by default (when sssd-passkey package is installed)
%if %{build_passkey}
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%endif

# krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir

# Create directory for cifs-idmap alternative
# Otherwise this directory could not be owned by sssd-client
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils

# Remove .la files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;

# Suppress developer-only documentation
rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}

# Older versions of rpmbuild can only handle one -f option
# So we need to append to the sssd*.lang file
# The loops below rely on unquoted command substitution; that is safe only
# because every path comes from the build root and contains no whitespace.
for file in `find $RPM_BUILD_ROOT/%{python3_sitelib} -maxdepth 1 -name "*.egg-info" 2> /dev/null`
do
    echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
done

# Make sure every per-subpackage list exists, even if it ends up empty.
touch sssd.lang
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
                  libsss_certmap sssd_kcm
do
    touch $subpackage.lang
done

# Sort each translated man page into the list of the subpackage that owns the
# untranslated page. The first two characters of the path are the language
# code. Pattern order matters: the specific sss_cache, sss_ssh and
# sss_rpcidmapd arms must come before the generic sss_ arm.
for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
do
    lang=`echo $man | cut -c 1-2`
    case `basename $man` in
        sss_cache*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
        sss_ssh*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
        sss_rpcidmapd*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_nfs_idmap.lang
            ;;
        sss_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
            ;;
        sssctl*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
            ;;
        sssd_krb5_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
            ;;
        pam_sss*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
            ;;
        sssd-ldap*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang
            ;;
        sssd-krb5*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_krb5.lang
            ;;
        sssd-ipa*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ipa.lang
            ;;
        sssd-ad*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ad.lang
            ;;
        sssd-proxy*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_proxy.lang
            ;;
        sssd-ifp*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
            ;;
        sssd-kcm*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
            ;;
        idmap_sss*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
            ;;
        sss-certmap*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
            ;;
        *)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
    esac
done

# Print these to the rpmbuild log
echo "sssd.lang:"
cat sssd.lang

echo "python3_sssdconfig.lang:"
cat python3_sssdconfig.lang

for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
                  libsss_certmap sssd_kcm
do
    echo "$subpackage.lang:"
    cat $subpackage.lang
done

%files
%license COPYING

%files common -f sssd.lang
%license COPYING
%doc src/examples/sssd-example.conf
%{_sbindir}/sssd
%{_unitdir}/sssd.service
%{_unitdir}/sssd-autofs.socket
%{_unitdir}/sssd-autofs.service
%{_unitdir}/sssd-nss.socket
%{_unitdir}/sssd-nss.service
%{_unitdir}/sssd-pac.socket
%{_unitdir}/sssd-pac.service
%{_unitdir}/sssd-pam.socket
%{_unitdir}/sssd-pam-priv.socket
%{_unitdir}/sssd-pam.service
%{_unitdir}/sssd-ssh.socket
%{_unitdir}/sssd-ssh.service
%{_unitdir}/sssd-sudo.socket
%{_unitdir}/sssd-sudo.service

# Daemon-side executables. None of these entries carries an explicit attr, so
# they keep the ownership and mode produced by the install step.
%dir %{_libexecdir}/%{servicename}
%{_libexecdir}/%{servicename}/sssd_be
%{_libexecdir}/%{servicename}/sssd_nss
%{_libexecdir}/%{servicename}/sssd_pam
%{_libexecdir}/%{servicename}/sssd_autofs
%{_libexecdir}/%{servicename}/sssd_ssh
%{_libexecdir}/%{servicename}/sssd_sudo
%{_libexecdir}/%{servicename}/p11_child
%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders

%dir %{_libdir}/%{name}
%{_libdir}/%{name}/libsss_simple.so

#Internal shared libraries
%{_libdir}/%{name}/libsss_child.so
%{_libdir}/%{name}/libsss_crypt.so
%{_libdir}/%{name}/libsss_cert.so
%{_libdir}/%{name}/libsss_debug.so
%{_libdir}/%{name}/libsss_krb5_common.so
%{_libdir}/%{name}/libsss_ldap_common.so
%{_libdir}/%{name}/libsss_util.so
%{_libdir}/%{name}/libsss_semanage.so
%{_libdir}/%{name}/libifp_iface.so
%{_libdir}/%{name}/libifp_iface_sync.so
%{_libdir}/%{name}/libsss_iface.so
%{_libdir}/%{name}/libsss_iface_sync.so
%{_libdir}/%{name}/libsss_sbus.so
%{_libdir}/%{name}/libsss_sbus_sync.so

