Bug 238465 - security/sssd: Update to 1.13.4
Summary: security/sssd: Update to 1.13.4
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Steve Wills
URL:
Keywords: needs-patch, needs-qa
Depends on:
Blocks: 240708
  Show dependency treegraph
 
Reported: 2019-06-10 18:56 UTC by Rick
Modified: 2019-11-02 20:51 UTC (History)
11 users (show)

See Also:
lukas.slebodnik: maintainer-feedback-


Attachments
[patch] update to 1.12.5 (23.34 KB, patch)
2019-06-21 16:12 UTC, John Hein
no flags Details | Diff
[patch] update to 1.12.5 [v2] (23.35 KB, patch)
2019-06-21 20:23 UTC, John Hein
no flags Details | Diff
[patch] update to 1.12.5 [v3] (23.78 KB, patch)
2019-06-22 03:59 UTC, John Hein
no flags Details | Diff
[patch] update to 1.13.4 (35.96 KB, patch)
2019-06-24 05:50 UTC, John Hein
no flags Details | Diff
update to 1.13.4 with backported N_ELEMENTS (36.48 KB, patch)
2019-10-02 15:55 UTC, Steve Wills
no flags Details | Diff
Further updated patch (36.52 KB, patch)
2019-10-02 17:33 UTC, Steve Wills
no flags Details | Diff
patch to 1.13.4 (37.19 KB, patch)
2019-10-17 05:03 UTC, Rick
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Rick 2019-06-10 18:56:05 UTC
security/sssd is version 1.11.7_17 while the main project distributes 2.1. It needs updating. It also depends on Samba 4.6 and fails to build w/ a newer version presently. Samba 4.6 is deprecated and scheduled for removal in August 2019 according to it's pkg-message:

Message from samba46-4.6.16_2:

===============================================================================
How to start: http://wiki.samba.org/index.php/Samba4/HOWTO

* Your configuration is: /usr/local/etc/smb4.conf
* All the relevant databases are under: /var/db/samba4
* All the logs are under: /var/log/samba4
* Provisioning script is: /usr/local/bin/samba-tool

For additional documentation check: http://wiki.samba.org/index.php/Samba4

Bug reports should go to the: https://bugzilla.samba.org/

===============================================================================
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

yes.

It is scheduled to be removed on or after 2019-08-19.
Comment 2 John Hein 2019-06-21 16:12:11 UTC
Created attachment 205266 [details]
[patch] update to 1.12.5

Here' a patch to update to 1.12.5

This takes sssd from the old 1.11.7 up one major to the latest 1.12 release.  Next will be to update to 1.13.4 which is the latest in the long term maintenance (LTM) release series.  I think the LTM series (now 1.13.*) should be the target for the security/sssd port for now.

From the release info page:
https://docs.pagure.org/SSSD.sssd/users/releases.html

"Releases designated as LTM are long-term maintenance releases and will see bugfixes and security patches for a longer time than other releases."

There is also a so-called "stable" release series.  Search for "stable" on the home page:
https://pagure.io/SSSD/sssd

That might be a good candidate for a security/sssd-stable port.  Alternately, security/sssd could be the "stable" flavor and there could be a security/sssd-ltm or security/sssd13.

For now, let's good up to the LTM release at least.  Then we can decide where to go from there.

QA:

 - poudriere testport (11/amd64): ok
 - stage-qa & check-plist: ok
 - portlint (no new errors or warnings)

** To be helpful, please do some run testing.  Just quick testing is fine since I will submit an update to 1.13.4 here soon.


