Hello Adolf, Yes, this used to be a problem because of a compiler bug in GCC. This afternoon I asked Stefan to have a look at this since he has resolved this before, but it looks like updating the packages does the job as well. I merged your patchset, tested it and it works. So I pushed it just now and hopefully a couple more packages should build as they are waiting for a working version of libtalloc, etc. Best, -Michael > On 21 Sep 2023, at 10:17, Adolf Belka wrote: > > Hi All, > > I see that the x86_64 build of sssd is failing due to lack of > libldb-devel and the aarch64 due to lack of > libtalloc-devel > > Both are listed in the requires section. On my local build system I initially had the same message about libldb-devel but I then cleared my cache and rebuilt sssd, which forced building of all the other packages and then sssd built without any problems. > > This might be the problem we had occasionally over the weekend where the pakfire build took the wrong version or didn't build all the dependencies correctly. > > I am currently working on samba and that is requiring newer versions of libtalloc and libldb and a few others so when i have that working and submitted those dependencies will be newer. Maybe that will also help with sssd. > > Regards, > > Adolf. > > > On 20/09/2023 22:44, Adolf Belka wrote: >> - IPFire-3.x >> - Update from version 2.8.2-2 to 2.9.2-1 >> - version 2.8.2-2 was failing to build. >> - Initially version 2.9.2-1 failed with the same error messages. >> /usr/lib/sssd/sss_analyze [INVALID-INTERPRETER] >> There was also the following two messages in the log >> "/usr/lib/sssd/sss_analyze: Found command python ((null)) >> /usr/lib/sssd/sss_analyze: Could not find path for command python" >> Based on the above error I checked sss_analyze and found the following first line >> "#!/usr/bin/env python" but the python program in IPFire is called python3 >> Added the sed line to change python to python3 and the build then was successful. >> - Changelog >> 2.9.2 >> Highlights >> SSSD 2.9 branch is now in long-term maintenance (LTM) phase. >> General information >> libkrb5-1.21 can now be used to build PAC plugin. >> sssctl cert-show and cert-show cert-eval-rule can now be run as non-root >> user. >> Important fixes >> SSSD does no longer crash if PIN is introduced but the tactile trigger >> isn’t pressed during passkey authentication. >> SSSD can now recover if memory-cache files under /var/lib/sss/mc where >> truncated while SSSD is running. >> Chaining of identical D-Bus requests that run in parallel to avoid >> multiple backend queries works again. >> Configuration changes >> New option local_auth_policy is added to control which offline >> authentication methods will be enabled by SSSD. This option is relevant >> for authentication methods which have online, and offline capability >> such as passkey, and smartcard authentication. The default value match >> sets the offline methods to their corresponding online value. This >> enables offline authentication when online kerberos pre-authentication >> such as PKINIT, or passkey is supported by the backend, note that >> online methods will still be attempted first. Option value only can be >> used to disable online authentication entirely, or the value >> enable:method to explicitly enable specific authentication methods, >> e.g. enable:passkey. >> Tickets Fixed >> #5198 - monatomically should have been monotonically >> #6733 - New covscan errors in ‘passkey’ code >> #6802 - sss_certmap_test fail in v2.9.1 on Arch Linux >> #6803 - [sssd] SSSD enters failed state after heavy load in the system >> #6889 - Crash in pam_passkey_auth_done >> #6911 - SBUS chaining is broken for getAccountInfo and other internal >> D-Bus calls >> 2.9.1 >> New features >> Passkey: added option to write key mapping data to file. >> Important fixes >> A regression was fixed that prevented autofs lookups to function >> correctly when cache_first is set to True. Since this was set as a >> new default value in sssd-2.9.0, it is considered as a regression. >> A regression where SSSD failed to properly watch for changes in >> ‘/etc/resolv.conf’ when it was a symbolic link or was a relative path, >> was fixed. >> Tickets Fixed >> #6442 - PAC errors when no PAC configured >> #6652 - IPA: previously cached netgroup member is not remove correctly >> after it is removed from ipa >> #6659 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 >> error 4 in libc-2.28.so[7f16b5e72000+1bc000] >> #6718 - file_watch-tests fail in v2.9.0 on Arch Linux >> #6720 - [sssd] User lookup on IPA client fails with ‘s2n get_fqlist >> request failed’ >> #6739 - autofs mounts: Access to non-existent file very slow since 2.9.0 >> #6744 - sssd-be tends to run out of system resources, hitting the >> maximum number of open files >> #6766 - [RHEL8] sssd : AD user login problem when modify >> ldap_user_name= name and restricted by GPO Policy >> #6768 - [RHEL8] sssd attempts LDAP password modify extended op after >> BIND failure >> 2.9.0 >> General information >> sss_simpleifp library is deprecated and might be removed in further >> releases. Those who are interested to keep using it awhile should >> configure its build explicitly using --with-libsifp ./configure option. >> “Files provider” (i.e. id_provider = files) is deprecated and might be >> removed in further releases. Those who are interested to keep using it >> awhile should configure its build explicitly using >> --with-files-provider ./configure option. Or consider using >> “Proxy provider” with proxy_lib_name = files instead. >> Previously deprecated --enable-files-domain configure option, which was >> used to manage default value of the enable_files_domain config