* [git.ipfire.org] IPFire 3.x development tree branch, master, updated. 3cf4b6275e3c396f3b0bce23b873fe99fc603cd1
@ 2023-09-21 7:29 Michael Tremer
0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2023-09-21 7:29 UTC (permalink / raw)
To: ipfire-scm
[-- Attachment #1: Type: text/plain, Size: 24728 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 3.x development tree".
The branch, master has been updated
via 3cf4b6275e3c396f3b0bce23b873fe99fc603cd1 (commit)
via 0553af486522277811d2e6cb4b3125f53bef5f3f (commit)
from d63e0994e5b6afaeb826f3a9191f9dba136bda5b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3cf4b6275e3c396f3b0bce23b873fe99fc603cd1
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Wed Sep 20 22:44:19 2023 +0200
sssd: Update to version 2.9.2-1
- IPFire-3.x
- Update from version 2.8.2-2 to 2.9.2-1
- version 2.8.2-2 was failing to build.
- Initially version 2.9.2-1 failed with the same error messages.
/usr/lib/sssd/sss_analyze [INVALID-INTERPRETER]
There was also the following two messages in the log
"/usr/lib/sssd/sss_analyze: Found command python ((null))
/usr/lib/sssd/sss_analyze: Could not find path for command python"
Based on the above error I checked sss_analyze and found the following first line
"#!/usr/bin/env python" but the python program in IPFire is called python3
Added the sed line to change python to python3 and the build then was successful.
- Changelog
2.9.2
Highlights
SSSD 2.9 branch is now in long-term maintenance (LTM) phase.
General information
libkrb5-1.21 can now be used to build PAC plugin.
sssctl cert-show and cert-show cert-eval-rule can now be run as non-root
user.
Important fixes
SSSD does no longer crash if PIN is introduced but the tactile trigger
isn’t pressed during passkey authentication.
SSSD can now recover if memory-cache files under /var/lib/sss/mc where
truncated while SSSD is running.
Chaining of identical D-Bus requests that run in parallel to avoid
multiple backend queries works again.
Configuration changes
New option local_auth_policy is added to control which offline
authentication methods will be enabled by SSSD. This option is relevant
for authentication methods which have online, and offline capability
such as passkey, and smartcard authentication. The default value match
sets the offline methods to their corresponding online value. This
enables offline authentication when online kerberos pre-authentication
such as PKINIT, or passkey is supported by the backend, note that
online methods will still be attempted first. Option value only can be
used to disable online authentication entirely, or the value
enable:method to explicitly enable specific authentication methods,
e.g. enable:passkey.
Tickets Fixed
#5198 - monatomically should have been monotonically
#6733 - New covscan errors in ‘passkey’ code
#6802 - sss_certmap_test fail in v2.9.1 on Arch Linux
#6803 - [sssd] SSSD enters failed state after heavy load in the system
#6889 - Crash in pam_passkey_auth_done
#6911 - SBUS chaining is broken for getAccountInfo and other internal
D-Bus calls
2.9.1
New features
Passkey: added option to write key mapping data to file.
Important fixes
A regression was fixed that prevented autofs lookups to function
correctly when cache_first is set to True. Since this was set as a
new default value in sssd-2.9.0, it is considered as a regression.
A regression where SSSD failed to properly watch for changes in
‘/etc/resolv.conf’ when it was a symbolic link or was a relative path,
was fixed.
Tickets Fixed
#6442 - PAC errors when no PAC configured
#6652 - IPA: previously cached netgroup member is not remove correctly
after it is removed from ipa
#6659 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988
error 4 in libc-2.28.so[7f16b5e72000+1bc000]
#6718 - file_watch-tests fail in v2.9.0 on Arch Linux
#6720 - [sssd] User lookup on IPA client fails with ‘s2n get_fqlist
request failed’
#6739 - autofs mounts: Access to non-existent file very slow since 2.9.0
#6744 - sssd-be tends to run out of system resources, hitting the
maximum number of open files
#6766 - [RHEL8] sssd : AD user login problem when modify
ldap_user_name= name and restricted by GPO Policy
#6768 - [RHEL8] sssd attempts LDAP password modify extended op after
BIND failure
2.9.0
General information
sss_simpleifp library is deprecated and might be removed in further
releases. Those who are interested to keep using it awhile should
configure its build explicitly using --with-libsifp ./configure option.
“Files provider” (i.e. id_provider = files) is deprecated and might be
removed in further releases. Those who are interested to keep using it
awhile should configure its build explicitly using
--with-files-provider ./configure option. Or consider using
“Proxy provider” with proxy_lib_name = files instead.