Change summary:

 - update 1.11.7 to 1.12.5
 - use non-legacy tdb/ldb/talloc/tevent ports
 - pet portlint: move USES
 - put all /var/db paths in /var/db/sss/ (new: /var/db/sss/gpo_cache; move db/sss_mc -> db/sss/mc)
 - use --without-nfsv4-idmapd-plugin (NFSv4 idmapd function is different in freebsd - see nfsuserd).  Future change can investigate integration with nfsuserd.  For now, avoid build issues if it tries to include support for idmapd.
 - update startup script with new /var dirs.  Add them to @dir cleanup list in pkg-plist.  Remove the ${RMDIR} for them from Makefile (not needed).
 - update some of the patches to fix build errors (need LTLIBINTL for some build products, remove more cases of non-portable "timezone" global, catch up existing patches due to upstream code motion, etc.)
 - pkg-plist refresh to reflect changes (mostly man pages & docs; a couple new .so modules and two new .pc files)
Comment 3 John Hein 2019-06-21 16:41:48 UTC
(In reply to John Hein from comment #2)
The build testing above was done with default options (DOCS on, SMB off).

I will also test with DOCS on, SMB on.  To make that work, it will probably be better to point to the same default deps for tevent/tdb/talloc/ldb as the default samba port (samba48), so there will probably be a patch update for that.
Comment 4 John Hein 2019-06-21 20:23:25 UTC
Created attachment 205271 [details]
[patch] update to 1.12.5 [v2]

(In reply to John Hein from comment #3)
Tested with DOCS on & SMB on.  Same QA results (all okay), but see [1].  Please do run testing.

Updated patch to use the same default talloc/tdb/tevent/ldb ports as default samba port (samba48).

[1] Note: For now (until bug 230705 is resolved), this ONLY works if you build samba without bundled ldb.  You can do this as described in comment 8 of bug 230705.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230705#c8.
Comment 5 John Hein 2019-06-22 03:59:20 UTC
Created attachment 205276 [details]
[patch] update to 1.12.5 [v3]

v2 of the 1.12.5 update patch was the wrong version (missed some plist entries for SMB on).
Comment 6 John Hein 2019-06-24 05:50:01 UTC
Created attachment 205304 [details]
[patch] update to 1.13.4

Here's the update to 1.13.4 - on the current long term maintenance series of sssd.  I didn't obsolete the 1.12.5 patch since that can still be applied for testing if you want to incrementally update from 1.11.7.  But I think it's reasonable to commit the change from 1.11.7 to 1.13.4 and skip over 1.12.5.  See previous comments regarding other versions (2.x).

If you are an sssd user, please do run-time testing with this patch.

Changes from the 1.12.5 patch include:

- Set an option for python2 or python3.  If both are installed and
  detected, it would require a more complicated plist.  Instead add a
  radio option for either python2 or python3 (or neither), which defaults
  to python3 (matching the current ports default).

- Disable PAC responder if SMB is off.  It is part if Microsoft Active
  Directory [1] and needs samba.  If you happen to have samba installed,
  but the SMB option off, sssd's configure will detect samba and try to
  build the PAC responder which will trigger stage-qa warnings.

- Handle build errors for pysss.c (when building with python support [2]):

    In file included from src/python/pysss.c:27:
    In file included from ./src/util/util.h:51:
    ./src/util/util_errors.h:130:26: error: unknown type name 'errno_t'


- plist updates.


[1]
For more info on PAC (Privilege Attribute Certificate):

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962

https://jhrozek.wordpress.com/category/sssd/


[2] patch from bug filed upstream - https://pagure.io/SSSD/sssd/issue/4027




As with the 1.12.5 patch, if you want to build with SMB on, this still needs samba to be built without the bundled ldb, as in:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230705#c8
Comment 7 John Hein 2019-06-24 06:33:46 UTC
(In reply to John Hein from comment #6)
QA for 1.13.4 patch:

 ... with various opt combinations: DOCS=on, SMB=on & off, PYTHON2=on, PYTHON3=on, PYTHON2/3=off

 - poudriere testport (11/amd64): ok
 - stage-qa & check-plist: ok
 - portlint (no new errors or warnings)
Comment 8 Rick 2019-06-26 16:27:01 UTC
(In reply to John Hein from comment #6)

Thanks for this patch! Poudriere bulk builds security/sssd with this patch applied, SMB=on, and SAMBA4_BUNDLED_LDB=no via FreeBSD 11.2-RELEASE-p10. The package was tested by configuring the new repo on a SSSD-enabled system, removing packages that will conflict (samba46, tevent, talloc, tdb, ldb), and pkg upgrade -fy followed by a reboot.

