Adding upstream version 2.9.4.upstream/2.9.4

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 1082 insertions, 0 deletions

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
new file mode 100644
index 0000000..03171a8
--- /dev/null
+++ b/contrib/sssd.spec.in
@@ -0,0 +1,1082 @@
+# SSSD SPEC file for Fedora 34+ and RHEL-9+
+
+# define SSSD user
+%if 0%{?rhel}
+%global sssd_user sssd
+%else
+%global sssd_user root
+%endif
+
+# Set setuid bit on child helpers if we support non-root user.
+%if "%{sssd_user}" == "root"
+%global child_attrs 0750
+%else
+%global child_attrs 4750
+%endif
+
+%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
+%global build_subid 1
+%else
+%global build_subid 0
+%endif
+
+%if 0%{?fedora} >= 34
+%global build_kcm_renewals 1
+%global krb5_version 1.19.1
+%elif 0%{?rhel} >= 8
+%global build_kcm_renewals 1
+%global krb5_version 1.18.2
+%else
+%global build_kcm_renewals 0
+%endif
+
+%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9
+%global build_passkey 1
+%else
+%global build_passkey 0
+%endif
+
+# we don't want to provide private python extension libs
+%define __provides_exclude_from %{python3_sitearch}/.*\.so$
+
+%define _hardened_build 1
+
+# Determine the location of the LDB modules directory
+%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
+%global ldb_version 1.2.0
+
+%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
+
+Name: @PACKAGE_NAME@
+Version: @PACKAGE_VERSION@
+Release: 0@PRERELEASE_VERSION@%{?dist}
+Summary: System Security Services Daemon
+License: GPLv3+
+URL: https://github.com/SSSD/sssd/
+Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+### Patches ###
+# Place your patches here:
+# Patch0001:  0001-patch-file.patch
+
+### Downstream only patches ###
+# Place your downstream only patches here:
+# Patch0901: 0901-downstream-only-patch-file.patch
+
+### Dependencies ###
+
+Requires: sssd-ad = %{version}-%{release}
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-ipa = %{version}-%{release}
+Requires: sssd-krb5 = %{version}-%{release}
+Requires: sssd-ldap = %{version}-%{release}
+Requires: sssd-proxy = %{version}-%{release}
+Suggests: logrotate
+Suggests: procps-ng
+Suggests: python3-sssdconfig = %{version}-%{release}
+Suggests: sssd-dbus = %{version}-%{release}
+
+%global servicename sssd
+%global sssdstatedir %{_localstatedir}/lib/sss
+%global dbpath %{sssdstatedir}/db
+%global keytabdir %{sssdstatedir}/keytabs
+%global pipepath %{sssdstatedir}/pipes
+%global mcpath %{sssdstatedir}/mc
+%global pubconfpath %{sssdstatedir}/pubconf
+%global gpocachepath %{sssdstatedir}/gpo_cache
+%global secdbpath %{sssdstatedir}/secrets
+%global deskprofilepath %{sssdstatedir}/deskprofile
+
+### Build Dependencies ###
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bind-utils
+BuildRequires: c-ares-devel
+BuildRequires: check-devel
+BuildRequires: cifs-utils-devel
+BuildRequires: dbus-devel
+BuildRequires: docbook-style-xsl
+BuildRequires: doxygen
+BuildRequires: findutils
+BuildRequires: gcc
+BuildRequires: gdm-pam-extensions-devel
+BuildRequires: gettext-devel
+# required for p11_child smartcard tests
+BuildRequires: gnutls-utils
+BuildRequires: jansson-devel
+BuildRequires: libcurl-devel
+BuildRequires: libjose-devel
+BuildRequires: keyutils-libs-devel
+BuildRequires: krb5-devel
+BuildRequires: libcmocka-devel >= 1.0.0
+BuildRequires: libdhash-devel >= 0.4.2
+%if %{build_passkey}
+BuildRequires: libfido2-devel
+%endif
+BuildRequires: libini_config-devel >= 1.1
+BuildRequires: libldb-devel >= %{ldb_version}
+BuildRequires: libnfsidmap-devel
+BuildRequires: libnl3-devel
+BuildRequires: libselinux-devel
+BuildRequires: libsemanage-devel
+BuildRequires: libsmbclient-devel
+BuildRequires: libtalloc-devel
+BuildRequires: libtdb-devel
+BuildRequires: libtevent-devel
+BuildRequires: libtool
+BuildRequires: libunistring
+BuildRequires: libunistring-devel
+BuildRequires: libuuid-devel
+BuildRequires: libxml2
+BuildRequires: libxslt
+BuildRequires: m4
+BuildRequires: make
+BuildRequires: nss_wrapper
+BuildRequires: openldap-devel
+BuildRequires: openssh
