--- sssd-1.2.1.orig/debian/rules
+++ sssd-1.2.1/debian/rules
@@ -0,0 +1,35 @@
+#!/usr/bin/make -f
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/autotools.mk
+include /usr/share/cdbs/1/rules/dpatch.mk
+
+DEB_CONFIGURE_EXTRA_FLAGS = --enable-krb5-locator-plugin
+
+APIDOCDIR = /usr/share/doc/sssd
+
+install/libnss-sss::
+ mkdir -p $(CURDIR)/debian/tmp/lib/
+ mv $(CURDIR)/debian/tmp/usr/lib/libnss_sss.so.2 $(CURDIR)/debian/tmp/lib/libnss_sss.so.2
+ install -D debian/libnss-sss.overrides $(CURDIR)/debian/tmp/usr/share/lintian/overrides/libnss-sss
+ install -D debian/sssd.overrides $(CURDIR)/debian/tmp/usr/share/lintian/overrides/sssd
+
+install/libpam-sss::
+ mkdir -p $(CURDIR)/debian/tmp/lib/security/
+ mv $(CURDIR)/debian/tmp/usr/lib/security/pam_sss.so $(CURDIR)/debian/tmp/lib/security/pam_sss.so
+ mkdir -p $(CURDIR)/debian/libpam-sss/usr/share/pam-configs
+ install -m644 debian/libpam-sss.pam-auth-update \
+ $(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss
+
+install/sssd::
+ mkdir -p $(CURDIR)/debian/sssd$(APIDOCDIR)/sssd.api.d/
+ install -D -m640 $(CURDIR)/src/config/etc/sssd.api.conf $(CURDIR)/debian/sssd$(APIDOCDIR)/sssd.api.conf
+ install -m640 $(CURDIR)/src/config/etc/sssd.api.d/* $(CURDIR)/debian/sssd/$(APIDOCDIR)/sssd.api.d/
+ install -D -m755 $(CURDIR)/debian/generate-config $(CURDIR)/debian/sssd/usr/lib/sssd/generate-config
+
+binary-install/python-sss::
+ find $(CURDIR)/debian/python-sss/ -name '*.la' -exec rm '{}' ';'
+ dh_pycentral -ppython-sss
+
+clean::
+ rm -f src/config/.files
--- sssd-1.2.1.orig/debian/sssd.prerm
+++ sssd-1.2.1/debian/sssd.prerm
@@ -0,0 +1,3 @@
+#! /bin/sh -e
+
+#DEBHELPER#
--- sssd-1.2.1.orig/debian/control
+++ sssd-1.2.1/debian/control
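Review bot: The API documentation copies in the install/sssd rule are installed with `-m640` (`install -D -m640 … sssd.api.conf` and `install -m640 … sssd.api.d/*`), which leaves files under /usr/share/doc/sssd unreadable to ordinary users; the changelog in this same diff says these were moved out of /etc precisely because they are documentation rather than configuration, so `-m644` is the mode a reader would expect, and it matches how the rest of /usr/share/doc is shipped. The same rule writes the destination as `debian/sssd/$(APIDOCDIR)` on the sssd.api.d line but `debian/sssd$(APIDOCDIR)` on the two lines above it; because APIDOCDIR begins with a slash this only yields a doubled slash, but the three lines should use one spelling. The recipe lines appear without their leading tabs in this rendering, which is presumably an artefact of how the diff was captured rather than the file itself.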
@@ -0,0 +1,75 @@
+Source: sssd
+Section: utils
+Priority: extra
+Maintainer: Petter Reinholdtsen
+Uploaders: Morten Werner Forsbring
+Build-Depends: cdbs, debhelper (>= 7), dnsutils, dpatch,
+ libpopt-dev, libdbus-1-dev, libldap2-dev,
+ libpam-dev, libnss3-dev, libnspr4-dev, libpcre3-dev,
+ libselinux1-dev, libsasl2-dev,
+ libtevent-dev, libldb-dev, libtalloc-dev, libtdb-dev,
+ xml-core, docbook-xsl, docbook-xml, libxml2-utils, xsltproc,
+ cvs, krb5-config, libkrb5-dev, libc-ares-dev,
+ python-dev (>= 2.3.5-11), python-central (>= 0.6),
+ libsemanage1-dev
+Standards-Version: 3.8.4
+XS-Python-Version: current
+Vcs-Git: git://git.debian.org/git/collab-maint/pkg-sssd
+Vcs-Browser: http://git.debian.org/?p=collab-maint/pkg-sssd.git
+Homepage: https://fedorahosted.org/sssd/
+
+Package: sssd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, python, python-sss
+Recommends: ldap-utils, bind9-host
+Suggests: libnss-sss, libpam-sss
+Description: System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provides the daemon.
+
+Package: libnss-sss
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, perl
+Recommends: sssd
+Description: Nss library for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide the nss library to connect to the sssd daemon.
+
+Package: libpam-sss
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 1.0.1-6)
+Recommends: sssd
+Description: Pam module for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide the pam module to connect to the sssd daemon.
+
+Package: python-sss
+Section: python
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends}
+Provides: ${python:Provides}
+Recommends: sssd
+XB-Python-Version: ${python:Versions}
+Description: Pam module for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide a module to acces the configuration of the sssd daemon.
--- sssd-1.2.1.orig/debian/sssd.docs
+++ sssd-1.2.1/debian/sssd.docs
@@ -0,0 +1 @@
+BUILD.txt
--- sssd-1.2.1.orig/debian/compat
+++ sssd-1.2.1/debian/compat
@@ -0,0 +1 @@
+7
--- sssd-1.2.1.orig/debian/libnss-sss.postinst
+++ sssd-1.2.1/debian/libnss-sss.postinst
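Review bot: The synopsis of the python-sss stanza reads `Description: Pam module for the System Security Services Daemon`, copied from the libpam-sss stanza directly above it, while its own long description says the package provides a module to access the sssd configuration; a synopsis such as `Description: Python module to access the System Security Services Daemon configuration` would describe what is actually shipped. The long descriptions of libnss-sss, libpam-sss and python-sss all end with `This package provide …` (should be `provides`), and the python-sss one has `acces` for `access`. These are text-only fixes to the control file and do not affect the build.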
@@ -0,0 +1,54 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+# This code was taken from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+# try to insert sss entries to the passwd, group, shadow and netgroup
+# lines in /etc/nsswitch.conf to automatically enable libnss-sss
+# support; do not change the configuration if the lines already
+# references some sss lookups
+insert_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+ perl -i -pe '
+ sub insert {
+ # this also splits on tab
+ my @bits=split(" ", shift);
+ # do not break configuration if the line already
+ # references sss
+ if (grep { $_ eq "sss"} @bits) {
+ return join " ", @bits;
+ }
+ # append sss at the end
+ push @bits, "sss";
+ return join " ",@bits;
+ }
+ s/^(passwd:\s+|group:\s+|shadow:\s+|netgroup:\s+)(.*)/$1.insert($2)/e;
+ ' /etc/nsswitch.conf
+}
+
+action="$1"
+
+if [ configure = "$action" ]; then
+ if [ -z "$2" ]; then
+ log "First installation detected..."
+ # first install: setup the recommended configuration (unless
+ # nsswitch.conf already contains sss entries)
+ insert_nss_entry
+ else
+ # upgrade
+ version="$2"
+
+ # Nothing to do here yet
+ fi
+fi
--- sssd-1.2.1.orig/debian/sssd.upstart.ubuntu
+++ sssd-1.2.1/debian/sssd.upstart.ubuntu
@@ -0,0 +1,16 @@
+# sssd - System Security Services Daemon
+#
+# Provides a set of daemons to manage access to remote directories and
+# authentication mechanisms. It provides an NSS and PAM interface toward
+# the system and a pluggable backend system to connect to multiple different
+# account sources.
+
+description "System Security Services Daemon"
+
+start on filesystem
+stop on runlevel [06]
+
+expect fork
+respawn
+
+exec sssd -D
--- sssd-1.2.1.orig/debian/sssd.preinst
+++ sssd-1.2.1/debian/sssd.preinst
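Review bot: insert_nss_entry only edits database lines that have whitespace after the colon (`s/^(passwd:\s+|group:\s+|shadow:\s+|netgroup:\s+)(.*)/…/e`), while the matching libnss-sss.postrm later in this diff strips with `^(passwd:|group:|shadow:|netgroup:)`, so a compactly written line such as `passwd:compat` would be left alone on install yet still be rewritten on removal. Using `s/^(passwd:|group:|shadow:|netgroup:)\s*(.*)/$1." ".insert($2)/e` here, or the same `\s+` form in the postrm, keeps the two scripts symmetric; since `insert` already re-joins the fields with single spaces, the change does not alter the output for the common `passwd:<TAB>compat` layout. The upgrade branch assigns `version="$2"` and never reads it; either drop the assignment or replace `# Nothing to do here yet` with a comment saying which future upgrade step it is reserved for, so the dead variable is not mistaken for a bug later. Modifying /etc/nsswitch.conf changes which lookups go to sssd for every process on the host, so the "do not change if sss is already present" guard is the right approach and worth keeping when the regex is adjusted.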
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -e
+
+# Remove a no-longer used conffile
+# Copied from http://wiki.debian.org/DpkgConffileHandling
+rm_conffile() {
+ local PKGNAME="$1"
+ local CONFFILE="$2"
+
+ [ -e "$CONFFILE" ] || return 0
+
+ local md5sum="$(md5sum $CONFFILE | sed -e 's/ .*//')"
+ local old_md5sum="$(dpkg-query -W -f='${Conffiles}' $PKGNAME | \
+ sed -n -e "\' $CONFFILE ' { s/ obsolete$//; s/.* //; p }")"
+ if [ "$md5sum" != "$old_md5sum" ]; then
+ echo "Obsolete conffile $CONFFILE has been modified by you."
+ echo "Saving as $CONFFILE.dpkg-bak ..."
+ mv -f "$CONFFILE" "$CONFFILE".dpkg-bak
+ else
+ echo "Removing obsolete conffile $CONFFILE ..."
+ mv -f "$CONFFILE" "$CONFFILE".dpkg-del
+ fi
+}
+
+case "$1" in
+install)
+ ;;
+upgrade)
+ if dpkg --compare-versions "$2" le "1.0.5-1"; then
+ rm_conffile sssd "/etc/sssd/sssd.api.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-proxy.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-simple.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-ipa.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-local.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-krb5.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-ldap.conf"
+ fi
+ ;;
+esac
+
+#DEBHELPER#
--- sssd-1.2.1.orig/debian/copyright
+++ sssd-1.2.1/debian/copyright
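Review bot: In rm_conffile the two command substitutions expand `$CONFFILE` and `$PKGNAME` unquoted (`md5sum $CONFFILE` and `dpkg-query -W -f='${Conffiles}' $PKGNAME`) while every other use of the same variables in the function is quoted; the seven callers below pass fixed paths without whitespace, so this is a consistency point rather than a bug, but quoting keeps the helper safe if it is reused: `local md5sum="$(md5sum "$CONFFILE" | sed -e 's/ .*//')"`. The sed address `\' $CONFFILE '` also embeds the path in a regular expression without escaping, which is fine for these literal /etc/sssd paths; a one-line comment above it noting that the path must not contain regex metacharacters would save the next maintainer a check. Moving a user-modified conffile aside as `.dpkg-bak` rather than deleting it is the right conservative behaviour for files that may hold local configuration.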
@@ -0,0 +1,223 @@ +This package was debianized by Mathias Gug on +Wed, 05 Aug 2009 08:58:56 +0100. + +It was downloaded from https://fedorahosted.org/sssd/ + +Upstream Authors: + Dmitri Pal + Jakub Hrozek + Simo Sorce + Stephen Gallagher + Sumit Bose + +Copyright: + + Copyright (C) Red Hat 2008, 2009 + + Copyright (C) Dmitri Pal 2009 + Copyright (C) Jakub Hrozek 2009 + Copyright (C) Simo Sorce 2007, 2008, 2009 + Copyright (C) Stephen Gallagher 2008,2009 + Copyright (C) Sumit Bose 2009 + + Copyright (C) Andrew Bartlett 2002 + Copyright (C) Andrew Tridgell 1992-2006 + Copyright (C) James J Myers 2003 + Copyright (C) Jelmer Vernooij 2002, 2006, 2007 + Copyright (C) Jeremy Allison 1998-2002, 2007 + Copyright (C) Martin Pool 2002 + Copyright (C) Michael Adam 2008 + Copyright (C) Tim Potter 2000 + Copyright (c) 1997 Kungliga Tekniska Högskolan + + Copyright (c) 1996-2005, The PostgreSQL Global Development Group + Copyright (c) 1994, The Regents of the University of California + Copyright (c) 1996-2007, PostgreSQL Global Development Group + Copyright (C) 1996-2001 Internet Software Consortium. + + +License: + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +The Debian packaging is Copyright (C) Canonical Ltd 2009 and is licensed under +the GPL-3 or later, see `/usr/share/common-licenses/GPL-3'. 
+ +======================== +replace/repdir_getdents.c +replace/test/testsuite.c +replace/test/main.c +replace/getpass.c +replace/replace.c +replace/socketpair.c +replace/inet_ntoa.c +replace/strptime.c +replace/inet_aton.c +replace/dlfcn.c +replace/repdir_getdirentries.c +common/collection/* +common/ini/* +======================== +License: LGPL3 or later - see `/usr/share/common-licenses/LGPL-3'. + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, see . + + +=================== +sss_client/group.c +sss_client/common.c +sss_client/passwd.c +=================== +License: LGPL (v2.1 or later) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 2.1 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, + USA. 
+ + +===================== +replace/getaddrinfo.c +replace/getaddrinfo.h +===================== + + Permission to use, copy, modify, and distribute this software and its + documentation for any purpose, without fee, and without a written agreement + is hereby granted, provided that the above copyright notice and this paragraph + and the following two paragraphs appear in all copies. + + IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR + DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING + LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, + EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + + THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS + ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS + TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. + +=================== +replace/inet_pton.c +replace/inet_ntop.c +=================== +License: ISC + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+ +================ +replace/timegm.c +================ +License: BSD (3 clause) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. 
+ +================== +replace/snprintf.c +================== + + This code is based on code written by Patrick Powell (papowell@astart.com) + It may be used for any purpose as long as this notice remains intact + on all source code distributions + +=========================== +sss_client/sss_cli.h +sss_client/protos.h +sss_client/sss_pam_macros.h +sss_client/sss_errno.h +=========================== + + You can used this header file in any way you see fit provided copyright + notices are preserved. + +============================= +server/resolv/ares/ares_dns.h +============================= + + * Permission to use, copy, modify, and distribute this + * software and its documentation for any purpose and without + * fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright + * notice and this permission notice appear in supporting + * documentation, and that the name of M.I.T. not be used in + * advertising or publicity pertaining to distribution of the + * software without specific, written prior permission. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" + * without express or implied warranty. + +============================= +server/util/nss_sha512crypt.c +============================= + + Released into the Public Domain by Ulrich Drepper . + --- sssd-1.2.1.orig/debian/libnss-sss.overrides +++ sssd-1.2.1/debian/libnss-sss.overrides @@ -0,0 +1,6 @@ +# we ship a shared library that is used for the NSS system +# nobody should directly link to our library +non-dev-pkg-with-shlib-symlink lib/libnss_sss.so.2 lib/libnss_sss.so +shlib-without-versioned-soname lib/libnss_sss.so.2 libnss_sss.so +no-symbols-control-file lib/libnss_sss.so.2 +postinst-must-call-ldconfig lib/libnss_sss.so.2 --- sssd-1.2.1.orig/debian/changelog +++ sssd-1.2.1/debian/changelog 
@@ -0,0 +1,167 @@ +sssd (1.2.1-4build1) natty; urgency=low + + * Rebuild with python 2.7 as the python default. + + -- Matthias Klose Wed, 08 Dec 2010 15:11:05 +0000 + +sssd (1.2.1-4) unstable; urgency=low + + * Add patch from Stephen Gallagher to ensure LDAP authentication + never accept a zero length password (Closes: #594413). Solves + CVE-2010-2940. + + -- Petter Reinholdtsen Wed, 25 Aug 2010 22:33:40 +0200 + +sssd (1.2.1-3) unstable; urgency=low + + [ Petter Reinholdtsen ] + * Look for /etc/default/sssd, not /etc/defaults/sssd in init.d + script (Closes: #588252). + * Make sssd.conf generation more robust, and make sure missing SRV + records are ignored and not handled as host names. + * Add code in generate-config to look up Kerberos realm using + _kerberos TXT record in DNS if it exist. + * Recommend bind9-host used by generate-config for SRV and TXT + lookups. + + [ Morten Werner Forsbring ] + * Check if /etc/default/sssd is a file and executable, not a directory, + before sourcing in init-script. Thanks to lintian. + + -- Morten Werner Forsbring Thu, 12 Aug 2010 16:31:14 +0200 + +sssd (1.2.1-2) unstable; urgency=low + + * Make sure init.d script sources /etc/default/sssd (Closes: #588252). + * Drop /etc/default/sssd from package, to avoid conffile question + from dpkg during upgrades. + * Make sure to only remove obsolete sssd conffiles on upgrades, not + on first time installation. + * Add new script generate-config and call it from the sssd postinst + during first time installation to try to generate the sssd.conf + file dynamically for LDAP and Kerberos using DNS entries, and fall + back to the static example configuration if this fail. + * Let sssd suggest libnss-sss and libpam-sss, to make those + installing sssd aware of the other packages. 
+ * Add netgroup to nsswitch.conf entries added at first time + installation, to make sure those installing now get working + netgroups when sssd get netgroup support + * Let sssd recommend ldap-utils as ldapsearch is used for generating + the configuration. + + -- Petter Reinholdtsen Fri, 06 Aug 2010 23:44:26 +0200 + +sssd (1.2.1-1) unstable; urgency=low + + [ Petter Reinholdtsen ] + * Move calls to pam-auth-update from the package scripts in sssd to + libpam-sss, and correct prerm call to remove the correct pam config. + Add versioned dependency on libpam-runtime to make sure + pam-auth-update is available. + * Add code to the postinst and postrm of libnss-sss to update + passwd, group and shadow entries in /etc/nsswitch.conf. + * Make sure init.d/sssd start after $named, to ensure it can look up + in DNS also when the DNS server is on the local machine. + + [ Morten Werner Forsbring ] + * New upstream release. + + -- Morten Werner Forsbring Thu, 24 Jun 2010 14:16:30 +0200 + +sssd (1.2.0-1) unstable; urgency=low + + [ Petter Reinholdtsen ] + * New upstream release. + - Add libsemanage1-dev as build dependency, as it is now required. + - Drop python-build-with-deb-layout.dpatch, now handled upstream. + - Adjust provide-default-working-sssd-config-file.dpatch to + work with new package source layout and config file content. + - Adjust build rules to cope with server/ changing to src/ in the + source tarball. + - Add --enable-krb5-locator-plugin to keep building the plugin. + * Change the pam-auth-update configuration to make the session + script optional instead of sufficient, to make sure the other + session modules are executed too. + * Change initial pam password entry from requisite to sufficient, + to make sure local users can have their password set even if + sssd is enabled. + * Rename pam-configs/sssd to pam-configs/sss, to have a name that + is consistent with the package name libpam-sss. + * Add VCS links to the GIT repository. 
+ * Move configuration API documentation from /etc/sssd/ to + /usr/share/doc/sssd/. It is not configuration and do not belong + in /etc/. + * Drop autoconf, automake, libtool, m4 and autotools-dev from + build-depends. There is no need to regenerate the build files any + more. + + [ Morten Werner Forsbring ] + * Add dnsutils as build-dependency. + + -- Morten Werner Forsbring Tue, 01 Jun 2010 20:41:59 +0200 + +sssd (1.0.5-1) unstable; urgency=low + + * Initial upload based on package from Ubuntu (Closes: #579593). + * Update standards-version from 3.8.3 to 3.8.4. No changes needed. + * Add init.d script and rename sssd.upstart to sssd.upstart.ubuntu + to make sure init.d script is installed instead of upstart job. + * Add draft pam-auth-update configuration based on proposals in + Launcepad bug #557398. + * Update address to FSF in copyright file. Thanks lintian. + * Set section for python-sss to python after advice from lintian. + * Rewrite python-build-with-deb-layout.dpatch to patch Makefile.in + instead of Makefile.am, to avoid having to run autoreconf. + * Make sssd depend on python for its upgrade script. + * Extend clean rule to remove generated file server/config/.files. + * Make sure sssd.api.conf is installed into the sssd package, and + put it in /etc/sssd/sssd.api.conf. Fixes typo in Ubuntu package. + + -- Petter Reinholdtsen Wed, 05 May 2010 21:53:29 +0200 + +sssd (1.0.5-0ubuntu1) lucid; urgency=low + + * New upstream bugfix release. (LP: #510290) + * sssd.dirs: Add /var/lib/sss/pubconf (LP: #557394) + + -- Timo Aaltonen Fri, 16 Apr 2010 11:37:16 +0300 + +sssd (1.0.2-0ubuntu2) lucid; urgency=low + + * No change rebuild due to libldb downgrade + + -- Scott Kitterman Fri, 02 Apr 2010 17:48:19 -0400 + +sssd (1.0.2-0ubuntu1) lucid; urgency=low + + * New upstream release (LP: #473262): + - python API for managing sssd daemon configuration and + native SSSD users. + - support for asynchronous cache refreshes. 
+ - support password changing in LDAP and Kerberos providers. + - support for server failover. + * debian/control: + - update tdb build dependency to use libtdb-dev. + - add libselinux1-dev and libsasl2-dev build dependencies. + * debian/sssd.upstart: replace init script with an upstart job. + * Turn sssd.conf into a configuration file. + * Create sssd log directory. + + -- Mathias Gug Tue, 19 Jan 2010 15:17:13 -0500 + +sssd (0.5.0-0ubuntu2) karmic; urgency=low + + * debian/libnss-sss.overrides, debian/sssd.overrides: + + Fix linitian errors and warnings (LP: #425697): + sssd ships an nss library - these are false-positives. + * debian/fix-dbus-watch.dpatch: Update dbus-patch to final + upstream version. + * debian/fix-proxy-segfault.dpatch: Fix proxy enumeration. + + -- Mathias Gug Wed, 09 Sep 2009 20:21:04 -0400 + +sssd (0.5.0-0ubuntu1) karmic; urgency=low + + * Initial release. + + -- Mathias Gug Mon, 24 Aug 2009 16:35:11 -0400 --- sssd-1.2.1.orig/debian/generate-config +++ sssd-1.2.1/debian/generate-config 
@@ -0,0 +1,136 @@
+#!/bin/sh
+
+# Generate sssd.conf setup dynamically based on autodetectet LDAP
+# and Kerberos server.
+
+set -e
+
+# See if we can find an LDAP server. Prefer ldap.domain, but also
+# accept SRV records if no ldap.domain server is found.
+lookup_ldap_uri() {
+ domain="$1"
+ if ping -c2 ldap.$domain > /dev/null 2>&1; then
+ echo ldap://ldap.$domain
+ else
+ host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}' | head -1)
+ if [ "$host" ] ; then
+ echo ldap://$host | sed 's/\.$//'
+ fi
+ fi
+}
+
+lookup_ldap_base() {
+ ldapuri="$1"
+ defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext 2>/dev/null | awk '/^defaultNamingContext: / { print $2}')"
+ if [ -z "$defaultcontext" ] ; then
+ # If there are several contexts, pick the first one with
+ # posixAccount or posixGroup objects in it.
+ for context in $(ldapsearch -LLL -H "$ldapuri" -x -b '' \
+ -s base namingContexts 2>/dev/null | \
+ awk '/^namingContexts: / { print $2}') ; do
+ if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \
+ '(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \
+ egrep -q '^dn:|^Administrative limit exceeded' ; then
+ echo $context
+ return
+ fi
+ done
+ fi
+ echo $defaultcontext
+}
+
+lookup_kerberos_server() {
+ domain="$1"
+ if ping -c2 kerberos.$domain > /dev/null 2>&1; then
+ echo kerberos.$domain
+ else
+ host=$(host -t SRV _kerberos._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1)
+ if [ "$host" ] ; then
+ echo $host | sed 's/\.$//'
+ fi
+ fi
+}
+
+lookup_kerberos_realm() {
+ domain="$1"
+ realm=$(host -t txt _kerberos.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1|tr -d '"')
+ if [ -z "$realm" ] ; then
+ realm=$(echo $domain | tr a-z A-Z)
+ fi
+ echo $realm
+}
+
+
+generate_config() {
+ if [ "$1" ] ; then
+ domain=$1
+ else
+ domain="$(hostname -d)"
+ fi
+ kerberosrealm=$(lookup_kerberos_realm $domain)
+ ldapuri=$(lookup_ldap_uri "$domain")
+ if [ -z "$ldapuri" ];
then + # autodetection failed + return + fi + + ldapbase="$(lookup_ldap_base "$ldapuri")" + if [ -z "$ldapbase" ]; then + # autodetection failed + return + fi + kerberosserver=$(lookup_kerberos_server "$domain") + +cat < `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + purge) + rm -f /etc/sssd/sssd.conf + rmdir --ignore-fail-on-non-empty /etc/sssd/ + rm -rf /var/log/sssd/ + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- sssd-1.2.1.orig/debian/libpam-sss.prerm +++ sssd-1.2.1/debian/libpam-sss.prerm @@ -0,0 +1,5 @@ +#! /bin/sh -e + +pam-auth-update --package --remove sss + +#DEBHELPER# --- sssd-1.2.1.orig/debian/README.source +++ sssd-1.2.1/debian/README.source 
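Review bot: The DNS lookups in lookup_ldap_uri, lookup_kerberos_server and lookup_kerberos_realm filter only `NXDOMAIN` lines before taking the last field (`host … | grep -v NXDOMAIN | awk '{print $NF}' | head -1`), so any other diagnostic host(1) prints — a "has no SRV record" line when the domain exists but the record does not, or a "no servers could be reached" timeout — has its last word taken as the LDAP host, KDC or realm and written into the generated sssd.conf instead of falling through to the `-z` checks in generate_config. Because these values decide where the host sends user credentials, a wrong name is worse than an empty result; match the answer lines positively instead, e.g. `awk '/ has SRV record /{print $NF}'` for the two SRV lookups and `awk '/ descriptive text /{print $NF}'` for the TXT lookup, and let the existing empty-string fallbacks (the `tr a-z A-Z` realm guess and the early `return`) handle the miss. The tail of this hunk is garbled in this view: generate_config's body from `if [ -z "$ldapuri" ]; then` onward and the heredoc that writes the configuration are not visible, so the URI scheme and options it emits could not be reviewed here.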
@@ -0,0 +1,38 @@ +This package uses dpatch to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. + +To get the fully patched source after unpacking the source package, cd +to the root level of the source package and run: + + debian/rules patch + +Removing a patch is as simple as removing its entry from the +debian/patches/00list file, and please also remove the patch file +itself. + +Creating a new patch is done with "dpatch-edit-patch patch XX_patchname" +where you should replace XX with a new number and patchname with a +descriptive shortname of the patch. You can then simply edit all the +files your patch wants to edit, and then simply "exit 0" from the shell +to actually create the patch file. + +To tweak an already existing patch, call "dpatch-edit-patch XX_patchname" +and replace XX_patchname with the actual filename from debian/patches +you want to use. + +To clean up afterwards again, "debian/rules unpatch" will do the +work for you - or you can of course choose to call +"fakeroot debian/rules clean" all together. + + +--- + +this documentation is part of dpatch package, and may be used by +packages using dpatch to comply with policy on README.source. This +documentation is meant to be useful to users who are not proficient in +dpatch in doing work with dpatch-based packages. Please send any +improvements to the BTS of dpatch package. + +original text by Gerfried Fuchs, edited by Junichi Uekawa +10 Aug 2008. --- sssd-1.2.1.orig/debian/libpam-sss.install +++ sssd-1.2.1/debian/libpam-sss.install @@ -0,0 +1 @@ +lib/security/pam_sss.so --- sssd-1.2.1.orig/debian/sssd.install +++ sssd-1.2.1/debian/sssd.install 
@@ -0,0 +1,14 @@
+usr/lib/sssd/*
+usr/lib/lib*.so.*
+usr/lib/ldb/memberof.so
+usr/lib/krb5/plugins/libkrb5/*
+usr/share/locale/*/LC_MESSAGES/*
+usr/sbin/sssd
+usr/sbin/sss_useradd
+usr/sbin/sss_userdel
+usr/sbin/sss_usermod
+usr/sbin/sss_groupadd
+usr/sbin/sss_groupdel
+usr/sbin/sss_groupmod
+usr/share/man/man*/*
+usr/share/lintian/overrides/sssd
--- sssd-1.2.1.orig/debian/sssd.init
+++ sssd-1.2.1/debian/sssd.init
@@ -0,0 +1,87 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: sssd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Should-Start: $named
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: System Security Services Daemon
+# Description: Provides a set of daemons to manage access to
+# remote directories and authentication
+# mechanisms. It provides an NSS and PAM interface
+# toward the system and a pluggable backend system
+# to connect to multiple different account sources.
+### END INIT INFO
+# start on filesystem
+# stop on runlevel [06]
+
+DESCRIPTION="System Security Services Daemon"
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+NAME=sssd
+OPTIONS="-D"
+DAEMON_OPTS=""
+DAEMON=/usr/sbin/$NAME
+PIDFILE=/var/run/$NAME.pid
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+if [ -x /etc/default/sssd ] ; then
+ . /etc/default/sssd
+fi
+
+initdmain() {
+ case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESCRIPTION" "$NAME"
+ start_daemon -p $PIDFILE $DAEMON $OPTIONS $DAEMON_OPTS
+ RC=$?
+ case "$RC" in
+ 0)
+ [ "$VERBOSE" != no ] && log_end_msg $RC
+ ;;
+ *)
+ # Report error also when VERBOSE=no
+ log_daemon_msg "Starting $DESCRIPTION" "$NAME"
+ log_end_msg $RC
+ ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESCRIPTION" "$NAME"
+ killproc -p $PIDFILE $DAEMON
+ RC=$?
+ case "$RC" in
+ 0)
+ [ "$VERBOSE" != no ] && log_end_msg $RC
+ ;;
+ *)
+ # Report error also when VERBOSE=no
+ log_daemon_msg "Stopping $DESCRIPTION" "$NAME"
+ log_end_msg $RC
+ ;;
+ esac
+ ;;
+ force-reload|restart)
+ $0 stop
+ $0 start
+ ;;
+ status)
+ status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|status}"
+ exit 1
+ ;;
+ esac
+}
+
+initdmain $@
+
+exit 0
--- sssd-1.2.1.orig/debian/libpam-sss.pam-auth-update
+++ sssd-1.2.1/debian/libpam-sss.pam-auth-update
@@ -0,0 +1,21 @@
+Name: SSS authentication
+Default: yes
+Priority: 832
+
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_sss.so use_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_sss.so
+Account-Type: Additional
+Account:
+ [default=bad success=ok user_unknown=ignore] pam_sss.so
+Password-Type: Primary
+Password:
+ sufficient pam_sss.so use_authtok
+Password-Initial:
+ sufficient pam_sss.so
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ optional pam_sss.so
--- sssd-1.2.1.orig/debian/sssd.examples
+++ sssd-1.2.1/debian/sssd.examples
@@ -0,0 +1 @@
+src/examples/sssd.conf
--- sssd-1.2.1.orig/debian/libnss-sss.postrm
+++ sssd-1.2.1/debian/libnss-sss.postrm
@@ -0,0 +1,38 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+# This code was taken from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+remove_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+ perl -i -pe '
+ my @remove=(
+ "sss",
+ );
+ sub remove {
+ my $s=shift;
+ foreach my $bit (@remove) {
+ $s=~s/\s+\Q$bit\E//g;
+ }
+ return $s;
+ }
+ s/^(passwd:|group:|shadow:|netgroup:)(.*)/$1.remove($2)/e;
+ ' /etc/nsswitch.conf
+}
+
+action="$1"
+
+if [ "$action" = remove ]; then
+ remove_nss_entry
+fi
--- sssd-1.2.1.orig/debian/sssd.overrides
+++ sssd-1.2.1/debian/sssd.overrides
@@ -0,0 +1,4 @@
+# seems that dh_makeshlibs/cdbs adds these automatically to the maintainer
+# scripts
+postinst-has-useless-call-to-ldconfig
+postrm-has-useless-call-to-ldconfig
--- sssd-1.2.1.orig/debian/libpam-sss.postinst
+++ sssd-1.2.1/debian/libpam-sss.postinst
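Review bot: sssd.init always finishes with `exit 0`, so `start` and `stop` report success even when start_daemon or killproc failed: the non-zero branch of the inner `case "$RC"` only logs via `log_end_msg $RC` and then falls out of initdmain, which is the LSB status a service manager or a `&&` chain in another script would rely on. RC is a plain global assigned inside initdmain, so the two trailing lines can become `initdmain "$@"` and `exit ${RC:-0}`, which also quotes the argument pass-through (`initdmain $@` today). The `force-reload|restart` branch does not set RC, so it would need `RC=$?` after `$0 start` to propagate a failed restart the same way. The initdmain function starts on the previous physical line of this diff and is complete within the hunk.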
@@ -0,0 +1,40 @@
+#!/bin/sh
+# postinst script for sssd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ pam-auth-update --package
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- sssd-1.2.1.orig/debian/sssd.postinst
+++ sssd-1.2.1/debian/sssd.postinst
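Review bot: `pam-auth-update --package` in the configure branch enables the profile, but I do not see a matching libpam-sss.prerm in the visible part of this diff that calls `pam-auth-update --package --remove sss` on removal. Without it, /etc/pam.d/common-* keeps referencing pam_sss.so after the module file is gone until something else re-runs pam-auth-update, and with the account stanza's `default=bad` an unloadable module is treated as a failure, which can deny logins (please confirm against your pam-auth-update version). If a prerm exists outside this chunk, ignore this; otherwise the standard prerm is `if [ "$1" = remove ]; then pam-auth-update --package --remove sss; fi`.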
@@ -0,0 +1,54 @@
+#!/bin/sh
+# postinst script for sssd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ configure)
+ # Install default configuration file on package install
+ if [ -z "$2" ] && [ ! -e /etc/sssd/sssd.conf ]; then
+ /usr/lib/sssd/generate-config > /etc/sssd/sssd.conf.new
+ if [ ! -s /etc/sssd/sssd.conf.new ] ; then
+ rm /etc/sssd/sssd.conf.new
+ # autodetection failed, use static example
+ cat /usr/share/doc/sssd/examples/sssd.conf > /etc/sssd/sssd.conf
+ else
+ mv /etc/sssd/sssd.conf.new /etc/sssd/sssd.conf
+ fi
+ chmod 0600 /etc/sssd/sssd.conf
+ fi
+ # Fix configuration file on package upgrade
+ if dpkg --compare-versions "$2" lt-nl 1.0.2-0ubuntu1; then
+ /usr/lib/sssd/sssd/upgrade_config.py
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- sssd-1.2.1.orig/debian/libnss-sss.links
+++ sssd-1.2.1/debian/libnss-sss.links
@@ -0,0 +1 @@
+/lib/libnss_sss.so.2 /lib/libnss_sss.so
--- sssd-1.2.1.orig/debian/libnss-sss.install
+++ sssd-1.2.1/debian/libnss-sss.install
@@ -0,0 +1,2 @@
+lib/libnss_sss.so.2
+usr/share/lintian/overrides/libnss-sss
--- sssd-1.2.1.orig/debian/sssd.dirs
+++ sssd-1.2.1/debian/sssd.dirs
@@ -0,0 +1,7 @@
+etc/sssd
+var/lib/sss
+var/lib/sss/db
+var/lib/sss/pipes
+var/lib/sss/pipes/private
+var/lib/sss/pubconf
+var/log/sssd
--- sssd-1.2.1.orig/debian/patches/ldap-reject-zerolen-pwd.dpatch
+++ sssd-1.2.1/debian/patches/ldap-reject-zerolen-pwd.dpatch
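Review bot: The config is created by plain redirection on the `/usr/lib/sssd/generate-config > /etc/sssd/sssd.conf.new` and `cat ... > /etc/sssd/sssd.conf` lines with the inherited umask (typically 022, i.e. 0644) and only tightened by `chmod 0600` afterwards, so the file is briefly world-readable and anyone who opens it in that window keeps the descriptor; since the script itself treats the contents as sensitive, set `umask 077` as the first statement of the `configure)` branch so every file is born 0600. Two further things in the same branch: the fallback reads `/usr/share/doc/sssd/examples/sssd.conf`, which is absent on hosts that exclude /usr/share/doc via dpkg path-exclude and would then abort the install under `set -e` (policy asks maintainer scripts not to rely on /usr/share/doc); and the upgrade hook path `/usr/lib/sssd/sssd/upgrade_config.py` has a doubled `sssd` component and compares against an Ubuntu-specific version string, so please confirm the script is really installed there, as a missing file also aborts the upgrade.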
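Review bot: dh_installdirs creates `var/lib/sss/db` and `var/lib/sss/pipes/private` with 0755, and nothing in the visible diff tightens them afterwards; the db directory holds the identity cache (and hashed credentials when offline caching is enabled) and the private pipes directory the responder-to-backend sockets, which I believe upstream's own packaging installs as 0700 root-owned. Even if the files sssd writes there are themselves 0600, a world-searchable directory leaks names and lets local users probe the sockets, so consider `chmod 0700 /var/lib/sss/db /var/lib/sss/pipes/private` in the sssd postinst configure branch (or shipping the modes from the upstream install target).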
@@ -0,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+Patch fetched from 'https://bugzilla.redhat.com/attachment.cgi?id=439496'
+CVE-2010-2940
+
+From 8eeb47279a5a4559d9d7f911250d6164ab120897 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Wed, 18 Aug 2010 12:57:43 -0400
+Subject: [PATCH 9/9] Treat a zero-length password as a failure
+
+Some LDAP servers allow binding with blank passwords. We should
+not allow a blank password to authenticate the SSSD.
+---
+ src/providers/ldap/ldap_auth.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index b05e3075ce117fad17b87ffde257c80fc035b8c4..1a959d4cc45980fe5dd12db3460cc23f341466fd 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -557,6 +557,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
+ req = tevent_req_create(memctx, &state, struct auth_state);
+ if (!req) return NULL;
+
++ /* Treat a zero-length password as a failure */
++ if (password.length == 0) {
++ state->result = SDAP_AUTH_FAILED;
++ tevent_req_done(req);
++ return tevent_req_post(req, ev);
++ }
++
+ state->ev = ev;
+ state->ctx = ctx;
+ state->username = username;
+--
+1.7.2.1
--- sssd-1.2.1.orig/debian/patches/00list
+++ sssd-1.2.1/debian/patches/00list
@@ -0,0 +1,2 @@
+provide-default-working-sssd-config-file.dpatch
+ldap-reject-zerolen-pwd.dpatch
--- sssd-1.2.1.orig/debian/patches/provide-default-working-sssd-config-file.dpatch
+++ sssd-1.2.1/debian/patches/provide-default-working-sssd-config-file.dpatch
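Review bot: This dpatch has no `## DP:` description lines, so `dpatch list-all` and anyone auditing the security patches in this package see only the file name; the CVE id and origin are present but buried in free text after `@DPATCH@`, where they are just junk lines for patch(1). The sibling patch in this diff follows the convention, so for consistency add before `@DPATCH@`: `## DP: Treat a zero-length LDAP bind password as an authentication failure (CVE-2010-2940).` and `## DP: Upstream commit 8eeb47279a5a4559d9d7f911250d6164ab120897, fetched from https://bugzilla.redhat.com/attachment.cgi?id=439496`. The code change itself (rejecting `password.length == 0` before any bind is attempted) matches the upstream fix and needs no alteration.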
@@ -0,0 +1,38 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## provide-default-working-sssd-config-file.dpatch by Mathias Gug
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## Description: Provide a default configuration that is working.
+
+@DPATCH@
+diff -urNad l-new-upstream~/server/examples/sssd.conf l-new-upstream/server/examples/sssd.conf
+--- l-new-upstream~/src/examples/sssd.conf 2010-01-18 13:09:10.000000000 -0500
++++ l-new-upstream/src/examples/sssd.conf 2010-01-18 13:18:18.000000000 -0500
+@@ -13,7 +13,7 @@
+ # Add new domain configurations as [domain/] sections, and
+ # then add the list of domains (in the order you want them to be
+ # queried) to the "domains" attribute below and uncomment it.
+-; domains = LOCAL,LDAP
++domains = LOCAL
+
+ [nss]
+ # The following prevents SSSD from searching for the root user/group in
+@@ -45,12 +45,12 @@
+ # Example LOCAL domain that stores all users natively in the SSSD internal
+ # directory. These local users and groups are not visible in /etc/passwd; it
+ # now contains only root and system accounts.
+-; [domain/LOCAL]
+-; description = LOCAL Users domain
+-; id_provider = local
+-; enumerate = true
+-; min_id = 500
+-; max_id = 999
++[domain/LOCAL]
++description = LOCAL Users domain
++id_provider = local
++enumerate = true
++min_id = 500
++max_id = 999
+
+ # Example native LDAP domain
+ # ldap_schema can be set to "rfc2307", which uses the "memberuid" attribute
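Review bot: Uncommenting `min_id = 500` / `max_id = 999` turns a Fedora-oriented example into a live default on Debian, where 100–999 is the dynamically allocated system user/group range, so a LOCAL-domain user created with sss_useradd can end up sharing a UID with a system account adduser later places in /etc/passwd, and the surrounding comment ("it now contains only root and system accounts") no longer describes the Debian layout. Because the sssd postinst copies this example into /etc/sssd/sssd.conf whenever autodetection produces nothing, this range is what fresh installs actually run with; move it out of the system range, e.g. `min_id = 10000` / `max_id = 19999`, or make the `id_provider = local` domain opt-in. Also consider whether `enumerate = true` belongs in a default: it lets any local user list every account in the domain and is usually disabled for anything but tiny test setups. The `## Description:` header should then mention the Debian-specific ID range so the next maintainer knows why it differs from upstream.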