From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH] sssd: Update to version 2.9.2-1
Date: Thu, 21 Sep 2023 11:17:20 +0200
Message-ID:
In-Reply-To: <20230920204419.415768-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0322321069255610763=="
List-Id:

--===============0322321069255610763==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi All,

I see that the x86_64 build of sssd is failing due to lack of libldb-devel and the aarch64 due to lack of libtalloc-devel.

Both are listed in the requires section. On my local build system I initially had the same message about libldb-devel but I then cleared my cache and rebuilt sssd, which forced building of all the other packages and then sssd built without any problems.

This might be the problem we had occasionally over the weekend where the pakfire build took the wrong version or didn't build all the dependencies correctly.

I am currently working on samba and that is requiring newer versions of libtalloc and libldb and a few others so when I have that working and submitted those dependencies will be newer. Maybe that will also help with sssd.

Regards,

Adolf.

On 20/09/2023 22:44, Adolf Belka wrote:
> - IPFire-3.x
> - Update from version 2.8.2-2 to 2.9.2-1
> - version 2.8.2-2 was failing to build.
> - Initially version 2.9.2-1 failed with the same error messages.
>   /usr/lib/sssd/sss_analyze [INVALID-INTERPRETER]
>   There was also the following two messages in the log
>   "/usr/lib/sssd/sss_analyze: Found command python ((null))
>   /usr/lib/sssd/sss_analyze: Could not find path for command python"
>   Based on the above error I checked sss_analyze and found the following first line
>   "#!/usr/bin/env python" but the python program in IPFire is called python3
>   Added the sed line to change python to python3 and the build then was successful.
> - Changelog
>   2.9.2
>     Highlights
>       SSSD 2.9 branch is now in long-term maintenance (LTM) phase.
>     General information
>       libkrb5-1.21 can now be used to build PAC plugin.
>       sssctl cert-show and cert-show cert-eval-rule can now be run as non-root
>         user.
>     Important fixes
>       SSSD does no longer crash if PIN is introduced but the tactile trigger
>         isn’t pressed during passkey authentication.
>       SSSD can now recover if memory-cache files under /var/lib/sss/mc where
>         truncated while SSSD is running.
>       Chaining of identical D-Bus requests that run in parallel to avoid
>         multiple backend queries works again.
>     Configuration changes
>       New option local_auth_policy is added to control which offline
>         authentication methods will be enabled by SSSD. This option is relevant
>         for authentication methods which have online, and offline capability
>         such as passkey, and smartcard authentication. The default value match
>         sets the offline methods to their corresponding online value. This
>         enables offline authentication when online kerberos pre-authentication
>         such as PKINIT, or passkey is supported by the backend, note that
>         online methods will still be attempted first. Option value only can be
>         used to disable online authentication entirely, or the value
>         enable:method to explicitly enable specific authentication methods,
>         e.g. enable:passkey.
>     Tickets Fixed
>       #5198 - monatomically should have been monotonically
>       #6733 - New covscan errors in ‘passkey’ code
>       #6802 - sss_certmap_test fail in v2.9.1 on Arch Linux
>       #6803 - [sssd] SSSD enters failed state after heavy load in the system
>       #6889 - Crash in pam_passkey_auth_done
>       #6911 - SBUS chaining is broken for getAccountInfo and other internal
>         D-Bus calls
>   2.9.1
>     New features
>       Passkey: added option to write key mapping data to file.
>     Important fixes
>       A regression was fixed that prevented autofs lookups to function
>         correctly when cache_first is set to True. Since this was set as a
>         new default value in sssd-2.9.0, it is considered as a regression.
>       A regression where SSSD failed to properly watch for changes in
>         ‘/etc/resolv.conf’ when it was a symbolic link or was a relative path,
>         was fixed.
>     Tickets Fixed
>       #6442 - PAC errors when no PAC configured
>       #6652 - IPA: previously cached netgroup member is not remove correctly
>         after it is removed from ipa
>       #6659 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988
>         error 4 in libc-2.28.so[7f16b5e72000+1bc000]
>       #6718 - file_watch-tests fail in v2.9.0 on Arch Linux
>       #6720 - [sssd] User lookup on IPA client fails with ‘s2n get_fqlist
>         request failed’
>       #6739 - autofs mounts: Access to non-existent file very slow since 2.9.0
>       #6744 - sssd-be tends to run out of system resources, hitting the
>         maximum number of open files
>       #6766 - [RHEL8] sssd : AD user login problem when modify
>         ldap_user_name= name and restricted by GPO Policy
>       #6768 - [RHEL8] sssd attempts LDAP password modify extended op after
>         BIND failure
>   2.9.0
>     General information
>       sss_simpleifp library is deprecated and might be removed in further
>         releases. Those who are interested to keep using it awhile should
>         configure its build explicitly using --with-libsifp ./configure option.
>       “Files provider” (i.e. id_provider = files) is deprecated and might be
>         removed in further releases. Those who are interested to keep using it
>         awhile should configure its build explicitly using
>         --with-files-provider ./configure option. Or consider using
>         “Proxy provider” with proxy_lib_name = files instead.
>       Previously deprecated --enable-files-domain configure option, which was
>         used to manage default value of the enable_files_domain config option,
>         is now removed.
>       Long time unused ‘–enable-all-experimental-features’ configure option
>         was removed.
>       SSSD will no longer warn about changed defaults when using
>         ldap_schema = rfc2307 and default autofs mapping. This warning was
>         introduced in 1.14 to loudly warn about different default values.
>     New features
>       New passkey functionality, which will allow the use of FIDO2 compliant
>         devices to authenticate a centrally managed user locally. Moreover, in
>         the case of a FreeIPA user, it can also issue a Kerberos ticket
>         automatically with upcoming FreeIPA version 4.11.
>       Add support for ldapi:// URLs to allow connections to local LDAP servers
>       NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname
>       Note: support for passkey is in its initial phase and the authentication
>         policy will be adjusted in future versions.
>     Packaging changes for passkey
>       Include passkey subpackage and dependency for libfido2.
>     Configuration changes for passkey
>       New options to enable and tune passkey behavior: pam_passkey_auth,
>         ldap_user_passkey, passkey_verification, passkey_child_timeout,
>         interactive, interactive_prompt, touch and touch_prompt.
>       --with-passkey is a new configuration option to enable building passkey
>         authentication.
>     Important fixes
>       A regression when running sss_cache when no SSSD domain is enabled
>         would produce a syslog critical message was fixed.
>     Configuration changes
>       Default value of cache_first option was changed to true in case SSSD
>         is built without files provider.
>       ipa_access_order parameter introduced. It behaves much like
>         ldap_access_order but affects IPA domains (id_provider = ipa) and
>         accepts limited values. Please see sssd-ipa(5) for more information.
>     Tickets Fixed
>       #5390 - sssd failing to register dynamic DNS addresses against an AD
>         server due to unnecessary DNS search
>       #6383 - sssd is not waiting for network-online.target
>       #6403 - Add new Active Directory related certificate mapping templates
>       #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
>       #6451 - UPN check cannot be disabled explicitly but requires
>         krb5_validate = false’ as a work-around
>       #6479 - Smart Card auth does not work with p11_uri
>         (with-smartcard-required)
>       #5080 - [RFE] - Show password expiration warning when IdM users login
>         with SSH keys
>       #5390 - sssd failing to register dynamic DNS addresses against an AD
>         server due to unnecessary DNS search
>       #6228 - Enable passkey authentication in a centralized environment
>       #6324 - coredump occurs when I restart sssd-ifp.service with
>         sssd.service is inactive
>       #6357 - KCM erroneously changes primary cache when renewing credentials
>       #6360 - [D-Bus] ListByName() returns several times the same entry
>       #6361 - [D-Bus] ListByName() fails when not using wildcards
>       #6383 - sssd is not waiting for network-online.target
>       #6387 - Fatal errors in log during Anaconda installation:
>         “CRIT sss_cache:No domains configured, fatal error!”
>       #6398 - [D-Bus] Groups.ListByName() and Groups.ListByDomainAndName()
>         not working
>       #6403 - Add new Active Directory related certificate mapping templates
>       #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
>       #6451 - UPN check cannot be disabled explicitly but requires
>         krb5_validate = false’ as a work-around
>       #6465 - SBUS:A core dump occurs when dbus_server_get_address()
>       #6477 - changing password with ldap_password_policy = shadow does not
>         take effect immediately
>       #6479 - Smart Card auth does not work with p11_uri
>         (with-smartcard-required)
>       #6487 - implicit declaration of function fgetpwent in test_negcache_2.c
>       #6505 - SSS_CLIENT: general library destructor should cancel
>         thread-at-exit destructors
>       #6531 - FAST/OTP with Anonymous PKINIT - oddly requires a keytab to
>         exist (can be a bogus keytab)
>       #6544 - AD: Nested group processing can fail or return invalid members
>         (security issue)
>       #6548 - sssd-ipa
>       #6551 - passkey_child cannot be used to register passkey due to too
>         strict permissions
>       #6558 - enabling passkey authentication breaks idp support
>       #6565 - Improvement: sss_client: add ‘getsidbyusername()’ and
>         ‘getsidbygroupname()’ and corresponding python bindings
>       #6588 - Integration Tests：The sssd_hosts module is missing in release
>         tarball
>       #6592 - pid wrapping caused sss_cli_check_socket to close the file
>         descriptor opened by the process
>       #6600 - [sssd] Auth fails if client cannot speak to forest root domain
>         (ldap_sasl_interactive_bind_s failed)
>       #6610 - BUILD: Clear compilation alarms.
>       #6612 - MIT Kerberos confusion over password expiry
>       #6617 - filter_groups doesn’t filter GID from ‘id’ output: AD +
>         ‘ldap_id_mapping = True’ corner case
>       #6626 - Unable to lookup AD user from child domain
>         (or “make filtering of the domains more configurable”)
>       #6635 - sss allows extraneous @ characters prefixed to username
>
> Signed-off-by: Adolf Belka
> --- > sssd/sssd.nm | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) >=20 > diff --git a/sssd/sssd.nm b/sssd/sssd.nm > index 90d804469..5f3a4ecd4 100644 > --- a/sssd/sssd.nm > +++ b/sssd/sssd.nm > @@ -4,8 +4,8 @@ > #########################################################################= ###### > =20 > name =3D sssd > -version =3D 2.8.2 > -release =3D 2 > +version =3D 2.9.2 > +release =3D 1 > =20 > groups =3D System/Tools > url =3D https://github.com/SSSD/sssd 
> @@ -95,6 +95,9 @@ build > =20 > # Drop /var/run > rm -rvf %{BUILDROOT}%{localstatedir}/run > + =09 > + # Change python to python3 in sss_analyze file > + sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python3|g' %{BUILDROOT}/u= sr/lib/sssd/sss_analyze > end > end > =20 --=20 Sent from my laptop --===============0322321069255610763==--
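
Review bot: The sed expression in the second hunk (@@ -95,6 +95,9 @@ build) is unanchored and not idempotent. If a later upstream release ships sss_analyze with `#!/usr/bin/env python3` already in place, the pattern `#!/usr/bin/env python` still matches as a prefix and the shebang becomes `#!/usr/bin/env python33`, which would bring back the INVALID-INTERPRETER failure the commit message describes. Limiting the substitution to the first line and anchoring the end of the match, for example `sed -i '1s|^#!/usr/bin/env python$|#!/usr/bin/env python3|'`, makes the rewrite safe to keep across updates, and the `g` flag is not needed for a shebang. Two smaller points in the same hunk: the added separator line above the comment contains only a tab and should be an empty line, and the target path is written as a literal /usr/lib while the rm line just above uses a macro (%{localstatedir}), so it is worth checking whether a macro should be used here as well.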