Previously deprecated --enable-files-domain configure option, which was
used to manage default value of the enable_files_domain config option,
is now removed.
Long time unused ‘–enable-all-experimental-features’ configure option
was removed.
SSSD will no longer warn about changed defaults when using
ldap_schema = rfc2307 and default autofs mapping. This warning was
introduced in 1.14 to loudly warn about different default values.
New features
New passkey functionality, which will allow the use of FIDO2 compliant
devices to authenticate a centrally managed user locally. Moreover, in
the case of a FreeIPA user, it can also issue a Kerberos ticket
automatically with upcoming FreeIPA version 4.11.
Add support for ldapi:// URLs to allow connections to local LDAP servers
NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname
Note: support for passkey is in its initial phase and the authentication
policy will be adjusted in future versions.
Packaging changes for passkey
Include passkey subpackage and dependency for libfido2.
Configuration changes for passkey
New options to enable and tune passkey behavior: pam_passkey_auth,
ldap_user_passkey, passkey_verification, passkey_child_timeout,
interactive, interactive_prompt, touch and touch_prompt.
--with-passkey is a new configuration option to enable building passkey
authentication.
Important fixes
A regression when running sss_cache when no SSSD domain is enabled
would produce a syslog critical message was fixed.
Configuration changes
Default value of cache_first option was changed to true in case SSSD
is built without files provider.
ipa_access_order parameter introduced. It behaves much like
ldap_access_order but affects IPA domains (id_provider = ipa) and
accepts limited values. Please see sssd-ipa(5) for more information.
Tickets Fixed
#5390 - sssd failing to register dynamic DNS addresses against an AD
server due to unnecessary DNS search
#6383 - sssd is not waiting for network-online.target
#6403 - Add new Active Directory related certificate mapping templates
#6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
#6451 - UPN check cannot be disabled explicitly but requires
krb5_validate = false’ as a work-around
#6479 - Smart Card auth does not work with p11_uri
(with-smartcard-required)
#5080 - [RFE] - Show password expiration warning when IdM users login
with SSH keys
#5390 - sssd failing to register dynamic DNS addresses against an AD
server due to unnecessary DNS search
#6228 - Enable passkey authentication in a centralized environment
#6324 - coredump occurs when I restart sssd-ifp.service with
sssd.service is inactive
#6357 - KCM erroneously changes primary cache when renewing credentials
#6360 - [D-Bus] ListByName() returns several times the same entry
#6361 - [D-Bus] ListByName() fails when not using wildcards
#6383 - sssd is not waiting for network-online.target
#6387 - Fatal errors in log during Anaconda installation:
“CRIT sss_cache:No domains configured, fatal error!”
#6398 - [D-Bus] Groups.ListByName() and Groups.ListByDomainAndName()
not working
#6403 - Add new Active Directory related certificate mapping templates
#6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
#6451 - UPN check cannot be disabled explicitly but requires
krb5_validate = false’ as a work-around
#6465 - SBUS:A core dump occurs when dbus_server_get_address()
#6477 - changing password with ldap_password_policy = shadow does not
take effect immediately
#6479 - Smart Card auth does not work with p11_uri
(with-smartcard-required)
#6487 - implicit declaration of function fgetpwent in test_negcache_2.c
#6505 - SSS_CLIENT: general library destructor should cancel
thread-at-exit destructors
#6531 - FAST/OTP with Anonymous PKINIT - oddly requires a keytab to
exist (can be a bogus keytab)
#6544 - AD: Nested group processing can fail or return invalid members
(security issue)
#6548 - sssd-ipa
#6551 - passkey_child cannot be used to register passkey due to too
strict permissions
#6558 - enabling passkey authentication breaks idp support
#6565 - Improvement: sss_client: add ‘getsidbyusername()’ and
‘getsidbygroupname()’ and corresponding python bindings
#6588 - Integration Tests:The sssd_hosts module is missing in release
tarball
#6592 - pid wrapping caused sss_cli_check_socket to close the file
descriptor opened by the process
#6600 - [sssd] Auth fails if client cannot speak to forest root domain
(ldap_sasl_interactive_bind_s failed)
#6610 - BUILD: Clear compilation alarms.
