Bug 244778

Summary: security/sssd: fails to package
Product: Ports & Packages Reporter: Tommy P <tommyhp2>
Component: Individual Port(s)Assignee: Fernando Apesteguía <fernape>
Status: Closed FIXED    
Severity: Affects Only Me CC: fernape, joerg, lukas.slebodnik
Priority: --- Flags: bugzilla: maintainer-feedback? (lukas.slebodnik)
fernape: merge-quarterly+
Version: Latest   
Hardware: Any   
OS: Any   
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241347
Attachments:
Description Flags
patch for pkg-plist
none
additional improvements on top of submitter's patch
fernape: maintainer-approval?
Build log showing sssd_pac is being built.
none
Patch to the ports tree fernape: maintainer-approval? (lukas.slebodnik)

Description Tommy P 2020-03-12 21:43:49 UTC
install  -m 0644 /wrkdirs/usr/ports/security/sssd/work/sssd-1.11.7/src/examples/sssd-example.conf  /wrkdirs/usr/ports/security/sssd/work/stage/usr/local/etc/sssd/sssd.conf.sample
/bin/ln -sf nss_sss.so /wrkdirs/usr/ports/security/sssd/work/stage/usr/local/lib/nss_sss.so.1
====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
-----------------------------------------------------------------------
...security/sssd # make showconfig
===> The following configuration options are available for sssd-1.11.7_19:
     DOCS=off: Build and/or install documentation
     SMB=on: Install IPA and AD providers (requires Samba4)
===> Use 'make config' to modify these settings
-----------------------------------------------------------------------
...security/sssd # make package
===>  Building package for sssd-1.11.7_19
pkg-static: Unable to access file /wrkdirs/usr/ports/security/sssd/work/stageusr/local/lib/krb5/plugins/authdata/sssd_pac_plugin.so:No such file or directory
pkg-static: Unable to access file /wrkdirs/usr/ports/security/sssd/work/stageusr/local/libexec/sssd/sssd_pac:No such file or directory
pkg-static: Warning: @unexec is deprecated, please use @[pre|post]unexec
*** Error code 1

Stop.
make: stopped in /usr/ports/security/sssd
Comment 1 Tommy P 2020-03-12 21:44:22 UTC
Created attachment 212367 [details]
patch for pkg-plist
Comment 2 Fernando Apesteguía freebsd_committer 2020-03-16 17:39:35 UTC
Created attachment 212446 [details]
additional improvements on top of submitter's patch

I added some improvements:

* Regenerate patches with make makepatch
* Reorder some variables in Makefile
* use @postexec instead of @unexec
Comment 3 Fernando Apesteguía freebsd_committer 2020-03-16 17:40:46 UTC
(In reply to Tommy P from comment #1)

Thanks for bringing this to our attention! I attached a new patch with a few more changes. My intention is to commit them in a couple of days if the maintainer doesn't show up first.

Cheers.
Comment 4 Fernando Apesteguía freebsd_committer 2020-03-19 11:31:31 UTC
There's a PR opened to update the port. I think we should go with that and close this one.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241347
Comment 5 commit-hook freebsd_committer 2020-03-29 18:17:19 UTC
A commit references this bug:

Author: fernape
Date: Sun Mar 29 18:16:35 UTC 2020
New revision: 529824
URL: https://svnweb.freebsd.org/changeset/ports/529824

Log:
  security/sssd: fix package with SMB=on

  When the option SMB is ON, the port fails to package.

  While here:

   * Reorder Makefile variables
   * Change obsolete @unexec to @postexec
   * Rework patches to comply with makepatch format

  PR:	244778
  Submitted by:	tommyhp2@gmail.com
  Approved by:	lukas.slebodnik@intrak.sk (maintainer, timeout)

Changes:
  head/security/sssd/Makefile
  head/security/sssd/files/patch-Makefile.am
  head/security/sssd/files/patch-configure.ac
  head/security/sssd/files/patch-src__confdb__confdb.c
  head/security/sssd/files/patch-src__external__inotify.m4
  head/security/sssd/files/patch-src__external__krb5.m4
  head/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c
  head/security/sssd/files/patch-src__providers__ldap__ldap_auth.c
  head/security/sssd/files/patch-src__providers__ldap__sdap_access.c
  head/security/sssd/files/patch-src__sss_client__common.c
  head/security/sssd/files/patch-src__sss_client__nss_group.c
  head/security/sssd/files/patch-src__sss_client__sss_nss.exports
  head/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c
  head/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c
  head/security/sssd/files/patch-src__util__find_uid.c
  head/security/sssd/files/patch-src__util__server.c
  head/security/sssd/files/patch-src__util__signal.c
  head/security/sssd/files/patch-src__util__sss_ldap.c
  head/security/sssd/files/patch-src__util__util.h
  head/security/sssd/pkg-plist
Comment 6 Fernando Apesteguía freebsd_committer 2020-03-29 18:21:39 UTC
Committed,

Thanks!

bug #241347 doesn't seem to take off.
Comment 7 Joerg Wunsch freebsd_committer 2020-07-14 21:43:41 UTC
Sorry, r529824 breaks environments that require sssd_pac, by unconditionally removing it from pkg-plist. It is then built during the compilation but not installed. Trying to start sssd in such an environment leads to:

(Tue Jul 14 22:38:57 2020) [sssd] [service_startup_handler] (0x0010): Could not exec /usr/local/libexec/sssd/sssd_pac -d 0x00f0 --debug-to-files, reason: No such file or directory

I don't pretend to understand all the relationships between the individual parts of sssd, but simply dropping sssd_pac is obviously not a usable solution either. In my case (client attached to a RedHat IPA server), I had to roll back the port to r528058 in order to get a working sssd again. My guess is that sssd_pac depends on both, krb5 as well as SMB, so pkg-plist might have to take that into account.

Reopening the PR since the current state is clearly "broken".
Comment 8 Fernando Apesteguía freebsd_committer 2020-07-28 17:08:41 UTC
(In reply to Joerg Wunsch from comment #7)

Hi Joerg,

Do you have some solution to this?
Comment 9 Joerg Wunsch freebsd_committer 2020-07-28 19:26:28 UTC
(In reply to Fernando Apesteguía from comment #8)
Sorry, I don't. I could only share my observation that the patch breaks it.

I think the really best fix would be to proceed getting PR 241347 resolved, as this also finally resolves the "depends on Python 2.7" issue.
Comment 10 Fernando Apesteguía freebsd_committer 2020-07-30 06:34:15 UTC
(In reply to Joerg Wunsch from comment #7)

I checked and sssd_pac is not built for me, not even if configured with SMB. How do you see it is built but not installed?

Thanks.
Comment 11 Joerg Wunsch freebsd_committer 2020-07-30 06:53:07 UTC
All I can say is it simply failed to work for me, due to the missing sssd_pac component.

(Tue Jul 14 22:37:19:921420 2020) [sssd] [server_setup] (0x0040): Becoming a daemon.
(Tue Jul 14 22:37:19 2020) [sssd] [service_startup_handler] (0x0010): Could not exec /usr/local/libexec/sssd/sssd_pac -d 0x0
0f0 --debug-to-files, reason: No such file or directory

It took me quite a while to realize that sssd_pac was actually built but not installed, due to the previous commit. So I reverted the port to the second-to-last version, and everything went fine.

I'm going to attach my build log for reference.
Comment 12 Joerg Wunsch freebsd_committer 2020-07-30 07:00:40 UTC
Created attachment 216875 [details]
Build log showing sssd_pac is being built.
Comment 13 Fernando Apesteguía freebsd_committer 2020-07-30 16:45:18 UTC
(In reply to Joerg Wunsch from comment #12)
Thanks for the log. Just to sum up:

* The port was broken before ports r529824. It failed to build with SMB=on because it did not install neither sssd_pac nor sssd_pac_plugin.so

* I can't make it build those files regardless of the value of the SMB option

* In the attached log, sssd_pac is not only built but installed in the staging area:

libtool: install: /bin/sh /usr/ports/security/sssd/work/sssd-1.11.7/build/install-sh -c -s .libs/sssd_pac /usr/ports/security/sssd/work/stage/usr/local/libexec/sssd/sssd_pac

It should be failing.

It doesn't seem you are building this in poudriere, are you? If so, could you build with DEVELOPER=yes in /etc/make.conf to pass extra checks?

I think there is an extra dependency that is needed to build sssd_pac that is in your host but not recorded in the ports Makefile so the configure script does not build that executable. I just can't find out what that is (the port already depends and installs security/krb5).
Comment 14 Fernando Apesteguía freebsd_committer 2020-07-30 17:56:17 UTC
Created attachment 216885 [details]
Patch to the ports tree

I got it.

security/sssd/files contains a patch in which the acceptable versions of kerberus are listed. In ports r526479 the default version for security/krb5 was bumped to 1.18 but the patch in security/sssd was not update. So it never met the conditions to build sssd_pac.

I think in your case it builds and packs because you have installed security/krb5 < 1.18.

I tested in poudriere:

SMB=on
 * Builds OK and sssd_pac files are generated:
  root@12_1amd64-default:~ # pkg info -l sssd | grep sssd_pac
        /usr/local/lib/krb5/plugins/authdata/sssd_pac_plugin.so
        /usr/local/libexec/sssd/sssd_pac
SMB=off
 * PAC files are not generated as expected.
Comment 15 Fernando Apesteguía freebsd_committer 2020-07-30 17:58:28 UTC
Hi Joerg,

Would you try the new patch?

Thanks in advance.
Comment 16 Joerg Wunsch freebsd_committer 2020-07-30 20:14:20 UTC
As you have guessed, yes, this did not happen in a Poudriere here, but on a live system. I had to rebuild sssd after a security update on some other port – but krb5 was not updated (no security issues).

I'll give your new patch a try.
Comment 17 Joerg Wunsch freebsd_committer 2020-07-30 21:40:14 UTC
Thanks, I can confirm this also works for krb5-1.17.1 (which is installed here).

Since you tested it in Poudriere with krb5-1.18, I think all is fine now.
Comment 18 commit-hook freebsd_committer 2020-08-03 16:32:32 UTC
A commit references this bug:

Author: fernape
Date: Mon Aug  3 16:31:34 UTC 2020
New revision: 544081
URL: https://svnweb.freebsd.org/changeset/ports/544081

Log:
  security/sssd: Fix pkg-plist to include PAC files

  In PR 244778 this port was reported to fail during package. sssd_pac and others
  were not generated by the build process. They were removed from the pkg-plist
  and the issue closed (maintainer timed out).

  Recently joerg@ reported sssd_pac should be included. It turns out,
  files/patch-src_external_pac__responder.m4 needs to be updated whenever a
  version bump of security/krb5 occurs[1]. This is kind of obscure since building
  security/sssd with default options does not reproduce the problem (SMB=on is
  needed).

  [1] https://svnweb.freebsd.org/changeset/ports/526479

  PR:	244778
  Reported by:	joerg@
  Approved by:	maintainer (timeout)
  MFH:	2020Q3 (plist fix)

Changes:
  head/security/sssd/Makefile
  head/security/sssd/files/patch-src_external_pac__responder.m4
  head/security/sssd/pkg-plist
Comment 19 commit-hook freebsd_committer 2020-08-03 18:09:55 UTC
A commit references this bug:

Author: fernape
Date: Mon Aug  3 18:09:21 UTC 2020
New revision: 544095
URL: https://svnweb.freebsd.org/changeset/ports/544095

Log:
  MFH: r544081

  security/sssd: Fix pkg-plist to include PAC files

  In PR 244778 this port was reported to fail during package. sssd_pac and others
  were not generated by the build process. They were removed from the pkg-plist
  and the issue closed (maintainer timed out).

  Recently joerg@ reported sssd_pac should be included. It turns out,
  files/patch-src_external_pac__responder.m4 needs to be updated whenever a
  version bump of security/krb5 occurs[1]. This is kind of obscure since building
  security/sssd with default options does not reproduce the problem (SMB=on is
  needed).

  [1] https://svnweb.freebsd.org/changeset/ports/526479

  PR:	244778
  Reported by:	joerg@
  Approved by:	maintainer (timeout)

  Approved by:	ports-secteam@ (blanket, plist fix)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/security/sssd/Makefile
  branches/2020Q3/security/sssd/files/patch-src_external_pac__responder.m4
  branches/2020Q3/security/sssd/pkg-plist
Comment 20 Fernando Apesteguía freebsd_committer 2020-08-03 18:11:19 UTC
Committed

Thanks to all!
Comment 21 commit-hook freebsd_committer 2020-08-04 15:48:49 UTC
A commit references this bug:

Author: fernape
Date: Tue Aug  4 15:47:50 UTC 2020
New revision: 544175
URL: https://svnweb.freebsd.org/changeset/ports/544175

Log:
  security/sssd: Add comment in case of package fail

  Add a comment to give a clue in case of failure during the package phase.

  PR:	244778

Changes:
  head/security/sssd/Makefile