diff --git security/sssd/Makefile security/sssd/Makefile index dddb1f6c2532..35b4067f8ef9 100644 --- security/sssd/Makefile +++ security/sssd/Makefile @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= sssd -PORTVERSION= 1.11.7 -PORTREVISION= 19 +PORTVERSION= 1.13.4 CATEGORIES= security MASTER_SITES= https://releases.pagure.org/SSSD/${PORTNAME}/ @@ -34,6 +33,9 @@ BUILD_DEPENDS= xmlcatalog:textproc/libxml2 \ krb5>=1.10:security/krb5 \ nsupdate:dns/bind-tools +USES= autoreconf cpe gettext gmake iconv libtool pathfix pkgconfig \ + shebangfix gssapi:mit + GNU_CONFIGURE= yes CONFIGURE_ARGS= --with-selinux=no --with-semanage=no \ --with-ldb-lib-dir=${LOCALBASE}/lib/shared-modules/ldb \ 
@@ -41,21 +43,24 @@ CONFIGURE_ARGS= --with-selinux=no --with-semanage=no \ --with-libnl=no --with-init-dir=no --datadir=${DATADIR} \ --docdir=${DOCSDIR} --with-pid-path=/var/run \ --localstatedir=/var --enable-pammoddir=${PREFIX}/lib \ - --with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \ - --with-pubconf-path=/var/run/sss --with-mcache-path=/var/db/sss_mc \ + --with-db-path=/var/db/sss/db \ + --with-gpo-cache-path=/var/db/sss/gpo_cache \ + --with-pipe-path=/var/run/sss \ + --with-pubconf-path=/var/run/sss --with-mcache-path=/var/db/sss/mc \ --with-unicode-lib=libunistring --with-autofs=no \ --disable-cifs-idmap-plugin --disable-config-lib \ --with-krb5-conf=/etc/krb5.conf +# TODO: investigate possible sssd/nfsuserd compatibility +CONFIGURE_ARGS+= --without-nfsv4-idmapd-plugin CFLAGS+= -fstack-protector-all -PLIST_SUB= PYTHON_VER=${PYTHON_VER} +# add __STDC_WANT_LIB_EXT1__ - see https://stackoverflow.com/questions/24206989/error-use-of-undeclared-identifier-errno-t +#CPPFLAGS+= -D__STDC_WANT_LIB_EXT1__ #DEBUG_FLAGS= -g MAKE_ENV+= LINGUAS="bg de eu es fr hu id it ja nb nl pl pt ru sv tg tr uk zh_CN zh_TW" SUB_FILES= pkg-message USE_LDCONFIG= yes USE_OPENLDAP= yes -USES= autoreconf cpe gettext gmake iconv libtool pathfix pkgconfig \ - python:2.7 shebangfix gssapi:mit INSTALL_TARGET= install-strip CPE_VENDOR= fedoraproject 
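Review bot: Moving the cache with `--with-db-path=/var/db/sss/db` and `--with-mcache-path=/var/db/sss/mc` leaves any existing databases at the old `/var/db/sss` top level and in `/var/db/sss_mc` in place after an upgrade, and those files can hold cached credential hashes. Nothing in the visible hunks migrates or removes them, and the final pkg-plist hunk drops the `@unexec` hints that used to name those paths. A pkg-message or UPDATING entry telling administrators to move or delete the old cache would cover this; whether `pkg-message` already does so is not visible here. The commented-out `#CPPFLAGS+= -D__STDC_WANT_LIB_EXT1__` line could also be dropped, since the define is now added in the Makefile.am patch.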
@@ -65,12 +70,28 @@ SHEBANG_FILES= src/tools/sss_obfuscate \ USE_RC_SUBR= ${PORTNAME} PORTDATA= * -OPTIONS_DEFINE= DOCS SMB +OPTIONS_DEFINE= DOCS SMB +OPTIONS_DEFAULT= PYTHON3 +OPTIONS_RADIO= PYTHON +OPTIONS_RADIO_PYTHON= PYTHON2 PYTHON3 OPTIONS_SUB= yes +PYTHON2_CONFIGURE_WITH= python2-bindings +PYTHON2_USES= python:2.7 +PYTHON2_VARS= PYTHON2_CMD=${PYTHON_CMD:T} PYTHON3_CMD= +PYTHON3_CONFIGURE_WITH= python3-bindings +PYTHON3_USES= python:3.5+ +PYTHON3_VARS= PYTHON2_CMD= PYTHON3_CMD=${PYTHON_CMD:T} + +PLIST_SUB+= PORTVERSION=${PORTVERSION} \ + PYTHONPREFIX_SITELIBDIR=${PYTHONPREFIX_SITELIBDIR} \ + PYTHON_VER=${PYTHON_VER} + SMB_DESC= Install IPA and AD providers (requires Samba4) SMB_USES= samba:lib # libndr-krb5pac libndr-nbt libndr libsamba-util SMB_CONFIGURE_WITH= samba +# PAC (Privilege Attribute Certificate) responder currently needs samba +SMB_CONFIGURE_ENABLE= pac-responder post-patch: @${REINPLACE_CMD} -e 's|SIGCLD|SIGCHLD|g' ${WRKSRC}/src/util/signal.c @@ -90,6 +111,9 @@ post-patch: @${REINPLACE_CMD} -e 's|/etc/sssd/|${ETCDIR}/|g' \ -e 's|/etc/openldap/|${LOCALBASE}/etc/openldap/|g' \ ${WRKSRC}/src/man/*xml + @${REINPLACE_CMD} 's|%%PYTHON2_CMD%%|${PYTHON2_CMD}|g; \ + s|%%PYTHON3_CMD%%|${PYTHON3_CMD}|g' \ + ${WRKSRC}/configure.ac @${CP} ${FILESDIR}/bsdnss.c ${WRKSRC}/src/sss_client/bsdnss.c @${CP} ${FILESDIR}/sss_bsd_errno.h ${WRKSRC}/src/util/sss_bsd_errno.h 
@@ -97,13 +121,18 @@ post-install: ${INSTALL_DATA} ${WRKSRC}/src/examples/sssd-example.conf \ ${STAGEDIR}${ETCDIR}/sssd.conf.sample ${LN} -sf nss_sss.so ${STAGEDIR}${PREFIX}/lib/nss_sss.so.1 -# clean these up from the install; we create them in rc script start_precmd -.for d in db/sss db/sss_mc log/sssd run/sss/krb5.include.d run/sss/private run/sss - @${RMDIR} ${STAGEDIR}/var/${d} -.endfor # clean unused man dirs .for i in nl/man1 nl/man5 pt/man1 pt/man5 @${RMDIR} ${STAGEDIR}${PREFIX}/man/${i} .endfor +.include + +.if empty(PORT_OPTIONS:MPYTHON2) && empty(PORT_OPTIONS:MPYTHON3) +PLIST_SUB+= PYTHON="@comment " +USES+= python:3.5+,build +.else +PLIST_SUB+= PYTHON= +.endif + .include diff --git security/sssd/distinfo security/sssd/distinfo index 1e2052772a1b..44031020491e 100644 --- security/sssd/distinfo +++ security/sssd/distinfo @@ -1,2 +1,5 @@ -SHA256 (sssd-1.11.7.tar.gz) = ff12d5730a6d7d08fe11140aa58e544900b75c63902b7a07bbbc12d6a99cb5b5 -SIZE (sssd-1.11.7.tar.gz) = 3661227 +TIMESTAMP = 1560523527 +SHA256 (sssd-1.13.4.tar.gz) = 0a7bba7697088734c5fa1844dbb6de4f1f11afd30df02f0c1dd2579114c0a194 +SIZE (sssd-1.13.4.tar.gz) = 4730392 +SHA256 (sssd-1.13.4.tar.gz.asc) = adf1ebfd023079092748f4998e4d8476014ee78f30ce59e0a464f841aef79afa +SIZE (sssd-1.13.4.tar.gz.asc) = 181 diff --git security/sssd/files/patch-Makefile.am security/sssd/files/patch-Makefile.am index 805866577844..eadb803a1d24 100644 --- security/sssd/files/patch-Makefile.am +++ security/sssd/files/patch-Makefile.am 
@@ -1,32 +1,49 @@ -diff --git Makefile.am Makefile.am -index fd74d85..4a7e6ae 100644 ---- Makefile.am +--- Makefile.am.orig 2019-04-13 14:48:41 UTC +++ Makefile.am -@@ -311,6 +311,7 @@ AM_CPPFLAGS = \ - $(LIBNL_CFLAGS) \ +@@ -54,7 +54,7 @@ sssddatadir = $(datadir)/sssd + sssdapiplugindir = $(sssddatadir)/sssd.api.d + dbuspolicydir = $(sysconfdir)/dbus-1/system.d + dbusservicedir = $(datadir)/dbus-1/system-services +-sss_statedir = $(localstatedir)/lib/sss ++sss_statedir = $(localstatedir)/db/sss + localedir = @localedir@ + nsslibdir = @nsslibdir@ + pamlibdir = @pammoddir@ +@@ -96,6 +96,9 @@ + -fno-strict-aliasing \ + -std=gnu99 + endif ++if HAVE_ERRNO_T ++ AM_CFLAGS += -D__STDC_WANT_LIB_EXT1__ ++endif + + pkgconfig_DATA = + +@@ -427,6 +427,7 @@ AM_CPPFLAGS = \ $(OPENLDAP_CFLAGS) \ $(GLIB2_CFLAGS) \ + $(JOURNALD_CFLAGS) \ + -DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX \ -DLIBDIR=\"$(libdir)\" \ -DVARDIR=\"$(localstatedir)\" \ - -DSHLIBEXT=\"$(SHLIBEXT)\" \ -@@ -378,6 +379,7 @@ SSSD_LIBS = \ + -DSSS_STATEDIR=\"$(sss_statedir)\" \ +@@ -497,6 +498,7 @@ SSSD_LIBS = \ + $(COLLECTION_LIBS) \ $(DHASH_LIBS) \ - $(SSS_CRYPT_LIBS) \ $(OPENLDAP_LIBS) \ + $(LTLIBINTL) \ $(TDB_LIBS) PYTHON_BINDINGS_LIBS = \ -@@ -433,6 +435,7 @@ dist_noinst_HEADERS = \ +@@ -546,6 +548,7 @@ dist_noinst_HEADERS = \ src/util/sss_ssh.h \ src/util/sss_ini.h \ src/util/sss_format.h \ + src/util/sss_bsd_errno.h \ + src/util/sss_config.h \ src/util/refcount.h \ src/util/find_uid.h \ - src/util/user_info_msg.h \ -@@ -1700,9 +1703,10 @@ endif +@@ -2725,9 +2728,10 @@ intgcheck: # Client Libraries # #################### 
@@ -39,9 +56,9 @@ index fd74d85..4a7e6ae 100644 src/sss_client/nss_passwd.c \ src/sss_client/nss_group.c \ src/sss_client/nss_netgroup.c \ -@@ -1715,9 +1719,9 @@ libnss_sss_la_SOURCES = \ - src/sss_client/nss_mc_passwd.c \ +@@ -2741,9 +2745,9 @@ libnss_sss_la_SOURCES = \ src/sss_client/nss_mc_group.c \ + src/sss_client/nss_mc_initgr.c \ src/sss_client/nss_mc.h -libnss_sss_la_LIBADD = \ +nss_sss_la_LIBADD = \ @@ -51,11 +68,35 @@ index fd74d85..4a7e6ae 100644 -module \ -version-info 2:0:0 \ -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports -@@ -2086,6 +2090,7 @@ ldap_child_LDADD = \ +@@ -2936,6 +2940,7 @@ libsss_krb5_common_la_CFLAGS = \ + libsss_krb5_common_la_LIBADD = \ + $(KEYUTILS_LIBS) \ + $(DHASH_LIBS) \ ++ $(LTLIBINTL) \ + $(KRB5_LIBS) + libsss_krb5_common_la_LDFLAGS = \ + -avoid-version +@@ -3184,6 +3189,7 @@ ldap_child_LDADD = \ + $(TALLOC_LIBS) \ $(POPT_LIBS) \ - $(OPENLDAP_LIBS) \ $(DHASH_LIBS) \ + $(LTLIBINTL) \ $(KRB5_LIBS) + if BUILD_SEMANAGE +@@ -3223,6 +3229,7 @@ gpo_child_LDADD = \ + $(POPT_LIBS) \ + $(DHASH_LIBS) \ + $(INI_CONFIG_LIBS) \ ++ $(LTLIBINTL) \ + $(SMBCLIENT_LIBS) + proxy_child_SOURCES = \ +@@ -3254,6 +3261,7 @@ p11_child_LDADD = \ + $(POPT_LIBS) \ + $(NSS_LIBS) \ + libsss_crypt.la \ ++ $(LTLIBINTL) \ + $(NULL) + + memberof_la_SOURCES = \ diff --git security/sssd/files/patch-configure.ac security/sssd/files/patch-configure.ac index 4ce24d7010f4..e224601dd890 100644 --- security/sssd/files/patch-configure.ac +++ security/sssd/files/patch-configure.ac 
@@ -1,21 +1,29 @@ ---- configure.ac.orig 2013-11-06 18:35:03 UTC +--- configure.ac.orig 2016-04-13 14:48:41 UTC +++ configure.ac -@@ -5,15 +5,15 @@ AC_INIT([sssd], - VERSION_NUMBER, - [sssd-devel@lists.fedorahosted.org]) +@@ -44,7 +44,8 @@ + AC_CHECK_HEADERS(stdint.h dlfcn.h) + AC_CONFIG_HEADER(config.h) + + AC_CHECK_TYPES([errno_t], [], [], [[#include ]]) ++AM_CONDITIONAL([HAVE_ERRNO_T], [test "$ac_cv_type_errno_t" = yes]) + + m4_include([src/build_macros.m4]) + BUILD_WITH_SHARED_BUILD_DIR +@@ -266,13 +266,13 @@ AM_CONDITIONAL([HAVE_PROFILE_CATALOGS], + AM_CONDITIONAL([HAVE_MANPAGES], [test "x$HAVE_MANPAGES" != "x"]) + AM_CONDITIONAL([HAVE_PO4A], [test "x$PO4A" != "xno"]) -+AC_CONFIG_SRCDIR([BUILD.txt]) -+AC_CONFIG_AUX_DIR([build]) -+ - m4_ifdef([AC_USE_SYSTEM_EXTENSIONS], - [AC_USE_SYSTEM_EXTENSIONS], - [AC_GNU_SOURCE]) +-AC_CHECK_PROG(HAVE_PYTHON2, python2, yes, no) ++AC_CHECK_PROGS(HAVE_PYTHON2, %%PYTHON2_CMD%% python2, yes, no) + AS_IF([test x$HAVE_PYTHON2 = xyes], +- [AC_PATH_PROG(PYTHON2, python2)]) ++ [AC_PATH_PROGS(PYTHON2, %%PYTHON2_CMD%% python2)]) - CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE" +-AC_CHECK_PROG(HAVE_PYTHON3, python3, yes, no) ++AC_CHECK_PROGS(HAVE_PYTHON3, %%PYTHON3_CMD%% python3, yes, no) + AS_IF([test x$HAVE_PYTHON3 = xyes], +- [AC_PATH_PROG(PYTHON3, python3)]) ++ [AC_PATH_PROGS(PYTHON3, %%PYTHON3_CMD%% python3)]) --AC_CONFIG_SRCDIR([BUILD.txt]) --AC_CONFIG_AUX_DIR([build]) -- - AM_INIT_AUTOMAKE([-Wall foreign subdir-objects tar-pax]) - AM_PROG_CC_C_O - m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) + if test x$HAVE_PYTHON2_BINDINGS = x1; then + AS_IF([test x$HAVE_PYTHON2 != xyes], diff --git security/sssd/files/patch-src-util-cert-nss-cert.c security/sssd/files/patch-src-util-cert-nss-cert.c new file mode 100644 index 000000000000..0ba84ca7573d --- /dev/null +++ security/sssd/files/patch-src-util-cert-nss-cert.c 
@@ -0,0 +1,10 @@
+--- src/util/cert/nss/cert.c.orig 2016-04-13 14:48:41 UTC
++++ src/util/cert/nss/cert.c
+@@ -31,6 +31,7 @@
+ #include "util/crypto/sss_crypto.h"
+ #include "util/crypto/nss/nss_util.h"
+ #include "util/cert.h"
++#include "util/sss_endian.h"
+
+ #define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
+ #define NS_CERT_TRAILER "-----END CERTIFICATE-----"
diff --git security/sssd/files/patch-src-util-util.c security/sssd/files/patch-src-util-util.c
new file mode 100644
index 000000000000..12e25af3b782
--- /dev/null
+++ security/sssd/files/patch-src-util-util.c
@@ -0,0 +1,29 @@
+--- src/util/util.c.orig 2016-04-13 14:48:41 UTC
++++ src/util/util.c
+@@ -946,7 +946,7 @@ errno_t sss_utc_to_time_t(const char *st
+ len = strlen(str);
+ if (str[len-1] != 'Z') {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+- "%s does not seem to be in UTZ time zone.\n", str);
++ "%s does not seem to be in UTC time zone.\n", str);
+ return ERR_TIMESPEC_NOT_SUPPORTED;
+ }
+
+@@ -967,15 +967,13 @@ errno_t sss_utc_to_time_t(const char *st
+ return EINVAL;
+ }
+
+- ut = mktime(&tm);
++ ut = timegm(&tm);
+ if (ut == -1) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+- "mktime failed to convert [%s].\n", str);
++ "timegm failed to convert [%s].\n", str);
+ return EINVAL;
+ }
+
+- tzset();
+- ut -= timezone;
+ *_unix_time = ut;
+ return EOK;
+ }
diff --git security/sssd/files/patch-src__providers__ldap__ldap_auth.c security/sssd/files/patch-src__providers__ldap__ldap_auth.c
index c533586c52fc..463cff1723cd 100644
--- security/sssd/files/patch-src__providers__ldap__ldap_auth.c
+++ security/sssd/files/patch-src__providers__ldap__ldap_auth.c
@@ -1,6 +1,4 @@
-diff --git src/providers/ldap/ldap_auth.c src/providers/ldap/ldap_auth.c
-index 2aacce0..e019cf7 100644
---- src/providers/ldap/ldap_auth.c
+--- src/providers/ldap/ldap_auth.c.orig 2016-04-13 14:48:41 UTC
 +++ src/providers/ldap/ldap_auth.c
 @@ -37,7 +37,6 @@
 #include
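Review bot: `sss_utc_to_time_t` still indexes `str[len-1]` directly after `len = strlen(str)` in the first patched hunk of the new util.c patch, so an empty timestamp string reads one byte before the buffer. Since the port already patches this function, the guard could be added here as `if (len == 0 || str[len-1] != 'Z') {`. Whether every caller rejects empty attribute values before this point is not visible, and the function's start lies outside the hunk. A one-line comment at the top of the patch saying why `mktime` plus the `timezone` adjustment is replaced by `timegm` would also help the next maintainer.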
@@ -10,9 +8,9 @@ index 2aacce0..e019cf7 100644 #include #include "util/util.h" -@@ -56,6 +55,22 @@ enum pwexpire { - PWEXPIRE_SHADOW - }; +@@ -51,6 +50,22 @@ + + #define LDAP_PWEXPIRE_WARNING_TIME 0 +struct spwd +{ @@ -33,31 +31,20 @@ index 2aacce0..e019cf7 100644 static errno_t add_expired_warning(struct pam_data *pd, long exp_time) { int ret; -@@ -109,6 +124,7 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now, - return EINVAL; - } - -+ tzset(); - expire_time = mktime(&tm); - if (expire_time == -1) { - DEBUG(SSSDBG_CRIT_FAILURE, -@@ -116,12 +132,10 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now, - return EINVAL; +@@ -96,9 +111,9 @@ static errno_t check_pwexpire_kerberos(c } -- tzset(); -- expire_time -= timezone; DEBUG(SSSDBG_TRACE_ALL, - "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] " - "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0], - tzname[1], timezone, daylight, now, expire_time); + "Time info: tzname[0] [%s] tzname[1] [%s] " -+ "now [%ld] expire_time [%ld].\n", tzname[0], -+ tzname[1], now, expire_time); ++ "now [%ld] expire_time [%ld].\n", tzname[0], ++ tzname[1], now, expire_time); if (difftime(now, expire_time) > 0.0) { DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n"); -@@ -924,7 +938,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) +@@ -945,7 +960,7 @@ void sdap_pam_chpass_handler(struct be_r DEBUG(SSSDBG_OP_FAILURE, "starting password change request for user [%s].\n", pd->user); @@ -66,7 +53,7 @@ index 2aacce0..e019cf7 100644 if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) { DEBUG(SSSDBG_OP_FAILURE, -@@ -1069,7 +1083,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req) +@@ -1094,7 +1109,7 @@ static void sdap_auth4chpass_done(struct dp_err = DP_ERR_OFFLINE; break; default: 
@@ -75,7 +62,7 @@ index 2aacce0..e019cf7 100644 } done: -@@ -1131,7 +1145,7 @@ static void sdap_pam_chpass_done(struct tevent_req *req) +@@ -1156,7 +1171,7 @@ static void sdap_pam_chpass_done(struct state->sh, state->dn, lastchanged_name); if (subreq == NULL) { @@ -84,7 +71,7 @@ index 2aacce0..e019cf7 100644 goto done; } -@@ -1152,7 +1166,7 @@ static void sdap_lastchange_done(struct tevent_req *req) +@@ -1177,7 +1192,7 @@ static void sdap_lastchange_done(struct ret = sdap_modify_shadow_lastchange_recv(req); if (ret != EOK) { @@ -93,7 +80,7 @@ index 2aacce0..e019cf7 100644 goto done; } -@@ -1193,7 +1207,7 @@ void sdap_pam_auth_handler(struct be_req *breq) +@@ -1218,7 +1233,7 @@ void sdap_pam_auth_handler(struct be_req goto done; } @@ -102,8 +89,8 @@ index 2aacce0..e019cf7 100644 switch (pd->cmd) { case SSS_PAM_AUTHENTICATE: -@@ -1291,7 +1305,7 @@ static void sdap_pam_auth_done(struct tevent_req *req) - state->pd->pam_status = PAM_NEW_AUTHTOK_REQD; +@@ -1307,7 +1322,7 @@ static void sdap_pam_auth_done(struct te + state->pd->pam_status = PAM_PERM_DENIED; break; default: - state->pd->pam_status = PAM_SYSTEM_ERR; diff --git security/sssd/files/patch-src__providers__ldap__sdap_access.c security/sssd/files/patch-src__providers__ldap__sdap_access.c index 5bc72a8fd902..6399c194b6ef 100644 --- security/sssd/files/patch-src__providers__ldap__sdap_access.c +++ security/sssd/files/patch-src__providers__ldap__sdap_access.c 
@@ -1,29 +1,15 @@ -diff --git src/providers/ldap/sdap_access.c src/providers/ldap/sdap_access.c -index 880735e..d349dcf 100644 ---- src/providers/ldap/sdap_access.c +--- src/providers/ldap/sdap_access.c.orig 2016-04-13 14:48:41 UTC +++ src/providers/ldap/sdap_access.c -@@ -499,6 +499,7 @@ static bool nds_check_expired(const char *exp_time_str) - return true; - } +@@ -557,9 +557,9 @@ bool nds_check_expired(const char *exp_t -+ tzset(); - expire_time = mktime(&tm); - if (expire_time == -1) { - DEBUG(SSSDBG_CRIT_FAILURE, -@@ -506,13 +507,11 @@ static bool nds_check_expired(const char *exp_time_str) - return true; - } - -- tzset(); -- expire_time -= timezone; now = time(NULL); DEBUG(SSSDBG_TRACE_ALL, - "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] " - "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0], - tzname[1], timezone, daylight, now, expire_time); + "Time info: tzname[0] [%s] tzname[1] [%s] " -+ "now [%ld] expire_time [%ld].\n", tzname[0], -+ tzname[1], now, expire_time); ++ "now [%ld] expire_time [%ld].\n", tzname[0], ++ tzname[1], now, expire_time); if (difftime(now, expire_time) > 0.0) { DEBUG(SSSDBG_CONF_SETTINGS, "NDS account expired.\n"); diff --git security/sssd/files/patch-src__sss_client__common.c security/sssd/files/patch-src__sss_client__common.c index 87a4b8d472bd..5ac4156a00f4 100644 --- security/sssd/files/patch-src__sss_client__common.c +++ security/sssd/files/patch-src__sss_client__common.c @@ -1,6 +1,4 @@ -diff --git src/sss_client/common.c src/sss_client/common.c -index ec5c708..5d17eed 100644 ---- src/sss_client/common.c +--- src/sss_client/common.c.orig 2016-04-13 14:48:41 UTC +++ src/sss_client/common.c @@ -25,6 +25,7 @@ #include "config.h" @@ -18,7 +16,7 @@ index ec5c708..5d17eed 100644 #if HAVE_PTHREAD #include -@@ -124,7 +126,6 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, +@@ -124,7 +126,6 @@ static enum sss_status sss_cli_send_req( *errnop = error; break; case 0: 
@@ -26,7 +24,7 @@ index ec5c708..5d17eed 100644 break; case 1: if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { -@@ -232,7 +233,6 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, +@@ -232,7 +233,6 @@ static enum sss_status sss_cli_recv_rep( *errnop = error; break; case 0: @@ -34,7 +32,7 @@ index ec5c708..5d17eed 100644 break; case 1: if (pfd.revents & (POLLHUP)) { -@@ -669,7 +669,6 @@ static enum sss_status sss_cli_check_socket(int *errnop, const char *socket_name +@@ -669,7 +669,6 @@ static enum sss_status sss_cli_check_soc *errnop = error; break; case 0: @@ -42,7 +40,7 @@ index ec5c708..5d17eed 100644 break; case 1: if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { -@@ -719,23 +718,23 @@ enum nss_status sss_nss_make_request(enum sss_cli_command cmd, +@@ -719,7 +718,7 @@ enum nss_status sss_nss_make_request(enu /* avoid looping in the nss daemon */ envval = getenv("_SSS_LOOPS"); if (envval && strcmp(envval, "NO") == 0) { 
@@ -51,12 +49,78 @@ index ec5c708..5d17eed 100644 } ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME); +@@ -727,9 +726,9 @@ enum nss_status sss_nss_make_request(enu + #ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR + *errnop = 0; + errno = 0; +- return NSS_STATUS_NOTFOUND; ++ return NS_NOTFOUND; + #else +- return NSS_STATUS_UNAVAIL; ++ return NS_UNAVAIL; + #endif + } + +@@ -741,9 +740,9 @@ enum nss_status sss_nss_make_request(enu + #ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR + *errnop = 0; + errno = 0; +- return NSS_STATUS_NOTFOUND; ++ return NS_NOTFOUND; + #else +- return NSS_STATUS_UNAVAIL; ++ return NS_UNAVAIL; + #endif + } + +@@ -752,17 +751,17 @@ enum nss_status sss_nss_make_request(enu + } + switch (ret) { + case SSS_STATUS_TRYAGAIN: +- return NSS_STATUS_TRYAGAIN; ++ return NS_TRYAGAIN; + case SSS_STATUS_SUCCESS: +- return NSS_STATUS_SUCCESS; ++ return NS_SUCCESS; + case SSS_STATUS_UNAVAIL: + default: + #ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR + *errnop = 0; + errno = 0; +- return NSS_STATUS_NOTFOUND; ++ return NS_NOTFOUND; + #else +- return NSS_STATUS_UNAVAIL; ++ return NS_UNAVAIL; + #endif + } + } +@@ -791,12 +790,12 @@ int sss_pac_make_request(enum sss_cli_co + /* avoid looping in the nss daemon */ + envval = getenv("_SSS_LOOPS"); + if (envval && strcmp(envval, "NO") == 0) { +- return NSS_STATUS_NOTFOUND; ++ return NS_NOTFOUND; + } + + ret = sss_cli_check_socket(errnop, SSS_PAC_SOCKET_NAME); if (ret != SSS_STATUS_SUCCESS) { - return NSS_STATUS_UNAVAIL; + return NS_UNAVAIL; } ret = sss_cli_make_request_nochecks(cmd, rd, repbuf, replen, errnop); +@@ -804,7 +803,7 @@ int sss_pac_make_request(enum sss_cli_co + /* try reopen socket */ + ret = sss_cli_check_socket(errnop, SSS_PAC_SOCKET_NAME); + if (ret != SSS_STATUS_SUCCESS) { +- return NSS_STATUS_UNAVAIL; ++ return NS_UNAVAIL; + } + + /* and make request one more time */ +@@ -812,12 +811,12 @@ int sss_pac_make_request(enum sss_cli_co + } switch (ret) { case SSS_STATUS_TRYAGAIN: - return NSS_STATUS_TRYAGAIN; 
diff --git security/sssd/files/patch-src__util__server.c security/sssd/files/patch-src__util__server.c index 8c80dfd2864c..cf8f45db853e 100644 --- security/sssd/files/patch-src__util__server.c +++ security/sssd/files/patch-src__util__server.c @@ -1,19 +1,11 @@ -diff --git src/util/server.c src/util/server.c -index 343668c..f8a1627 100644 ---- src/util/server.c +--- src/util/server.c.orig 2016-04-13 14:48:41 UTC +++ src/util/server.c -@@ -322,12 +322,14 @@ static void setup_signals(void) - BlockSignals(false, SIGTERM); - - CatchSignal(SIGHUP, sig_hup); -- +@@ -308,8 +308,11 @@ static void setup_signals(void) #ifndef HAVE_PRCTL -- /* If prctl is not defined on the system, try to handle -- * some common termination signals gracefully */ + /* If prctl is not defined on the system, try to handle + * some common termination signals gracefully */ - CatchSignal(SIGSEGV, sig_segv_abrt); - CatchSignal(SIGABRT, sig_segv_abrt); -+ /* If prctl is not defined on the system, try to handle -+ * some common termination signals gracefully */ + (void) sig_segv_abrt; /* unused */ + /* + CatchSignal(SIGSEGV, sig_segv_abrt); diff --git security/sssd/files/patch-src__util__signal.c security/sssd/files/patch-src__util__signal.c deleted file mode 100644 index 85e2ae9d5431..000000000000 --- security/sssd/files/patch-src__util__signal.c +++ /dev/null 
@@ -1,72 +0,0 @@
-diff --git src/util/signal.c src/util/signal.c
-index 053457b..bb8f8be 100644
---- src/util/signal.c
-+++ src/util/signal.c
-@@ -28,45 +28,6 @@
- * @brief Signal handling
- */
-
--/****************************************************************************
-- Catch child exits and reap the child zombie status.
--****************************************************************************/
--
--static void sig_cld(int signum)
--{
-- while (waitpid((pid_t)-1,(int *)NULL, WNOHANG) > 0)
-- ;
--
-- /*
-- * Turns out it's *really* important not to
-- * restore the signal handler here if we have real POSIX
-- * signal handling. If we do, then we get the signal re-delivered
-- * immediately - hey presto - instant loop ! JRA.
-- */
--
--#if !defined(HAVE_SIGACTION)
-- CatchSignal(SIGCLD, sig_cld);
--#endif
--}
--
--/****************************************************************************
--catch child exits - leave status;
--****************************************************************************/
--
--static void sig_cld_leave_status(int signum)
--{
-- /*
-- * Turns out it's *really* important not to
-- * restore the signal handler here if we have real POSIX
-- * signal handling. If we do, then we get the signal re-delivered
-- * immediately - hey presto - instant loop ! JRA.
-- */
--
--#if !defined(HAVE_SIGACTION)
-- CatchSignal(SIGCLD, sig_cld_leave_status);
--#endif
--}
--
- /**
- Block sigs.
- **/
-@@ -126,21 +87,3 @@ void (*CatchSignal(int signum,void (*handler)(int )))(int)
- return signal(signum, handler);
- #endif
- }
--
--/**
-- Ignore SIGCLD via whatever means is necessary for this OS.
--**/
--
--void CatchChild(void)
--{
-- CatchSignal(SIGCLD, sig_cld);
--}
--
--/**
-- Catch SIGCLD but leave the child around so it's status can be reaped.
--**/
--
--void CatchChildLeaveStatus(void)
--{
-- CatchSignal(SIGCLD, sig_cld_leave_status);
--}
diff --git security/sssd/files/patch-src__util__util.h security/sssd/files/patch-src__util__util.h index f10b498e5d82..4a33fe4a8a6d 100644 --- security/sssd/files/patch-src__util__util.h +++ security/sssd/files/patch-src__util__util.h @@ -1,20 +1,13 @@ -diff --git src/util/util.h src/util/util.h -index 7a66846..5e63275 100644 ---- src/util/util.h +--- src/util/util.h.orig 2016-04-13 14:48:41 UTC +++ src/util/util.h -@@ -227,8 +227,6 @@ void sig_term(int sig); - #include - void BlockSignals(bool block, int signum); - void (*CatchSignal(int signum,void (*handler)(int )))(int); --void CatchChild(void); --void CatchChildLeaveStatus(void); - - /* from memory.c */ - typedef int (void_destructor_fn_t)(void *); -@@ -542,5 +540,6 @@ char * sss_replace_space(TALLOC_CTX *mem_ctx, - char * sss_reverse_replace_space(TALLOC_CTX *mem_ctx, - const char *orig_name, - const char replace_char); +@@ -586,5 +586,10 @@ + * so that it's guaranteed the file is removed. + */ + int sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl); +#include "util/sss_bsd_errno.h" ++ ++#ifndef N_ELEMENTS ++#define N_ELEMENTS(arr) (sizeof(arr) / sizeof(arr[0])) ++#endif #endif /* __SSSD_UTIL_H__ */ diff --git security/sssd/files/patch-src_external_pac__responder.m4 security/sssd/files/patch-src_external_pac__responder.m4 index 73782d6b4d7e..7d319c08ac09 100644 --- security/sssd/files/patch-src_external_pac__responder.m4 +++ security/sssd/files/patch-src_external_pac__responder.m4 @@ -1,6 +1,6 @@ ---- src/external/pac_responder.m4.orig 2014-09-17 13:01:37 UTC +--- src/external/pac_responder.m4.orig 2016-04-13 14:48:41 UTC +++ src/external/pac_responder.m4 -@@ -14,14 +14,19 @@ then +@@ -14,7 +14,7 @@ then PKG_CHECK_MODULES(NDR_KRB5PAC, ndr_krb5pac, ndr_krb5pac_ok=yes, AC_MSG_WARN([Cannot build pac responder without libndr_krb5pac])) 
@@ -9,12 +9,11 @@ AC_MSG_CHECKING(for supported MIT krb5 version) KRB5_VERSION="`$KRB5_CONFIG --version`" case $KRB5_VERSION in - Kerberos\ 5\ release\ 1.9* | \ - Kerberos\ 5\ release\ 1.10* | \ +@@ -23,7 +23,10 @@ then Kerberos\ 5\ release\ 1.11* | \ -- Kerberos\ 5\ release\ 1.12*) -+ Kerberos\ 5\ release\ 1.12* | \ -+ Kerberos\ 5\ release\ 1.13* | \ + Kerberos\ 5\ release\ 1.12* | \ + Kerberos\ 5\ release\ 1.13* | \ +- Kerberos\ 5\ release\ 1.14*) + Kerberos\ 5\ release\ 1.14* | \ + Kerberos\ 5\ release\ 1.15* | \ + Kerberos\ 5\ release\ 1.16* | \ diff --git security/sssd/files/patch-src_providers_ad_ad__gpo__ndr.c security/sssd/files/patch-src_providers_ad_ad__gpo__ndr.c new file mode 100644 index 000000000000..609405567694 --- /dev/null +++ security/sssd/files/patch-src_providers_ad_ad__gpo__ndr.c @@ -0,0 +1,11 @@ +--- src/providers/ad/ad_gpo_ndr.c.orig 2019-10-02 15:20:18 UTC ++++ src/providers/ad/ad_gpo_ndr.c +@@ -258,7 +258,7 @@ ndr_pull_dom_sid(struct ndr_pull *ndr, + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num)); + NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths)); +- if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) { ++ if (r->num_auths < 0 || r->num_auths > N_ELEMENTS(r->sub_auths)) { + return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range"); + } + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6)); diff --git security/sssd/files/sssd.in security/sssd/files/sssd.in index b33a9b51609a..e1c206ba0671 100644 --- security/sssd/files/sssd.in +++ security/sssd/files/sssd.in @@ -34,7 +34,7 @@ start_precmd=sssd_prestart sssd_prestart() { - for i in db/sss db/sss_mc log/sssd run/sss/krb5.include.d run/sss/private run/sss; do + for i in db/sss db/sss/db db/sss/gpo_cache db/sss/mc log/sssd run/sss/krb5.include.d run/sss/private run/sss; do if [ ! -d var/${i} ]; then mkdir -p /var/${i}; fi done } 
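Review bot: The added `db/sss/db`, `db/sss/gpo_cache` and `db/sss/mc` entries in `sssd_prestart` are created by a bare `mkdir -p`, so the credential cache directory and `run/sss/private` get whatever mode the rc environment's umask yields rather than a pinned one. Consider creating the sensitive ones explicitly, for example `install -d -m 0700 /var/db/sss/db /var/run/sss/private`, while leaving the memory-cache directory readable for NSS clients. The unchanged test on the following line checks the relative path `var/${i}` although the `mkdir` uses `/var/${i}`, so the check only matches when the script runs with `/` as its working directory; `[ ! -d /var/${i} ]` is presumably what was meant. The same concern applies to the bare `@dir /var/db/sss/...` and `@dir /var/run/sss/private` entries in the last pkg-plist hunk, where `@dir(root,wheel,0700)` would pin owner and mode.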
diff --git security/sssd/pkg-plist security/sssd/pkg-plist
index aac862acf899..1bf1eb903441 100644
--- security/sssd/pkg-plist
+++ security/sssd/pkg-plist
@@ -5,6 +5,9 @@ etc/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 include/ipa_hbac.h
 include/sss_idmap.h
 include/sss_nss_idmap.h
+include/sss_sifp_dbus.h
+include/sss_sifp.h
+include/wbclient_sssd.h
 %%SMB%%lib/krb5/plugins/authdata/sssd_pac_plugin.so
 lib/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
 lib/libipa_hbac.so
@@ -12,29 +15,36 @@ lib/libipa_hbac.so.0
 lib/libipa_hbac.so.0.0.1
 lib/libsss_idmap.so
 lib/libsss_idmap.so.0
-lib/libsss_idmap.so.0.4.0
+lib/libsss_idmap.so.0.5.0
 lib/libsss_nss_idmap.so
 lib/libsss_nss_idmap.so.0
-lib/libsss_nss_idmap.so.0.0.1
+lib/libsss_nss_idmap.so.0.1.0
+lib/libsss_simpleifp.so
+lib/libsss_simpleifp.so.0
+lib/libsss_simpleifp.so.0.0.1
 lib/libsss_sudo.so
 lib/nss_sss.so
 lib/nss_sss.so.1
 lib/nss_sss.so.2
 lib/nss_sss.so.2.0.0
 lib/pam_sss.so
-%%PYTHON_SITELIBDIR%%/SSSDConfig-1.11.7-py%%PYTHON_VER%%.egg-info
-%%PYTHON_SITELIBDIR%%/SSSDConfig/__init__.py
-%%PYTHON_SITELIBDIR%%/SSSDConfig/__init__.pyc
-%%PYTHON_SITELIBDIR%%/SSSDConfig/ipachangeconf.py
-%%PYTHON_SITELIBDIR%%/SSSDConfig/ipachangeconf.pyc
-%%PYTHON_SITELIBDIR%%/SSSDConfig/sssd_upgrade_config.py
-%%PYTHON_SITELIBDIR%%/SSSDConfig/sssd_upgrade_config.pyc
-%%PYTHON_SITELIBDIR%%/pyhbac.so
-%%PYTHON_SITELIBDIR%%/pysss.so
-%%PYTHON_SITELIBDIR%%/pysss_murmur.so
-%%PYTHON_SITELIBDIR%%/pysss_nss_idmap.so
+%%PYTHON%%%%PYTHONPREFIX_SITELIBDIR%%/pyhbac.so
+%%PYTHON%%%%PYTHONPREFIX_SITELIBDIR%%/pysss_murmur.so
+%%PYTHON%%%%PYTHONPREFIX_SITELIBDIR%%/pysss_nss_idmap.so
+%%PYTHON%%%%PYTHONPREFIX_SITELIBDIR%%/pysss.so
+%%PYTHON%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig-%%PORTVERSION%%-py%%PYTHON_VER%%.egg-info
+%%PYTHON%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/__init__.py
+%%PYTHON%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/ipachangeconf.py
+%%PYTHON%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/sssd_upgrade_config.py
+%%PYTHON2%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/__init__.pyc
+%%PYTHON2%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/ipachangeconf.pyc
+%%PYTHON2%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/sssd_upgrade_config.pyc
+%%PYTHON3%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/__pycache__/__init__.cpython-36.pyc
+%%PYTHON3%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/__pycache__/ipachangeconf.cpython-36.pyc
+%%PYTHON3%%%%PYTHONPREFIX_SITELIBDIR%%/SSSDConfig/__pycache__/sssd_upgrade_config.cpython-36.pyc
 lib/shared-modules/ldb/memberof.so
 %%SMB%%lib/sssd/libsss_ad.so
+lib/sssd/libsss_cert.so
 lib/sssd/libsss_child.so
 lib/sssd/libsss_crypt.so
 lib/sssd/libsss_debug.so
@@ -46,11 +56,20 @@ lib/sssd/libsss_ldap_common.so
 lib/sssd/libsss_proxy.so
 lib/sssd/libsss_simple.so
 lib/sssd/libsss_util.so
+lib/sssd/libsss_semanage.so
+lib/sssd/modules/libwbclient.so
+lib/sssd/modules/libwbclient.so.0
+lib/sssd/modules/libwbclient.so.0.12.0
+lib/sssd/modules/sssd_krb5_localauth_plugin.so
 libdata/pkgconfig/ipa_hbac.pc
 libdata/pkgconfig/sss_idmap.pc
 libdata/pkgconfig/sss_nss_idmap.pc
+libdata/pkgconfig/sss_simpleifp.pc
+libdata/pkgconfig/wbclient_sssd.pc
+%%SMB%%libexec/sssd/gpo_child
 libexec/sssd/krb5_child
 libexec/sssd/ldap_child
+libexec/sssd/p11_child
 libexec/sssd/proxy_child
 libexec/sssd/sss_signal
 libexec/sssd/sssd_be
@@ -60,13 +79,32 @@ libexec/sssd/sssd_nss
 libexec/sssd/sssd_pam
 libexec/sssd/sssd_ssh
 libexec/sssd/sssd_sudo
-man/es/man1/sss_ssh_authorizedkeys.1.gz
+man/de/man1/sss_ssh_authorizedkeys.1.gz
+man/de/man1/sss_ssh_knownhostsproxy.1.gz
+man/de/man5/sssd-ifp.5.gz
+man/de/man5/sssd-krb5.5.gz
+man/de/man5/sssd-ldap.5.gz
+man/de/man5/sssd-simple.5.gz
+man/de/man5/sssd-sudo.5.gz
+man/de/man5/sssd.conf.5.gz
+man/de/man8/pam_sss.8.gz
+man/de/man8/sss_cache.8.gz
+man/de/man8/sss_debuglevel.8.gz
+man/de/man8/sss_groupadd.8.gz
+man/de/man8/sss_groupdel.8.gz
+man/de/man8/sss_groupmod.8.gz
+man/de/man8/sss_groupshow.8.gz
+man/de/man8/sss_obfuscate.8.gz
+man/de/man8/sss_seed.8.gz
+man/de/man8/sss_useradd.8.gz
+man/de/man8/sss_userdel.8.gz
+man/de/man8/sss_usermod.8.gz
+man/de/man8/sssd_krb5_locator_plugin.8.gz
+man/de/man8/sssd.8.gz
 man/es/man1/sss_ssh_knownhostsproxy.1.gz
 man/es/man5/sssd-ldap.5.gz
 man/es/man5/sssd-simple.5.gz
 man/es/man5/sssd-sudo.5.gz
-man/es/man5/sssd.conf.5.gz
-man/es/man8/pam_sss.8.gz
 man/es/man8/sss_cache.8.gz
 man/es/man8/sss_debuglevel.8.gz
 man/es/man8/sss_groupadd.8.gz
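Review bot: The three `%%PYTHON3%%…/__pycache__/*.cpython-36.pyc` entries hard-code the 3.6 bytecode tag, while the Makefile hunk declares `PYTHON3_USES= python:3.5+`. A build against any other Python 3 version would produce differently named files, so the packing list would no longer match what is staged. Passing the suffix through, for example `PYTHON_SUFFIX=${PYTHON_SUFFIX}` in `PLIST_SUB` and `cpython-%%PYTHON_SUFFIX%%.pyc` in these entries, keeps the list in step with the selected interpreter.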
@@ -82,7 +120,6 @@ man/es/man8/sssd.8.gz
 man/es/man8/sssd_krb5_locator_plugin.8.gz
 man/fr/man1/sss_ssh_authorizedkeys.1.gz
 man/fr/man1/sss_ssh_knownhostsproxy.1.gz
-man/fr/man5/sssd-ad.5.gz
 man/fr/man5/sssd-krb5.5.gz
 man/fr/man5/sssd-ldap.5.gz
 man/fr/man5/sssd-simple.5.gz
@@ -105,10 +142,7 @@ man/fr/man8/sssd_krb5_locator_plugin.8.gz
 man/ja/man1/sss_ssh_authorizedkeys.1.gz
 man/ja/man1/sss_ssh_knownhostsproxy.1.gz
 man/ja/man5/sssd-krb5.5.gz
-man/ja/man5/sssd-ldap.5.gz
 man/ja/man5/sssd-simple.5.gz
-man/ja/man5/sssd.conf.5.gz
-man/ja/man8/pam_sss.8.gz
 man/ja/man8/sss_cache.8.gz
 man/ja/man8/sss_debuglevel.8.gz
 man/ja/man8/sss_groupadd.8.gz
@@ -123,9 +157,9 @@ man/ja/man8/sssd.8.gz
 man/ja/man8/sssd_krb5_locator_plugin.8.gz
 man/man1/sss_ssh_authorizedkeys.1.gz
 man/man1/sss_ssh_knownhostsproxy.1.gz
-man/man5/sssd-ad.5.gz
+%%SMB%%man/man5/sssd-ad.5.gz
 man/man5/sssd-ifp.5.gz
-man/man5/sssd-ipa.5.gz
+%%SMB%%man/man5/sssd-ipa.5.gz
 man/man5/sssd-krb5.5.gz
 man/man5/sssd-ldap.5.gz
 man/man5/sssd-simple.5.gz
@@ -139,6 +173,7 @@ man/man8/sss_groupdel.8.gz
 man/man8/sss_groupmod.8.gz
 man/man8/sss_groupshow.8.gz
 man/man8/sss_obfuscate.8.gz
+man/man8/sss_override.8.gz
 man/man8/sss_seed.8.gz
 man/man8/sss_useradd.8.gz
 man/man8/sss_userdel.8.gz
@@ -150,8 +185,10 @@ man/pt/man8/sss_groupdel.8.gz
 man/pt/man8/sss_groupmod.8.gz
 man/uk/man1/sss_ssh_authorizedkeys.1.gz
 man/uk/man1/sss_ssh_knownhostsproxy.1.gz
+man/uk/man5/sss_rpcidmapd.5.gz
 man/uk/man5/sssd-ad.5.gz
 man/uk/man5/sssd-ifp.5.gz
+man/uk/man5/sssd-ipa.5.gz
 man/uk/man5/sssd-krb5.5.gz
 man/uk/man5/sssd-ldap.5.gz
 man/uk/man5/sssd-simple.5.gz
@@ -169,15 +206,16 @@ man/uk/man8/sss_seed.8.gz
 man/uk/man8/sss_useradd.8.gz
 man/uk/man8/sss_userdel.8.gz
 man/uk/man8/sss_usermod.8.gz
-man/uk/man8/sssd.8.gz
 man/uk/man8/sssd_krb5_locator_plugin.8.gz
+man/uk/man8/sssd.8.gz
 sbin/sss_cache
 sbin/sss_debuglevel
 sbin/sss_groupadd
 sbin/sss_groupdel
 sbin/sss_groupmod
 sbin/sss_groupshow
-sbin/sss_obfuscate
+%%PYTHON%%sbin/sss_obfuscate
+sbin/sss_override
 sbin/sss_seed
 sbin/sss_useradd
 sbin/sss_userdel
@@ -190,7 +228,13 @@ sbin/sssd
 %%PORTDOCS%%@dir %%DOCSDIR%%/idmap_doc
 %%PORTDOCS%%@dir %%DOCSDIR%%/libsss_sudo_doc
 %%PORTDOCS%%@dir %%DOCSDIR%%/nss_idmap_doc
-@unexec if [ -d %%ETCDIR%% ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf %%ETCDIR%%`` to remove any configuration files."; fi
-@unexec if [ -d /var/db/sss ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/db/sss`` to remove any additional files."; fi
-@unexec if [ -d /var/db/sss_mc ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/db/sss_mc`` to remove any additional files."; fi
-@unexec if [ -d /var/run/sss ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf /var/run/sss`` to remove any additional files."; fi
+%%PORTDOCS%%@dir %%DOCSDIR%%/sss_simpleifp_doc
+@dir /var/db/sss
+@dir /var/db/sss/db
+@dir /var/db/sss/gpo_cache
+@dir /var/db/sss/keytabs
+@dir /var/db/sss/mc
+@dir /var/log/sssd
+@dir /var/run/sss
+@dir /var/run/sss/krb5.include.d
+@dir /var/run/sss/private