| Summary: | security/sssd: support for current krb5 and samba releases / update to sssd 1.15.0 ?? | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | max |
| Component: | Individual Port(s) | Assignee: | freebsd-ports-bugs (Nobody) <ports-bugs> |
| Status: | Closed Overcome By Events | | |
| Severity: | Affects Some People | CC: | lukas.slebodnik, lwhsu, max, ndowens04, rainer, timur, vmiller, vrwmiller |
| Priority: | --- | Keywords: | needs-patch, needs-qa |
| Version: | Latest | Flags: | lukas.slebodnik: maintainer-feedback- |
| Hardware: | amd64 | | |
| OS: | Any | | |
| Bug Depends on: | | | |
| Bug Blocks: | 240708 | | |
| Attachments: | | | |

Description
max
2017-03-08 00:50:20 UTC
(In reply to max from comment #0)
> The patch from bug 204827 needs to be updated to support the current 1.15.1
> release of krb5.
>
> Additionally the port installs samba42 even if samba44 is installed - for me it
> built successfully with samba 4.4.8. I'm quite new to FreeBSD and do not fully
> understand the DEPENDS syntax, but isn't there a way to make it compatible with
> samba42, samba43 and samba44?
>
> One last question: Is there a reason why to keep 1.11.7 - upstream released
> 1.15.0 lately?

I plan to update port to LTM upstream version 1.13.4 or probably 1.13.5 which can be released in a week.

Created attachment 185201 [details]
Patch sssd from 1.11.7 to 1.15.3
I deploy sssd on FreeBSD 10.x in conjunction with MIT krb, OpenLDAP, and SASL. The current version of sssd in FreeBSD Ports (1.11.7) contains a bug described in a bug report[1]. It is alleged that sssd 1.15.x contains a fix for this bug. I have, therefore, generated a patch[2] that updates the FreeBSD Port to 1.15.3. It appears to work generally. However, during the configure phase, the port complains and fails due to missing libnfsidmap.h.

Can you review and edit the patch attached to PR 217623 and commit to Ports to update sssd to 1.15.3 and make other ancillary changes as required?

Our configuration does not utilize NFS and we’d like to disable this feature though it’s understood others may need this feature. So, it is prudent for the Port to support disabling/enabling this feature via `make config`.

A few notes about the 1.15.3 patch for sssd:

* The patch was generated first by editing the Makefile and distinfo to download the 1.15.3 sources. Subsequent build attempts called out each of the patches that failed. Each one was evaluated individually and compared to the sssd 1.15.3 sources which they patched. Finally, using diff to compare an unedited 1.15.3 source file against an edited 1.15.3 source file produced a patch.
* It appeared that patch-configure.ac and patch-src__util__signal.c were not necessary to implement the changes made by them as it appeared the upstream sources already implemented them. However, applying the patch left a zero-byte file that Poudriere choked on and failed when attempting to apply. Removing the zero-byte files allowed the port to proceed to the configure phase.

[1] https://pagure.io/SSSD/sssd/issue/2494
[2] https://github.com/freebsd/freebsd-ports/compare/master...vrsnvmiller:master

The port passes the configure phase now after adding a number of configure args:

--without-nfsv4-idmapd-plugin
--without-secrets
--without-python3-bindings
--without-kcm

It fails during the build phase citing the following error message (the entire log is attached). I am not a developer and do not have the expertise necessary to troubleshoot the build failure. It's quite possible it may be a result of the patch submitted.

```
/bin/sh ./libtool --tag=CC --mode=compile cc -DHAVE_CONFIG_H -I. -Wall -I.. -I./src/sss_client -I./src -I. -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/dbus-1.0 -I/usr/local/lib/dbus-1.0/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX -DLIBDIR=\"/usr/local/lib\" -DVARDIR=\"/var\" -DSSS_STATEDIR=\"/var/lib/sss\" -DSYSCONFDIR=\"/usr/local/etc\" -DSHLIBEXT=\"\" -DSSSDDATADIR=\"/usr/local/share/sssd/sssd\" -DSSSD_LIBEXEC_PATH=\"/usr/local/libexec/sssd\" -DSSSD_CONF_DIR=\"/usr/local/etc/sssd\" -DSSS_NSS_MCACHE_DIR=\"/var/db/sss_mc\" -DSSS_NSS_SOCKET_NAME=\"/var/run/sss/nss\" -DSSS_PAM_SOCKET_NAME=\"/var/run/sss/pam\" -DSSS_PAC_SOCKET_NAME=\"/var/run/sss/pac\" -DSSS_PAM_PRIV_SOCKET_NAME=\"/var/run/sss/private/pam\" -DSSS_SEC_SOCKET_NAME=\"/var/run/secrets.socket\" -DSSS_SUDO_SOCKET_NAME=\"/var/run/sss/sudo\" -DSSS_AUTOFS_SOCKET_NAME=\"/var/run/sss/autofs\" -DSSS_SSH_SOCKET_NAME=\"/var/run/sss/ssh\" -DLOCALEDIR=\"/usr/local/share/locale\" -DBASE_FILE_STEM=\"sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin\" -DLIBICONV_PLUG -I/usr/local/include -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -I/usr/include -O2 -pipe -fstack-protector-all -DLIBICONV_PLUG -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -MT src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo -MD -MP -MF src/krb5_plugin/.deps/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.Tpo -c -o src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo `test -f 'src/krb5_plugin/sssd_krb5_locator_plugin.c' || echo './'`src/krb5_plugin/sssd_krb5_locator_plugin.c
libtool: compile: cc -DHAVE_CONFIG_H -I. -Wall -I.. -I./src/sss_client -I./src -I. -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/dbus-1.0 -I/usr/local/lib/dbus-1.0/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX -DLIBDIR=\"/usr/local/lib\" -DVARDIR=\"/var\" -DSSS_STATEDIR=\"/var/lib/sss\" -DSYSCONFDIR=\"/usr/local/etc\" -DSHLIBEXT=\"\" -DSSSDDATADIR=\"/usr/local/share/sssd/sssd\" -DSSSD_LIBEXEC_PATH=\"/usr/local/libexec/sssd\" -DSSSD_CONF_DIR=\"/usr/local/etc/sssd\" -DSSS_NSS_MCACHE_DIR=\"/var/db/sss_mc\" -DSSS_NSS_SOCKET_NAME=\"/var/run/sss/nss\" -DSSS_PAM_SOCKET_NAME=\"/var/run/sss/pam\" -DSSS_PAC_SOCKET_NAME=\"/var/run/sss/pac\" -DSSS_PAM_PRIV_SOCKET_NAME=\"/var/run/sss/private/pam\" -DSSS_SEC_SOCKET_NAME=\"/var/run/secrets.socket\" -DSSS_SUDO_SOCKET_NAME=\"/var/run/sss/sudo\" -DSSS_AUTOFS_SOCKET_NAME=\"/var/run/sss/autofs\" -DSSS_SSH_SOCKET_NAME=\"/var/run/sss/ssh\" -DLOCALEDIR=\"/usr/local/share/locale\" -DBASE_FILE_STEM=\"sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin\" -DLIBICONV_PLUG -I/usr/local/include -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -I/usr/include -O2 -pipe -fstack-protector-all -DLIBICONV_PLUG -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -MT src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo -MD -MP -MF src/krb5_plugin/.deps/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.Tpo -c src/krb5_plugin/sssd_krb5_locator_plugin.c -fPIC -DPIC -o src/krb5_plugin/.libs/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.o
In file included from src/krb5_plugin/sssd_krb5_locator_plugin.c:36:
In file included from ./src/util/sss_krb5.h:30:
/usr/local/include/krb5/krb5.h:112:5: warning: 'TARGET_OS_MAC' is not defined, evaluates to 0 [-Wundef]
#if TARGET_OS_MAC
    ^
/usr/local/include/krb5/krb5.h:8459:5: warning: 'TARGET_OS_MAC' is not defined, evaluates to 0 [-Wundef]
#if TARGET_OS_MAC
    ^
In file included from src/krb5_plugin/sssd_krb5_locator_plugin.c:36:
./src/util/sss_krb5.h:89:14: error: typedef redefinition with different types ('void (krb5_context, void *, krb5_timestamp, krb5_timestamp, krb5_boolean)' vs 'void (*)(krb5_context, void *, krb5_timestamp, krb5_timestamp, krb5_boolean)')
typedef void krb5_expire_callback_func(krb5_context context, void *data,
             ^
/usr/local/include/krb5/krb5.h:7185:17: note: previous definition is here
(KRB5_CALLCONV *krb5_expire_callback_func)(krb5_context context, void *data,
                ^
In file included from src/krb5_plugin/sssd_krb5_locator_plugin.c:36:
./src/util/sss_krb5.h:112:5: warning: 'HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS' is not defined, evaluates to 0 [-Wundef]
#if HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS
    ^
3 warnings and 1 error generated.
gmake[3]: *** [Makefile:19246: src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo] Error 1
gmake[3]: Leaving directory '/wrkdirs/usr/ports/security/sssd/work/sssd-1.15.3'
gmake[2]: *** [Makefile:31837: all-recursive] Error 1
gmake[2]: Leaving directory '/wrkdirs/usr/ports/security/sssd/work/sssd-1.15.3'
gmake[1]: *** [Makefile:9575: all] Error 2
gmake[1]: Leaving directory '/wrkdirs/usr/ports/security/sssd/work/sssd-1.15.3'
*** Error code 1

Stop.
make: stopped in /usr/ports/security/sssd
```

Created attachment 185284 [details]
Log file of build failure
Log file of sssd 1.15.3 build failure after adding configure args.
Created attachment 185285 [details]
[WIP] sssd 1.11.7 -> 1.15.3 patch
This new patch adds configure args:
--without-nfsv4-idmapd-plugin
--without-secrets
--without-python3-bindings
--without-kcm
It permits the Port build to proceed through the configure. Unfortunately, it fails during the build phase, but I lack the expertise to troubleshoot further.
Fixes for CVE-2017-12173 were merged in upstream to 1.13 branch which is a LTM version. BTW CVE-2017-12173 was not in 1.11.7. I assume new 1.13 upstream version will be released soon and I would prefer to keep sssd on LTM version due to fast development in latest version.

Can this be closed?

I would suggest upgrading SSSD to 1.13.4, the latest LTM release. There isn't a new LTM release yet, but there should be one soon (if I had to guess, 1.16.x branch will end up being LTM). At least getting to 1.13.4 would be beneficial. 1.11.7 is way too old and no longer receives updates or fixes. I tried to build it myself, but it looks like most of the patches may have to be redone (the first ones I ran into are Makefile.am and configure...)

Any update here?

This issue needs the following to progress, at a minimum:

- A completed (not WIP) patch against the latest ports tree, that is
- Well QA tested

Further, there are additional considerations:

- Outstanding security issues, requiring a version update, and vuxml entry

There is a tradeoff to be made here, either:

1) Report and address the security and version update separately, unless addressing the original issue reported here *requires* a version update. The separate issue should "Depend On" this issue being committed/resolved/merged first.

OR

2) Address all issues in this bug in a single patch.

bug #238465 addresses the scope of this PR (w/ exception to the version of SSSD to update to) and has seen recent progress. Suggest tracking it as it has a viable patch to commit.

There is not any sssd-1.15 branch in upstream. It "converged" into sssd-1.16 branch and here is a port to 1.16.4: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241347

I'd suggest to close this PR in favour of #241347

Suppressed by bug241347