Bug 238465 - security/sssd: Update to 1.13.4
Summary: security/sssd: Update to 1.13.4
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-ports-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
Reported: 2019-06-10 18:56 UTC by vrwmiller
Modified: 2019-09-12 12:27 UTC
CC: 6 users

See Also:
bugzilla: maintainer-feedback? (lukas.slebodnik)


Attachments:

 - [patch] update to 1.12.5 (23.34 KB, patch) - 2019-06-21 16:12 UTC, John Hein - no flags
 - [patch] update to 1.12.5 [v2] (23.35 KB, patch) - 2019-06-21 20:23 UTC, John Hein - no flags
 - [patch] update to 1.12.5 [v3] (23.78 KB, patch) - 2019-06-22 03:59 UTC, John Hein - no flags
 - [patch] update to 1.13.4 (35.96 KB, patch) - 2019-06-24 05:50 UTC, John Hein - jcfyecrayz: maintainer-approval? (lukas.slebodnik)

Description vrwmiller 2019-06-10 18:56:05 UTC
security/sssd is version 1.11.7_17 while the main project distributes 2.1. It needs updating. It also depends on Samba 4.6 and fails to build w/ a newer version presently. Samba 4.6 is deprecated and scheduled for removal in August 2019 according to its pkg-message:

Message from samba46-4.6.16_2:

===============================================================================
How to start: http://wiki.samba.org/index.php/Samba4/HOWTO

* Your configuration is: /usr/local/etc/smb4.conf
* All the relevant databases are under: /var/db/samba4
* All the logs are under: /var/log/samba4
* Provisioning script is: /usr/local/bin/samba-tool

For additional documentation check: http://wiki.samba.org/index.php/Samba4

Bug reports should go to the: https://bugzilla.samba.org/

===============================================================================
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

yes.

It is scheduled to be removed on or after 2019-08-19.
Comment 2 John Hein 2019-06-21 16:12:11 UTC
Created attachment 205266 [details]
[patch] update to 1.12.5

Here's a patch to update to 1.12.5.

This takes sssd from the old 1.11.7 up one major to the latest 1.12 release.  Next will be to update to 1.13.4 which is the latest in the long term maintenance (LTM) release series.  I think the LTM series (now 1.13.*) should be the target for the security/sssd port for now.

From the release info page:
https://docs.pagure.org/SSSD.sssd/users/releases.html

"Releases designated as LTM are long-term maintenance releases and will see bugfixes and security patches for a longer time than other releases."

There is also a so-called "stable" release series.  Search for "stable" on the home page:
https://pagure.io/SSSD/sssd

That might be a good candidate for a security/sssd-stable port.  Alternately, security/sssd could be the "stable" flavor and there could be a security/sssd-ltm or security/sssd13.

For now, let's go up to the LTM release at least.  Then we can decide where to go from there.

QA:

 - poudriere testport (11/amd64): ok
 - stage-qa & check-plist: ok
 - portlint (no new errors or warnings)

** To be helpful, please do some run testing.  Just quick testing is fine since I will submit an update to 1.13.4 here soon.


Change summary:

 - update 1.11.7 to 1.12.5
 - use non-legacy tdb/ldb/talloc/tevent ports
 - pet portlint: move USES
 - put all /var/db paths in /var/db/sss/ (new: /var/db/sss/gpo_cache; move db/sss_mc -> db/sss/mc)
 - use --without-nfsv4-idmapd-plugin (NFSv4 idmapd function is different in freebsd - see nfsuserd).  Future change can investigate integration with nfsuserd.  For now, avoid build issues if it tries to include support for idmapd.
 - update startup script with new /var dirs.  Add them to @dir cleanup list in pkg-plist.  Remove the ${RMDIR} for them from Makefile (not needed).
 - update some of the patches to fix build errors (need LTLIBINTL for some build products, remove more cases of non-portable "timezone" global, catch up existing patches due to upstream code motion, etc.)
 - pkg-plist refresh to reflect changes (mostly man pages & docs; a couple new .so modules and two new .pc files)
Comment 3 John Hein 2019-06-21 16:41:48 UTC
(In reply to John Hein from comment #2)
The build testing above was done with default options (DOCS on, SMB off).

I will also test with DOCS on, SMB on.  To make that work, it will probably be better to point to the same default deps for tevent/tdb/talloc/ldb as the default samba port (samba48), so there will probably be a patch update for that.
Comment 4 John Hein 2019-06-21 20:23:25 UTC
Created attachment 205271 [details]
[patch] update to 1.12.5 [v2]

(In reply to John Hein from comment #3)
Tested with DOCS on & SMB on.  Same QA results (all okay), but see [1].  Please do run testing.

Updated patch to use the same default talloc/tdb/tevent/ldb ports as default samba port (samba48).