%{ldb_modulesdir}/memberof.so
%{_bindir}/sss_ssh_authorizedkeys
%{_bindir}/sss_ssh_knownhostsproxy
%{_sbindir}/sss_cache
%{_libexecdir}/%{servicename}/sss_signal

# State directories. Ownership follows the service account chosen in the
# header (root, or the dedicated sssd account on RHEL).
%dir %{sssdstatedir}
%dir %{_localstatedir}/cache/krb5rcache
# Database directory: owner-only access.
%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
# Cache directory and its three ghost files (owned by the package but created
# at run time, and excluded from digest, size and mtime verification).
# NOTE(review): the directory is group-writable (775) and the files are 0664,
# so every member of the service group can modify them; confirm that group has
# no members other than the service account.
%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
# Secrets directory stays root-only regardless of the service account.
%attr(700,root,root) %dir %{secdbpath}
%attr(751,root,root) %dir %{deskprofilepath}
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups
# The pipes directory is world-accessible (755); its private subdirectory is
# limited to the service account and the root group (750).
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
%attr(750,%{sssd_user},root) %dir %{pipepath}/private
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
# Logs are not readable by other users.
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
# Configuration tree. The main configuration file is a ghost entry (not
# shipped), expected as root-owned 0600 and never overwritten on upgrade.
# NOTE(review): the directory that holds it is owned by the service account,
# and a directory owner can rename or replace entries regardless of who owns
# the file itself. Where the service account is not root, confirm the daemon
# validates owner and mode of the file before trusting its contents.
%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
%dir %{_libdir}/%{name}/conf
%{_libdir}/%{name}/conf/sssd.conf

%{_datadir}/sssd/cfg_rules.ini
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
%{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-simple.5*
%{_mandir}/man5/sssd-sudo.5*
%{_mandir}/man5/sssd-session-recording.5*
%{_mandir}/man8/sssd.8*
%{_mandir}/man8/sss_cache.8*
%dir %{_datadir}/sssd/systemtap
%{_datadir}/sssd/systemtap/id_perf.stp
%{_datadir}/sssd/systemtap/nested_group_perf.stp
%{_datadir}/sssd/systemtap/dp_request.stp
%{_datadir}/sssd/systemtap/ldap_perf.stp
%dir %{_datadir}/systemtap
%dir %{_datadir}/systemtap/tapset
%{_datadir}/systemtap/tapset/sssd.stp
%{_datadir}/systemtap/tapset/sssd_functions.stp
%{_mandir}/man5/sssd-systemtap.5*

# RHEL only: every file found in the polkit rules directory is packaged by
# wildcard, so anything the install step puts there ships as an authorization
# rule.
%if 0%{?rhel}
%files polkit-rules
%{_datadir}/polkit-1/rules.d/*
%endif

%files ldap -f sssd_ldap.lang
%license COPYING
%{_libdir}/%{name}/libsss_ldap.so
%{_mandir}/man5/sssd-ldap.5*
%{_mandir}/man5/sssd-ldap-attributes.5*

%files krb5-common
%license COPYING
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
# Privileged helpers: owner root, group of the service account, mode from the
# child_attrs macro. With a non-root service account that mode is 4750, i.e.
# setuid root and not executable by other users.
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child

%files krb5 -f sssd_krb5.lang
%license COPYING
%{_libdir}/%{name}/libsss_krb5.so
%{_mandir}/man5/sssd-krb5.5*
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
%dir %{_datadir}/sssd/krb5-snippets
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir

%files common-pac
%license COPYING
%{_libexecdir}/%{servicename}/sssd_pac

%files ipa -f sssd_ipa.lang
%license COPYING
# Keytab directory: owner-only access for the service account.
%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%{_libdir}/%{name}/libsss_ipa.so
# Same privileged-helper ownership and mode as ldap_child and krb5_child.
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5*

%files ad -f sssd_ad.lang
%license COPYING
%{_libdir}/%{name}/libsss_ad.so
# gpo_child carries no explicit attr, unlike the helpers marked with the
# child_attrs mode, so it is packaged without the setuid bit.
%{_libexecdir}/%{servicename}/gpo_child
%{_mandir}/man5/sssd-ad.5*