+# required for p11_child smartcard tests
+BuildRequires: openssl
+BuildRequires: openssl-devel
+BuildRequires: p11-kit-devel
+BuildRequires: pam_wrapper
+BuildRequires: pam-devel
+BuildRequires: pcre2-devel
+BuildRequires: pkgconfig
+BuildRequires: popt-devel
+BuildRequires: python3-devel
+BuildRequires: (python3-setuptools if python3 >= 3.12)
+BuildRequires: samba-devel
+# required for idmap_sss.so
+BuildRequires: samba-winbind
+BuildRequires: selinux-policy-targeted
+# required for p11_child smartcard tests
+BuildRequires: softhsm >= 2.1.0
+BuildRequires: bc
+BuildRequires: systemd-devel
+BuildRequires: systemtap-sdt-devel
+BuildRequires: uid_wrapper
+BuildRequires: po4a
+%if %{build_subid}
+BuildRequires: shadow-utils-subid-devel
+%endif
+%if %{build_kcm_renewals}
+BuildRequires: krb5-libs >= %{krb5_version}
+%endif
+
+%description
+Provides a set of daemons to manage access to remote directories and
+authentication mechanisms. It provides an NSS and PAM interface toward
+the system and a pluggable back end system to connect to multiple different
+account sources. It is also the basis to provide client auditing and policy
+services for projects like FreeIPA.
+
+The sssd subpackage is a meta-package that contains the daemon as well as all
+the existing back ends.
+
+%package common
+Summary: Common files for the SSSD
+License: GPLv3+
+# libsss_simpleifp is removed starting 2.9.0
+Obsoletes: libsss_simpleifp < 2.9.0
+Obsoletes: libsss_simpleifp-debuginfo < 2.9.0
+# Requires
+# due to ABI changes in 1.1.30/1.2.0
+Requires: libldb >= %{ldb_version}
+Requires: sssd-client%{?_isa} = %{version}-%{release}
+Requires: (libsss_sudo = %{version}-%{release} if sudo)
+Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
+Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
+Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
+%if 0%{?rhel}
+Requires(pre): shadow-utils
+%endif
+%{?systemd_requires}
+
+### Provides ###
+Provides: libsss_sudo-devel = %{version}-%{release}
+Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1
+
+%description common
+Common files for the SSSD. The common package includes all the files needed
+to run a particular back end, however, the back ends are packaged in separate
+subpackages such as sssd-ldap.
+
+%package client
+Summary: SSSD Client libraries for NSS and PAM
+License: LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+Requires(post):  /usr/sbin/alternatives
+Requires(preun): /usr/sbin/alternatives
+
+%description client
+Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
+service.
+
+%package -n libsss_sudo
+Summary: A library to allow communication between SUDO and SSSD
+License: LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}
+
+%description -n libsss_sudo
+A utility library to allow communication between SUDO and SSSD
+
+%package -n libsss_autofs
+Summary: A library to allow communication between Autofs and SSSD
+License: LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}
+
+%description -n libsss_autofs
+A utility library to allow communication between Autofs and SSSD
+
+%package tools
+Summary: Userspace tools for use with the SSSD
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+# required by sss_obfuscate
+Requires: python3-sss = %{version}-%{release}
+Requires: python3-sssdconfig = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
+# for logger=journald support with sss_analyze
+Requires: python3-systemd
+Requires: sssd-dbus
+
+%description tools
+Provides several administrative tools:
+    * sss_debuglevel to change the debug level on the fly
+    * sss_seed which pre-creates a user entry for use in kickstarts
+    * sss_obfuscate for generating an obfuscated LDAP password
+    * sssctl -- an sssd status and control utility
+
+%package -n python3-sssdconfig
+Summary: SSSD and IPA configuration file manipulation classes and functions
+License: GPLv3+
+BuildArch: noarch
+%{?python_provide:%python_provide python3-sssdconfig}
+
+%description -n python3-sssdconfig
+Provides python3 files for manipulation SSSD and IPA configuration files.