The system permitted console and ssh login authenticated through updated SSSD. sudo also functioned as expected w/ SSSD enabled.
Comment 9 John Hein 2019-07-08 12:35:55 UTC
After samba48 was recently updated (to 4.8.12_3) in the past week or so, the workaround to build samba48 with SAMBA4_BUNDLED_LDB=no no longer works.

See bug 230705, comment 14 and bug 230705, comment 17 (and bug 230705, comment 8).

To support building sssd with SMB=on now, you need to revert samba48 to back 4.8.12_1 or we need to find a new fix to allow samba to coexist with an unbundled ldb.
Comment 10 Joris Dedieu 2019-07-17 09:04:42 UTC
Currently build with SMB=on is broken even with this patch. 

pkg-static: samba48-4.8.12_3 conflicts with tdb1-1.3.16,1 (installs files into the same place).  Problematic file: /usr/local/lib/python2.7/site-packages/tdb.so
Comment 11 John Hein 2019-07-19 12:48:36 UTC
(In reply to Joris Dedieu from comment #10)
Yep, samba48 broke this with ports r505764 and ports r505798 which were trying to reduce problems with conflicts.  But they make the ldb conflict harder to work around.  See bug 230705, comment 18 (which hints at a needed fix, but that might not be enough).
Comment 12 Karli Sjöberg 2019-07-30 12:43:26 UTC
(In reply to Joris Dedieu from comment #10)

Mostly just a +1 here, wanting to upgrade samba from 4.6 since it's about to croak any day now. Please let me know if there's anything you want help testing or something, I'm all for it!

Best Regards

/K
Comment 13 Karli Sjöberg 2019-09-12 12:27:30 UTC
Hey again!

No responses on testing anything yet but I can at least say that I'm doing alright now with samba410 after applying patch to sssd from 239022. My FreeBSD systems, both virtual and physical, including two AD DC are happy again.

/K
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2019-09-21 02:47:50 UTC
Patch needs updating (see comment 11).

@John Re Python 2/3 support, port options for choosing this is not the standard/accepted method for Python version selection. 

Did you try to set/use USES=python (declaring that is supports "any" (2/3)version), and test with make.conf overrides: DEFAULT_VERSIONS=python=2.7|3.5 ?
Comment 15 Richard Frewin 2019-09-22 08:01:40 UTC
Just a +1 here.  I am successfully running sssd 1.13.4 and samba410 in a small production environment.
sssd 1.13.4 based on modified patch above with files/patch-src__monitor.c fix and using ldb15.
samba410 was compiled with the following in make.conf:

.if ${.CURDIR:M*/net/samba410}
SAMBA4_BUNDLED_LDB=  no
.endif

Only using LDAP, but no known problems so far.
Comment 16 Rick 2019-09-30 13:13:49 UTC
(In reply to Richard Frewin from comment #15)

Comment #15 guided me to identify security/sssd builds [ from HEAD ] and functions as desired w/ Samba support given the configuration below, which upgrades Samba from 4.[678] to 4.10.

This mitigates SSSD build failures w/ SMB=on, but fails to update the port to a more recent version. The attached patch should be ported to ports -HEAD.

Updates to make.conf:

DEFAULT_VERSIONS=samba=4.10

.if ${.CURDIR:M*/security/sssd}
OPTIONS_FILE_SET+=SMB
.endif

.if ${.CURDIR:M*/net/samba410}
OPTIONS_FILE_UNSET+=AD_DC
SAMBA4_BUNDLED_LDB=no
SAMBA4_BUNDLED_TALLOC=no
SAMBA4_BUNDLED_TEVENT=no
SAMBA4_BUNDLED_TDB=no
.endif