# NOTE(review): the install step creates sssd_proxy.lang, but this file list
# does not include it with -f the way the other back ends do - confirm
# whether that is intentional.
%files proxy
%license COPYING
# Privileged helper: owner root, group of the service account, mode from the
# child_attrs macro (setuid root when the service account is not root).
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
%{_libdir}/%{name}/libsss_proxy.so

%files dbus -f sssd_dbus.lang
%license COPYING
%{_libexecdir}/%{servicename}/sssd_ifp
%{_mandir}/man5/sssd-ifp.5*
%{_unitdir}/sssd-ifp.service
# InfoPipe DBus plumbing
# The system.d file is the bus policy for the InfoPipe name; the
# system-services file makes the responder bus-activatable.
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service

%files client -f sssd_client.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
# NSS, PAM and Kerberos plug-ins are installed into the system plug-in
# directories, so they are loaded by the applications that use those
# subsystems.
%{_libdir}/libnss_sss.so.2
%if %{build_subid}
%{_libdir}/libsubid_sss.so
%endif
%{_libdir}/security/pam_sss.so
%{_libdir}/security/pam_sss_gss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
%dir %{_libdir}/cifs-utils
%{_libdir}/cifs-utils/cifs_idmap_sss.so
%dir %{_sysconfdir}/cifs-utils
# Ghost entry: the link itself is created and removed by the alternatives
# calls in the post and preun scriptlets of this subpackage.
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/pam_sss_gss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
%{_mandir}/man8/sssd_krb5_localauth_plugin.8*

%files -n libsss_sudo
%license src/sss_client/COPYING
%{_libdir}/libsss_sudo.so*

%files -n libsss_autofs
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/libsss_autofs.so

%files tools -f sssd_tools.lang
%license COPYING
%{_sbindir}/sss_obfuscate
%{_sbindir}/sss_override
%{_sbindir}/sss_debuglevel
%{_sbindir}/sss_seed
%{_sbindir}/sssctl
%{_libexecdir}/%{servicename}/sss_analyze
%{python3_sitelib}/sssd/
%{_mandir}/man8/sss_obfuscate.8*
%{_mandir}/man8/sss_override.8*
%{_mandir}/man8/sss_debuglevel.8*
%{_mandir}/man8/sss_seed.8*
%{_mandir}/man8/sssctl.8*

%files -n python3-sssdconfig -f python3_sssdconfig.lang
%dir %{python3_sitelib}/SSSDConfig
%{python3_sitelib}/SSSDConfig/*.py*
%dir %{python3_sitelib}/SSSDConfig/__pycache__
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
%dir %{_datadir}/sssd
%{_datadir}/sssd/sssd.api.conf
%{_datadir}/sssd/sssd.api.d

%files -n python3-sss
%{python3_sitearch}/pysss.so

%files -n python3-sss-murmur
%{python3_sitearch}/pysss_murmur.so

%files -n libsss_idmap
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_idmap.so.*

%files -n libsss_idmap-devel
%doc idmap_doc/html
%{_includedir}/sss_idmap.h
%{_libdir}/libsss_idmap.so
%{_libdir}/pkgconfig/sss_idmap.pc

%files -n libipa_hbac
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libipa_hbac.so.*

%files -n libipa_hbac-devel
%doc hbac_doc/html
%{_includedir}/ipa_hbac.h
%{_libdir}/libipa_hbac.so
%{_libdir}/pkgconfig/ipa_hbac.pc

%files -n libsss_nss_idmap
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_nss_idmap.so.*

%files -n libsss_nss_idmap-devel
%doc nss_idmap_doc/html
%{_includedir}/sss_nss_idmap.h
%{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc

%files -n python3-libsss_nss_idmap
%{python3_sitearch}/pysss_nss_idmap.so

%files -n python3-libipa_hbac
%{python3_sitearch}/pyhbac.so

%files winbind-idmap -f sssd_winbind_idmap.lang
%dir %{_libdir}/samba/idmap
%{_libdir}/samba/idmap/sss.so
%{_mandir}/man8/idmap_sss.8*

%files nfs-idmap -f sssd_nfs_idmap.lang
%{_mandir}/man5/sss_rpcidmapd.5*
%{_libdir}/libnfsidmap/sss.so

%files -n libsss_certmap -f libsss_certmap.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_certmap.so.*
%{_mandir}/man5/sss-certmap.5*