#6612 - MIT Kerberos confusion over password expiry
#6617 - filter_groups doesn’t filter GID from ‘id’ output: AD +
‘ldap_id_mapping = True’ corner case
#6626 - Unable to lookup AD user from child domain
(or “make filtering of the domains more configurable”)
#6635 - sss allows extraneous @ characters prefixed to username
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 0553af486522277811d2e6cb4b3125f53bef5f3f
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Wed Sep 20 19:58:37 2023 +0200
shadow-utils: Update to version 4.14.0-1
- IPFire-3.x
- Update from version 4.13-2 to 4.14.0-1
- The build now has --with-libbsd as default yes so --without-libbsd has been added
so that it uses its own readpassphrase code as previously.
- Changelog
4.14.0
This release includes some steps toward preparing for the Y2038 (e.g.
removing lastlog conditionally), a great deal of removal of obsolete
function checks (like rmdir), and overhaul of some string manipulation
functions, of which there is more to come. And a great deal more. The
abbreviated git log follows:
Serge Hallyn: configure.ac: check for strlcpy
Michael Vetter: Remove intree website
Serge Hallyn: 4.14.0-rc4 pre-release
Serge Hallyn: Releases: add etc/shadow-maint to distfiles
Serge Hallyn: 4.14.0-rc3
Iker Pedrosa: libmisc: include freezero
Iker Pedrosa: libmisc: add freezero source code
Iker Pedrosa: libmisc: add readpassphrase source code
Iker Pedrosa: configure: add with-libbsd option
Iker Pedrosa: man: include shadow-man.xsl in tarball
Iker Pedrosa: man: include its.rules in tarball
Iker Pedrosa: autogen: enable lastlog build
Christian Göttsche: Add wrapper for write(2)
Serge Hallyn: tag 4.14.0-rc2
Michael Vetter: Add new files to libmisc_la_SOURCES
Serge Hallyn: Add a make dist CI test
Serge Hallyn: 4.14.0-rc1
Serge Hallyn: remove xmalloc.c from POTFILES.in
Iker Pedrosa: logoutd: add missing <utmp.h> include
Iker Pedrosa: CI: compile old utmp interface in Fedora
Iker Pedrosa: src: add SELINUX library
Iker Pedrosa: libmisc: conditionally compile utmp.c and logind.c
Iker Pedrosa: lib: replace USER_NAME_MAX_LENGTH macro
Iker Pedrosa: libmisc: call active_sessions_count()
Iker Pedrosa: libmisc: implement active_sessions_count()
Iker Pedrosa: utmp: update update_utmp()
Iker Pedrosa: utmp: move update_utmp
Iker Pedrosa: utmp: move failtmp()
Iker Pedrosa: libmisc: implement get_session_host()
Iker Pedrosa: configure: new option enable-logind
xiongshenglan: shadow userdel: add the adaptation to the busybox ps in
01-kill_user_procs.sh
Michael Vetter: chsh: warn if root sets a shell not listed in /etc/shells
Michael Vetter: doc: mention ci workflow file to learn about deps
Serge Hallyn: man/po/Makefile: add a comment to shadow-man-pages.pot
Vegard Nossum: newgrp: fix potential string injection
Todd Zullinger: lastlog: fix alignment of Latest header
Iker Pedrosa: configure: fix lastlog check
Alan D. Salewski: subuid.5: reference newusers(8) rather than newusers(1)
Iker Pedrosa: CI: build lastlog in Fedora
Iker Pedrosa: man: conditionally build lastlog documentation
Iker Pedrosa: usermod: conditionally build lastlog functionality
Iker Pedrosa: useradd: conditionally build lastlog functionality
Iker Pedrosa: login: conditionally build lastlog functionality
Iker Pedrosa: lastlog: stop building by default
Iker Pedrosa: CI: update debian repos
Bernd Kuhls: Fix yescrypt support
Jeffrey Bencteux: chgpasswd: fix segfault in command-line options
Alejandro Colomar: gpasswd(1): Fix password leak
Alejandro Colomar: src/useradd.c: create_mail(): Cosmetic
Alejandro Colomar: src/useradd.c: create_home(): Cosmetic
Alejandro Colomar: src/useradd.c: create_home(): Cosmetic
Alejandro Colomar: src/useradd.c: create_home(): Cosmetic
Alejandro Colomar: src/useradd.c: close_group_files(): Cosmetic
Alejandro Colomar: src/useradd.c: check_uid_range(): Cosmetic
Jaroslav Jindrak: build: link passwd, chpasswd and chage against libdl
Jaroslav Jindrak: configure: check whether fgetpwent_r is available before
marking xprefix_getpwnam_r as reentrant
Jaroslav Jindrak: passwd: fall back to non-PAM code when prefix is used
Jaroslav Jindrak: chpasswd: fall back to non-PAM code when prefix is used
Jaroslav Jindrak: chpasswd: add --prefix/-P options
Jaroslav Jindrak: chage: add --prefix/-P options
Jaroslav Jindrak: passwd: Respect --prefix/-P options
Michael Vetter: prefix: add prefix support
Iker Pedrosa: strtoday: remove unnecessary cast
Alejandro Colomar: Use temporary variable
Alejandro Colomar: realloc(NULL, ...) is equivalent to malloc(...)