Updates to security/sssd/Makefile:

diff --git a/security/sssd/Makefile b/security/sssd/Makefile
index dddb1f6c2..265d9b818 100644
--- a/security/sssd/Makefile
+++ b/security/sssd/Makefile
@@ -17,7 +17,7 @@ LIB_DEPENDS=  libpopt.so:devel/popt \
                libtalloc.so:devel/talloc \
                libtevent.so:devel/tevent \
                libtdb.so:databases/tdb \
-               libldb.so:databases/ldb14 \
+               libldb.so:databases/ldb15 \
                libcares.so:dns/c-ares \
                libdbus-1.so:devel/dbus \
                libdhash.so:devel/ding-libs \


Updates to security/sssd/files/patch-src__monitor__monitor.c:

--- src/monitor/monitor.c.org	2019-07-14 23:45:13.760141000 +0200
+++ src/monitor/monitor.c	2019-07-14 23:58:50.715935000 +0200
@@ -2832,6 +2832,20 @@
     ret = server_setup(MONITOR_NAME, flags, monitor->conf_path, &main_ctx);
     if (ret != EOK) return 2;
 
+    /* Use confd initialized in server_setup. ldb_tdb module (1.4.0) check PID            
+   * of process which initialized db for locking purposes.            
+   * Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147:            
+   *    Reusing ldb opened by pid 28889 in process 28893            
+   */            
+   talloc_zfree(monitor->cdb);            
+   monitor->cdb = main_ctx->confdb_ctx;            
+
+   ret = confdb_get_domains(monitor->cdb, &monitor->domains);            
+   if (ret != EOK) {            
+	DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n");            
+	return 4;            
+   }            
+
     monitor->is_daemon = !opt_interactive;
     monitor->parent_pid = main_ctx->parent_pid;
     monitor->ev = main_ctx->event_ctx;
Comment 17 Steve Wills freebsd_committer 2019-10-02 15:55:54 UTC
Created attachment 208037 [details]
update to 1.13.4 with backported N_ELEMENTS

You can fix the N_ELEMENTS error by cherry picking upstream commits e32920a9c7 and e1ff063ffa. I've done that in the attached patch and it builds OK for me with Samba 4.10 with SAMBA4_BUNDLED_LDB=no. It does not build with Samba 4.8. I will try to fix that.
Comment 18 Steve Wills freebsd_committer 2019-10-02 17:33:50 UTC
Created attachment 208044 [details]
Further updated patch

Not sure if this is sufficient, but this changes sssd to rely on samba 4.10 directly, rather than vary which samba is used based on the default version in Mk/bsd.default-versions.mk. This still relies on setting SAMBA4_BUNDLED_LDB to no when the SMB option is on in sssd. It also means that you can't use the current default samba, samba 4.8, at the same time as sssd. Again, not sure if this is OK, but wanted to propose it.
Comment 19 Rick 2019-10-04 20:16:56 UTC
Thanks for the patch. It also requires the patch in bug #239022 to start sssd in daemon mode. I tested both patches, which apply cleanly, and sssd 1.13.4 w/ SMB=on builds with ldb15 and samba410 and functions as desired.

Samba is installed here as a consequence of sssd. As long as it builds and functions as desired, Samba version is negligible.
Comment 20 Timur I. Bakeyev freebsd_committer 2019-10-04 22:12:15 UTC
Samba 4.8 was EOLed on 2019-09-17, so you don't need to worry about it.

From other side, Samba 4.11 will depend, guess what, on ldb 1.6, which will flip the board again.

I'd rather stick the port to the original ldb package and let Samba and SSSD to coexist independently. That's the main reason, why ldb is now a bundled lib in Samba.
Comment 21 Steve Wills freebsd_committer 2019-10-05 01:24:31 UTC
(In reply to Timur I. Bakeyev from comment #20)
> I'd rather stick the port to the original ldb package and let Samba and SSSD to coexist independently. That's the main reason, why ldb is now a bundled lib in Samba.