%files -n libsss_certmap-devel
%doc certmap_doc/html
%{_includedir}/sss_certmap.h
%{_libdir}/libsss_certmap.so
%{_libdir}/pkgconfig/sss_certmap.pc

%files kcm -f sssd_kcm.lang
%{_libexecdir}/%{servicename}/sssd_kcm
# The krb5.conf.d snippet is a config file kept across upgrades; its presence
# is what switches the host's default credential cache to KCM.
%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
%dir %{_datadir}/sssd-kcm
%{_datadir}/sssd-kcm/kcm_default_ccache
%{_unitdir}/sssd-kcm.socket
%{_unitdir}/sssd-kcm.service
%{_mandir}/man8/sssd-kcm.8*

%files idp
# oidc_child carries no explicit attr, so it is packaged without the setuid
# bit. The krb5.conf.d snippet enables the idp plug-in once this subpackage
# is installed.
%{_libexecdir}/%{servicename}/oidc_child
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp

%if %{build_passkey}
%files passkey
# NOTE(review): unlike the other child helpers, which are owned by root, this
# executable is owned by the service account, and mode 755 leaves it writable
# by that owner while executable by everyone. Where the service account is not
# root, that account could replace a program other users run; confirm the
# ownership is required, otherwise root ownership is the more conservative
# choice.
%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child
%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%endif

# RHEL only: before the files of the common subpackage are unpacked, create
# the system group and system account named sssd unless they already exist.
# The account gets / as home directory and /sbin/nologin as shell, so it is
# not usable for interactive logins.
# NOTE(review): the names are hard-coded here instead of being taken from the
# service-account macro; they agree today because that macro is sssd on RHEL.
%if 0%{?rhel}
%pre common
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
%endif

%post common
%systemd_post sssd.service
%systemd_post sssd-autofs.socket
%systemd_post sssd-nss.socket
%systemd_post sssd-pac.socket
%systemd_post sssd-pam.socket
%systemd_post sssd-pam-priv.socket
%systemd_post sssd-ssh.socket
%systemd_post sssd-sudo.socket

%preun common
%systemd_preun sssd.service
%systemd_preun sssd-autofs.socket
%systemd_preun sssd-nss.socket
%systemd_preun sssd-pac.socket
%systemd_preun sssd-pam.socket
%systemd_preun sssd-pam-priv.socket
%systemd_preun sssd-ssh.socket
%systemd_preun sssd-sudo.socket

%postun common
%systemd_postun_with_restart sssd-autofs.socket
%systemd_postun_with_restart sssd-nss.socket
%systemd_postun_with_restart sssd-pac.socket
%systemd_postun_with_restart sssd-pam.socket
%systemd_postun_with_restart sssd-pam-priv.socket
%systemd_postun_with_restart sssd-ssh.socket
%systemd_postun_with_restart sssd-sudo.socket

# Services have RefuseManualStart=true, therefore we can't request restart.
%systemd_postun sssd-autofs.service
%systemd_postun sssd-nss.service
%systemd_postun sssd-pac.service
%systemd_postun sssd-pam.service
%systemd_postun sssd-ssh.service
%systemd_postun sssd-sudo.service

%post dbus
%systemd_post sssd-ifp.service

%preun dbus
%systemd_preun sssd-ifp.service

%postun dbus
%systemd_postun_with_restart sssd-ifp.service

%post kcm
%systemd_post sssd-kcm.socket

%preun kcm
%systemd_preun sssd-kcm.socket

%postun kcm
%systemd_postun_with_restart sssd-kcm.socket
%systemd_postun_with_restart sssd-kcm.service

%post client
# Register the SSSD cifs idmap plug-in as an alternative with priority 20.
/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20

%preun client
# Remove the alternative only when the first scriptlet argument is 0.
if [ $1 -eq 0 ] ; then
    /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
fi

%posttrans common
# The main service is restarted here, at the end of the transaction, rather
# than in the postun scriptlet (presumably so that all subpackages are already
# updated when the daemon comes back up).
%systemd_postun_with_restart sssd.service

