Diffstat (limited to 'security/sssd2')
-rw-r--r--security/sssd2/Makefile203
-rw-r--r--security/sssd2/distinfo3
-rw-r--r--security/sssd2/files/bsdnss.c196
-rw-r--r--security/sssd2/files/patch-Makefile.am857
-rw-r--r--security/sssd2/files/patch-configure.ac51
-rw-r--r--security/sssd2/files/patch-src__confdb__confdb.c19
-rw-r--r--security/sssd2/files/patch-src__external__crypto.m421
-rw-r--r--security/sssd2/files/patch-src__external__inotify.m415
-rw-r--r--security/sssd2/files/patch-src__external__krb5.m413
-rw-r--r--security/sssd2/files/patch-src__external__nsupdate.m423
-rw-r--r--security/sssd2/files/patch-src__external__pac_responder.m411
-rw-r--r--security/sssd2/files/patch-src__external__platform.m451
-rw-r--r--security/sssd2/files/patch-src__external__samba.m432
-rw-r--r--security/sssd2/files/patch-src__krb5_plugin__common__radius_kdcpreauth.c19
-rw-r--r--security/sssd2/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.c11
-rw-r--r--security/sssd2/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h11
-rw-r--r--security/sssd2/files/patch-src__p11_child__p11_child_common.c19
-rw-r--r--security/sssd2/files/patch-src__passkey_child__passkey_child_common.c19
-rw-r--r--security/sssd2/files/patch-src__providers__ad__ad_common.c41
-rw-r--r--security/sssd2/files/patch-src__providers__ad__ad_gpo_child.c19
-rw-r--r--security/sssd2/files/patch-src__providers__ad__ad_pac.h11
-rw-r--r--security/sssd2/files/patch-src__providers__ad__ad_pac_common.c11
-rw-r--r--security/sssd2/files/patch-src__providers__data_provider__dp_modules.c10
-rw-r--r--security/sssd2/files/patch-src__providers__data_provider__dp_targets.c10
-rw-r--r--security/sssd2/files/patch-src__providers__data_provider_be.c11
-rw-r--r--security/sssd2/files/patch-src__providers__data_provider_fo.c28
-rw-r--r--security/sssd2/files/patch-src__providers__files__files_ops.c88
-rw-r--r--security/sssd2/files/patch-src__providers__ipa__ipa_common.c28
-rw-r--r--security/sssd2/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c11
-rw-r--r--security/sssd2/files/patch-src__providers__krb5__krb5_child.c19
-rw-r--r--security/sssd2/files/patch-src__providers__ldap__ldap_auth.c46
-rw-r--r--security/sssd2/files/patch-src__providers__ldap__ldap_child.c42
-rw-r--r--security/sssd2/files/patch-src__providers__ldap__sdap_access.c41
-rw-r--r--security/sssd2/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c28
-rw-r--r--security/sssd2/files/patch-src__providers__proxy__proxy_child.c29
-rw-r--r--security/sssd2/files/patch-src__resolv__async_resolv_utils.c28
-rw-r--r--security/sssd2/files/patch-src__responder__common__cache_req__plugins__cache_req_ip_host_by_addr.c10
-rw-r--r--security/sssd2/files/patch-src__responder__common__cache_req__plugins__cache_req_ip_network_by_addr.c10
-rw-r--r--security/sssd2/files/patch-src__responder__common__responder_common.c10
-rw-r--r--security/sssd2/files/patch-src__responder__common__responder_packet.c10
-rw-r--r--security/sssd2/files/patch-src__responder__kcm__kcmsrv_ccache_secdb.c23
-rw-r--r--security/sssd2/files/patch-src__responder__kcm__kcmsrv_cmd.c15
-rw-r--r--security/sssd2/files/patch-src__responder__kcm__kcmsrv_ops.c10
-rw-r--r--security/sssd2/files/patch-src__responder__nss__nsssrv_mmap_cache.c27
-rw-r--r--security/sssd2/files/patch-src__sbus__sbus_errors.c11
-rw-r--r--security/sssd2/files/patch-src__sss_client__common.c29
-rw-r--r--security/sssd2/files/patch-src__sss_client__nss_group.c78
-rw-r--r--security/sssd2/files/patch-src__sss_client__nss_hosts.c12
-rw-r--r--security/sssd2/files/patch-src__sss_client__nss_ipnetworks.c12
-rw-r--r--security/sssd2/files/patch-src__sss_client__pam_sss.c11
-rw-r--r--security/sssd2/files/patch-src__sss_client__pam_sss_gss.c19
-rw-r--r--security/sssd2/files/patch-src__sss_client__sss_nss.exports35
-rw-r--r--security/sssd2/files/patch-src__sss_client__sss_pac_responder_client.c19
-rw-r--r--security/sssd2/files/patch-src__util__child_common.c21
-rw-r--r--security/sssd2/files/patch-src__util__nss_dl_load.c28
-rw-r--r--security/sssd2/files/patch-src__util__server.c53
-rw-r--r--security/sssd2/files/patch-src__util__sss_krb5.c11
-rw-r--r--security/sssd2/files/patch-src__util__sss_pam_data.h10
-rw-r--r--security/sssd2/files/patch-src__util__sss_sockets.c30
-rw-r--r--security/sssd2/files/patch-src__util__util.c19
-rw-r--r--security/sssd2/files/patch-src__util__util_creds.h20
-rw-r--r--security/sssd2/files/patch-src_tests_cmocka_test__authtok.c10
-rw-r--r--security/sssd2/files/pkg-message.in27
-rw-r--r--security/sssd2/files/sss_bsd_errno.h58
-rw-r--r--security/sssd2/files/sssd.in40
-rw-r--r--security/sssd2/pkg-descr7
-rw-r--r--security/sssd2/pkg-plist166
67 files changed, 2916 insertions, 0 deletions
diff --git a/security/sssd2/Makefile b/security/sssd2/Makefile
new file mode 100644
index 000000000000..c08fc5aad78d
--- /dev/null
+++ b/security/sssd2/Makefile
@@ -0,0 +1,203 @@
+PORTNAME= sssd
+PORTVERSION= 2.9.4
+PORTREVISION= 1
+CATEGORIES= security
+PKGNAMESUFFIX= -devel
+
+MAINTAINER= jhixson@FreeBSD.org
+COMMENT= System Security Services Daemon
+WWW= https://sssd.io/
+
+LICENSE= GPLv3+
+LICENSE_FILE= ${WRKSRC}/COPYING
+
+BROKEN_FreeBSD_15= fails to compile: linker fails to resolve nss symbols
+CONFLICTS_INSTALL?= sssd*
+
+BUILD_DEPENDS= bash:shells/bash \
+ docbook-xsl>=1:textproc/docbook-xsl \
+ krb5>=1.20:security/krb5 \
+ p11-kit:security/p11-kit \
+ nsupdate:dns/bind-tools \
+ xmlcatalog:textproc/libxml2 \
+ xmlcatmgr:textproc/xmlcatmgr \
+ xsltproc:textproc/libxslt
+
+LIB_DIRS+= ${LOCALBASE}/lib ${LOCALBASE}/lib/sasl2
+LIB_DEPENDS= libcares.so:dns/c-ares \
+ libcom_err.so:security/krb5 \
+ libcurl.so:ftp/curl \
+ libdbus-1.so:devel/dbus \
+ libdhash.so:devel/ding-libs \
+ libfido2.so:security/libfido2 \
+ libgssapi_krb5.so:security/krb5 \
+ libinotify.so:devel/libinotify \
+ libjansson.so:devel/jansson \
+ libjose.so:net/jose \
+ libkrb5.so:security/krb5 \
+ libldb.so:databases/ldb22 \
+ libndr-krb5pac.so:net/samba416 \
+ libndr-nbt.so:net/samba416 \
+ libndr-standard.so:net/samba416 \
+ libndr.so:net/samba416 \
+ libnfs.so:net/libnfs \
+ libnss3.so:security/nss \
+ libp11-kit.so:security/p11-kit \
+ libpcre2-posix.so:devel/pcre2 \
+ libplds4.so:devel/nspr \
+ libpopt.so:devel/popt \
+ libsamba-util.so:net/samba416 \
+ libsasl2.so:security/cyrus-sasl2 \
+ libsmbclient.so:net/samba416 \
+ libtalloc.so:devel/talloc \
+ libtdb.so:databases/tdb \
+ libtevent.so:devel/tevent \
+ libunistring.so:devel/libunistring \
+ libuuid.so:misc/e2fsprogs-libuuid
+
+RUN_DEPENDS= cyrus-sasl-gssapi>0:security/cyrus-sasl2-gssapi \
+ sudo>0:security/sudo
+
+USES= autoreconf cpe gettext gmake gssapi:bootstrap,flags,mit iconv ldap \
+ libtool localbase:ldflags pathfix pkgconfig python:3.9+ shebangfix ssl
+
+USE_LDCONFIG= yes
+GNU_CONFIGURE= yes
+
+INSTALL_TARGET= install-strip
+CPE_VENDOR= fedoraproject
+
+DEBUG_FLAGS= -g
+STRIP=
+
+CONFIGURE_ARGS= --disable-dependency-tracking \
+ --datadir=${DATADIR} \
+ --docdir=${DOCSDIR} \
+ --localstatedir=/var \
+ --disable-silent-rules \
+ --disable-nls \
+ --disable-cifs-idmap-plugin \
+ --disable-valgrind \
+ --disable-systemtap \
+ --enable-pammoddir=${PREFIX}/lib \
+ --enable-ldb-version-check \
+ --enable-pac-responder \
+ --with-db-path=/var/db/sss/db \
+ --with-os=freebsd \
+ --with-plugin-path=${LOCALBASE}/lib/sssd \
+ --with-pubconf-path=/var/db/sss/pubconf \
+ --with-pid-path=/var/run \
+ --with-pipe-path=/var/run/sss/pipes \
+ --with-mcache-path=/var/db/sss/mc \
+ --with-environment-file=${LOCALBASE}/etc/sssd \
+ --with-init-dir=no \
+ --with-manpages \
+ --with-xml-catalog-path=${LOCALBASE}/share/xml/catalog \
+ --with-krb5-plugin-path=${LOCALBASE}/lib/krb5/plugins/libkrb5 \
+ --with-krb5authdata-plugin-path=${LOCALBASE}/lib/krb5/plugins/authdata \
+ --with-krb5-conf=/etc/krb5.conf \
+ --without-python2-bindings \
+ --with-winbind-plugin-path=${LOCALBASE}/lib/samba4/modules/idmap \
+ --without-selinux \
+ --with-gpo-cache-path=/var/db/sss/gpo_cache \
+ --without-semanage \
+ --with-app-libs=${LOCALBASE}/lib/sssd/modules \
+ --without-autofs \
+ --with-files-provider \
+ --with-passkey \
+ --with-libsifp \
+ --without-libsifp \
+ --with-syslog=syslog \
+ --with-samba \
+ --without-nfsv4-idmapd-plugin \
+ --with-nfs-lib-path=${LOCALBASE}/lib \
+ --with-secrets-db-path=/var/lib/sss/secrets \
+ --with-kcm \
+ --with-oidc-child \
+ --with-ldb-lib-dir=${LOCALBASE}/lib/shared-modules/ldb \
+ --with-smb-idmap-interface-version=6 \
+ --without-libnl \
+ --with-nscd-conf=/etc/nscd.conf \
+ --with-python_prefix=${PREFIX} \
+ --with-unicode-lib=libunistring
+
+CFLAGS+= -fstack-protector-all
+CFLAGS+= -I${LOCALBASE}/include/samba4
+
+LIBS+= -L${LOCALBASE}/lib \
+ -L${LOCALBASE}/lib/samba4/private \
+ -L${LOCALBASE}/lib/sasl2 \
+ -linotify -lintl
+
+KRB5_HOME= ${LOCALBASE}
+KRB5_CONFIG= ${LOCALBASE}/bin/krb5-config
+KRB5_CFLAGS= -I${LOCALBASE}/include
+KRB5_LIBS= -L${LOCALBAse}/lib -lkrb5 -lk5crypto -lcom_err
+
+GSSAPI_KRB5_CFLAGS= -I${LOCALBASE}/include
+GSSAPI_KRB5_LIBS= -L${LOCALBASE}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
+
+LDFLAGS+= -lgssapi
+LDFLAGS_SL+= -lgssapi
+
+INCLUDES+= -I${LOCALBASE}/include
+CONFIGURE_ENV+= INCLUDES="${INCLUDES}" \
+ LDFLAGS_SL="${LDFLAGS_SL}"
+MAKE_ENV= MAKELEVEL=0
+
+PLIST_SUB= PYTHON_VER=${PYTHON_VER}
+MAKE_ENV+= LINGUAS="bg de eu es fr hu id it ja nb nl pl pt ru sv tg tr uk zh_CN zh_TW"
+SUB_FILES= pkg-message
+
+BINARY_ALIAS= python3=python${PYTHON_VER}
+SHEBANG_FILES= sbus_generate.sh.in \
+ src/tools/analyzer/sss_analyze \
+ src/tools/sss_obfuscate \
+ src/config/SSSDConfigTest.py \
+ src/tests/python-test.py \
+ src/tests/pysss-test.py \
+ src/tests/cwrap/cwrap_test_setup.sh \
+ src/tests/whitespace_test \
+ src/tests/pyhbac-test.py \
+ src/tests/multihost/data/memcachesize.py \
+ src/tests/double_semicolon_test \
+ src/tests/pysss_murmur-test.py \
+ scripts/release.sh \
+ contrib/git/pre-push \
+ contrib/ci/rpm-spec-builddeps \
+ contrib/ci/clean \
+ contrib/ci/valgrind-condense \
+ contrib/ci/run-multihost \
+ contrib/ci/run \
+ contrib/ci/get-matrix.py \
+ contrib/vagrant/bootstrap.sh \
+ contrib/fedora/make_srpm.sh
+
+USE_RC_SUBR= ${PORTNAME}
+
+USE_GITHUB=yes
+GH_ACCOUNT=sssd
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|/usr/bin/|${PREFIX}/bin/|g' \
+ -e 's|/var/lib/sss/pubconf/|/var/db/sss/pubconf/|g' \
+ ${WRKSRC}/src/man/sss_ssh_knownhostsproxy.1.xml \
+ ${WRKSRC}/src/man/po/*.po || true
+ @${REINPLACE_CMD} -e 's|/etc/sssd/|${ETCDIR}/|g' \
+ -e 's|/etc/openldap/|${LOCALBASE}/etc/openldap/|g' \
+ ${WRKSRC}/src/man/*xml || true
+ @${CP} ${FILESDIR}/sss_bsd_errno.h ${WRKSRC}/src/util/sss_bsd_errno.h
+ @${CP} ${FILESDIR}/bsdnss.c ${WRKSRC}/src/sss_client/bsdnss.c
+
+post-install:
+ ${INSTALL_DATA} ${WRKSRC}/src/examples/sssd-example.conf \
+ ${STAGEDIR}${ETCDIR}/sssd.conf.sample
+ ${MKDIR} ${STAGEDIR}${PREFIX}/share/dbus-1/system.d
+ ${INSTALL_DATA} ${WRKSRC}/src/responder/ifp/org.freedesktop.sssd.infopipe.conf \
+ ${STAGEDIR}${PREFIX}/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+ ${MKDIR} ${STAGEDIR}${PREFIX}/share/dbus-1/system-services
+ ${INSTALL_DATA} ${WRKSRC}/src/responder/ifp/org.freedesktop.sssd.infopipe.service \
+ ${STAGEDIR}${PREFIX}/share/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
+ ${LN} -sf libnss_sss.so.2 ${STAGEDIR}${PREFIX}/lib/nss_sss.so.1
+
+.include <bsd.port.mk>
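Review bot: `--with-secrets-db-path=/var/lib/sss/secrets` is the only state path in CONFIGURE_ARGS still under /var/lib, while the db, pubconf, mcache and gpo_cache paths all point at /var/db/sss; with `--with-kcm` enabled this directory presumably backs the KCM credential store, so unless pkg-plist creates it with restrictive ownership and mode (not visible in this hunk) I would use `--with-secrets-db-path=/var/db/sss/secrets`. Separately, `KRB5_LIBS= -L${LOCALBAse}/lib ...` misspells the variable, and since make variable names are case-sensitive it most likely expands to `-L/lib`; it should read `-L${LOCALBASE}/lib`. `--with-libsifp` is immediately followed by `--without-libsifp`, so only the intended one should stay. The two `|| true` suffixes in post-patch also hide a failed `${REINPLACE_CMD}`, which would leave the Linux paths in the installed man pages without any build error.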
diff --git a/security/sssd2/distinfo b/security/sssd2/distinfo
new file mode 100644
index 000000000000..249e6345bf1c
--- /dev/null
+++ b/security/sssd2/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1706926059
+SHA256 (sssd-sssd-2.9.4_GH0.tar.gz) = 074f4e00283def250d26d3331332cffc8acb61e51282645faf40490eb93a30c4
+SIZE (sssd-sssd-2.9.4_GH0.tar.gz) = 6745896
diff --git a/security/sssd2/files/bsdnss.c b/security/sssd2/files/bsdnss.c
new file mode 100644
index 000000000000..6a1152100c67
--- /dev/null
+++ b/security/sssd2/files/bsdnss.c
@@ -0,0 +1,196 @@
+#include <errno.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <pwd.h>
+#include <grp.h>
+#include <nss.h>
+#include <netdb.h>
+
+extern enum nss_status _nss_sss_getgrent_r(struct group *, char *, size_t,
+ int *);
+extern enum nss_status _nss_sss_getgrnam_r(const char *, struct group *,
+ char *, size_t, int *);
+extern enum nss_status _nss_sss_getgrgid_r(gid_t gid, struct group *, char *,
+ size_t, int *);
+extern enum nss_status _nss_sss_setgrent(void);
+extern enum nss_status _nss_sss_endgrent(void);
+
+extern enum nss_status _nss_sss_getpwent_r(struct passwd *, char *, size_t,
+ int *);
+extern enum nss_status _nss_sss_getpwnam_r(const char *, struct passwd *,
+ char *, size_t, int *);
+extern enum nss_status _nss_sss_getpwuid_r(gid_t gid, struct passwd *, char *,
+ size_t, int *);
+extern enum nss_status _nss_sss_setpwent(void);
+extern enum nss_status _nss_sss_endpwent(void);
+
+extern enum nss_status _nss_sss_gethostbyname_r(const char *name,
+ struct hostent * result,
+ char *buffer, size_t buflen,
+ int *errnop,
+ int *h_errnop);
+
+extern enum nss_status _nss_sss_gethostbyname2_r(const char *name, int af,
+ struct hostent * result,
+ char *buffer, size_t buflen,
+ int *errnop,
+ int *h_errnop);
+extern enum nss_status _nss_sss_gethostbyaddr_r(struct in_addr * addr, int len,
+ int type,
+ struct hostent * result,
+ char *buffer, size_t buflen,
+ int *errnop, int *h_errnop);
+
+extern enum nss_status _nss_sss_getgroupmembership(const char *uname,
+ gid_t agroup, gid_t *groups,
+ int maxgrp, int *grpcnt);
+
+NSS_METHOD_PROTOTYPE(__nss_compat_getgroupmembership);
+NSS_METHOD_PROTOTYPE(__nss_compat_getgrnam_r);
+NSS_METHOD_PROTOTYPE(__nss_compat_getgrgid_r);
+NSS_METHOD_PROTOTYPE(__nss_compat_getgrent_r);
+NSS_METHOD_PROTOTYPE(__nss_compat_setgrent);
+NSS_METHOD_PROTOTYPE(__nss_compat_endgrent);
+
+NSS_METHOD_PROTOTYPE(__nss_compat_getpwnam_r);
+NSS_METHOD_PROTOTYPE(__nss_compat_getpwuid_r);
+NSS_METHOD_PROTOTYPE(__nss_compat_getpwent_r);
+NSS_METHOD_PROTOTYPE(__nss_compat_setpwent);
+NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);
+
+NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyname);
+NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyname2);
+NSS_METHOD_PROTOTYPE(__nss_compat_gethostbyaddr);
+
+static ns_mtab methods[] = {
+{ NSDB_GROUP, "getgrnam_r", __nss_compat_getgrnam_r, _nss_sss_getgrnam_r },
+{ NSDB_GROUP, "getgrgid_r", __nss_compat_getgrgid_r, _nss_sss_getgrgid_r },
+{ NSDB_GROUP, "getgrent_r", __nss_compat_getgrent_r, _nss_sss_getgrent_r },
+{ NSDB_GROUP, "getgroupmembership", __nss_compat_getgroupmembership, _nss_sss_getgroupmembership },
+{ NSDB_GROUP, "setgrent", __nss_compat_setgrent, _nss_sss_setgrent },
+{ NSDB_GROUP, "endgrent", __nss_compat_endgrent, _nss_sss_endgrent },
+
+{ NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, _nss_sss_getpwnam_r },
+{ NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, _nss_sss_getpwuid_r },
+{ NSDB_PASSWD, "getpwent_r", __nss_compat_getpwent_r, _nss_sss_getpwent_r },
+{ NSDB_PASSWD, "setpwent", __nss_compat_setpwent, _nss_sss_setpwent },
+{ NSDB_PASSWD, "endpwent", __nss_compat_endpwent, _nss_sss_endpwent },
+
+// { NSDB_HOSTS, "gethostbyname", __nss_compat_gethostbyname, _nss_sss_gethostbyname_r },
+//{ NSDB_HOSTS, "gethostbyaddr", __nss_compat_gethostbyaddr, _nss_sss_gethostbyaddr_r },
+//{ NSDB_HOSTS, "gethostbyname2", __nss_compat_gethostbyname2, _nss_sss_gethostbyname2_r },
+
+{ NSDB_GROUP_COMPAT, "getgrnam_r", __nss_compat_getgrnam_r, _nss_sss_getgrnam_r },
+{ NSDB_GROUP_COMPAT, "getgrgid_r", __nss_compat_getgrgid_r, _nss_sss_getgrgid_r },
+{ NSDB_GROUP_COMPAT, "getgrent_r", __nss_compat_getgrent_r, _nss_sss_getgrent_r },
+{ NSDB_GROUP_COMPAT, "setgrent", __nss_compat_setgrent, _nss_sss_setgrent },
+{ NSDB_GROUP_COMPAT, "endgrent", __nss_compat_endgrent, _nss_sss_endgrent },
+
+{ NSDB_PASSWD_COMPAT, "getpwnam_r", __nss_compat_getpwnam_r, _nss_sss_getpwnam_r },
+{ NSDB_PASSWD_COMPAT, "getpwuid_r", __nss_compat_getpwuid_r, _nss_sss_getpwuid_r },
+{ NSDB_PASSWD_COMPAT, "getpwent_r", __nss_compat_getpwent_r, _nss_sss_getpwent_r },
+{ NSDB_PASSWD_COMPAT, "setpwent", __nss_compat_setpwent, _nss_sss_setpwent },
+{ NSDB_PASSWD_COMPAT, "endpwent", __nss_compat_endpwent, _nss_sss_endpwent },
+
+};
+
+
+ns_mtab *
+nss_module_register(const char *source, unsigned int *mtabsize,
+ nss_module_unregister_fn *unreg)
+{
+ *mtabsize = sizeof(methods)/sizeof(methods[0]);
+ *unreg = NULL;
+ return (methods);
+}
+
+int __nss_compat_getgroupmembership(void *retval, void *mdata, va_list ap)
+{
+ int (*fn)(const char *, gid_t, gid_t *, int, int *);
+
+ const char *uname;
+ gid_t agroup;
+ gid_t *groups;
+ int maxgrp;
+ int *grpcnt;
+ int errnop = 0;
+ enum nss_status status;
+
+ fn = mdata;
+ uname = va_arg(ap, const char *);
+ agroup = va_arg(ap, gid_t);
+ groups = va_arg(ap, gid_t *);
+ maxgrp = va_arg(ap, int);
+ grpcnt = va_arg(ap, int *);
+ status = fn(uname, agroup, groups, maxgrp, grpcnt);
+ status = __nss_compat_result(status, errnop);
+ return (status);
+}
+
+int __nss_compat_gethostbyname(void *retval, void *mdata, va_list ap)
+{
+ enum nss_status (*fn)(const char *, struct hostent *, char *, size_t, int *, int *);
+ const char *name;
+ struct hostent *result;
+ char buffer[1024];
+ size_t buflen = 1024;
+ int errnop;
+ int h_errnop;
+ int af;
+ enum nss_status status;
+
+ fn = mdata;
+ name = va_arg(ap, const char*);
+ af = va_arg(ap,int);
+ result = va_arg(ap,struct hostent *);
+ status = fn(name, result, buffer, buflen, &errnop, &h_errnop);
+ status = __nss_compat_result(status,errnop);
+ h_errno = h_errnop;
+ return (status);
+}
+
+int __nss_compat_gethostbyname2(void *retval, void *mdata, va_list ap)
+{
+ enum nss_status (*fn)(const char *, struct hostent *, char *, size_t, int *, int *);
+ const char *name;
+ struct hostent *result;
+ char buffer[1024];
+ size_t buflen = 1024;
+ int errnop;
+ int h_errnop;
+ int af;
+ enum nss_status status;
+
+ fn = mdata;
+ name = va_arg(ap, const char*);
+ af = va_arg(ap,int);
+ result = va_arg(ap,struct hostent *);
+ status = fn(name, result, buffer, buflen, &errnop, &h_errnop);
+ status = __nss_compat_result(status,errnop);
+ h_errno = h_errnop;
+ return (status);
+}
+
+int __nss_compat_gethostbyaddr(void *retval, void *mdata, va_list ap)
+{
+ struct in_addr *addr;
+ int len;
+ int type;
+ struct hostent *result;
+ char buffer[1024];
+ size_t buflen = 1024;
+ int errnop;
+ int h_errnop;
+ enum nss_status (*fn)(struct in_addr *, int, int, struct hostent *, char *, size_t, int *, int *);
+ enum nss_status status;
+
+ fn = mdata;
+ addr = va_arg(ap, struct in_addr*);
+ len = va_arg(ap,int);
+ type = va_arg(ap,int);
+ result = va_arg(ap, struct hostent*);
+ status = fn(addr, len, type, result, buffer, buflen, &errnop, &h_errnop);
+ status = __nss_compat_result(status,errnop);
+ h_errno = h_errnop;
+ return (status);
+}
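Review bot: The three host wrappers (`__nss_compat_gethostbyname`, `__nss_compat_gethostbyname2`, `__nss_compat_gethostbyaddr`) pass the callee a stack-local `char buffer[1024]`, so any pointers the callee stores into `*result` refer to memory that is gone once the wrapper returns. They also read `errnop` and `h_errnop` after the call without initialising them, unlike `__nss_compat_getgroupmembership`, which starts from `int errnop = 0;`. The NSDB_HOSTS rows in `methods[]` are commented out, so these wrappers appear unreachable today. I would either drop them together with their prototypes, or declare `int errnop = 0; int h_errnop = 0;` and add a comment above them such as `/* not registered: result would point into a stack buffer; needs caller-supplied storage before enabling */`. The extern for `_nss_sss_getpwuid_r` also declares its first parameter as `gid_t gid`, where `uid_t uid` looks intended.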
diff --git a/security/sssd2/files/patch-Makefile.am b/security/sssd2/files/patch-Makefile.am
new file mode 100644
index 000000000000..635c195e729c
--- /dev/null
+++ b/security/sssd2/files/patch-Makefile.am
@@ -0,0 +1,857 @@
+--- Makefile.am.orig 2024-02-12 00:15:58 UTC
++++ Makefile.am
+@@ -59,7 +59,7 @@ dbusservicedir = $(datadir)/dbus-1/system-services
+ krb5snippetsdir = $(sssddatadir)/krb5-snippets
+ dbuspolicydir = $(datadir)/dbus-1/system.d
+ dbusservicedir = $(datadir)/dbus-1/system-services
+-sss_statedir = $(localstatedir)/lib/sss
++sss_statedir = $(localstatedir)/db/sss
+ runstatedir = @runstatedir@
+ localedir = @localedir@
+ nsslibdir = @nsslibdir@
+@@ -642,6 +642,7 @@ SSSD_LIBS = \
+
+ SSSD_LIBS = \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ $(TEVENT_LIBS) \
+ $(POPT_LIBS) \
+ $(LDB_LIBS) \
+@@ -713,6 +714,7 @@ dist_noinst_HEADERS = \
+ src/util/sss_ssh.h \
+ src/util/sss_ini.h \
+ src/util/sss_format.h \
++ src/util/sss_bsd_errno.h \
+ src/util/sss_pam_data.h \
+ src/util/refcount.h \
+ src/util/file_watch.h \
+@@ -1514,6 +1516,7 @@ sssd_LDADD = \
+ $(SSSD_LIBS) \
+ $(INOTIFY_LIBS) \
+ $(LIBNL_LIBS) \
++ $(LTLIBINTL) \
+ $(KEYUTILS_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+@@ -1542,6 +1545,7 @@ sssd_nss_LDADD = \
+ $(LIBADD_DL) \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ libsss_idmap.la \
+ libsss_cert.la \
+ $(SYSTEMD_DAEMON_LIBS) \
+@@ -1574,6 +1578,7 @@ sssd_pam_LDADD = \
+ $(LIBADD_DL) \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SELINUX_LIBS) \
+ $(PAM_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+@@ -1593,8 +1598,10 @@ sssd_sudo_LDADD = \
+ src/responder/sudo/sudosrv_dp.c \
+ $(SSSD_RESPONDER_OBJ)
+ sssd_sudo_LDADD = \
++ $(GSSAPI_KRB5_LIBS) \
+ $(LIBADD_DL) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_iface.la \
+@@ -1610,6 +1617,7 @@ sssd_autofs_LDADD = \
+ sssd_autofs_LDADD = \
+ $(LIBADD_DL) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_iface.la \
+@@ -1630,6 +1638,7 @@ sssd_ssh_LDADD = \
+ sssd_ssh_LDADD = \
+ $(LIBADD_DL) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_cert.la \
+@@ -1653,6 +1662,7 @@ sssd_pac_LDADD = \
+ $(NDR_KRB5PAC_LIBS) \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_idmap.la \
+ $(SSSD_INTERNAL_LTLIBS) \
+@@ -1731,6 +1741,7 @@ sssd_ifp_LDADD = \
+ sssd_ifp_LDADD = \
+ $(LIBADD_DL) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_cert.la \
+@@ -1794,6 +1805,7 @@ sssd_kcm_LDADD = \
+ $(LIBADD_DL) \
+ $(KRB5_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(UUID_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+@@ -1844,6 +1856,7 @@ sssd_be_LDADD = \
+ sssd_be_LDADD = \
+ $(LIBADD_DL) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CARES_LIBS) \
+ $(PAM_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+@@ -1905,6 +1918,7 @@ sss_signal_LDADD = \
+ src/tools/common/sss_process.c
+ $(NULL)
+ sss_signal_LDADD = \
++ $(LTLIBINTL) \
+ libsss_debug.la \
+ $(NULL)
+
+@@ -1961,7 +1975,7 @@ sss_sudo_cli_CFLAGS = $(AM_CFLAGS)
+ src/sss_client/sudo/sss_sudo_response.c \
+ src/sss_client/sudo_testcli/sudo_testcli.c
+ sss_sudo_cli_CFLAGS = $(AM_CFLAGS)
+-sss_sudo_cli_LDADD = $(CLIENT_LIBS)
++sss_sudo_cli_LDADD = $(GSSAPI_KRB5_LIBS) $(CLIENT_LIBS)
+ endif
+
+ if BUILD_SSH
+@@ -2142,6 +2156,7 @@ sysdb_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ sysdb_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+@@ -2155,6 +2170,7 @@ sysdb_ssh_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ sysdb_ssh_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+@@ -2167,6 +2183,7 @@ strtonum_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ strtonum_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ libsss_debug.la \
+ libsss_test_common.la
+@@ -2191,6 +2208,7 @@ krb5_utils_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ krb5_utils_tests_LDADD = \
+ $(SSSD_LIBS)\
++ $(LTLIBINTL) \
+ $(CARES_LIBS) \
+ $(KRB5_LIBS) \
+ $(CHECK_LIBS) \
+@@ -2251,6 +2269,7 @@ resolv_tests_LDADD = \
+ -DBUILD_TXT
+ resolv_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(CARES_LIBS) \
+ libsss_debug.la \
+@@ -2264,6 +2283,7 @@ file_watch_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ file_watch_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(INOTIFY_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+@@ -2277,6 +2297,7 @@ refcount_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ refcount_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+@@ -2290,6 +2311,7 @@ fail_over_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ fail_over_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(CARES_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+@@ -2321,6 +2343,7 @@ auth_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ auth_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+@@ -2373,6 +2396,7 @@ util_tests_LDADD = \
+ $(NULL)
+ util_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+@@ -2385,6 +2409,7 @@ safe_format_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ safe_format_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+@@ -2397,6 +2422,7 @@ debug_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ debug_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ libsss_debug.la
+
+@@ -2420,6 +2446,7 @@ ipa_hbac_tests_LDADD = \
+ $(CHECK_CFLAGS)
+ ipa_hbac_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CHECK_LIBS) \
+ libsss_test_common.la \
+ libipa_hbac.la
+@@ -2454,6 +2481,7 @@ responder_socket_access_tests_LDADD = \
+ $(LIBADD_DL) \
+ $(CHECK_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+@@ -2466,6 +2494,7 @@ stress_tests_LDADD = \
+ src/tests/stress-tests.c
+ stress_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la
+
+ krb5_child_test_SOURCES = \
+@@ -2490,6 +2519,7 @@ krb5_child_test_LDADD = \
+ $(CHECK_CFLAGS)
+ krb5_child_test_LDADD = \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(CARES_LIBS) \
+ $(KRB5_LIBS) \
+ $(CHECK_LIBS) \
+@@ -2507,6 +2537,7 @@ test_ssh_client_LDADD = \
+ test_ssh_client_LDADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(NULL)
+
+ test_sbus_message_SOURCES = \
+@@ -2602,6 +2633,7 @@ nss_srv_tests_LDADD = \
+ $(LIBADD_DL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+@@ -2650,6 +2682,7 @@ pam_srv_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(PAM_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(GSSAPI_KRB5_LIBS) \
+@@ -2693,6 +2726,7 @@ ssh_srv_tests_LDADD = \
+ $(LIBADD_DL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+@@ -2717,6 +2751,7 @@ responder_get_domains_tests_LDADD = \
+ $(LIBADD_DL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+@@ -2780,6 +2815,7 @@ test_negcache_LDADD = \
+ $(LIBADD_DL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+@@ -2806,6 +2842,7 @@ test_authtok_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ libsss_debug.la \
+ $(NULL)
+@@ -2821,6 +2858,7 @@ test_prompt_config_LDADD = \
+ test_prompt_config_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(NULL)
+@@ -2845,6 +2883,7 @@ deskprofile_utils_tests_LDADD = \
+ deskprofile_utils_tests_CFLAGS = \
+ $(AM_CFLAGS)
+ deskprofile_utils_tests_LDADD = \
++ $(LTLIBINTL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+@@ -2868,6 +2907,7 @@ dyndns_tests_LDADD = \
+ $(CARES_LIBS) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+@@ -2878,6 +2918,7 @@ domain_resolution_order_tests_LDADD = \
+ $(AM_CFLAGS)
+ domain_resolution_order_tests_LDADD = \
+ $(CMOCKA_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+@@ -2888,6 +2929,7 @@ fqnames_tests_LDADD = \
+ fqnames_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+@@ -2907,6 +2949,7 @@ nestedgroups_tests_LDADD = \
+ nestedgroups_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(OPENLDAP_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_idmap.la \
+@@ -2940,6 +2983,7 @@ test_ipa_idmap_LDADD = \
+ test_ipa_idmap_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ libsss_idmap.la \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+@@ -2962,6 +3006,7 @@ test_utils_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la
+
+ test_search_bases_SOURCES = \
+@@ -2970,6 +3015,7 @@ test_search_bases_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+@@ -2984,6 +3030,7 @@ test_ldap_auth_LDADD = \
+ test_ldap_auth_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+@@ -2997,6 +3044,7 @@ test_ldap_id_cleanup_LDADD = \
+ test_ldap_id_cleanup_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+@@ -3014,6 +3062,7 @@ test_sdap_access_LDADD = \
+ test_sdap_access_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+@@ -3033,6 +3082,7 @@ test_sdap_certmap_LDADD = \
+ test_sdap_certmap_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ $(POPT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+@@ -3044,6 +3094,7 @@ ad_access_filter_tests_LDADD = \
+ ad_access_filter_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+@@ -3065,6 +3116,7 @@ ad_gpo_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NDR_NBT_LIBS) \
+ libsss_ldap_common.la \
+@@ -3102,6 +3154,7 @@ ad_common_tests_LDADD = \
+ ad_common_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(KEYUTILS_LIBS) \
+ $(NDR_NBT_LIBS) \
+ $(NDR_KRB5PAC_LIBS) \
+@@ -3124,6 +3177,7 @@ dp_opt_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+@@ -3156,6 +3210,7 @@ sdap_tests_LDADD = \
+ $(TALLOC_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(OPENLDAP_LIBS) \
+ libsss_test_common.la \
+@@ -3176,6 +3231,7 @@ ifp_tests_LDADD = \
+ $(LIBADD_DL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+@@ -3205,6 +3261,7 @@ sss_sifp_tests_LDADD = \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS)
+ endif # BUILD_LIBSIFP
+ endif # BUILD_IFP
+@@ -3221,6 +3278,7 @@ test_sysdb_views_LDADD = \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3237,6 +3295,7 @@ test_sysdb_ts_cache_LDADD = \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3251,6 +3310,7 @@ test_sysdb_subdomains_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+@@ -3267,6 +3327,8 @@ test_sysdb_certmap_LDADD = \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3282,6 +3344,7 @@ test_sysdb_sudo_LDADD = \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3297,6 +3360,7 @@ test_sysdb_utils_LDADD = \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3328,6 +3392,7 @@ test_be_ptask_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3346,6 +3411,8 @@ test_copy_ccache_LDADD = \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(KRB5_LIBS) \
++ $(LTLIBINTL) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3400,6 +3467,7 @@ test_child_common_LDADD = \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
++ $(LTLIBINTL) \
+ libsss_debug.la \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3419,6 +3487,7 @@ responder_cache_req_tests_LDADD = \
+ $(LIBADD_DL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+@@ -3441,6 +3510,7 @@ test_resolv_fake_LDADD = \
+ test_resolv_fake_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(CARES_LIBS) \
+ $(DHASH_LIBS) \
+@@ -3464,6 +3534,7 @@ test_fo_srv_LDADD = \
+ $(TALLOC_LIBS) \
+ $(CARES_LIBS) \
+ $(DHASH_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+@@ -3485,6 +3556,7 @@ test_sdap_initgr_LDADD = \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+@@ -3504,6 +3576,7 @@ test_ad_subdom_LDADD = \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_ldap_common.la \
+ libsss_ad_tests.la \
+ libsss_idmap.la \
+@@ -3527,6 +3600,7 @@ test_ipa_subdom_util_LDADD = \
+ $(TALLOC_LIBS) \
+ $(LDB_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3558,6 +3632,7 @@ test_ipa_subdom_server_LDADD = \
+ $(KEYUTILS_LIBS) \
+ $(KRB5_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_ldap_common.la \
+ libsss_ad_tests.la \
+ libsss_test_common.la \
+@@ -3579,6 +3654,7 @@ test_tools_colondb_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(POPT_LIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3595,6 +3671,7 @@ test_krb5_wait_queue_LDADD = \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3615,6 +3692,7 @@ test_cert_utils_LDADD = \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(CRYPTO_LIBS) \
++ $(LTLIBINTL) \
+ libsss_debug.la \
+ libsss_test_common.la \
+ libsss_cert.la \
+@@ -3641,6 +3719,7 @@ test_data_provider_be_LDADD = \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ libsss_iface.la \
+@@ -3670,6 +3749,7 @@ test_dp_request_LDADD = \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+ if BUILD_SYSTEMTAP
+@@ -3696,6 +3776,7 @@ test_dp_builtin_LDADD = \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3710,6 +3791,7 @@ test_ipa_dn_LDADD = \
+ $(TEVENT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3723,6 +3805,7 @@ test_iobuf_LDADD = \
+ test_iobuf_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(NULL)
+
+ test_confdb_SOURCES = \
+@@ -3737,6 +3820,7 @@ test_confdb_LDADD = \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3757,6 +3841,7 @@ simple_access_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ libsss_iface.la \
+@@ -3774,6 +3859,7 @@ krb5_common_test_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
++ $(LTLIBINTL) \
+ libsss_krb5_common.la \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+@@ -3794,6 +3880,7 @@ test_inotify_LDADD = \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3812,6 +3899,7 @@ sss_certmap_test_LDADD = \
+ $(TALLOC_LIBS) \
+ $(SSS_CERT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ libsss_certmap.la \
+ $(NULL)
+@@ -3832,6 +3920,7 @@ test_sssd_krb5_locator_plugin_LDADD = \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(KRB5_LIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3883,6 +3972,7 @@ test_passkey_LDADD = \
+ test_passkey_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
+ $(PASSKEY_LIBS) \
+@@ -3910,6 +4000,7 @@ test_kcm_marshalling_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ $(NULL)
+
+@@ -3925,6 +4016,7 @@ test_kcm_queue_LDADD = \
+ $(LIBADD_DL) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ libsss_iface.la \
+@@ -3942,6 +4034,7 @@ test_krb5_idp_plugin_LDADD = \
+ test_krb5_idp_plugin_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(JANSSON_LIBS) \
++ $(LTLIBINTL) \
+ $(NULL)
+
+ if BUILD_PASSKEY
+@@ -3956,6 +4049,7 @@ test_krb5_passkey_plugin_LDADD = \
+ test_krb5_passkey_plugin_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(JANSSON_LIBS) \
++ $(LTLIBINTL) \
+ $(NULL)
+ endif # BUILD_PASSKEY
+
+@@ -3988,6 +4082,7 @@ test_kcm_renewals_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(LTLIBINTL) \
+ libsss_test_common.la \
+ libsss_iface.la \
+ libsss_sbus.la \
+@@ -4029,6 +4124,7 @@ test_sssd_krb5_localauth_plugin_LDADD = \
+ test_sssd_krb5_localauth_plugin_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(KRB5_LIBS) \
++ $(LTLIBINTL) \
+ $(NULL)
+ endif
+
+@@ -4085,6 +4181,7 @@ libnss_sss_la_SOURCES = \
+ nsslib_LTLIBRARIES = libnss_sss.la
+ libnss_sss_la_SOURCES = \
+ src/sss_client/common.c \
++ src/sss_client/bsdnss.c \
+ src/sss_client/nss_passwd.c \
+ src/sss_client/nss_group.c \
+ src/sss_client/nss_netgroup.c \
+@@ -4183,6 +4280,7 @@ libsss_sudo_la_LIBADD = \
+ src/sss_client/sudo/sss_sudo.h \
+ src/sss_client/sudo/sss_sudo_private.h
+ libsss_sudo_la_LIBADD = \
++ $(GSSAPI_KRB5_LIBS) \
+ $(CLIENT_LIBS)
+ libsss_sudo_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/sss_client/sss_sudo.exports \
+@@ -4314,6 +4412,7 @@ libsss_ldap_common_la_LIBADD = \
+ $(OPENLDAP_LIBS) \
+ $(DHASH_LIBS) \
+ $(KRB5_LIBS) \
++ $(LTLIBINTL) \
+ libsss_krb5_common.la \
+ libsss_idmap.la \
+ libsss_certmap.la \
+@@ -4718,6 +4817,7 @@ ldap_child_LDADD = \
+ $(KRB5_CFLAGS)
+ ldap_child_LDADD = \
+ libsss_debug.la \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+@@ -4764,6 +4864,7 @@ gpo_child_LDADD = \
+ $(SMBCLIENT_CFLAGS)
+ gpo_child_LDADD = \
+ libsss_debug.la \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+@@ -4780,6 +4881,7 @@ proxy_child_LDADD = \
+ proxy_child_LDADD = \
+ $(PAM_LIBS) \
+ $(SSSD_LIBS) \
++ $(LTLIBINTL) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_iface.la \
+ libsss_sbus.la \
+@@ -4807,6 +4909,7 @@ p11_child_LDADD = \
+
+ p11_child_LDADD = \
+ libsss_debug.la \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
+@@ -4834,6 +4937,7 @@ passkey_child_LDADD = \
+ passkey_child_LDADD = \
+ libsss_crypt.la \
+ libsss_debug.la \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
+@@ -4862,6 +4966,7 @@ oidc_child_LDADD = \
+ $(NULL)
+ oidc_child_LDADD = \
+ libsss_debug.la \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(JANSSON_LIBS) \
+@@ -4880,6 +4985,7 @@ memberof_la_LIBADD = \
+ $(NULL)
+ memberof_la_LIBADD = \
+ libsss_debug.la \
++ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(LDB_LIBS) \
+ $(DHASH_LIBS) \
+@@ -4943,6 +5049,7 @@ sssd_krb5_idp_plugin_la_LIBADD = \
+ $(KRB5_LIBS) \
+ $(KRAD_LIBS) \
+ $(JANSSON_LIBS) \
++ $(LTLIBINTL) \
+ $(NULL)
+ sssd_krb5_idp_plugin_la_LDFLAGS = \
+ -avoid-version \
diff --git a/security/sssd2/files/patch-configure.ac b/security/sssd2/files/patch-configure.ac
new file mode 100644
index 000000000000..e0f0edfceff9
--- /dev/null
+++ b/security/sssd2/files/patch-configure.ac
@@ -0,0 +1,51 @@
+--- configure.ac.orig 2023-05-05 08:11:07 UTC
++++ configure.ac
+@@ -46,8 +46,6 @@ AC_CONFIG_HEADER(config.h)
+ AC_CHECK_HEADERS([stdatomic.h],,AC_MSG_ERROR([C11 atomic types are not supported]))
+ AC_CONFIG_HEADER(config.h)
+
+-AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
+-
+ m4_include([src/build_macros.m4])
+ BUILD_WITH_SHARED_BUILD_DIR
+
+@@ -67,7 +65,20 @@ AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD"
+ LIBS=$SAVE_LIBS
+ AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"])
+
++saved_CFLAGS="$CFLAGS"
++CFLAGS="-Werror"
++AC_COMPILE_IFELSE(
++ [AC_LANG_PROGRAM([[#include <string.h>]],
++ [[(void)mempcpy(NULL, NULL, 0);]])],
++ [AC_DEFINE([HAVE_MEMPCPY], [1], [mempcpy() available])
++ HAVE_MEMPCPY=1
++ ],
++ [AC_MSG_WARN([mempcpy() not found, will use private implementation])])
+
++CFLAGS="$saved_CFLAGS"
++
++AM_CONDITIONAL([HAVE_MEMPCPY], [test x"$HAVE_MEMPCPY" != "x"])
++
+ SAVE_LIBS=$LIBS
+ LIBS=
+ AC_LINK_IFELSE(
+@@ -223,7 +234,6 @@ m4_include([src/external/libkeyutils.m4])
+ m4_include([src/external/crypto.m4])
+ m4_include([src/external/nsupdate.m4])
+ m4_include([src/external/libkeyutils.m4])
+-m4_include([src/external/libkrad.m4])
+ m4_include([src/external/libnl.m4])
+ m4_include([src/external/systemd.m4])
+ m4_include([src/external/pac_responder.m4])
+@@ -390,8 +400,8 @@ them please use argument --without-python3-bindings wh
+ AM_CHECK_PYTHON_HEADERS([],
+ AC_MSG_ERROR([Could not find python3 headers]))
+
+- AC_SUBST([py3execdir], [$pyexecdir])
+- AC_SUBST([python3dir], [$pythondir])
++ AC_SUBST([py3execdir], [$(eval echo $pyexecdir)])
++ AC_SUBST([python3dir], [$(eval echo $pythondir)])
+ AC_SUBST([PYTHON3_CFLAGS], [$PYTHON_CFLAGS])
+ AC_SUBST([PYTHON3_LIBS], [$PYTHON_LIBS])
+ AC_SUBST([PYTHON3_INCLUDES], [$PYTHON_INCLUDES])
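Review bot: The mempcpy probe replaces the whole of CFLAGS with `-Werror` and only compiles, so its result depends on the compiler warning about an undeclared function. Any unrelated warning in the test program will report mempcpy as missing and pull in the private implementation. The stock macro does a link test and defines HAVE_MEMPCPY itself: `AC_CHECK_FUNCS([mempcpy])` followed by `AM_CONDITIONAL([HAVE_MEMPCPY], [test x"$ac_cv_func_mempcpy" = xyes])`. That also removes the need to save and restore CFLAGS.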
diff --git a/security/sssd2/files/patch-src__confdb__confdb.c b/security/sssd2/files/patch-src__confdb__confdb.c
new file mode 100644
index 000000000000..138966638518
--- /dev/null
+++ b/security/sssd2/files/patch-src__confdb__confdb.c
@@ -0,0 +1,19 @@
+--- src/confdb/confdb.c.orig 2023-05-05 08:11:07 UTC
++++ src/confdb/confdb.c
+@@ -21,6 +21,7 @@
+
+ #include "config.h"
+
++#include <sys/param.h>
+ #include <ctype.h>
+ #include "util/util.h"
+ #include "confdb/confdb.h"
+@@ -887,7 +888,7 @@ static char *confdb_get_domain_hostname(TALLOC_CTX *me
+ struct ldb_result *res,
+ const char *provider)
+ {
+- char sys[HOST_NAME_MAX + 1] = {'\0'};
++ char sys[MAXHOSTNAMELEN + 1] = {'\0'};
+ const char *opt = NULL;
+ int ret;
+
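Review bot: HOST_NAME_MAX is replaced by MAXHOSTNAMELEN by hand here and again in the radius_kdcpreauth.c, ad_common.c, data_provider_fo.c and ipa_common.c patches, which gives the port five files to re-check on every upstream update. A single fallback in a header that all of these sources include (which one is not visible from the hunks) would cover them and any future use: `#ifndef HOST_NAME_MAX`, `#define HOST_NAME_MAX MAXHOSTNAMELEN`, `#endif`. The body of confdb_get_domain_hostname continues outside the hunk, so the length passed to the hostname lookup cannot be checked here.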
diff --git a/security/sssd2/files/patch-src__external__crypto.m4 b/security/sssd2/files/patch-src__external__crypto.m4
new file mode 100644
index 000000000000..739502c9da13
--- /dev/null
+++ b/security/sssd2/files/patch-src__external__crypto.m4
@@ -0,0 +1,21 @@
+--- src/external/crypto.m4.orig 2023-05-05 08:11:07 UTC
++++ src/external/crypto.m4
+@@ -1,6 +1,15 @@
+-AC_DEFUN([AM_CHECK_LIBCRYPTO],
+- [PKG_CHECK_MODULES([CRYPTO],[libcrypto])
+- PKG_CHECK_MODULES([SSL],[libssl])
++CRYPTO_CFLAGS="-I/usr/include"
++CRYPTO_LIBS="-L/usr/lib -lcrypto"
++AC_SUBST(CRYPTO_CFLAGS)
++AC_SUBST(CRYPTO_LIBS)
++
++SSL_CFLAGS="-I/usr/include"
++SSL_LIBS="-L/usr/lib -lssl"
++AC_SUBST(SSL_CFLAGS)
++AC_SUBST(SSL_LIBS)
++
++AC_DEFUN([AM_CHECK_LIBCRYPTO], [
++ AC_MSG_RESULT([yes])
+ ])
+
+ AC_MSG_CHECKING([whether OpenSSL's x400Address is ASN1_STRING])
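Review bot: The OpenSSL location is hard-coded to `/usr/include` and `/usr/lib`, and AM_CHECK_LIBCRYPTO is reduced to `AC_MSG_RESULT([yes])`, so configure no longer verifies that libcrypto and libssl exist or which copy gets linked. If another dependency of this build is linked against an OpenSSL from a different prefix (not visible here), two libcrypto versions could be loaded into one process. Keeping a link test inside the macro would fail early instead, for example `AC_CHECK_LIB([crypto], [EVP_DigestInit_ex], [], [AC_MSG_ERROR([libcrypto not found])], [$CRYPTO_LIBS])`. The bare AC_MSG_RESULT also has no matching AC_MSG_CHECKING, which leaves a stray "yes" in the configure output.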
diff --git a/security/sssd2/files/patch-src__external__inotify.m4 b/security/sssd2/files/patch-src__external__inotify.m4
new file mode 100644
index 000000000000..2dd08bc16be2
--- /dev/null
+++ b/security/sssd2/files/patch-src__external__inotify.m4
@@ -0,0 +1,15 @@
+--- src/external/inotify.m4.orig 2023-06-05 03:56:40 UTC
++++ src/external/inotify.m4
+@@ -20,10 +20,10 @@ int main () {
+ AS_IF([test x"$inotify_works" != xyes],
+ [AC_CHECK_LIB([inotify],
+ [inotify_init],
+- [INOTIFY_LIBS="$sss_extra_libdir -linotify"
++ [INOTIFY_LIBS="-L$sss_extra_libdir -linotify"
+ inotify_works=yes],
+ [inotify_works=no],
+- [$sss_extra_libdir])]
++ [-L$sss_extra_libdir])]
+ )
+
+ AS_IF([test x"$inotify_works" = xyes],
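Review bot: `-L$sss_extra_libdir` expands to a bare `-L` when `sss_extra_libdir` is empty, and the linker then consumes `-linotify` as the directory argument, so the library drops out of both the AC_CHECK_LIB probe and INOTIFY_LIBS. Where the variable is set is not visible in this hunk. If it can be empty, build the flag conditionally, e.g. `inotify_ldflags=${sss_extra_libdir:+-L$sss_extra_libdir}`, and use `$inotify_ldflags` in both places.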
diff --git a/security/sssd2/files/patch-src__external__krb5.m4 b/security/sssd2/files/patch-src__external__krb5.m4
new file mode 100644
index 000000000000..691efaa0dc98
--- /dev/null
+++ b/security/sssd2/files/patch-src__external__krb5.m4
@@ -0,0 +1,13 @@
+--- src/external/krb5.m4.orig 2023-05-05 08:11:07 UTC
++++ src/external/krb5.m4
+@@ -1,5 +1,10 @@
++KRB5_CFLAGS="-I/usr/local/include"
++KRB5_LIBS="-L/usr/local/lib -lkrb5"
++KRB5_CONFIG="/usr/local/bin/krb5-config"
++
+ AC_SUBST(KRB5_CFLAGS)
+ AC_SUBST(KRB5_LIBS)
++AC_SUBST(KRB5_CONFIG)
+
+ if test x$KRB5_LIBS != x; then
+ KRB5_PASSED_LIBS=$KRB5_LIBS
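Review bot: The three assignments at the top overwrite any KRB5_CFLAGS, KRB5_LIBS or KRB5_CONFIG passed to configure, and they make the `if test x$KRB5_LIBS != x` branch below always taken. Assigning defaults instead keeps the override path open: `: ${KRB5_CONFIG:=/usr/local/bin/krb5-config}`, and likewise for the other two. The prefix is also fixed to `/usr/local` rather than taken from the build environment, so a non-default prefix would silently pick up a different Kerberos or none. The conditional continues outside the hunk.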
diff --git a/security/sssd2/files/patch-src__external__nsupdate.m4 b/security/sssd2/files/patch-src__external__nsupdate.m4
new file mode 100644
index 000000000000..d75aeeb5673d
--- /dev/null
+++ b/security/sssd2/files/patch-src__external__nsupdate.m4
@@ -0,0 +1,23 @@
+--- src/external/nsupdate.m4.orig 2024-01-12 12:05:40 UTC
++++ src/external/nsupdate.m4
+@@ -4,13 +4,13 @@ if test -x "$NSUPDATE"; then
+ AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate])
+ AC_MSG_RESULT(yes)
+
+- AC_MSG_CHECKING(for nsupdate 'realm' support')
+- if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then
+- AC_MSG_RESULT([yes])
+- else
+- AC_MSG_RESULT([no])
+- AC_MSG_ERROR([nsupdate does not support 'realm'])
+- fi
++ #AC_MSG_CHECKING(for nsupdate 'realm' support')
++ #if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then
++ # AC_MSG_RESULT([yes])
++ #else
++ # AC_MSG_RESULT([no])
++ # AC_MSG_ERROR([nsupdate does not support 'realm'])
++ #fi
+
+ else
+ AC_MSG_RESULT([no])
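Review bot: The 'realm' probe is disabled by commenting it out with no explanation, so configure now accepts an nsupdate without realm support and nothing in the build log records it. If the probe fails for a reason specific to this platform, a comment saying so belongs above the block, e.g. `# realm probe disabled: <reason>`. If the feature may really be absent, downgrade rather than delete by replacing the `AC_MSG_ERROR` with `AC_MSG_WARN([nsupdate does not support 'realm'])`.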
diff --git a/security/sssd2/files/patch-src__external__pac_responder.m4 b/security/sssd2/files/patch-src__external__pac_responder.m4
new file mode 100644
index 000000000000..a6403e3c512e
--- /dev/null
+++ b/security/sssd2/files/patch-src__external__pac_responder.m4
@@ -0,0 +1,11 @@
+--- src/external/pac_responder.m4.orig 2023-05-05 08:11:07 UTC
++++ src/external/pac_responder.m4
+@@ -7,7 +7,7 @@ then
+ krb5_version_ok=no
+ if test x$build_pac_responder = xyes
+ then
+- AC_PATH_PROG(KRB5_CONFIG, krb5-config)
++ AC_PATH_PROG(KRB5_CONFIG, /usr/local/bin/krb5-config)
+ AC_MSG_CHECKING(for supported MIT krb5 version)
+ KRB5_VERSION="`$KRB5_CONFIG --version`"
+ case $KRB5_VERSION in
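Review bot: AC_PATH_PROG takes a program name and searches for it in each PATH directory, so passing `/usr/local/bin/krb5-config` as the name will not match anything. The lookup can then only succeed when KRB5_CONFIG is already set to an absolute path before this macro runs, and whether that happens depends on include order not visible here. If it is not set, `$KRB5_CONFIG --version` on the next line runs an empty command. The supported form is to keep the bare name and extend the search path: `AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin$PATH_SEPARATOR$PATH])`.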
diff --git a/security/sssd2/files/patch-src__external__platform.m4 b/security/sssd2/files/patch-src__external__platform.m4
new file mode 100644
index 000000000000..30caaaaf51ae
--- /dev/null
+++ b/security/sssd2/files/patch-src__external__platform.m4
@@ -0,0 +1,51 @@
+--- src/external/platform.m4.orig 2023-05-05 08:11:07 UTC
++++ src/external/platform.m4
+@@ -1,9 +1,10 @@ AC_ARG_WITH([os],
+ AC_ARG_WITH([os],
+- [AC_HELP_STRING([--with-os=OS_TYPE], [Type of your operation system (fedora|redhat|suse|gentoo)])]
++ [AC_HELP_STRING([--with-os=OS_TYPE], [Type of your operation system (fedora|redhat|suse|gentoo|freebsd)])]
+ )
+ osname=""
+ if test x"$with_os" != x ; then
+ if test x"$with_os" = xfedora || \
++ test x"$with_os" = xfreebsd || \
+ test x"$with_os" = xredhat || \
+ test x"$with_os" = xsuse || \
+ test x"$with_os" = xgentoo || \
+@@ -25,6 +26,8 @@ if test x"$osname" = x ; then
+ osname="debian"
+ elif test -f /etc/gentoo-release ; then
+ osname="gentoo"
++ elif test -f /etc/os-release ; then
++ osname="freebsd"
+ fi
+
+ AC_MSG_NOTICE([Detected operating system type: $osname])
+@@ -35,6 +38,7 @@ AM_CONDITIONAL([HAVE_GENTOO], [test x"$osname" = xgent
+ AM_CONDITIONAL([HAVE_SUSE], [test x"$osname" = xsuse])
+ AM_CONDITIONAL([HAVE_DEBIAN], [test x"$osname" = xdebian])
+ AM_CONDITIONAL([HAVE_GENTOO], [test x"$osname" = xgentoo])
++AM_CONDITIONAL([HAVE_FREEBSD], [test x"$osname" = xfreebsd])
+
+ AS_CASE([$osname],
+ [redhat], [AC_DEFINE_UNQUOTED([HAVE_REDHAT], 1, [Build with redhat config])],
+@@ -42,10 +46,18 @@ AS_CASE([$osname],
+ [suse], [AC_DEFINE_UNQUOTED([HAVE_SUSE], 1, [Build with suse config])],
+ [gentoo], [AC_DEFINE_UNQUOTED([HAVE_GENTOO], 1, [Build with gentoo config])],
+ [debian], [AC_DEFINE_UNQUOTED([HAVE_DEBIAN], 1, [Build with debian config])],
++ [freebsd], [AC_DEFINE_UNQUOTED([HAVE_FREEBSD], 1, [Build with freebsd config])],
+ [AC_MSG_NOTICE([Build with $osname config])])
+
+-AC_CHECK_MEMBERS([struct ucred.pid, struct ucred.uid, struct ucred.gid], , ,
++if test x"$osname" = x"freebsd"; then
++ AC_CHECK_MEMBERS([struct xucred.cr_pid, struct xucred.cr_uid, struct xucred.cr_gid], , , [[
++#include <sys/param.h>
++#include <sys/ucred.h>
++]])
++else
++ AC_CHECK_MEMBERS([struct ucred.pid, struct ucred.uid, struct ucred.gid], , ,
+ [[#include <sys/socket.h>]])
++fi
+
+ if test x"$ac_cv_member_struct_ucred_pid" = xyes -a \
+ x"$ac_cv_member_struct_ucred_uid" = xyes -a \
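Review bot: On the freebsd branch the member check records its result in the `ac_cv_member_struct_xucred_cr_*` cache variables, but the test that follows the hunk still reads `ac_cv_member_struct_ucred_pid` and `ac_cv_member_struct_ucred_uid`. Whatever that conditional enables, presumably the peer-credential support used on the client socket, will therefore stay off on FreeBSD unless the C code handles xucred by another route. That conditional continues outside the hunk and should be confirmed and extended to the xucred variables. Separately, `test -f /etc/os-release` is true on most Linux distributions as well, so an unrecognised Linux would be labelled freebsd; matching on `$host_os` or `uname -s` would be unambiguous.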
diff --git a/security/sssd2/files/patch-src__external__samba.m4 b/security/sssd2/files/patch-src__external__samba.m4
new file mode 100644
index 000000000000..7c6b25138b58
--- /dev/null
+++ b/security/sssd2/files/patch-src__external__samba.m4
@@ -0,0 +1,32 @@
+--- src/external/samba.m4.orig 2023-05-05 08:11:07 UTC
++++ src/external/samba.m4
+@@ -64,7 +64,7 @@ --without-samba
+ else
+
+ AC_MSG_CHECKING([Samba's idmap plugin interface version])
+- sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba
++ sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/private
+ SAVE_CFLAGS=$CFLAGS
+ SAVE_LIBS=$LIBS
+ CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS"
+@@ -157,12 +157,16 @@ AC_CHECK_MEMBERS([struct PAC_LOGON_INFO.resource_group
+ SAVE_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS"
+ AC_CHECK_MEMBERS([struct PAC_LOGON_INFO.resource_groups], , ,
+- [[ #include <ndr.h>
+- #include <gen_ndr/krb5pac.h>
++ [[ #include <sys/types.h>
++ #include <sys/time.h>
++ #include <time.h>
++ #include <ndr.h>
+ #include <gen_ndr/krb5pac.h>]])
+ AC_CHECK_MEMBERS([struct PAC_UPN_DNS_INFO.ex], ,
+ [AC_MSG_NOTICE([union PAC_UPN_DNS_INFO_EX is not available, PAC checks will be limited])],
+- [[ #include <ndr.h>
+- #include <gen_ndr/krb5pac.h>
++ [[ #include <sys/types.h>
++ #include <sys/time.h>
++ #include <time.h>
++ #include <ndr.h>
+ #include <gen_ndr/krb5pac.h>]])
+ CFLAGS=$SAVE_CFLAGS
diff --git a/security/sssd2/files/patch-src__krb5_plugin__common__radius_kdcpreauth.c b/security/sssd2/files/patch-src__krb5_plugin__common__radius_kdcpreauth.c
new file mode 100644
index 000000000000..233dd417d8f5
--- /dev/null
+++ b/security/sssd2/files/patch-src__krb5_plugin__common__radius_kdcpreauth.c
@@ -0,0 +1,19 @@
+--- src/krb5_plugin/common/radius_kdcpreauth.c.orig 2023-05-05 08:11:07 UTC
++++ src/krb5_plugin/common/radius_kdcpreauth.c
+@@ -18,6 +18,7 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/param.h>
+ #include <errno.h>
+ #include <stdbool.h>
+ #include <stdlib.h>
+@@ -414,7 +415,7 @@ sss_radiuskdc_client_init(krb5_context kctx,
+ struct sss_radiuskdc_config *config)
+ {
+ struct sss_radiuskdc_client *client;
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[MAXHOSTNAMELEN + 1];
+ krb5_data data = {0};
+ krb5_error_code ret;
+
diff --git a/security/sssd2/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.c b/security/sssd2/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.c
new file mode 100644
index 000000000000..c3e821355d7b
--- /dev/null
+++ b/security/sssd2/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.c
@@ -0,0 +1,11 @@
+--- src/lib/winbind_idmap_sss/winbind_idmap_sss.c.orig 2023-05-05 08:11:07 UTC
++++ src/lib/winbind_idmap_sss/winbind_idmap_sss.c
+@@ -22,6 +22,8 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/types.h>
++#include <sys/time.h>
+ #include <string.h>
+ #include <errno.h>
+
diff --git a/security/sssd2/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h b/security/sssd2/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h
new file mode 100644
index 000000000000..5fc97a38e37e
--- /dev/null
+++ b/security/sssd2/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h
@@ -0,0 +1,11 @@
+--- src/lib/winbind_idmap_sss/winbind_idmap_sss.h.orig 2023-06-05 04:01:16 UTC
++++ src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+@@ -29,6 +29,8 @@
+ #include <stdbool.h>
+
+ #include <core/ntstatus.h>
++#include <unistd.h>
++#include <time.h>
+ #include <ndr.h>
+ #include <gen_ndr/security.h>
+
diff --git a/security/sssd2/files/patch-src__p11_child__p11_child_common.c b/security/sssd2/files/patch-src__p11_child__p11_child_common.c
new file mode 100644
index 000000000000..4304a8681ba4
--- /dev/null
+++ b/security/sssd2/files/patch-src__p11_child__p11_child_common.c
@@ -0,0 +1,19 @@
+--- src/p11_child/p11_child_common.c.orig 2023-05-05 08:11:07 UTC
++++ src/p11_child/p11_child_common.c
+@@ -27,7 +27,6 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <popt.h>
+-#include <sys/prctl.h>
+
+ #include "util/util.h"
+ #include "util/child_common.h"
+@@ -305,8 +304,6 @@ int main(int argc, const char *argv[])
+ }
+
+ poptFreeContext(pc);
+-
+- prctl(PR_SET_DUMPABLE, (dumpable == 0) ? 0 : 1);
+
+ debug_prg_name = talloc_asprintf(NULL, "p11_child[%d]", getpid());
+ if (debug_prg_name == NULL) {
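Review bot: Removing the `prctl(PR_SET_DUMPABLE, ...)` call leaves the `dumpable` option with no effect, so this helper stays traceable and able to dump core even when the caller asked for the opposite. For a child process that presumably handles authentication secrets, that is a loss of hardening rather than a pure portability fix. FreeBSD has an equivalent in procctl(2): add `#include <sys/procctl.h>` and replace the removed line with `int trace = (dumpable == 0) ? PROC_TRACE_CTL_DISABLE : PROC_TRACE_CTL_ENABLE;` followed by `procctl(P_PID, getpid(), PROC_TRACE_CTL, &trace);`. The same removal appears in the passkey_child_common.c and ad_gpo_child.c patches. main() continues outside the hunk.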
diff --git a/security/sssd2/files/patch-src__passkey_child__passkey_child_common.c b/security/sssd2/files/patch-src__passkey_child__passkey_child_common.c
new file mode 100644
index 000000000000..0854721e7a80
--- /dev/null
+++ b/security/sssd2/files/patch-src__passkey_child__passkey_child_common.c
@@ -0,0 +1,19 @@
+--- src/passkey_child/passkey_child_common.c.orig 2024-01-12 12:05:40 UTC
++++ src/passkey_child/passkey_child_common.c
+@@ -23,7 +23,6 @@
+ */
+
+ #include <popt.h>
+-#include <sys/prctl.h>
+ #include <fido/param.h>
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+@@ -272,8 +271,6 @@ parse_arguments(TALLOC_CTX *mem_ctx, int argc, const c
+ }
+
+ poptFreeContext(pc);
+-
+- prctl(PR_SET_DUMPABLE, (dumpable == 0) ? 0 : 1);
+
+ if (user_verification != NULL) {
+ if (strcmp(user_verification, "true") == 0) {
diff --git a/security/sssd2/files/patch-src__providers__ad__ad_common.c b/security/sssd2/files/patch-src__providers__ad__ad_common.c
new file mode 100644
index 000000000000..d4813193d1b1
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ad__ad_common.c
@@ -0,0 +1,41 @@
+--- src/providers/ad/ad_common.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/ad/ad_common.c
+@@ -19,6 +19,7 @@
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
++#include <sys/param.h>
+ #include <ctype.h>
+
+ #include "providers/ad/ad_common.h"
+@@ -495,8 +496,8 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+ char *server;
+ char *realm;
+ char *ad_hostname;
+- char hostname[HOST_NAME_MAX + 1];
+- char fqdn[HOST_NAME_MAX + 1];
++ char hostname[MAXHOSTNAMELEN + 1];
++ char fqdn[MAXHOSTNAMELEN + 1];
+ char *case_sensitive_opt;
+ const char *opt_override;
+
+@@ -543,7 +544,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+ strerror(ret));
+ goto done;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[MAXHOSTNAMELEN] = '\0';
+
+ if (strchr(hostname, '.') == NULL) {
+ ret = ad_try_to_get_fqdn(hostname, fqdn, sizeof(fqdn));
+@@ -552,8 +553,8 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+ "The hostname [%s] has been expanded to FQDN [%s]. "
+ "If sssd should really use the short hostname, please "
+ "set ad_hostname explicitly.\n", hostname, fqdn);
+- strncpy(hostname, fqdn, HOST_NAME_MAX);
+- hostname[HOST_NAME_MAX] = '\0';
++ strncpy(hostname, fqdn, MAXHOSTNAMELEN);
++ hostname[MAXHOSTNAMELEN] = '\0';
+ }
+ }
+
diff --git a/security/sssd2/files/patch-src__providers__ad__ad_gpo_child.c b/security/sssd2/files/patch-src__providers__ad__ad_gpo_child.c
new file mode 100644
index 000000000000..3e5f890b5137
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ad__ad_gpo_child.c
@@ -0,0 +1,19 @@
+--- src/providers/ad/ad_gpo_child.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/ad/ad_gpo_child.c
+@@ -26,7 +26,6 @@
+ #include <ctype.h>
+ #include <unistd.h>
+ #include <popt.h>
+-#include <sys/prctl.h>
+ #include <libsmbclient.h>
+ #include <security/pam_modules.h>
+
+@@ -699,8 +698,6 @@ main(int argc, const char *argv[])
+ }
+
+ poptFreeContext(pc);
+-
+- prctl(PR_SET_DUMPABLE, (dumpable == 0) ? 0 : 1);
+
+ debug_prg_name = talloc_asprintf(NULL, "gpo_child[%d]", getpid());
+ if (debug_prg_name == NULL) {
diff --git a/security/sssd2/files/patch-src__providers__ad__ad_pac.h b/security/sssd2/files/patch-src__providers__ad__ad_pac.h
new file mode 100644
index 000000000000..f9de3661d985
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ad__ad_pac.h
@@ -0,0 +1,11 @@
+--- src/providers/ad/ad_pac.h.orig 2023-06-05 04:04:46 UTC
++++ src/providers/ad/ad_pac.h
+@@ -32,6 +32,8 @@
+ #ifdef ldb_val
+ #error Please make sure to include ad_pac.h before ldb.h
+ #endif
++#include <unistd.h>
++#include <time.h>
+ #include <ndr.h>
+ #include <gen_ndr/krb5pac.h>
+ #include <gen_ndr/ndr_krb5pac.h>
diff --git a/security/sssd2/files/patch-src__providers__ad__ad_pac_common.c b/security/sssd2/files/patch-src__providers__ad__ad_pac_common.c
new file mode 100644
index 000000000000..ab1c08e07e8b
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ad__ad_pac_common.c
@@ -0,0 +1,11 @@
+--- src/providers/ad/ad_pac_common.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/ad/ad_pac_common.c
+@@ -20,6 +20,8 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/types.h>
++#include <sys/time.h>
+
+ #include "providers/ad/ad_pac.h"
+ #include "util/util.h"
diff --git a/security/sssd2/files/patch-src__providers__data_provider__dp_modules.c b/security/sssd2/files/patch-src__providers__data_provider__dp_modules.c
new file mode 100644
index 000000000000..482a8c334c5b
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__data_provider__dp_modules.c
@@ -0,0 +1,10 @@
+--- src/providers/data_provider/dp_modules.c.orig 2023-05-25 06:34:10 UTC
++++ src/providers/data_provider/dp_modules.c
+@@ -23,6 +23,7 @@
+ #include "providers/data_provider/dp.h"
+ #include "providers/data_provider/dp_private.h"
+ #include "providers/backend.h"
++#include "util/sss_bsd_errno.h"
+ #include "util/util.h"
+
+ /* There can be at most the same number of different modules loaded at
diff --git a/security/sssd2/files/patch-src__providers__data_provider__dp_targets.c b/security/sssd2/files/patch-src__providers__data_provider__dp_targets.c
new file mode 100644
index 000000000000..2a83b5070e9d
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__data_provider__dp_targets.c
@@ -0,0 +1,10 @@
+--- src/providers/data_provider/dp_targets.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/data_provider/dp_targets.c
+@@ -26,6 +26,7 @@
+ #include "providers/data_provider/dp_private.h"
+ #include "providers/data_provider/dp_builtin.h"
+ #include "providers/backend.h"
++#include "util/sss_bsd_errno.h"
+ #include "util/util.h"
+
+ #define DP_TARGET_INIT_FN "sssm_%s_%s_init"
diff --git a/security/sssd2/files/patch-src__providers__data_provider_be.c b/security/sssd2/files/patch-src__providers__data_provider_be.c
new file mode 100644
index 000000000000..527186d6fc73
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__data_provider_be.c
@@ -0,0 +1,11 @@
+--- src/providers/data_provider_be.c.orig 2023-05-25 06:24:25 UTC
++++ src/providers/data_provider_be.c
+@@ -25,6 +25,8 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/socket.h>
++#include <netinet/in.h>
++#include <arpa/inet.h>
+ #include <sys/un.h>
+ #include <string.h>
+ #include <sys/time.h>
diff --git a/security/sssd2/files/patch-src__providers__data_provider_fo.c b/security/sssd2/files/patch-src__providers__data_provider_fo.c
new file mode 100644
index 000000000000..4e4dc0d1da9f
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__data_provider_fo.c
@@ -0,0 +1,28 @@
+--- src/providers/data_provider_fo.c.orig 2023-05-25 06:28:15 UTC
++++ src/providers/data_provider_fo.c
+@@ -19,6 +19,7 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/param.h>
+ #include <netdb.h>
+ #include <arpa/inet.h>
+ #include "providers/backend.h"
+@@ -237,7 +238,7 @@ errno_t be_fo_set_dns_srv_lookup_plugin(struct be_ctx
+ const char *hostname)
+ {
+ struct fo_resolve_srv_dns_ctx *srv_ctx = NULL;
+- char resolved_hostname[HOST_NAME_MAX + 1];
++ char resolved_hostname[MAXHOSTNAMELEN + 1];
+ errno_t ret;
+
+ if (hostname == NULL) {
+@@ -248,7 +249,7 @@ errno_t be_fo_set_dns_srv_lookup_plugin(struct be_ctx
+ "gethostname() failed: [%d]: %s\n", ret, strerror(ret));
+ return ret;
+ }
+- resolved_hostname[HOST_NAME_MAX] = '\0';
++ resolved_hostname[MAXHOSTNAMELEN] = '\0';
+ hostname = resolved_hostname;
+ }
+
diff --git a/security/sssd2/files/patch-src__providers__files__files_ops.c b/security/sssd2/files/patch-src__providers__files__files_ops.c
new file mode 100644
index 000000000000..f53f65264139
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__files__files_ops.c
@@ -0,0 +1,88 @@
+--- src/providers/files/files_ops.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/files/files_ops.c
+@@ -53,8 +53,11 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
+ struct passwd *pwd_iter = NULL;
+ struct passwd *pwd = NULL;
+ struct passwd **users = NULL;
++ struct passwd *pbuf = NULL;
+ FILE *pwd_handle = NULL;
+ size_t n_users = 0;
++ char *buf = NULL;
++ unsigned int bufsize = 1024;
+
+ pwd_handle = fopen(passwd_file, "r");
+ if (pwd_handle == NULL) {
+@@ -72,7 +75,19 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- while ((pwd_iter = fgetpwent(pwd_handle)) != NULL) {
++ buf = talloc_zero_array(mem_ctx, char, bufsize);
++ if (buf == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ pbuf = talloc_zero(mem_ctx, struct passwd);
++ if (pbuf == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ while (getpwent_r(pbuf, buf, (size_t)bufsize, &pwd_iter) == 0 && pwd_iter != NULL) {
+ /* FIXME - we might want to support paging of sorts to avoid allocating
+ * all users atop a memory context or only return users that differ from
+ * the local storage as a diff to minimize memory spikes
+@@ -126,6 +141,9 @@ done:
+ users[n_users] = NULL;
+ *_users = users;
+ done:
++ talloc_free(pbuf);
++ talloc_free(buf);
++
+ if (ret != EOK) {
+ talloc_free(users);
+ }
+@@ -150,8 +168,11 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
+ struct group *grp_iter = NULL;
+ struct group *grp = NULL;
+ struct group **groups = NULL;
++ struct group *pbuf = NULL;
+ size_t n_groups = 0;
+ FILE *grp_handle = NULL;
++ char *buf = NULL;
++ unsigned int bufsize = 1024;
+
+ grp_handle = fopen(group_file, "r");
+ if (grp_handle == NULL) {
+@@ -169,7 +190,19 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- while ((grp_iter = fgetgrent(grp_handle)) != NULL) {
++ buf = talloc_zero_array(mem_ctx, char, bufsize);
++ if (buf == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ pbuf = talloc_zero(mem_ctx, struct group);
++ if (pbuf == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ while (getgrent_r(pbuf, buf, (size_t)bufsize, &grp_iter) == 0 && grp_iter != NULL) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Group found (%s, %"SPRIgid")\n",
+ grp_iter->gr_name, grp_iter->gr_gid);
+@@ -230,6 +263,9 @@ done:
+ groups[n_groups] = NULL;
+ *_groups = groups;
+ done:
++ talloc_free(pbuf);
++ talloc_free(buf);
++
+ if (ret != EOK) {
+ talloc_free(groups);
+ }
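Review bot: `getpwent_r()` and `getgrent_r()` iterate the system passwd and group databases, not the `pwd_handle` and `grp_handle` streams opened from `passwd_file` and `group_file`, so both loops no longer read the files they were given. No `setpwent()` or `setgrent()` is visible either, so a repeated enumeration may start where the previous one ended. The loop condition also treats any non-zero return as end of data: with the fixed 1024-byte buffer, an oversized entry such as a group with many members returns ERANGE and the list is silently cut short. At minimum keep the return value and fail on it, `rc = getpwent_r(pbuf, buf, bufsize, &pwd_iter); if (rc != 0) { ret = rc; goto done; }`, and grow `buf` on ERANGE. Both function bodies continue outside the hunk.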
diff --git a/security/sssd2/files/patch-src__providers__ipa__ipa_common.c b/security/sssd2/files/patch-src__providers__ipa__ipa_common.c
new file mode 100644
index 000000000000..31de8587948c
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ipa__ipa_common.c
@@ -0,0 +1,28 @@
+--- src/providers/ipa/ipa_common.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/ipa/ipa_common.c
+@@ -22,6 +22,7 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/param.h>
+ #include <netdb.h>
+ #include <ctype.h>
+ #include <arpa/inet.h>
+@@ -51,7 +52,7 @@ int ipa_get_options(TALLOC_CTX *memctx,
+ char *realm;
+ char *ipa_hostname;
+ int ret;
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[MAXHOSTNAMELEN + 1];
+
+ opts = talloc_zero(memctx, struct ipa_options);
+ if (!opts) return ENOMEM;
+@@ -88,7 +89,7 @@ int ipa_get_options(TALLOC_CTX *memctx,
+ strerror(ret));
+ goto done;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[MAXHOSTNAMELEN] = '\0';
+ DEBUG(SSSDBG_TRACE_ALL, "Setting ipa_hostname to [%s].\n", hostname);
+ ret = dp_opt_set_string(opts->basic, IPA_HOSTNAME, hostname);
+ if (ret != EOK) {
diff --git a/security/sssd2/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c b/security/sssd2/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c
new file mode 100644
index 000000000000..8d29abb6c670
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c
@@ -0,0 +1,11 @@
+--- src/providers/ipa/ipa_deskprofile_rules_util.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/ipa/ipa_deskprofile_rules_util.c
+@@ -20,6 +20,8 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/types.h>
++#include <signal.h>
+ #include "providers/ipa/ipa_deskprofile_rules_util.h"
+ #include "providers/ipa/ipa_deskprofile_private.h"
+ #include "providers/ipa/ipa_rules_common.h"
diff --git a/security/sssd2/files/patch-src__providers__krb5__krb5_child.c b/security/sssd2/files/patch-src__providers__krb5__krb5_child.c
new file mode 100644
index 000000000000..a4b4cc9e1660
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__krb5__krb5_child.c
@@ -0,0 +1,19 @@
+--- src/providers/krb5/krb5_child.c.orig 2024-01-12 12:05:40 UTC
++++ src/providers/krb5/krb5_child.c
+@@ -28,7 +28,6 @@
+ #include <fcntl.h>
+ #include <ctype.h>
+ #include <popt.h>
+-#include <sys/prctl.h>
+
+ #include <security/pam_modules.h>
+
+@@ -4090,8 +4089,6 @@ int main(int argc, const char *argv[])
+ }
+
+ poptFreeContext(pc);
+-
+- prctl(PR_SET_DUMPABLE, (dumpable == 0) ? 0 : 1);
+
+ debug_prg_name = talloc_asprintf(NULL, "krb5_child[%d]", getpid());
+ if (!debug_prg_name) {
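Review bot: Removing `prctl(PR_SET_DUMPABLE, ...)` from `main()` leaves the `dumpable` option parsed but never applied, so on FreeBSD this child can produce a core file regardless of configuration, and krb5_child presumably holds passwords and Kerberos credentials in memory. The same gap is in the ldap_child.c patch, in child_common.c (which now hard-codes `--dumpable=0` for children that ignore it) and in server.c (where the call is compiled out under `HAVE_PRCTL`). FreeBSD offers `procctl(2)` with `PROC_TRACE_CTL` / `PROC_TRACE_CTL_DISABLE`, or `setrlimit()` with a zero `RLIMIT_CORE`, either of which would restore the protection. At minimum add a comment such as `/* FreeBSD: no prctl(); --dumpable is ignored and core dumps follow system policy */`. main() starts and ends outside the hunk.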
diff --git a/security/sssd2/files/patch-src__providers__ldap__ldap_auth.c b/security/sssd2/files/patch-src__providers__ldap__ldap_auth.c
new file mode 100644
index 000000000000..5fd7eeabc816
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ldap__ldap_auth.c
@@ -0,0 +1,46 @@
+--- src/providers/ldap/ldap_auth.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/ldap/ldap_auth.c
+@@ -37,7 +37,6 @@
+ #include <sys/time.h>
+ #include <strings.h>
+
+-#include <shadow.h>
+ #include <security/pam_modules.h>
+
+ #include "util/util.h"
+@@ -51,6 +50,22 @@
+
+ #define LDAP_PWEXPIRE_WARNING_TIME 0
+
++struct spwd
++{
++ char *sp_namp; /* Login name. */
++ char *sp_pwdp; /* Encrypted password. */
++ long int sp_lstchg; /* Date of last change. */
++ long int sp_min; /* Minimum number of days between changes. */
++ long int sp_max; /* Maximum number of days between changes. */
++ long int sp_warn; /* Number of days to warn user to change
++ the password. */
++ long int sp_inact; /* Number of days the account may be
++ inactive. */
++ long int sp_expire; /* Number of days since 1970-01-01 until
++ account expires. */
++ unsigned long int sp_flag; /* Reserved. */
++};
++
+ static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
+ {
+ int ret;
+@@ -96,9 +111,9 @@ static errno_t check_pwexpire_kerberos(const char *exp
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+- "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
+- "daylight [%d] now [%"SPRItime"] expire_time [%"SPRItime"].\n",
+- tzname[0], tzname[1], timezone, daylight, now, expire_time);
++ "Time info: tzname[0] [%s] tzname[1] [%s] "
++ "now [%"SPRItime"] expire_time [%"SPRItime"].\n",
++ tzname[0], tzname[1], now, expire_time);
+
+ if (expire_time == 0) {
+ /* Used by the MIT LDAP KDB plugin to indicate "never" */
diff --git a/security/sssd2/files/patch-src__providers__ldap__ldap_child.c b/security/sssd2/files/patch-src__providers__ldap__ldap_child.c
new file mode 100644
index 000000000000..62d313f97392
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ldap__ldap_child.c
@@ -0,0 +1,42 @@
+--- src/providers/ldap/ldap_child.c.orig 2024-01-12 12:05:40 UTC
++++ src/providers/ldap/ldap_child.c
+@@ -23,11 +23,11 @@
+ */
+
+ #include <sys/types.h>
++#include <sys/param.h>
+ #include <unistd.h>
+ #include <sys/stat.h>
+ #include <signal.h>
+ #include <popt.h>
+-#include <sys/prctl.h>
+
+ #include "util/util.h"
+ #include "util/sss_krb5.h"
+@@ -338,7 +338,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_
+ full_princ = talloc_strdup(tmp_ctx, princ_str);
+ }
+ } else {
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[MAXHOSTNAMELEN + 1];
+
+ ret = gethostname(hostname, sizeof(hostname));
+ if (ret == -1) {
+@@ -347,7 +347,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_
+ errno, strerror(errno));
+ goto done;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[MAXHOSTNAMELEN] = '\0';
+
+ DEBUG(SSSDBG_TRACE_LIBS, "got hostname: [%s]\n", hostname);
+
+@@ -661,8 +661,6 @@ int main(int argc, const char *argv[])
+ }
+
+ poptFreeContext(pc);
+-
+- prctl(PR_SET_DUMPABLE, (dumpable == 0) ? 0 : 1);
+
+ debug_prg_name = talloc_asprintf(NULL, "ldap_child[%d]", getpid());
+ if (!debug_prg_name) {
diff --git a/security/sssd2/files/patch-src__providers__ldap__sdap_access.c b/security/sssd2/files/patch-src__providers__ldap__sdap_access.c
new file mode 100644
index 000000000000..2469db8a69d6
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ldap__sdap_access.c
@@ -0,0 +1,41 @@
+--- src/providers/ldap/sdap_access.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/ldap/sdap_access.c
+@@ -24,6 +24,7 @@
+
+ #include "config.h"
+
++#include <sys/param.h>
+ #include <time.h>
+ #include <security/pam_modules.h>
+ #include <talloc.h>
+@@ -568,9 +569,9 @@ bool nds_check_expired(const char *exp_time_str)
+
+ now = time(NULL);
+ DEBUG(SSSDBG_TRACE_ALL,
+- "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
+- "daylight [%d] now [%"SPRItime"] expire_time [%"SPRItime"].\n",
+- tzname[0], tzname[1], timezone, daylight, now, expire_time);
++ "Time info: tzname[0] [%s] tzname[1] [%s] "
++ "now [%"SPRItime"] expire_time [%"SPRItime"].\n",
++ tzname[0], tzname[1], now, expire_time);
+
+ if (difftime(now, expire_time) > 0.0) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "NDS account expired.\n");
+@@ -1286,7 +1287,7 @@ static errno_t sdap_access_host(struct ldb_message *us
+ {
+ errno_t ret;
+ struct ldb_message_element *el;
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[MAXHOSTNAMELEN + 1];
+ struct addrinfo *res = NULL;
+ struct addrinfo hints;
+
+@@ -1301,7 +1302,7 @@ static errno_t sdap_access_host(struct ldb_message *us
+ "Unable to get system hostname. Access denied\n");
+ return ERR_ACCESS_DENIED;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[MAXHOSTNAMELEN] = '\0';
+
+ /* Canonicalize the hostname */
+ memset(&hints, 0, sizeof(struct addrinfo));
diff --git a/security/sssd2/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c b/security/sssd2/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c
new file mode 100644
index 000000000000..b305369d3aaf
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c
@@ -0,0 +1,28 @@
+--- src/providers/ldap/sdap_async_sudo_hostinfo.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/ldap/sdap_async_sudo_hostinfo.c
+@@ -18,6 +18,7 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/param.h>
+ #include <errno.h>
+ #include <tevent.h>
+ #include <talloc.h>
+@@ -357,7 +358,7 @@ static struct tevent_req *sdap_sudo_get_hostnames_send
+ struct tevent_req *subreq = NULL;
+ struct sdap_sudo_get_hostnames_state *state = NULL;
+ char *dot = NULL;
+- char hostname[HOST_NAME_MAX + 1];
++ char hostname[MAXHOSTNAMELEN + 1];
+ int ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+@@ -387,7 +388,7 @@ static struct tevent_req *sdap_sudo_get_hostnames_send
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+- hostname[HOST_NAME_MAX] = '\0';
++ hostname[MAXHOSTNAMELEN] = '\0';
+
+ state->hostnames[0] = talloc_strdup(state->hostnames, hostname);
+ if (state->hostnames[0] == NULL) {
diff --git a/security/sssd2/files/patch-src__providers__proxy__proxy_child.c b/security/sssd2/files/patch-src__providers__proxy__proxy_child.c
new file mode 100644
index 000000000000..adafcdd35676
--- /dev/null
+++ b/security/sssd2/files/patch-src__providers__proxy__proxy_child.c
@@ -0,0 +1,29 @@
+--- src/providers/proxy/proxy_child.c.orig 2023-05-05 08:11:07 UTC
++++ src/providers/proxy/proxy_child.c
+@@ -30,6 +30,7 @@
+ #include <sys/stat.h>
+ #include <sys/socket.h>
+ #include <sys/un.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <sys/time.h>
+ #include <errno.h>
+@@ -469,6 +470,18 @@ int proxy_child_process_init(TALLOC_CTX *mem_ctx, cons
+
+ return EOK;
+ }
++
++
++#if (defined(__FreeBSD__) && (__FreeBSD__ < 14))
++extern char **environ;
++
++static int
++clearenv(void)
++{
++ *environ = NULL;
++ return 0;
++}
++#endif
+
+ int main(int argc, const char *argv[])
+ {
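Review bot: The `clearenv()` fallback dereferences `environ` unconditionally, so it would fault if `environ` were already NULL when it is called; guard it with `if (environ != NULL) *environ = NULL;`. A comment above the `#if` should say that the shim exists because libc on the older releases selected by `__FreeBSD__ < 14` presumably lacks `clearenv()`, and that truncating the vector in place is what gives the child an empty environment. main() continues outside the hunk, so whether the return value is checked there is not visible.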
diff --git a/security/sssd2/files/patch-src__resolv__async_resolv_utils.c b/security/sssd2/files/patch-src__resolv__async_resolv_utils.c
new file mode 100644
index 000000000000..12587842f8ce
--- /dev/null
+++ b/security/sssd2/files/patch-src__resolv__async_resolv_utils.c
@@ -0,0 +1,28 @@
+--- src/resolv/async_resolv_utils.c.orig 2023-05-05 08:11:07 UTC
++++ src/resolv/async_resolv_utils.c
+@@ -18,6 +18,7 @@
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <sys/param.h>
+ #include <string.h>
+ #include <talloc.h>
+ #include <tevent.h>
+@@ -45,7 +46,7 @@ resolv_get_domain_send(TALLOC_CTX *mem_ctx,
+ struct resolv_get_domain_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+- char system_hostname[HOST_NAME_MAX + 1];
++ char system_hostname[MAXHOSTNAMELEN + 1];
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+@@ -64,7 +65,7 @@ resolv_get_domain_send(TALLOC_CTX *mem_ctx,
+ ret, strerror(ret));
+ goto immediately;
+ }
+- system_hostname[HOST_NAME_MAX] = '\0';
++ system_hostname[MAXHOSTNAMELEN] = '\0';
+ hostname = system_hostname;
+ }
+
diff --git a/security/sssd2/files/patch-src__responder__common__cache_req__plugins__cache_req_ip_host_by_addr.c b/security/sssd2/files/patch-src__responder__common__cache_req__plugins__cache_req_ip_host_by_addr.c
new file mode 100644
index 000000000000..9354c7f1e9b7
--- /dev/null
+++ b/security/sssd2/files/patch-src__responder__common__cache_req__plugins__cache_req_ip_host_by_addr.c
@@ -0,0 +1,10 @@
+--- src/responder/common/cache_req/plugins/cache_req_ip_host_by_addr.c.orig 2023-05-05 08:11:07 UTC
++++ src/responder/common/cache_req/plugins/cache_req_ip_host_by_addr.c
+@@ -23,6 +23,7 @@
+ #include <talloc.h>
+ #include <ldb.h>
+ #include <arpa/inet.h>
++#include <sys/socket.h>
+
+ #include "db/sysdb.h"
+ #include "db/sysdb_iphosts.h"
diff --git a/security/sssd2/files/patch-src__responder__common__cache_req__plugins__cache_req_ip_network_by_addr.c b/security/sssd2/files/patch-src__responder__common__cache_req__plugins__cache_req_ip_network_by_addr.c
new file mode 100644
index 000000000000..4dd2c8bf8452
--- /dev/null
+++ b/security/sssd2/files/patch-src__responder__common__cache_req__plugins__cache_req_ip_network_by_addr.c
@@ -0,0 +1,10 @@
+--- src/responder/common/cache_req/plugins/cache_req_ip_network_by_addr.c.orig 2023-05-05 08:11:07 UTC
++++ src/responder/common/cache_req/plugins/cache_req_ip_network_by_addr.c
+@@ -23,6 +23,7 @@
+ #include <talloc.h>
+ #include <ldb.h>
+ #include <arpa/inet.h>
++#include <sys/socket.h>
+
+ #include "db/sysdb.h"
+ #include "db/sysdb_ipnetworks.h"
diff --git a/security/sssd2/files/patch-src__responder__common__responder_common.c b/security/sssd2/files/patch-src__responder__common__responder_common.c
new file mode 100644
index 000000000000..9fd169f000cd
--- /dev/null
+++ b/security/sssd2/files/patch-src__responder__common__responder_common.c
@@ -0,0 +1,10 @@
+--- src/responder/common/responder_common.c.orig 2023-05-05 08:11:07 UTC
++++ src/responder/common/responder_common.c
+@@ -33,6 +33,7 @@
+ #include <popt.h>
+ #include <dbus/dbus.h>
+
++#include "util/sss_bsd_errno.h"
+ #include "util/util.h"
+ #include "util/strtonum.h"
+ #include "db/sysdb.h"
diff --git a/security/sssd2/files/patch-src__responder__common__responder_packet.c b/security/sssd2/files/patch-src__responder__common__responder_packet.c
new file mode 100644
index 000000000000..464724ba2e87
--- /dev/null
+++ b/security/sssd2/files/patch-src__responder__common__responder_packet.c
@@ -0,0 +1,10 @@
+--- src/responder/common/responder_packet.c.orig 2023-05-05 08:11:07 UTC
++++ src/responder/common/responder_packet.c
+@@ -25,6 +25,7 @@
+ #include <errno.h>
+ #include <talloc.h>
+
++#include "util/sss_bsd_errno.h"
+ #include "util/util.h"
+ #include "responder/common/responder_packet.h"
+
diff --git a/security/sssd2/files/patch-src__responder__kcm__kcmsrv_ccache_secdb.c b/security/sssd2/files/patch-src__responder__kcm__kcmsrv_ccache_secdb.c
new file mode 100644
index 000000000000..95f5f0bf764e
--- /dev/null
+++ b/security/sssd2/files/patch-src__responder__kcm__kcmsrv_ccache_secdb.c
@@ -0,0 +1,23 @@
+--- src/responder/kcm/kcmsrv_ccache_secdb.c.orig 2024-01-12 12:05:40 UTC
++++ src/responder/kcm/kcmsrv_ccache_secdb.c
+@@ -21,6 +21,9 @@
+
+ #include "config.h"
+
++#include <sys/param.h>
++#include <sys/ucred.h>
++
+ #include <talloc.h>
+ #include <stdio.h>
+
+@@ -871,8 +874,8 @@ static errno_t ccdb_secdb_get_cc_for_uuid(TALLOC_CTX *
+ continue;
+ }
+
+- cli_cred.ucred.uid = pwd->pw_uid;
+- cli_cred.ucred.gid = pwd->pw_gid;
++ cli_cred.ucred.cr_uid = pwd->pw_uid;
++ cli_cred.ucred.cr_gid = pwd->pw_gid;
+
+ ret = key_by_uuid(tmp_ctx, secdb->sctx, &cli_cred, uuid, &secdb_key);
+ if (ret != EOK) {
diff --git a/security/sssd2/files/patch-src__responder__kcm__kcmsrv_cmd.c b/security/sssd2/files/patch-src__responder__kcm__kcmsrv_cmd.c
new file mode 100644
index 000000000000..3ec6e7f08ac2
--- /dev/null
+++ b/security/sssd2/files/patch-src__responder__kcm__kcmsrv_cmd.c
@@ -0,0 +1,15 @@
+--- src/responder/kcm/kcmsrv_cmd.c.orig 2023-05-05 08:11:07 UTC
++++ src/responder/kcm/kcmsrv_cmd.c
+@@ -20,10 +20,12 @@
+ */
+
+ #include <sys/uio.h>
++#include <sys/endian.h>
+ #include <krb5/krb5.h>
+
+ #include "config.h"
+ #include "util/util.h"
++#include "util/sss_bsd_errno.h"
+ #include "responder/common/responder.h"
+ #include "responder/kcm/kcmsrv_pvt.h"
+ #include "responder/kcm/kcmsrv_ops.h"
diff --git a/security/sssd2/files/patch-src__responder__kcm__kcmsrv_ops.c b/security/sssd2/files/patch-src__responder__kcm__kcmsrv_ops.c
new file mode 100644
index 000000000000..332c86980118
--- /dev/null
+++ b/security/sssd2/files/patch-src__responder__kcm__kcmsrv_ops.c
@@ -0,0 +1,10 @@
+--- src/responder/kcm/kcmsrv_ops.c.orig 2023-05-05 08:11:07 UTC
++++ src/responder/kcm/kcmsrv_ops.c
+@@ -21,6 +21,7 @@
+
+ #include "config.h"
+
++#include <sys/endian.h>
+ #include <krb5/krb5.h>
+ #include <dhash.h>
+
diff --git a/security/sssd2/files/patch-src__responder__nss__nsssrv_mmap_cache.c b/security/sssd2/files/patch-src__responder__nss__nsssrv_mmap_cache.c
new file mode 100644
index 000000000000..31ea4cd969b2
--- /dev/null
+++ b/security/sssd2/files/patch-src__responder__nss__nsssrv_mmap_cache.c
@@ -0,0 +1,27 @@
+--- src/responder/nss/nsssrv_mmap_cache.c.orig 2024-01-12 12:05:40 UTC
++++ src/responder/nss/nsssrv_mmap_cache.c
+@@ -23,6 +23,7 @@
+ #include "util/crypto/sss_crypto.h"
+ #include "confdb/confdb.h"
+ #include <sys/mman.h>
++#include <unistd.h>
+ #include <fcntl.h>
+ #include "util/mmap_cache.h"
+ #include "sss_client/idmap/sss_nss_idmap.h"
+@@ -1474,8 +1475,14 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const
+ /* Attempt allocation several times, in case of EINTR */
+ for (int i = 0; i < POSIX_FALLOCATE_ATTEMPTS; i++) {
+ ret = posix_fallocate(mc_ctx->fd, 0, mc_ctx->mmap_size);
+- if (ret != EINTR)
+- break;
++ if (ret != EINTR && ret == EINVAL) {
++ /* posix_fallocate doesn't work on ZFS */
++ ret = ftruncate(mc_ctx->fd, mc_ctx->mmap_size);
++ if (ret != 0) {
++ break;
++ }
++ } else if (ret != EINTR)
++ break;
+ }
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate file %s: %d(%s)\n",
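Review bot: In the `sss_mmap_cache_init` retry loop, a successful `ftruncate()` fallback does not leave the loop, so `posix_fallocate()` is called again on the next pass, and a failed `ftruncate()` leaves `ret` at -1 rather than an errno value for the `Failed to allocate file` message that follows. The test `ret != EINTR && ret == EINVAL` also reduces to `ret == EINVAL`. Suggest `if (ret == EINVAL) { ret = (ftruncate(mc_ctx->fd, mc_ctx->mmap_size) == 0) ? EOK : errno; break; }` followed by the existing `if (ret != EINTR) break;`. Because `ftruncate()` only sets the length and reserves no blocks, the comment should also say that writes through the mapping can fault if the filesystem fills up. The function starts and ends outside the hunk.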
diff --git a/security/sssd2/files/patch-src__sbus__sbus_errors.c b/security/sssd2/files/patch-src__sbus__sbus_errors.c
new file mode 100644
index 000000000000..a5b721c0e9b0
--- /dev/null
+++ b/security/sssd2/files/patch-src__sbus__sbus_errors.c
@@ -0,0 +1,11 @@
+--- src/sbus/sbus_errors.c.orig 2023-05-05 08:11:07 UTC
++++ src/sbus/sbus_errors.c
+@@ -53,7 +53,7 @@ static const struct {
+ { DBUS_ERROR_LIMITS_EXCEEDED, ERANGE},
+ { DBUS_ERROR_ACCESS_DENIED, EPERM},
+ { DBUS_ERROR_AUTH_FAILED, EACCES},
+- { DBUS_ERROR_NO_NETWORK, ENONET},
++ { DBUS_ERROR_NO_NETWORK, EHOSTDOWN},
+ { DBUS_ERROR_DISCONNECTED, ERR_OFFLINE},
+ { DBUS_ERROR_INVALID_ARGS, EINVAL},
+
diff --git a/security/sssd2/files/patch-src__sss_client__common.c b/security/sssd2/files/patch-src__sss_client__common.c
new file mode 100644
index 000000000000..fe1b56881cef
--- /dev/null
+++ b/security/sssd2/files/patch-src__sss_client__common.c
@@ -0,0 +1,29 @@
+--- src/sss_client/common.c.orig 2024-01-12 12:05:40 UTC
++++ src/sss_client/common.c
+@@ -170,7 +170,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_c
+ *errnop = error;
+ break;
+ case 0:
+- *errnop = ETIME;
++ *errnop = ETIMEDOUT;
+ break;
+ case 1:
+ if (pfd.revents & (POLLERR | POLLHUP)) {
+@@ -282,7 +282,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_c
+ *errnop = error;
+ break;
+ case 0:
+- *errnop = ETIME;
++ *errnop = ETIMEDOUT;
+ break;
+ case 1:
+ if (pfd.revents & (POLLHUP)) {
+@@ -781,7 +781,7 @@ static enum sss_status sss_cli_check_socket(int *errno
+ *errnop = error;
+ break;
+ case 0:
+- *errnop = ETIME;
++ *errnop = ETIMEDOUT;
+ break;
+ case 1:
+ if (pfd.revents & (POLLERR | POLLHUP)) {
diff --git a/security/sssd2/files/patch-src__sss_client__nss_group.c b/security/sssd2/files/patch-src__sss_client__nss_group.c
new file mode 100644
index 000000000000..bf7724ad8f4a
--- /dev/null
+++ b/security/sssd2/files/patch-src__sss_client__nss_group.c
@@ -0,0 +1,78 @@
+--- src/sss_client/nss_group.c.orig 2023-06-05 03:48:03 UTC
++++ src/sss_client/nss_group.c
+@@ -403,6 +403,75 @@ out:
+ return nret;
+ }
+
++#define MIN(a, b)((a) < (b) ? (a) : (b))
++
++int gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *grpcnt)
++{
++ int ret, dupc;
++
++ for (dupc = 0; dupc < MIN(maxgrp, *grpcnt); dupc++) {
++ if (groups[dupc] == gid)
++ return 1;
++ }
++
++ ret = 1;
++ if (*grpcnt < maxgrp)
++ groups[*grpcnt] = gid;
++ else
++ ret = 0;
++
++ (*grpcnt)++;
++
++ return ret;
++}
++
++enum nss_status _nss_sss_getgroupmembership(const char *uname, gid_t agroup,
++ gid_t *groups, int maxgrp,
++ int *grpcnt)
++{
++ struct sss_cli_req_data rd;
++ uint8_t *repbuf;
++ size_t replen;
++ enum nss_status nret;
++ uint32_t *rbuf;
++ uint32_t num_ret;
++ long int l, max_ret;
++ int errnop;
++
++ rd.len = strlen(uname) +1;
++ rd.data = uname;
++
++ sss_nss_lock();
++
++ nret = sss_nss_make_request(SSS_NSS_INITGR, &rd,
++ &repbuf, &replen, &errnop);
++ if (nret != NSS_STATUS_SUCCESS) {
++ goto done;
++ }
++
++ /* no results if not found */
++ num_ret = ((uint32_t *)repbuf)[0];
++ if (num_ret == 0) {
++ free(repbuf);
++ nret = NSS_STATUS_NOTFOUND;
++ goto done;
++ }
++ max_ret = num_ret;
++
++ gr_addgid(agroup, groups, maxgrp, grpcnt);
++
++ rbuf = &((uint32_t *)repbuf)[2];
++ for (l = 0; l < max_ret; l++) {
++ gr_addgid(rbuf[l], groups, maxgrp, grpcnt);
++ }
++
++ free(repbuf);
++ nret = NSS_STATUS_SUCCESS;
++
++done:
++ sss_nss_unlock();
++ return nret;
++}
+
+ enum nss_status _nss_sss_getgrnam_r(const char *name, struct group *result,
+ char *buffer, size_t buflen, int *errnop)
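Review bot: `_nss_sss_getgroupmembership` reads `num_ret` from the reply and then indexes `rbuf[l]` for every `l < num_ret` without comparing against `replen`, so a short or malformed reply leads to reads past the end of `repbuf` inside whatever process called into NSS. Unless `sss_nss_make_request` already guarantees the length (not visible here), check `replen` before the first read and bound `num_ret` by the words that remain, as sketched below. Separately, `gr_addgid` should be `static` and `MIN` wrapped in `#ifndef MIN`, since this object is loaded into arbitrary programs and `<sys/param.h>` defines the same macro.

```c
    /* reply layout used below: two uint32_t header words, then num_ret gids */
    if (replen < 2 * sizeof(uint32_t)) {
        free(repbuf);
        nret = NSS_STATUS_UNAVAIL;
        goto done;
    }

    num_ret = ((uint32_t *)repbuf)[0];
    /* … unchanged: num_ret == 0 handling … */

    if (num_ret > (replen - 2 * sizeof(uint32_t)) / sizeof(uint32_t)) {
        free(repbuf);
        nret = NSS_STATUS_UNAVAIL;
        goto done;
    }
    max_ret = num_ret;
```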
diff --git a/security/sssd2/files/patch-src__sss_client__nss_hosts.c b/security/sssd2/files/patch-src__sss_client__nss_hosts.c
new file mode 100644
index 000000000000..2067ddab6d35
--- /dev/null
+++ b/security/sssd2/files/patch-src__sss_client__nss_hosts.c
@@ -0,0 +1,12 @@
+--- src/sss_client/nss_hosts.c.orig 2023-05-05 08:11:07 UTC
++++ src/sss_client/nss_hosts.c
+@@ -22,6 +22,9 @@
+
+ #include "config.h"
+
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
+ #include <nss.h>
+ #include <netdb.h>
+ #include <resolv.h>
diff --git a/security/sssd2/files/patch-src__sss_client__nss_ipnetworks.c b/security/sssd2/files/patch-src__sss_client__nss_ipnetworks.c
new file mode 100644
index 000000000000..f8ea2ab02944
--- /dev/null
+++ b/security/sssd2/files/patch-src__sss_client__nss_ipnetworks.c
@@ -0,0 +1,12 @@
+--- src/sss_client/nss_ipnetworks.c.orig 2023-05-05 08:11:07 UTC
++++ src/sss_client/nss_ipnetworks.c
+@@ -22,6 +22,9 @@
+
+ #include "config.h"
+
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
+ #include <nss.h>
+ #include <netdb.h>
+ #include <resolv.h>
diff --git a/security/sssd2/files/patch-src__sss_client__pam_sss.c b/security/sssd2/files/patch-src__sss_client__pam_sss.c
new file mode 100644
index 000000000000..35b39859499d
--- /dev/null
+++ b/security/sssd2/files/patch-src__sss_client__pam_sss.c
@@ -0,0 +1,11 @@
+--- src/sss_client/pam_sss.c.orig 2024-01-12 12:05:40 UTC
++++ src/sss_client/pam_sss.c
+@@ -1444,7 +1444,7 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t
+
+ pi->cli_pid = getpid();
+
+- pi->login_name = pam_modutil_getlogin(pamh);
++ pi->login_name = getlogin();
+ if (pi->login_name == NULL) pi->login_name="";
+
+ pi->domain_name = NULL;
diff --git a/security/sssd2/files/patch-src__sss_client__pam_sss_gss.c b/security/sssd2/files/patch-src__sss_client__pam_sss_gss.c
new file mode 100644
index 000000000000..f4721aee3f5a
--- /dev/null
+++ b/security/sssd2/files/patch-src__sss_client__pam_sss_gss.c
@@ -0,0 +1,19 @@
+--- src/sss_client/pam_sss_gss.c.orig 2023-05-05 08:11:07 UTC
++++ src/sss_client/pam_sss_gss.c
+@@ -22,7 +22,7 @@
+ #include <stddef.h>
+ #include <stdbool.h>
+ #include <security/pam_modules.h>
+-#include <security/pam_ext.h>
++#include <security/pam_appl.h>
+ #include <gssapi.h>
+ #include <gssapi/gssapi_ext.h>
+ #include <gssapi/gssapi_generic.h>
+@@ -46,7 +46,6 @@ bool debug_enabled;
+ #define ERROR(pamh, fmt, ...) do { \
+ if (debug_enabled) { \
+ pam_error(pamh, "pam_sss_gss: " fmt, ## __VA_ARGS__); \
+- pam_syslog(pamh, LOG_ERR, fmt, ## __VA_ARGS__); \
+ } \
+ } while (0)
+
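Review bot: Dropping `pam_syslog()` from the `ERROR` macro means pam_sss_gss failures are reported only through `pam_error()` to the conversation, and nothing reaches the system log for later review. The call was presumably removed because the PAM headers used here do not provide it, but plain syslog is available: `syslog(LOG_AUTHPRIV | LOG_ERR, "pam_sss_gss: " fmt, ## __VA_ARGS__);` with `#include <syslog.h>` would keep the log trail. If the omission is intentional, a comment on the macro should say so.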
diff --git a/security/sssd2/files/patch-src__sss_client__sss_nss.exports b/security/sssd2/files/patch-src__sss_client__sss_nss.exports
new file mode 100644
index 000000000000..29f97f8540b4
--- /dev/null
+++ b/security/sssd2/files/patch-src__sss_client__sss_nss.exports
@@ -0,0 +1,35 @@
+--- src/sss_client/sss_nss.exports.orig 2023-06-05 03:42:12 UTC
++++ src/sss_client/sss_nss.exports
+@@ -3,6 +3,7 @@ EXPORTED {
+ # public functions
+ global:
+
++ nss_module_register;
+ _nss_sss_getpwnam_r;
+ _nss_sss_getpwuid_r;
+ _nss_sss_setpwent;
+@@ -14,7 +15,24 @@ EXPORTED {
+ _nss_sss_setgrent;
+ _nss_sss_getgrent_r;
+ _nss_sss_endgrent;
++ _nss_sss_getgroupmembership;
+ _nss_sss_initgroups_dyn;
++
++ __nss_compat_getgrnam_r;
++ __nss_compat_getgrgid_r;
++ __nss_compat_getgrent_r;
++ __nss_compat_setgrent;
++ __nss_compat_endgrent;
++
++ __nss_compat_getpwnam_r;
++ __nss_compat_getpwuid_r;
++ __nss_compat_getpwent_r;
++ __nss_compat_setpwent;
++ __nss_compat_endpwent;
++
++ __nss_compat_gethostbyname;
++ __nss_compat_gethostbyname2;
++ __nss_compat_gethostbyaddr;
+
+ #_nss_sss_getaliasbyname_r;
+ #_nss_sss_setaliasent;
diff --git a/security/sssd2/files/patch-src__sss_client__sss_pac_responder_client.c b/security/sssd2/files/patch-src__sss_client__sss_pac_responder_client.c
new file mode 100644
index 000000000000..048eb430f9dd
--- /dev/null
+++ b/security/sssd2/files/patch-src__sss_client__sss_pac_responder_client.c
@@ -0,0 +1,19 @@
+--- src/sss_client/sss_pac_responder_client.c.orig 2023-05-05 08:11:07 UTC
++++ src/sss_client/sss_pac_responder_client.c
+@@ -23,6 +23,7 @@
+ #include <unistd.h>
+ #include <sys/types.h>
+ #include <errno.h>
++#include <pthread_np.h>
+
+ #include <sys/syscall.h>
+
+@@ -97,7 +98,7 @@ static void *pac_client(void *arg)
+ size_t c;
+
+ fprintf(stderr, "[%"SPRItime"][%d][%ld][%s] started\n",
+- time(NULL), getpid(), syscall(SYS_gettid), (char *) arg);
++ time(NULL), getpid(), pthread_getthreadid_np(), (char *) arg);
+ for (c = 0; c < 1000; c++) {
+ /* sss_pac_make_request() does not protect the client's file
+ * descriptor to the PAC responder. With this one thread will miss a
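Review bot: `pthread_getthreadid_np()` returns `int`, but the `fprintf` format string still consumes it with `%ld`, which is undefined where `long` is wider than `int`. Cast the argument, `(long) pthread_getthreadid_np()`, or change that conversion to `%d`. pac_client() continues outside the hunk.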
diff --git a/security/sssd2/files/patch-src__util__child_common.c b/security/sssd2/files/patch-src__util__child_common.c
new file mode 100644
index 000000000000..d27163112a1b
--- /dev/null
+++ b/security/sssd2/files/patch-src__util__child_common.c
@@ -0,0 +1,21 @@
+--- src/util/child_common.c.orig 2024-01-12 12:05:40 UTC
++++ src/util/child_common.c
+@@ -28,7 +28,6 @@
+ #include <tevent.h>
+ #include <sys/wait.h>
+ #include <errno.h>
+-#include <sys/prctl.h>
+
+ #include "util/util.h"
+ #include "util/find_uid.h"
+@@ -806,8 +805,8 @@ static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx,
+ goto fail;
+ }
+
+- argv[--argc] = talloc_asprintf(argv, "--dumpable=%d",
+- prctl(PR_GET_DUMPABLE));
++ argv[--argc] = talloc_asprintf(argv, "--dumpable=%d", 0);
++
+ if (argv[argc] == NULL) {
+ ret = ENOMEM;
+ goto fail;
diff --git a/security/sssd2/files/patch-src__util__nss_dl_load.c b/security/sssd2/files/patch-src__util__nss_dl_load.c
new file mode 100644
index 000000000000..a3d9496d5b85
--- /dev/null
+++ b/security/sssd2/files/patch-src__util__nss_dl_load.c
@@ -0,0 +1,28 @@
+--- src/util/nss_dl_load.c.orig 2023-05-05 08:11:07 UTC
++++ src/util/nss_dl_load.c
+@@ -24,6 +24,7 @@
+ #include "util/util_errors.h"
+ #include "util/debug.h"
+ #include "nss_dl_load.h"
++#include "util/sss_bsd_errno.h"
+
+
+ #define NSS_FN_NAME "_nss_%s_%s"
+@@ -36,7 +37,7 @@ static void *proxy_dlsym(void *handle,
+ char *funcname;
+ void *funcptr;
+
+- funcname = talloc_asprintf(NULL, NSS_FN_NAME, libname, name);
++ funcname = talloc_asprintf(NULL, "%s", name);
+ if (funcname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ return NULL;
+@@ -56,7 +57,7 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops,
+ char *libpath;
+ size_t i;
+
+- libpath = talloc_asprintf(NULL, "libnss_%s.so.2", libname);
++ libpath = talloc_asprintf(NULL, "/lib/libc.so.7", libname);
+ if (libpath == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ return ENOMEM;
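Review bot: `sss_load_nss_symbols` now passes `libname` to a format string that has no conversion (`talloc_asprintf(NULL, "/lib/libc.so.7", libname)`), and `proxy_dlsym` no longer uses `libname` either, so the configured proxy library name is silently discarded and every symbol is resolved from a hard-coded libc path. Use `talloc_strdup(NULL, "/lib/libc.so.7")` to avoid the extra-argument warning, and add a comment such as `/* FreeBSD: symbols are looked up in libc; libname is ignored */` so the behaviour is documented. The pinned `.so.7` name will break on an ABI bump, and if libc's own lookups are routed back to sss by nsswitch.conf this could recurse; both are worth confirming. Both functions extend outside the hunk.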
diff --git a/security/sssd2/files/patch-src__util__server.c b/security/sssd2/files/patch-src__util__server.c
new file mode 100644
index 000000000000..b8901158149c
--- /dev/null
+++ b/security/sssd2/files/patch-src__util__server.c
@@ -0,0 +1,53 @@
+--- src/util/server.c.orig 2024-01-12 12:05:40 UTC
++++ src/util/server.c
+@@ -30,17 +30,12 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <signal.h>
+-#include <sys/prctl.h>
+ #include <ldb.h>
+ #include "util/util.h"
+ #include "confdb/confdb.h"
+ #include "util/sss_chain_id.h"
+ #include "util/sss_chain_id_tevent.h"
+
+-#ifdef HAVE_PRCTL
+-#include <sys/prctl.h>
+-#endif
+-
+ static TALLOC_CTX *autofree_ctx;
+
+ static void server_atexit(void)
+@@ -317,10 +312,13 @@ static void setup_signals(void)
+ BlockSignals(false, SIGTERM);
+
+ #ifndef HAVE_PRCTL
+- /* If prctl is not defined on the system, try to handle
+- * some common termination signals gracefully */
++ /* If prctl is not defined on the system, try to handle
++ * some common termination signals gracefully */
++ (void) sig_segv_abrt; /* unused */
++ /*
+ CatchSignal(SIGSEGV, sig_segv_abrt);
+ CatchSignal(SIGABRT, sig_segv_abrt);
++ */
+ #endif
+
+ }
+@@ -749,6 +747,8 @@ int server_setup(const char *name, bool is_responder,
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to determine "CONFDB_MONITOR_DUMPABLE"\n");
+ return ret;
+ }
++
++#ifdef HAVE_PRCTL
+ ret = prctl(PR_SET_DUMPABLE, dumpable ? 1 : 0);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set PR_SET_DUMPABLE\n");
+@@ -756,6 +756,7 @@ int server_setup(const char *name, bool is_responder,
+ } else if (!dumpable) {
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Core dumps are disabled!\n");
+ }
++#endif
+
+ sss_chain_id_setup(ctx->event_ctx);
+
diff --git a/security/sssd2/files/patch-src__util__sss_krb5.c b/security/sssd2/files/patch-src__util__sss_krb5.c
new file mode 100644
index 000000000000..fdf463bdad02
--- /dev/null
+++ b/security/sssd2/files/patch-src__util__sss_krb5.c
@@ -0,0 +1,11 @@
+--- src/util/sss_krb5.c.orig 2023-05-05 08:11:07 UTC
++++ src/util/sss_krb5.c
+@@ -17,6 +17,8 @@
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
++#include <sys/types.h>
++#include <sys/endian.h>
+ #include <ctype.h>
+ #include <stdio.h>
+ #include <errno.h>
diff --git a/security/sssd2/files/patch-src__util__sss_pam_data.h b/security/sssd2/files/patch-src__util__sss_pam_data.h
new file mode 100644
index 000000000000..d915f987ea78
--- /dev/null
+++ b/security/sssd2/files/patch-src__util__sss_pam_data.h
@@ -0,0 +1,10 @@
+--- src/util/sss_pam_data.h.orig 2023-05-05 08:11:07 UTC
++++ src/util/sss_pam_data.h
+@@ -24,6 +24,7 @@
+ #include "config.h"
+ #include <stdbool.h>
+ #include <stdint.h>
++#include <string.h>
+ #ifdef USE_KEYRING
+ #include <sys/types.h>
+ #include <keyutils.h>
diff --git a/security/sssd2/files/patch-src__util__sss_sockets.c b/security/sssd2/files/patch-src__util__sss_sockets.c
new file mode 100644
index 000000000000..39b90227f06a
--- /dev/null
+++ b/security/sssd2/files/patch-src__util__sss_sockets.c
@@ -0,0 +1,30 @@
+--- src/util/sss_sockets.c.orig 2023-05-05 08:11:07 UTC
++++ src/util/sss_sockets.c
+@@ -144,18 +144,6 @@ errno_t set_fd_common_opts(int fd, int timeout)
+ "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret,
+ strerror(ret));
+ }
+-
+- if (domain != AF_UNIX && type == SOCK_STREAM) {
+- milli = timeout * 1000; /* timeout in milliseconds */
+- ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli,
+- sizeof(milli));
+- if (ret != 0) {
+- ret = errno;
+- DEBUG(SSSDBG_FUNC_DATA,
+- "setsockopt TCP_USER_TIMEOUT failed.[%d][%s].\n", ret,
+- strerror(ret));
+- }
+- }
+ }
+
+ return EOK;
+@@ -258,7 +246,7 @@ static void sssd_async_connect_done(struct tevent_cont
+
+ talloc_zfree(fde);
+
+- if (ret == EOK) {
++ if (ret == EOK || ret == EISCONN) {
+ tevent_req_done(req);
+ } else {
+ ret = errno;
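Review bot: In `sssd_async_connect_done`, the new `ret == EISCONN` test runs before the `else` branch does `ret = errno`, which suggests `ret` still holds the raw return value of the call above the hunk (presumably `connect()`, 0 or -1) and can never equal `EISCONN`. If so, the condition should read `if (ret == EOK || errno == EISCONN) {`. In the first hunk, removing the `TCP_USER_TIMEOUT` block leaves TCP connections without a bound on unacknowledged data, so a stalled peer is caught only by the send/receive timeouts set above; a comment recording why the block is dropped on FreeBSD would document that. Both functions start outside the hunk.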
diff --git a/security/sssd2/files/patch-src__util__util.c b/security/sssd2/files/patch-src__util__util.c
new file mode 100644
index 000000000000..31a50f2879eb
--- /dev/null
+++ b/security/sssd2/files/patch-src__util__util.c
@@ -0,0 +1,19 @@
+--- src/util/util.c.orig 2024-01-12 12:05:40 UTC
++++ src/util/util.c
+@@ -786,6 +786,16 @@ errno_t sss_fd_nonblocking(int fd)
+ return EOK;
+ }
+
++int flb_timezone(void)
++{
++ struct tm tm;
++ time_t t = 0;
++ tzset();
++ localtime_r(&t, &tm);
++ return -(tm.tm_gmtoff);
++}
++#define timezone (flb_timezone())
++
+ /* Convert GeneralizedTime (http://en.wikipedia.org/wiki/GeneralizedTime)
+ * to unix time (seconds since epoch). Use UTC time zone.
+ */
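Review bot: `flb_timezone()` derives the offset from `localtime_r()` at `t = 0`, so it reports the zone's UTC offset as of 1970 rather than the standard-time offset the `timezone` variable holds on Linux; for zones whose rules changed since then, the GeneralizedTime conversion below the hunk would be skewed, which matters if the result feeds expiry checks. Using `time(NULL)` is not a drop-in fix either, because `tm_gmtoff` then includes DST. If the consumer only turns a UTC broken-down time into `time_t`, `timegm()` avoids the offset entirely. The helper should also be `static` and return `long` to match `tm_gmtoff`, and the `#define timezone` deserves a comment since it shadows the libc name for the rest of the file.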
diff --git a/security/sssd2/files/patch-src__util__util_creds.h b/security/sssd2/files/patch-src__util__util_creds.h
new file mode 100644
index 000000000000..5fbec01ffe22
--- /dev/null
+++ b/security/sssd2/files/patch-src__util__util_creds.h
@@ -0,0 +1,20 @@
+--- src/util/util_creds.h.orig 2023-05-05 08:11:07 UTC
++++ src/util/util_creds.h
+@@ -73,6 +73,17 @@ struct cli_creds {
+ #define cli_creds_get_uid(x) (x->ucred.uid)
+ #define cli_creds_get_gid(x) (x->ucred.gid)
+
++#elif HAVE_FREEBSD
++#include <sys/param.h>
++#include <sys/ucred.h>
++struct cli_creds {
++ struct xucred ucred;
++ SELINUX_CTX selinux_ctx;
++};
++
++#define cli_creds_get_uid(x) (x->ucred.cr_uid)
++#define cli_creds_get_gid(x) (x->ucred.cr_gid)
++
+ #else /* not HAVE_UCRED */
+ struct cli_creds {
+ SELINUX_CTX selinux_ctx;
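Review bot: The new FreeBSD branch has no comment saying where `struct xucred` is filled in or what must be validated before `cli_creds_get_uid()` and `cli_creds_get_gid()` are trusted for access decisions. I would add above the struct `/* FreeBSD: filled via getsockopt(LOCAL_PEERCRED); check cr_version == XUCRED_VERSION before use */`, assuming that is how the responder obtains it (the filling code is not in this hunk). `#elif HAVE_FREEBSD` also relies on the macro expanding to an integer; `#elif defined(HAVE_FREEBSD)` is safer if configure ever defines it empty. The `#if` chain starts and ends outside the hunk.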
diff --git a/security/sssd2/files/patch-src_tests_cmocka_test__authtok.c b/security/sssd2/files/patch-src_tests_cmocka_test__authtok.c
new file mode 100644
index 000000000000..74dd25f945d4
--- /dev/null
+++ b/security/sssd2/files/patch-src_tests_cmocka_test__authtok.c
@@ -0,0 +1,10 @@
+--- src/tests/cmocka/test_authtok.c.orig 2023-05-05 08:11:07 UTC
++++ src/tests/cmocka/test_authtok.c
+@@ -28,6 +28,7 @@
+ #include "tests/cmocka/common_mock.h"
+
+ #include "util/authtok.h"
++#include "util/sss_endian.h"
+
+
+ struct test_state {
diff --git a/security/sssd2/files/pkg-message.in b/security/sssd2/files/pkg-message.in
new file mode 100644
index 000000000000..7e20c0c872d2
--- /dev/null
+++ b/security/sssd2/files/pkg-message.in
@@ -0,0 +1,27 @@
+[
+{ type: install
+ message: <<EOM
+================================================================================
+Copy %%PREFIX%%/etc/sssd/sssd.conf.sample to %%PREFIX%%/etc/sssd/sssd.conf
+and edit %%PREFIX%%/etc/sssd/sssd.conf (see man sssd.conf for details)
+
+To load sssd at startup, add sssd_enable="YES" to /etc/rc.conf
+
+To enable pam integration, add a line similar to the following to
+/etc/pam.d/system:
+
+login auth sufficient %%PREFIX%%/lib/pam_sss.so
+
+To enable NSS integration, update /etc/nsswitch.conf as follows:
+
+group: sss files
+passwd: sss files
+
+For additional details, please see the man pages for pam.conf and nsswitch.conf
+
+An sssd HOWTO is also available:
+https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2
+================================================================================
+EOM
+}
+]
diff --git a/security/sssd2/files/sss_bsd_errno.h b/security/sssd2/files/sss_bsd_errno.h
new file mode 100644
index 000000000000..b7bd215249f3
--- /dev/null
+++ b/security/sssd2/files/sss_bsd_errno.h
@@ -0,0 +1,58 @@
+/*
+ SSSD
+
+ Authors:
+ Lukas Slebodnik <lslebodn@redhat.com>
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef SSS_BSD_ERRNO_H_
+#define SSS_BSD_ERRNO_H_
+
+#include <errno.h>
+
+#define BSD_ERR_MASK (0xB5DE <<16)
+
+#ifndef EUCLEAN
+#define EUCLEAN (BSD_ERR_MASK | 117)
+#endif
+#ifndef EMEDIUMTYPE
+#define EMEDIUMTYPE (BSD_ERR_MASK | 124)
+#endif
+#ifndef EOWNERDEAD
+#define EOWNERDEAD (BSD_ERR_MASK | 130)
+#endif
+#ifndef ECONNRESET
+#define ECONNRESET (BSD_ERR_MASK | 104)
+#endif
+#ifndef ETIMEDOUT
+#define ETIMEDOUT (BSD_ERR_MASK | 110)
+#endif
+#ifndef ENODATA
+#define ENODATA (BSD_ERR_MASK | 61)
+#endif
+#ifndef ETIME
+#define ETIME (BSD_ERR_MASK | 62)
+#endif
+#ifndef ELIBACC
+#define ELIBACC (BSD_ERR_MASK | 79)
+#endif
+#ifndef ELIBBAD
+#define ELIBBAD (BSD_ERR_MASK | 80)
+#endif
+
+#endif /* SSS_BSD_ERRNO_H_ */
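Review bot: `BSD_ERR_MASK` is written as `(0xB5DE <<16)`, which shifts a signed int past INT_MAX on 32-bit int targets; that is undefined behaviour in C, and the resulting fallback codes lie outside the small positive range errno values normally occupy. Make the shift unsigned and the conversion explicit, `#define BSD_ERR_MASK ((int)(0xB5DEu << 16))`, and add a comment that these are sentinel values for codes the platform lacks, never produced by the kernel and not understood by strerror(). Any caller that tests `ret > 0` or `ret < 0` to detect an error should be checked against these values.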
diff --git a/security/sssd2/files/sssd.in b/security/sssd2/files/sssd.in
new file mode 100644
index 000000000000..4afded5b21d9
--- /dev/null
+++ b/security/sssd2/files/sssd.in
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# PROVIDE: sssd
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable `sssd':
+#
+# sssd_enable="YES"
+#
+# See sssd(8) for sssd_flags
+#
+
+. /etc/rc.subr
+
+name=sssd
+rcvar=sssd_enable
+
+# read configuration and set defaults
+load_rc_config "$name"
+
+: ${sssd_enable:=NO}
+: ${sssd_conf="%%PREFIX%%/etc/sssd/sssd.conf"}
+: ${sssd_flags="-D"}
+
+command="%%PREFIX%%/sbin/$name"
+pidfile="/var/run/$name.pid"
+required_files="${sssd_conf}"
+start_precmd=sssd_prestart
+
+sssd_prestart()
+{
+
+ for i in db/sss/db db/sss/gpo_cache db/sss/keytabs db/sss/mc db/sss/pubconf/krb5.include.d/ db/sss/secrets log/sssd run/sss/pipes/private; do
+ if [ ! -d var/${i} ]; then mkdir -p /var/${i}; fi
+ done
+}
+
+run_rc_command "$1"
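Review bot: In sssd_prestart() the existence test checks the relative path `var/${i}` while the mkdir uses `/var/${i}`, so the test depends on the current directory and the directories are in practice always passed to mkdir with its default mode. Fix and quote the path, `if [ ! -d "/var/${i}" ]; then mkdir -p "/var/${i}"; fi`. The directories that hold credentials or private sockets (`db/sss/keytabs`, `db/sss/secrets`, `run/sss/pipes/private`) should be created with an explicit mode, e.g. `install -d -m 0700 "/var/${i}"`, rather than relying on the umask the rc script runs with. The list also names `db/sss/secrets` whereas pkg-plist in this commit registers `/var/lib/sss/secrets`, and it omits `db/sss/deskprofile`; the two lists should agree.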
diff --git a/security/sssd2/pkg-descr b/security/sssd2/pkg-descr
new file mode 100644
index 000000000000..1c1539f84dd2
--- /dev/null
+++ b/security/sssd2/pkg-descr
@@ -0,0 +1,7 @@
+This project provides a set of daemons to manage access to remote
+directories and authentication mechanisms, it provides an NSS and
+PAM interface toward the system and a pluggable backend system to
+connect to multiple different account sources. It is also the
+basis to provide client auditing and policy services for projects
+like FreeIPA. sssd also features caching, which can allow for
+offline use to assist laptop users.
diff --git a/security/sssd2/pkg-plist b/security/sssd2/pkg-plist
new file mode 100644
index 000000000000..e313518b270c
--- /dev/null
+++ b/security/sssd2/pkg-plist
@@ -0,0 +1,166 @@
+bin/sss_ssh_authorizedkeys
+bin/sss_ssh_knownhostsproxy
+etc/pam.d/sssd-shadowutils
+%%ETCDIR%%/sssd.conf.sample
+include/ipa_hbac.h
+include/sss_certmap.h
+include/sss_idmap.h
+include/sss_nss_idmap.h
+lib/krb5/plugins/authdata/sssd_pac_plugin.so
+lib/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
+lib/libipa_hbac.so
+lib/libipa_hbac.so.0
+lib/libipa_hbac.so.0.1.0
+lib/libnss_sss.so.2
+lib/libsss_certmap.so
+lib/libsss_certmap.so.0
+lib/libsss_certmap.so.0.2.0
+lib/libsss_idmap.so
+lib/libsss_idmap.so.0
+lib/libsss_idmap.so.0.5.1
+lib/libsss_nss_idmap.so
+lib/libsss_nss_idmap.so.0
+lib/libsss_nss_idmap.so.0.6.0
+lib/libsss_sudo.so
+lib/nss_sss.so.1
+lib/pam_sss.so
+lib/pam_sss_gss.so
+%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.4-py%%PYTHON_VER%%.egg-info/PKG-INFO
+%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.4-py%%PYTHON_VER%%.egg-info/SOURCES.txt
+%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.4-py%%PYTHON_VER%%.egg-info/dependency_links.txt
+%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.4-py%%PYTHON_VER%%.egg-info/top_level.txt
+%%PYTHON_SITELIBDIR%%/SSSDConfig/__init__.py
+%%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/__init__%%PYTHON_EXT_SUFFIX%%.pyc
+%%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/ipachangeconf%%PYTHON_EXT_SUFFIX%%.pyc
+%%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/sssdoptions%%PYTHON_EXT_SUFFIX%%.pyc
+%%PYTHON_SITELIBDIR%%/SSSDConfig/ipachangeconf.py
+%%PYTHON_SITELIBDIR%%/SSSDConfig/sssdoptions.py
+%%PYTHON_SITELIBDIR%%/pyhbac.so
+%%PYTHON_SITELIBDIR%%/pysss.so
+%%PYTHON_SITELIBDIR%%/pysss_murmur.so
+%%PYTHON_SITELIBDIR%%/pysss_nss_idmap.so
+%%PYTHON_SITELIBDIR%%/sssd/__init__.py
+%%PYTHON_SITELIBDIR%%/sssd/modules/__init__.py
+%%PYTHON_SITELIBDIR%%/sssd/modules/request.py
+%%PYTHON_SITELIBDIR%%/sssd/parser.py
+%%PYTHON_SITELIBDIR%%/sssd/source_files.py
+%%PYTHON_SITELIBDIR%%/sssd/source_journald.py
+%%PYTHON_SITELIBDIR%%/sssd/source_reader.py
+%%PYTHON_SITELIBDIR%%/sssd/sss_analyze.py
+lib/samba4/modules/idmap/sss.so
+lib/shared-modules/ldb/memberof.so
+lib/sssd/conf/sssd.conf
+lib/sssd/libifp_iface.so
+lib/sssd/libifp_iface_sync.so
+lib/sssd/libsss_ad.so
+lib/sssd/libsss_cert.so
+lib/sssd/libsss_child.so
+lib/sssd/libsss_crypt.so
+lib/sssd/libsss_debug.so
+lib/sssd/libsss_files.so
+lib/sssd/libsss_iface.so
+lib/sssd/libsss_iface_sync.so
+lib/sssd/libsss_ipa.so
+lib/sssd/libsss_krb5.so
+lib/sssd/libsss_krb5_common.so
+lib/sssd/libsss_ldap.so
+lib/sssd/libsss_ldap_common.so
+lib/sssd/libsss_proxy.so
+lib/sssd/libsss_sbus.so
+lib/sssd/libsss_sbus_sync.so
+lib/sssd/libsss_semanage.so
+lib/sssd/libsss_simple.so
+lib/sssd/libsss_util.so
+lib/sssd/modules/sssd_krb5_idp_plugin.so
+lib/sssd/modules/sssd_krb5_localauth_plugin.so
+lib/sssd/modules/sssd_krb5_passkey_plugin.so
+libdata/pkgconfig/ipa_hbac.pc
+libdata/pkgconfig/sss_certmap.pc
+libdata/pkgconfig/sss_idmap.pc
+libdata/pkgconfig/sss_nss_idmap.pc
+libexec/sssd/gpo_child
+libexec/sssd/krb5_child
+libexec/sssd/ldap_child
+libexec/sssd/oidc_child
+libexec/sssd/p11_child
+libexec/sssd/passkey_child
+libexec/sssd/proxy_child
+libexec/sssd/sss_analyze
+libexec/sssd/sss_signal
+libexec/sssd/sssd_be
+libexec/sssd/sssd_ifp
+libexec/sssd/sssd_kcm
+libexec/sssd/sssd_nss
+libexec/sssd/sssd_pac
+libexec/sssd/sssd_pam
+libexec/sssd/sssd_ssh
+libexec/sssd/sssd_sudo
+man/man1/sss_ssh_authorizedkeys.1.gz
+man/man1/sss_ssh_knownhostsproxy.1.gz
+man/man5/sss-certmap.5.gz
+man/man5/sssd-ad.5.gz
+man/man5/sssd-files.5.gz
+man/man5/sssd-ifp.5.gz
+man/man5/sssd-ipa.5.gz
+man/man5/sssd-krb5.5.gz
+man/man5/sssd-ldap-attributes.5.gz
+man/man5/sssd-ldap.5.gz
+man/man5/sssd-session-recording.5.gz
+man/man5/sssd-simple.5.gz
+man/man5/sssd-sudo.5.gz
+man/man5/sssd.conf.5.gz
+man/man8/idmap_sss.8.gz
+man/man8/pam_sss.8.gz
+man/man8/pam_sss_gss.8.gz
+man/man8/sss_cache.8.gz
+man/man8/sss_debuglevel.8.gz
+man/man8/sss_obfuscate.8.gz
+man/man8/sss_override.8.gz
+man/man8/sss_seed.8.gz
+man/man8/sssctl.8.gz
+man/man8/sssd-kcm.8.gz
+man/man8/sssd.8.gz
+man/man8/sssd_krb5_localauth_plugin.8.gz
+man/man8/sssd_krb5_locator_plugin.8.gz
+sbin/sss_cache
+sbin/sss_debuglevel
+sbin/sss_obfuscate
+sbin/sss_override
+sbin/sss_seed
+sbin/sssctl
+sbin/sssd
+share/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
+share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+%%DATADIR%%/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
+%%DATADIR%%/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+%%DATADIR%%/sssd-kcm/kcm_default_ccache
+%%DATADIR%%/sssd/cfg_rules.ini
+%%DATADIR%%/sssd/krb5-snippets/enable_sssd_conf_dir
+%%DATADIR%%/sssd/krb5-snippets/sssd_enable_idp
+%%DATADIR%%/sssd/krb5-snippets/sssd_enable_passkey
+%%DATADIR%%/sssd/sssd.api.conf
+%%DATADIR%%/sssd/sssd.api.d/sssd-ad.conf
+%%DATADIR%%/sssd/sssd.api.d/sssd-files.conf
+%%DATADIR%%/sssd/sssd.api.d/sssd-ipa.conf
+%%DATADIR%%/sssd/sssd.api.d/sssd-krb5.conf
+%%DATADIR%%/sssd/sssd.api.d/sssd-ldap.conf
+%%DATADIR%%/sssd/sssd.api.d/sssd-proxy.conf
+%%DATADIR%%/sssd/sssd.api.d/sssd-simple.conf
+@dir %%ETCDIR%%/conf.d
+@dir %%ETCDIR%%/pki
+@dir lib/ldb
+@dir /var/db/sss/db
+@dir /var/db/sss/deskprofile
+@dir /var/db/sss/gpo_cache
+@dir /var/db/sss/keytabs
+@dir /var/db/sss/mc
+@dir /var/db/sss/pubconf/krb5.include.d
+@dir /var/db/sss/pubconf
+@dir /var/db/sss
+@dir /var/lib/sss/secrets
+@dir /var/lib/sss
+@dir /var/lib
+@dir /var/log/sssd
+@dir /var/run/sss/pipes/private
+@dir /var/run/sss/pipes
+@dir /var/run/sss
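Review bot: The `@dir` entries for `/var/db/sss/keytabs`, `/var/lib/sss/secrets` and `/var/run/sss/pipes/private` carry no owner or mode, so their permissions depend on whatever the staged directories happen to have. State the intent in the list, e.g. `@dir(root,wheel,0700) /var/db/sss/keytabs`, and likewise for the other two; the exact modes sssd expects should be confirmed against upstream. `@dir /var/lib` also makes this package claim a shared top-level directory, so consider whether that line is needed or whether the `sss` subdirectories alone suffice.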