Sorry, can you explain? I don't understand that this means. Why do you prefer bundling ldb?
Comment 22 Rick 2019-10-05 05:44:02 UTC
(In reply to Timur I. Bakeyev from comment #20)

If I understand correctly, you suggest SAMBA4_BUNDLED_LDB=yes and DEFAULT_VERSIONS=samba=4.10 maintaining sssd's ldb14 dependency.

I tried to build samba410 and sssd with this patch applied minus the ldb15 dependency instead using the original ldb14. The monitor.c patch was also applied. samba410 fails in package phase citing the error below. sssd is subsequently skipped.

===========================================================================
=======================<phase: package        >============================
===>  Building package for samba410-4.10.8
pkg-static: Unable to access file /wrkdirs/usr/ports/net/samba410/work/stage/usr/local/lib/samba4/private/libtalloc.so.2:No such file or directory
pkg-static: Unable to access file /wrkdirs/usr/ports/net/samba410/work/stage/usr/local/man/man3/talloc.3.gz:No such file or directory
pkg-static: Unable to access file /wrkdirs/usr/ports/net/samba410/work/stage/usr/local/lib/samba4/private/libtdb.so.1:No such file or directory
pkg-static: Unable to access file /wrkdirs/usr/ports/net/samba410/work/stage/usr/local/lib/samba4/private/libtevent.so.0:No such file or directory
*** Error code 1

Stop.
make: stopped in /usr/ports/net/samba410
=>> Cleaning up wrkdir


With this make.conf:

DEFAULT_VERSION=samba=4.10

.if ${.CURDIR:M*/security/sssd}
OPTIONS_FILE_SET+=SMB
.endif

.if ${.CURDIR:M*/net/samba4*}
OPTIONS_FILE_UNSET+=AD_DC
SAMBA4_BUNDLED_LDB=yes
SAMBA4_BUNDLED_TALLOC=yes
SAMBA4_BUNDLED_TEVENT=yes
SAMBA4_BUNDLED_TDB=yes
.endif
Comment 23 Rick 2019-10-14 21:57:45 UTC
security/sssd in its current form w/ SMB=on builds only with Samba 4.10 with SAMBA4_BUNDLED_LDB=yes. net/samba410 must be explicitly built prior to security/sssd as opposed to allowing LIB_DEPENDS to pull it in (via Poudriere bulk). Config below. This is a reasonable config for me which updates Samba from 4.[678] to 4.10. Now if sssd can get to a LTS version or better... :)

The idea behind bundling ldb w/ Samba is -- since a) it's tightly coupled and b) it installs in a private lib dir -- sssd comes along and installs its own non-conflicting system ldb dependency, whatever version it may be (in this case ldb14).

Might it be appropriate to propose security/sssd's ldb dependency default to the version depended upon by current default Samba into the future?


This config produced the build:

bulk_build.in:

...
net/samba410
security/sssd
...


make.conf:

DEFAULT_VERSION=samba=4.10

.if ${.CURDIR:M*/net/samba4*}
OPTIONS_FILE_UNSET+=AD_DC
SAMBA4_BUNDLED_LDB=yes
.endif

.if ${.CURDIR:M*/security/sssd}
OPTIONS_FILE_SET+=SMB
.endif
Comment 24 Rick 2019-10-17 05:03:31 UTC
Created attachment 208374 [details]
patch to 1.13.4
Comment 25 Rick 2019-10-17 05:20:57 UTC
This new patch reverts the LIB_DEPENDS ldb and Samba 4.10 changes in swills' patch and leaves the remainder in tact, which patches sssd to 1.13.4. Coupling this patch with the config described in comment #23 as well as the patch from bug #239022 has proven to build sssd w/ SMB=on and the appropriate dependencies particularly Samba 4.10 and was successfully tested.

In other words, enabling security/sssd's SMB requires default samba=410 w/ SAMBA4_BUNDLED_LDB=yes and net/samba4* explicitly listed _above_ security/sssd in the Poudriere bulk file.
Comment 26 lukas.slebodnik 2019-10-19 22:02:07 UTC
sssd-1.13 branch should have been LTM in upstream but latest version 1.13.4 is 2.5 years old.

I created another BZ241347