%changelog
* Mon Oct 27 2025 Packit - 2.9.100-99.20251027132831985980.pr8139.123.gb11715c84
- build(deps): bump actions/setup-python from 5 to 6 (dependabot[bot])
- build(deps): bump actions/checkout from 4 to 5 (dependabot[bot])
- ci: Override shell builtin bash options for get-changed script (Justin Stephenson)
- CI: stop running intgcheck (Iker Pedrosa)
- gpo_child: don't include 'util/signal.c' (Alexey Tikhonov)
- krb5: disable Kerberos localauth an2ln plugin for AD/IPA (Sumit Bose)
- Makefile: fix installation issue (Iker Pedrosa)
- tests: remove failing test (Iker Pedrosa)
- packit: only run upstream jobs for centos-9 (Iker Pedrosa)
- Tests: Skip tests unstable on other architectures.
(Jakub Vávra) - CI: only run sssd-2-9-4 branch in centos-8 (Iker Pedrosa) - sssd-badversion.conf: fix pre-commit issue (Iker Pedrosa) - CI: remove FreeBSD as they don't rely on sssd-2-9-4 (Iker Pedrosa) - CI: install dependencies (Iker Pedrosa) - CI: target sssd-2-9-4 branch in workflows (Iker Pedrosa) - ci: get changed script handle run for master push (non-PR) (Justin Stephenson) - oidc_child: use CURLOPT_PROTOCOLS_STR if available (Sumit Bose) - tests: stabilize test_sudo__refresh_random_offset (Pavel Březina) - cert util: add support build with OpenSSL older than 3.0 (Evgeny Sinelnikov) - Require OpenSSL >= 1.0.1 (Alexey Tikhonov) - cert util: replace deprecated OpenSSL calls (Sumit Bose) - CLIENT: fix thread unsafe access to autofs struct. (Alexey Tikhonov) - CLIENT:PAM: replace deprecated `_pam_overwrite` (Alexey Tikhonov) - RESOLV: supress deprecation warnings (Alexey Tikhonov) - ci: remove custom copr builds (Pavel Březina) - packit: get version from version.m4 for upstream builds (Pavel Březina) - ci: add packit configuration (Pavel Březina) - ci: use parallel build (Pavel Březina) - ci: only run changed tests for test only changes (Pavel Březina) - ci: move build to standalone workflow (Pavel Březina) - ci: add automation for creating new release (Pavel Březina) - scripts: switch back to dash for pre-releases (Pavel Březina) - version: replace dash with tilda (Pavel Březina) - scripts: add support for beta and rc versions (Pavel Březina) - build(deps): bump vapier/coverity-scan-action from 1.7.0 to 1.8.0 (dependabot[bot]) - dependapot: add ci prefix to commit messages (Pavel Březina) - CI: Add dependabot to get updates of github actions (Justin Stephenson) - ci: Update python version to latest minor version (Justin Stephenson) - ci: Remove intgcheck on debian-latest (Justin Stephenson) - RESPONDER: use proper context for getDomains() (Alexey Tikhonov) - ci: constraints - pin to branch for pylibssh workaround (Justin Stephenson) - Tests: Update polarion 
team name (Jakub Vávra) - Test: HBAC affecting AD-users ipa-group membership (shridhargadekar) - tests: test removal of external group membership (Sumit Bose) - ipa: improve handling of external group memberships (Sumit Bose) - tests: update test_sudo network utilities (Justin Stephenson) - tests: housekeeping - test_trusts.py -> test_ipa_trusts.py (Dan Lavu) - p11_child: Add timeout parameter (Tomas Halman) - ci: Install libssh-dev (Justin Stephenson) - ci: Workaround pylibssh Failed to open session (Justin Stephenson) - Tests: Make multihost custom-log more resilient. (Jakub Vávra) - ipa: improve handling of external group memberships (Sumit Bose) - sysdb: add sysdb_get_direct_parents_ex() (Sumit Bose) - 'gemini-code-assist' config (Alexey Tikhonov) - Tests: Add missing markers for ticket plugin (Jakub Vávra) - tests: skipping simple access control tests that have been rewritten. (Dan Lavu) - adding pytest markers to help keep track of transformation status (Dan Lavu) - CI: drop "missingInclude" from cppcheck (Alexey Tikhonov) - Revert "sdap: include sub-domain memberships in updates" (Sumit Bose) - Tests: Add importance marker sssctl test (shridhargadekar) - ci: print duration of each test case (Pavel Březina) - ci: grab ipa logs from ipa host (Pavel Březina) - sdap: include sub-domain memberships in updates (Sumit Bose) - tests: removed overlapping test scenarios from authentication tests (Dan Lavu) - tests: adding generic password change tests (Dan Lavu) - tests: Update mhc.yaml for relocated /data and /enrollment (Jakub Vávra) - tests: Move /exports to /var/exports for autofs tests (Jakub Vávra) - UTIL: mark non string array properly (Alexey Tikhonov) - TESTS: fix issue reported by black (Alexey Tikhonov) - SYSDB: don't add group members if 'ignore_group_members == true' (Alexey Tikhonov) - KCM: another memory leak fixed (Alexey Tikhonov) - KCM: fix memory leak (Alexey Tikhonov) - SYSDB: Use SYSDB_NAME from cached entry when updating users and groups (Samuel 
