public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] sssd: Update to version 2.9.2-1
Date: Thu, 21 Sep 2023 18:05:52 +0100
Message-ID: <1DC37608-BF70-4655-982F-FF662BA76ECE@ipfire.org>
In-Reply-To: <ef095cba-69e7-47de-a216-0b871ee861c1@ipfire.org>


Hello Adolf,

Yes, this used to be a problem because of a compiler bug in GCC.

This afternoon I asked Stefan to have a look at this since he has resolved this before, but it looks like updating the packages does the job as well.

I merged your patchset, tested it and it works. So I pushed it just now and hopefully a couple more packages should build as they are waiting for a working version of libtalloc, etc.

Best,
-Michael

> On 21 Sep 2023, at 10:17, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi All,
> 
> I see that the x86_64 build of sssd is failing due to lack of
> libldb-devel and the aarch64 due to lack of
> libtalloc-devel
> 
> Both are listed in the requires section. On my local build system I initially had the same message about libldb-devel but I then cleared my cache and rebuilt sssd, which forced building of all the other packages and then sssd built without any problems.
> 
> This might be the problem we had occasionally over the weekend where the pakfire build took the wrong version or didn't build all the dependencies correctly.
> 
> I am currently working on samba and that is requiring newer versions of libtalloc and libldb and a few others so when I have that working and submitted those dependencies will be newer. Maybe that will also help with sssd.
> 
> Regards,
> 
> Adolf.
> 
> 
> On 20/09/2023 22:44, Adolf Belka wrote:
>> - IPFire-3.x
>> - Update from version 2.8.2-2 to 2.9.2-1
>> - version 2.8.2-2 was failing to build.
>> - Initially version 2.9.2-1 failed with the same error messages.
>>    /usr/lib/sssd/sss_analyze [INVALID-INTERPRETER]
>>    There were also the following two messages in the log
>>    "/usr/lib/sssd/sss_analyze: Found command python ((null))
>>     /usr/lib/sssd/sss_analyze: Could not find path for command python"
>>   Based on the above error I checked sss_analyze and found the following first line
>>    "#!/usr/bin/env python" but the python program in IPFire is called python3
>>   Added the sed line to change python to python3 and the build then was successful.
>> - Changelog
>>     2.9.2
>> Highlights
>> SSSD 2.9 branch is now in long-term maintenance (LTM) phase.
>> General information
>>     libkrb5-1.21 can now be used to build PAC plugin.
>>     sssctl cert-show and cert-show cert-eval-rule can now be run as non-root
>>      user.
>> Important fixes
>>     SSSD does no longer crash if PIN is introduced but the tactile trigger
>>      isn’t pressed during passkey authentication.
>>     SSSD can now recover if memory-cache files under /var/lib/sss/mc were
>>      truncated while SSSD is running.
>>     Chaining of identical D-Bus requests that run in parallel to avoid
>>      multiple backend queries works again.
>> Configuration changes
>>     New option local_auth_policy is added to control which offline
>>      authentication methods will be enabled by SSSD. This option is relevant
>>      for authentication methods which have online, and offline capability
>>      such as passkey, and smartcard authentication. The default value match
>>      sets the offline methods to their corresponding online value. This
>>      enables offline authentication when online kerberos pre-authentication
>>      such as PKINIT, or passkey is supported by the backend, note that
>>      online methods will still be attempted first. Option value only can be
>>      used to disable online authentication entirely, or the value
>>      enable:method to explicitly enable specific authentication methods,
>>      e.g. enable:passkey.
>> Tickets Fixed
>>     #5198 - monatomically should have been monotonically
>>     #6733 - New covscan errors in ‘passkey’ code
>>     #6802 - sss_certmap_test fail in v2.9.1 on Arch Linux
>>     #6803 - [sssd] SSSD enters failed state after heavy load in the system
>>     #6889 - Crash in pam_passkey_auth_done
>>     #6911 - SBUS chaining is broken for getAccountInfo and other internal
>>             D-Bus calls
>>     2.9.1
>> New features
>>     Passkey: added option to write key mapping data to file.
>> Important fixes
>>     A regression was fixed that prevented autofs lookups to function
>>      correctly when cache_first is set to True. Since this was set as a
>>      new default value in sssd-2.9.0, it is considered as a regression.
>>     A regression where SSSD failed to properly watch for changes in
>>      ‘/etc/resolv.conf’ when it was a symbolic link or was a relative path,
>>      was fixed.
>> Tickets Fixed
>>     #6442 - PAC errors when no PAC configured
>>     #6652 - IPA: previously cached netgroup member is not remove correctly
>>     after it is removed from ipa
>>     #6659 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988
>>     error 4 in libc-2.28.so[7f16b5e72000+1bc000]
>>     #6718 - file_watch-tests fail in v2.9.0 on Arch Linux
>>     #6720 - [sssd] User lookup on IPA client fails with ‘s2n get_fqlist
>>     request failed’
>>     #6739 - autofs mounts: Access to non-existent file very slow since 2.9.0
>>     #6744 - sssd-be tends to run out of system resources, hitting the
>>     maximum number of open files
>>     #6766 - [RHEL8] sssd : AD user login problem when modify
>>     ldap_user_name= name and restricted by GPO Policy
>>     #6768 - [RHEL8] sssd attempts LDAP password modify extended op after
>>     BIND failure
>>     2.9.0
>> General information
>>     sss_simpleifp library is deprecated and might be removed in further
>>      releases. Those who are interested to keep using it awhile should
>>      configure its build explicitly using --with-libsifp ./configure option.
>>     “Files provider” (i.e. id_provider = files) is deprecated and might be
>>      removed in further releases. Those who are interested to keep using it
>>      awhile should configure its build explicitly using
>>      --with-files-provider ./configure option. Or consider using
>>      “Proxy provider” with proxy_lib_name = files instead.
>>     Previously deprecated --enable-files-domain configure option, which was
>>      used to manage default value of the enable_files_domain config option,
>>      is now removed.
>>     Long time unused ‘--enable-all-experimental-features’ configure option
>>      was removed.
>>     SSSD will no longer warn about changed defaults when using
>>      ldap_schema = rfc2307 and default autofs mapping. This warning was
>>      introduced in 1.14 to loudly warn about different default values.
>> New features
>>     New passkey functionality, which will allow the use of FIDO2 compliant
>>      devices to authenticate a centrally managed user locally. Moreover, in
>>      the case of a FreeIPA user, it can also issue a Kerberos ticket
>>      automatically with upcoming FreeIPA version 4.11.
>>     Add support for ldapi:// URLs to allow connections to local LDAP servers
>>     NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname
>> Note: support for passkey is in its initial phase and the authentication
>>       policy will be adjusted in future versions.
>> Packaging changes for passkey
>>     Include passkey subpackage and dependency for libfido2.
>> Configuration changes for passkey
>>     New options to enable and tune passkey behavior: pam_passkey_auth,
>>      ldap_user_passkey, passkey_verification, passkey_child_timeout,
>>      interactive, interactive_prompt, touch and touch_prompt.
>>     --with-passkey is a new configuration option to enable building passkey
>>      authentication.
>> Important fixes
>>     A regression when running sss_cache when no SSSD domain is enabled
>>      would produce a syslog critical message was fixed.
>> Configuration changes
>>     Default value of cache_first option was changed to true in case SSSD
>>      is built without files provider.
>>     ipa_access_order parameter introduced. It behaves much like
>>      ldap_access_order but affects IPA domains (id_provider = ipa) and
>>      accepts limited values. Please see sssd-ipa(5) for more information.
>> Tickets Fixed
>>     #5390 - sssd failing to register dynamic DNS addresses against an AD
>>     server due to unnecessary DNS search
>>     #6383 - sssd is not waiting for network-online.target
>>     #6403 - Add new Active Directory related certificate mapping templates
>>     #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
>>     #6451 - UPN check cannot be disabled explicitly but requires
>>     krb5_validate = false’ as a work-around
>>     #6479 - Smart Card auth does not work with p11_uri
>>     (with-smartcard-required)
>>     #5080 - [RFE] - Show password expiration warning when IdM users login
>>     with SSH keys
>>     #5390 - sssd failing to register dynamic DNS addresses against an AD
>>     server due to unnecessary DNS search
>>     #6228 - Enable passkey authentication in a centralized environment
>>     #6324 - coredump occurs when I restart sssd-ifp.service with
>>     sssd.service is inactive
>>     #6357 - KCM erroneously changes primary cache when renewing credentials
>>     #6360 - [D-Bus] ListByName() returns several times the same entry
>>     #6361 - [D-Bus] ListByName() fails when not using wildcards
>>     #6383 - sssd is not waiting for network-online.target
>>     #6387 - Fatal errors in log during Anaconda installation:
>>     “CRIT sss_cache:No domains configured, fatal error!”
>>     #6398 - [D-Bus] Groups.ListByName() and Groups.ListByDomainAndName()
>>     not working
>>     #6403 - Add new Active Directory related certificate mapping templates
>>     #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
>>     #6451 - UPN check cannot be disabled explicitly but requires
>>     krb5_validate = false’ as a work-around
>>     #6465 - SBUS:A core dump occurs when dbus_server_get_address()
>>     #6477 - changing password with ldap_password_policy = shadow does not
>>     take effect immediately
>>     #6479 - Smart Card auth does not work with p11_uri
>>     (with-smartcard-required)
>>     #6487 - implicit declaration of function fgetpwent in test_negcache_2.c
>>     #6505 - SSS_CLIENT: general library destructor should cancel
>>     thread-at-exit destructors
>>     #6531 - FAST/OTP with Anonymous PKINIT - oddly requires a keytab to
>>     exist (can be a bogus keytab)
>>     #6544 - AD: Nested group processing can fail or return invalid members
>>     (security issue)
>>     #6548 - sssd-ipa
>>     #6551 - passkey_child cannot be used to register passkey due to too
>>     strict permissions
>>     #6558 - enabling passkey authentication breaks idp support
>>     #6565 - Improvement: sss_client: add ‘getsidbyusername()’ and
>>     ‘getsidbygroupname()’ and corresponding python bindings
>>     #6588 - Integration Tests:The sssd_hosts module is missing in release
>>     tarball
>>     #6592 - pid wrapping caused sss_cli_check_socket to close the file
>>     descriptor opened by the process
>>     #6600 - [sssd] Auth fails if client cannot speak to forest root domain
>>     (ldap_sasl_interactive_bind_s failed)
>>     #6610 - BUILD: Clear compilation alarms.
>>     #6612 - MIT Kerberos confusion over password expiry
>>     #6617 - filter_groups doesn’t filter GID from ‘id’ output: AD +
>>     ‘ldap_id_mapping = True’ corner case
>>     #6626 - Unable to lookup AD user from child domain
>>     (or “make filtering of the domains more configurable”)
>>     #6635 - sss allows extraneous @ characters prefixed to username
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>>  sssd/sssd.nm | 7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
>> diff --git a/sssd/sssd.nm b/sssd/sssd.nm
>> index 90d804469..5f3a4ecd4 100644
>> --- a/sssd/sssd.nm
>> +++ b/sssd/sssd.nm
>> @@ -4,8 +4,8 @@
>>  ###############################################################################
>>    name       = sssd
>> -version    = 2.8.2
>> -release    = 2
>> +version    = 2.9.2
>> +release    = 1
>>    groups     = System/Tools
>>  url        = https://github.com/SSSD/sssd
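
Review bot: Nothing besides `version` and `release` changes in the package header, although the bump crosses 2.9.0, for which the changelog in this commit message lists build-time changes: the files provider is only built with --with-files-provider, --enable-files-domain is removed, and passkey support sits behind --with-passkey with a libfido2 dependency. The diffstat shows no change to configure options or build requirements, so please say in the commit message whether these were checked and whether the files provider and passkey support are meant to be built for IPFire.
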
>> @@ -95,6 +95,9 @@ build
>>     # Drop /var/run
>>   rm -rvf %{BUILDROOT}%{localstatedir}/run
>> + 
>> + # Change python to python3 in sss_analyze file
>> + sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python3|g' %{BUILDROOT}/usr/lib/sssd/sss_analyze
>>   end
>>  end
>>  
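
Review bot: The `sed` expression on the added line is unanchored and carries `g`, so it rewrites every occurrence of `#!/usr/bin/env python` in sss_analyze, and once upstream ships `#!/usr/bin/env python3` it would turn that into `python33`. Limiting it to the first line and the exact string, for example `sed -i '1s|^#!/usr/bin/env python$|#!/usr/bin/env python3|'`, keeps the step idempotent across future updates. The whitespace-only `+` line ahead of the comment can be dropped as well.
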
> 
> -- 
> Sent from my laptop
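
The kind of check that flagged sss_analyze in the commit message above, together with a first-line-only fix, as an added example that is not part of the thread and not pakfire's own implementation. The function names and the three search directories are assumptions made for the example, and `sed -i` assumes GNU or BusyBox sed.

```shell
# Print the command a shebang line runs; print nothing for other lines.
shebang_cmd() {
    case "$1" in '#!'*) ;; *) return 0 ;; esac
    set -f; set -- ${1#??}; set +f   # drop "#!", split into words, no globbing
    if [ "${1##*/}" = env ]; then    # "#!/usr/bin/env [options] command"
        shift
        while [ $# -gt 0 ]; do
            case "$1" in -*|*=*) shift ;; *) break ;; esac
        done
    fi
    printf '%s\n' "${1-}"
}

# $1 = command, $2 = root to resolve in ("" = live system); directories assumed.
resolves() {
    case "$1" in
        /*) [ -x "$2$1" ] ;;
        *)  for d in /usr/local/bin /usr/bin /bin; do
                [ -x "$2$d/$1" ] && return 0
            done
            return 1 ;;
    esac
}

# Print "file: command" for each script under $1 whose command is missing in $2.
find_bad_shebangs() {
    find "$1" -type f | while IFS= read -r f; do
        cmd=$(shebang_cmd "$(sed -n '1{/^#!/p;q;}' "$f")")
        [ -n "$cmd" ] || continue
        resolves "$cmd" "$2" || printf '%s: %s\n' "$f" "$cmd"
    done
}

# Rewrite only an exact "#!/usr/bin/env python" on line 1; python3 stays as is.
fix_python_shebang() {
    sed -i '1s|^#!/usr/bin/env python$|#!/usr/bin/env python3|' "$1"
}

# Constructed sample tree holding the shebang quoted in the commit message.
demo() {
    r=$(mktemp -d); mkdir -p "$r/usr/bin" "$r/usr/lib/sssd"
    : > "$r/usr/bin/python3"; chmod +x "$r/usr/bin/python3"
    printf '#!/usr/bin/env python\n' > "$r/usr/lib/sssd/sss_analyze"
    find_bad_shebangs "$r/usr/lib" "$r"      # before the fix
    fix_python_shebang "$r/usr/lib/sssd/sss_analyze"
    find_bad_shebangs "$r/usr/lib" "$r"      # after the fix
    rm -rf "$r"
}
demo
```
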