+
+%package -n python3-sss
+Summary: Python3 bindings for sssd
+License: LGPLv3+
+Requires: sssd-common = %{version}-%{release}
+%{?python_provide:%python_provide python3-sss}
+
+%description -n python3-sss
+Provides python3 bindings:
+    * function for retrieving list of groups user belongs to
+    * class for obfuscation of passwords
+
+%package -n python3-sss-murmur
+Summary: Python3 bindings for murmur hash function
+License: LGPLv3+
+%{?python_provide:%python_provide python3-sss-murmur}
+
+%description -n python3-sss-murmur
+Provides python3 module for calculating the murmur hash version 3
+
+%package ldap
+Summary: The LDAP back end of the SSSD
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-krb5-common = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
+
+%description ldap
+Provides the LDAP back end that the SSSD can utilize to fetch identity data
+from and authenticate against an LDAP server.
+
+%package krb5-common
+Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
+License: GPLv3+
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: sssd-common = %{version}-%{release}
+
+%description krb5-common
+Provides helper processes that the LDAP and Kerberos back ends can use for
+Kerberos user or host authentication.
+
+%package krb5
+Summary: The Kerberos authentication back end for the SSSD
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-krb5-common = %{version}-%{release}
+
+%description krb5
+Provides the Kerberos back end that the SSSD can utilize authenticate
+against a Kerberos server.
+
+%package common-pac
+Summary: Common files needed for supporting PAC processing
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+
+%description common-pac
+Provides common files needed by SSSD providers such as IPA and Active Directory
+for handling Kerberos PACs.
+
+%package ipa
+Summary: The IPA back end of the SSSD
+License: GPLv3+
+Requires: samba-client-libs >= %{samba_package_version}
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-krb5-common = %{version}-%{release}
+Requires: libipa_hbac%{?_isa} = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
+Recommends: bind-utils
+Requires: sssd-common-pac = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+
+%description ipa
+Provides the IPA back end that the SSSD can utilize to fetch identity data
+from and authenticate against an IPA server.
+
+%package ad
+Summary: The AD back end of the SSSD
+License: GPLv3+
+Requires: samba-client-libs >= %{samba_package_version}
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-krb5-common = %{version}-%{release}
+Requires: sssd-common-pac = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
+Recommends: bind-utils
+Recommends: adcli
+Suggests: sssd-winbind-idmap = %{version}-%{release}
+
+%description ad
+Provides the Active Directory back end that the SSSD can utilize to fetch
+identity data from and authenticate against an Active Directory server.
+
+%package proxy
+Summary: The proxy back end of the SSSD
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
+
+%description proxy
+Provides the proxy back end which can be used to wrap an existing NSS and/or
+PAM modules to leverage SSSD caching.
+
+%package -n libsss_idmap
+Summary: FreeIPA Idmap library
+License: LGPLv3+
+
+%description -n libsss_idmap
+Utility library to convert SIDs to Unix uids and gids
+
+%package -n libsss_idmap-devel
+Summary: FreeIPA Idmap library
+License: LGPLv3+
+Requires: libsss_idmap = %{version}-%{release}
+
+%description -n libsss_idmap-devel
+Utility library to SIDs to Unix uids and gids
+
+%package -n libipa_hbac
+Summary: FreeIPA HBAC Evaluator library
+License: LGPLv3+
+
+%description -n libipa_hbac
+Utility library to validate FreeIPA HBAC rules for authorization requests
+
+%package -n libipa_hbac-devel
+Summary: FreeIPA HBAC Evaluator library
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+
+%description -n libipa_hbac-devel
+Utility library to validate FreeIPA HBAC rules for authorization requests
+
+%package -n python3-libipa_hbac
+Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+%{?python_provide:%python_provide python3-libipa_hbac}
+
+%description -n python3-libipa_hbac
+The python3-libipa_hbac contains the bindings so that libipa_hbac can be
+used by Python applications.