Alejandro Colomar: Simplify allocation APIs
Christian Göttsche: Drop alloca(3)
Christian Göttsche: usermod: fix off-by-one issues
Alejandro Colomar: libmisc/csrand.c: Update comments
Alejandro Colomar: lib/nss.c: Fix use of invalid p
Alejandro Colomar: lib/nss.c: Fix use of uninitialized p
Alejandro Colomar: Centralize error handling
Alejandro Colomar: Second verse, it gets worse; it gets no better than this
Alejandro Colomar: ROFL: Rolling on the floor looping
Alejandro Colomar: This ain't no loop
Iker Pedrosa: newusers: Improve error message
Martin Kletzander: ch(g)passwd: Check selinux permissions upon startup
Skyler Ferrante: Check if crypt_method null before dereferencing
Alejandro Colomar: xgetXXbyYY: Simplify elifs
Alejandro Colomar: xgetXXbyYY: Centralize error handling
Alejandro Colomar: xgetXXbyYY: tfix
Samanta Navarro: xgetXXbyYY: Avoid duplicated error handling block
Samanta Navarro: xgetXXbyYY: Handle DUP_FUNCTION failure
Serge Hallyn: sub_[ug]id_{add,remove}: fix return values
Martin Kletzander: usermod: Small optimization using memmove for password
unlock
Alejandro Colomar: Reorder logic to improve comprehensibility
Alejandro Colomar: newusers: Fail early
Alejandro Colomar: newusers: Add missing error handling
Samanta Navarro: libmisc: Use safer chroot/chdir sequence
Samanta Navarro: su: Prevent stack overflow in check_perms
Samanta Navarro: subsystem: Prevent endless loop
Serge Hallyn: def_load: avoid NULL deref
Serge Hallyn: def_load: split the econf from non-econf definition
Tobias Stoeckmann: Plug econf memory leaks
Samanta Navarro: chsh: Verify that login shell path is absolute
Samanta Navarro: process_prefix_flag: Drop privileges
bubu: Update French translations
Samanta Navarro: get_pid.c: Use tighter validation checks
Markus Hiereth: replace inadequate German translation of login error message
Markus Hiereth: Update German translations
Samanta Navarro: Remove some static char arrays
Samanta Navarro: commonio: Use do_lock_file again
Serge Hallyn: Fix broken docbook translations
ed neville: open with O_CREAT when lock path does not exist
Samanta Navarro: commonio_open: Remove fcntl call
Samanta Navarro: commonio_lock_nowait: Remove deprecated code
Samanta Navarro: login_prompt: Simplify login_prompt API
Samanta Navarro: login_prompt: Use _exit in signal handler
Samanta Navarro: login_prompt: Do not parse environment variables
Samanta Navarro: libmisc/yesno.c: Fix regression
Alejandro Colomar: libmisc, man: Drop old check and advice for complex
character sets in passwords
Christian Göttsche: semanage: disconnect to free libsemanage internals
Christian Göttsche: commonio: free removed database entries
ed neville: run_parts for groupadd and groupdel
lilinjie: fix typos
Alejandro Colomar: libmisc/yesno.c: Use getline(3) and rpmatch(3)
Samanta Navarro: newgrp/useradd: always set SIGCHLD to default
Serge Hallyn: Update AUTHORS to add Marek Michałkiewicz
Samanta Navarro: Read whole line in yes_or_no
Christian Göttsche: useradd/usermod: add --selinux-range argument
Alejandro Colomar: CI: Make build logs more readable
Iker Pedrosa: ci: remove explicit fedora dependencies
Iker Pedrosa: README: add reference to contribution guidelines
Iker Pedrosa: doc: add contributions introduction
Iker Pedrosa: doc: add license
Iker Pedrosa: doc: add releases
Iker Pedrosa: doc: add Continuous Integration
Iker Pedrosa: doc: add tests
Iker Pedrosa: doc: add coding style
Iker Pedrosa: doc: add build & install
Serge Hallyn: trivial: vipw.8: fix grammar
Christian Göttsche: sssd: skip flushing if executable does not exist
Christian Göttsche: Overhaul valid_field()
Martin Kletzander: semanage: Do not set default SELinux range
Michael Vetter: Fix typo in groupadd usage
Christian Göttsche: ci: update Differential ShellCheck
tomspiderlabs: Added control character check