Cabrero) - ci: Add workflow for 'coverity' label in PRs (Justin Stephenson) - ci: Remove internal covscan workflow (Justin Stephenson) - tests: improve feature presence automation (Iker Pedrosa) - tests: add feature presence automation (Iker Pedrosa) - Tests: Update sst to rhel-sst-idm-sssd for polarion. (Jakub Vávra) - ldap_child: make sure invalid krb5 context is not used (Sumit Bose) - DEBUG: reduce log level in case a responder asks for unknown domain (Alexey Tikhonov) - ldap: add 'exop_force' value for ldap_pwmodify_mode (Sumit Bose) - sysdb: do not fail to add non-posix user to MPG domain (Sumit Bose) - ad: use default user_map when looking of host groups for GPO (Sumit Bose) - sdap: allow to provide user_map when looking up group memberships (Sumit Bose) - TESTS: Also test default_dyndns_opts (Alejandro López) - OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET (Alejandro López) - TESTS only: backport `sync_files_provider()` from b9c1d7d667d49080c27641fb4a800bd4c2612d43 (Alexey Tikhonov) - failover: add failover_primary_timeout option (Pavel Březina) - ad: refresh root domain when read directly (Sumit Bose) - ad-gpo: use hash to store intermediate results (Sumit Bose) - pam: fix SC auth with multiple certs and missing login name (Sumit Bose) - sdap: add naming_context as new member of struct sdap_domain (Sumit Bose) - sdap: add search_bases option to groups_by_user_send() (Sumit Bose) - sssd: adding mail as case insensitive (Andre Boscatto) - build(deps): bump actions/upload-artifact from 3 to 4 (dependabot[bot]) - CI: copr: only build 2.9.4 on F40 and C9S as best available options (Alexey Tikhonov) - build(deps): bump actions/download-artifact from 3 to 4 (dependabot[bot]) - Bump version to satisfy ipa req of sssd-2.9.5+ (Alexey Tikhonov) - Exclude F39 because it is going out of support (Alexey Tikhonov) - CI: SYSTEM: clear SSSD cache during package installation (Alexey Tikhonov) - Setup CI for 'sssd-2-9-4' branch (Alexey Tikhonov) - ci: explicitly set 
which topologies are already provisioned (Pavel Březina) - krb5_child: fix order of calloc arguments (Pavel Březina) - tests: Drop -extensions from openssl command if there is no -x509 (Sebastian Andrzej Siewior) - Fix the build with Samba 4.20 (Günther Deschner) - ci deps: do not use -- to denote positional arguments anymore (Pavel Březina) - CI: remove http-parser dependency (Alexey Tikhonov) - CI: remove unused stuff (lcov, ...) (Alexey Tikhonov) - tests: updating makefile.am to include tests (Dan Lavu) - tests: update the tests to work with latest pytest-mh (Pavel Březina) - Fix formating issues reported by 'black' (Alexey Tikhonov) - ci: Exclude fedora-38, fedora-41, fedora-42, fedora-rawhide, c8s and c10s from build of sssd-2-9 (Jakub Vávra) - tests: remove multihost basic tests (Dan Lavu) - CI: capture full 'config.log' from ./configure (Alexey Tikhonov) - ci: disable show-capture in system tests (Pavel Březina) - ci: do not collect pytest-mh logs in separate file (Pavel Březina) - build(deps): bump actions/setup-python from 4 to 5 (dependabot[bot]) - ci: use python 3.11 for system tests (Pavel Březina) - Tests: Update reference to polarion.yaml (Jakub Vavra) - Tests: Move polarion.yaml to src/tests/ (Jakub Vavra) - CI: Add sssd testlib to pythonpath for prci multihost (Jakub Vavra) - build(deps): bump DamianReeves/write-file-action from 1.2 to 1.3 (dependabot[bot]) * Thu Jan 21 2021 Pavel Březina - sssd-0-99 - Built from upstream sources.