+
+%package -n libsss_nss_idmap
+Summary: Library for SID and certificate based lookups
+License: LGPLv3+
+
+%description -n libsss_nss_idmap
+Utility library for SID and certificate based lookups
+
+%package -n libsss_nss_idmap-devel
+Summary: Library for SID and certificate based lookups
+License: LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+
+%description -n libsss_nss_idmap-devel
+Utility library for SID and certificate based lookups
+
+%package -n python3-libsss_nss_idmap
+Summary: Python3 bindings for libsss_nss_idmap
+License: LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+%{?python_provide:%python_provide python3-libsss_nss_idmap}
+
+%description -n python3-libsss_nss_idmap
+The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
+be used by Python applications.
+
+%package dbus
+Summary: The D-Bus responder of the SSSD
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+%{?systemd_requires}
+
+%description dbus
+Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
+the information from the SSSD to be transmitted over the system bus.
+
+%if 0%{?rhel}
+%package polkit-rules
+Summary: Rules for polkit integration for SSSD
+Group: Applications/System
+License: GPLv3+
+Requires: polkit >= 0.106
+Requires: sssd-common = %{version}-%{release}
+
+%description polkit-rules
+Provides rules for polkit integration with SSSD. This is required
+for smartcard support.
+%endif
+
+%package winbind-idmap
+Summary: SSSD's idmap_sss Backend for Winbind
+License: GPLv3+ and LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+Conflicts: sssd-common < %{version}-%{release}
+
+%description winbind-idmap
+The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
+and SIDs.
+
+%package nfs-idmap
+Summary: SSSD plug-in for NFSv4 rpc.idmapd
+License: GPLv3+
+Conflicts: sssd-common < %{version}-%{release}
+
+%description nfs-idmap
+The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
+UIDs/GIDs to names and vice versa. It can be also used for mapping principal
+(user) name to IDs(UID or GID) or to obtain groups which user are member of.
+
+%package -n libsss_certmap
+Summary: SSSD Certificate Mapping Library
+License: LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}
+
+%description -n libsss_certmap
+Library to map certificates to users based on rules
+
+%package -n libsss_certmap-devel
+Summary: SSSD Certificate Mapping Library
+License: LGPLv3+
+Requires: libsss_certmap = %{version}-%{release}
+
+%description -n libsss_certmap-devel
+Library to map certificates to users based on rules
+
+%package kcm
+Summary: An implementation of a Kerberos KCM server
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+%if %{build_kcm_renewals}
+Requires: krb5-libs >= %{krb5_version}
+%endif
+%{?systemd_requires}
+
+%description kcm
+An implementation of a Kerberos KCM server. Use this package if you want to
+use the KCM: Kerberos credentials cache.
+
+%package idp
+Summary: Kerberos plugins and OIDC helper for external identity providers.
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+
+%description idp
+This package provides Kerberos plugins that are required to enable
+authentication against external identity providers. Additionally a helper
+program to handle the OAuth 2.0 Device Authorization Grant is provided.
+
+%if %{build_passkey}
+%package passkey
+Summary: SSSD helpers and plugins needed for authentication with passkey token
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+Requires: libfido2
+
+%description passkey
+This package provides helper processes and Kerberos plugins that are required to
+enable authentication with passkey token.