Mike Gilbert: usermod: respect --prefix for --gid option
Alejandro Colomar: Fix su(1) silent truncation
Alejandro Colomar: Simplify is_my_tty()
Alejandro Colomar: Fix is_my_tty() buffer overrun
Alejandro Colomar: Add STRLEN(): a constexpr strlen(3) for string literals
Alejandro Colomar: Fix crash with large timestamps
Paul Eggert: Prefer strcpy(3) to strlcpy(3) when either works
Paul Eggert: Fix change_field() buffer underrun
Paul Eggert: Omit unneeded test in change_field()
Paul Eggert: Simplify change_field() by using strcpy
skyler-ferrante: Fix null dereference in basename
Iker Pedrosa: CI: script for local container build
Iker Pedrosa: CI: build project in containers
Iker Pedrosa: container: add fedora
Iker Pedrosa: container: add debian
Iker Pedrosa: container: add alpine
Iker Pedrosa: SECURITY.md: add Iker Pedrosa
Christian Göttsche: selinux: use type safe function pointer assignment
Christian Göttsche: Use strict prototype in definition
Vinícius dos Santos Oliveira: Add .editorconfig
Serge Hallyn: run_some: fix shellcheck warning
Serge Hallyn: fail on any run_some test failure
Serge Hallyn: ignore first test in run_some
Serge Hallyn: swap first two tests - does the first one still fail?
Serge Hallyn: tests: remove some github runner PATH tweaking
Alejandro Colomar: tests: Support git-worktree(1)
Serge Hallyn: tests: newuidmap and newgidmap: update expected fail message
Serge Hallyn: libsubid: include alloc.h
Serge Hallyn: run_some: log stderr
Vinícius dos Santos Oliveira: Validate fds created by the user
Serge Hallyn: get_pidfd_from_fd: return -1 on error, not 0
Serge Hallyn: g-h-a workflow: workaround
Serge Hallyn: Fix regression in some translation strings
Iker Pedrosa: lib: bit_ceil_wrapul(): stop recursion
Iker Pedrosa: lib: define ULONG_WIDTH if non-existent
maqi: Update translation
Serge Hallyn: newuidmap and newgidmap: support passing pid as fd
Alejandro Colomar: Fix use-after-free of pointer after realloc(3)
Alejandro Colomar: Use safer allocation macros
Alejandro Colomar: libmisc: Add safer allocation macros
Alejandro Colomar: Use xreallocarray() instead of its pattern
Alejandro Colomar: Use reallocarrayf() instead of its pattern
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
shadow-utils/shadow-utils.nm | 7 ++++---
sssd/sssd.nm | 7 +++++--
2 files changed, 9 insertions(+), 5 deletions(-)
Difference in files:
diff --git a/shadow-utils/shadow-utils.nm b/shadow-utils/shadow-utils.nm
index fcc4fd5fd..a16b88a2c 100644
--- a/shadow-utils/shadow-utils.nm
+++ b/shadow-utils/shadow-utils.nm
@@ -4,8 +4,8 @@
###############################################################################
name = shadow-utils
-version = 4.13
-release = 2
+version = 4.14.0
+release = 1
thisapp = shadow-%{version}
groups = System/Base
@@ -52,7 +52,8 @@ build
--without-audit \
--without-selinux \
--without-su \
- --with-fcaps
+ --with-fcaps \
+ --without-libbsd
install_cmds
rm -vf \
diff --git a/sssd/sssd.nm b/sssd/sssd.nm
index 90d804469..5f3a4ecd4 100644
--- a/sssd/sssd.nm
+++ b/sssd/sssd.nm
@@ -4,8 +4,8 @@
###############################################################################
name = sssd
-version = 2.8.2
-release = 2
+version = 2.9.2
+release = 1
groups = System/Tools
url = https://github.com/SSSD/sssd
@@ -95,6 +95,9 @@ build
# Drop /var/run
rm -rvf %{BUILDROOT}%{localstatedir}/run
+
+ # Change python to python3 in sss_analyze file
+ sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python3|g' %{BUILDROOT}/usr/lib/sssd/sss_analyze
end
end
hooks/post-receive
--
IPFire 3.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-09-21 7:29 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-21 7:29 [git.ipfire.org] IPFire 3.x development tree branch, master, updated. 3cf4b6275e3c396f3b0bce23b873fe99fc603cd1 Michael Tremer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox