80 files changed, 4931 insertions, 0 deletions
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..5dde0bf
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,58 @@
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+To configure quilt to use debian/patches instead of patches, you want
+either to export QUILT_PATCHES=debian/patches in your environment
+or use this snippet in your ~/.quiltrc:
+
+ for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
+ if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
+ export QUILT_PATCHES=debian/patches
+ break
+ fi
+ done
+
+To get the fully patched source after unpacking the source package, cd to
+the root level of the source package and run:
+
+ quilt push -a
+
+The last patch listed in debian/patches/series will become the current
+patch.
+
+To add a new set of changes, first run quilt push -a, and then run:
+
+ quilt new <patch>
+
+where <patch> is a descriptive name for the patch, used as the filename in
+debian/patches. Then, for every file that will be modified by this patch,
+run:
+
+ quilt add <file>
+
+before editing those files. You must tell quilt with quilt add what files
+will be part of the patch before making changes or quilt will not work
+properly. After editing the files, run:
+
+ quilt refresh
+
+to save the results as a patch.
+
+Alternately, if you already have an external patch and you just want to
+add it to the build system, run quilt push -a and then:
+
+ quilt import -P <patch> /path/to/patch
+ quilt push -a
+
+(add -p 0 to quilt import if needed). <patch> as above is the filename to
+use in debian/patches. The last quilt push -a will apply the patch to
+make sure it works properly.
+
+To remove an existing patch from the list of patches that will be applied,
+run:
+
+ quilt delete <patch>
+
+You may need to run quilt pop -a to unapply patches first before running
+this command.
diff --git a/debian/apparmor-profile b/debian/apparmor-profile
new file mode 100644
index 0000000..fadfa6c
--- /dev/null
+++ b/debian/apparmor-profile
@@ -0,0 +1,59 @@
+#include <tunables/global>
+
+/usr/sbin/sssd {
+ #include <abstractions/base>
+ #include <abstractions/kerberosclient>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_nice,
+ capability sys_resource,
+
+ @{PROC} r,
+ @{PROC}/[0-9]*/net/psched r,
+ @{PROC}/[0-9]*/status r,
+
+ /etc/krb5.keytab k,
+ /etc/ldap/ldap.conf r,
+ /etc/libnl-3/classid r,
+ /etc/localtime r,
+ /etc/shells r,
+ /etc/sssd/sssd.conf r,
+ /etc/sssd/conf.d/ r,
+ /etc/sssd/conf.d/** r,
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/** r,
+ /usr/share/sssd/cfg_rules.ini r,
+
+ /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
+ /usr/lib/@{multiarch}/samba/ldb/* m,
+ /usr/lib/@{multiarch}/sssd/* rix,
+ /usr/libexec/sssd/* rmix,
+ /usr/sbin/sssd rmix,
+
+ /tmp/{,.}krb5cc_* rwk,
+
+ /var/lib/sss/* rw,
+ /var/lib/sss/db/* rwk,
+ /var/lib/sss/gpo_cache/* rw,
+ /var/lib/sss/mc/* rw,
+ /var/lib/sss/pipes/* rw,
+ /var/lib/sss/pipes/private/* rw,
+ /var/lib/sss/pubconf/* rw,
+ /var/lib/sss/pubconf/krb5.include.d/ r,
+ /var/lib/sss/pubconf/krb5.include.d/* rw,
+ /var/log/sssd/* rw,
+ /var/tmp/host_* rw,
+
+ /{,var/}run/sssd.pid rw,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.sssd>
+}
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..1d30ec2
--- /dev/null
+++ b/debian/changelog
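Review bot: The capability block near the top of the `/usr/sbin/sssd` profile grants `capability sys_admin` and `capability dac_override` with no comment saying which sssd operation needs them, and since `/usr/libexec/sssd/* rmix` and `/usr/lib/@{multiarch}/sssd/* rix` execute the helpers with `ix`, those children run confined by this same profile and inherit the whole capability set. These two are the broadest entries in the list, so a maintainer tightening the profile later has nothing to go on; a one-line why-comment above them would fix that, e.g. `# sys_admin, dac_override: TODO(review) record which sssd helper needs these before narrowing`. The same applies to `dac_read_search`, which overlaps with `dac_override` for read access and could carry the same note. The profile hunk is complete within this section.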
@@ -0,0 +1,1363 @@ +sssd (2.9.4-1) unstable; urgency=medium + + [ Sergio Durigan Junior ] + * Improve certificate/smartcard dep8 tests. + - d/t/control: Don't depend on "needs-sudo" restriction, since the + tests don't really use "sudo" selectively but rather rely on a normal + user being setup as a side effect of "needs-sudo". Instead, we can + use "needs-root". + - d/t/sssd-smart-card-pam-auth-configs-tester.sh, + d/t/sssd-softhism2-certificates-tests.sh: Use + "${AUTOPKGTEST_NORMAL_USER}" instead of "$SUDO_USER". + + [ Timo Aaltonen ] + * New upstream release. + * control: Migrate to systemd-dev. (Closes: #1060512) + * rules, install: Use systemdsystemunitdir. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 18 Jan 2024 12:04:33 +0200 + +sssd (2.9.2-1) unstable; urgency=medium + + [ Timo Aaltonen ] + * New upstream release. + * control, rules: Add bc to build-depends, enable tests again. + + [ Marco Trevisan (Treviño) ] + * debian: Add pam-auth-update SSSD Smart card configurations + * debian/tests: Add tests for smart card verification + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 15 Sep 2023 11:18:38 +0300 + +sssd (2.9.1-2) unstable; urgency=medium + + [ Sergio Durigan Junior ] + * Enable files provider. + SSSD 2.9.0 has deprecated "id_provider = files", but that's still + needed for smartcard authentication of local users. + - d/rules: Build with "--with-files-provider". + - d/sssd-common.install: Install libsss_files.so and sssd-files.5. + (Closes: #1041438) (LP: #2028084) + * d/rules: Remove deprecated options "--disable-files-domain". + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 25 Jul 2023 15:01:14 +0300 + +sssd (2.9.1-1) unstable; urgency=medium + + * New upstream release. + * libnss-sss.postinst: Migrate to use 'case' like the other postinsts. + * patches: Drop an upstreamed patch. + * Drop deprecated simple-ifp library and files provider. + * control, rules: Add sssd-passkey, and libfido2-dev to build-depends. 
+ * ci: Allow piuparts to fail, because handling of nsswitch.conf ownership + is broken. + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 04 Jul 2023 08:48:49 +0300 + +sssd (2.8.2-4) unstable; urgency=medium + + [ Sam Morris ] + * Don't add subid to /etc/nsswitch.conf (Closes: #1032990) + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 11 Apr 2023 15:19:36 +0300 + +sssd (2.8.2-3) unstable; urgency=medium + + [ Gioele Barabucci ] + * d/libnss-sss.nss: Update to `database-add` + * d/libsss-sudo.nss: Install `sss` service for sudoers via dh-nss (Closes: #783889) + * d/libsss-sudo.post{inst,rm}: Remove now that the services are installed via dh-nss + * d/sssd-common.nss: Use new directive name `database-add` + * Install dbus policy in /usr instead of /etc (Closes: #1031547) + + [ Sam Morris ] + * sssd-common: add lintian overrides for libsubid_sss.so + + -- Timo Aaltonen <tjaalton@debian.org> Sun, 26 Feb 2023 16:35:48 +0200 + +sssd (2.8.2-2) unstable; urgency=medium + + [ Sam Morris ] + * Ship libsubid_sss.so in sssd-common package + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 14 Feb 2023 17:48:19 +0200 + +sssd (2.8.2-1) unstable; urgency=medium + + * New upstream release. + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 14 Feb 2023 17:40:37 +0200 + +sssd (2.8.1-2) unstable; urgency=medium + + * d/rules: Fix 'find' syntax to remove '*.egg-info' files/directories. + (Closes: #1026490) + + -- Sergio Durigan Junior <sergiodj@debian.org> Tue, 03 Jan 2023 16:36:00 -0500 + +sssd (2.8.1-1) unstable; urgency=medium + + * New upstream release. + * watch: Updated for current github behaviour. + * support-krb5-1.20.diff: Dropped, upstream. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 23 Nov 2022 10:10:41 +0200 + +sssd (2.7.4-1) unstable; urgency=medium + + [ Timo Aaltonen ] + * New upstream release. + * control: Add bind9-dnsutils to sssd-common Recommends, and rename + dnsutils build-dep. 
(Closes: #1018144) + + [ Sergio Durigan Junior ] + * Simplify logic to add "automount" database into nsswitch. + - d/libnss-sss.nss: Add "automount database" directive. + - d/libnss-sss.postinst: Remove logic to insert "automount" database + into nsswitch; not necessary anymore now that the package uses dh-nss. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 22 Sep 2022 15:34:06 +0300 + +sssd (2.7.3-2) unstable; urgency=medium + + [ Timo Aaltonen ] + * patches: Allow building the pac_responder with krb5 1.20. (Closes: + #1016220) + + [ Gioele Barabucci ] + * d/libnss-sss.post{inst,rm}: Add DPKG_ROOT support + * d/libnss-sss.postinst: Fix use of outdated `automounter` instead of `automount` + * d/libnss-sss.nss: Install NSS service `sss` via dh_installnss + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 17 Aug 2022 16:46:47 +0300 + +sssd (2.7.3-1) unstable; urgency=medium + + * New upstream release. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 06 Jul 2022 08:52:58 +0300 + +sssd (2.7.2-3) unstable; urgency=medium + + * d/p/fix-shebang-on-sss_analyze.patch: Fix shebang on sss_analyze. + + -- Sergio Durigan Junior <sergiodj@debian.org> Wed, 22 Jun 2022 11:00:11 -0400 + +sssd (2.7.2-2) unstable; urgency=medium + + * rules, install: Fix python install directory. (LP: #1979453) + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 22 Jun 2022 16:54:42 +0300 + +sssd (2.7.2-1) unstable; urgency=medium + + * New upstream release. + * pac-relax-default-for-pac_check-option.diff: Dropped, upstream. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 22 Jun 2022 13:19:27 +0300 + +sssd (2.7.1-2) unstable; urgency=medium + + * pac-relax-default-for-pac_check-option.diff: Drop pac_present from + default PAC check. (Closes: #1012502) + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 09 Jun 2022 10:19:37 +0300 + +sssd (2.7.1-1) unstable; urgency=medium + + * New upstream release. + * control: Drop sssd-ipd from sssd-ipa depends. + * sssd-common.install: Add a new manpage. 
+ + -- Timo Aaltonen <tjaalton@debian.org> Mon, 06 Jun 2022 16:32:34 +0300 + +sssd (2.7.0-1) unstable; urgency=medium + + * New upstream release. + * Update signing-key.asc. + * source: Update diff-ignores. + * control, rules: Add sssd-idp package, which includes plugins for + external identity providers. + * control, rules: Enable krb5 config snippets by default. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 25 May 2022 12:59:05 +0300 + +sssd (2.6.3-3) unstable; urgency=medium + + * tests: Dump the daemon status after restart, hoping to see what the + error is if it fails to start. + * rules: Drop --with-ldb-dir, use the default value from the pkgconfig + file. (Closes: #1009223) + + -- Timo Aaltonen <tjaalton@debian.org> Sun, 10 Apr 2022 10:57:30 +0300 + +sssd (2.6.3-2) unstable; urgency=medium + + * rules: Disable lto. + * Rebuild against current python-defaults. (Closes: #1008583) + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 29 Mar 2022 10:04:50 +0300 + +sssd (2.6.3-1) unstable; urgency=medium + + * New upstream release. + * control: Migrate to PCRE2. (Closes: #999951) + * Update signing-key.asc. + * control: Drop python3-click from sssd-tools depends. + * sssd-tools.install: Updated. + * tests: Drop RANDFILE from tests/util. (Closes: #1001476) + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 11 Feb 2022 09:35:43 +0200 + +sssd (2.6.1-1) unstable; urgency=medium + + * New upstream release. + * patches: Dropped upstream patches. + * control: Add libunistring-dev to build-depends. + * sssd-common.install: Drop libsss_secrets, removed upstream. + * tools: Add sss_analyze. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 17 Nov 2021 20:33:29 +0200 + +sssd (2.5.2-5) unstable; urgency=medium + + * control: Fix libsemanage-dev build-dep. (Closes: #998634) + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 08 Nov 2021 21:17:29 +0200 + +sssd (2.5.2-4) unstable; urgency=medium + + * control: Promote libnss-sss and libpam-sss to sssd-common Depends. 
+ (Closes: #995730) + * common: Drop old Breaks/Replaces. + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 11 Oct 2021 17:46:04 +0300 + +sssd (2.5.2-3) unstable; urgency=medium + + * rules: Explicitly set sssd-user as root. + * install: Add sssd-pcsc.rules to -common. + * postinst: Correct file/dir permissions and ownership when the daemon + is run as root. (Closes: #994807) + * 0001-ad-fallback-to-ldap-if-cldap-is-not-available-in-lib.patch: Our + libldap is built without LDAP_CONNECTIONLESS, cope with that. + (Closes: #994879) + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 22 Sep 2021 18:54:07 +0300 + +sssd (2.5.2-2) unstable; urgency=medium + + * rules: Disable tests for now. (Closes: #994479) + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 20 Sep 2021 17:38:19 +0300 + +sssd (2.5.2-1) unstable; urgency=medium + + [ Sergio Durigan Junior ] + * d/apparmor-profile: Update profile: + - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*. + - Add read/execute permission to /usr/libexec/sssd/*. + + [ Timo Aaltonen ] + * New upstream release. (Closes: #978904, #992815, #983795) + * fix-whitespace-test.diff: Refreshed. + * control, rules: Drop libwbclient-sssd-*, support for it was dropped upstream. + * fix_newer_autoconf.patch: Don't unset python prefix/exec-prefix. + * patches: Fix CVE-2021-3621. (Closes: #992710) + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 16 Sep 2021 14:51:42 +0300 + +sssd (2.4.1-2) unstable; urgency=medium + + [ Marco Trevisan (Treviño) ] + * debian/control: Mark test packages as <!nocheck> + - Add missing test dependencies + - Enable libcmocka (and so unit tests) all the archs + * debian/rules: + - Don't run tests if nocheck is set + - Enable tests again + * debian/patches: + - Get libsofthsm2 from right path for each architecture + + [ Timo Aaltonen ] + * test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch: + Dropped, upstream. 
+ + -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Feb 2021 13:49:04 +0200 + +sssd (2.4.1-1) unstable; urgency=medium + + * New upstream release. + * libpam-sss.install: Add pam_sss_gss. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Feb 2021 11:32:35 +0200 + +sssd (2.4.0-1) unstable; urgency=medium + + * New upstream release. + * source: Update diff-ignore. + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 08 Dec 2020 22:36:54 +0200 + +sssd (2.3.1-3) unstable; urgency=medium + + * control: Move libsss-sudo to sssd-common Suggests. (LP: #1249777) + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 06 Oct 2020 15:56:19 +0300 + +sssd (2.3.1-2) unstable; urgency=medium + + * control: Add sssd-dbus to sssd-tools Recommends. (LP: #1895645) + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 17 Sep 2020 14:15:03 +0300 + +sssd (2.3.1-1) unstable; urgency=medium + + * New upstream release. (Closes: #965307, #965143) + * source: Extend diff-ignore. + * rules: Set --with-libwbclient. + * control: Add libsofthsm2 to build-depends for tests. + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 28 Jul 2020 17:14:55 +0300 + +sssd (2.3.0-2) unstable; urgency=medium + + * rules: Drop quilt, autoreconf from dh. + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 13 Jul 2020 15:49:20 +0300 + +sssd (2.3.0-1) unstable; urgency=medium + + * New upstream release. (Closes: #964701, #964240) + * source: Migrate to 3.0 (quilt). + * source/local-options: Add files not found on upstream tarball to + extend-diff-ignore. + * rules: Use journald for logging. (Closes: #960673) + * rules: Use /run for pid-path. + * sssd-common.sssd.default: Add DEBUG_LOGGER but commented out. + * watch: Update url to github. + * Add signing-key from Pavel Březina. + * fix-946847.diff, fix-python3.8-ftbfs.diff: Dropped, upstream. + * control: Use debhelper-compat. + * control, rules: Build with openssl. + * rules: Disable tests until a failing pam upn test is sorted out. + * control: Drop quilt from build-depends. 
+ + -- Timo Aaltonen <tjaalton@debian.org> Mon, 13 Jul 2020 11:35:33 +0300 + +sssd (2.2.3-3) unstable; urgency=medium + + * libnss-sss: Fix a typo in adding the NSS entry for automount. + (LP: #1873752) + * control, watch: Update upstream url to github. + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 20 Apr 2020 17:52:18 +0300 + +sssd (2.2.3-2) unstable; urgency=medium + + * libnss-sss: Add an entry for automounter to nsswitch.conf. This is + needed by ipa-client-automount. + * Added gitlab-ci.yml. + * fix-python3.8-ftbfs.diff: Fix build against python3.8. + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 06 Mar 2020 21:58:28 +0200 + +sssd (2.2.3-1.1) unstable; urgency=medium + + * Non-maintainer upload with maintainer permission. + * Fix sssd_be busy-looping when LDAP connection flickers. + (Closes: #946847) + + -- Thorsten Glaser <tg@mirbsd.de> Fri, 21 Feb 2020 14:04:25 +0100 + +sssd (2.2.3-1) unstable; urgency=medium + + * New upstream release. + * default-to-socket-activated-services.diff: Refreshed. + * sssd-ldap.install: Updated. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 20 Feb 2020 13:06:35 +0200 + +sssd (2.2.2-1) unstable; urgency=medium + + * New upstream release. + * default-to-socket-activated-services.diff: Don't enable any + services when run without a conffile. + * fix-have-systemd.diff: Dropped, upstream. + * default-to-socket-activated-services.diff: Refreshed. + * signing-key: Add key from Michal Židek. + * Get rid of all old pre/postinst file removal fluff, since that's all + obsolete by now. + * Drop python2 support. 
(Closes: #938566) + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 18 Sep 2019 15:27:44 +0300 + +sssd (2.2.0-4) unstable; urgency=medium + + [ Sam Morris ] + * fix-have-systemd.patch: correct detection of systemd.pc + (Closes: #932080) + * default-to-socket-activated-services.diff: rely on socket activation + to spawn nss and pam responders + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 19 Jul 2019 18:15:41 +0300 + +sssd (2.2.0-3) unstable; urgency=medium + + * common/ipa/krb5-common/proxy.postinst: Use libexec path. (Closes: + #931859) + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 12 Jul 2019 10:01:06 +0300 + +sssd (2.2.0-2) unstable; urgency=medium + + * rules: Override dh_installman, let dh_install handle installing + manpages too. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 11 Jul 2019 00:53:36 +0300 + +sssd (2.2.0-1) unstable; urgency=medium + + * New upstream release. + * control: Bump policy to 4.4.0. + * control, compat, rules: Bump debhelper to 12. + * *.install: Updated, some files moved to /usr/libexec. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Jul 2019 10:14:09 +0300 + +sssd (2.1.0-1) experimental; urgency=medium + + * New upstream release. + * sssd-tools.install: Local domain support is deprecated and not + built by default anymore, so drop the files. + * control, sssd-common.install: Secrets responder is dropped, deprecated. + * control: Add ldap-utils to build-depends, tests need it. + * sssd-common.install: Add new internal libs for iface/sbus. + * fix-whitespace-test.diff: Fix ignoring the debian dir. + * rules: Update the clean target. + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 27 May 2019 13:55:38 +0300 + +sssd (1.16.4-1~exp1) experimental; urgency=medium + + [ Timo Aaltonen ] + * New upstream release. (LP: #1572908) + * Drop patches, all upstream. + * Enable systemd responders. (Closes: #925026, #923882) + + [ Dominik George ] + * Acknowledge NMU. + * Add myself to Uploaders. 
+ + -- Timo Aaltonen <tjaalton@debian.org> Wed, 03 Apr 2019 09:56:33 +0300 + +sssd (1.16.3-3.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix copy_ccache test broken by recent krb5 changes. (Closes: #921761) + * Fix PAC responder build with krb5 1.17. (Closes: #923125) + + -- Dominik George <natureshadow@debian.org> Sun, 24 Feb 2019 11:05:55 +0100 + +sssd (1.16.3-3) unstable; urgency=medium + + * fix-curl-ftbfs.diff: Fix build with current curl. (Closes: #913403) + * Rebuild with python3.7. (Closes: #915199, #915168) + + -- Timo Aaltonen <tjaalton@debian.org> Sun, 02 Dec 2018 11:16:57 +0200 + +sssd (1.16.3-2) unstable; urgency=medium + + [ Jeremy Bicha ] + * Don't require libgdm-dev on s390x or non-Linux architectures + (Closes: #913030) + + [ Andreas Hasenack ] + * d/t/{ldap-user-group-ldap-auth,control,login.exp,util,common-tests}: add + LDAP DEP8 test + * d/t/{util,login.exp,ldap-user-group-krb5-auth,control}: add krb5 DEP8 test + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 06 Nov 2018 16:55:34 +0200 + +sssd (1.16.3-1) unstable; urgency=medium + + * New upstream release. + * control: Add python-sss to sssd-tools depends. (Closes: #905220) + * libsss-sudo: Add sss entry to nsswitch only on initial install. + (Closes: #903917) + * control: Update list address. + * disable-tests.diff: Dropped, all tests pass on a proper buildd setup + which should have /etc/{hosts,networks} populated. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 22 Aug 2018 16:34:01 +0300 + +sssd (1.16.2-1) unstable; urgency=medium + + * New upstream release. (LP: #1778554) + * control: Enable tests, add check and libcmocka-dev to build-depends. + * rules: Use samba idmap version 6. + * disable-tests.diff: Disable three tests that are known to fail in + sbuild. + * control: Drop obsolete build-depends. + * control: Update VCS urls. + * control: Drop specifying python versions. + * control: Change priority to optional. + * libsss-sudo.post*: Don't call ldconfig. 
+ + -- Timo Aaltonen <tjaalton@debian.org> Wed, 27 Jun 2018 14:07:55 +0300 + +sssd (1.16.1-1) unstable; urgency=medium + + * New upstream release. + * common.dirs, common.postinst: Add dir for secrets with correct + permissions. (Closes: #892315) + * common: Add support for Fleet Commander, create deskprofile dir with + correct permissions. + * control: Add libgdm-dev to build-depends to support multiple + certificates. + * control, rules, common.install: Add support for systemtap. + * control: Bump policy to 4.1.3, no changes. + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 13 Mar 2018 11:25:00 +0200 + +sssd (1.16.0-5) unstable; urgency=medium + + * rules: Disable files domain, it's not useful in Debian. (Closes: + #888207) + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 26 Jan 2018 10:42:17 +0200 + +sssd (1.16.0-4) unstable; urgency=medium + + * Revert installing responder service/socket files again. + (Closes: #886483) + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 22 Jan 2018 16:50:14 +0200 + +sssd (1.16.0-3) unstable; urgency=medium + + * Install responder service and socket files again. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 04 Jan 2018 09:55:41 +0200 + +sssd (1.16.0-2) unstable; urgency=medium + + * Enable default config. (Closes: #858968) + * Enable files domain. + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 25 Dec 2017 21:38:26 +0200 + +sssd (1.16.0-1) unstable; urgency=medium + + * New upstream release. + * sysdb-sanitize-search-filter-input.diff: Dropped, upstream. + * sssd-common.install: Add sssd-session-recording.5. + * control: Depend on python3 pkgs by default. (Closes: #883178) + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 20 Dec 2017 11:58:50 +0200 + +sssd (1.15.3-3) unstable; urgency=medium + + * Rebuild against new libldb. (Closes: #880013) + + -- Timo Aaltonen <tjaalton@debian.org> Sun, 29 Oct 2017 09:13:42 +0200 + +sssd (1.15.3-2) unstable; urgency=medium + + * control: Fix libipa-hbac-dev short description. 
+ * generate-config: Update the config template. (Closes: #872787) + * sysdb-sanitize-search-filter-input.diff: Fix CVE-2017-12173. + (Closes: #877885) + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 12 Oct 2017 08:24:51 +0300 + +sssd (1.15.3-1) unstable; urgency=medium + + * New upstream release. + * apparmor-profile: Add chown capability, allow one to notify systemd. + * control: Add libcurl4-gnutls-dev and uuid-dev to build depends. + * Add libsss-certmap{0,-dev} packages. + * Add sssd-kcm. + * rules: Migrate to dh_missing. + * control: Bump policy to 4.0.0, no changes. + * compat, control, rules: Bump debhelper compat to 10, drop --parallel + as it's the default now. + + -- Timo Aaltonen <tjaalton@debian.org> Sat, 29 Jul 2017 11:50:41 +0300 + +sssd (1.15.2-1) unstable; urgency=medium + + * New upstream release. + * control: Demote adcli to sssd-ad suggests. + * rules, common.install: Fix sssd_krb5_locator_plugin install path. + (LP: #1664566) + * control, copyright, watch: Update upstream URLs. + * common.install: Add libsss_files and socket activation helper. + + -- Timo Aaltonen <tjaalton@debian.org> Mon, 20 Mar 2017 15:17:19 +0200 + +sssd (1.15.0-3) unstable; urgency=medium + + * rules, install: Remove responder service and socket files for now, the + sockets weren't supposed to be enabled anyway and can cause issues. + (Closes: #854048) + + -- Timo Aaltonen <tjaalton@debian.org> Sat, 04 Feb 2017 18:34:06 +0200 + +sssd (1.15.0-2) unstable; urgency=medium + + * import-daemon-opts.diff, sssd.default: Drop the patch modifying sssd + service file, and revert the daemon options for sysvinit. + /etc/default/sssd is now only for the initscript (Closes: #852719) + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 26 Jan 2017 21:29:58 +0200 + +sssd (1.15.0-1) unstable; urgency=medium + + * New upstream release. (Closes: #852450) (LP: #1566508) + * Drop upstreamed patches. 
+ * sssd-common.sssd.default, import-daemon-opts.diff: Change default + daemon options to match current upstream. + * sssd-dbus.install: Drop libsss_config, which was removed. + * sssd-{ad,common,dbus}.install: Add systemd service and socket files + for pac, sudo, ssh, autofs, pam, nss and ifp responders. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 25 Jan 2017 22:46:02 +0200 + +sssd (1.14.2-2.1) unstable; urgency=low + + * Non-maintainer upload with maintainer approval. + * ldap-blocking.diff: Fix ldaps connections by removing NON_BLOCKING from + socket options (Closes: 849756). Patch from upstream pull request #67. + + -- Petter Reinholdtsen <pere@debian.org> Tue, 24 Jan 2017 22:26:17 +0000 + +sssd (1.14.2-2) unstable; urgency=medium + + * fix-prefix-substitution.diff: Fix IFP service file path substitution. + (LP: #1652629) + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 17 Jan 2017 16:39:14 +0200 + +sssd (1.14.2-1) unstable; urgency=medium + + * New upstream release. + * control: Add adcli to sssd-ad Recommends. (LP: #1590471) + * accept-krb5-1.15.diff: Allow building PAC responder with MIT krb5 + 1.15. (Closes: #843385) + * common.install: Add sssd-secrets manpage. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 16 Nov 2016 10:47:15 +0200 + +sssd (1.14.1-1) unstable; urgency=medium + + * New upstream release. + * ipa-terminate-if-view-name-fails.diff, + gpo-add-unity-to-ad-gpo-map-interactive.diff: + Dropped, upstream. + * sssd-common.dirs: Add etc/sssd/conf.d for config snippets. + * control: Add libhttp-parser-dev and libjansson-dev to build-deps. + * sssd-tools.install: Add sssctl. + * sssd-common.install: Add sssd-secrets and winbind idmap plugin. + * Drop the upstart job, it was only shipped on Ubuntu which has + switched to systemd. + * rules, default, import-daemon-opts.diff: Import daemon options from + default/sssd also with systemd. (LP: #1587395) + * rules: Don't install a default config file. 
+ + -- Timo Aaltonen <tjaalton@debian.org> Wed, 05 Oct 2016 14:20:37 +0300 + +sssd (1.13.4-3) unstable; urgency=medium + + * common: Add /var/lib/sss/gpo_cache. (LP: #1579092) + * gpo-add-unity-to-ad-gpo-map-interactive.diff: Allow logging in from + unity lockscreen. (LP: #1578415) + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 10 May 2016 10:39:46 +0300 + +sssd (1.13.4-2) unstable; urgency=medium + + * ipa-terminate-if-view-name-fails.diff: Fix support for older IPA + servers. (LP: #1572582) + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 20 Apr 2016 16:55:24 +0300 + +sssd (1.13.4-1) unstable; urgency=medium + + * New upstream release. + * apparmor-profile: Fixed and tidied. + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 30 Mar 2016 19:31:33 +0300 + +sssd (1.13.3-1) unstable; urgency=medium + + * New upstream release. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 17 Dec 2015 13:27:11 +0200 + +sssd (1.13.2-1) unstable; urgency=medium + + * New upstream release. + * patches: Removed fix-obsolete-target.diff, fix-python-modules.diff, + both upstream now. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 03 Dec 2015 21:14:29 +0200 + +sssd (1.13.1-2) unstable; urgency=medium + + * apparmor: Fix access to krb5.include.d. (LP: #1489378) + * {krb5-common,proxy}.postinst: Chmod the correct files. (Closes: + #801537, #801538) + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 13 Oct 2015 16:55:47 +0300 + +sssd (1.13.1-1) unstable; urgency=medium + + * New upstream release. + * {common,ipa,krb5,proxy}.postinst: Create a sssd system user & group, + and migrate various bits to their ownership. + * Add sssd-dbus to libsss-simpleifp0 Depends. + * ipa: Add /var/lib/sss/keytabs. + * common: Add PEM/DER conversion library. + * Add support for python3 modules. + * tools: Add sss_override. + * common: Add p11_child. + * ad: Drop libsss_ad_common, it was for tests only and not shipped + anymore. 
+ * common: Move libsss_krb5_common here from sssd-krb5-common to satisfy + libsss_ldap_common depending on it. + * libsystemd.diff: Dropped, fixed upstream. + * fix-python-modules.diff: Don't add symlinks to python modules, + rename the built modules instead. + * rules, postinst: Avoid running dpkg-architecture in postinst and + instead mangle them in post-dh_installdeb. + * common: Add depends on adduser. + + -- Timo Aaltonen <tjaalton@debian.org> Sat, 03 Oct 2015 08:38:29 +0300 + +sssd (1.12.5-3) unstable; urgency=medium + + * sssd-common.postinst: Drop removing the old logrotate file, handle + it in sssd.maintscript instead. (Closes: #794332) + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 08 Sep 2015 22:47:08 +0300 + +sssd (1.12.5-2) unstable; urgency=medium + + * sssd-common.postinst: Remove duplicate logrotate file on update. + (LP: #1249772) + * control, libsystemd.diff: Transition to libsystemd, thanks Michael + Biebl! (Closes: #791909) + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 21 Jul 2015 15:04:25 +0300 + +sssd (1.12.5-1) unstable; urgency=medium + + * New upstream release. + * Let uscan verify upstream tarballs. + * control: Bump policy to 3.9.6, no changes. + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 12 Jun 2015 22:36:52 +0300 + +sssd (1.12.4-1) experimental; urgency=medium + + * New upstream release. + * apparmor-profile: Updated. (LP: #1421110) + * control: Add new build-depends; cifs-utils, libaugeas-dev, + libnfsidmap-dev, libsmbclient-dev, systemd. + * control, .install: Add libwbclient-sssd{,-dev}. + * control, .install: Add libsss-simpleifp{0,-dev}. + * fix-automake-compat.diff, fix-catchchild.diff: Dropped, upstream. + * rules: Use max-parallel=1 for dh_auto_install. + * sssd-common.install: Add files for NFS v4 client. + * sssd-ad.install: Add new files. + * sssd-ipa.install: Add selinux_child. + * sssd-dbus: Add libsss_config.so. + * sssd-common: Add cifs idmap plugin, semanage library and krb5 + localauth plugin. 
+ * rules: Add a placeholder to not modify permissions of + {krb5,ldap,selinux}_child. + * control: Add libsystemd-login-dev to build-depends. + * control: Add libnss-wrapper and libuid-wrapper to build-depends. + * rules: Use automake native verbosity for tests, and bump + CK_TIMEOUT_MULTIPLIER. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 09 Apr 2015 23:56:01 +0300 + +sssd (1.11.7-3) unstable; urgency=medium + + * libsss-sudo.postrm: Delete sudoers line from nsswitch.conf, if only + files source left. (Closes: #749722) + * libsss-sudo.postinst: Fix comments. + * libsss-sudo.postinst: Check nsswitch sudoers entry unconditionally, + so that it is added on upgrade too if missing. + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 16 Jan 2015 13:53:22 +0200 + +sssd (1.11.7-2) unstable; urgency=medium + + * default, upstart.in: Upstream ticket #2312 is fixed now, so drop the + workaround to run the daemon in the foreground. (Closes: #760353) + * fix-automake-compat.diff: Added an upstream commit to fix configure + with new automake. + * fix-catchchild.diff: Fix build failure with samba 4.1.13, bump + samba-dev build-dependency to match. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 30 Oct 2014 14:49:05 +0200 + +sssd (1.11.7-1) unstable; urgency=medium + + * New upstream release. + * sssd-common.install, sssd-dbus.install: Add new sss_signal helper + and the dbus service using it. + * fix-obsolete-target.diff: Drop syslog.target from the service file. + * libnss-sss.post*: Add sss entry to shadow and services on + nsswitch.conf. (Closes: #761173) + + -- Timo Aaltonen <tjaalton@debian.org> Wed, 24 Sep 2014 07:08:04 +0300 + +sssd (1.11.6-1) unstable; urgency=medium + + * New upstream release. + * control: Update my email. + * control: Update vcs urls. + * libnss-sss.postrm: Check DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT before + removing sss entry from nsswitch.conf. 
(Closes: #748671) + * libpam-sss.prerm: Check DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT before + running pam-auth-update --remove. + * control: Mark libkeyutils-dev, libselinux-dev, libsemanage-dev, + libnl*-dev build-deps as linux-any, as a preliminary step to build + on kfreebsd-*. + * Run wrap-and-sort. + * sssd-dbus: Add a new subpackage for the D-Bus responder. + * control: Demote libsasl2-modules-ldap to Suggests for sssd-ldap. + * generate-config: Bring it back for convenience, but don't run it on + postinst. + * sssd-common.postinst: Remove obsolete config upgrade. + + -- Timo Aaltonen <tjaalton@debian.org> Tue, 19 Aug 2014 09:15:13 +0300 + +sssd (1.11.5.1-2) unstable; urgency=medium + + * control: Drop libcmocka-dev and check from build-depends again so + that the package will build on every arch. Test failures will be + fixed in a future upload. + + -- Timo Aaltonen <tjaalton@debian.org> Thu, 14 Aug 2014 02:22:57 +0300 + +sssd (1.11.5.1-1) unstable; urgency=medium + + [ Stéphane Graber ] + * Fix upstart job to provide a proper stdin for sssd. + * Update defaults to always pass -i. + + [ Timo Aaltonen ] + * New upstream release. (Closes: #745664) + * control: Bump libkrb5-dev build-dependency to 1.12 due to the OTP + features. + + -- Timo Aaltonen <tjaalton@ubuntu.com> Fri, 09 May 2014 14:50:12 +0300 + +sssd (1.11.5-1) unstable; urgency=medium + + * New upstream bugfix release. (Closes: #729982) + * upstart: Run the daemon in foreground and drop expect fork from the + job, should fix issues with upstart getting confused when a backend + fails to start. + + -- Timo Aaltonen <tjaalton@ubuntu.com> Tue, 08 Apr 2014 23:39:20 +0300 + +sssd (1.11.4-1) unstable; urgency=low + + * New upstream release. + * control, rules: Add libcmocka-dev and re-add check to build-depends. + Override dh_auto_test so that it shows the test error log if they fail. + * rules: Fix the manpage date handling with a bigger hammer, and + enable it for all manpages not just pam_sss.8. 
(Closes: #734083) + * Drop an obsolete lintian override from libsss-sudo. + + -- Timo Aaltonen <tjaalton@ubuntu.com> Fri, 21 Mar 2014 13:28:38 +0200 + +sssd (1.11.3-1) unstable; urgency=low + + * New upstream release. + * control: Update policy to 3.9.5, no changes. + + -- Timo Aaltonen <tjaalton@ubuntu.com> Fri, 03 Jan 2014 00:01:29 +0200 + +sssd (1.11.2-1) unstable; urgency=low + + * New upstream release. + * rules, sssd-common.install: Use the correct path for the systemd + service file. + * control: Build depend on libpam0g-dev | libpam-dev. + + -- Timo Aaltonen <tjaalton@ubuntu.com> Tue, 19 Nov 2013 15:22:27 +0200 + +sssd (1.11.1-1) unstable; urgency=low + + * New upstream release. + * sssd-common.postinst, generate-config: Don't create a config on install, + drop generate-config. (Closes: #717587) + * sssd-common.postrm: Remove /etc/apparmor.d too, if empty. + * control, rules, sssd-common.install: Install the systemd service + file provided by upstream. + * control: Drop M-A: foreign from sssd-* and add back to sssd instead. + * control: Don't hardcode 'multiarch-support'. + * control: Drop unnecessary multiarch declarations. + * control: Drop obsolete Breaks/Conflicts. + * rules: Enable parallel build. + * control: Add libltdl-dev to build-depends. + * control: Prepare for new unified samba package, adjust build- + dependencies. Thanks, Ivo De Decker! (Closes: #725992) + + -- Timo Aaltonen <tjaalton@ubuntu.com> Tue, 06 Aug 2013 17:04:28 +0300 + +sssd (1.10.0-1) unstable; urgency=low + + [ Timo Aaltonen ] + * New upstream release (Closes: #693054, #705357, #711101) + * Update the packaging for the new version, thanks Esko Järnfors! + - Add libsss-idmap0, libsss-idmap-dev packages + - Add sssd Depends on libsss-idmap0 + - Add /var/lib/sss/mc directory for the new mmap cache + * Split authentication providers to separate packages and make sssd + a metapackage. + * control: Drop libunistring-dev from build-depends and add libglib2.0-dev + for unicode support. 
+ * sssd-*.install: Install new manpages. + * python-sss.install: py-files got moved under SSSDConfig. + * control, rules: Use default build flags, bump dpkg-dev build-dep to + 1.16.1~. + * rules: Install the apparmor profile with -m644. + * python-sss: Add pysss_murmur.so. + * rules, control, sssd-ad-common.install: PAC responder support. + - Add libndr-dev, libndr-standard-dev, libsamba-util-dev, samba4-dev, + libdcerpc-dev to build-depends + - Add -I/usr/include/samba-4.0 to CFLAGS + * control: Mark sssd-common as Multi-Arch: foreign. + * watch: Add a comment about the upstream git tree. + * Replace perl snippet from libnss-sss.post* with sed, drop perl from + Depends. (Closes: #686237) + * compat: Bump compat to 9. + * rules: Set DEB_HOST_MULTIARCH, drop --libdir and remnants of cdbs. + * sssd-common.install: Install the support binaries under the multiarch path. + * rules,sssd-common.postinst: Move generate-config to /usr/share/sssd. + * rules, sssd-common.install: Use the correct install path for the + krb5_locator plugin. + * libnss-sss.postinst: SSSD doesn't handle shadow maps, so don't pretend + that it would. + * libsss-sudo*, control: Remove the soname from the library, move .so to + the libsss-sudo, drop -dev package. + * rules: Pass --datadir, so the path in autogenerated python files is + correctly substituted. (LP: #1079938) + * sssd-krb5-common.dirs: Add krb5 include dir. + * fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream. + * libsss-sudo.postrm: Run ldconfig on remove/purge. + * apparmor-profile: Fix the profile to use the multiarch path for it's + helper location (LP: #1175317). + * Add packaging for libsss-nss-idmap0, libsss-nss-idmap-dev, + python-libsss-nss-idmap. + * watch: Updated to work with alpha/beta releases. + * control: Migrate to libnl-3 now that it's supported. 
(Closes: #688174) + * sssd-common.{preinst,postrm}: Install the apparmor profile in force-complain + mode on install, and remove the profile directory on purge (if empty). Also + migrate from previous setup which installed it as disabled. + (Closes: #676140) + * control: Bump policy to 3.9.4, no changes. + * control: Add libpam-pwquality (>= 1.2.2-1) to libpam-sss depends, which + makes the password stack work in all cases. (LP: #1159983) + * control: Drop check from build-depends for now, to work around a linking bug + in check (#712140) that makes the tests fail on (at least) i386. + + [ Stéphane Graber ] + * Add postinst/postrm script for libsss-sudo. Those will add a "sudoers" + entry to /etc/nsswitch.conf upon first installation of the package and + will then take care of adding/removing sss from the stack as required. + * Set CK_DEFAULT_TIMEOUT to 30 so that slower buildds (armhf at least) can + run the tests without hitting the default 4s timeout. + + -- Timo Aaltonen <tjaalton@ubuntu.com> Fri, 05 Jul 2013 14:53:06 +0300 + +sssd (1.8.4-2) unstable; urgency=low + + * fix-cve-2013-0219-1.diff, fix-cve-2013-0219-2.diff, + fix-cve-2013-0220.diff: Upstream commits from the stable tree to fix + recent CVE reports. (Closes: #698871) + + -- Timo Aaltonen <tjaalton@ubuntu.com> Wed, 27 Feb 2013 23:38:28 +0200 + +sssd (1.8.4-1) unstable; urgency=low + + * New upstream bugfix release 1.8.2. + - Several fixes to case-insensitive domain functions + - Fix for GSSAPI binds when the keytab contains unrelated + principals + - Fixed several segfaults + - Workarounds added for LDAP servers with unreadable RootDSE + - SSH knownhostproxy will no longer enter an infinite loop + preventing login + - The provided SYSV init script now starts SSSD earlier at startup + and stops it later during shutdown + - Assorted minor fixes for issues discovered by static analysis + tools + * New upstream bugfix release 1.8.3. 
+ - Numerous manpage and translation updates + - LDAP: Handle situations where the RootDSE isn't available anonymously + - LDAP: Fix regression for users using non-standard LDAP attributes for + user information + * New upstream bugfix release 1.8.4. (LP: #981125, #985031) + - Fix a bug causing AD servers not to fail over properly when the KDC + on the primary server is down + - Fix an endianness bug on big-endian systems when looking up services + - Fix a segfault dealing with nested groups (LP: #981125) + - Make the nowait cache updates work for netgroups + - Fix a regression that broke domains with use_fully_qualified_names = True + (LP: #985031) + * control: Move the dependency of libsasl2-modules-gssapi-mit to + Recommends. + * control: sssd works with Heimdal gssapi modules too, add + libsasl2-modules-gssapi-mit as an option for the Recommends. + (LP: #966146) + * libpam-sss.pam-auth-update: + - Drop the dependency to 128, since pam_sss should always be below + pam_unix. (LP: #957486) + - Drop 'use_authtok' from the password stack, since it only works when + pam_cracklib is installed. This will allow password changes on the + default install. + * sssd.postrm: Try to remove /etc/sssd only if it exists. + (Closes: #666226) + * Add disabled by default Apparmor profile (LP: #933342) + - debian/sssd.upstart.in: load the profile during pre-start + - add debian/apparmor-profile, install to /etc/apparmor.d + - debian/rules: use dh_apparmor to install profile before sssd is + restarted + - debian/control: sssd Suggests apparmor (>= 2.3) + - debian/control: Add dh-apparmor to build-depends + - debian/sssd.preinst: disable profile on clean install or upgrades + from earlier than when we shipped the profile + * rules: Mangle the date stamp on pam_sss.8 so that the compressed file is + identical across all archs. (Closes: #670019) + * control: Add build-depends on libnl-dev to enable Netlink support. 
+ * control: Add build-depends on libkeyutil-dev to enable support for + kernel keyring manipulation. + * sssd.logrotate: Rotate logs weekly, keep four previous rotations. + (Closes: #672984) + * sssd.upstart.in: Delete an invisible control character from the pre-start + script. (LP: #1003845) + + -- Timo Aaltonen <tjaalton@ubuntu.com> Fri, 01 Jun 2012 11:43:42 +0300 + +sssd (1.8.1-1) unstable; urgency=low + + * New maintainer, Debian SSSD Team. (Closes: #660985) + + [ Timo Aaltonen ] + * New upstream release (1.8.1) (Closes: #647980, #624194, #639965) + - Support for the service map in NSS + - Support for setting default SELinux user context from FreeIPA + - Support for retrieving SSH user and host keys from LDAP (Experimental) + - Support for caching autofs LDAP requests (Experimental) + - Support for caching SUDO rules (Experimental) + * Update build-deps: + - Add libunistring-dev, libdhash-dev, libcollection-dev and + libini-config-dev. + - Add check for unit tests. + - Drop cvs and python-central. + - Migrate to dh, drop cdbs build-dep, add quilt, dh-autoreconf and + autopoint to build-deps. + * Add new packages: + - libipa-hbac0, libipa-hbac-dev, libsss-sudo0, libsss-sudo-dev, + and python-libipa-hbac. + - Split sssd-tools: add Breaks/Replaces sssd (<< 1.8.0~beta3-1) and + add to sssd Suggests + * Drop patch to ensure LDAP authentication never accept a zero + length password, which is now included upstream. + * sssd.upstart.ubuntu: + - Don't start before net-device-up. (LP: 812943) + - Source /etc/default/sssd. (LP: 812943) + * sssd.default: Added a file to include the sssd daemon defaults, + currently has '-D -f'. + * sssd.init: Drop separate OPTIONS, '-D' comes from /etc/default/sssd + now.. + * rules: Install the Python API files to /usr/share/sssd, as discussed + with upstream. (LP: 859611) + * fix-python-api-path.dpatch: Use the new location for the API files. 
+ (LP: 859611) + * libpam-sss.pam-auth-update: + - Add 'forward_pass' to auth stack to fix ecryptfs mounts. (LP: 826643) + - Add pam_localuser.so to account stack to allow local users to log in. + (LP: 860488) + * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is + mostly useless without them. (LP: 767337) + * control, compat: Bump debhelper build-dep and compat level to 8. + * Switch patch-system to quilt. + * Do not install a working config file by default. The local domain + definition was broken (upstream #1014). The daemon will need to be + configured by other means before it's usable. + * Add support for Multi-Arch (Closes: #634123). + * Remove unnecessary libnss-sss.links. + * libnss-sss.overrides: Add an override for + "package-name-doesnt-match-sonames". + * Determine the used init system during build, add lsb-release to + build-deps. Default to sysvinit, use upstart if Ubuntu. + * sssd.upstart.in: Test if the config file exists, and exit if not. + * Fail gracefully if invoke-rc.d returns an error on postinst/prerm, like + when the daemon fails to start when there is no config file. + * sssd.init.in: Check that /etc/default/sssd is a real file before sourcing + it (Closes: #587895). + * control: Add libsasl2-modules-gssapi-mit and libsasl2-modules-ldap to + Recommends for sssd. + * rules: Move the rule for purging .la files before dh_install + (Closes: #633206). + * sssd.install: Fix the wildcard for plugins to include .so symlinks. + * rules: Add configure flags + - Disable RPATH + - Disable building static libs + - Enable ssh user and host key retrieval, autofs request + and sudo rules caching. The respective packages need to add support + for these to be useful. + * Drop fix-python-api-path.patch, included upstream. + * sssd.examples: Install the renamed example config. + * rules: Drop special handling of the sssd.api.d, upstream uses + the proper path now. + * rules: Add --fail-missing to dh_install. + * sssd.install: Add new files. 
+ * libpam-sss.install, control: Move pam_sss.8 to the correct package, + add Breaks/Replaces. + * rules: Remove some files we don't want to install, to make dh_install + happy. + * rules: Clean po/*.gmo, po/stamp-po and *.pyc. + * Install lintian overrides using dh_lintian. + * {sssd,libnss-sss}.lintian-overrides: Update. + * Move libsasl2-modules-gssapi to sssd Depends to make sure it gets + installed, as it's needed in most cases. + * control: Update maintainer address and repo location. + * control: Bump the Standards-Version to 3.9.3, no changes. + * control: Bump the debhelper build-dep to 9. + * control: Add ${misc:Depends} to libipa-hbac*, libsss-sudo*. + * control, rules: Migrate to dh_python2 (Closes: #617071). + * control: Add myself to uploaders. + + [ Petter Reinholdtsen ] + * New upstream version 1.2.4: + - Resolves long-standing issues related to group processing with + RFC2307bis LDAP servers. + - Fixed bugs in RFC2307bis group memberships related to initgroups + (Closes: #595564). + - Fix tight-loop bug on systems with older OpenLDAP client + libraries (such as Red Hat Enterprise Linux 5) + * New Upstream Version 1.2.3: + - Resolves CVE-2010-2940. + * New Upstream Version 1.2.2: + - The LDAP provider no longer requires access to the LDAP + RootDSE. If it is unavailable, we will continue on with our best + guess. + - The LDAP provider will now log issues with TLS and GSSAPI to the + syslog. + - Significant performance improvement when performing initgroups + on users who are members of large groups in LDAP. + - The sss_client will now reconnect properly to the SSSD if the + daemon is restarted. + * This resolves an issue causing GDM to crash when logging out + of a user after the SSSD had been restarted. + * Correct package description for python-sss (Closes: #596215). + * Update Standards-Version from 3.8.4 to 3.9.1. No changes needed. 
+ + [ Stéphane Graber ] + * Fix prerm invoke_failure hook to simply return as empty functions + are invalid shell syntax. + + -- Timo Aaltonen <tjaalton@ubuntu.com> Thu, 22 Mar 2012 13:28:27 +0200 + +sssd (1.2.1-4.4) unstable; urgency=low + + * Non-maintainer upload. + * Fix FTBFS with -Werror=format-security. Thanks Philippe De Swert for patch. + (Closes: #643806). + + -- Hector Oron <zumbi@debian.org> Sun, 19 Feb 2012 19:33:04 +0000 + +sssd (1.2.1-4.3) unstable; urgency=medium + + * Non-maintainer upload. + * Adjust install path to consider GNU triplet (Closes: #640626). + + -- Luca Falavigna <dktrkranz@debian.org> Tue, 20 Sep 2011 20:02:34 +0200 + +sssd (1.2.1-4.2) unstable; urgency=low + + * Non-maintainer upload. + * debian/sssd.install + - updated location for ldb modules; Closes: #618159 + + -- Sandro Tosi <morph@debian.org> Fri, 03 Jun 2011 23:53:59 +0200 + +sssd (1.2.1-4.1) unstable; urgency=medium + + * Non-maintainer upload by the Security Team + * Fix CVE-2010-4341 (Closes: #610032) + + -- Moritz Muehlenhoff <jmm@debian.org> Tue, 25 Jan 2011 22:09:21 +0100 + +sssd (1.2.1-4) unstable; urgency=low + + * Add patch from Stephen Gallagher to ensure LDAP authentication + never accept a zero length password (Closes: #594413). Solves + CVE-2010-2940. + + -- Petter Reinholdtsen <pere@debian.org> Wed, 25 Aug 2010 22:33:40 +0200 + +sssd (1.2.1-3) unstable; urgency=low + + [ Petter Reinholdtsen ] + * Look for /etc/default/sssd, not /etc/defaults/sssd in init.d + script (Closes: #588252). + * Make sssd.conf generation more robust, and make sure missing SRV + records are ignored and not handled as host names. + * Add code in generate-config to look up Kerberos realm using + _kerberos TXT record in DNS if it exist. + * Recommend bind9-host used by generate-config for SRV and TXT + lookups. + + [ Morten Werner Forsbring ] + * Check if /etc/default/sssd is a file and executable, not a directory, + before sourcing in init-script. Thanks to lintian. 
+ + -- Morten Werner Forsbring <werner@debian.org> Thu, 12 Aug 2010 16:31:14 +0200 + +sssd (1.2.1-2) unstable; urgency=low + + * Make sure init.d script sources /etc/default/sssd (Closes: #588252). + * Drop /etc/default/sssd from package, to avoid conffile question + from dpkg during upgrades. + * Make sure to only remove obsolete sssd conffiles on upgrades, not + on first time installation. + * Add new script generate-config and call it from the sssd postinst + during first time installation to try to generate the sssd.conf + file dynamically for LDAP and Kerberos using DNS entries, and fall + back to the static example configuration if this fail. + * Let sssd suggest libnss-sss and libpam-sss, to make those + installing sssd aware of the other packages. + * Add netgroup to nsswitch.conf entries added at first time + installation, to make sure those installing now get working + netgroups when sssd get netgroup support + * Let sssd recommend ldap-utils as ldapsearch is used for generating + the configuration. + + -- Petter Reinholdtsen <pere@debian.org> Fri, 06 Aug 2010 23:44:26 +0200 + +sssd (1.2.1-1) unstable; urgency=low + + [ Petter Reinholdtsen ] + * Move calls to pam-auth-update from the package scripts in sssd to + libpam-sss, and correct prerm call to remove the correct pam config. + Add versioned dependency on libpam-runtime to make sure + pam-auth-update is available. + * Add code to the postinst and postrm of libnss-sss to update + passwd, group and shadow entries in /etc/nsswitch.conf. + * Make sure init.d/sssd start after $named, to ensure it can look up + in DNS also when the DNS server is on the local machine. + + [ Morten Werner Forsbring ] + * New upstream release. + + -- Morten Werner Forsbring <werner@debian.org> Thu, 24 Jun 2010 14:16:30 +0200 + +sssd (1.2.0-1) unstable; urgency=low + + [ Petter Reinholdtsen ] + * New upstream release. + - Add libsemanage1-dev as build dependency, as it is now required. 
+ - Drop python-build-with-deb-layout.dpatch, now handled upstream. + - Adjust provide-default-working-sssd-config-file.dpatch to + work with new package source layout and config file content. + - Adjust build rules to cope with server/ changing to src/ in the + source tarball. + - Add --enable-krb5-locator-plugin to keep building the plugin. + * Change the pam-auth-update configuration to make the session + script optional instead of sufficient, to make sure the other + session modules are executed too. + * Change initial pam password entry from requisite to sufficient, + to make sure local users can have their password set even if + sssd is enabled. + * Rename pam-configs/sssd to pam-configs/sss, to have a name that + is consistent with the package name libpam-sss. + * Add VCS links to the GIT repository. + * Move configuration API documentation from /etc/sssd/ to + /usr/share/doc/sssd/. It is not configuration and do not belong + in /etc/. + * Drop autoconf, automake, libtool, m4 and autotools-dev from + build-depends. There is no need to regenerate the build files any + more. + + [ Morten Werner Forsbring ] + * Add dnsutils as build-dependency. + + -- Morten Werner Forsbring <werner@debian.org> Tue, 01 Jun 2010 20:41:59 +0200 + +sssd (1.0.5-1) unstable; urgency=low + + * Initial upload based on package from Ubuntu (Closes: #579593). + * Update standards-version from 3.8.3 to 3.8.4. No changes needed. + * Add init.d script and rename sssd.upstart to sssd.upstart.ubuntu + to make sure init.d script is installed instead of upstart job. + * Add draft pam-auth-update configuration based on proposals in + Launcepad bug #557398. + * Update address to FSF in copyright file. Thanks lintian. + * Set section for python-sss to python after advice from lintian. + * Rewrite python-build-with-deb-layout.dpatch to patch Makefile.in + instead of Makefile.am, to avoid having to run autoreconf. + * Make sssd depend on python for its upgrade script. 
+ * Extend clean rule to remove generated file server/config/.files. + * Make sure sssd.api.conf is installed into the sssd package, and + put it in /etc/sssd/sssd.api.conf. Fixes typo in Ubuntu package. + + -- Petter Reinholdtsen <pere@debian.org> Wed, 05 May 2010 21:53:29 +0200 + +sssd (1.0.5-0ubuntu1) lucid; urgency=low + + * New upstream bugfix release. (LP: #510290) + * sssd.dirs: Add /var/lib/sss/pubconf (LP: #557394) + + -- Timo Aaltonen <tjaalton@ubuntu.com> Fri, 16 Apr 2010 11:37:16 +0300 + +sssd (1.0.2-0ubuntu2) lucid; urgency=low + + * No change rebuild due to libldb downgrade + + -- Scott Kitterman <scott@kitterman.com> Fri, 02 Apr 2010 17:48:19 -0400 + +sssd (1.0.2-0ubuntu1) lucid; urgency=low + + * New upstream release (LP: #473262): + - python API for managing sssd daemon configuration and + native SSSD users. + - support for asynchronous cache refreshes. + - support password changing in LDAP and Kerberos providers. + - support for server failover. + * debian/control: + - update tdb build dependency to use libtdb-dev. + - add libselinux1-dev and libsasl2-dev build dependencies. + * debian/sssd.upstart: replace init script with an upstart job. + * Turn sssd.conf into a configuration file. + * Create sssd log directory. + + -- Mathias Gug <mathiaz@ubuntu.com> Tue, 19 Jan 2010 15:17:13 -0500 + +sssd (0.5.0-0ubuntu2) karmic; urgency=low + + * debian/libnss-sss.overrides, debian/sssd.overrides: + + Fix linitian errors and warnings (LP: #425697): + sssd ships an nss library - these are false-positives. + * debian/fix-dbus-watch.dpatch: Update dbus-patch to final + upstream version. + * debian/fix-proxy-segfault.dpatch: Fix proxy enumeration. + + -- Mathias Gug <mathiaz@ubuntu.com> Wed, 09 Sep 2009 20:21:04 -0400 + +sssd (0.5.0-0ubuntu1) karmic; urgency=low + + * Initial release. + + -- Mathias Gug <mathiaz@ubuntu.com> Mon, 24 Aug 2009 16:35:11 -0400 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..52ab47c --- /dev/null 
+++ b/debian/control 
@@ -0,0 +1,415 @@
+Source: sssd
+Section: utils
+Priority: optional
+Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
+Uploaders: Timo Aaltonen <tjaalton@debian.org>,
+ Dominik George <natureshadow@debian.org>
+Build-Depends:
+ autopoint,
+ bc,
+ check <!nocheck>,
+ cifs-utils,
+ debhelper-compat (= 13),
+ dh-apparmor,
+ dh-python,
+ dh-sequence-installnss,
+ bind9-dnsutils,
+ docbook-xml,
+ docbook-xsl,
+ dpkg-dev (>= 1.16.1~),
+ faketime <!nocheck>,
+ gnutls-bin <!nocheck>,
+ krb5-config,
+ ldap-utils,
+ libaugeas-dev,
+ libc-ares-dev,
+ libcmocka-dev <!nocheck>,
+ libcollection-dev,
+ libcurl4-openssl-dev,
+ libdbus-1-dev,
+ libdhash-dev,
+ libfido2-dev,
+ libgdm-dev [!s390x !kfreebsd-any !hurd-any],
+ libglib2.0-dev,
+ libini-config-dev,
+ libjansson-dev,
+ libjose-dev,
+ libkeyutils-dev [linux-any],
+ libkrad-dev,
+ libkrb5-dev (>= 1.12),
+ libldap2-dev,
+ libldb-dev,
+ libltdl-dev,
+ libnfsidmap-dev,
+ libnl-3-dev [linux-any],
+ libnl-route-3-dev [linux-any],
+ libnss-wrapper <!nocheck>,
+ libp11-kit-dev,
+ libpam-wrapper <!nocheck>,
+ libpam0g-dev | libpam-dev,
+ libpcre2-dev,
+ libpopt-dev,
+ libsasl2-dev,
+ libselinux1-dev [linux-any],
+ libsemanage-dev [linux-any],
+ libsmbclient-dev,
+ libssl-dev,
+ libsubid-dev,
+ libsystemd-dev [linux-any],
+ libtalloc-dev,
+ libtdb-dev,
+ libtevent-dev,
+ libuid-wrapper <!nocheck>,
+ libunistring-dev,
+ libxml2-utils,
+ lsb-release,
+ openssh-client <!nocheck>,
+ openssl <!nocheck>,
+ pkgconf,
+ python3-dev,
+ python3-setuptools,
+ samba-dev (>= 2:4.1.13),
+ softhsm2 <!nocheck>,
+ systemd-dev,
+ systemtap-sdt-dev,
+ uuid-dev,
+ xml-core,
+ xsltproc
+Standards-Version: 4.4.0
+Vcs-Git: https://salsa.debian.org/sssd-team/sssd.git
+Vcs-Browser: https://salsa.debian.org/sssd-team/sssd
+Homepage: https://github.com/SSSD/sssd
+
+Package: sssd
+Section: metapackages
+Architecture: any
+Multi-Arch: foreign
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ python3-sss (= ${binary:Version}),
+ sssd-ad (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-ipa (= ${binary:Version}),
+ sssd-krb5 (= ${binary:Version}),
+ sssd-ldap (= ${binary:Version}),
+ sssd-proxy (= ${binary:Version}),
+ ${misc:Depends}
+Description: System Security Services Daemon -- metapackage
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package is a metapackage which installs the daemon and existing
+ authentication back ends.
+
+Package: sssd-common
+Architecture: any
+Depends:
+ libnss-sss (= ${binary:Version}),
+ libpam-sss (= ${binary:Version}),
+ python3,
+ python3-sss,
+ ${misc:Depends},
+ ${shlibs:Depends},
+ adduser,
+Recommends:
+ bind9-dnsutils,
+ bind9-host,
+Suggests:
+ apparmor,
+ libsss-sudo,
+ sssd-tools
+Description: System Security Services Daemon -- common files
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provides the daemon and other common files needed by the
+ authentication back ends.
+
+Package: sssd-ad
+Architecture: any
+Depends:
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-ad-common (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Suggests:
+ adcli,
+Description: System Security Services Daemon -- Active Directory back end
+ Provides the Active Directory back end that the SSSD can utilize to fetch
+ identity data from and authenticate against an Active Directory server.
+
+Package: sssd-ad-common
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: System Security Services Daemon -- PAC responder
+ Provides the PAC responder that the AD and IPA backends can use for
+ fetching additional attributes from the kerberos ticket.
+
+Package: sssd-dbus
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: System Security Services Daemon -- D-Bus responder
+ Provides the D-Bus responder called InfoPipe, that allows the information
+ from the SSSD to be transmitted over the system bus.
+
+Package: sssd-idp
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: System Security Services Daemon -- Kerberos plugins for external id providers
+ Provides Kerberos plugins that are required to enable authentication against
+ external identity providers.
+
+Package: sssd-ipa
+Architecture: any
+Depends:
+ libipa-hbac0 (= ${binary:Version}),
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-ad-common (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: System Security Services Daemon -- IPA back end
+ Provides the IPA back end that the SSSD can utilize to fetch identity data
+ from and authenticate against an IPA server.
+
+Package: sssd-kcm
+Architecture: any
+Depends:
+ sssd-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: System Security Services Daemon -- Kerberos KCM server implementation
+ Provides an implementation of a Kerberos KCM server. Use this package if
+ you want to use the KCM: Kerberos credentials cache.
+
+Package: sssd-krb5
+Architecture: any
+Depends:
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Breaks: sssd-common (<< 2.7.0-1)
+Replaces: sssd-common (<< 2.7.0-1)
+Description: System Security Services Daemon -- Kerberos back end
+ Provides the Kerberos back end that the SSSD can utilize authenticate
+ against a Kerberos server.
+
+Package: sssd-krb5-common
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Recommends: libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
+Description: System Security Services Daemon -- Kerberos helpers
+ Provides helper processes that the LDAP and Kerberos back ends can use for
+ Kerberos user or host authentication.
+
+Package: sssd-ldap
+Architecture: any
+Depends:
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Recommends: ldap-utils
+Suggests: libsasl2-modules-ldap
+Description: System Security Services Daemon -- LDAP back end
+ Provides the LDAP back end that the SSSD can utilize to fetch identity data
+ from and authenticate against an LDAP server.
+
+Package: sssd-passkey
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: System Security Services Daemon -- passkey helpers and plugins
+ Provides the helper processes and Kerberos plugins that are required to
+ enable authentication with a passkey token.
+
+Package: sssd-proxy
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: System Security Services Daemon -- proxy back end
+ Provides the proxy back end which can be used to wrap an existing NSS and/or
+ PAM modules to leverage SSSD caching.
+
+Package: sssd-tools
+Architecture: any
+Depends:
+ python3,
+ python3-sss,
+ python3-systemd,
+ sssd-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Recommends: sssd-dbus
+Description: System Security Services Daemon -- tools
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provides tools to manage users, groups and nested groups when
+ using the local id provider.
+
+Package: libnss-sss
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Recommends: sssd
+Multi-Arch: same
+Description: Nss library for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide the nss library to connect to the sssd daemon.
+
+Package: libpam-sss
+Architecture: any
+Depends:
+ libpam-pwquality (>= 1.2.2-1),
+ libpam-runtime (>= 1.0.1-6),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Recommends: sssd
+Multi-Arch: same
+Description: Pam module for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide the pam module to connect to the sssd daemon.
+
+Package: libipa-hbac0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: FreeIPA HBAC Evaluator library
+ Utility library to validate FreeIPA HBAC rules for authorization requests.
+
+Package: libipa-hbac-dev
+Section: libdevel
+Architecture: any
+Depends: libipa-hbac0 (= ${binary:Version}), ${misc:Depends}
+Description: FreeIPA HBAC Evaluator library -- development files
+ Utility library to validate FreeIPA HBAC rules for authorization requests.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libipa-hbac library.
+
+Package: libsss-certmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends},
+Description: Certificate mapping library for SSSD
+ Library to map certificates to users based on rules.
+
+Package: libsss-certmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-certmap0 (= ${binary:Version}), ${misc:Depends}
+Description: Certificate mapping library for SSSD -- development files
+ Utility library to map certificates to users based on rules.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-certmap library.
+
+Package: libsss-idmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: ID mapping library for SSSD
+ Utility library to convert SIDs to Unix uids and gids.
+
+Package: libsss-idmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-idmap0 (= ${binary:Version}), ${misc:Depends}
+Description: ID mapping library for SSSD -- development files
+ Utility library to convert SIDs to Unix uids and gids.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-idmap library.
+
+Package: libsss-nss-idmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: SID based lookups library for SSSD
+ Utility library for SID based lookups.
+
+Package: libsss-nss-idmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-nss-idmap0 (= ${binary:Version}), ${misc:Depends}
+Description: SID based lookups library for SSSD -- development files
+ Utility library for SID based lookups.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-nss-idmap library.
+
+Package: libsss-sudo
+Section: libs
+Architecture: any
+Depends: libnss-sudo, ${misc:Depends}, ${shlibs:Depends}
+Description: Communicator library for sudo
+ Utility library to allow communication between sudo and SSSD for caching
+ sudo rules by SSSD.
+
+Package: python3-libipa-hbac
+Section: python
+Architecture: any
+Depends:
+ libipa-hbac0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python3:Depends},
+ ${shlibs:Depends}
+Description: Python3 bindings for the FreeIPA HBAC Evaluator library
+ The libipa_hbac-python contains the bindings so that libipa_hbac can be
+ used by Python applications.
+ .
+ This package installs the library for Python 3.
+
+Package: python3-libsss-nss-idmap
+Section: python
+Architecture: any
+Depends:
+ libsss-nss-idmap0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python3:Depends},
+ ${shlibs:Depends}
+Description: Python3 bindings for the SID lookups library
+ This package contains the bindings for libnss_sss_idmap to be used by
+ Python applications.
+ .
+ This package installs the library for Python 3.
+ +Package: python3-sss +Section: python +Architecture: any +Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends} +Provides: ${python3:Provides} +Recommends: sssd +Description: Python3 module for the System Security Services Daemon + Provides a set of daemons to manage access to remote directories and + authentication mechanisms. It provides an NSS and PAM interface toward + the system and a pluggable backend system to connect to multiple different + account sources. It is also the basis to provide client auditing and policy + services for projects like FreeIPA. + . + This package provide a module to access the configuration of the sssd daemon. + . + This package installs the library for Python 3. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..4a80961 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,222 @@ +This package was debianized by Mathias Gug <mathiaz@ubuntu.com> on +Wed, 05 Aug 2009 08:58:56 +0100. + +It was downloaded from https://pagure.io/SSSD/sssd/ + +Upstream Authors: + Dmitri Pal <dpal@redhat.com> + Jakub Hrozek <jhrozek@redhat.com> + Simo Sorce <ssorce@redhat.com> + Stephen Gallagher <sgallagh@redhat.com> + Sumit Bose <sbose@redhat.com> + +Copyright: + + Copyright (C) Red Hat 2008, 2009 + + Copyright (C) Dmitri Pal <dpal@redhat.com> 2009 + Copyright (C) Jakub Hrozek <jhrozek@redhat.com> 2009 + Copyright (C) Simo Sorce <ssorce@redhat.com> 2007, 2008, 2009 + Copyright (C) Stephen Gallagher <sgallagh@redhat.com> 2008,2009 + Copyright (C) Sumit Bose <sbose@redhat.com> 2009 + + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Andrew Tridgell 1992-2006 + Copyright (C) James J Myers 2003 <myersjj@samba.org> + Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2002, 2006, 2007 + Copyright (C) Jeremy Allison 1998-2002, 2007 + Copyright (C) Martin Pool 2002 + Copyright (C) Michael Adam 2008 + Copyright (C) Tim Potter 2000 + Copyright (c) 1997 Kungliga Tekniska Högskolan + + Copyright (c) 1996-2005, The PostgreSQL Global Development Group + Copyright (c) 1994, The Regents of the University of California + Copyright (c) 1996-2007, PostgreSQL Global Development Group + Copyright (C) 1996-2001 Internet Software Consortium. + + +License: + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. 
If not, see <http://www.gnu.org/licenses/>. + +The Debian packaging is Copyright (C) Canonical Ltd 2009 and is licensed under +the GPL-3 or later, see `/usr/share/common-licenses/GPL-3'. + +======================== +replace/repdir_getdents.c +replace/test/testsuite.c +replace/test/main.c +replace/getpass.c +replace/replace.c +replace/socketpair.c +replace/inet_ntoa.c +replace/strptime.c +replace/inet_aton.c +replace/dlfcn.c +replace/repdir_getdirentries.c +common/collection/* +common/ini/* +======================== +License: LGPL3 or later - see `/usr/share/common-licenses/LGPL-3'. + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, see <http://www.gnu.org/licenses/>. + + +=================== +sss_client/group.c +sss_client/common.c +sss_client/passwd.c +=================== +License: LGPL (v2.1 or later) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 2.1 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. 
+ + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, + USA. + + +===================== +replace/getaddrinfo.c +replace/getaddrinfo.h +===================== + + Permission to use, copy, modify, and distribute this software and its + documentation for any purpose, without fee, and without a written agreement + is hereby granted, provided that the above copyright notice and this paragraph + and the following two paragraphs appear in all copies. + + IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR + DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING + LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, + EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + + THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS + ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS + TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. + +=================== +replace/inet_pton.c +replace/inet_ntop.c +=================== +License: ISC + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL + INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +================ +replace/timegm.c +================ +License: BSD (3 clause) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. 
+ +================== +replace/snprintf.c +================== + + This code is based on code written by Patrick Powell (papowell@astart.com) + It may be used for any purpose as long as this notice remains intact + on all source code distributions + +=========================== +sss_client/sss_cli.h +sss_client/protos.h +sss_client/sss_pam_macros.h +sss_client/sss_errno.h +=========================== + + You can used this header file in any way you see fit provided copyright + notices are preserved. + +============================= +server/resolv/ares/ares_dns.h +============================= + + * Permission to use, copy, modify, and distribute this + * software and its documentation for any purpose and without + * fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright + * notice and this permission notice appear in supporting + * documentation, and that the name of M.I.T. not be used in + * advertising or publicity pertaining to distribution of the + * software without specific, written prior permission. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" + * without express or implied warranty. + +============================= +server/util/nss_sha512crypt.c +============================= + + Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>. diff --git a/debian/generate-config b/debian/generate-config new file mode 100755 index 0000000..17ac906 --- /dev/null +++ b/debian/generate-config 
@@ -0,0 +1,135 @@
+#!/bin/sh
+
+# Generate sssd.conf setup dynamically based on autodetectet LDAP
+# and Kerberos server.
+
+set -e
+
+# See if we can find an LDAP server. Prefer ldap.domain, but also
+# accept SRV records if no ldap.domain server is found.
+lookup_ldap_uri() {
+ domain="$1"
+ if ping -c2 ldap.$domain > /dev/null 2>&1; then
+ echo ldap://ldap.$domain
+ else
+ host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}' | head -1)
+ if [ "$host" ] ; then
+ echo ldap://$host | sed 's/\.$//'
+ fi
+ fi
+}
+
+lookup_ldap_base() {
+ ldapuri="$1"
+ defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext 2>/dev/null | awk '/^defaultNamingContext: / { print $2}')"
+ if [ -z "$defaultcontext" ] ; then
+ # If there are several contexts, pick the first one with
+ # posixAccount or posixGroup objects in it.
+ for context in $(ldapsearch -LLL -H "$ldapuri" -x -b '' \
+ -s base namingContexts 2>/dev/null | \
+ awk '/^namingContexts: / { print $2}') ; do
+ if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \
+ '(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \
+ egrep -q '^dn:|^Administrative limit exceeded' ; then
+ echo $context
+ return
+ fi
+ done
+ fi
+ echo $defaultcontext
+}
+
+lookup_kerberos_server() {
+ domain="$1"
+ if ping -c2 kerberos.$domain > /dev/null 2>&1; then
+ echo kerberos.$domain
+ else
+ host=$(host -t SRV _kerberos._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1)
+ if [ "$host" ] ; then
+ echo $host | sed 's/\.$//'
+ fi
+ fi
+}
+
+lookup_kerberos_realm() {
+ domain="$1"
+ realm=$(host -t txt _kerberos.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1|tr -d '"')
+ if [ -z "$realm" ] ; then
+ realm=$(echo $domain | tr a-z A-Z)
+ fi
+ echo $realm
+}
+
+
+generate_config() {
+ if [ "$1" ] ; then
+ domain=$1
+ else
+ domain="$(hostname -d)"
+ fi
+ kerberosrealm=$(lookup_kerberos_realm $domain)
+ ldapuri=$(lookup_ldap_uri "$domain")
+ if [ -z "$ldapuri" ]; then
+ # autodetection failed
+ return
+ fi
+
+ ldapbase="$(lookup_ldap_base "$ldapuri")"
+ if [ -z "$ldapbase" ]; then
+ # autodetection failed
+ return
+ fi
+ kerberosserver=$(lookup_kerberos_server "$domain")
+
+cat <<EOF
+# SSSD configuration generated using $0
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = $domain
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+EOF
+if [ "$kerberosserver" ] ; then
+ auth="krb5"
+ chpass="krb5"
+else
+ auth="ldap"
+ chpass="ldap";
+fi
+
+cat <<EOF
+
+[domain/$domain]
+; Using enumerate = true leads to high load and slow response
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = $auth
+chpass_provider = $chpass
+
+ldap_uri = $ldapuri
+ldap_search_base = $ldapbase
+ldap_tls_reqcert = demand
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+EOF
+
+if [ "$kerberosserver" ] ; then
+ cat <<EOF
+
+krb5_server = $kerberosserver
+krb5_realm = $kerberosrealm
+krb5_auth_timeout = 15
+EOF
+fi
+}
+generate_config "$@"
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
new file mode 100644
index 0000000..1302079
--- /dev/null
+++ b/debian/gitlab-ci.yml
@@ -0,0 +1,6 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+piuparts:
+ allow_failure: true
diff --git a/debian/libipa-hbac-dev.install b/debian/libipa-hbac-dev.install
new file mode 100644
index 0000000..091b16b
--- /dev/null
+++ b/debian/libipa-hbac-dev.install
@@ -0,0 +1,3 @@
+usr/include/ipa_hbac.h
+usr/lib/*/libipa_hbac.so
+usr/lib/*/pkgconfig/ipa_hbac.pc
diff --git a/debian/libipa-hbac0.install b/debian/libipa-hbac0.install
new file mode 100644
index 0000000..bb64866
--- /dev/null
+++ b/debian/libipa-hbac0.install
@@ -0,0 +1 @@
+usr/lib/*/libipa_hbac.so.*
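Review bot: `generate_config` returns silently with exit status 0 and empty stdout when `lookup_ldap_uri` or `lookup_ldap_base` finds nothing, so a caller that redirects the script's output into a config file ends up with an empty file and no error; print a diagnostic and fail instead, e.g. `echo "$0: could not autodetect an LDAP server for $domain" >&2; return 1`. The discovery itself relies on unauthenticated answers (A/SRV/TXT lookups and a `ping` reply): the generated `ldap_tls_reqcert = demand` line at least ties the LDAP server to a CA-signed certificate, but `krb5_server`/`krb5_realm` are written exactly as discovered, so a header comment asking the administrator to check the detected values before installing the file would be worth adding. Quoting is inconsistent — `ldapsearch -LLL -H $ldapuri` in `lookup_ldap_base` and `lookup_kerberos_realm $domain` are unquoted while the neighbouring calls quote their arguments. `egrep` is deprecated in current grep releases; `grep -E` is the portable spelling. The header comment also has a typo, `autodetectet` → `autodetected`.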
diff --git a/debian/libnss-sss.install b/debian/libnss-sss.install
new file mode 100644
index 0000000..655f705
--- /dev/null
+++ b/debian/libnss-sss.install
@@ -0,0 +1 @@
+lib/*/libnss_sss.so.2
diff --git a/debian/libnss-sss.lintian-overrides b/debian/libnss-sss.lintian-overrides
new file mode 100644
index 0000000..ba08eea
--- /dev/null
+++ b/debian/libnss-sss.lintian-overrides
@@ -0,0 +1 @@
+package-name-doesnt-match-sonames libnss-sss2
diff --git a/debian/libnss-sss.nss b/debian/libnss-sss.nss
new file mode 100644
index 0000000..ee26a3c
--- /dev/null
+++ b/debian/libnss-sss.nss
@@ -0,0 +1,8 @@
+automount database-add
+
+passwd last sss
+group last sss
+shadow last sss
+netgroup last sss
+services last sss
+automount last sss
diff --git a/debian/libnss-sss.postinst b/debian/libnss-sss.postinst
new file mode 100755
index 0000000..e0e1e66
--- /dev/null
+++ b/debian/libnss-sss.postinst
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ configure)
+ if [ -n "$2" ]; then
+ # upgrade
+ version="$2"
+
+ # fix automount typo
+ if dpkg --compare-versions $version lt "2.2.3-3"; then
+ sed -i 's/automounter/automount/' "${DPKG_ROOT}/etc/nsswitch.conf"
+ fi
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+
+#DEBHELPER#
diff --git a/debian/libnss-sss.postrm b/debian/libnss-sss.postrm
new file mode 100755
index 0000000..ea36611
--- /dev/null
+++ b/debian/libnss-sss.postrm
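Review bot: The upgrade branch of libnss-sss.postinst runs `sed -i 's/automounter/automount/' "${DPKG_ROOT}/etc/nsswitch.conf"` without checking that the file exists, and under `set -e` a missing nsswitch.conf (a minimal chroot, for instance) aborts the whole upgrade; the sibling postrm guards the same path with `[ -e ... ]`, so mirror that here: `if [ -e "${DPKG_ROOT}/etc/nsswitch.conf" ]; then sed -i ... ; fi`. The substitution is also unanchored, so it rewrites `automounter` wherever it appears in the file, comments included; anchoring it to the database name (e.g. `s/^automounter:/automount:/`) limits it to the line the comment says it is fixing. `$version` in `dpkg --compare-versions $version lt "2.2.3-3"` should be quoted like the rest of the script.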
@@ -0,0 +1,35 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+log() {
+ echo "$*"
+}
+
+remove_nss_automount_db () {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e "${DPKG_ROOT}/etc/nsswitch.conf" ]; then
+ log "Could not find ${DPKG_ROOT}/etc/nsswitch.conf."
+ return
+ fi
+
+ # Remove NSS databases: `automount` and `automounter` (legacy).
+ sed -i '/^automount/d' "${DPKG_ROOT}/etc/nsswitch.conf"
+}
+
+case "$1" in
+ remove|purge)
+ if [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
+ remove_nss_automount_db
+ fi
+ ;;
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/debian/libpam-sss-smart-card-optional.pam-auth-update b/debian/libpam-sss-smart-card-optional.pam-auth-update
new file mode 100644
index 0000000..6d846af
--- /dev/null
+++ b/debian/libpam-sss-smart-card-optional.pam-auth-update
@@ -0,0 +1,8 @@
+Name: SSS optional smart card authentication
+Default: no
+Priority: 264
+Conflicts: sss-smart-card-required
+
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_sss.so allow_missing_name try_cert_auth
diff --git a/debian/libpam-sss-smart-card-required.pam-auth-update b/debian/libpam-sss-smart-card-required.pam-auth-update
new file mode 100644
index 0000000..5f00234
--- /dev/null
+++ b/debian/libpam-sss-smart-card-required.pam-auth-update
@@ -0,0 +1,8 @@
+Name: SSS required smart card authentication
+Default: no
+Priority: 264
+Conflicts: sss-smart-card-optional
+
+Auth-Type: Primary
+Auth:
+ [success=end ignore=ignore default=die] pam_sss.so allow_missing_name require_cert_auth
diff --git a/debian/libpam-sss.install b/debian/libpam-sss.install
new file mode 100644
index 0000000..907b29c
--- /dev/null
+++ b/debian/libpam-sss.install
@@ -0,0 +1,4 @@
+lib/*/security/pam_sss.so
+lib/*/security/pam_sss_gss.so
+usr/share/man/man8/pam_sss.8*
+usr/share/man/man8/pam_sss_gss.8*
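Review bot: `sed -i '/^automount/d'` in `remove_nss_automount_db` deletes every line beginning with `automount`, so on remove/purge an administrator's `automount:` entry that still lists other sources (`files`, `ldap`, …) is dropped together with the package, not just the `sss` source the package contributed. Deleting only a line that has no sources left, e.g. `sed -i '/^automount\(er\)\?:[[:space:]]*$/d' "${DPKG_ROOT}/etc/nsswitch.conf"`, keeps the administrator's configuration intact while still cleaning up both spellings the comment mentions. This assumes the debhelper-generated snippet at `#DEBHELPER#` (placed above the function, presumably for that ordering) has already removed the `sss` entry from the line — worth confirming against what dh_installnss emits for `database-add`.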
diff --git a/debian/libpam-sss.pam-auth-update b/debian/libpam-sss.pam-auth-update
new file mode 100644
index 0000000..22e3e24
--- /dev/null
+++ b/debian/libpam-sss.pam-auth-update
@@ -0,0 +1,22 @@
+Name: SSS authentication
+Default: yes
+Priority: 128
+
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_sss.so use_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_sss.so forward_pass
+Account-Type: Additional
+Account:
+ sufficient pam_localuser.so
+ [default=bad success=ok user_unknown=ignore] pam_sss.so
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ optional pam_sss.so
+Password-Type: Primary
+Password:
+ sufficient pam_sss.so use_authtok
+Password-Initial:
+ sufficient pam_sss.so
diff --git a/debian/libpam-sss.postinst b/debian/libpam-sss.postinst
new file mode 100644
index 0000000..d9d3be5
--- /dev/null
+++ b/debian/libpam-sss.postinst
@@ -0,0 +1,40 @@
+#!/bin/sh
+# postinst script for sssd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ pam-auth-update --package
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/libpam-sss.prerm b/debian/libpam-sss.prerm
new file mode 100644
index 0000000..19e23fa
--- /dev/null
+++ b/debian/libpam-sss.prerm
@@ -0,0 +1,11 @@
+#! /bin/sh -e
+
+
+if [ "$1" = remove ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
+ pam-auth-update --package --remove \
+ sss \
+ sss-smart-card-optional \
+ sss-smart-card-required
+fi
+
+#DEBHELPER#
diff --git a/debian/libsss-certmap-dev.install b/debian/libsss-certmap-dev.install
new file mode 100644
index 0000000..22c6c53
--- /dev/null
+++ b/debian/libsss-certmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_certmap.h
+usr/lib/*/libsss_certmap.so
+usr/lib/*/pkgconfig/sss_certmap.pc
diff --git a/debian/libsss-certmap0.install b/debian/libsss-certmap0.install
new file mode 100644
index 0000000..5091759
--- /dev/null
+++ b/debian/libsss-certmap0.install
@@ -0,0 +1,2 @@
+usr/lib/*/libsss_certmap.so.*
+usr/share/man/man5/sss-certmap.5
diff --git a/debian/libsss-idmap-dev.install b/debian/libsss-idmap-dev.install
new file mode 100644
index 0000000..ec32d9e
--- /dev/null
+++ b/debian/libsss-idmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_idmap.h
+usr/lib/*/libsss_idmap.so
+usr/lib/*/pkgconfig/sss_idmap.pc
diff --git a/debian/libsss-idmap0.install b/debian/libsss-idmap0.install
new file mode 100644
index 0000000..e181d36
--- /dev/null
+++ b/debian/libsss-idmap0.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_idmap.so.*
diff --git a/debian/libsss-nss-idmap-dev.install b/debian/libsss-nss-idmap-dev.install
new file mode 100644
index 0000000..e56b7cc
--- /dev/null
+++ b/debian/libsss-nss-idmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_nss_idmap.h
+usr/lib/*/libsss_nss_idmap.so
+usr/lib/*/pkgconfig/sss_nss_idmap.pc
diff --git a/debian/libsss-nss-idmap0.install b/debian/libsss-nss-idmap0.install
new file mode 100644
index 0000000..63d8e33
--- /dev/null
+++ b/debian/libsss-nss-idmap0.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_nss_idmap.so.*
diff --git a/debian/libsss-sudo.install b/debian/libsss-sudo.install
new file mode 100644
index 0000000..5e53fd1
--- /dev/null
+++ b/debian/libsss-sudo.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_sudo.so
diff --git a/debian/libsss-sudo.lintian-overrides b/debian/libsss-sudo.lintian-overrides
new file mode 100644
index 0000000..94bc7df
--- /dev/null
+++ b/debian/libsss-sudo.lintian-overrides
@@ -0,0 +1 @@
+shlib-without-versioned-soname usr/lib/*/libsss_sudo.so libsss_sudo.so
diff --git a/debian/libsss-sudo.nss b/debian/libsss-sudo.nss
new file mode 100644
index 0000000..180f10b
--- /dev/null
+++ b/debian/libsss-sudo.nss
@@ -0,0 +1,3 @@
+sudoers database-require
+
+sudoers last sss
diff --git a/debian/libsss-sudo.triggers b/debian/libsss-sudo.triggers
new file mode 100644
index 0000000..dd86603
--- /dev/null
+++ b/debian/libsss-sudo.triggers
@@ -0,0 +1 @@
+activate-noawait ldconfig
diff --git a/debian/patches/default-to-socket-activated-services.diff b/debian/patches/default-to-socket-activated-services.diff
new file mode 100644
index 0000000..afcdab5
--- /dev/null
+++ b/debian/patches/default-to-socket-activated-services.diff
@@ -0,0 +1,20 @@
+--- a/src/examples/sssd.conf
++++ b/src/examples/sssd.conf
+@@ -1,5 +1,4 @@
+ [sssd]
+-services = nss, pam
+ domains = shadowutils
+
+ [nss]
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -47,8 +47,7 @@
+ #define SSSD_MIN_ID 1
+ #define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh"
+ #define CONFDB_FALLBACK_CONFIG \
+- "[sssd]\n" \
+- "services = nss\n"
++ "[sssd]\n"
+
+
+ /* Configuration options */
diff --git a/debian/patches/fix-shebang-on-sss_analyze.patch b/debian/patches/fix-shebang-on-sss_analyze.patch
new file mode 100644
index 0000000..9eadaf2
--- /dev/null
+++ b/debian/patches/fix-shebang-on-sss_analyze.patch
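Review bot: default-to-socket-activated-services.diff carries no DEP-3 header, so nothing in the patch records why the `services =` default is being dropped from both the example config and `CONFDB_FALLBACK_CONFIG`, who wrote it, or whether it was offered upstream; fix-shebang-on-sss_analyze.patch in the same series shows the expected form. A short block at the top such as `Description: Default to socket-activated responders instead of a fixed services list`, `Author: <name>`, `Forwarded: not-needed` (or the upstream reference) would do. fix-whitespace-test.diff has the same gap.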
@@ -0,0 +1,22 @@
+From: Sergio Durigan Junior <sergiodj@debian.org>
+Date: Wed, 22 Jun 2022 10:56:45 -0400
+Subject: Fix shebang on sss_analyze
+
+s/python/python3/
+
+Forwarded: not-needed
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1979453
+---
+ src/tools/analyzer/sss_analyze | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
+index 3f1beaf..6d4b5b3 100755
+--- a/src/tools/analyzer/sss_analyze
++++ b/src/tools/analyzer/sss_analyze
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+
+ from sssd import sss_analyze
+
diff --git a/debian/patches/fix-whitespace-test.diff b/debian/patches/fix-whitespace-test.diff
new file mode 100644
index 0000000..f88e793
--- /dev/null
+++ b/debian/patches/fix-whitespace-test.diff
@@ -0,0 +1,13 @@
+diff --git a/src/tests/whitespace_test b/src/tests/whitespace_test
+index f055ed4c2..fa95494be 100755
+--- a/src/tests/whitespace_test
++++ b/src/tests/whitespace_test
+@@ -16,7 +16,7 @@ fi
+
+ {
+ # Look for lines with trailing whitespace in all files tracked by Git
+- git grep -n -I '\s\+$' -- "$(git rev-parse --show-toplevel)" ||
++ git grep --full-name -n -I '\s\+$' -- "$(git rev-parse --show-toplevel)" ||
+ # Don't fail if no such lines were found anywhere
+ [[ $? == 1 ]]
+ } |
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..cf4c5c2
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+fix-whitespace-test.diff
+default-to-socket-activated-services.diff
+fix-shebang-on-sss_analyze.patch
diff --git a/debian/python3-libipa-hbac.install b/debian/python3-libipa-hbac.install
new file mode 100644
index 0000000..923e03d
--- /dev/null
+++ b/debian/python3-libipa-hbac.install
@@ -0,0 +1 @@
+usr/lib/python3/dist-packages/pyhbac.so
diff --git a/debian/python3-libsss-nss-idmap.install b/debian/python3-libsss-nss-idmap.install
new file mode 100644
index 0000000..a7667d1
--- /dev/null
+++ b/debian/python3-libsss-nss-idmap.install
@@ -0,0 +1 @@
+usr/lib/python3/dist-packages/pysss_nss_idmap.so
diff --git a/debian/python3-sss.install b/debian/python3-sss.install
new file mode 100644
index 0000000..1f75e8c
--- /dev/null
+++ b/debian/python3-sss.install
@@ -0,0 +1,3 @@
+usr/lib/python3/dist-packages/SSSDConfig/*.py
+usr/lib/python3/dist-packages/pysss.so
+usr/lib/python3/dist-packages/pysss_murmur.so
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..d6c2e79
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,129 @@
+#!/usr/bin/make -f
+%:
+ dh $@ --with python3 \
+ --builddirectory=build
+
+export DEB_BUILD_MAINT_OPTIONS = optimize=-lto
+
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
+CFLAGS += -I/usr/include/samba-4.0
+
+export CK_DEFAULT_TIMEOUT=30
+export am_cv_python_pythondir=/usr/lib/python3/dist-packages
+export am_cv_python_pyexecdir=/usr/lib/python3/dist-packages
+export systemdsystemunitdir=$(shell pkgconf --variable=systemdsystemunitdir systemd | sed s,^/,,)
+
+DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+APIDOCDIR = /usr/share/sssd
+DISTRIBUTION = $(shell lsb_release -i | sed 's/.*:\t//')
+PKGDATE = $(shell dpkg-parsechangelog | \
+ awk -F" " '/^Date/ { print $$4 "/" $$3 "/" $$5 }' | \
+ sed 's/Jan/01/;s/Feb/02/;s/Mar/03/;s/Apr/04/;s/May/05/;s/Jun/06/;s/Jul/07/;s/Aug/08/;s/Sep/09/;s/Oct/10/;s/Nov/11/;s/Dec/12/;s/\//\\\//g')
+CURDATE = $(shell date +%m/%d/%Y | sed 's/\//\\\//g')
+export CK_VERBOSITY=verbose
+
+override_dh_auto_configure:
+ dh_auto_configure -- --enable-krb5-locator-plugin \
+ --datadir=/usr/share/ \
+ --with-environment-file=/etc/default/sssd \
+ --with-krb5-plugin-path=/usr/lib/$(DEB_HOST_MULTIARCH)/krb5/plugins/libkrb5 \
+ --enable-nsslibdir=/lib/$(DEB_HOST_MULTIARCH) \
+ --enable-pammoddir=/lib/$(DEB_HOST_MULTIARCH)/security \
+ --enable-systemtap \
+ --disable-static \
+ --disable-rpath \
+ --with-autofs \
+ --with-crypto=libcrypto \
+ --with-ssh \
+ --with-initscript=systemd \
+ --with-systemdunitdir=/$(systemdsystemunitdir) \
+ --with-files-provider \
+ --with-smb-idmap-interface-version=6 \
+ --without-python2-bindings \
+ --with-syslog=journald \
+ --with-pid-path=/run \
+ --with-sssd-user=root \
+ --with-sudo \
+ --with-subid \
+ --with-passkey
+
+override_dh_auto_test:
+ifeq ($(filter nocheck,$(DEB_BUILD_OPTIONS)),)
+ export CK_TIMEOUT_MULTIPLIER=10
+ dh_auto_test -- VERBOSE=yes
+ unset CK_TIMEOUT_MULTIPLIER
+endif
+
+override_dh_auto_install:
+ dh_auto_install --max-parallel=1
+
+override_dh_fixperms:
+ dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child
+
+override_dh_install:
+ install -D -m755 $(CURDIR)/debian/generate-config \
+ $(CURDIR)/debian/tmp/usr/share/sssd/generate-config
+
+ mkdir -p $(CURDIR)/debian/libpam-sss/usr/share/pam-configs
+ install -m644 debian/libpam-sss.pam-auth-update \
+ $(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss
+ install -m644 debian/libpam-sss-smart-card-optional.pam-auth-update \
+ $(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss-smart-card-optional
+ install -m644 debian/libpam-sss-smart-card-required.pam-auth-update \
+ $(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss-smart-card-required
+ install -m644 -D $(CURDIR)/debian/apparmor-profile \
+ $(CURDIR)/debian/sssd-common/etc/apparmor.d/usr.sbin.sssd
+
+ # remove files we don't want to install
+ find $(CURDIR)/debian/tmp/ -name '*.la' -exec rm '{}' ';'
+ find $(CURDIR)/debian/tmp/ -name '*.pyc' -exec rm '{}' ';'
+ # We need to use '+' instead of ';' due to the way 'find' and
+ # 'rm' interact with each other.
+ find $(CURDIR)/debian/tmp/ -name '*.egg-info' -exec rm -r '{}' '+'
+ rm -f $(CURDIR)/debian/tmp/etc/rc.d/init.d/sssd
+
+ # match nn/nn/nnnn, replace with the date from changelog
+ sed -i 's/[0-1][0-9]\/[0-3][0-9]\/[0-9][0-9][0-9][0-9]/${PKGDATE}/g' $(CURDIR)/debian/tmp/usr/share/man/man*/*
+
+ # change the shebang
+ sed -i -e 's:/usr/bin/python:/usr/bin/python3:' $(CURDIR)/debian/tmp/usr/sbin/sss_obfuscate
+
+ mkdir -p debian/tmp/etc/krb5.conf.d
+ # Enable krb5 idp plugins by default (when sssd-idp package is installed)
+ cp debian/tmp/usr/share/sssd/krb5-snippets/sssd_enable_idp \
+ debian/tmp/etc/krb5.conf.d/sssd_enable_idp
+ # Kerberos KCM credential cache by default
+ cp debian/tmp/usr/share/sssd-kcm/kcm_default_ccache \
+ debian/tmp/etc/krb5.conf.d/kcm_default_ccache
+ # krb5 configuration snippet
+ cp debian/tmp/usr/share/sssd/krb5-snippets/enable_sssd_conf_dir \
+ debian/tmp/etc/krb5.conf.d/enable_sssd_conf_dir
+
+ dh_install
+
+override_dh_installman:
+
+override_dh_missing:
+ dh_missing --fail-missing
+
+override_dh_installinit:
+ dh_apparmor -psssd-common --profile-name=usr.sbin.sssd
+ dh_installinit --name sssd --error-handler=invoke_failure
+
+override_dh_installdeb:
+ dh_installdeb
+ for pkg in sssd-common sssd-ipa sssd-krb5-common sssd-proxy; do \
+ sed -i 's/@TRIPLET@/${DEB_HOST_MULTIARCH}/' \
+ $(CURDIR)/debian/$$pkg/DEBIAN/postinst; \
+ done
+
+override_dh_auto_clean:
+ dh_auto_clean
+ rm -f $(CURDIR)/po/*.gmo
+ rm -f $(CURDIR)/src/config/*.pyc
+ rm -f $(CURDIR)/po/stamp-po
+ rm -f $(CURDIR)/src/sbus/codegen/__pycache__/*.pyc
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/sssd-ad-common.install b/debian/sssd-ad-common.install
new file mode 100644
index 0000000..af194e0
--- /dev/null
+++ b/debian/sssd-ad-common.install
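Review bot: In `override_dh_auto_test`, `export CK_TIMEOUT_MULTIPLIER=10` and `unset CK_TIMEOUT_MULTIPLIER` are separate recipe lines, and each recipe line runs in its own shell, so the variable never reaches `dh_auto_test` and the `unset` is a no-op; put it on the same line, `CK_TIMEOUT_MULTIPLIER=10 dh_auto_test -- VERBOSE=yes`, and drop the other two, or export it at Make level the way `CK_DEFAULT_TIMEOUT` is. `CFLAGS = $(shell dpkg-buildflags --get CFLAGS)` appears to repeat what the included buildflags.mk already provides and, as a recursive assignment, re-runs dpkg-buildflags on every expansion; keeping just `CFLAGS += -I/usr/include/samba-4.0` after the include should suffice. `APIDOCDIR`, `DISTRIBUTION` and `CURDATE` are not referenced anywhere in this file as shown, and `DISTRIBUTION` forks `lsb_release` at parse time for nothing — unless an included file uses them, they can be removed. `dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child`, the empty `override_dh_installman:` and `--with-sssd-user=root` are all deliberate choices with security or packaging consequences that a later maintainer is likely to "tidy up"; a one-line comment on each saying why (e.g. `# keep upstream's mode bits on the privileged helpers`) would protect them.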
@@ -0,0 +1,3 @@
+${env:systemdsystemunitdir}/sssd-pac.service
+${env:systemdsystemunitdir}/sssd-pac.socket
+usr/libexec/sssd/sssd_pac
diff --git a/debian/sssd-ad.install b/debian/sssd-ad.install
new file mode 100644
index 0000000..e9e328a
--- /dev/null
+++ b/debian/sssd-ad.install
@@ -0,0 +1,3 @@
+usr/libexec/sssd/gpo_child
+usr/lib/*/sssd/libsss_ad.so
+usr/share/man/man5/sssd-ad.5*
diff --git a/debian/sssd-common.dirs b/debian/sssd-common.dirs
new file mode 100644
index 0000000..25c4eac
--- /dev/null
+++ b/debian/sssd-common.dirs
@@ -0,0 +1,12 @@
+etc/sssd
+etc/sssd/conf.d
+var/lib/sss
+var/lib/sss/db
+var/lib/sss/deskprofile
+var/lib/sss/gpo_cache
+var/lib/sss/mc
+var/lib/sss/pipes
+var/lib/sss/pipes/private
+var/lib/sss/pubconf
+var/lib/sss/secrets
+var/log/sssd
diff --git a/debian/sssd-common.docs b/debian/sssd-common.docs
new file mode 100644
index 0000000..216b1c4
--- /dev/null
+++ b/debian/sssd-common.docs
@@ -0,0 +1 @@
+BUILD.txt
diff --git a/debian/sssd-common.examples b/debian/sssd-common.examples
new file mode 100644
index 0000000..5ab6a19
--- /dev/null
+++ b/debian/sssd-common.examples
@@ -0,0 +1 @@
+src/examples/sssd-example.conf
diff --git a/debian/sssd-common.install b/debian/sssd-common.install
new file mode 100644
index 0000000..c05c05d
--- /dev/null
+++ b/debian/sssd-common.install
@@ -0,0 +1,72 @@ +etc/pam.d/sssd-shadowutils +${env:systemdsystemunitdir}/sssd.service +${env:systemdsystemunitdir}/sssd-sudo.service +${env:systemdsystemunitdir}/sssd-sudo.socket +${env:systemdsystemunitdir}/sssd-ssh.service +${env:systemdsystemunitdir}/sssd-ssh.socket +${env:systemdsystemunitdir}/sssd-autofs.service +${env:systemdsystemunitdir}/sssd-autofs.socket +${env:systemdsystemunitdir}/sssd-pam.service +${env:systemdsystemunitdir}/sssd-pam.socket +${env:systemdsystemunitdir}/sssd-pam-priv.socket +${env:systemdsystemunitdir}/sssd-nss.service +${env:systemdsystemunitdir}/sssd-nss.socket +usr/bin/sss_ssh_authorizedkeys +usr/bin/sss_ssh_knownhostsproxy +usr/lib/*/cifs-utils/cifs_idmap_sss.so +usr/lib/*/krb5/plugins/authdata/sssd_pac_plugin.so +usr/lib/*/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +usr/lib/*/samba/ldb/memberof.so +usr/lib/*/libnfsidmap/sss.so +usr/lib/*/libsubid_sss.so +usr/lib/*/samba/idmap/sss.so +usr/lib/*/sssd/conf/sssd.conf +usr/lib/*/sssd/libifp_iface.so +usr/lib/*/sssd/libifp_iface_sync.so +usr/lib/*/sssd/libsss_cert.so +usr/lib/*/sssd/libsss_child.so +usr/lib/*/sssd/libsss_crypt.so +usr/lib/*/sssd/libsss_debug.so +usr/lib/*/sssd/libsss_files.so +usr/lib/*/sssd/libsss_iface.so +usr/lib/*/sssd/libsss_iface_sync.so +usr/lib/*/sssd/libsss_krb5_common.so +usr/lib/*/sssd/libsss_ldap_common.so +usr/lib/*/sssd/libsss_sbus.so +usr/lib/*/sssd/libsss_sbus_sync.so +usr/lib/*/sssd/libsss_semanage.so +usr/lib/*/sssd/libsss_simple.so +usr/lib/*/sssd/libsss_util.so +usr/lib/*/sssd/modules/libsss_autofs.so +usr/lib/*/sssd/modules/sssd_krb5_localauth_plugin.so +usr/libexec/sssd/p11_child +usr/libexec/sssd/sss_signal +usr/libexec/sssd/sssd_autofs +usr/libexec/sssd/sssd_be +usr/libexec/sssd/sssd_check_socket_activated_responders +usr/libexec/sssd/sssd_nss +usr/libexec/sssd/sssd_pam +usr/libexec/sssd/sssd_ssh +usr/libexec/sssd/sssd_sudo +usr/sbin/sssd +usr/share/locale/*/LC_MESSAGES/* +usr/share/man/man1/sss_ssh_authorizedkeys.1* 
+usr/share/man/man1/sss_ssh_knownhostsproxy.1* +usr/share/man/man5/sss_rpcidmapd.5* +usr/share/man/man5/sssd-files.5* +usr/share/man/man5/sssd-session-recording.5* +usr/share/man/man5/sssd-simple.5* +usr/share/man/man5/sssd-sudo.5* +usr/share/man/man5/sssd-systemtap.5* +usr/share/man/man5/sssd.conf.5* +usr/share/man/man8/idmap_sss.8* +usr/share/man/man8/sssd.8* +usr/share/man/man8/sssd_krb5_localauth_plugin.8 +usr/share/man/man8/sssd_krb5_locator_plugin.8* +usr/share/polkit-1/rules.d/sssd-pcsc.rules +usr/share/sssd/cfg_rules.ini +usr/share/sssd/generate-config +usr/share/sssd/sssd.api.conf +usr/share/sssd/sssd.api.d +usr/share/sssd/systemtap +usr/share/systemtap diff --git a/debian/sssd-common.lintian-overrides b/debian/sssd-common.lintian-overrides new file mode 100644 index 0000000..57743d1 --- /dev/null +++ b/debian/sssd-common.lintian-overrides @@ -0,0 +1,3 @@ +manpage-has-errors-from-man usr/share/man/man5/sssd-ldap.5.* +lacks-ldconfig-trigger usr/lib/x86_64-linux-gnu/libsubid_sss.so +shared-library-lacks-version usr/lib/x86_64-linux-gnu/libsubid_sss.so libsubid_sss.so diff --git a/debian/sssd-common.logrotate b/debian/sssd-common.logrotate new file mode 100644 index 0000000..f305c87 --- /dev/null +++ b/debian/sssd-common.logrotate @@ -0,0 +1,11 @@ +/var/log/sssd/*.log { + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + postrotate + kill -HUP `cat /var/run/sssd.pid` > /dev/null 2>&1 || true + endscript +} diff --git a/debian/sssd-common.manpages b/debian/sssd-common.manpages new file mode 100644 index 0000000..8e3f513 --- /dev/null +++ b/debian/sssd-common.manpages @@ -0,0 +1 @@ +usr/share/man/man*/* diff --git a/debian/sssd-common.postinst b/debian/sssd-common.postinst new file mode 100644 index 0000000..5687bbf --- /dev/null +++ b/debian/sssd-common.postinst 
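Review bot: The two `libsubid_sss.so` overrides hard-code `usr/lib/x86_64-linux-gnu/`, so they only silence lintian on amd64 and the same tags will reappear on every other architecture the package builds for. Lintian override paths accept shell-style wildcards; `lacks-ldconfig-trigger usr/lib/*/libsubid_sss.so` and `shared-library-lacks-version usr/lib/*/libsubid_sss.so libsubid_sss.so` cover all multiarch triplets with one line each.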
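Review bot: The postrotate hook reads `/var/run/sssd.pid` without checking that the file exists or holds a PID, and the trailing `|| true` masks every failure, so if no pidfile is present (which seems likely on a systemd host, where the init script that uses that path is not in play) the logs are rotated without sssd ever being told to reopen them and nothing reports it. Guard the signal on the pidfile, `[ -s /var/run/sssd.pid ] && kill -HUP "$(cat /var/run/sssd.pid)"`, and consider `systemctl kill -s HUP sssd.service` where the unit is active; `/var/run` is also only a compatibility symlink for `/run` on current Debian.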
@@ -0,0 +1,83 @@ +#!/bin/sh +# postinst script for sssd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postinst> `configure' <most-recently-configured-version> +# * <old-postinst> `abort-upgrade' <new version> +# * <conflictor's-postinst> `abort-remove' `in-favour' <package> +# <new-version> +# * <postinst> `abort-remove' +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +OUT=/dev/null +HOME=/var/lib/sss +LIBDIR=/usr/libexec/sssd + +case "$1" in + configure) + if ! getent passwd sssd > $OUT; then + echo "Creating SSSD system user & group..." + adduser --quiet --system --home $HOME \ + --disabled-password --group \ + --gecos "SSSD system user" \ + sssd > $OUT + fi + chown -R root:root \ + $HOME/db \ + $HOME/gpo_cache \ + $HOME/mc \ + $HOME/pipes \ + $HOME/pipes/private \ + $HOME/pubconf \ + $HOME/secrets \ + /etc/sssd \ + /var/log/sssd + + # for easier review keep the same order as on sssd.spec + chmod 700 $HOME/db + chmod 775 $HOME/mc + chmod 700 $HOME/secrets + chmod 751 $HOME/deskprofile + chmod 755 $HOME/pipes + chmod 750 $HOME/pipes/private + chmod 755 $HOME/pubconf + chmod 755 $HOME/gpo_cache + chmod 750 /var/log/sssd + chmod 700 /etc/sssd + chmod 711 /etc/sssd + if [ -f /etc/sssd/sssd.conf ]; then + chown root:root /etc/sssd/sssd.conf + chmod 0600 /etc/sssd/sssd.conf + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +invoke_failure() { + # invoke-rc.d failed, likely because of a missing sssd.conf + if [ ! -s /etc/sssd/sssd.conf ]; then + echo "... because /etc/sssd/sssd.conf is not available yet" + fi +} + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. 
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/sssd-common.postrm b/debian/sssd-common.postrm
new file mode 100644
index 0000000..c31e446
--- /dev/null
+++ b/debian/sssd-common.postrm
@@ -0,0 +1,53 @@
+#!/bin/sh
+# postrm script for sssd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <overwriter>
+# <overwriter-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ purge)
+ rm -f /etc/sssd/sssd.conf
+ if [ -d /etc/sssd ]; then
+ rmdir --ignore-fail-on-non-empty /etc/sssd/
+ fi
+ rm -rf /var/log/sssd/
+ if getent group dirsrv > /dev/null; then
+ deluser --system sssd
+ fi
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# work around buggy dh_apparmor which doesn't do this for us
+if [ "$1" = "purge" ]; then
+ rmdir /etc/apparmor.d/force-complain 2>/dev/null || true
+ rmdir /etc/apparmor.d 2>/dev/null || true
+fi
+
+exit 0
diff --git a/debian/sssd-common.preinst b/debian/sssd-common.preinst
new file mode 100755
index 0000000..35f602a
--- /dev/null
+++ b/debian/sssd-common.preinst
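Review bot: `HOME=/var/lib/sss` in the postinst reassigns the HOME the script inherited from its environment; an inherited variable keeps its export attribute in POSIX sh, so `adduser` and whatever dh_installdeb splices in at `#DEBHELPER#` then run with HOME pointing at the sssd state directory. Use a private name such as `SSSD_HOME=/var/lib/sss` and update the `$HOME/...` references below it. `chmod 700 /etc/sssd` is dead code since the next line sets `711`, and `LIBDIR` is assigned but never used in this script. The `deskprofile` directory gets `chmod 751` but, unlike its siblings, is missing from the `chown -R root:root` list above it — presumably an oversight worth confirming.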
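Review bot: The purge branch removes the sssd system account only when `getent group dirsrv` succeeds, which tests for an unrelated 389-ds group rather than for the user this package's postinst created, so on most systems the account is left behind after purge and on a host that happens to carry a dirsrv group the `deluser` runs regardless. Test for the account itself: `if getent passwd sssd > /dev/null; then`. Since `rm -rf /var/log/sssd/` and the `/etc/sssd` cleanup run before it, the order is otherwise fine.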
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+APP_PROFILE="usr.sbin.sssd"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+
+inst_complain_profile() {
+ # Create a symlink to the yet-to-be-unpacked profile
+ mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+}
+
+case "$1" in
+install)
+ # Force the AppArmor profile to complain mode on install
+ inst_complain_profile
+ ;;
+upgrade)
+ if dpkg --compare-versions "$2" le 2.8.2-3; then
+ # 2.8.2-2 added a line for subid which was premature given that
+ # libsubid supports only a single database. Let's remove it to avoid
+ # breaking systems where the user expects /etc/sub[ug]id to continue to
+ # work.
+ sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^subid:\s*sss\s*$/d'
+ fi
+esac
+
+#DEBHELPER#
diff --git a/debian/sssd-common.prerm b/debian/sssd-common.prerm
new file mode 100644
index 0000000..3122dd8
--- /dev/null
+++ b/debian/sssd-common.prerm
@@ -0,0 +1,9 @@
+#! /bin/sh -e
+
+invoke_failure() {
+ # invoke-rc.d failed
+ return
+}
+
+#DEBHELPER#
+
diff --git a/debian/sssd-common.sssd.default b/debian/sssd-common.sssd.default
new file mode 100644
index 0000000..af06de7
--- /dev/null
+++ b/debian/sssd-common.sssd.default
@@ -0,0 +1,8 @@
+# Defaults for sssd, installed at /etc/default/sssd by the maintainer scripts
+
+# Additional options that are passed to the Daemon.
+# This is only used for /etc/init.d/sssd
+DAEMON_OPTS="-D -f"
+
+# Where to direct debug output, valid options are 'files', 'journald', 'stderr'.
+#DEBUG_LOGGER=--logger=journald
diff --git a/debian/sssd-common.sssd.init b/debian/sssd-common.sssd.init
new file mode 100644
index 0000000..390a6e2
--- /dev/null
+++ b/debian/sssd-common.sssd.init
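Review bot: The `upgrade` branch runs `sed -i` on `${DPKG_ROOT}/etc/nsswitch.conf` without checking that the file exists, and with `set -e` a missing file (a minimal chroot, or a `DPKG_ROOT` staging tree without it) aborts the whole upgrade of sssd-common rather than skipping a cleanup that has nothing to do. Wrap it in `if [ -e "${DPKG_ROOT}/etc/nsswitch.conf" ]; then … fi`. In `inst_complain_profile`, `mkdir -p `dirname $APP_COMPLAIN`` and `ln -sf $APP_CONFFILE $APP_COMPLAIN` are unquoted; `mkdir -p "$(dirname "$APP_COMPLAIN")"` is the safer form even though the values are constants here.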
@@ -0,0 +1,86 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: sssd +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Should-Start: $named +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: System Security Services Daemon +# Description: Provides a set of daemons to manage access to +# remote directories and authentication +# mechanisms. It provides an NSS and PAM interface +# toward the system and a pluggable backend system +# to connect to multiple different account sources. +### END INIT INFO +# start on filesystem +# stop on runlevel [06] + +DESCRIPTION="System Security Services Daemon" +PATH=/bin:/usr/bin:/sbin:/usr/sbin +NAME=sssd +DAEMON_OPTS="" +DAEMON=/usr/sbin/$NAME +PIDFILE=/var/run/$NAME.pid + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +if [ -f /etc/default/sssd ] ; then + . /etc/default/sssd +fi + +initdmain() { + case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESCRIPTION" "$NAME" + start_daemon -p $PIDFILE $DAEMON $DAEMON_OPTS + RC=$? + case "$RC" in + 0) + [ "$VERBOSE" != no ] && log_end_msg $RC + ;; + *) + # Report error also when VERBOSE=no + log_daemon_msg "Starting $DESCRIPTION" "$NAME" + log_end_msg $RC + ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESCRIPTION" "$NAME" + killproc -p $PIDFILE $DAEMON + RC=$? + case "$RC" in + 0) + [ "$VERBOSE" != no ] && log_end_msg $RC + ;; + *) + # Report error also when VERBOSE=no + log_daemon_msg "Stopping $DESCRIPTION" "$NAME" + log_end_msg $RC + ;; + esac + ;; + force-reload|restart) + $0 stop + $0 start + ;; + status) + status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $? 
+ ;;
+ *)
+ echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|status}"
+ exit 1
+ ;;
+ esac
+}
+
+initdmain $@
+
+exit 0
diff --git a/debian/sssd-dbus.install b/debian/sssd-dbus.install
new file mode 100644
index 0000000..47023a3
--- /dev/null
+++ b/debian/sssd-dbus.install
@@ -0,0 +1,5 @@
+${env:systemdsystemunitdir}/sssd-ifp.service
+usr/libexec/sssd/sssd_ifp
+usr/share/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
+usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+usr/share/man/man5/sssd-ifp.5
diff --git a/debian/sssd-dbus.maintscript b/debian/sssd-dbus.maintscript
new file mode 100644
index 0000000..fd8bcc5
--- /dev/null
+++ b/debian/sssd-dbus.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf 2.8.2-3~
diff --git a/debian/sssd-idp.install b/debian/sssd-idp.install
new file mode 100644
index 0000000..eaa41e0
--- /dev/null
+++ b/debian/sssd-idp.install
@@ -0,0 +1,4 @@
+etc/krb5.conf.d/sssd_enable_idp
+usr/lib/*/sssd/modules/sssd_krb5_idp_plugin.so
+usr/libexec/sssd/oidc_child
+usr/share/sssd/krb5-snippets/sssd_enable_idp
diff --git a/debian/sssd-ipa.dirs b/debian/sssd-ipa.dirs
new file mode 100644
index 0000000..f2b294d
--- /dev/null
+++ b/debian/sssd-ipa.dirs
@@ -0,0 +1 @@
+var/lib/sss/keytabs
diff --git a/debian/sssd-ipa.install b/debian/sssd-ipa.install
new file mode 100644
index 0000000..866c449
--- /dev/null
+++ b/debian/sssd-ipa.install
@@ -0,0 +1,3 @@
+usr/lib/*/sssd/libsss_ipa.so
+usr/libexec/sssd/selinux_child
+usr/share/man/man5/sssd-ipa.5*
diff --git a/debian/sssd-ipa.postinst b/debian/sssd-ipa.postinst
new file mode 100644
index 0000000..c7ebc58
--- /dev/null
+++ b/debian/sssd-ipa.postinst
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+LIBDIR=/usr/libexec/sssd
+
+case "$1" in
+ configure)
+ chmod 0750 $LIBDIR/selinux_child
+ chown -R root:root /var/lib/sss/keytabs
+ chmod 700 /var/lib/sss/keytabs
+ ;;
+esac
+
+#DEBHELPER#
+
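Review bot: `start_daemon -p $PIDFILE $DAEMON $DAEMON_OPTS` in the `start` branch never passes `$DEBUG_LOGGER`, although the companion `/etc/default/sssd` added in this commit documents `DEBUG_LOGGER=--logger=journald` as a user-settable knob for this init script; either append `$DEBUG_LOGGER` to that line or drop the option from the defaults file so the two agree. `initdmain $@` at the bottom should be `initdmain "$@"` so arguments are passed through unsplit. `DAEMON_OPTS=""` is assigned before `/etc/default/sssd` is sourced, so the defaults file's `-D -f` wins as intended; a one-line comment saying so would stop a reader from "fixing" the empty assignment.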
diff --git a/debian/sssd-kcm.install b/debian/sssd-kcm.install
new file mode 100644
index 0000000..f541575
--- /dev/null
+++ b/debian/sssd-kcm.install
@@ -0,0 +1,6 @@
+etc/krb5.conf.d/kcm_default_ccache
+${env:systemdsystemunitdir}/sssd-kcm.service
+${env:systemdsystemunitdir}/sssd-kcm.socket
+usr/libexec/sssd/sssd_kcm
+usr/share/sssd-kcm/kcm_default_ccache
+usr/share/man/man8/sssd-kcm.8
diff --git a/debian/sssd-krb5-common.dirs b/debian/sssd-krb5-common.dirs
new file mode 100644
index 0000000..4a2e953
--- /dev/null
+++ b/debian/sssd-krb5-common.dirs
@@ -0,0 +1,2 @@
+var/lib/sss/pubconf/krb5.include.d
+
diff --git a/debian/sssd-krb5-common.install b/debian/sssd-krb5-common.install
new file mode 100644
index 0000000..804e5c3
--- /dev/null
+++ b/debian/sssd-krb5-common.install
@@ -0,0 +1,2 @@
+usr/libexec/sssd/krb5_child
+usr/libexec/sssd/ldap_child
diff --git a/debian/sssd-krb5-common.postinst b/debian/sssd-krb5-common.postinst
new file mode 100644
index 0000000..231aa29
--- /dev/null
+++ b/debian/sssd-krb5-common.postinst
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+LIBDIR=/usr/libexec/sssd
+
+case "$1" in
+ configure)
+ chmod 0750 $LIBDIR/krb5_child $LIBDIR/ldap_child
+ ;;
+esac
+
+#DEBHELPER#
+
diff --git a/debian/sssd-krb5.install b/debian/sssd-krb5.install
new file mode 100644
index 0000000..95f43da
--- /dev/null
+++ b/debian/sssd-krb5.install
@@ -0,0 +1,4 @@
+etc/krb5.conf.d/enable_sssd_conf_dir
+usr/lib/*/sssd/libsss_krb5.so
+usr/share/man/man5/sssd-krb5.5*
+usr/share/sssd/krb5-snippets/enable_sssd_conf_dir
diff --git a/debian/sssd-ldap.install b/debian/sssd-ldap.install
new file mode 100644
index 0000000..9a1a29d
--- /dev/null
+++ b/debian/sssd-ldap.install
@@ -0,0 +1,3 @@
+usr/lib/*/sssd/libsss_ldap.so
+usr/share/man/man5/sssd-ldap.5*
+usr/share/man/man5/sssd-ldap-attributes.5*
diff --git a/debian/sssd-passkey.install b/debian/sssd-passkey.install
new file mode 100644
index 0000000..8fa7ae8
--- /dev/null
+++ b/debian/sssd-passkey.install
@@ -0,0 +1,3 @@
+usr/lib/*/sssd/modules/sssd_krb5_passkey_plugin.so
+usr/libexec/sssd/passkey_child
+usr/share/sssd/krb5-snippets/sssd_enable_passkey
diff --git a/debian/sssd-proxy.install b/debian/sssd-proxy.install
new file mode 100644
index 0000000..526c81e
--- /dev/null
+++ b/debian/sssd-proxy.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/libsss_proxy.so
+usr/libexec/sssd/proxy_child
diff --git a/debian/sssd-proxy.postinst b/debian/sssd-proxy.postinst
new file mode 100644
index 0000000..3a34f2e
--- /dev/null
+++ b/debian/sssd-proxy.postinst
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+LIBDIR=/usr/libexec/sssd
+
+case "$1" in
+ configure)
+ chmod 0750 $LIBDIR/proxy_child
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/debian/sssd-tools.install b/debian/sssd-tools.install
new file mode 100644
index 0000000..d6baf09
--- /dev/null
+++ b/debian/sssd-tools.install
@@ -0,0 +1,14 @@
+usr/sbin/sss_cache
+usr/sbin/sss_debuglevel
+usr/sbin/sss_obfuscate
+usr/sbin/sss_override
+usr/sbin/sss_seed
+usr/sbin/sssctl
+usr/lib/python3/dist-packages/sssd/
+usr/libexec/sssd/sss_analyze
+usr/share/man/man8/sss_cache.8*
+usr/share/man/man8/sss_debuglevel.8*
+usr/share/man/man8/sss_obfuscate.8*
+usr/share/man/man8/sss_override.8*
+usr/share/man/man8/sss_seed.8*
+usr/share/man/man8/sssctl.8*
diff --git a/debian/tests/common-tests b/debian/tests/common-tests
new file mode 100644
index 0000000..1bb8e1a
--- /dev/null
+++ b/debian/tests/common-tests
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+run_common_tests() {
+ echo "Assert local user databases do not have our LDAP test data"
+ check_local_user "${ldap_user}"
+ check_local_group "${ldap_user}"
+ check_local_group "${ldap_group}"
+
+ echo "The LDAP user is known to the system via getent"
+ check_getent_user "${ldap_user}"
+
+ echo "The LDAP user's private group is known to the system via getent"
+ check_getent_group "${ldap_user}"
+
+ echo "The LDAP group ${ldap_group} is known to the system via getent"
+ check_getent_group "${ldap_group}"
+
+ echo "The id(1) command can resolve the group membership of the LDAP user"
+ #$ id -Gn testuser1
+ #testuser1 ldapusers
+ output=$(id -Gn ${ldap_user})
+ # XXX couldn't find a better way to make this comparison using just /bin/sh
+ if [ "${output}" != "${ldap_user} ${ldap_group}" ]; then
+ if [ "${output}" != "${ldap_group} ${ldap_user}" ]; then
+ die "Output doesn't match expected group membership: ${output}"
+ fi
+ fi
+}
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..0d94a73
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,37 @@
+Tests: ldap-user-group-ldap-auth
+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release
+Restrictions: isolation-container, needs-root, allow-stderr
+
+Tests: ldap-user-group-krb5-auth
+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc
+Restrictions: isolation-container, needs-root, allow-stderr
+
+Tests: sssd-softhism2-certificates-tests.sh
+Depends: bash,
+ gnutls-bin,
+ openssl,
+ passwd,
+ softhsm2,
+ sssd,
+ util-linux
+Restrictions: needs-root,
+ allow-stderr
+
+Test-Command: env
+ OFFLINE_MODE=1
+ bash debian/tests/sssd-smart-card-pam-auth-configs-tester.sh
+Features: test-name=sssd-smart-card-pam-auth-configs
+Depends: bash,
+ gnutls-bin,
+ libpam-sss,
+ openssl,
+ pamtester,
+ passwd,
+ softhsm2,
+ sssd,
+ util-linux
+Restrictions: breaks-testbed,
+ isolation-container,
+ needs-root,
+ allow-stderr
+
diff --git a/debian/tests/ldap-user-group-krb5-auth b/debian/tests/ldap-user-group-krb5-auth
new file mode 100755
index 0000000..5792279
--- /dev/null
+++ b/debian/tests/ldap-user-group-krb5-auth
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -ex
+
+. debian/tests/util
+. debian/tests/common-tests
+
+mydomain="example.com"
+myhostname="ldap.${mydomain}"
+mysuffix="dc=example,dc=com"
+myrealm="EXAMPLE.COM"
+admin_dn="cn=admin,${mysuffix}"
+admin_pw="secret"
+ldap_user="testuser1"
+ldap_user_pw="testuser1secret"
+kerberos_principal_pw="testuser1kerberos"
+ldap_group="ldapusers"
+
+adjust_hostname "${myhostname}"
+reconfigure_slapd
+generate_certs "${myhostname}"
+enable_ldap_ssl
+populate_ldap_rfc2307
+create_realm "${myrealm}" "${myhostname}"
+create_krb_principal "${ldap_user}" "${kerberos_principal_pw}"
+configure_sssd_ldap_rfc2307_krb5_auth
+enable_pam_mkhomedir
+
+# tests begin here
+run_common_tests
+
+# login works with the kerberos password
+echo "The Kerberos principal can login on a terminal"
+kdestroy > /dev/null 2>&1 || /bin/true
+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${kerberos_principal_pw}" "${ldap_user}"@"${myrealm}"
diff --git a/debian/tests/ldap-user-group-ldap-auth b/debian/tests/ldap-user-group-ldap-auth
new file mode 100755
index 0000000..c25cff0
--- /dev/null
+++ b/debian/tests/ldap-user-group-ldap-auth
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -ex
+
+. debian/tests/util
+. debian/tests/common-tests
+
+mydomain="example.com"
+myhostname="ldap.${mydomain}"
+mysuffix="dc=example,dc=com"
+admin_dn="cn=admin,${mysuffix}"
+admin_pw="secret"
+ldap_user="testuser1"
+ldap_user_pw="testuser1secret"
+ldap_group="ldapusers"
+
+adjust_hostname "${myhostname}"
+reconfigure_slapd
+generate_certs "${myhostname}"
+enable_ldap_ssl
+populate_ldap_rfc2307
+configure_sssd_ldap_rfc2307
+enable_pam_mkhomedir
+
+# tests begin here
+run_common_tests
+
+echo "The LDAP user can login on a terminal"
+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${ldap_user_pw}"
diff --git a/debian/tests/login.exp b/debian/tests/login.exp
new file mode 100755
index 0000000..63c25ab
--- /dev/null
+++ b/debian/tests/login.exp
@@ -0,0 +1,74 @@ +#!/usr/bin/expect + +set timeout 10 +set user [lindex $argv 0] +set password [lindex $argv 1] +set principal [lindex $argv 2] + +set distribution [exec "lsb_release" "-is"] + +if { $distribution == "Ubuntu" } { + set welcome "Welcome to" +} elseif { $distribution == "Debian" } { + set welcome "Debian GNU/Linux comes" +} else { + puts "Unsupported linux distribution $distribution" + exit 1 +} + +spawn login +expect "login:" +send "$user\r" +expect "Password:" +send "$password\r" +expect { + timeout + { + puts "Expect error: timeout after password\r\r" + exit 1 + } + "Login incorrect" + { + puts "Expect error: incorrect credentials\r\r" + exit 1 + } + "$welcome" +} +expect { + timeout + { + puts "Expect error: timeout waiting for prompt\r\r" + exit 1 + } + "$ " +} +send "id -un\r" +expect { + timeout + { + puts "Expect error: timeout waiting for 'id' result\r\r" + exit 1 + } + "$user" +} +expect { + timeout + { + puts "Expect error: timeout waiting for prompt\r\r" + exit 1 + } + "$ " +} +if { $principal != "" } { + send "klist\r" + expect { + timeout + { + puts "Expect error: timeout waiting for klist output\r\r" + exit 1 + } + "Default principal: $principal" + } +} +send "logout\r" +exit 0 diff --git a/debian/tests/sssd-smart-card-pam-auth-configs-tester.sh b/debian/tests/sssd-smart-card-pam-auth-configs-tester.sh new file mode 100644 index 0000000..df63833 --- /dev/null +++ b/debian/tests/sssd-smart-card-pam-auth-configs-tester.sh 
@@ -0,0 +1,247 @@ +#!/usr/bin/env bash +# Copyright 2023 - Marco Trevisan +# Released under the GPLv3 terms +# +# A simple tool to simulate PAM authentication using SSSD smartcard settings. +# +# To be used with softhsm2 smart cards generators from +# https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a +# +# Origin: https://gist.github.com/3v1n0/d7bc0f10cf44a11288648ae9d228430d + +set -xe + +if [ -z "${AUTOPKGTEST_NORMAL_USER}" ]; then + adduser --quiet --disable-password _sssduser + AUTOPKGTEST_NORMAL_USER="_sssduser" +fi + +export DEBIAN_FRONTEND=noninteractive + +required_tools=( + pamtester # debian package: pamtester + softhsm2-util # debian package: softhsm2 + sssd # debian package: sssd +) + +if [[ ! -v OFFLINE_MODE ]]; then + required_tools+=( + wget # debian package: wget + ) +fi + +for cmd in "${required_tools[@]}"; do + if ! command -v "$cmd" > /dev/null; then + echo "Tool $cmd missing" + exit 1 + fi +done + +PIN=${PIN:-123456} +tmpdir=${TEST_TMPDIR:-$(mktemp -d -t "sssd-softhsm2-certs-XXXXXX")} +backupsdir= + +alternative_pam_configs=( + sss-smart-card-optional + sss-smart-card-required +) + +declare -a restore_paths +declare -a delete_paths + +function restore_changes() { + for path in "${restore_paths[@]}"; do + local original_path + original_path="/$(realpath --strip --relative-base="$backupsdir" "$path")" + rm "$original_path" && mv "$path" "$original_path" || true + done + + for path in "${delete_paths[@]}"; do + rm -f "$path" + #find "$(dirname "$path")" -empty -delete || true + done + + pam-auth-update --disable "${alternative_pam_configs[@]}" || return 2 + + if [ -e /etc/sssd/sssd.conf ]; then + chmod 600 /etc/sssd/sssd.conf || return 1 + systemctl restart sssd || true + else + systemctl stop sssd || true + fi + + if [ -e /etc/softhsm/softhsm2.conf ]; then + chmod 600 /etc/softhsm/softhsm2.conf || return 1 + fi + + rm -rf "$tmpdir" +} + +function backup_file() { + if [ -z "$backupsdir" ]; then + backupsdir=$(mktemp -d -t 
"sssd-softhsm2-backups-XXXXXX") + fi + + if [ -e "$1" ]; then + local back_dir="$backupsdir/$(dirname "$1")" + local back_path="$back_dir/$(basename "$1")" + [ ! -e "$back_path" ] || return 1 + + mkdir -p "$back_dir" || return 1 + cp -a "$1" "$back_path" || return 1 + + restore_paths+=("$back_path") + else + delete_paths+=("$1") + fi +} + +function handle_exit() { + exit_code=$? + + restore_changes || return 1 + + if [ $exit_code = 0 ]; then + rm -rf "$backupsdir" + set +x + echo "Script completed successfully!" + else + set +x + echo "Script failed, check the log!" + echo " Backup preserved at $backupsdir" + echo " PAM Log: /var/log/auth.log" + echo " SSSD PAM Log: /var/log/sssd/sssd_pam.log" + echo " SSSD p11_child Log: /var/log/sssd/p11_child.log" + fi +} + +trap 'handle_exit' EXIT + +tester="$(dirname "$0")"/sssd-softhism2-certificates-tests.sh +if [ ! -e "$tester" ] && [[ ! -v OFFLINE_MODE ]]; then + echo "Required $tester missing, we're downloading it..." + tester="$tmpdir/sssd-softhism2-certificates-tests.sh" + wget -q -c https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-softhism2-certificates-tests.sh \ + -O "$tester" + [ -e "$tester" ] || exit 1 +elif [ ! 
-e "$tester" ] && [[ -v OFFLINE_MODE ]]; then + echo "Required $tester missing" + exit 1 +fi + +export PIN TEST_TMPDIR="$tmpdir" GENERATE_SMART_CARDS=1 KEEP_TEMPORARY_FILES=1 NO_SSSD_TESTS=1 +bash "$tester" + +find "$tmpdir" -type d -exec chmod 777 {} \; +find "$tmpdir" -type f -exec chmod 666 {} \; + +backup_file /etc/sssd/sssd.conf +rm -f /etc/sssd/sssd.conf + +user_home="$(runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- sh -c 'echo ~')" +mkdir -p "$user_home" +chown "${AUTOPKGTEST_NORMAL_USER}:${AUTOPKGTEST_NORMAL_USER}" "$user_home" + +user_config="$(runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- sh -c 'echo ${XDG_CONFIG_HOME:-~/.config}')" +system_config="/etc" + +softhsm2_conf_paths=( + "${AUTOPKGTEST_NORMAL_USER}:$user_config/softhsm2/softhsm2.conf" + "root:$system_config/softhsm/softhsm2.conf" +) + +for path_pair in "${softhsm2_conf_paths[@]}"; do + IFS=":" read -r -a path <<< "${path_pair}" + path="${path[1]}" + backup_file "$path" + rm -f "$path" +done + +function test_authentication() { + pam_service="$1" + certificate_config="$2" + ca_db="$3" + verification_options="$4" + + mkdir -p -m 700 /etc/sssd + + echo "Using CA DB '$ca_db' with verification options: '$verification_options'" + + cat <<EOF > /etc/sssd/sssd.conf || return 2 +[sssd] +enable_files_domain = True +services = pam +#certificate_verification = $verification_options + +[certmap/implicit_files/${AUTOPKGTEST_NORMAL_USER}] +matchrule = <SUBJECT>.*Test Organization.* + +[pam] +pam_cert_db_path = $ca_db +pam_cert_verification = $verification_options +pam_cert_auth = True +pam_verbosity = 10 +debug_level = 10 +EOF + + chmod 600 /etc/sssd/sssd.conf || return 2 + + for path_pair in "${softhsm2_conf_paths[@]}"; do + IFS=":" read -r -a path <<< "${path_pair}" + user="${path[0]}" + path="${path[1]}" + + runuser -u "$user" -- mkdir -p "$(dirname "$path")" || return 2 + runuser -u "$user" -- ln -sf "$certificate_config" "$path" || return 2 + runuser -u "$user" -- softhsm2-util --show-slots | grep "Test 
Organization" \ + || return 2 + done + + systemctl restart sssd || return 2 + + pam-auth-update --disable "${alternative_pam_configs[@]}" || return 2 + + for alternative in "${alternative_pam_configs[@]}"; do + pam-auth-update --enable "$alternative" || return 2 + cat /etc/pam.d/common-auth + + echo -n -e "$PIN" | runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- \ + pamtester -v "$pam_service" "${AUTOPKGTEST_NORMAL_USER}" authenticate || return 2 + echo -n -e "$PIN" | runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- \ + pamtester -v "$pam_service" "" authenticate || return 2 + + if echo -n -e "wrong${PIN}" | runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- \ + pamtester -v "$pam_service" "${AUTOPKGTEST_NORMAL_USER}" authenticate; then + echo "Unexpected pass!" + return 2 + fi + + if echo -n -e "wrong${PIN}" | runuser -u "${AUTOPKGTEST_NORMAL_USER}" -- \ + pamtester -v "$pam_service" "" authenticate; then + echo "Unexpected pass!" + return 2 + fi + + if echo -n -e "$PIN" | pamtester -v "$pam_service" root authenticate; then + echo "Unexpected pass!" + return 2 + fi + done +} + +test_authentication \ + login \ + "$tmpdir/softhsm2-test-root-CA-trusted-certificate-0001.conf" \ + "$tmpdir/test-full-chain-CA.pem" + +test_authentication \ + login \ + "$tmpdir/softhsm2-test-sub-intermediate-CA-trusted-certificate-0001.conf" \ + "$tmpdir/test-full-chain-CA.pem" + +test_authentication \ + login \ + "$tmpdir/softhsm2-test-sub-intermediate-CA-trusted-certificate-0001.conf" \ + "$tmpdir/test-sub-intermediate-CA.pem" \ + "partial_chain" + diff --git a/debian/tests/sssd-softhism2-certificates-tests.sh b/debian/tests/sssd-softhism2-certificates-tests.sh new file mode 100644 index 0000000..a067674 --- /dev/null +++ b/debian/tests/sssd-softhism2-certificates-tests.sh 
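Review bot: When the companion script is missing and `OFFLINE_MODE` is unset, the tester fetches `sssd-softhism2-certificates-tests.sh` from a gist URL over the network and then executes it with `bash "$tester"` as root, with no pinned revision and no digest check; `debian/tests/control` sets `OFFLINE_MODE=1` so CI never takes that path, but a manual run of the script does. Since the companion file is added in this same commit, fail hard when it is absent instead, or at minimum pin the gist to a fixed revision and verify a known hash before running it. Separately, the two `find "$tmpdir" -type d/-type f -exec chmod 777/666` lines make the freshly generated CA private keys and token files world-writable; `chown -R` to the test user (and the `runuser` calls already target it) would give the same access without opening the files to everyone. In `restore_changes`, `rm "$original_path" && mv "$path" "$original_path" || true` hides a failed `mv` that follows a successful `rm`, which leaves the host without the original file while reporting success — drop the `|| true` or log the failure.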
@@ -0,0 +1,902 @@ +#!/usr/bin/env bash +# Copyright 2023 - Marco Trevisan +# Released under the GPLv3 terms +# +# A simple tool to generate CA certificates signed by both a root cert authority +# and by an intermediate one, to verify smartcard usage using softhism2. +# Used to verify p11_child usage in SSSD. +set -xe + +if [ -z "${AUTOPKGTEST_NORMAL_USER}" ]; then + adduser --quiet --disable-password _sssduser + AUTOPKGTEST_NORMAL_USER="_sssduser" +fi + +required_tools=( + p11tool # debian package: gnutls-bin + openssl # debian package: openssl + softhsm2-util # debian package: softhsm2 +) + +for cmd in "${required_tools[@]}"; do + if ! command -v "$cmd" > /dev/null; then + echo "Tool $cmd missing" + exit 1 + fi +done + +PIN=${PIN:-053350} +SOFTHSM2_MODULE=${SOFTHSM2_MODULE:-$(realpath "$(find /usr/lib/*softhsm/libsofthsm2.so | head -n 1)")} +SSSD_P11_CHILD=${SSSD_P11_CHILD:-/usr/libexec/sssd/p11_child} +TOKEN_ID=${TOKEN_ID:-00112233445566778899FFAABBCCDDEEFF012345} + +if [ ! -v NO_SSSD_TESTS ]; then + if [ ! -x "$SSSD_P11_CHILD" ]; then + if [ ! -e "$SSSD_P11_CHILD" ]; then + echo "Cannot find $SSSD_P11_CHILD" + else + echo "Cannot execute $SSSD_P11_CHILD, try using sudo..." + fi + exit 1 + else + ca_db_arg="ca_db" + p11_child_help=$("$SSSD_P11_CHILD" --help &>/dev/stdout) + if echo "$p11_child_help" | grep nssdb -qs; then + ca_db_arg=nssdb + fi + + echo "$p11_child_help" | grep -qs -- "--${ca_db_arg}" + fi +fi + +if [ ! -e "$SOFTHSM2_MODULE" ]; then + echo "Cannot find softhsm2-module at $SOFTHSM2_MODULE" + exit 1 +fi + +tmpdir=${TEST_TMPDIR:-$(mktemp -d -t "sssd-softhsm2-XXXXXX")} +keys_size=1024 + +if [[ ! -v KEEP_TEMPORARY_FILES ]]; then + trap 'rm -rf "$tmpdir"' EXIT +fi +trap 'set +x; echo -e "\nUnexpected failure!!!"' ERR + +echo -n 01 > "$tmpdir/serial" +touch "$tmpdir/index.txt" +mkdir -p "$tmpdir/new_certs" + +function expect_fail() { + local cmd="$1" + shift + + if "$cmd" "$@"; then + echo "Unexpected failure!" 
+ exit 1 + fi +} + + +## Root CA certificate generation + +cat <<EOF > "$tmpdir/test-root-CA.config" +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = $tmpdir +database = \$dir/index.txt +new_certs_dir = \$dir/new_certs + +certificate = \$dir/test-root-CA.pem +serial = \$dir/serial +private_key = \$dir/test-root-CA-key.pem +RANDFILE = \$dir/rand + +default_days = 365 +default_crl_days = 30 +default_md = sha256 + +policy = policy_any +email_in_dn = no + +name_opt = ca_default +cert_opt = ca_default +copy_extensions = copy + +[ usr_cert ] +authorityKeyIdentifier = keyid, issuer + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ policy_any ] +organizationName = supplied +organizationalUnitName = supplied +commonName = supplied +emailAddress = optional + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Root CA +EOF + +root_ca_key_pass="pass:random-root-CA-password-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-root-CA-key.pem" \ + -passout "$root_ca_key_pass" \ + "$keys_size" + +openssl req -passin "$root_ca_key_pass" \ + -batch -config "$tmpdir/test-root-CA.config" -x509 -new -nodes \ + -key "$tmpdir/test-root-CA-key.pem" -sha256 -days 1024 -set_serial 0 \ + -extensions v3_ca -out "$tmpdir/test-root-CA.pem" + +openssl x509 -noout -in "$tmpdir/test-root-CA.pem" + + +## Intermediate CA certificate generation + +cat <<EOF > "$tmpdir/test-intermediate-CA.config" +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = $tmpdir +database = \$dir/index.txt +new_certs_dir = \$dir/new_certs + +certificate 
= \$dir/test-intermediate-CA.pem +serial = \$dir/serial +private_key = \$dir/test-intermediate-CA-key.pem +RANDFILE = \$dir/rand + +default_days = 365 +default_crl_days = 30 +default_md = sha256 + +policy = policy_any +email_in_dn = no + +name_opt = ca_default +cert_opt = ca_default +copy_extensions = copy + +[ usr_cert ] +authorityKeyIdentifier = keyid, issuer + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ policy_any ] +organizationName = supplied +organizationalUnitName = supplied +commonName = supplied +emailAddress = optional + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Intermediate CA +EOF + +intermediate_ca_key_pass="pass:random-intermediate-CA-password-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-intermediate-CA-key.pem" \ + -passout "$intermediate_ca_key_pass" \ + "$keys_size" + +openssl req \ + -batch -new -nodes \ + -passin "$intermediate_ca_key_pass" \ + -config "$tmpdir/test-intermediate-CA.config" \ + -key "$tmpdir/test-intermediate-CA-key.pem" \ + -passout "$root_ca_key_pass" \ + -sha256 \ + -extensions v3_ca \ + -out "$tmpdir/test-intermediate-CA-certificate-request.pem" + +openssl req -text -noout -in "$tmpdir/test-intermediate-CA-certificate-request.pem" + +openssl ca \ + -batch -notext \ + -config "$tmpdir/test-root-CA.config" \ + -passin "$root_ca_key_pass"\ + -keyfile "$tmpdir/test-root-CA-key.pem" \ + -in "$tmpdir/test-intermediate-CA-certificate-request.pem" \ + -days 365 -extensions v3_intermediate_ca -out "$tmpdir/test-intermediate-CA.pem" + +openssl x509 -noout -in 
"$tmpdir/test-intermediate-CA.pem" +openssl verify -CAfile "$tmpdir/test-root-CA.pem" "$tmpdir/test-intermediate-CA.pem" + + +## Sub-Intermediate CA certificate generation + +cat <<EOF > "$tmpdir/test-sub-intermediate-CA.config" +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = $tmpdir +database = \$dir/index.txt +new_certs_dir = \$dir/new_certs + +certificate = \$dir/test-sub-intermediate-CA.pem +serial = \$dir/serial +private_key = \$dir/test-sub-intermediate-CA-key.pem +RANDFILE = \$dir/rand + +default_days = 365 +default_crl_days = 30 +default_md = sha256 + +policy = policy_any +email_in_dn = no + +name_opt = ca_default +cert_opt = ca_default +copy_extensions = copy + +[ usr_cert ] +authorityKeyIdentifier = keyid, issuer + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ policy_any ] +organizationName = supplied +organizationalUnitName = supplied +commonName = supplied +emailAddress = optional + +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Sub Intermediate CA +EOF + +sub_intermediate_ca_key_pass="pass:random-sub-intermediate-CA-password-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-sub-intermediate-CA-key.pem" \ + -passout "$sub_intermediate_ca_key_pass" \ + "$keys_size" + +openssl req \ + -batch -new -nodes \ + -passin "$sub_intermediate_ca_key_pass" \ + -config "$tmpdir/test-sub-intermediate-CA.config" \ + -key "$tmpdir/test-sub-intermediate-CA-key.pem" \ + -passout "$intermediate_ca_key_pass" \ + -sha256 \ + -extensions v3_ca \ + -out 
"$tmpdir/test-sub-intermediate-CA-certificate-request.pem" + +openssl req -text -noout -in "$tmpdir/test-sub-intermediate-CA-certificate-request.pem" + +openssl ca \ + -batch -notext \ + -config "$tmpdir/test-intermediate-CA.config" \ + -passin "$intermediate_ca_key_pass"\ + -keyfile "$tmpdir/test-intermediate-CA-key.pem" \ + -in "$tmpdir/test-sub-intermediate-CA-certificate-request.pem" \ + -days 365 -extensions v3_intermediate_ca -out "$tmpdir/test-sub-intermediate-CA.pem" + +openssl x509 -noout -in "$tmpdir/test-sub-intermediate-CA.pem" +openssl verify \ + -partial_chain \ + -CAfile "$tmpdir/test-intermediate-CA.pem" "$tmpdir/test-sub-intermediate-CA.pem" + +expect_fail\ + openssl verify \ + -CAfile "$tmpdir/test-root-CA.pem" "$tmpdir/test-sub-intermediate-CA.pem" + + +## Root CA Trusted Certificate generation + +cat <<"EOF" > "$tmpdir/test-root-CA-trusted-certificate-0001.config" +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Root Trusted Certificate 0001 + +[ req_exts ] +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "Test Organization Root CA trusted Certificate" +subjectKeyIdentifier = hash +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection +subjectAltName = email:mail@3v1n0.net,URI:https://github.com/3v1n0/ +EOF + +root_ca_trusted_cert_0001_key_pass="pass:random-root-ca-trusted-cert-0001-${RANDOM}" +openssl genrsa -aes256 \ + -out "$tmpdir/test-root-CA-trusted-certificate-0001-key.pem" \ + -passout "$root_ca_trusted_cert_0001_key_pass" \ + "$keys_size" + +openssl req \ + -new -nodes \ + -reqexts req_exts \ + -passin "$root_ca_trusted_cert_0001_key_pass" \ + -key "$tmpdir/test-root-CA-trusted-certificate-0001-key.pem" \ + -config "$tmpdir/test-root-CA-trusted-certificate-0001.config" \ + -out 
"$tmpdir/test-root-CA-trusted-certificate-0001-request.pem" + +openssl req -text -noout \ + -in "$tmpdir/test-root-CA-trusted-certificate-0001-request.pem" + +openssl ca \ + -batch -notext \ + -config "$tmpdir/test-root-CA.config" \ + -passin "$root_ca_key_pass" \ + -keyfile "$tmpdir/test-root-CA-key.pem" \ + -in "$tmpdir/test-root-CA-trusted-certificate-0001-request.pem" \ + -days 365 -extensions usr_cert \ + -out "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + +openssl x509 -noout \ + -in "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + +openssl verify -CAfile \ + "$tmpdir/test-root-CA.pem" \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + +expect_fail \ + openssl verify -CAfile \ + "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + + +## Intermediate CA Trusted Certificate generation + +cat <<"EOF" > "$tmpdir/test-intermediate-CA-trusted-certificate-0001.config" +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Intermediate Trusted Certificate 0001 + +[ req_exts ] +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "Test Organization Intermediate CA trusted Certificate" +subjectKeyIdentifier = hash +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection +subjectAltName = email:mail@3v1n0.net,URI:https://github.com/3v1n0/ +EOF + +intermediate_ca_trusted_cert_0001_key_pass="pass:random-intermediate-ca-trusted-cert-0001-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-intermediate-CA-trusted-certificate-0001-key.pem" \ + -passout "$intermediate_ca_trusted_cert_0001_key_pass" \ + "$keys_size" + +openssl req \ + -new -nodes \ + -reqexts req_exts \ + -passin "$intermediate_ca_trusted_cert_0001_key_pass" \ + -key "$tmpdir/test-intermediate-CA-trusted-certificate-0001-key.pem" \ + -config 
"$tmpdir/test-intermediate-CA-trusted-certificate-0001.config" \ + -out "$tmpdir/test-intermediate-CA-trusted-certificate-0001-request.pem" + +openssl req -text -noout \ + -in "$tmpdir/test-intermediate-CA-trusted-certificate-0001-request.pem" + +openssl ca \ + -passin "$intermediate_ca_key_pass" \ + -config "$tmpdir/test-intermediate-CA.config" -batch -notext \ + -keyfile "$tmpdir/test-intermediate-CA-key.pem" \ + -in "$tmpdir/test-intermediate-CA-trusted-certificate-0001-request.pem" \ + -days 365 -extensions usr_cert \ + -out "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + +openssl x509 -noout \ + -in "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + +echo "This certificate should not be trusted fully" +expect_fail \ + openssl verify \ + -CAfile "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + +openssl verify -partial_chain \ + -CAfile "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + + +## Sub Intermediate CA Trusted Certificate generation + +cat <<"EOF" > "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.config" +[ req ] +distinguished_name = req_distinguished_name +prompt = no + +[ req_distinguished_name ] +O = Test Organization +OU = Test Organization Unit +CN = Test Organization Sub Intermediate Trusted Certificate 0001 + +[ req_exts ] +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "Test Organization Sub Intermediate CA trusted Certificate" +subjectKeyIdentifier = hash +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection +subjectAltName = email:mail@3v1n0.net,URI:https://github.com/3v1n0/ +EOF + +sub_intermediate_ca_trusted_cert_0001_key_pass="pass:random-sub-intermediate-ca-trusted-cert-0001-${RANDOM}" + +openssl genrsa -aes256 \ + -out "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-key.pem" \ + -passout 
"$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$keys_size" + +openssl req \ + -new -nodes \ + -reqexts req_exts \ + -passin "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + -key "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-key.pem" \ + -config "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.config" \ + -out "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-request.pem" + +openssl req -text -noout \ + -in "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-request.pem" + +openssl ca \ + -passin "$sub_intermediate_ca_key_pass" \ + -config "$tmpdir/test-sub-intermediate-CA.config" -batch -notext \ + -keyfile "$tmpdir/test-sub-intermediate-CA-key.pem" \ + -in "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001-request.pem" \ + -days 365 -extensions usr_cert \ + -out "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +openssl x509 -noout \ + -in "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +echo "This certificate should not be trusted fully" +expect_fail \ + openssl verify \ + -CAfile "$tmpdir/test-sub-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +expect_fail \ + openssl verify \ + -CAfile "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +openssl verify -partial_chain \ + -CAfile "$tmpdir/test-sub-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +expect_fail \ + openssl verify -partial_chain \ + -CAfile "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + + +## Full chain verification tests + +echo "Building a the full-chain CA file..." 
+cat \ + "$tmpdir/test-root-CA.pem" \ + "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA.pem" \ + > "$tmpdir/test-full-chain-CA.pem" + +cat \ + "$tmpdir/test-root-CA.pem" \ + "$tmpdir/test-intermediate-CA.pem" \ + > "$tmpdir/test-root-intermediate-chain-CA.pem" + +cat \ + "$tmpdir/test-intermediate-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA.pem" \ + > "$tmpdir/test-intermediate-sub-chain-CA.pem" + +openssl crl2pkcs7 \ + -nocrl -certfile "$tmpdir/test-full-chain-CA.pem" \ + | openssl pkcs7 -print_certs -noout + +openssl verify \ + -CAfile "$tmpdir/test-full-chain-CA.pem" \ + "$tmpdir/test-intermediate-CA.pem" + +openssl verify \ + -CAfile "$tmpdir/test-full-chain-CA.pem" \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" + +openssl verify \ + -CAfile "$tmpdir/test-full-chain-CA.pem" \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" + +openssl verify \ + -CAfile "$tmpdir/test-full-chain-CA.pem" \ + "$tmpdir/test-root-intermediate-chain-CA.pem" + +openssl verify \ + -CAfile "$tmpdir/test-full-chain-CA.pem" \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" + +echo "Certificates generation completed!" + +function prepare_softhsm2_card() { + local certificate="$1" + local key_pass="$2" + + local key_cn + local key_name + local tokens_dir + local output_cert_file + + token_name= + key_name="$(basename "$certificate" .pem)" + key_cn="$(openssl x509 -noout -subject -nameopt multiline -in "$certificate" \ + | sed -n 's/ *commonName *= //p')" + + if [ -v SOFTHSM2_ISOLATED_CONFIGS ]; then + key_name+="-${RANDOM}" + fi + + export SOFTHSM2_CONF="$tmpdir/softhsm2-${key_name}.conf" + + tokens_dir="$tmpdir/$(basename "$SOFTHSM2_CONF" .conf)" + token_name="${key_cn:0:25} Token" + + if [ ! -e "$SOFTHSM2_CONF" ] || [ ! 
-d "$tokens_dir" ]; then + local key_file + local decrypted_key + + mkdir -p "$tokens_dir" + + key_file="$tmpdir/${key_name}-key.pem" + decrypted_key="$tmpdir/${key_name}-key-decrypted.pem" + + cat <<EOF > "$SOFTHSM2_CONF" +directories.tokendir = $tokens_dir +objectstore.backend = file +slots.removable = true +EOF + + softhsm2-util --init-token \ + --label "$token_name" \ + --pin "$PIN" --so-pin "$PIN" --free || return 2 + + softhsm2-util --show-slots || return 2 + + p11tool \ + --provider="$SOFTHSM2_MODULE" \ + --write \ + --no-mark-private \ + --load-certificate="$certificate" \ + --login --set-pin="$PIN" \ + --label "$key_cn" \ + --id "$TOKEN_ID" || return 2 + + openssl rsa \ + -passin "$key_pass" \ + -in "$key_file" \ + -out "$decrypted_key" || return 2 + + p11tool \ + --provider="$SOFTHSM2_MODULE" \ + --write \ + --load-privkey="$decrypted_key" \ + --login --set-pin="$PIN" \ + --label "$key_cn Key" \ + --id "$TOKEN_ID" || return 2 + + rm "$decrypted_key" + + p11tool \ + --provider="$SOFTHSM2_MODULE" \ + --list-all || return 2 + fi + + echo "$token_name" +} + +function check_certificate() { + local certificate="$1" + local key_pass="$2" + local key_ring="$3" + local verify_option="$4" + + prepare_softhsm2_card "$certificate" "$key_pass" || return 2 + + if [ -n "$verify_option" ]; then + local verify_arg="--verify=$verify_option" + fi + + local output_base_name="SSSD-child-${RANDOM}" + local output_file="$tmpdir/$output_base_name.output" + output_cert_file="$tmpdir/$output_base_name.pem" + + "$SSSD_P11_CHILD" \ + --pre -d 10 \ + --logger=stderr \ + --debug-fd=2 \ + --module_name="$SOFTHSM2_MODULE" \ + "$verify_arg" \ + --${ca_db_arg}="$key_ring" > "$output_file" || return 2 + + grep -qs "$TOKEN_ID" "$output_file" || return 2 + + echo "-----BEGIN CERTIFICATE-----" > "$output_cert_file" + tail -n1 "$output_file" >> "$output_cert_file" + echo "-----END CERTIFICATE-----" >> "$output_cert_file" + + openssl x509 -text -noout -in "$output_cert_file" || return 2 + + 
local found_md5 expected_md5 + expected_md5=$(openssl x509 -noout -modulus -in "$certificate") + found_md5=$(openssl x509 -noout -modulus -in "$output_cert_file") + + if [ "$expected_md5" != "$found_md5" ]; then + echo "Unexpected certificate found: $found_md5" + return 3 + fi + + # Try to authorize now! + + output_file="$tmpdir/${output_base_name}-auth.output" + output_cert_file="$tmpdir/$(basename "$output_file" .output).pem" + + echo -n "$PIN" | "$SSSD_P11_CHILD" \ + --auth -d 10 --debug-fd=2 \ + --${ca_db_arg}="$key_ring" \ + --pin \ + --key_id "$TOKEN_ID" \ + "$verify_arg" \ + --token_name "$token_name" \ + --module_name "$SOFTHSM2_MODULE" > "$output_file" || return 2 + + grep -qs "$TOKEN_ID" "$output_file" || return 2 + + echo "-----BEGIN CERTIFICATE-----" > "$output_cert_file" + tail -n1 "$output_file" >> "$output_cert_file" + echo "-----END CERTIFICATE-----" >> "$output_cert_file" + + openssl x509 -text -noout -in "$output_cert_file" || return 2 + + found_md5=$(openssl x509 -noout -modulus -in "$output_cert_file") + + if [ "$expected_md5" != "$found_md5" ]; then + echo "Unexpected certificate found: $found_md5" + return 3 + fi +} + +function valid_certificate() { + if ! check_certificate "$@"; then + echo "Unexpected failure!" + exit 2 + fi +} + + +function invalid_certificate() { + if check_certificate "$@"; then + echo "Unexpected pass!" + exit 2 + fi +} + +if [[ -v NO_SSSD_TESTS ]]; then + if [[ -v GENERATE_SMART_CARDS ]]; then + prepare_softhsm2_card \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" + + prepare_softhsm2_card \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" + + prepare_softhsm2_card \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" + fi + + echo "Certificates generation completed!" 
+ exit 0 +fi + +## Checking that Root CA Trusted certificate is accepted + +invalid_certificate \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" \ + /dev/null + +valid_certificate \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" \ + /dev/null \ + "no_verification" + +valid_certificate \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-root-CA.pem" + +valid_certificate \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-root-CA.pem" \ + "partial_chain" + +valid_certificate \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-full-chain-CA.pem" + +valid_certificate \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-full-chain-CA.pem" \ + "partial_chain" + +invalid_certificate \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-intermediate-CA.pem" + +invalid_certificate \ + "$tmpdir/test-root-CA-trusted-certificate-0001.pem" \ + "$root_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-intermediate-CA.pem" \ + "partial_chain" + + +## Checking that Intermediate CA Trusted certificate is accepted + +invalid_certificate \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" \ + /dev/null + +valid_certificate \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" \ + /dev/null \ + "no_verification" + +invalid_certificate \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-root-CA.pem" + +invalid_certificate \ + 
"$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-root-CA.pem" \ + "partial_chain" + +valid_certificate \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-full-chain-CA.pem" + +valid_certificate \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-full-chain-CA.pem" \ + "partial_chain" + +invalid_certificate \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-intermediate-CA.pem" + +valid_certificate \ + "$tmpdir/test-intermediate-CA-trusted-certificate-0001.pem" \ + "$intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-intermediate-CA.pem" \ + "partial_chain" + + +## Checking that Sub Intermediate CA Trusted certificate is accepted + +invalid_certificate \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-root-CA.pem" + +invalid_certificate \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-root-CA.pem" \ + "partial_chain" + +valid_certificate \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-full-chain-CA.pem" + +valid_certificate \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-full-chain-CA.pem" \ + "partial_chain" + +invalid_certificate \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-sub-intermediate-CA.pem" + +invalid_certificate \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" 
\ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-root-intermediate-chain-CA.pem" \ + "partial_chain" + +valid_certificate \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-sub-intermediate-CA.pem" \ + "partial_chain" + +valid_certificate \ + "$tmpdir/test-sub-intermediate-CA-trusted-certificate-0001.pem" \ + "$sub_intermediate_ca_trusted_cert_0001_key_pass" \ + "$tmpdir/test-intermediate-sub-chain-CA.pem" \ + "partial_chain" + +set +x + +echo +echo "Test completed, Root CA and intermediate issued certificates verified!" diff --git a/debian/tests/util b/debian/tests/util new file mode 100644 index 0000000..3d72970 --- /dev/null +++ b/debian/tests/util 
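Review bot: In check_certificate the quoted `"$verify_arg"` is passed to both the `--pre` and the `--auth` p11_child invocations, so whenever `$verify_option` is empty p11_child receives an extra empty-string argument instead of nothing, and whether its option parser silently ignores that is not visible from here. Build the option as an array instead: `local -a verify_args=()`, then `if [ -n "$verify_option" ]; then verify_args=("--verify=$verify_option"); fi`, and pass `"${verify_args[@]}"` in both calls so nothing is added when no option is requested. Separately, `expected_md5`/`found_md5` hold the output of `openssl x509 -modulus`, not an MD5 digest, so `expected_modulus`/`found_modulus` would describe what is compared. `keys_size=1024` produces RSA keys below what newer crypto policies accept by default; if the openssl verify or p11_child checks start failing on a newer stack, raising it to 2048 is the first thing to try. Note also that `set -xe` at the top traces every `-passout`, `--pin` and `echo -n "$PIN"` line into the test log, which is fine for the throwaway `${RANDOM}` passphrases but worth remembering if PIN is ever supplied from a real environment.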
@@ -0,0 +1,264 @@
+#!/bin/sh
+
+reconfigure_slapd() {
+ debconf-set-selections << EOF
+slapd slapd/domain string ${mydomain}
+slapd shared/organization string ${mydomain}
+slapd slapd/password1 password ${admin_pw}
+slapd slapd/password2 password ${admin_pw}
+EOF
+ rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
+ dpkg-reconfigure -fnoninteractive -pcritical slapd
+}
+
+die() {
+ echo "ERROR"
+ echo "$@"
+ exit 1
+}
+
+enable_pam_mkhomedir() {
+ if ! grep -qE "^session.*pam_mkhomedir\.so" /etc/pam.d/common-session; then
+ echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session
+ fi
+}
+
+adjust_hostname() {
+ local myhostname="$1"
+
+ echo "${myhostname}" > /etc/hostname
+ hostname "${myhostname}"
+ if ! grep -qE "${myhostname}" /etc/hosts; then
+ # just so it's resolvable
+ echo "127.0.1.10 ${myhostname}" >> /etc/hosts
+ fi
+}
+
+generate_certs() {
+ local cn="$1"
+ local cert="/etc/ldap/server.pem"
+ local key="/etc/ldap/server.key"
+ local cnf="/etc/ldap/openssl.cnf"
+
+ cat > "$cnf" <<EOF
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+prompt = no
+policy = policy_anything
+
+[ req_distinguished_name ]
+commonName = ${cn}
+EOF
+ openssl req -new -x509 -nodes -out "$cert" -keyout "$key" -config "$cnf"
+ chmod 0640 "$key"
+ chgrp openldap "$key"
+ if [ ! -f "$cert" ]; then
+ echo "ERROR, failed to generate certificate for ldap test"
+ exit 1
+ fi
+ if [ ! -f "$key" ]; then
+ echo "ERROR, failed to generate key for ldap test"
+ exit 1
+ fi
+}
+
+enable_ldap_ssl() {
+ cat > /etc/ldap/ldap.conf <<EOF
+BASE ${mysuffix}
+URI ldap://${myhostname}
+TLS_CACERT /etc/ldap/server.pem
+EOF
+ {
+ cat <<EOF
+dn: cn=config
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/server.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/server.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/server.key
+EOF
+ } | ldapmodify -H ldapi:/// -Y EXTERNAL -Q
+}
+
+populate_ldap_rfc2307() {
+ {
+ cat <<EOF
+dn: ou=People,${mysuffix}
+ou: People
+objectClass: organizationalUnit
+
+dn: ou=Group,${mysuffix}
+ou: Group
+objectClass: organizationalUnit
+
+dn: uid=${ldap_user},ou=People,${mysuffix}
+uid: ${ldap_user}
+objectClass: inetOrgPerson
+objectClass: posixAccount
+cn: ${ldap_user}
+sn: ${ldap_user}
+givenName: ${ldap_user}
+mail: ${ldap_user}@${mydomain}
+userPassword: ${ldap_user_pw}
+uidNumber: 10001
+gidNumber: 10001
+loginShell: /bin/bash
+homeDirectory: /home/${ldap_user}
+
+dn: cn=${ldap_user},ou=Group,${mysuffix}
+cn: ${ldap_user}
+objectClass: posixGroup
+gidNumber: 10001
+memberUid: ${ldap_user}
+
+dn: cn=${ldap_group},ou=Group,${mysuffix}
+cn: ${ldap_group}
+objectClass: posixGroup
+gidNumber: 10100
+memberUid: ${ldap_user}
+EOF
+ } | ldapadd -x -D "${admin_dn}" -w "${admin_pw}"
+}
+
+configure_sssd_ldap_rfc2307_krb5_auth() {
+ cat > /etc/sssd/sssd.conf <<EOF
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = LDAP
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://${myhostname}
+auth_provider = krb5
+krb5_server = ${myhostname}
+krb5_realm = ${myrealm}
+cache_credentials = True
+ldap_search_base = ${mysuffix}
+EOF
+ chmod 0600 /etc/sssd/sssd.conf
+ systemctl restart sssd || {
+ systemctl status --lines 100 sssd
+ false
+ }
+}
+
+configure_sssd_ldap_rfc2307() {
+ cat > /etc/sssd/sssd.conf <<EOF
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = LDAP
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://${myhostname}
+cache_credentials = True
+ldap_search_base = ${mysuffix}
+EOF
+ chmod 0600 /etc/sssd/sssd.conf
+ systemctl restart sssd || {
+ systemctl status --lines 100 sssd
+ false
+ }
+}
+
+check_local_user() {
+ local local_user="$1"
+
+ if grep -q "^${local_user}" /etc/passwd; then
+ die "Found ${local_user} in /etc/passwd"
+ fi
+}
+
+check_local_group() {
+ local local_group="$1"
+
+ if grep -q "^${local_group}" /etc/group; then
+ die "Found ${local_group} in /etc/group"
+ fi
+}
+
+check_getent_user() {
+ local getent_user="$1"
+ local output
+
+ output=$(getent passwd ${getent_user})
+ if [ -z "${output}" ]; then
+ die "${getent_user} not found via getent passwd"
+ fi
+}
+
+check_getent_group() {
+ local getent_group="$1"
+ local output
+
+ output=$(getent group ${getent_group})
+ if [ -z "${output}" ]; then
+ die "${getent_group} not found via getent group"
+ fi
+}
+
+create_realm() {
+ local realm_name="$1"
+ local kerberos_server="$2"
+
+ # start fresh
+ rm -rf /var/lib/krb5kdc/*
+ rm -rf /etc/krb5kdc/*
+ rm -f /etc/krb5.keytab
+
+ # setup some defaults
+ cat > /etc/krb5kdc/kdc.conf <<EOF
+[kdcdefaults]
+ kdc_ports = 750,88
+[realms]
+ ${realm_name} = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /etc/krb5kdc/stash
+ kdc_ports = 750,88
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = des3-hmac-sha1
+ #supported_enctypes = aes256-cts:normal aes128-cts:normal
+ default_principal_flags = +preauth
+ }
+EOF
+
+ cat > /etc/krb5.conf <<EOF
+[libdefaults]
+ default_realm = ${realm_name}
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+ fcc-mit-ticketflags = true
+[realms]
+ ${realm_name} = {
+ kdc = ${kerberos_server}
+ admin_server = ${kerberos_server}
+ }
+EOF
+ echo "# */admin *" > /etc/krb5kdc/kadm5.acl
+
+ # create the realm
+ kdb5_util create -s -P secretpassword
+
+ # restart services
+ systemctl restart krb5-kdc.service krb5-admin-server.service
+}
+
+create_krb_principal() {
+ local principal="$1"
+ local password="$2"
+
+ kadmin.local -q "addprinc -pw ${password} ${principal}"
+}
+
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..a6812fa
--- /dev/null
+++ b/debian/upstream/signing-key.asc
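Review bot: check_local_user and check_local_group grep for `^${local_user}` and `^${local_group}` without the trailing field separator, so a prefix match on another account (for example a constructed `testuser1` while checking `testuser`) makes die() fire falsely; anchor the first field with `grep -q "^${local_user}:" /etc/passwd` and `grep -q "^${local_group}:" /etc/group`. In create_realm, `master_key_type = des3-hmac-sha1` selects an enctype that recent MIT krb5 releases deprecate and, as far as I recall, disable by default, so `kdb5_util create` may start failing on newer hosts; dropping the line to take the aes256-cts default (already hinted at by the commented `supported_enctypes` entry) avoids that. check_getent_user and check_getent_group expand `${getent_user}` and `${getent_group}` unquoted in the getent calls; quoting them keeps a name containing whitespace or glob characters from being split or expanded. The file is a `#!/bin/sh` script but relies on `local`, which dash accepts but POSIX sh does not define, so a comment stating the dash/bash assumption would help the next person who runs it under a stricter shell.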
@@ -0,0 +1,204 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.3 + +mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MUXQDAKJM7 +MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0R+OiWh8d7ChCG6ri +v/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWXqZoZrm4lPlBZQltfhzdmvn8D +/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjgq9Knn4sE9lnGjtG4RCYMT2Sideognk9A +h5nWOGynwta6cluCEqlF6ORJPKpAeqG1a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/ +XtMoHSSyPi/Xum6R+jwISv7nTMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlS +B6tAqN0G7VL6AFcsiOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KN +tbnCrhS+Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv +emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iEYEEBECAAYFAkoAZ+EACgkQeiVVYja6o6PaUgCc +C1uIdzSouXkz/Hpc8WIq5bbdMCkAoIi6PtlzQuiCQgzN39VcFzIdnUfuiEYEEBECAAYFAkoA +aA0ACgkQWAkQHAJrbG8paQCgle0IkEHUEpBG3T+despZYg2KaIwAnRRsCazy6CeJfOuP0IVG +Y8FKWedYiEYEEBECAAYFAkoAcQUACgkQGliNByGNTpdfzgCfVdjXUF5AXkDJ78q2N9biKECo +GTEAoJWdxJJAI6kE54tSCay6LkqU49etiEgEEBECAAkFAkoAZiECBwAACgkQUDGHpI6P4rpH +YgCWJtMmuHsk2/znWsUfqALeXL3LXQCgpmRUJbjVee51ja2KSLRqslUZZ1KIXwQTEQIAIAUC +RcN19QIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEB7Gq3Uy57wlIcEAoKNgX8eyFiQn +ylJlOKUs7TJsxY4XAJiU6oXuJwZUMVPjZbcKiot+BqMKiQIcBBABAgAGBQJKAGrfAAoJEKqM +a5A1GvYd/CsP/1eHH2Ogbp9ycbPBc7pO5iLwBDPE81a4SMXqLcs0VS4Ps5d4gpjGo6CilNb6 +gi5GTK4gmpQqFHYmzRSacO5aYnwSeueGYpI+jMxDeQcbabwA9oquOhckYuQ4tM6Cmnwdiym4 +0RsIA+8zEnZuzQywUD7h/b1xRjoEeLAe24UPdF0qMypChdF0EGXhosaapmxhXe31F/qqa2uH +LUpECwJb417y9aVxDxtq4tnWh3kjpFMrLkX8NA2qMkBO9csI0lRVkDu+Ofs0V7yc3MjART2k +azYI7VkpVbqRc4QHnzfD3MLR2sgycEc5HQzJZYhe84AYATz8bqwptJlDi2pfEx11rHpVeGGN +/I2hjitsARsNUIopYyNdXpbwCk4xv2U+uZzGpgzpt/siU4t1oKHc+P2gJ5xrazRan3gEd6QF +XrWHq1+sdV4pUFM2R3UZt8z8NquRposHPn9ldNEpxNVkjbTZiY6D+f3yIUa43z6f4B2gWSuI +Gq2ayIVGSKaf+hxzFa9sFsMJ1VeGsYt9g3zxnWRFEJRup0/VasVCqkMan0YoXOJB5+R2Ie73 +WWfoLlv2KozPDL91D1sXhxschxHHnQ8ro3Nl80s+yCNINhBK3+UUZsE/THlU7KQvq2j8dy85 
+frWvjPylNddJsXGRzBVTu629Gkhm3glVMPrfi5CEZkuRC4FOiQIcBBABAgAGBQJNsBsGAAoJ +EK184QA5M3MO9bMP/R4d3Xvhx65ayuLTehyoi0CAdaCU6wbxvO922rzSu57i0JY2Ef14ZXF2 +2RDrkAPgbw6S+wF8GRT4NKvfYaVx9oYunvD1OTa5EfEjG2KvJrKOsOKUCD7yQxKXGhP7K8sc +AiuZk4rCgfX9+O4RpqRdl1/EqCEBzUZaU79RN/KLqapddtF0H4tyLWpWSyrQs8PjGRJmeh3J +7RuD7ZYC4XRtvpx3IDqn6+RCQFhb/EpGX7EwxbKgapmpD+9W2vqLHbM655w6/hc68J4bnE80 +DnZKc659HuNvRGitzS7ShbI+8h5TUHcxsEsQCnfKkrkfdQo79878IKBmlJKC1WqUBZbbvdIT +fVToL9dtShHiNoy4jVuxUoizEAXEIjdi52MHhAY5I6wWyrDOV9Ftg9ZLwa6MbH31EKUbRMmP +75y0ID4RQCINqP7HMu5vlHRBKAKC1Tf3DqRZJIU61v4A3WR6IMGNXaoVFbQwB6YXsOkJPiN1 +vgrqo42Z+rNRFFkCj341RJO2KNpjeUdeKVSyDmEb22wiRLEgXnmk902uOJN1HFcj7/JjlXGR +R24Zu0C97B+HNdlmWVnxJx/aNx2zkGnjdAjMLy1bosMJSPyAJVWnKU3TmrsB4raPeawbk8OS +mwzRCiIl9VDlBjaDK4E4+0I05/BNMWvsEMOeGeJdKU/OhWYPnoBWuQINBEXDdgAQCAC6qjQX +EfVe106L+pbq/61Z2pgcuP9/RWiqPVxulL5w4M1NpfX9d/gme/q+biU4bmAiSoPV7lQKkbmk +Mm8ySuljSVhGvlEagLb20dlhd8QFUSR2G5TtlNJBFqiK0rlNLCM6Ploq8VIcSMysJZwZJRqM +QJCREfBlvccrbCqoFasmOOM+2P7lxCD6wqntmnrFTeJmUyhV91iL/MZ6e6YKnlIybwJlnmBy +w1mGMi2RPDDkr/83orPjWgxjIeWCHTb0kPQsc+Appw/cp4QQPNIMTH9JIQXjMP8R8sMd6GBr ++fRmKw2bF3G578EjYubuqoY0O1X6prXukgnp899p9tIAphq3AAQLB/9K4yRk3fpQOyg6fTqo +itiLkkGyzew5+F4kSepQgQ7QkKnJv5+qKx2qhMkzQbmAWkK+5k4AKnPNW/RaOGUwjI+X/tS4 +/gpgjosaoABGo3GwdPsU3FPRS/pBHx8Y9CpV0UsUF3roQEv0+c63dENjC0mUP1ww1Q2nNYRe +MndEKTSVkXZ6WOk+W7Q6vnc66KiaaeGZyaPFHmC8x/ikupRGERnZTTKVGJOJMiTRjIgBKwOc +B/QEKUVfPiLipIPqMmWgqitELsy7zvGLUMbgwv4VgL/Z3ncjw6ocFGG01S38Zty2GwcPEWrm +JWk3HAMBfW+vrk9a/3ym9MycmaMgOF+DAkx0iEkEGBECAAkFAkXDdgACGwwACgkQHsardTLn +vCWU5wCgqQcHeUMVaVQ1xIt1EJDF+wILLvMAn0YtJTYbQdH6FBUyLY42isSL8TJM +=+iK5 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFmtFkYBCAChY0X55Q+SUoPPMxTZAs3RMIt0Ljxe61thEl8M1uqY5REZhCJR +CSECM+/cWNPcSINFkAy+SBndORpk/FARplZExkuB/ySkLsm/q2wey0uLIlQl00Lg +zpF2n4maN19TKA3RZVZutkO0NiKrelZ41XZFQEnR/h7QLZ/Rp6RYhDo+C2KUYg1U +hbDMicxgQ+x+HrYdut7v6ESxCZtapnMtAfQI/+keusb18sJG+XuK8gUDNuVQSZkx 
+BHEPVTFD3C3XBxRVI4V7F1H475GCi/HmzydfxZ1KgiGYOrslp0hDfbzYP5NzbLfo +sDFhafuTr4ShkbCdkrAOADTo5Mmt+mmQquW7ABEBAAG0K01pY2hhbCDFvWlkZWsg +KHJoX3dvcmspIDxtemlkZWtAcmVkaGF0LmNvbT6JAT0EEwEIACcFAlmtFkYCGwMF +CQHhM4AFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQuogAD+Y5gnKHfwf9G9e1 +8jQZDkHrVzAQdz+TNW+4Iu0P45vPhjaG23CbpMj4JHcH5V1Cz4uOFw95K04x2Kho +lnVmCLWbqXUG7zzNpQt1xEAt/c41h2zzS4KN3tKjb41otwzc//8nkTloA2LATavg +iT+HX8z12o/GgE/CoyhErdIOemZfr544RIl1B3/RHMmie60CGUiQ1UkTr7FBodyd +xzGWXUUlLcPEoAf3ZiSANcwwVgVcX//xeAnC1MPs0jBJgvJpuBbTEkL8LLzo4YTf +lNT4kC9HBjnF40CC20Zm/JQ6jPRYpLfwmB6zvo6uAGXeCGbzI8SuHS4P38DunprJ +ksA8i38pWZ/R1kHo7w== +=02ao +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF65FqQBCADQQUcPSux/eX7fpP05HOW1HE32tBPWs5MPktMdzErrG7DTOaUo +XxMhorPSHgt2Q5mX/LV4Yk2cRHk2uStWTtIVhtC62DPqstqfr0aC3TJ36LrsAr/s +YaG2ktD26xADA5j67oP4lHN4+rjSbKfRLiLpSsABb4fx85SS066MsDQOQFEs1bsG +UAqavdlRGUYXSA5uwwbJRRfI5ryeWyOpfpIIdJeyNDx6ZSuc8kgLm/PhNpwChiY2 +h7Qs4nekVT1c9ujyPTUQ+x8lnGblP8Kwb+ZtOp+aWMWZlxk2ifwFr+u1pKTr8we5 +DarQxMTjBwrRRuBk7RwYKXdj91jwMGSx6ZaRABEBAAG0JFBhdmVsIELFmWV6aW5h +IDxwYnJlemluYUByZWRoYXQuY29tPokBTgQTAQgAOBYhBBpB3GdQX4mjMIKLZq/+ +dd3oUI4SBQJeuRakAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEK/+dd3o +UI4SupUH/RRKqwHSYSIf37pFz6tsE5+7ASiCdVVdtOPtaXu43sRNLrCSu4CjisBu +rdFPmd57jwQneyh5RUEXbY5jq4KK4nuHZppjlaGqs/8LIVl13x01zD+V/hlDZXfr +BEDaE2PjUtacP+NvJWtYO/tHlTqxfFssFh7btO9EOYSfc7IhQ+hReKkX9K1dNLJM +SYCDaDQRSxJeAnYX7E3mXoaIC7JXH0ZF1NS0a3SP/q7u+WsQ+j58Z0xMdP6lBd1M +7ntNQ+BHz4+jlEgN9GXRTn7PIucpvVCEwTYysklIKbWJHi7J+C6ZV+4nDnaA0Z6J +m+XGsbvc7/P1b4FpU9YAmBd7VqQG8Ve5AQ0EXrkWpAEIAKVIiPI6sZXhnrpKxYO0 +nNAazIkA0WtqTVeSPE0AkNXAW4wtbhluwfBEsYr6wU8ieDGU/KdIpwZprsKf4x3r +kFgRRwnNpB9AhGNex4tzoHlNoAX601OOjhy44DaRrJKY1Zg+V2ljx6cySsX2zsQp +/pKA5uN7Y4mWfZMPmlpljqYRXMIAZWf7F0dJTdh+Vv646ZBYg7mBfaVs3E5AKRZ+ +xNnxna7Se+OihyOcmMwtotMF8tlU8/yGyWTCoNu/86+eAVXWIpu358f1Q1Ez9bXI +/neav857DTCGTXY5NNigunscMPje5MLEp9T1ozZl0ZK3LUcfh7w8IMLCB2YK/7zF 
+NpcAEQEAAYkBNgQYAQgAIBYhBBpB3GdQX4mjMIKLZq/+dd3oUI4SBQJeuRakAhsM +AAoJEK/+dd3oUI4S8FAH/0bHCGi6+sWnJqOqYwJIHPeYR33zb3D09jQYXWzadNGX +F6nuGzNgqCUZ3+GK73hDXq/v9WyUhaLLvd7XGryQ5DGGO0ZkHD3Td+YMeoSdDVbQ +PiTZS3DyQB0qHp6pKgjvDlbMYeqSVoletsa6ruSvFtE2kb+W6fRn6K8QeTyMA8Rn +NIUOSaSwQjcETaexMuD2oyRmzDmdWTUOS/Q/Tn3HE7Yz8670CLM1yN70MfAHpeUt +dIkFm9g3ZPTING+gC98iylLAFR1QKqz4HRWd8ofmnHemPpzAPGMITztwnZsLIPDj +nZ/57dk9LQVekGFjWm5GYThUwrHWYRyzjGz/xOmjJoM= +=b5K7 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF677TsBEAC6lxykcx6Ao4J0D6KiQ0+fi+NrsJkHgBT+4IRsVwanSOtVhGOb +wkQqEeFlOgTExHE1A6THiMb0D4LVsuvjSIwwSOusdbPokp7iX2QyFIUJGfeFq6/V +FEm3pAn+Rx2453uLqYtf6eISbHC6sWZxJ0+32rT173nQCbOKkWgcsClvjiLu7frA +LweDaygWCjHwNrkm4brV7O3GHIgOYo6E/+0oxG4kcCvQw9IFlM8lf+eCw1Fn60Jt +TVTos9tdlwF1kK/VQJvfPYsIgtA4QnDGjI6DvPflPIzL9vVzuGarjAYP1B+Wtjif +JmHam2bYMk8u3hgkSh+fQTQ5SnmznIH6bqFfnwQRq2JL60JUaM3hcogSxA0RTsTO +j9fBU+zJJuaX9RnfS9qlOfMY3sE3lEGNOAGtLRbeyOnfUttNQa9e0tKXJnXECmTL +gKo8AD4Ulv9Y7i4Ap/WsDAJHLlH9K7AVGNB4OrL4gk/soQ54J60WuAUDsy3o2oby +vNmy4FeKEVgHmOINe9jRVWgv4ao1w3AwNPtwznLcxLc7CXQwfDrlG63NMCFpWJ5p +ih7rVODCuwOBzVJiD3aMEVyKud0gFpJbPFSqYJ29iiD0iPkvkKf17Iaf1iUsFdU9 +UpvPdoJYTm/CVf8rRueXgcOvaoDMhES0dlSD3Yoxz+eFHm4qpru6exWWMwARAQAB +tCVBbGV4ZXkgVGlraG9ub3YgPGF0aWtob25vQHJlZGhhdC5jb20+iQJOBBMBCAA4 +FiEEkwIBqrQt0ZRyELeDjXMmNRpyYhEFAl677TsCGwMFCwkIBwIGFQoJCAsCBBYC +AwECHgECF4AACgkQjXMmNRpyYhGL2A/8DBY1zfi+LL2bU6mnuI1ZGJURKD9WPstg +tRv41sEQHphKQo6etiuUZ1p5q2yAkBNu7nl7MK3KfS1OGGaXf2dvTWI/MfHvfL7E +WswbaHkGAnuZ2q2VET4EoXa5txp/reGpzas08anAaEjO+Xdax35Etv+KbfWCPNrZ +/3Uu0L+kxWRrg0SBto9/1n76+8Hj3uyPMTQ9iPRc1wP55zRjhkvI5QLfO/7sf6zs +iBt6mwVBbmQG0Yd7UvnNJvjVtVsxBb+y/jb5iPj6FGECbm60zy6yPcdO5oNnoW53 +d90figFAp2CRsbnO0n/HG6LFl68QJ0rhmZlK9NQXJKzuJTV6E0XRPGy53W904Rvy +9ohPw7JKCrpHZ883A8BrSkmkLFkan4ZB2t2wjcbTMGy/+GyS4hYVKB8A6NEcLX/C +WXTz7j2mUFJw18JwEB76YYalBmqDltYzuQN/cp0etkAjLYHXqrimlGd0nj/Y4yjU +5hXMir8fyhUj73K737l2WD46SwNdAJFCZbux8rdQkoU1+qPFwsnExiUN1T6hhyb4 
+FIirxtegzGqK4YALDewOUZuiGV1eOtBEldqmVG/AccMG9Pc2/ndHJKA3IsMhxE51 +9jRJ/83MxUM93bimd+iDSbJ7BArpPZI+E5xaaBkJGLmCRTTOCAfN7H0zgNyysjSy ++ezwINWq6F+5Ag0EXrvtOwEQANR5ZaGw75+6AyG42nBV+rKeJJPZYSnM+YWtkfbo +Hk2ZF7qPWN5ZvanoyCrKKZl+tb00dGgjD19aKkpXX/P/erzG0iERhI+GthVZEEmU +7Z0TQRGOA2CazwSNF7r4HApO47B2IE0xhHu0ceqmO0c0oObvOeuETXZHoynfa0Ge +6IRX1exirc81PffFn1yNSc57BBwXCrx6ET9ZCEZyrm0tMpFoEquORZv2V2HBU8Sa +cyrO3dsmg1O3+7Gc5wTec7SnHBQpi9Gnf40Q3AqC8D+ktjKnFXknK4ByTUb1G6tl +KeWTYjvixBxUAfH25GDmGj/zyNabkRNrHGFECVBoSEY2TDMp7KSdIOQuOxQIOjl9 +L2Btt4bi1CLFu6jSZP8wWVhs7P6kez/K6RokXM+7zf3iGaF6EshDvtKKagq66J3Q +WM3Hf6X4BhfaGO+/c+wdcUsIR+6dpOewq/vh4rZUxducWAQP+EQGmO7EqDNmuzYt +MigIxPEJ4SToYLOr9O4nT3Ebdp6k+Kvncoszya/e8ZjURQqQK+7GlSp4g7YkxoPb +cpkvHCK7UBWBVIqk3o7nTgAtcJbMwDKVGWC8F9gAJyMy5JVUMC2NU7C1FaJZIX13 +C1nP0MERxMFBj5IF37xY8jTtQeNastimiYcm3yVDDKayo8BN5PGZ3wRu2r+K7V9J +kM0pABEBAAGJAjYEGAEIACAWIQSTAgGqtC3RlHIQt4ONcyY1GnJiEQUCXrvtOwIb +DAAKCRCNcyY1GnJiEfd3D/49oGcBAelVx1pHEhwpg7P9anTvkNr9WndJf3P+jBNX +aZk9pqo4MdxZ0kizW4Kww8+zXelMMD+zXt5igKwh/Yf0o/DIfsVWT4HAdZCYLrPT +vU9sFDoIWUNQrQSNSxSAldz8xrd6DUjTo4lJowZToS4HFmUxwyWz9sAOnlDhO0bz +mfQ/RmaCRFn9JaYQt6IaiKBQVzC2ZJbPJfJPZnSkr/qfgvT+o07V69Qk7DMEMEkU +1th0T0USH6gFwLrSsHKN/P5+8V3xyP2BnQy6J/dOi8W5aEAptb2FIEroFsZHysz3 +25FAAkdxTS8IT9Da7XFtxRgTnBYGT5Fh5zSRHC45H+h4Krv1+Qs0eLXit74dC509 +xdqAqNFwniOUJvGIjZFPnWeiqU20/hW7TTaEr3xcEWdsvKXP+0GVLagq7YMDPgos +W/GDajWT78l3nq6qkkU/vLlj81YMF5tnFP3oIsDPJTKEnqdommZNNf0yBvM4uhyK +djlL2k2JFJfdPJ05BSXBD+TKsftZfxkAT+zSbK060nuIk2EGfH+0QIGcdUUYZtOw +2o22jImdLfC6t8DEp4w5OlGC3K7i6K+5brfqYtzu8vNSbrBZaBf1yp6s8wg69dx/ +zqWpv28ZZ2lzjuHncw+QuHhA53EJs5McrCu6f0+kehBpOu7SNeDTnqjytZP/rE1N +nQ== +=uvJr +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGI9m7YBEACjfmpZrW6wpmz+QRfnx1UuOABpTmsBi6ElTqx+ZzLU2R3N4KLl +PDycp6Pm5PqnLRLoC0TzHh1MjpVWiCfrnlTm6yD2Y6A37c6/elFjiZlbY93zUJi9 +mE3OXyxe3RQHVjEYiQZ+DCcgQe5r2mFL8prK2OBIIoJJK2t46EjcjsJJkOIgT9H0 
+7FaLWfT2MHhO0mg6EqwqOsSKI392sVhJ0GTDULiI1ZlRULZwn3oWdXglO5O9KAhu +jSAIrKuX6QsIxXfVDG1wmOR99yyuiXpJhlKbgdw3Y37IcHRD9DLbqCnp//3WkW9W +k5Mn/bYK1TIed92U4CWNqz557lGnQxwPyyaNkJW9L1kNWO6P9Kl8RgxuX0689Zb0 +sqooxTK//O+BBOso1iSRsdyqo2KSIBF06Fe9x5i+jwX2N3hHbzODfT0rHOokPj5p +jT/o6NFQ0lMqYQJxQA7/71Dk/6EkkxE3kHTkFNHBii1pt0msyQij8URmTTN39V1f +n+HlxDOrzDSccrs5x0b+cT5wuB1tSp9JhkmmAk5rb8vsHL+iPRM4ZDIOJNm/Qlg6 +pQ+V4FEamntO9undQro0hSShEq69JDbBhT+fmHcAH2a03buTdyu3aqok3OSdxMj/ +aprl84eFxE3cwlCXzsu0qf8ue9UjFWynmwsDQgR4EMMbVDwInd/rrV+wOwARAQAB +tElTU1NEIFByb2plY3QgKGh0dHBzOi8vc3NzZC5pbykgPHNzc2QtbWFpbnRhaW5l +cnNAbGlzdHMuZmVkb3JhcHJvamVjdC5vcmc+iQJOBBMBCAA4FiEEwTzQf/stsUCO +RXo809IbKRDPZ1kFAmI9m7YCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +09IbKRDPZ1nmShAAlEZD+l7OSTb8uOQDj9wHXjkJbrz2vp3vfHiUo69NIssEQRUE +WRpygejjCsc3XlS8XivWwLIqrDOczenyCVVNSSWfaQpBc2ZR+XXBKMpxa1PlFduQ +wax2cbPXVdo47t3gVWAzicO0zxeAQVEZHUKyoWmaKtuFdN1ZJpNCvFJcr6yEFY5k +vQy5Caf6G1oDS9XYsx4YZZT0YhMo3d/8awJLJuVfnqsC/mTOaC7Khms31c2SC+50 ++i+gE9HOVkLqanYkQcmdWIMN/oOljAd3zCFBNw5cXXuNmjp32URcm4khLKuxgV12 +RetW63SAMydavCp8jMpjuE1pBo6s+/ZcvHe0IhS5fcAbXnIuxqhB2FfeJVg3Udx8 +u+zZjwtndUZ9NCETomHa77Beq3h/0A/hiEmNl6xAYttNRvF/bbNg9k3o6lZydDYM +zhdmGh+VfZhuyyGJXWsrK0ZzJ0zXjorIKPlCi32cMrOPlYd94N4aWZaHC+uDZSMW +Xwjl79Tt92psOIiQwSSm1vaRvXV9w3HzyZtOIlK+Nc7T6qTOIHGgCuQI5zXNorNb +sdmzOR+ZrnYBk/E6hiaU8b4hQS2HJyr9YqERi2LjB9VICC+KHhsjba/hxIoVZR/v +Hg+WM/NBpOoaiScxLaqWNuoxY84SNJCgupWlCmBEDxWG+Q0ku/xgyRARCt25Ag0E +Yj2btgEQALITn9g5EYyZioqSwM8Vk1Rbu6d6NRbtdO4tIxesj2a7ywVdPy2o9Al6 +1jFoqJmpfGJLrna7Vectl/emzi3o4g0dK5PrVfDVnpK+Gf6j5bNOad+d5qGTULOO +XOzn2q/dhfAsp9/Czsfm8a45Od6yBPJYkkbUDTCl6Fxmwj6tTMLqYPCKnWtLGhy4 +URPocrZ4ykCjUHhXtcsLqyuHcfMI2vkAHlSSMxYC5CqNSuoi3o518872aph//D4K +gjYeFV5vAOMhe2g7mdWM9SdxvSVQSxVaID0LfFaL+mTal3ed+Raz4/SIk1i634JD +AZodXz6CbBItRTD9+towBJjkVXEt1IcpnjTZDppLK6T3eTtRDuJUi5mk52NYBJaC +QBMzkoRAdFWu3Z6e6ufqhgFja1KPNeZtOIJpoIbSnwIG0O8IjFM/PhjS5pZxsgcv +PeTROvj7OSj88R2HuosI7zcEk9/v9tXEYEzKfGQApdeAGV+OUW2rsoyluIz6qd0/ 
+dImmOVvQCcjucJXUq8R5b6gg765DY/ACXIXJXSl/whg54jRI39HdBIovwKOXNIjC +tpSgKTv2HeEmAE8b0PgBLDF5I+auJj21uE22xVQJP1hmB/GsmDxvNm85t6eD7YiS +cpvEPOz+GeQ1Du5bHYYZ6rsFhnV5PBy1azDdXxV6OI8HIkSNC949ABEBAAGJAjYE +GAEIACAWIQTBPNB/+y2xQI5FejzT0hspEM9nWQUCYj2btgIbDAAKCRDT0hspEM9n +WZt4D/9hg+9ugRSOn+qpcrxcSBwQvfcz65YklC5y6G0ESN/ACVCbb02o7ojef1xu +4g1dG00xRrCTzosyi4SSF7GpSZKDs00O7U2qnfbIefwwwmM4+zK7oBlCKdChPxQq +dQyq+aowUmKi28NvaPZo/3IvQ+MKIR7JiSTduXagZJ0wPgDijgPQ9Skta37D7dhs +bnyIFrM8P8XCIaF7xM7sQCbcjt1hngSsAt2ZPqm0Jb3Qgb0Ad8oJlO9owHQ1f8iS +x8n0MTAyCwXQfCXHl2ZOKf258Up+EoVzBXloNeUSxgMypPajvP2X/tRM1eeTpUb9 +BcWFGMEM+1A2SBmjN7VVXmK0aYGxUT5z2VG2v7pg8nTgIMO/11cMjR4Z0/FWZ8NN +Ha0c634s5gjDi6awgPf+pDNiW6hTHkKm53jmpoFGOrv+IT4omBIirGAFNeRXf0Lx +PiBesNFGOUGw5whzs/rJRWrIKUTHKdDUEAlIS5473kK3FdXZu0rFKRnYLKFW2NHF +blM59B2+sU+56jELXuzJBOyUz+YqToMFEcmu6WWo8ttKJ4oQnJxIyTNrcFUiGLSF +099V8FGdJh7yNEWYEhH5xefIA6QOQ+pYrur+JwZUOkk+66e14ffW9e78pwOsvsZV +GPYsPXfpeVrWyAZQRtiYt8ge9iaqHUNclC+egDJQUpoFYSlIGA== +=mD4u +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..c7aaead --- /dev/null +++ b/debian/watch @@ -0,0 +1,6 @@ +#git=https://github.com/SSSD/sssd +version=4 +opts="uversionmangle=s/alpha/~alpha/;s/beta/~beta/,pgpsigurlmangle=s/$/.asc/, \ + filenamemangle=s#@ANY_VERSION@$#$1.tar.gz#, \ + downloadurlmangle=s#/tag/#/download/#;s#@ANY_VERSION@$#$1/@PACKAGE@-$1.tar.gz#" \ +https://github.com/SSSD/sssd/tags .*/releases/tag/@ANY_VERSION@ |