+%endif
+
+%prep
+%autosetup -p1
+
+%build
+
+autoreconf -ivf
+
+%configure \
+    --disable-rpath \
+    --disable-static \
+    --enable-gss-spnego-for-zero-maxssf \
+    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
+    --enable-nsslibdir=%{_libdir} \
+    --enable-pammoddir=%{_libdir}/security \
+    --enable-sss-default-nss-plugin \
+    --enable-systemtap \
+    --with-db-path=%{dbpath} \
+    --with-gpo-cache-path=%{gpocachepath} \
+    --with-init-dir=%{_initrddir} \
+    --with-initscript=systemd \
+    --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
+    --with-mcache-path=%{mcpath} \
+    --with-pid-path=%{_rundir} \
+    --with-pipe-path=%{pipepath} \
+    --with-pubconf-path=%{pubconfpath} \
+    --with-sssd-user=%{sssd_user} \
+    --with-syslog=journald \
+    --with-test-dir=/dev/shm \
+%if %{build_subid}
+    --with-subid \
+%endif
+%if 0%{?fedora}
+    --disable-polkit-rules-path \
+%endif
+%if %{build_passkey}
+    --with-passkey \
+%endif
+    %{nil}
+
+%make_build all docs runstatedir=%{_rundir}
+
+%py3_shebang_fix src/tools/analyzer/sss_analyze
+sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
+
+%check
+export CK_TIMEOUT_MULTIPLIER=10
+%make_build check VERBOSE=yes
+unset CK_TIMEOUT_MULTIPLIER
+
+%install
+
+%make_install
+
+# Prepare language files
+/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
+
+# Copy default logrotate file
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
+install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sssd
+
+# Make sure SSSD is able to run on read-only root
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
+install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd
+
+# Kerberos KCM credential cache by default
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
+
+# Enable krb5 idp plugins by default (when sssd-idp package is installed)
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
+
+# Enable krb5 passkey plugins by default (when sssd-passkey package is installed)
+%if %{build_passkey}
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
+%endif
+
+# krb5 configuration snippet
+cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
+   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
+
+# Create directory for cifs-idmap alternative
+# Otherwise this directory could not be owned by sssd-client
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
+
+# Remove .la files created by libtool
+find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
+
+# Suppress developer-only documentation
+rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
+
+# Older versions of rpmbuild can only handle one -f option
+# So we need to append to the sssd*.lang file
+for file in `find $RPM_BUILD_ROOT/%{python3_sitelib} -maxdepth 1 -name "*.egg-info" 2> /dev/null`
+do
+    echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
+done
+
+touch sssd.lang
+for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
+                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
+                  libsss_certmap sssd_kcm
+do
+    touch $subpackage.lang
+done
+
+for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
+do
+    lang=`echo $man | cut -c 1-2`
+    case `basename $man` in
+        sss_cache*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
+            ;;
+        sss_ssh*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
+            ;;
+        sss_rpcidmapd*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_nfs_idmap.lang
+            ;;
+        sss_*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
+            ;;
+        sssctl*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
+            ;;
+        sssd_krb5_*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
+            ;;
+        pam_sss*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
+            ;;
+        sssd-ldap*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang
+            ;;
+        sssd-krb5*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_krb5.lang
+            ;;
+        sssd-ipa*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ipa.lang
+            ;;
+        sssd-ad*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ad.lang
+            ;;
+        sssd-proxy*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_proxy.lang
+            ;;
+        sssd-ifp*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
+            ;;
+        sssd-kcm*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
+            ;;
+        idmap_sss*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
+            ;;
+        sss-certmap*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
+            ;;
+        *)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
+            ;;
+    esac
+done
+
+# Print these to the rpmbuild log
+echo "sssd.lang:"
+cat sssd.lang
+
+echo "python3_sssdconfig.lang:"
+cat python3_sssdconfig.lang
+
+for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
+                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
+                  libsss_certmap sssd_kcm
+do
+    echo "$subpackage.lang:"
+    cat $subpackage.lang
+done
+
+%files
+%license COPYING
+
+%files common -f sssd.lang
+%license COPYING
+%doc src/examples/sssd-example.conf
+%{_sbindir}/sssd
+%{_unitdir}/sssd.service
+%{_unitdir}/sssd-autofs.socket
+%{_unitdir}/sssd-autofs.service
+%{_unitdir}/sssd-nss.socket
+%{_unitdir}/sssd-nss.service
+%{_unitdir}/sssd-pac.socket
+%{_unitdir}/sssd-pac.service
+%{_unitdir}/sssd-pam.socket
+%{_unitdir}/sssd-pam-priv.socket
+%{_unitdir}/sssd-pam.service
+%{_unitdir}/sssd-ssh.socket
+%{_unitdir}/sssd-ssh.service
+%{_unitdir}/sssd-sudo.socket
+%{_unitdir}/sssd-sudo.service
+
+%dir %{_libexecdir}/%{servicename}
+%{_libexecdir}/%{servicename}/sssd_be
+%{_libexecdir}/%{servicename}/sssd_nss
+%{_libexecdir}/%{servicename}/sssd_pam
+%{_libexecdir}/%{servicename}/sssd_autofs
+%{_libexecdir}/%{servicename}/sssd_ssh
+%{_libexecdir}/%{servicename}/sssd_sudo
+%{_libexecdir}/%{servicename}/p11_child
+%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders
+
+%dir %{_libdir}/%{name}
+%{_libdir}/%{name}/libsss_simple.so
+
+#Internal shared libraries
+%{_libdir}/%{name}/libsss_child.so
+%{_libdir}/%{name}/libsss_crypt.so
+%{_libdir}/%{name}/libsss_cert.so
+%{_libdir}/%{name}/libsss_debug.so
+%{_libdir}/%{name}/libsss_krb5_common.so
+%{_libdir}/%{name}/libsss_ldap_common.so
+%{_libdir}/%{name}/libsss_util.so
+%{_libdir}/%{name}/libsss_semanage.so
+%{_libdir}/%{name}/libifp_iface.so
+%{_libdir}/%{name}/libifp_iface_sync.so
+%{_libdir}/%{name}/libsss_iface.so
+%{_libdir}/%{name}/libsss_iface_sync.so
+%{_libdir}/%{name}/libsss_sbus.so
+%{_libdir}/%{name}/libsss_sbus_sync.so
+
+%{ldb_modulesdir}/memberof.so
+%{_bindir}/sss_ssh_authorizedkeys
+%{_bindir}/sss_ssh_knownhostsproxy
+%{_sbindir}/sss_cache
+%{_libexecdir}/%{servicename}/sss_signal
+
+%dir %{sssdstatedir}
+%dir %{_localstatedir}/cache/krb5rcache
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
+%attr(700,root,root) %dir %{secdbpath}
+%attr(751,root,root) %dir %{deskprofilepath}
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
+%attr(750,%{sssd_user},root) %dir %{pipepath}/private
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
+%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
+%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
+%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
+%dir %{_sysconfdir}/logrotate.d
+%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
+%dir %{_sysconfdir}/rwtab.d
+%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
+%dir %{_datadir}/sssd
+%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
+%dir %{_libdir}/%{name}/conf
+%{_libdir}/%{name}/conf/sssd.conf
+
+%{_datadir}/sssd/cfg_rules.ini
+%{_mandir}/man1/sss_ssh_authorizedkeys.1*
+%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
+%{_mandir}/man5/sssd.conf.5*
+%{_mandir}/man5/sssd-simple.5*
+%{_mandir}/man5/sssd-sudo.5*