[1] Note: For now (until bug 230705 is resolved), this ONLY works if you build samba without bundled ldb.  You can do this as described in comment 8 of bug 230705.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230705#c8.
Comment 5 John Hein 2019-06-22 03:59:20 UTC
Created attachment 205276 [details]
[patch] update to 1.12.5 [v3]

v2 of the 1.12.5 update patch was the wrong version (missed some plist entries for SMB on).
Comment 6 John Hein 2019-06-24 05:50:01 UTC
Created attachment 205304 [details]
[patch] update to 1.13.4

Here's the update to 1.13.4 - on the current long term maintenance series of sssd.  I didn't obsolete the 1.12.5 patch since that can still be applied for testing if you want to incrementally update from 1.11.7.  But I think it's reasonable to commit the change from 1.11.7 to 1.13.4 and skip over 1.12.5.  See previous comments regarding other versions (2.x).

If you are an sssd user, please do run-time testing with this patch.

Changes from the 1.12.5 patch include:

- Set an option for python2 or python3.  If both are installed and
  detected, it would require a more complicated plist.  Instead add a
  radio option for either python2 or python3 (or neither), which defaults
  to python3 (matching the current ports default).

- Disable PAC responder if SMB is off.  It is part of Microsoft Active
  Directory [1] and needs samba.  If you happen to have samba installed,
  but the SMB option off, sssd's configure will detect samba and try to
  build the PAC responder which will trigger stage-qa warnings.

- Handle build errors for pysss.c (when building with python support [2]):

    In file included from src/python/pysss.c:27:
    In file included from ./src/util/util.h:51:
    ./src/util/util_errors.h:130:26: error: unknown type name 'errno_t'


- plist updates.


[1]
For more info on PAC (Privilege Attribute Certificate):

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962

https://jhrozek.wordpress.com/category/sssd/


[2] patch from bug filed upstream - https://pagure.io/SSSD/sssd/issue/4027
As with the 1.12.5 patch, if you want to build with SMB on, this still needs samba to be built without the bundled ldb, as in:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230705#c8
Comment 7 John Hein 2019-06-24 06:33:46 UTC
(In reply to John Hein from comment #6)
QA for 1.13.4 patch:

 ... with various opt combinations: DOCS=on, SMB=on & off, PYTHON2=on, PYTHON3=on, PYTHON2/3=off

 - poudriere testport (11/amd64): ok
 - stage-qa & check-plist: ok
 - portlint (no new errors or warnings)
Comment 8 vrwmiller 2019-06-26 16:27:01 UTC
(In reply to John Hein from comment #6)

Thanks for this patch! Poudriere bulk builds security/sssd with this patch applied, SMB=on, and SAMBA4_BUNDLED_LDB=no via FreeBSD 11.2-RELEASE-p10. The package was tested by configuring the new repo on an SSSD-enabled system, removing packages that will conflict (samba46, tevent, talloc, tdb, ldb), and pkg upgrade -fy followed by a reboot.

The system permitted console and ssh login authenticated through updated SSSD. sudo also functioned as expected w/ SSSD enabled.
Comment 9 John Hein 2019-07-08 12:35:55 UTC
After samba48 was recently updated (to 4.8.12_3) in the past week or so, the workaround to build samba48 with SAMBA4_BUNDLED_LDB=no no longer works.

See bug 230705, comment 14 and bug 230705, comment 17 (and bug 230705, comment 8).

To support building sssd with SMB=on now, you need to revert samba48 back to 4.8.12_1 or we need to find a new fix to allow samba to coexist with an unbundled ldb.
Comment 10 Joris Dedieu 2019-07-17 09:04:42 UTC
Currently the build with SMB=on is broken even with this patch.

pkg-static: samba48-4.8.12_3 conflicts with tdb1-1.3.16,1 (installs files into the same place).  Problematic file: /usr/local/lib/python2.7/site-packages/tdb.so
Comment 11 John Hein 2019-07-19 12:48:36 UTC
(In reply to Joris Dedieu from comment #10)
Yep, samba48 broke this with ports r505764 and ports r505798 which were trying to reduce problems with conflicts.  But they make the ldb conflict harder to work around.  See bug 230705, comment 18 (which hints at a needed fix, but that might not be enough).
Comment 12 Karli Sjöberg 2019-07-30 12:43:26 UTC
(In reply to Joris Dedieu from comment #10)

Mostly just a +1 here, wanting to upgrade samba from 4.6 since it's about to croak any day now. Please let me know if there's anything you want help testing or something, I'm all for it!

Best Regards

/K
Comment 13 Karli Sjöberg 2019-09-12 12:27:30 UTC
Hey again!

No responses on testing anything yet but I can at least say that I'm doing alright now with samba410 after applying the patch to sssd from 239022. My FreeBSD systems, both virtual and physical, including two AD DCs, are happy again.

/K