option, >> is now removed. >> Long time unused ‘–enable-all-experimental-features’ configure option >> was removed. >> SSSD will no longer warn about changed defaults when using >> ldap_schema = rfc2307 and default autofs mapping. This warning was >> introduced in 1.14 to loudly warn about different default values. >> New features >> New passkey functionality, which will allow the use of FIDO2 compliant >> devices to authenticate a centrally managed user locally. Moreover, in >> the case of a FreeIPA user, it can also issue a Kerberos ticket >> automatically with upcoming FreeIPA version 4.11. >> Add support for ldapi:// URLs to allow connections to local LDAP servers >> NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname >> Note: support for passkey is in its initial phase and the authentication >> policy will be adjusted in future versions. >> Packaging changes for passkey >> Include passkey subpackage and dependency for libfido2. >> Configuration changes for passkey >> New options to enable and tune passkey behavior: pam_passkey_auth, >> ldap_user_passkey, passkey_verification, passkey_child_timeout, >> interactive, interactive_prompt, touch and touch_prompt. >> --with-passkey is a new configuration option to enable building passkey >> authentication. >> Important fixes >> A regression when running sss_cache when no SSSD domain is enabled >> would produce a syslog critical message was fixed. >> Configuration changes >> Default value of cache_first option was changed to true in case SSSD >> is built without files provider. >> ipa_access_order parameter introduced. It behaves much like >> ldap_access_order but affects IPA domains (id_provider = ipa) and >> accepts limited values. Please see sssd-ipa(5) for more information. >> Tickets Fixed >> #5390 - sssd failing to register dynamic DNS addresses against an AD >> server due to unnecessary DNS search >> #6383 - sssd is not waiting for network-online.target >> #6403 - Add new Active Directory related certificate mapping templates >> #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD >> #6451 - UPN check cannot be disabled explicitly but requires >> krb5_validate = false’ as a work-around >> #6479 - Smart Card auth does not work with p11_uri >> (with-smartcard-required) >> #5080 - [RFE] - Show password expiration warning when IdM users login >> with SSH keys >> #5390 - sssd failing to register dynamic DNS addresses against an AD >> server due to unnecessary DNS search >> #6228 - Enable passkey authentication in a centralized environment >> #6324 - coredump occurs when I restart sssd-ifp.service with >> sssd.service is inactive >> #6357 - KCM erroneously changes primary cache when renewing credentials >> #6360 - [D-Bus] ListByName() returns several times the same entry >> #6361 - [D-Bus] ListByName() fails when not using wildcards >> #6383 - sssd is not waiting for network-online.target >> #6387 - Fatal errors in log during Anaconda installation: >> “CRIT sss_cache:No domains configured, fatal error!” >> #6398 - [D-Bus] Groups.ListByName() and Groups.ListByDomainAndName() >> not working >> #6403 - Add new Active Directory related certificate mapping templates >> #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD >> #6451 - UPN check cannot be disabled explicitly but requires >> krb5_validate = false’ as a work-around >> #6465 - SBUS:A core dump occurs when dbus_server_get_address() >> #6477 - changing password with ldap_password_policy = shadow does not >> take effect immediately >> #6479 - Smart Card auth does not work with p11_uri >> (with-smartcard-required) >> #6487 - implicit declaration of function fgetpwent in test_negcache_2.c >> #6505 - SSS_CLIENT: general library destructor should cancel >> thread-at-exit destructors >> #6531 - FAST/OTP with Anonymous PKINIT - oddly requires a keytab to >> exist (can be a bogus keytab) >> #6544 - AD: Nested group processing can fail or return invalid members >> (security issue) >> #6548 - sssd-ipa >> #6551 - passkey_child cannot be used to register passkey due to too >> strict permissions >> #6558 - enabling passkey authentication breaks idp support >> #6565 - Improvement: sss_client: add ‘getsidbyusername()’ and >> ‘getsidbygroupname()’ and corresponding python bindings >> #6588 - Integration Tests:The sssd_hosts module is missing in release >> tarball >> #6592 - pid wrapping caused sss_cli_check_socket to close the file >> descriptor opened by the process >> #6600 - [sssd] Auth fails if client cannot speak to forest root domain >> (ldap_sasl_interactive_bind_s failed) >> #6610 - BUILD: Clear compilation alarms. >> #6612 - MIT Kerberos confusion over password expiry >> #6617 - filter_groups doesn’t filter GID from ‘id’ output: AD + >> ‘ldap_id_mapping = True’ corner case >> #6626 - Unable to lookup AD user from child domain >> (or “make filtering of the domains more configurable”) >> #6635 - sss allows extraneous @ characters prefixed to username >> Signed-off-by: Adolf Belka >> --- >> sssd/sssd.nm | 7 +++++-- >> 1 file changed, 5 insertions(+), 2 deletions(-) >> diff --git a/sssd/sssd.nm b/sssd/sssd.nm >> index 90d804469..5f3a4ecd4 100644 >> --- a/sssd/sssd.nm >> +++ b/sssd/sssd.nm >> @@ -4,8 +4,8 @@ >> ############################################################################### >> name = sssd >> -version = 2.8.2 >> -release = 2 >> +version = 2.9.2 >> +release = 1 >> groups = System/Tools >> url = https://github.com/SSSD/sssd >> @@ -95,6 +95,9 @@ build >> # Drop /var/run >> rm -rvf %{BUILDROOT}%{localstatedir}/run >> + >> + # Change python to python3 in sss_analyze file >> + sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python3|g' %{BUILDROOT}/usr/lib/sssd/sss_analyze >> end >> end >> > > -- > Sent from my laptop