+%{_mandir}/man5/sssd-session-recording.5*
+%{_mandir}/man8/sssd.8*
+%{_mandir}/man8/sss_cache.8*
+%dir %{_datadir}/sssd/systemtap
+%{_datadir}/sssd/systemtap/id_perf.stp
+%{_datadir}/sssd/systemtap/nested_group_perf.stp
+%{_datadir}/sssd/systemtap/dp_request.stp
+%{_datadir}/sssd/systemtap/ldap_perf.stp
+%dir %{_datadir}/systemtap
+%dir %{_datadir}/systemtap/tapset
+%{_datadir}/systemtap/tapset/sssd.stp
+%{_datadir}/systemtap/tapset/sssd_functions.stp
+%{_mandir}/man5/sssd-systemtap.5*
+
+%if 0%{?rhel}
+%files polkit-rules
+%{_datadir}/polkit-1/rules.d/*
+%endif
+
+%files ldap -f sssd_ldap.lang
+%license COPYING
+%{_libdir}/%{name}/libsss_ldap.so
+%{_mandir}/man5/sssd-ldap.5*
+%{_mandir}/man5/sssd-ldap-attributes.5*
+
+%files krb5-common
+%license COPYING
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
+
+%files krb5 -f sssd_krb5.lang
+%license COPYING
+%{_libdir}/%{name}/libsss_krb5.so
+%{_mandir}/man5/sssd-krb5.5*
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
+%dir %{_datadir}/sssd/krb5-snippets
+%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
+
+%files common-pac
+%license COPYING
+%{_libexecdir}/%{servicename}/sssd_pac
+
+%files ipa -f sssd_ipa.lang
+%license COPYING
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
+%{_libdir}/%{name}/libsss_ipa.so
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
+%{_mandir}/man5/sssd-ipa.5*
+
+%files ad -f sssd_ad.lang
+%license COPYING
+%{_libdir}/%{name}/libsss_ad.so
+%{_libexecdir}/%{servicename}/gpo_child
+%{_mandir}/man5/sssd-ad.5*
+
+%files proxy
+%license COPYING
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
+%{_libdir}/%{name}/libsss_proxy.so
+
+%files dbus -f sssd_dbus.lang
+%license COPYING
+%{_libexecdir}/%{servicename}/sssd_ifp
+%{_mandir}/man5/sssd-ifp.5*
+%{_unitdir}/sssd-ifp.service
+# InfoPipe DBus plumbing
+%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
+
+%files client -f sssd_client.lang
+%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libnss_sss.so.2
+%if %{build_subid}
+%{_libdir}/libsubid_sss.so
+%endif
+%{_libdir}/security/pam_sss.so
+%{_libdir}/security/pam_sss_gss.so
+%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
+%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
+%dir %{_libdir}/cifs-utils
+%{_libdir}/cifs-utils/cifs_idmap_sss.so
+%dir %{_sysconfdir}/cifs-utils
+%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
+%dir %{_libdir}/%{name}
+%dir %{_libdir}/%{name}/modules
+%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
+%{_mandir}/man8/pam_sss.8*
+%{_mandir}/man8/pam_sss_gss.8*
+%{_mandir}/man8/sssd_krb5_locator_plugin.8*
+%{_mandir}/man8/sssd_krb5_localauth_plugin.8*
+
+%files -n libsss_sudo
+%license src/sss_client/COPYING
+%{_libdir}/libsss_sudo.so*
+
+%files -n libsss_autofs
+%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%dir %{_libdir}/%{name}/modules
+%{_libdir}/%{name}/modules/libsss_autofs.so
+
+%files tools -f sssd_tools.lang
+%license COPYING
+%{_sbindir}/sss_obfuscate
+%{_sbindir}/sss_override
+%{_sbindir}/sss_debuglevel
+%{_sbindir}/sss_seed
+%{_sbindir}/sssctl
+%{_libexecdir}/%{servicename}/sss_analyze
+%{python3_sitelib}/sssd/
+%{_mandir}/man8/sss_obfuscate.8*
+%{_mandir}/man8/sss_override.8*
+%{_mandir}/man8/sss_debuglevel.8*
+%{_mandir}/man8/sss_seed.8*
+%{_mandir}/man8/sssctl.8*
+
+%files -n python3-sssdconfig -f python3_sssdconfig.lang
+%dir %{python3_sitelib}/SSSDConfig
+%{python3_sitelib}/SSSDConfig/*.py*
+%dir %{python3_sitelib}/SSSDConfig/__pycache__
+%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
+%dir %{_datadir}/sssd
+%{_datadir}/sssd/sssd.api.conf
+%{_datadir}/sssd/sssd.api.d
+
+%files -n python3-sss
+%{python3_sitearch}/pysss.so
+
+%files -n python3-sss-murmur
+%{python3_sitearch}/pysss_murmur.so
+
+%files -n libsss_idmap
+%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libsss_idmap.so.*
+
+%files -n libsss_idmap-devel
+%doc idmap_doc/html
+%{_includedir}/sss_idmap.h
+%{_libdir}/libsss_idmap.so
+%{_libdir}/pkgconfig/sss_idmap.pc
+
+%files -n libipa_hbac
+%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libipa_hbac.so.*
+
+%files -n libipa_hbac-devel
+%doc hbac_doc/html
+%{_includedir}/ipa_hbac.h
+%{_libdir}/libipa_hbac.so
+%{_libdir}/pkgconfig/ipa_hbac.pc
+
+%files -n libsss_nss_idmap
+%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libsss_nss_idmap.so.*
+
+%files -n libsss_nss_idmap-devel
+%doc nss_idmap_doc/html
+%{_includedir}/sss_nss_idmap.h
+%{_libdir}/libsss_nss_idmap.so
+%{_libdir}/pkgconfig/sss_nss_idmap.pc
+
+%files -n python3-libsss_nss_idmap
+%{python3_sitearch}/pysss_nss_idmap.so
+
+%files -n python3-libipa_hbac
+%{python3_sitearch}/pyhbac.so
+
+%files winbind-idmap -f sssd_winbind_idmap.lang
+%dir %{_libdir}/samba/idmap
+%{_libdir}/samba/idmap/sss.so
+%{_mandir}/man8/idmap_sss.8*
+
+%files nfs-idmap -f sssd_nfs_idmap.lang
+%{_mandir}/man5/sss_rpcidmapd.5*
+%{_libdir}/libnfsidmap/sss.so
+
+%files -n libsss_certmap -f libsss_certmap.lang
+%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libsss_certmap.so.*
+%{_mandir}/man5/sss-certmap.5*
+
+%files -n libsss_certmap-devel
+%doc certmap_doc/html
+%{_includedir}/sss_certmap.h
+%{_libdir}/libsss_certmap.so
+%{_libdir}/pkgconfig/sss_certmap.pc
+
+%files kcm -f sssd_kcm.lang
+%{_libexecdir}/%{servicename}/sssd_kcm
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
+%dir %{_datadir}/sssd-kcm
+%{_datadir}/sssd-kcm/kcm_default_ccache
+%{_unitdir}/sssd-kcm.socket
+%{_unitdir}/sssd-kcm.service
+%{_mandir}/man8/sssd-kcm.8*
+
+%files idp
+%{_libexecdir}/%{servicename}/oidc_child
+%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
+%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
+
+%if %{build_passkey}
+%files passkey
+%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child
+%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so
+%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
+%endif
+
+%if 0%{?rhel}
+%pre common
+getent group sssd >/dev/null || groupadd -r sssd
+getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+%endif
+
+%post common
+%systemd_post sssd.service
+%systemd_post sssd-autofs.socket
+%systemd_post sssd-nss.socket
+%systemd_post sssd-pac.socket
+%systemd_post sssd-pam.socket
+%systemd_post sssd-pam-priv.socket
+%systemd_post sssd-ssh.socket
+%systemd_post sssd-sudo.socket
+
+%preun common
+%systemd_preun sssd.service
+%systemd_preun sssd-autofs.socket
+%systemd_preun sssd-nss.socket
+%systemd_preun sssd-pac.socket
+%systemd_preun sssd-pam.socket
+%systemd_preun sssd-pam-priv.socket
+%systemd_preun sssd-ssh.socket
+%systemd_preun sssd-sudo.socket
+
+%postun common
+%systemd_postun_with_restart sssd-autofs.socket
+%systemd_postun_with_restart sssd-nss.socket
+%systemd_postun_with_restart sssd-pac.socket
+%systemd_postun_with_restart sssd-pam.socket
+%systemd_postun_with_restart sssd-pam-priv.socket
+%systemd_postun_with_restart sssd-ssh.socket
+%systemd_postun_with_restart sssd-sudo.socket
+
+# Services have RefuseManualStart=true, therefore we can't request restart.
+%systemd_postun sssd-autofs.service
+%systemd_postun sssd-nss.service
+%systemd_postun sssd-pac.service
+%systemd_postun sssd-pam.service
+%systemd_postun sssd-ssh.service
+%systemd_postun sssd-sudo.service
+
+%post dbus
+%systemd_post sssd-ifp.service
+
+%preun dbus
+%systemd_preun sssd-ifp.service
+
+%postun dbus
+%systemd_postun_with_restart sssd-ifp.service
+
+%post kcm
+%systemd_post sssd-kcm.socket
+
+%preun kcm
+%systemd_preun sssd-kcm.socket
+
+%postun kcm
+%systemd_postun_with_restart sssd-kcm.socket
+%systemd_postun_with_restart sssd-kcm.service
+
+%post client
+/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20
+
+%preun client
+if [ $1 -eq 0 ] ; then
+        /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
+fi
+
+%posttrans common
+%systemd_postun_with_restart sssd.service
+
+%changelog
+* Thu Jan 21 2021 Pavel Březina <pbrezina@redhat.com> - @PACKAGE_NAME@-@PACKAGE_VERSION@-0@PRERELEASE_VERSION@
+- Built from upstream sources.