From c2f58694059a4f8aa0dceb7cb3e13cf6ce3b2415 Mon Sep 17 00:00:00 2001 
From: MSVSphere Packaging Team
Date: Tue, 26 Nov 2024 15:35:25 +0300
Subject: [PATCH] import authselect-1.5.0-6.el10
---
.authselect.metadata | 1 +
.gitignore | 1 +
...introduce-with-files-access-provider.patch | 101 +
...file-for-Fedora-40-and-RHEL-10-as-mi.patch | 217 ++
SOURCES/0003-po-update-translations.patch | 471 +++
...is-install-nis-profile-conditionally.patch | 177 ++
...gure-drop-user-nsswitch.conf-support.patch | 349 +++
...onfigure-drop-authconfig-compat-tool.patch | 1510 ++++++++++
SOURCES/0007-ci-remove-python-checks.patch | 46 +
SOURCES/0008-pot-update-pot-files.patch | 2561 +++++++++++++++++
...ge-groups-records-with-SUCCESS-merge.patch | 78 +
...s-with-success-merge-on-ostree-syste.patch | 26 +
...1-profiles-put-myhostname-before-dns.patch | 72 +
.../0901-rhel10-remove-systemd-homed.patch | 376 +++
.../0902-rhel10-remove-ecryptfs-support.patch | 250 +
.../0903-rhel10-remove-systemd-resolved.patch | 68 +
SPECS/authselect.spec | 481 ++++
17 files changed, 6785 insertions(+)
create mode 100644 .authselect.metadata
create mode 100644 .gitignore
create mode 100644 SOURCES/0001-sssd-reintroduce-with-files-access-provider.patch
create mode 100644 SOURCES/0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
create mode 100644 SOURCES/0003-po-update-translations.patch
create mode 100644 SOURCES/0004-nis-install-nis-profile-conditionally.patch
create mode 100644 SOURCES/0005-configure-drop-user-nsswitch.conf-support.patch
create mode 100644 SOURCES/0006-configure-drop-authconfig-compat-tool.patch
create mode 100644 SOURCES/0007-ci-remove-python-checks.patch
create mode 100644 SOURCES/0008-pot-update-pot-files.patch
create mode 100644 SOURCES/0009-profiles-merge-groups-records-with-SUCCESS-merge.patch
create mode 100644 SOURCES/0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch
create mode 100644 SOURCES/0011-profiles-put-myhostname-before-dns.patch
create mode 100644 SOURCES/0901-rhel10-remove-systemd-homed.patch
create mode 100644 SOURCES/0902-rhel10-remove-ecryptfs-support.patch
create mode 100644 SOURCES/0903-rhel10-remove-systemd-resolved.patch
create mode 100644 SPECS/authselect.spec
diff --git a/.authselect.metadata b/.authselect.metadata
new file mode 100644
index 0000000..1942565
--- /dev/null
+++ b/.authselect.metadata
@@ -0,0 +1 @@
+bc93feb781e01b2101e06e413f65924d4f633d0a SOURCES/authselect-1.5.0.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5ccce7a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/authselect-1.5.0.tar.gz
diff --git a/SOURCES/0001-sssd-reintroduce-with-files-access-provider.patch b/SOURCES/0001-sssd-reintroduce-with-files-access-provider.patch
new file mode 100644
index 0000000..d793c67
--- /dev/null
+++ b/SOURCES/0001-sssd-reintroduce-with-files-access-provider.patch
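Review bot: The only integrity pin for `SOURCES/authselect-1.5.0.tar.gz` in `.authselect.metadata` is a 40-hex-digit digest, which by its length looks like SHA-1. SHA-1 is no longer collision-resistant, so it is a weak anchor for a tarball that the `.gitignore` entry keeps out of git and that is presumably fetched from a lookaside store at build time. If the import tooling accepts a stronger algorithm, record a SHA-256 or SHA-512 digest here, and compare the tarball with the upstream release artifact before importing.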
@@ -0,0 +1,101 @@
+From adb36ae3633e2dfaa9c21bb45d05551f1ea3d749 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Wed, 21 Feb 2024 14:27:49 +0100
+Subject: [PATCH 01/11] sssd: reintroduce with-files-access-provider
+
+This is still needed to support .k5login file with proxy domain. For
+example:
+
+```
+[domain/proxy]
+id_provider = proxy
+proxy_lib_name = files
+access_provider = krb5
+auth_provider = krb5
+krb5_server = kdc.test
+krb5_realm = TEST
+```
+---
+ profiles/sssd/README | 10 ++++++++++
+ profiles/sssd/fingerprint-auth | 2 +-
+ profiles/sssd/password-auth | 2 +-
+ profiles/sssd/smartcard-auth | 2 +-
+ profiles/sssd/system-auth | 2 +-
+ 5 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index 770891a338754b53ee48ba34d9d80c2f2f31cdb6..f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -89,6 +89,16 @@ with-mdns4::
+ with-mdns6::
+ Enable multicast DNS over IPv6.
+
++with-files-access-provider:: If set, account management for local users is
++ handled also by pam_sss. This can be used to support SSSD's proxy domain
++ that is configured to serve users from local files but provide
++ authentication and access management (.k5login file) via Kerberos.
++
++ *WARNING:* SSSD access check will become mandatory for local users and
++ if SSSD is stopped then local users will not be able to log in. Only
++ system accounts (as defined by pam_usertype, including root) will be
++ able to log in.
++
+ with-gssapi::
+ If set, pam_sss_gss module is enabled to perform user authentication over
+ GSSAPI.
+diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
+index 94232086a60f56976bd5182f5d10da9c63ec22b6..20ad3613e66ec85c7d2462d0449854e522383b3a 100644
+--- a/profiles/sssd/fingerprint-auth
++++ b/profiles/sssd/fingerprint-auth
+@@ -11,7 +11,7 @@ auth required pam_deny.so
+ account required pam_access.so {include if "with-pamaccess"}
+ account required pam_faillock.so {include if "with-faillock"}
+ account required pam_unix.so
+-account sufficient pam_localuser.so
++account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+ account sufficient pam_usertype.so issystem
+ account [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account required pam_permit.so
+diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
+index 05487ca293138a1154cb6820dbc9a53770904670..97c33b678706e7eeb86bf45251baa41739f2940f 100644
+--- a/profiles/sssd/password-auth
++++ b/profiles/sssd/password-auth
+@@ -18,7 +18,7 @@ account required pam_access.so
+ account required pam_faillock.so {include if "with-faillock"}
+ account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ account required pam_unix.so
+-account sufficient pam_localuser.so
++account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+ account sufficient pam_usertype.so issystem
+ account [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account required pam_permit.so
+diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
+index 540556ce89b727a226bec4d3322a1775ef350253..78cb329bf332f4d629740a0fff7d2dfe43f7d78d 100644
+--- a/profiles/sssd/smartcard-auth
++++ b/profiles/sssd/smartcard-auth
+@@ -11,7 +11,7 @@ auth required pam_deny.so
+ account required pam_access.so {include if "with-pamaccess"}
+ account required pam_faillock.so {include if "with-faillock"}
+ account required pam_unix.so
+-account sufficient pam_localuser.so
++account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+ account sufficient pam_usertype.so issystem
+ account [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account required pam_permit.so
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index 83f9214fdd0a97ec49a8df52a2e202e034cbc0c6..90c3504a414f0a151475cc207285b230fec381b1 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -25,7 +25,7 @@ account required pam_access.so
+ account required pam_faillock.so {include if "with-faillock"}
+ account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ account required pam_unix.so
+-account sufficient pam_localuser.so
++account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+ account sufficient pam_usertype.so issystem
+ account [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account required pam_permit.so
+--
+2.42.0
+
diff --git a/SOURCES/0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch b/SOURCES/0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
new file mode 100644
index 0000000..1b8159c
--- /dev/null
+++ b/SOURCES/0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
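Review bot: The README warning added for `with-files-access-provider` covers the SSSD-stopped case but not the opposite one: in all four stacks `pam_sss.so` is still called with `user_unknown=ignore`, so a local user that no SSSD domain serves falls through to `pam_permit.so` and is admitted with no access check at all. The flag therefore enforces the `.k5login` check only when a proxy domain actually resolves the user, and the README entry should say so, for example `The access check applies only to users served by an SSSD domain; users unknown to SSSD are still permitted.` The nested diffstat lists only README and the four PAM files, so the profile's REQUIREMENTS text appears unchanged; a line there conditional on this feature would put the lockout warning in front of the administrator at selection time. Each PAM stack continues outside its nested hunk, so this reading rests on the visible account lines only.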
@@ -0,0 +1,217 @@
+From d498f7aa562cf41e0999f7733664c27fa62bcf7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 23 Feb 2024 11:54:44 +0100
+Subject: [PATCH 02/11] spec: modify specfile for Fedora 40 and RHEL 10 as
+ minimal version
+
+- conditionals that are no longer used are removed
+- upgrade path is removed
+ - this was already triggered in Fedora 38, so it is no longer useful
+ - RHEL is updated to authselect with leapp when going from 7 to 8
+ we don't want to touch existing configurations
+---
+ rpm/authselect.spec.in | 102 ++---------------------------------------
+ 1 file changed, 3 insertions(+), 99 deletions(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index 24ce4e603208ce26eb228bbee565c868428a2af1..e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -12,20 +12,6 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+ %global makedir %{_builddir}/%{name}-%{version}
+
+-%if 0%{?fedora} >= 35 || 0%{?rhel} >= 10
+-%global with_compat 0
+-%else
+-%global with_compat 1
+-%endif
+-
+-%if 0%{?fedora} >= 36 || 0%{?rhel} >= 10
+-%global with_user_nsswitch 0
+-%global enforce_authselect 1
+-%else
+-%global with_user_nsswitch 1
+-%global enforce_authselect 0
+-%endif
+-
+ # Set the default profile
+ %{?fedora:%global default_profile local with-silent-lastlog}
+ %{?rhel:%global default_profile local}
+@@ -43,21 +29,14 @@ BuildRequires: po4a
+ BuildRequires: %{_bindir}/a2x
+ BuildRequires: libcmocka-devel >= 1.0.0
+ BuildRequires: libselinux-devel
+-%if %{with_compat}
+-BuildRequires: python3-devel
+-%endif
+ Requires: authselect-libs%{?_isa} = %{version}-%{release}
+ Suggests: sssd
+ Suggests: samba-winbind
+ Suggests: fprintd-pam
+ Suggests: oddjob-mkhomedir
+
+-%if !%{with_compat}
+ # Properly obsolete removed authselect-compat package.
+-Obsoletes: authselect-compat < 1.2.4
+-# Inherited from former authselect-compat package.
+-Obsoletes: authconfig < 7.0.1-6
+-%endif
++Obsoletes: authselect-compat < 1.3
+
+ %description
+ Authselect is designed to be a replacement for authconfig but it takes
+@@ -74,14 +53,6 @@ Summary: Utility library used by the authselect tool
+ Requires: coreutils
+ Requires: sed
+ Suggests: systemd
+-%if %{enforce_authselect}
+-# authselect now owns nsswitch.conf (glibc) and pam files
+-Conflicts: pam < 1.5.2-8
+-Conflicts: glibc < 2.34.9000-27
+-# systemd, nss-mdns no longer contains nsswitch.conf scriptlets
+-Conflicts: systemd < 249.7-4
+-Conflicts: nss-mdns < 0.15.1-3
+-%endif
+
+ %description libs
+ Common library files for authselect. This package is used by the authselect
+@@ -95,25 +66,6 @@ Requires: authselect-libs%{?_isa} = %{version}-%{release}
+ System header files and development libraries for authselect. Useful if
+ you develop a front-end for the authselect library.
+
+-%if %{with_compat}
+-%package compat
+-Summary: Tool to provide minimum backwards compatibility with authconfig
+-Obsoletes: authconfig < 7.0.1-6
+-Provides: authconfig
+-Requires: authselect%{?_isa} = %{version}-%{release}
+-Recommends: oddjob-mkhomedir
+-Suggests: sssd
+-Suggests: realmd
+-Suggests: samba-winbind
+-
+-%description compat
+-This package will replace %{_sbindir}/authconfig with a tool that will
+-translate some of the authconfig calls into authselect calls. It provides
+-only minimum backward compatibility and users are encouraged to migrate
+-to authselect completely.
+-%endif
+-
+-
+ %prep
+ %setup -q
+
+@@ -123,16 +75,7 @@ done
+
+ %build
+ autoreconf -if
+-%configure \
+-%if %{with_compat}
+- --with-pythonbin="%{__python3}" \
+- --with-compat \
+-%endif
+-%if %{with_user_nsswitch}
+- --with-user-nsswitch \
+-%endif
+- %{nil}
+-
++%configure
+ %make_build
+
+ %check
+@@ -168,20 +111,14 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
+ %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
+-%if %{enforce_authselect}
+ %ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
+ %ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
+-%endif
+ %dir %{_localstatedir}/lib/authselect
+ %ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
+-%if %{with_user_nsswitch}
+-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
+-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
+-%endif
+ %dir %{_datadir}/authselect
+ %dir %{_datadir}/authselect/vendor
+ %dir %{_datadir}/authselect/default
+@@ -241,12 +178,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+ %{_libdir}/libauthselect.so
+ %{_libdir}/pkgconfig/authselect.pc
+
+-%if %{with_compat}
+-%files compat
+-%{_sbindir}/authconfig
+-%{python3_sitelib}/authselect/
+-%endif
+-
+ %files -f %{name}.8.lang -f %{name}-migration.7.lang
+ %{_bindir}/authselect
+ %{_mandir}/man8/authselect.8*
+@@ -265,47 +196,21 @@ if [ $1 == 0 ] ; then
+ fi
+
+ %pre libs
+-%if %{enforce_authselect}
+ # Check if this is a new installation.
+ %__rm -f %{forcefile}
+ if [ $1 -eq 1 ] ; then
+ touch %{forcefile}
+ fi
+-
+-# Check if we are upgrading from older version then authselect-1.3.0
+-# The version command is not available on earlier versions
+-if [ $1 -gt 1 ] ; then
+- %{_bindir}/authselect check &> /dev/null
+- if [ $? -ne 0 ]; then
+- %{_bindir}/authselect version &> /dev/null
+- if [ $? -ne 0 ]; then
+- touch %{forcefile}
+- fi
+- fi
+-fi
+-%endif
+-
+ exit 0
+
+ %posttrans libs
+-# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
+-%if %{with_user_nsswitch}
+-if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
+- %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
+- touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
+-fi
+-%endif
+
+ # Keep nss-altfiles for all rpm-ostree based systems.
+ # See https://github.com/authselect/authselect/issues/48
+ if test -e /run/ostree-booted; then
+ for PROFILE in `ls %{_datadir}/authselect/default`; do
+ %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
+-%if %{with_user_nsswitch}
+- %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+-%else
+ %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+-%endif
+ done
+ fi
+
+@@ -314,8 +219,7 @@ if [ $? -eq 6 ]; then
+ NOBACKUP="--nobackup"
+ fi
+
+-# If we are upgrading from pre authselect-1.3.0 or this is a new installation
+-# select the default configuration.
++# If this is a new installation select the default configuration.
+ if [ -f %{forcefile} ]; then
+ %{_bindir}/authselect select %{default_profile} --force $NOBACKUP &> /dev/null
+ %__rm -f %{forcefile}
+--
+2.42.0
+
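Review bot: In `%posttrans libs` the line this patch keeps, `%__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' …/nsswitch.conf`, passes `-ie`, which GNU sed reads as `-i` with backup suffix `e`, so each vendor profile created on an ostree system would be left with a stray `nsswitch.confe` beside the edited file. Writing it as `%__sed -i -e '…'` avoids that. The same loop sends all output of `authselect create-profile` and `sed` to `/dev/null` and does not check exit status, so a failed profile rewrite is silent; if that is deliberate best-effort, a one-line comment saying so would help. This is the upstream `rpm/authselect.spec.in`; whether `SPECS/authselect.spec` carries the same line is not visible in this part of the patch.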
diff --git a/SOURCES/0003-po-update-translations.patch b/SOURCES/0003-po-update-translations.patch
new file mode 100644
index 0000000..3903936
--- /dev/null
+++ b/SOURCES/0003-po-update-translations.patch
@@ -0,0 +1,471 @@ +From 4485f4686c285310b2a11ac545e88e3acef870ea Mon Sep 17 00:00:00 2001 +From: Weblate +Date: Tue, 20 Feb 2024 21:36:02 +0100 +Subject: [PATCH 03/11] po: update translations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +(Finnish) currently translated at 100.0% (349 of 349 strings) +Translation: authselect/master +Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-application/fi/ + +Update translation files + +Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. + +po: update translations + +(Turkish) currently translated at 100.0% (349 of 349 strings) +Translation: authselect/master +Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-application/tr/ + +Co-authored-by: Jan Kuparinen +Co-authored-by: Oğuz Ersen +Co-authored-by: Weblate +Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-authselect8adoc/ +Translation: authselect/master-authselect.8.adoc +--- + po/fi.po | 11 +++++------ + po/tr.po | 12 ++++++------ + src/man/po/authselect.8.adoc.ca.po | 2 +- + src/man/po/authselect.8.adoc.cs.po | 2 +- + src/man/po/authselect.8.adoc.de.po | 2 +- + src/man/po/authselect.8.adoc.es.po | 2 +- + src/man/po/authselect.8.adoc.fa.po | 2 +- + src/man/po/authselect.8.adoc.fi.po | 2 +- + src/man/po/authselect.8.adoc.fr.po | 2 +- + src/man/po/authselect.8.adoc.hu.po | 2 +- + src/man/po/authselect.8.adoc.it.po | 2 +- + src/man/po/authselect.8.adoc.ja.po | 2 +- + src/man/po/authselect.8.adoc.ko.po | 2 +- + src/man/po/authselect.8.adoc.nl.po | 2 +- + src/man/po/authselect.8.adoc.pl.po | 2 +- + src/man/po/authselect.8.adoc.pt.po | 2 +- + src/man/po/authselect.8.adoc.pt_BR.po | 2 +- + src/man/po/authselect.8.adoc.ru.po | 2 +- + src/man/po/authselect.8.adoc.si.po | 2 +- + src/man/po/authselect.8.adoc.sv.po | 2 +- + src/man/po/authselect.8.adoc.tr.po | 2 +- + src/man/po/authselect.8.adoc.uk.po | 2 +- + 
src/man/po/authselect.8.adoc.zh_CN.po | 16 +++++++--------- + src/man/po/authselect.8.adoc.zh_TW.po | 2 +- + 24 files changed, 39 insertions(+), 42 deletions(-) + +diff --git a/po/fi.po b/po/fi.po +index 63f52ad6a8cd85d6f5c06b0a57d194ac94268206..12c84ea64ed09176d2e08e0d02aa47278540758f 100644 +--- a/po/fi.po ++++ b/po/fi.po +@@ -1,14 +1,14 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR Red Hat, Inc. + # This file is distributed under the same license as the authselect package. +-# Jan Kuparinen , 2021, 2022. ++# Jan Kuparinen , 2021, 2022, 2024. + # Ricky Tigg , 2022. + msgid "" + msgstr "" + "Project-Id-Version: authselect 1.2.2\n" + "Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n" + "POT-Creation-Date: 2023-09-27 13:03+0200\n" +-"PO-Revision-Date: 2022-05-23 17:18+0000\n" ++"PO-Revision-Date: 2024-02-20 20:36+0000\n" + "Last-Translator: Jan Kuparinen \n" + "Language-Team: Finnish \n" +@@ -17,7 +17,7 @@ msgstr "" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=2; plural=n != 1;\n" +-"X-Generator: Weblate 4.12.2\n" ++"X-Generator: Weblate 5.4\n" + + #: src/lib/authselect.c:47 src/lib/authselect.c:188 + msgid "Unable to obtain supported features" +@@ -671,10 +671,9 @@ msgid "Unable to chown file [%s] [%d]: %s" + msgstr "Ei pysty ajamaan chmod tiedostolle [%s] [%d]: %s" + + #: src/lib/util/selinux.c:46 +-#, fuzzy, c-format +-#| msgid "Unable to create selabel context [%d]: %s" ++#, c-format + msgid "Unable to create selabel handle [%d]: %s" +-msgstr "Selabel-kontekstia [%d] ei voida luoda: %s" ++msgstr "Selabel-kahvaa [%d] ei voida luoda: %s" + + #: src/lib/util/selinux.c:55 + #, c-format +diff --git a/po/tr.po b/po/tr.po +index 546e09bcb7457a44b43965dc222328cbdfe6f94d..8799903c5c18c48972d6faf464f5ee256460729a 100644 +--- a/po/tr.po ++++ b/po/tr.po +@@ -3,13 +3,14 @@ + # This file is distributed under the same license as the authselect package. + # Oğuz Ersen , 2020, 2021. 
+ # Anonymous , 2020. ++# Oğuz Ersen , 2024. + msgid "" + msgstr "" + "Project-Id-Version: authselect 1.1\n" + "Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n" + "POT-Creation-Date: 2023-09-27 13:03+0200\n" +-"PO-Revision-Date: 2021-12-10 17:16+0000\n" +-"Last-Translator: Oğuz Ersen \n" ++"PO-Revision-Date: 2024-01-29 17:36+0000\n" ++"Last-Translator: Oğuz Ersen \n" + "Language-Team: Turkish \n" + "Language: tr\n" +@@ -17,7 +18,7 @@ msgstr "" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=2; plural=n != 1;\n" +-"X-Generator: Weblate 4.9.1\n" ++"X-Generator: Weblate 5.3.1\n" + + #: src/lib/authselect.c:47 src/lib/authselect.c:188 + msgid "Unable to obtain supported features" +@@ -671,10 +672,9 @@ msgid "Unable to chown file [%s] [%d]: %s" + msgstr "[%s] dosyasının sahibi değiştirilemedi [%d]: %s" + + #: src/lib/util/selinux.c:46 +-#, fuzzy, c-format +-#| msgid "Unable to create selabel context [%d]: %s" ++#, c-format + msgid "Unable to create selabel handle [%d]: %s" +-msgstr "selabel bağlamı oluşturulamadı [%d]: %s" ++msgstr "selabel tanıtıcısı oluşturulamadı [%d]: %s" + + #: src/lib/util/selinux.c:55 + #, c-format +diff --git a/src/man/po/authselect.8.adoc.ca.po b/src/man/po/authselect.8.adoc.ca.po +index 8c04b973ccfb0136589965d79a4fc38f57c38523..01e54857766fcbf7f063792a9953cbd26a979a51 100644 +--- a/src/man/po/authselect.8.adoc.ca.po ++++ b/src/man/po/authselect.8.adoc.ca.po +@@ -5,7 +5,7 @@ + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" +-"POT-Creation-Date: 2023-09-27 13:03+0200\n" ++"POT-Creation-Date: 2024-01-18 16:34+0100\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: Automatically generated\n" + "Language-Team: none\n" +diff --git a/src/man/po/authselect.8.adoc.cs.po b/src/man/po/authselect.8.adoc.cs.po +index 84d630218ec7ef3b880a0da7315b2abd30bd3e62..cc98ea8c50ad65a19862b8470938cafafecc3e70 100644 +--- 
a/src/man/po/authselect.8.adoc.cs.po ++++ b/src/man/po/authselect.8.adoc.cs.po +@@ -3,7 +3,7 @@ + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" +-"POT-Creation-Date: 2023-09-27 13:03+0200\n" ++"POT-Creation-Date: 2024-01-18 16:34+0100\n" + "PO-Revision-Date: 2023-08-07 20:21+0000\n" + "Last-Translator: Jan Kalabza \n" + "Language-Team: Czech \n" + "Language-Team: German \n" + "Language-Team: Spanish \n" + "Language-Team: Persian \n" + "Language-Team: Finnish \n" + "Language-Team: French \n" + "Language-Team: Hungarian \n" + "Language-Team: Italian \n" + "Language-Team: Japanese \n" + "Language-Team: Korean \n" + "Language-Team: Dutch \n" + "Language-Team: Polish \n" + "Language-Team: Portuguese \n" + "Language-Team: Portuguese (Brazil) \n" + "Language-Team: Russian \n" + "Language-Team: Sinhala \n" + "Language-Team: Swedish \n" + "Language-Team: Turkish \n" + "Language-Team: Ukrainian \n" + "Language-Team: Chinese (Simplified) \n" + "Language-Team: Chinese (Traditional) +Date: Fri, 23 Feb 2024 12:51:37 +0100 +Subject: [PATCH 04/11] nis: install nis profile conditionally + +NIS profile is installed only if --with-nis-profile configure flag is +given. 
+--- + profiles/Makefile.am | 2 ++ + rpm/authselect.spec.in | 37 +++++++++++++++++++---------- + scripts/manpages-build.sh.in | 1 + + src/conf_macros.m4 | 10 ++++++++ + src/man/authselect-migration.7.adoc | 7 ++++++ + 5 files changed, 45 insertions(+), 12 deletions(-) + +diff --git a/profiles/Makefile.am b/profiles/Makefile.am +index bc437c158f6922afdba4ab261c73f31c93846118..61728cab77022ddc0bb35a3649a38123dc4987cf 100644 +--- a/profiles/Makefile.am ++++ b/profiles/Makefile.am +@@ -15,6 +15,7 @@ dist_profile_local_DATA = \ + $(top_srcdir)/profiles/local/dconf-locks \ + $(NULL) + ++if WITH_NIS_PROFILE + profile_nisdir = $(authselect_profile_dir)/nis + dist_profile_nis_DATA = \ + $(top_srcdir)/profiles/nis/nsswitch.conf \ +@@ -28,6 +29,7 @@ dist_profile_nis_DATA = \ + $(top_srcdir)/profiles/nis/dconf-db \ + $(top_srcdir)/profiles/nis/dconf-locks \ + $(NULL) ++endif + + profile_sssddir = $(authselect_profile_dir)/sssd + dist_profile_sssd_DATA = \ +diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in +index e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1..350ca953632f21be861c1ee75f25f71d107ca1ee 100644 +--- a/rpm/authselect.spec.in ++++ b/rpm/authselect.spec.in +@@ -12,6 +12,13 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz + + %global makedir %{_builddir}/%{name}-%{version} + ++# Disable NIS profile on RHEL ++%if 0%{?rhel} ++%global with_nis_profile 0 ++%else ++%global with_nis_profile 1 ++%endif ++ + # Set the default profile + %{?fedora:%global default_profile local with-silent-lastlog} + %{?rhel:%global default_profile local} +@@ -75,7 +82,11 @@ done + + %build + autoreconf -if +-%configure ++%configure \ ++%if %{with_nis_profile} ++ --with-nis-profile \ ++%endif ++ %{nil} + %make_build + + %check +@@ -123,7 +134,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; + %dir %{_datadir}/authselect/vendor + %dir %{_datadir}/authselect/default + %dir %{_datadir}/authselect/default/local/ +-%dir %{_datadir}/authselect/default/nis/ + %dir 
%{_datadir}/authselect/default/sssd/ + %dir %{_datadir}/authselect/default/winbind/ + %{_datadir}/authselect/default/local/dconf-db +@@ -136,16 +146,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; + %{_datadir}/authselect/default/local/REQUIREMENTS + %{_datadir}/authselect/default/local/smartcard-auth + %{_datadir}/authselect/default/local/system-auth +-%{_datadir}/authselect/default/nis/dconf-db +-%{_datadir}/authselect/default/nis/dconf-locks +-%{_datadir}/authselect/default/nis/fingerprint-auth +-%{_datadir}/authselect/default/nis/nsswitch.conf +-%{_datadir}/authselect/default/nis/password-auth +-%{_datadir}/authselect/default/nis/postlogin +-%{_datadir}/authselect/default/nis/README +-%{_datadir}/authselect/default/nis/REQUIREMENTS +-%{_datadir}/authselect/default/nis/smartcard-auth +-%{_datadir}/authselect/default/nis/system-auth + %{_datadir}/authselect/default/sssd/dconf-db + %{_datadir}/authselect/default/sssd/dconf-locks + %{_datadir}/authselect/default/sssd/fingerprint-auth +@@ -166,6 +166,19 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; + %{_datadir}/authselect/default/winbind/REQUIREMENTS + %{_datadir}/authselect/default/winbind/smartcard-auth + %{_datadir}/authselect/default/winbind/system-auth ++%if %{with_nis_profile} ++%dir %{_datadir}/authselect/default/nis/ ++%{_datadir}/authselect/default/nis/dconf-db ++%{_datadir}/authselect/default/nis/dconf-locks ++%{_datadir}/authselect/default/nis/fingerprint-auth ++%{_datadir}/authselect/default/nis/nsswitch.conf ++%{_datadir}/authselect/default/nis/password-auth ++%{_datadir}/authselect/default/nis/postlogin ++%{_datadir}/authselect/default/nis/README ++%{_datadir}/authselect/default/nis/REQUIREMENTS ++%{_datadir}/authselect/default/nis/smartcard-auth ++%{_datadir}/authselect/default/nis/system-auth ++%endif + %{_libdir}/libauthselect.so.* + %{_mandir}/man5/authselect-profiles.5* + %{_datadir}/doc/authselect/COPYING +diff --git a/scripts/manpages-build.sh.in 
b/scripts/manpages-build.sh.in +index 314bb2b2a0e4432632478230ab5ff5b3dce2943f..9e553f755a64717f854f3aba33c62140130ce18f 100755 +--- a/scripts/manpages-build.sh.in ++++ b/scripts/manpages-build.sh.in +@@ -233,6 +233,7 @@ ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\"" + ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\"" + ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\"" + ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\"" ++ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\"" + + manpages-translate + +diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 +index 17c1629723066b0c4e354051366ce209428af6c1..9a81a6e194d16ecc0408e8631530cf7048fd9241 100644 +--- a/src/conf_macros.m4 ++++ b/src/conf_macros.m4 +@@ -99,3 +99,13 @@ if test x"$with_user_nsswitch" = xyes; then + AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support]) + AC_SUBST(BUILD_USER_NSSWITCH, 1) + fi ++ ++AC_ARG_WITH([nis-profile], ++ [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])], ++ [], with_nis_profile=no ++) ++AM_CONDITIONAL([WITH_NIS_PROFILE], [test x$with_nis_profile = xyes]) ++AC_SUBST(WITH_NIS_PROFILE, 0) ++if test x"$with_nis_profile" = xyes; then ++ AC_SUBST(WITH_NIS_PROFILE, 1) ++fi +diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc +index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..8cc58e60301925974fdb738c5b9a746749981df8 100644 +--- a/src/man/authselect-migration.7.adoc ++++ b/src/man/authselect-migration.7.adoc +@@ -72,7 +72,12 @@ configuration file for required services. 
+ |--enablesssd --enablesssdauth |sssd + |--enablekrb5 |sssd + |--enablewinbind --enablewinbindauth |winbind ++ifeval::[{WITH_NIS_PROFILE} == 1] + |--enablenis |nis ++endif::[] ++ifeval::[{WITH_NIS_PROFILE} != 1] ++|--enablenis |none ++endif::[] + |========================================================= + + .Relation of authconfig options to authselect profile features +@@ -199,6 +204,7 @@ will perform an initial setup which involves creating a Kerberos keytab and + running `adcli` to join the domain. It also makes changes to `smb.conf`. You + can then tune it up by modifying {sysconfdir}/samba/smb.conf. + ++ifeval::[{WITH_NIS_PROFILE} == 1] + NIS + ~~~ + There are several places that needs to be configured in order to make +@@ -227,6 +233,7 @@ $ domainname mydomain + $ setsebool -P allow_ypbind 1 + ---- + ++endif::[] + PASSWORD QUALITY + ~~~~~~~~~~~~~~~~ + Authselect enables `pam_pwquality` module to enforce password quality +-- +2.42.0 + diff --git a/SOURCES/0005-configure-drop-user-nsswitch.conf-support.patch b/SOURCES/0005-configure-drop-user-nsswitch.conf-support.patch new file mode 100644 index 0000000..1e401ca --- /dev/null +++ b/SOURCES/0005-configure-drop-user-nsswitch.conf-support.patch 
@@ -0,0 +1,349 @@
+From 923fd37712eae8d99d514708e35894b6ea056628 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 23 Feb 2024 13:24:25 +0100
+Subject: [PATCH 05/11] configure: drop user-nsswitch.conf support
+
+user-nsswitch.conf support is now completely dropped, it can no
+longer be enabled via configure flag
+---
+ scripts/manpages-build.sh.in | 1 -
+ src/cli/main.c | 9 --
+ src/conf_macros.m4 | 10 --
+ src/lib/files/nsswitch.c | 156 -----------------------------
+ src/lib/paths.h | 3 -
+ src/man/authselect-profiles.5.adoc | 7 --
+ src/man/authselect.8.adoc | 61 -----------
+ 7 files changed, 247 deletions(-)
+
+diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
+index 9e553f755a64717f854f3aba33c62140130ce18f..f4ac71e3a22723a52101bb9cbbadd79740515070 100755
+--- a/scripts/manpages-build.sh.in
++++ b/scripts/manpages-build.sh.in
+@@ -232,7 +232,6 @@ ATTR+=" -a AUTHSELECT_PAM_DIR=\"@AUTHSELECT_PAM_DIR@\""
+ ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
+ ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
+ ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
+-ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
+ ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
+
+ manpages-translate
+diff --git a/src/cli/main.c b/src/cli/main.c
+index 18486b50bc42f9937cc7294c3e5e2b32cafab5e0..fe06a5d8ababa58209690a97e84ae254b859cdc6 100644
+--- a/src/cli/main.c
++++ b/src/cli/main.c
+@@ -186,15 +186,6 @@ static errno_t activate(struct cli_cmdline *cmdline)
+ goto done;
+ }
+
+-#ifdef BUILD_USER_NSSWITCH
+- maps = authselect_profile_nsswitch_maps(profile, features);
+- if (maps == NULL) {
+- ERROR("Unable to obtain nsswitch maps!");
+- ret = EFAULT;
+- goto done;
+- }
+-#endif
+-
+ if (backup || backup_name != NULL || (enforce && !nobackup)) {
+ ret = perform_backup(quiet, 1, backup_name);
+ if (ret != EOK) {
+diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
+index
9a81a6e194d16ecc0408e8631530cf7048fd9241..ae8fa0274e038e98115d000717487dbdbc04df4c 100644
+--- a/src/conf_macros.m4
++++ b/src/conf_macros.m4
+@@ -90,16 +90,6 @@ if test x"$with_compat" = xyes; then
+ fi
+ AM_CONDITIONAL([BUILD_COMPAT], [test x$with_compat = xyes])
+
+-AC_ARG_WITH([user-nsswitch],
+- [AC_HELP_STRING([--with-user-nsswitch], [Build with user nsswitch support [no]])],
+- [], with_user_nsswitch=no
+-)
+-AC_SUBST(BUILD_USER_NSSWITCH, 0)
+-if test x"$with_user_nsswitch" = xyes; then
+- AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
+- AC_SUBST(BUILD_USER_NSSWITCH, 1)
+-fi
+-
+ AC_ARG_WITH([nis-profile],
+ [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
+ [], with_nis_profile=no
+diff --git a/src/lib/files/nsswitch.c b/src/lib/files/nsswitch.c
+index 9598ea5cc5d5e30678acd91354629a87fc727be9..0e35380a2603316483cd6bcfdc58742c25b6a2b1 100644
+--- a/src/lib/files/nsswitch.c
++++ b/src/lib/files/nsswitch.c
+@@ -87,160 +87,6 @@ done:
+ return ret;
+ }
+
+-#ifdef BUILD_USER_NSSWITCH
+-
+-static errno_t
+-authselect_nsswitch_delete_maps(char **maps,
+- char *content)
+-{
+- char *match_string;
+- const char *map_name;
+- size_t map_len;
+- size_t orig_len;
+- regmatch_t m[RE_NSS_MATCHES];
+- regex_t regex;
+- errno_t ret;
+- int reret;
+- int i;
+-
+- if (string_is_empty(content)) {
+- return EOK;
+- }
+-
+- orig_len = strlen(content);
+-
+- reret = regcomp(®ex, RE_NSS, REG_EXTENDED | REG_NEWLINE);
+- if (reret != REG_NOERROR) {
+- ERROR("Unable to compile regular expression: regex error %d", reret);
+- ret = EFAULT;
+- goto done;
+- }
+-
+- match_string = content;
+- while ((reret = regexec(®ex, match_string, 2, m, 0)) == REG_NOERROR) {
+- map_name = match_string + m[1].rm_so;
+- map_len = m[1].rm_eo - m[1].rm_so;
+- for (i = 0; maps[i] != NULL; i++) {
+- if (strncmp(map_name, maps[i], map_len) == 0) {
+- string_remove_line(content, match_string, m[1].rm_so);
+- break;
+- }
+- }
+-
+- /* Since the whole line
could have been removed, we have to find first
+- * non-zero position. */
+- match_string += m[0].rm_eo;
+- while (*match_string == '\0' && match_string - content < orig_len) {
+- match_string++;
+- }
+- }
+-
+- if (reret != REG_NOMATCH) {
+- ERROR("Unable to search string: regex error %d", reret);
+- ret = EFAULT;
+- goto done;
+- }
+-
+- string_replace_shake(content, orig_len);
+-
+- ret = EOK;
+-
+-done:
+- regfree(®ex);
+-
+- return ret;
+-}
+-
+-errno_t
+-authselect_nsswitch_generate(const char *template,
+- const char **features,
+- char **_content)
+-{
+- static const char *preambule = \
+- "# If you want to make changes to nsswitch.conf please modify\n"
+- "# " PATH_USER_NSSWITCH " and run 'authselect apply-changes'.\n"
+- "#\n"
+- "# Note that your changes may not be applied as they may be\n"
+- "# overwritten by selected profile. Maps set in the authselect\n"
+- "# profile takes always precedence and overwrites the same maps\n"
+- "# set in the user file. Only maps that are not set by the profile\n"
+- "# are applied from the user file.\n"
+- "#\n"
+- "# For example, if the profile sets:\n"
+- "# passwd: sss files\n"
+- "# and " PATH_USER_NSSWITCH " contains:\n"
+- "# passwd: files\n"
+- "# hosts: files dns\n"
+- "# the resulting generated nsswitch.conf will be:\n"
+- "# passwd: sss files # from profile\n"
+- "# hosts: files dns # from user file\n\n";
+- char *user_content = NULL;
+- char *generated = NULL;
+- char *content = NULL;
+- char **maps = NULL;
+- errno_t ret;
+-
+- generated = template_generate(template, features);
+- if (generated == NULL) {
+- ret = ENOMEM;
+- goto done;
+- }
+-
+- ret = textfile_read(PATH_USER_NSSWITCH, AUTHSELECT_FILE_SIZE_LIMIT,
+- &user_content);
+- switch (ret) {
+- case EOK:
+- ret = authselect_nsswitch_find_maps(generated, &maps);
+- if (ret != EOK) {
+- goto done;
+- }
+-
+- ret = authselect_nsswitch_delete_maps(maps, user_content);
+- if (ret != EOK) {
+- goto done;
+- }
+-
+- if (string_is_empty(user_content)) {
+-
content = format("%s%s", preambule, generated);
+- break;
+- }
+-
+- content = format("%s%s\n# Included from %s\n\n%s",
+- preambule, generated, PATH_USER_NSSWITCH,
+- user_content);
+- break;
+- case ENOENT:
+- content = format("%s%s", preambule, generated);
+- break;
+- default:
+- ERROR("Unable to read [%s] [%d]: %s", PATH_USER_NSSWITCH,
+- ret, strerror(ret));
+- goto done;
+- }
+-
+- if (content == NULL) {
+- ret = ENOMEM;
+- goto done;
+- }
+-
+- *_content = content;
+-
+- ret = EOK;
+-
+-done:
+- if (ret != EOK) {
+- ERROR("Unable to generate nsswitch.conf [%d]: %s", ret, strerror(ret));
+- }
+-
+- free(user_content);
+- free(generated);
+- string_array_free(maps);
+-
+- return ret;
+-}
+-
+-#else /* BUILD_USER_NSSWITCH */
+-
+ errno_t
+ authselect_nsswitch_generate(const char *template,
+ const char **features,
+@@ -257,5 +103,3 @@ authselect_nsswitch_generate(const char *template,
+
+ return EOK;
+ }
+-
+-#endif /* BUILD_USER_NSSWITCH */
+diff --git a/src/lib/paths.h b/src/lib/paths.h
+index ca30b784f8bc63150f46ef08a26ec2bc5bcb3d67..41e4534b2efd421be8b9fea3b1fa9ebc3a699749 100644
+--- a/src/lib/paths.h
++++ b/src/lib/paths.h
+@@ -53,9 +53,6 @@
+ #define PATH_DCONF_DB AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_DB
+ #define PATH_DCONF_LOCK AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_LOCK
+
+-/* Path to files that can be modified by user. */
+-#define PATH_USER_NSSWITCH AUTHSELECT_CONFIG_DIR "/user-nsswitch.conf"
+-
+ /* Names of symbolic links that points to generated files. */
+ #define PATH_SYMLINK_SYSTEM AUTHSELECT_PAM_DIR "/" FILE_SYSTEM
+ #define PATH_SYMLINK_PASSWORD AUTHSELECT_PAM_DIR "/" FILE_PASSWORD
+diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
+index 76a48fa25a13a7052eeac662d7f5f1b11f1f9493..648b7980cfaabeb02913650a35dfffa8e17b0aaa 100644
+--- a/src/man/authselect-profiles.5.adoc
++++ b/src/man/authselect-profiles.5.adoc
+@@ -53,14 +53,7 @@ done to the system.
+ the modules in the system-auth configuration file._
+
+ *nsswitch.conf*::
+-ifeval::[{BUILD_USER_NSSWITCH} == 0]
+ Name Service Switch configuration file.
+-endif::[]
+-ifeval::[{BUILD_USER_NSSWITCH} == 1]
+- Name Service Switch configuration file. Only maps relevant to the profile
+- must be set. Maps that are not specified by the profile are included from
+- {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf.
+-endif::[]
+
+ *dconf-db*::
+ Changes to dconf database. The main uses case of this file is to set
+diff --git a/src/man/authselect.8.adoc b/src/man/authselect.8.adoc
+index 39758a6ca71e962ae942ce3608ac3bd0ffd3fabf..5d695cced0fbdc2cda78d61eb3f7b8d929cae692 100644
+--- a/src/man/authselect.8.adoc
++++ b/src/man/authselect.8.adoc
+@@ -261,67 +261,6 @@ These options are available with all commands.
+ the program execution but may indicate some undesired situations
+ (e.g. unexpected file in a profile directory).
+
+-ifeval::[{BUILD_USER_NSSWITCH} == 1]
+-NSSWITCH.CONF MANAGEMENT
+-------------------------
+-Authselect generates {AUTHSELECT_NSSWITCH_CONF} and does not allow any user
+-changes to this file. Such changes are detected and authselect will refuse to
+-write any system configuration unless a *--force* option is provided to
+-the *select* command. This mechanism prevents authselect from overwriting
+-anything that does not match any available profile.
+-
+-Any user changes to nsswitch maps must be done in file
+-{AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf. When authselect generates
+-new _nsswitch.conf_ it reads this file and combines it with configuration
+-from selected profile. The profile configuration takes always precedence.
+-In other words, profiles do not have to set all nsswitch maps but can set only
+-those that are relevant to the profile. If a map is set within a profile,
+-it always overwrites the same map from _user-nsswitch.conf_.
+-
+-.Example 1
+-[subs="attributes"]
+-----
+-# "sssd" profile
+-$ cat {AUTHSELECT_PROFILE_DIR}/sssd/nsswitch.conf
+-passwd: sss files systemd
+-group: sss files systemd
+-netgroup: sss files
+-automount: sss files
+-services: sss files
+-sudoers: files sss {include if "with-sudo"}
+-
+-$ cat {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf
+-passwd: files sss
+-group: files sss
+-hosts: files dns myhostname
+-sudoers: files
+-
+-$ authselect select sssd
+-
+-# passwd and group maps from user-nsswitch.conf are ignored
+-$ cat {AUTHSELECT_NSSWITCH_CONF}
+-passwd: sss files systemd
+-group: sss files systemd
+-netgroup: sss files
+-automount: sss files
+-services: sss files
+-hosts: files dns myhostname
+-sudoers: files
+-
+-$ authselect select sssd with-sudo
+-
+-# passwd, group and sudoers maps from user-nsswitch.conf are ignored
+-$ cat {AUTHSELECT_NSSWITCH_CONF}
+-passwd: sss files systemd
+-group: sss files systemd
+-netgroup: sss files
+-automount: sss files
+-services: sss files
+-sudoers: files sss
+-hosts: files dns myhostname
+-----
+-endif::[]
+-
+ TROUBLESHOOTING
+ ---------------
+
+--
+2.42.0
+
diff --git a/SOURCES/0006-configure-drop-authconfig-compat-tool.patch b/SOURCES/0006-configure-drop-authconfig-compat-tool.patch
new file mode 100644
index 0000000..926549c
--- /dev/null
+++ b/SOURCES/0006-configure-drop-authconfig-compat-tool.patch
@@ -0,0 +1,1510 @@
+From 3687d4e28a45b1896165e2e1d029fc81bf5a2a11 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 23 Feb 2024 13:25:50 +0100
+Subject: [PATCH 06/11] configure: drop authconfig compat tool
+
+authconfig-compat tool is now dropped and it can no longer be
+enabled via configure switch
+---
+ Makefile.am | 1 -
+ configure.ac | 2 -
+ po/POTFILES.in | 6 -
+ src/compat/Makefile.am | 47 --
+ src/compat/authcompat.py.in.in | 665 -----------------------
+ src/compat/authcompat_ConfigSnippet.py | 92 ----
+ src/compat/authcompat_EnvironmentFile.py | 216 --------
+ src/compat/authcompat_Options.py | 326 -----------
+ src/compat/snippets/authconfig-krb.conf | 14 -
+ src/compat/snippets/authconfig-sssd.conf | 18 -
+ src/conf_macros.m4 | 9 -
+ 11 files changed, 1396 deletions(-)
+ delete mode 100644 src/compat/Makefile.am
+ delete mode 100755 src/compat/authcompat.py.in.in
+ delete mode 100644 src/compat/authcompat_ConfigSnippet.py
+ delete mode 100644 src/compat/authcompat_EnvironmentFile.py
+ delete mode 100644 src/compat/authcompat_Options.py
+ delete mode 100644 src/compat/snippets/authconfig-krb.conf
+ delete mode 100644 src/compat/snippets/authconfig-sssd.conf
+
+diff --git a/Makefile.am b/Makefile.am
+index 1c9b88d47f809cb218d19887734769f12b944bb4..befa38ba16f2ff6659fe452c4e4f8d9f646b3d84 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -2,7 +2,6 @@ SUBDIRS= \
+ po \
+ profiles \
+ src/common \
+- src/compat \
+ src/lib \
+ src/cli \
+ src/tests \
+diff --git a/configure.ac b/configure.ac
+index 3a355bb78dd8040cd91f32e5602a55bf34a9563b..612763702cda22737ad841dd246dafbb607c0bed 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -51,8 +51,6 @@ AC_CONFIG_FILES([Makefile
+ profiles/Makefile
+ rpm/authselect.spec
+ src/common/Makefile
+- src/compat/authcompat.py.in
+- src/compat/Makefile
+ src/cli/Makefile
+ src/lib/Makefile
+ src/lib/authselect.pc
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index
2e7fbc89bbffe3a7584cf48bb99509d0912854e9..1380ba855ab4c9c2d35f956736cb195d4890042d 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -26,9 +26,3 @@ src/common/format.c
+ # Command line tool
+ src/cli/cli_tool.c
+ src/cli/main.c
+-
+-# Compat tool
+-src/compat/authcompat_ConfigSnippet.py
+-src/compat/authcompat_EnvironmentFile.py
+-src/compat/authcompat_Options.py
+-src/compat/authcompat.py.in.in
+diff --git a/src/compat/Makefile.am b/src/compat/Makefile.am
+deleted file mode 100644
+index 5928e53a22d432247a2ce1e120dcad699d3c961e..0000000000000000000000000000000000000000
+--- a/src/compat/Makefile.am
++++ /dev/null
+@@ -1,47 +0,0 @@
+-if BUILD_COMPAT
+-expand_prefix = \
+- ( \
+- $(SED) -e 's,$${exec_prefix},$(exec_prefix),g' | \
+- $(SED) -e 's,$${prefix},$(prefix),g' \
+- )
+-
+-generated_files = \
+- authcompat.py \
+- $(NULL)
+-
+-expand_files:
+- for FILE in $(generated_files) ; do \
+- $(expand_prefix) < $$FILE.in > $$FILE ; \
+- done
+-
+-.PHONY: expand_files
+-BUILT_SOURCES = expand_files
+-
+-CLEANFILES = \
+- $(generated_files) \
+- $(NULL)
+-
+-pkgpython_SCRIPTS = \
+- authcompat.py \
+- $(NULL)
+-
+-dist_pkgpython_DATA = \
+- authcompat_ConfigSnippet.py \
+- authcompat_EnvironmentFile.py \
+- authcompat_Options.py \
+- $(NULL)
+-
+-snippetsdir = $(pkgpythondir)/snippets
+-dist_snippets_DATA = \
+- snippets/authconfig-krb.conf \
+- snippets/authconfig-sssd.conf \
+- $(NULL)
+-
+-# Create symbolic link that will replace authconfig
+-install-exec-hook:
+- $(MKDIR_P) $(DESTDIR)/$(sbindir)
+- $(LN_S) -f $(pkgpythondir)/authcompat.py $(DESTDIR)/$(sbindir)/authconfig
+-
+-uninstall-local:
+- $(RM) $(DESTDIR)/$(sbindir)/authconfig
+-endif
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+deleted file mode 100755
+index 6bea49829410e280ea06d19e265bad552ac93b02..0000000000000000000000000000000000000000
+--- a/src/compat/authcompat.py.in.in
++++ /dev/null
+@@ -1,665 +0,0 @@
+-#!@PYTHON_BIN@
+-# -*- coding: utf-8 -*-
+-#
+-#
Authors:
+-# Pavel Březina
+-#
+-# Copyright (C) 2018 Red Hat
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 3 of the License, or
+-# (at your option) any later version.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program. If not, see .
+-#
+-
+-import os
+-import sys
+-import locale
+-import gettext
+-import subprocess
+-
+-
+-from authcompat_Options import Options
+-from authcompat_EnvironmentFile import EnvironmentFile
+-from authcompat_ConfigSnippet import ConfigSnippet
+-
+-_ = gettext.gettext
+-
+-
+-def eprint(*args, **kwargs):
+- print(*args, file=sys.stderr, **kwargs)
+-
+-
+-class Command:
+- TEST = False
+-
+- def __init__(self, command, args, input=None, check=True):
+- self.args = [command] + args
+- self.input = input.encode() if input is not None else None
+- self.check = check
+- self.result = None
+-
+- def run(self):
+- print(_("Executing: %s") % ' '.join(self.args))
+-
+- if self.TEST:
+- return
+-
+- self.result = subprocess.run(self.args, check=self.check,
+- input=self.input,
+- stdout=subprocess.PIPE,
+- stderr=subprocess.PIPE)
+-
+-
+-class Service:
+- def __init__(self, name):
+- self.name = name + '.service'
+-
+- def runsystemd(self, command, required, enoent_code):
+- try:
+- command.run()
+- except subprocess.CalledProcessError as result:
+- if required and result.returncode == enoent_code:
+- eprint(_("Service %s was not found.
Please install the service.")
+- % self.name)
+- elif result.returncode != enoent_code:
+- eprint(_("Command [%s] failed with %d, stderr:")
+- % (' '.join(result.cmd), result.returncode))
+- eprint(result.stderr.decode())
+-
+- def enable(self):
+- cmd = Command(Path.System("cmd-systemctl"), ["enable", self.name])
+- self.runsystemd(cmd, True, 1)
+-
+- def disable(self):
+- cmd = Command(Path.System("cmd-systemctl"), ["disable", self.name])
+- self.runsystemd(cmd, False, 1)
+-
+- def start(self, Restart=True):
+- if Restart:
+- self.stop()
+- cmd = Command(Path.System("cmd-systemctl"), ["start", self.name])
+- self.runsystemd(cmd, True, 5)
+-
+- def stop(self):
+- cmd = Command(Path.System("cmd-systemctl"), ["stop", self.name])
+- self.runsystemd(cmd, False, 5)
+-
+-
+-class Path:
+- LocalDir = os.path.dirname(os.path.realpath(__file__))
+- Config = EnvironmentFile(LocalDir + "/authcompat_paths")
+-
+- Files = {
+- 'ldap.conf': '@sysconfdir@/openldap/ldap.conf',
+- 'krb5.conf': '@sysconfdir@/krb5.conf.d/authconfig-krb.conf',
+- 'sssd.conf': '@sysconfdir@/sssd/conf.d/authconfig-sssd.conf',
+- 'authconfig': '@sysconfdir@/sysconfig/authconfig',
+- 'network': '@sysconfdir@/sysconfig/network',
+- 'pwquality.conf': '@sysconfdir@/security/pwquality.conf.d/10-authconfig-pwquality.conf',
+- 'yp.conf': '@sysconfdir@/yp.conf',
+- 'cmd-systemctl': '@bindir@/systemctl',
+- 'cmd-authselect': '@bindir@/authselect',
+- 'cmd-realm': '@sbindir@/realm',
+- 'cmd-domainname': '@bindir@/domainname',
+- 'cmd-setsebool': '@sbindir@/setsebool'
+- }
+-
+- @staticmethod
+- def Local(relpath):
+- return "%s/%s" % (Path.LocalDir, relpath)
+-
+- @staticmethod
+- def System(name):
+- return Path.Files[name]
+-
+-
+-class Configuration:
+- class Base(object):
+- def __init__(self, options, ServiceName=None):
+- self.options = options
+- self.service = None
+- if ServiceName is not None:
+- self.service = Service(ServiceName)
+-
+- def isEnabled(self):
+- return True
+-
+- def isDisabled(self):
+-
return not self.isEnabled()
+-
+- def enableService(self, nostart):
+- if self.service is None:
+- return
+-
+- self.service.enable()
+-
+- if not nostart:
+- self.service.start()
+-
+- def disableService(self, nostop):
+- if self.service is None:
+- return
+-
+- self.service.disable()
+-
+- if not nostop:
+- self.service.stop()
+-
+- def cleanup(self):
+- return
+-
+- def write(self):
+- return
+-
+- def get(self, name):
+- return self.options.get(name)
+-
+- def isset(self, name):
+- return self.options.isset(name)
+-
+- def getTrueOrNone(self, name):
+- return self.options.getTrueOrNone(name)
+-
+- def getBool(self, name):
+- return self.options.getBool(name)
+-
+- def getBoolAsValue(self, name, if_true, if_false, AllowNone=False):
+- if AllowNone and not self.isset(name):
+- return None
+-
+- value = self.getBool(name)
+- if value:
+- return if_true
+-
+- return if_false
+-
+- def removeFile(self, filename):
+- print(_("Removing file: %s") % filename)
+- if self.options.getBool("test-call"):
+- return
+-
+- try:
+- os.remove(filename)
+- except FileNotFoundError:
+- return
+-
+- class LDAP(Base):
+- def __init__(self, options):
+- super(Configuration.LDAP, self).__init__(options)
+-
+- def write(self):
+- config = EnvironmentFile(Path.System('ldap.conf'), " ",
+- delimiter_re=r"\s\t", quotes=False)
+- if self.isset("ldapserver"):
+- config.set("URI", self.get("ldapserver"))
+-
+- if self.isset("ldapbasedn"):
+- config.set("BASE", self.get("ldapbasedn"))
+-
+- config.write()
+-
+- class Kerberos(Base):
+- def __init__(self, options):
+- super(Configuration.Kerberos, self).__init__(options)
+-
+- def isEnabled(self):
+- if not self.isset("krb5realm") and not self.isset("krb5realmdns"):
+- return None
+-
+- return self.get("krb5realm") != "" or self.getBool("krb5realmdns")
+-
+- def cleanup(self):
+- # Do not remove the file if these options are not set
+- if not self.isset("krb5realm") and not self.isset("krb5realmdns"):
+- return
+-
+-
self.removeFile(Path.System('krb5.conf'))
+-
+- def write(self):
+- if self.isDisabled():
+- return
+-
+- path = Path.Local("snippets/authconfig-krb.conf")
+- config = ConfigSnippet(path, Path.System('krb5.conf'))
+- realm = self.get("krb5realm")
+-
+- keys = {
+- 'realm': self.get("krb5realm"),
+- 'kdc-srv': self.get("krb5kdcdns"),
+- 'realm-srv': self.get("krb5realmdns"),
+- 'kdc': self.get("krb5kdc") if realm else None,
+- 'adminserver': self.get("krb5adminserver") if realm else None,
+- 'domain': realm.lower() if realm else None
+- }
+-
+- config.write(keys)
+-
+- class Network(Base):
+- def __init__(self, options):
+- super(Configuration.Network, self).__init__(options)
+-
+- def write(self):
+- nisdomain = self.get("nisdomain")
+- config = EnvironmentFile(Path.System('network'))
+-
+- if nisdomain is None:
+- return
+-
+- config.set("NISDOMAIN", nisdomain)
+- config.write()
+-
+- class SSSD(Base):
+- def __init__(self, options):
+- super(Configuration.SSSD, self).__init__(options, ServiceName="sssd")
+-
+- def isEnabled(self):
+- if not self.isset("ldap") and not self.isset("sssd"):
+- return None
+-
+- return self.getBool("ldap") or self.getBool("sssd")
+-
+- def cleanup(self):
+- self.removeFile(Path.System('sssd.conf'))
+-
+- def write(self):
+- # Authconfig would not generate sssd in this case so we should not
+- # either. Even if --enablesssd[auth] was provided the configuration
+- # would not be generated.
+- if not self.getBool("ldap"):
+- return
+-
+- path = Path.Local("snippets/authconfig-sssd.conf")
+- config = ConfigSnippet(path, Path.System('sssd.conf'))
+-
+- schema = "rfc2307bis" if self.getBool("rfc2307bis") else None
+-
+- keys = {
+- 'ldap-uri': self.get("ldapserver"),
+- 'ldap-basedn': self.get("ldapbasedn"),
+- 'ldap-tls': self.getTrueOrNone("ldaptls"),
+- 'ldap-schema': schema,
+- 'krb5': self.getTrueOrNone("krb5"),
+- 'kdc-uri': self.get("krb5kdc"),
+- 'kpasswd-uri': self.get("krb5adminserver"),
+- 'realm': self.get("krb5realm"),
+- 'cache-creds': self.getTrueOrNone("cachecreds"),
+- 'cert-auth': self.getTrueOrNone("smartcard")
+- }
+-
+- config.write(keys)
+- os.chmod(Path.System('sssd.conf'), mode=0o600)
+-
+- class Winbind(Base):
+- def __init__(self, options):
+- super(Configuration.Winbind, self).__init__(options, ServiceName="winbind")
+-
+- def isEnabled(self):
+- if not self.isset("winbind") and not self.isset("winbindauth"):
+- return None
+-
+- return self.getBool("winbind") or self.getBool("winbindauth")
+-
+- def write(self):
+- if not self.isset("winbindjoin"):
+- return
+-
+- creds = self.options.get("winbindjoin").split("%", 1)
+-
+- user = creds[0]
+- password = None
+- if len(creds) > 1:
+- password = creds[1] + '\n'
+-
+- args = [
+- 'join',
+- '-U', '"%s"' % user,
+- '--client-software', 'winbind'
+- ]
+-
+- if self.isset("smbworkgroup"):
+- args.append(self.get("smbworkgroup"))
+-
+- cmd = Command(Path.System('cmd-realm'), args, input=password)
+- try:
+- cmd.run()
+- except FileNotFoundError:
+- eprint(_("%s was not found.
Please, install realmd.")
+- % Path.System('cmd-realm'))
+-
+- class PWQuality(Base):
+- def __init__(self, options):
+- super(Configuration.PWQuality, self).__init__(options)
+-
+- def write(self):
+- config = EnvironmentFile(Path.System('pwquality.conf'))
+- value_set = False
+-
+- pwopts = {
+- "minlen": self.get("passminlen"),
+- "minclass": self.get("passminclass"),
+- "maxrepeat": self.get("passmaxrepeat"),
+- "maxclassrepeat": self.get("passmaxclassrepeat"),
+- "lcredit": self.getBoolAsValue("reqlower", -1, 0, AllowNone=True),
+- "ucredit": self.getBoolAsValue("requpper", -1, 0, AllowNone=True),
+- "dcredit": self.getBoolAsValue("reqdigit", -1, 0, AllowNone=True),
+- "ocredit": self.getBoolAsValue("reqother", -1, 0, AllowNone=True)
+- }
+-
+- # Write options only if their are actually set
+- for opt, value in pwopts.items():
+- if value is not None:
+- print(opt + "=" + str(value))
+- config.set(opt, value)
+- value_set = True
+-
+- if value_set:
+- config.write()
+-
+- class MakeHomedir(Base):
+- def __init__(self, options):
+- super(Configuration.MakeHomedir, self).__init__(options, ServiceName="oddjobd")
+-
+- def isEnabled(self):
+- if not self.isset("mkhomedir"):
+- return None
+-
+- return self.getBool("mkhomedir")
+-
+- def disableService(self, nostop):
+- # Never disable the service in case it is already running as
+- # other applications may depend on it.
+- return
+-
+- class NIS(Base):
+- def __init__(self, options):
+- super(Configuration.NIS, self).__init__(options)
+- self.rpcbind = Service("rpcbind")
+- self.ypbind = Service("ypbind")
+-
+- def isEnabled(self):
+- if not self.isset("nis"):
+- return None
+-
+- return self.getBool("nis")
+-
+- def enableService(self, nostart):
+- if not self.isset("nisdomain"):
+- return
+-
+- nisdom = self.get("nisdomain")
+-
+- if not nostart:
+- cmd = Command(Path.System('cmd-domainname'), [nisdom])
+- cmd.run()
+-
+- cmd = Command(Path.System('cmd-setsebool'),
+- ['-P', 'allow_ypbind', '1'])
+- cmd.run()
+-
+- self.rpcbind.enable()
+- self.ypbind.enable()
+-
+- if not nostart:
+- self.rpcbind.start(Restart=False)
+- self.ypbind.start()
+-
+- def disableService(self, nostop):
+- if not nostop:
+- cmd = Command(Path.System('cmd-domainname'), ["(none)"])
+- cmd.run()
+-
+- cmd = Command(Path.System('cmd-setsebool'),
+- ['-P', 'allow_ypbind', '0'])
+- cmd.run()
+-
+- self.rpcbind.disable()
+- self.ypbind.disable()
+-
+- if not nostop:
+- self.rpcbind.stop()
+- self.ypbind.stop()
+-
+- def write(self):
+- if not self.isset("nisdomain"):
+- return
+-
+- output = "domain " + self.get("nisdomain")
+-
+- additional_servers = []
+- if self.isset("nisserver"):
+- servers = self.get("nisserver").split(",")
+- additional_servers = servers[1:]
+- output += " server " + servers[0] + "\n"
+- else:
+- output += " broadcast\n"
+-
+- for server in additional_servers:
+- output += "ypserver " + server + "\n"
+-
+- filename = Path.System('yp.conf')
+- if self.getBool("test-call"):
+- print("========== BEGIN Content of [%s] ==========" % filename)
+- print(output)
+- print("========== END Content of [%s] ==========\n" % filename)
+- return
+-
+- with open(filename, "w") as f:
+- f.write(output)
+-
+-
+-class AuthCompat:
+- def __init__(self):
+- self.sysconfig = EnvironmentFile(Path.System('authconfig'))
+- self.options = Options()
+-
+- self.options.parse()
+-
self.options.applysysconfig(self.sysconfig)
+- self.options.updatesysconfig(self.sysconfig)
+-
+- def printWarning(self):
+- print(_("Running authconfig compatibility tool."))
+- print(_("The purpose of this tool is to enable authentication against "
+- "chosen services with authselect and minimum configuration. "
+- "It does not provide all capabilities of authconfig.\n"))
+- print(_("IMPORTANT: authconfig is replaced by authselect, "
+- "please update your scripts."))
+- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
+- print(_("See man authselect-migration(7) to help you with migration to authselect"))
+-
+- options = self.options.getSetButUnsupported()
+- if options:
+- print(_("Warning: These options are not supported anymore "
+- "and have no effect:"))
+- for name in options:
+- print(" --%s" % name)
+-
+- print("")
+-
+- def printOptions(self):
+- for option in Options.List:
+- print("%s=%s" % (option.name, option.value))
+-
+- def printSysconfig(self):
+- for line in self.sysconfig.getall():
+- print("%s=%s" % (line.name, line.value))
+-
+- def canContinue(self):
+- disallowed = ["test", "probe", "restorebackup", "restorelastbackup"]
+- required = ["update", "updateall", "kickstart"]
+-
+- if not self.options.getBool("test") and os.getuid() != 0:
+- print(_("authconfig can only be run as root"))
+- return False
+-
+- for option in disallowed:
+- if self.options.getBool(option):
+- print(_("Error: option --%s is no longer supported and we "
+- "cannot continue if it is set." % option))
+- return False
+-
+- if self.options.getBool("winbind") != self.options.getBool("winbindauth"):
+- print(_("Error: Both --enablewinbind and --enablewinbindauth must be set."))
+- return False
+-
+- # We require one of these options to perform changes
+- # We encourage to use --updateall since we no longer support just pure
+- # --update or --kickstart, they will act as --updateall.
+- for option in required:
+- if self.options.getBool(option):
+- return True
+-
+- print(_("Error: Please, provide --updateall option."))
+- return False
+-
+- def runAuthselect(self):
+- map = {
+- 'smartcard': 'with-smartcard',
+- 'requiresmartcard': 'with-smartcard-required',
+- 'fingerprint': 'with-fingerprint',
+- 'ecryptfs': 'with-ecryptfs',
+- 'mkhomedir': 'with-mkhomedir',
+- 'faillock': 'with-faillock',
+- 'pamaccess': 'with-pamaccess',
+- 'winbindkrb5': 'with-krb5'
+- }
+-
+- # Read current configuration first.
+- (profile, features) = self.getCurrentAuthselectConfig()
+-
+- # Change profile if requested.
+- if (self.options.getBool("ldap")
+- or self.options.getBool("ldapauth")
+- or self.options.getBool("sssd")
+- or self.options.getBool("sssdauth")):
+- profile = "sssd"
+- elif self.options.getBool("nis"):
+- profile = "nis"
+- elif self.options.getBool("winbind"):
+- profile = "winbind"
+-
+- # Default to sssd
+- if profile is None:
+- profile = "sssd"
+-
+- # Add enabled and remove disabled features.
+- for option, feature in map.items():
+- if not self.options.isset(option):
+- continue
+-
+- enabled = self.options.getBool(option)
+- if enabled:
+- features.append(feature)
+- else:
+- while feature in features:
+- features.remove(feature)
+-
+- # Add lock-on-smartcard-removal if requested
+- if self.options.isset("smartcardaction"):
+- if int(self.options.get("smartcardaction")) == 0:
+- features.append("with-smartcard-lock-on-removal")
+- else:
+- features.remove("with-smartcard-lock-on-removal")
+-
+- # Remove duplicates. The order is not kept but that does not matter.
+- features = list(set(features))
+-
+- # Always run with --force. This is either first call of authconfig
+- # in installation script or it is run on already configured system.
+- # We want to use authselect in both cases anyway, since authconfig
+- # would change the configuration either way.
+- args = ["select", profile]
+- args.extend(features)
+- args.append("--force")
+-
+- cmd = Command(Path.System('cmd-authselect'), args)
+- cmd.run()
+-
+- def getCurrentAuthselectConfig(self):
+- cmd = Command(Path.System('cmd-authselect'), ['check'], check=False)
+- cmd.run()
+-
+- if cmd.result is None or cmd.result.returncode != 0:
+- return (None, [])
+-
+- cmd = Command(Path.System('cmd-authselect'), ['current', '--raw'])
+- cmd.run()
+-
+- current = cmd.result.stdout.decode("utf-8").split()
+- return (current[0], current[1:])
+-
+- def writeConfiguration(self):
+- configs = [
+- Configuration.LDAP(self.options),
+- Configuration.Network(self.options),
+- Configuration.Kerberos(self.options),
+- Configuration.SSSD(self.options),
+- Configuration.Winbind(self.options),
+- Configuration.PWQuality(self.options),
+- Configuration.MakeHomedir(self.options),
+- Configuration.NIS(self.options)
+- ]
+-
+- for config in configs:
+- # Configuration decides if it needs to write something or not
+- config.write()
+-
+- # Enable or disable service if needed
+- nostart = self.options.getBool("nostart")
+- try:
+- enabled = config.isEnabled()
+-
+- # Skip service management if it can not be decided
+- if enabled is None:
+- continue
+-
+- if enabled:
+- config.enableService(nostart)
+- else:
+- config.disableService(nostart)
+- config.cleanup()
+- except subprocess.CalledProcessError as result:
+- # This is not fatal error.
+- eprint(_("Command [%s] failed with %d, stderr:") +- % (' '.join(result.cmd), result.returncode)) +- eprint(result.stderr.decode()) +- +- +-def main(): +- try: +- locale.setlocale(locale.LC_ALL, '') +- except locale.Error: +- sys.stderr.write('Warning: Unsupported locale setting.\n') +- +- authcompat = AuthCompat() +- authcompat.printWarning() +- +- Command.TEST = authcompat.options.getBool("test-call") +- EnvironmentFile.TEST = authcompat.options.getBool("test-call") +- ConfigSnippet.TEST = authcompat.options.getBool("test-call") +- +- if not authcompat.canContinue(): +- sys.exit(1) +- +- try: +- authcompat.runAuthselect() +- authcompat.writeConfiguration() +- authcompat.sysconfig.write() +- except subprocess.CalledProcessError as result: +- eprint(_("Command [%s] failed with %d, stderr:") +- % (' '.join(result.cmd), result.returncode)) +- eprint(result.stderr.decode()) +- +- sys.exit(0) +- +- +-if __name__ == "__main__": +- main() +diff --git a/src/compat/authcompat_ConfigSnippet.py b/src/compat/authcompat_ConfigSnippet.py +deleted file mode 100644 +index 01033ea0ab71e0eb235f03f1fb2a6aec124e2286..0000000000000000000000000000000000000000 +--- a/src/compat/authcompat_ConfigSnippet.py ++++ /dev/null +@@ -1,92 +0,0 @@ +-# -*- coding: utf-8 -*- +-# +-# Authors: +-# Pavel Březina +-# +-# Copyright (C) 2018 Red Hat +-# +-# This program is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License as published by +-# the Free Software Foundation; either version 3 of the License, or +-# (at your option) any later version. +-# +-# This program is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License +-# along with this program. If not, see . 
+-# +- +-import errno +-import os +-import re +- +- +-class ConfigSnippet: +- TEST = False +- +- AllKeysRE = re.compile(r'\${\??(?P[\w-]*)}') +- DummyKeysRE = re.compile(r'\${\?[\w-]*}') +- +- def __init__(self, template, destination): +- with open(template, "r") as f: +- self.template = f.read() +- +- self.destination = destination +- +- def generate(self, values): +- # First remove lines containing key that is not set +- lines = self.template.split('\n') +- remove = [] +- +- for idx, line in enumerate(lines): +- for match in self.AllKeysRE.finditer(line): +- key = match.group("key") +- if key not in values or values[key] is None: +- remove.append(idx) +- break +- +- for idx in sorted(remove, reverse=True): +- del lines[idx] +- +- # Build output string +- output = '\n'.join(lines) +- +- # Remove all dummy keys ${?key} +- output = self.DummyKeysRE.sub("", output) +- +- # Replace values +- for key, value in values.items(): +- if value is None: +- continue +- +- if type(value) is bool: +- value = "true" if value else "false" +- +- output = output.replace("${%s}" % key, value) +- +- return output +- +- def write(self, values, to_stdout=False): +- output = self.generate(values) +- +- if self.TEST: +- print("========== BEGIN Content of [%s] ==========" % self.destination) +- print(output) +- print("========== END Content of [%s] ==========\n" % self.destination) +- return +- +- dirname = os.path.dirname(self.destination) +- if not os.path.exists(dirname): +- try: +- os.makedirs(dirname) +- except OSError as exception: +- if exception.errno == errno.EEXIST and os.path.isdir(dirname): +- pass +- else: +- raise +- +- with open(self.destination, "w") as f: +- f.write(output) +diff --git a/src/compat/authcompat_EnvironmentFile.py b/src/compat/authcompat_EnvironmentFile.py +deleted file mode 100644 +index 2dabd5963ce1aa7160801415f3bf69d4a793cdd1..0000000000000000000000000000000000000000 +--- a/src/compat/authcompat_EnvironmentFile.py ++++ /dev/null +@@ -1,216 +0,0 @@ +-# -*- 
coding: utf-8 -*- +-# +-# Authors: +-# Pavel Březina +-# +-# Copyright (C) 2018 Red Hat +-# +-# This program is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License as published by +-# the Free Software Foundation; either version 3 of the License, or +-# (at your option) any later version. +-# +-# This program is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License +-# along with this program. If not, see . +-# +- +-import errno +-import os +-import re +- +- +-class EnvironmentFile: +- TEST = False +- +- def __init__(self, filename, +- delimiter='=', delimiter_re=None, +- quotes=True): +- self.filename = filename +- self.delimiter = delimiter +- self.quotes = quotes +- self.environment = [] +- +- delimiter_re = delimiter_re if delimiter_re is not None else delimiter +- self.pattern = re.compile(r'^(\s*)(\S*)([^\n\S]*)(' +- + delimiter_re +- + r')([^\n\S]*)(.*)$', +- re.MULTILINE) +- +- self.read() +- +- def read(self): +- try: +- with open(self.filename, "r") as f: +- lines = f.readlines() +- except FileNotFoundError: +- return +- +- for line in lines: +- parsed = self.Line.Parse(line, self.pattern, +- self.delimiter, self.quotes) +- self.environment.append(parsed) +- +- def write(self): +- output = "" +- for line in self.environment: +- output = output + line.getLine() +- +- if self.TEST: +- print("========== BEGIN Content of [%s] ==========" % self.filename) +- print(output) +- print("========== END Content of [%s] ==========\n" % self.filename) +- return +- +- dirname = os.path.dirname(self.filename) +- if not os.path.exists(dirname): +- try: +- os.makedirs(dirname) +- except OSError as exception: +- if exception.errno == errno.EEXIST and 
os.path.isdir(dirname): +- pass +- else: +- raise +- +- with open(self.filename, "w") as f: +- f.write(output) +- +- def get(self, name, default=None): +- value = None +- for line in self.environment: +- if line.isVariable() and line.name == name: +- value = line.value +- +- if value is None: +- return default +- +- if value.lower() in [None, "no", "false", "f", "n"]: +- return False +- elif value.lower() in ["yes", "true", "t", "y"]: +- return True +- +- return value +- +- def getall(self): +- lines = [] +- for line in self.environment: +- if line.isVariable(): +- lines.append(line) +- +- return lines +- +- def set(self, name, value): +- if type(value) is bool: +- value = "yes" if value else "no" +- +- for line in self.environment: +- if line.isVariable() and line.name == name: +- line.set(name, value) +- return +- +- line = self.Line(self.delimiter, self.quotes) +- line.set(name, value) +- self.environment.append(line) +- +- class Line: +- def __init__(self, delimiter, quotes, +- name=None, value=None, original=None, fmt=None): +- self.delimiter = delimiter +- self.quotes = quotes +- self.name = name +- self.value = value +- self.original = original +- self.fmt = fmt +- +- def isVariable(self): +- return self.fmt is not None +- +- def isOriginal(self): +- return self.original is not None +- +- def set(self, name, value): +- self.name = name +- self.value = value +- if self.fmt is None: +- self.fmt = "${name}%s${value}\n" % self.delimiter +- +- def getLine(self): +- if self.isOriginal(): +- return self.original +- +- value = self.value if self.value is not None else "" +- replacement = { +- 'name': self.name, +- 'value': self.Escape(value, self.quotes) +- } +- +- line = self.fmt +- for key, value in replacement.items(): +- line = line.replace("${" + key + "}", str(value)) +- +- return line +- +- @staticmethod +- def Parse(line, pattern, delimiter, quotes): +- match = pattern.match(line) +- if line.startswith('#') or not line.strip() or not match: +- return 
EnvironmentFile.Line(delimiter, quotes, original=line) +- +- name = match.group(2) +- value = EnvironmentFile.Line.Unescape(match.group(6), quotes) +- fmt = "%s${name}%s%s%s${value}\n" % (match.group(1), +- match.group(3), +- match.group(4), +- match.group(5)) +- +- return EnvironmentFile.Line(delimiter, quotes, name=name, +- value=value, fmt=fmt) +- +- @staticmethod +- def Escape(value, quotes): +- if value is None: +- return "" +- +- value = str(value) +- value = value.replace("\\", "\\\\") +- value = value.replace("\"", "\\\"") +- value = value.replace("'", "\\\'") +- value = value.replace("$", "\\$") +- value = value.replace("~", "\\~") +- value = value.replace("`", "\\`") +- +- if quotes: +- if value.find(" ") > 0 or value.find("\t") > 0: +- value = "\"" + value + "\"" +- +- return value +- +- @staticmethod +- def Unescape(value, quotes): +- if not value: +- return value +- +- value = str(value) +- +- length = len(value) +- if quotes: +- if (value[0] == "\"" or value[0] == "'") and value[0] == value[length - 1]: +- value = value[1:length - 1] +- +- i = 0 +- while True: +- i = value.find("\\", i) +- if i < 0: +- break +- if i + 1 >= len(value): +- value = value[0:i] +- break +- +- value = value[0:i] + value[i + 1:] +- i += 1 +- +- return value +diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py +deleted file mode 100644 +index d26dedabdfb9519861076b58cddd0dd0eb04b7cb..0000000000000000000000000000000000000000 +--- a/src/compat/authcompat_Options.py ++++ /dev/null +@@ -1,326 +0,0 @@ +-# -*- coding: utf-8 -*- +-# +-# Authors: +-# Pavel Březina +-# +-# Copyright (C) 2018 Red Hat +-# +-# This program is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License as published by +-# the Free Software Foundation; either version 3 of the License, or +-# (at your option) any later version. 
+-# +-# This program is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for morerequi details. +-# +-# You should have received a copy of the GNU General Public License +-# along with this program. If not, see . +-# +- +-import argparse +-import gettext +- +-_ = gettext.gettext +- +- +-class Option: +- def __init__(self, name, metavar, help, feature, supported): +- self.name = name +- self.metavar = metavar +- self.help = help +- self.feature = feature +- self.supported = supported +- self.value = None +- self.from_sysconfig = False +- +- def set(self, new_value): +- self.value = new_value +- +- def set_from_sysconfig(self, new_value): +- self.set(new_value) +- self.from_sysconfig = True +- +- def isset(self): +- return self.value is not None +- +- @staticmethod +- def Valued(name, metavar, help): +- return Option(name, metavar, help, feature=False, supported=True) +- +- @staticmethod +- def Switch(name, help): +- return Option(name, None, help, feature=False, supported=True) +- +- @staticmethod +- def Feature(name, help): +- return Option(name, None, help, feature=True, supported=True) +- +- @staticmethod +- def UnsupportedValued(name, metavar): +- return Option(name, metavar, None, feature=False, supported=False) +- +- @staticmethod +- def UnsupportedFeature(name): +- return Option(name, None, None, feature=True, supported=False) +- +- @staticmethod +- def UnsupportedSwitch(name): +- return Option(name, None, None, feature=False, supported=False) +- +- +-class Options: +- List = [ +- # These options are still supported in authconfig compatibility +- # layers. The tool will do its best to translate them to authselect +- # call and where needed, it will generate a configuration file. +- # +- # However, they will just make sure that an authentication against +- # expected service is working. 
They may not result in the exact same +- # configuration as authconfig would generate. +- Option.Feature("nis", _("NIS for user information by default")), +- Option.Valued("nisdomain", _(""), _("default NIS domain")), +- Option.Valued("nisserver", _(""), _("default NIS server")), +- Option.Feature("ldap", _("LDAP for user information by default")), +- Option.Feature("ldapauth", _("LDAP for authentication by default")), +- Option.Valued("ldapserver", _(""), _("default LDAP server hostname or URI")), +- Option.Valued("ldapbasedn", _(""), _("default LDAP base DN")), +- Option.Feature("ldaptls", _("use of TLS with LDAP (RFC-2830)")), +- Option.Feature("ldapstarttls", _("use of TLS for identity lookups with LDAP (RFC-2830)")), +- Option.Feature("rfc2307bis", _("use of RFC-2307bis schema for LDAP user information lookups")), +- Option.Feature("smartcard", _("authentication with smart card by default")), +- Option.Valued("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")), +- Option.Feature("requiresmartcard", _("require smart card for authentication by default")), +- Option.Feature("fingerprint", _("authentication with fingerprint readers by default")), +- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")), +- Option.Feature("krb5", _("Kerberos authentication by default")), +- Option.Valued("krb5kdc", _(""), _("default Kerberos KDC")), +- Option.Valued("krb5adminserver", _(""), _("default Kerberos admin server")), +- Option.Valued("krb5realm", _(""), _("default Kerberos realm")), +- Option.Feature("krb5kdcdns", _("use of DNS to find Kerberos KDCs")), +- Option.Feature("krb5realmdns", _("use of DNS to find Kerberos realms")), +- Option.Feature("winbind", _("winbind for user information by default")), +- Option.Feature("winbindauth", _("winbind for authentication by default")), +- Option.Valued("winbindjoin", _(""), _("join the winbind domain or ads realm now as this administrator")), +- Option.Feature("winbindkrb5", 
_("Kerberos 5 for authenticate with winbind")), +- Option.Valued("smbworkgroup", _(""), _("workgroup authentication servers are in")), +- Option.Feature("sssd", _("SSSD for user information by default with manually managed configuration")), +- Option.Feature("sssdauth", _("SSSD for authentication by default with manually managed configuration")), +- Option.Feature("cachecreds", _("caching of user credentials in SSSD by default")), +- Option.Feature("pamaccess", _("check of access.conf during account authorization")), +- Option.Feature("mkhomedir", _("creation of home directories for users on their first login")), +- Option.Feature("faillock", _("account locking in case of too many consecutive authentication failures")), +- Option.Valued("passminlen", _(""), _("minimum length of a password")), +- Option.Valued("passminclass", _(""), _("minimum number of character classes in a password")), +- Option.Valued("passmaxrepeat", _(""), _("maximum number of same consecutive characters in a password")), +- Option.Valued("passmaxclassrepeat", _(""), _("maximum number of consecutive characters of same class in a password")), +- Option.Feature("reqlower", _("require at least one lowercase character in a password")), +- Option.Feature("requpper", _("require at least one uppercase character in a password")), +- Option.Feature("reqdigit", _("require at least one digit in a password")), +- Option.Feature("reqother", _("require at least one other character in a password")), +- +- # Program options +- Option.Switch("nostart", _("do not start/stop services")), +- Option.Switch("updateall", _("update all configuration files")), +- Option.Switch("update", _("the same as --updateall")), +- Option.Switch("kickstart", _("the same as --updateall")), +- +- # Hidden compat tool option, useful for testing. No changes to the +- # system will be done, they will be printed. 
+- Option.Switch("test-call", argparse.SUPPRESS), +- +- # Unsupported program options but we have to react somehow when set +- Option.UnsupportedSwitch("test"), +- Option.UnsupportedSwitch("probe"), +- Option.UnsupportedValued("savebackup", _("")), +- Option.UnsupportedValued("restorebackup", _("")), +- Option.UnsupportedSwitch("restorelastbackup"), +- +- # These options are no longer supported in authconfig compatibility +- # layers and will produce warning when used. They will not affect +- # the system. +- Option.UnsupportedFeature("cache"), +- Option.UnsupportedFeature("shadow"), +- Option.UnsupportedSwitch("useshadow"), +- Option.UnsupportedFeature("md5"), +- Option.UnsupportedSwitch("usemd5"), +- Option.UnsupportedValued("passalgo", _("")), +- Option.UnsupportedValued("ldaploadcacert", _("")), +- Option.UnsupportedValued("smartcardmodule", _("")), +- Option.UnsupportedValued("smbsecurity", _("")), +- Option.UnsupportedValued("smbrealm", _("")), +- Option.UnsupportedValued("smbservers", _("")), +- Option.UnsupportedValued("smbidmaprange", _("")), +- Option.UnsupportedValued("smbidmapuid", _("")), +- Option.UnsupportedValued("smbidmapgid", _("")), +- Option.UnsupportedValued("winbindseparator", _("<\\>")), +- Option.UnsupportedValued("winbindtemplatehomedir", _("")), +- Option.UnsupportedValued("winbindtemplateshell", _("")), +- Option.UnsupportedFeature("winbindusedefaultdomain"), +- Option.UnsupportedFeature("winbindoffline"), +- Option.UnsupportedFeature("preferdns"), +- Option.UnsupportedFeature("forcelegacy"), +- Option.UnsupportedFeature("locauthorize"), +- Option.UnsupportedFeature("sysnetauth"), +- Option.UnsupportedValued("faillockargs", _("")), +- ] +- +- Map = { +- # These options were use with autodetection of pam_cracklib +- # and pam_passwdqc. However, authselect supports only pam_pwquality. 
+- # "USEPWQUALITY" : "", +- # "USEPASSWDQC" : "", +- "USEFAILLOCK": "faillock", +- "FAILLOCKARGS": "faillockargs", +- "USELDAP": "ldap", +- "USENIS": "nis", +- "USEECRYPTFS": "ecryptfs", +- "USEWINBIND": "winbind", +- "WINBINDKRB5": "winbindkrb5", +- "USESSSD": "sssd", +- "USEKERBEROS": "krb5", +- "USELDAPAUTH": "ldapauth", +- "USESMARTCARD": "smartcard", +- "FORCESMARTCARD": "requiresmartcard", +- "USEFPRINTD": "fingerprint", +- "PASSWDALGORITHM": "passalgo", +- "USEMD5": "md5", +- "USESHADOW": "shadow", +- "USEWINBINDAUTH": "winbindauth", +- "USESSSDAUTH": "sssdauth", +- "USELOCAUTHORIZE": "locauthorize", +- "USEPAMACCESS": "pamaccess", +- "USEMKHOMEDIR": "mkhomedir", +- "USESYSNETAUTH": "sysnetauth", +- "FORCELEGACY": "forcelegacy", +- "CACHECREDENTIALS": "cachecreds", +- } +- +- def __init__(self): +- self.options = {} +- +- for option in self.List: +- self.options[option.name] = option +- +- def parse(self): +- parser = argparse.ArgumentParser(description='Authconfig Compatibility Tool.') +- +- parsers = { +- 'supported': parser.add_argument_group(_('These options have a compatibility layer')), +- 'unsupported': parser.add_argument_group(_('These options are no longer supported and have no effect')) +- } +- +- for option in self.List: +- group = 'supported' if option.supported else 'unsupported' +- self.add_option(parsers[group], option) +- +- cmdline = parser.parse_args() +- +- for name, option in self.options.items(): +- value = getattr(cmdline, name) +- option.set(value) +- +- # usemd5 and useshadow are equivalent to enablemd5 and enableshadow +- if not self.isset('md5') and self.isset('usemd5'): +- self.set('md5', self.get('usemd5')) +- +- if not self.isset('shadow') and self.isset('useshadow'): +- self.set('shadow', self.get('useshadow')) +- +- # ldapstarttls is equivalent to ldaptls +- if self.isset('ldapstarttls') and not self.isset('ldaptls'): +- self.set('ldaptls', self.get('ldapstarttls')) +- +- def applysysconfig(self, sysconfig): +- for name, 
option in self.Map.items(): +- if not self.isset(option): +- self.options[option].set_from_sysconfig(sysconfig.get(name)) +- +- def updatesysconfig(self, sysconfig): +- for name, option in self.Map.items(): +- if self.isset(option): +- sysconfig.set(name, self.get(option)) +- +- def get(self, name): +- return self.options[name].value +- +- def set(self, name, value): +- self.options[name].set(value) +- +- def isset(self, name): +- return self.options[name].isset() +- +- def getBool(self, name): +- value = self.get(name) +- if value is None or not value: +- return False +- return True +- +- def getTrueOrNone(self, name): +- value = self.get(name) +- if value is None or not value: +- return None +- return True +- +- def getSetButUnsupported(self): +- options = [] +- for option in Options.List: +- if option.supported: +- continue +- +- if not option.isset(): +- continue +- +- if option.from_sysconfig: +- continue +- +- name = option.name +- if option.feature: +- name = "enable" + name if option.value else "disable" + name +- +- options.append(name) +- +- return options +- +- def add_option(self, parser, option): +- if option.metavar is not None: +- self.add_valued(parser, option) +- elif option.feature: +- self.add_feature(parser, option) +- else: +- self.add_switch(parser, option) +- +- def add_valued(self, parser, option): +- parser.add_argument("--" + option.name, +- action='store', +- help=option.help, +- dest=option.name, +- metavar=option.metavar) +- +- def add_switch(self, parser, option): +- parser.add_argument("--" + option.name, +- action='store_const', +- const=True, +- help=option.help, +- dest=option.name) +- +- def add_feature(self, parser, option): +- help_enable = None +- help_disable = None +- +- if option.help is not None: +- help_enable = _("enable") + " " + option.help +- help_disable = _("disable") + " " + option.help +- +- parser.add_argument("--enable" + option.name, +- action='store_const', +- const=True, +- help=help_enable, +- 
dest=option.name) +- +- parser.add_argument("--disable" + option.name, +- action='store_const', +- const=False, +- help=help_disable, +- dest=option.name) +diff --git a/src/compat/snippets/authconfig-krb.conf b/src/compat/snippets/authconfig-krb.conf +deleted file mode 100644 +index e5ace8626321795c009ed9c0050cd35cab6a8ee0..0000000000000000000000000000000000000000 +--- a/src/compat/snippets/authconfig-krb.conf ++++ /dev/null +@@ -1,14 +0,0 @@ +-[libdefaults] +- dns_lookup_kdc = ${kdc-srv} +- dns_lookup_realm = ${realm-srv} +- default_realm = ${realm} +- +-[realms] +- ${realm} = { +- kdc = ${kdc} +- admin_server = ${adminserver} +- ${?realm}} +- +-[domain_realm] +- ${domain} = ${realm} +- .${domain} = ${realm} +diff --git a/src/compat/snippets/authconfig-sssd.conf b/src/compat/snippets/authconfig-sssd.conf +deleted file mode 100644 +index 13bd1dcb84c0b4a983d19dc00d8a73e4c7c2cee4..0000000000000000000000000000000000000000 +--- a/src/compat/snippets/authconfig-sssd.conf ++++ /dev/null +@@ -1,18 +0,0 @@ +-[sssd] +-domains = default +- +-[domain/default] +-id_provider = ldap +-auth_provider${?krb5} = krb5 +-ldap_uri = ${ldap-uri} +-ldap_search_base = ${ldap-basedn} +-ldap_id_use_start_tls = ${ldap-tls} +-ldap_schema = ${ldap-schema} +-krb5_server${?krb5} = ${kdc-uri} +-krb5_kpasswd${?krb5} = ${kpasswd-uri} +-krb5_realm${?krb5} = ${realm} +-krb5_store_password_if_offline${?krb5} = ${cache-credentials} +-cache_credentials = ${cache-credentials} +- +-[pam]${?cert-auth} +-pam_cert_auth = ${cert-auth} +diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 +index ae8fa0274e038e98115d000717487dbdbc04df4c..8dafd94cf57398ce1c654d83289d210ac730d14d 100644 +--- a/src/conf_macros.m4 ++++ b/src/conf_macros.m4 +@@ -81,15 +81,6 @@ AS_IF([test "x$enable_debug_template_regex" = "xyes"], + ) + ) + +-AC_ARG_WITH([compat], +- [AC_HELP_STRING([--with-compat], [Build with compatibility tool [no]])], +- [], with_compat=no +-) +-if test x"$with_compat" = xyes; then +- AM_PATH_PYTHON([3]) +-fi 
+-AM_CONDITIONAL([BUILD_COMPAT], [test x$with_compat = xyes]) +- + AC_ARG_WITH([nis-profile], + [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])], + [], with_nis_profile=no +-- +2.42.0 + diff --git a/SOURCES/0007-ci-remove-python-checks.patch b/SOURCES/0007-ci-remove-python-checks.patch new file mode 100644 index 0000000..7b3fccd --- /dev/null +++ b/SOURCES/0007-ci-remove-python-checks.patch @@ -0,0 +1,46 @@ +From 23936036c5b6cd51843a7f964998f5345877fa8e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 23 Feb 2024 13:34:31 +0100 +Subject: [PATCH 07/11] ci: remove python checks + +With the compat tool gone, there is no other python script. +--- + .github/workflows/analyze.yml | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml +index 37682f068b586dc0e7ba34f1098f4009b88e7254..16b48b031519b81221de9248d65f076b2616b2f7 100644 +--- a/.github/workflows/analyze.yml ++++ b/.github/workflows/analyze.yml +@@ -25,7 +25,7 @@ jobs: + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: +- languages: cpp, python ++ languages: cpp + queries: +security-and-quality + + - name: Autobuild +@@ -33,19 +33,3 @@ jobs: + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 +- +- flake8: +- runs-on: ubuntu-latest +- permissions: +- contents: read +- steps: +- - name: Checkout repository +- uses: actions/checkout@v2 +- +- - name: Install flake8 +- run: | +- sudo apt update +- sudo apt install -y flake8 +- +- - name: Execute flake8 on the repository +- run: flake8 --ignore=W503,E501 src/compat/authcompat.py.in.in . +-- +2.42.0 + diff --git a/SOURCES/0008-pot-update-pot-files.patch b/SOURCES/0008-pot-update-pot-files.patch new file mode 100644 index 0000000..5351deb --- /dev/null +++ b/SOURCES/0008-pot-update-pot-files.patch 
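Review bot: The CodeQL steps that the `analyze.yml` hunks in 0007-ci-remove-python-checks.patch leave in place are referenced by a movable major tag (`uses: github/codeql-action/init@v1`, `uses: github/codeql-action/analyze@v1`), so the analysis job runs whatever commit that tag currently points to. While this workflow is being touched, pin both to a full commit SHA with the release noted in a trailing comment, for example `uses: github/codeql-action/init@<full-commit-sha> # <release-tag>`. The v1 line of that action has, as far as I know, been retired upstream, so confirm the job still runs at all after this change. The job definition and any `permissions:` block for it begin outside the hunk, so token scope cannot be checked from here.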
@@ -0,0 +1,2561 @@ +From 9159f3a5306ae12139e283858f942c0891d5b098 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 23 Feb 2024 14:08:47 +0100 +Subject: [PATCH 08/11] pot: update pot files + +--- + po/authselect.pot | 536 ++++----------------- + src/man/po/authselect-migration.7.adoc.pot | 218 ++++----- + src/man/po/authselect-profiles.5.adoc.pot | 259 +++++----- + src/man/po/authselect.8.adoc.pot | 171 ++----- + 4 files changed, 349 insertions(+), 835 deletions(-) + +diff --git a/po/authselect.pot b/po/authselect.pot +index 3428c421b57a5b9b06452c986cb47856a5b48f60..77e626f303ae1d54b28e90ffd5642502c65690dc 100644 +--- a/po/authselect.pot ++++ b/po/authselect.pot +@@ -6,9 +6,9 @@ + #, fuzzy + msgid "" + msgstr "" +-"Project-Id-Version: authselect 1.4.2\n" ++"Project-Id-Version: authselect 1.5.0\n" + "Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n" +-"POT-Creation-Date: 2023-09-27 13:03+0200\n" ++"POT-Creation-Date: 2024-02-23 14:08+0100\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" +@@ -565,7 +565,7 @@ msgid "Unable to get basename of [%s]" + msgstr "" + + #: src/lib/util/dir.c:90 src/lib/util/dir.c:97 src/lib/util/file.c:126 +-#: src/lib/util/file.c:199 src/cli/main.c:857 ++#: src/lib/util/file.c:199 src/cli/main.c:848 + #, c-format + msgid "Unable to stat [%s] [%d]: %s" + msgstr "" +@@ -855,7 +855,7 @@ msgstr "" + msgid "[OPTIONS...]" + msgstr "" + +-#: src/cli/cli_tool.c:337 src/cli/cli_tool.c:389 src/cli/main.c:849 ++#: src/cli/cli_tool.c:337 src/cli/cli_tool.c:389 src/cli/main.c:840 + msgid "Out of memory!" + msgstr "" + +@@ -894,14 +894,14 @@ msgid "" + "\n" + msgstr "" + +-#: src/cli/main.c:76 src/cli/main.c:441 src/cli/main.c:484 ++#: src/cli/main.c:76 src/cli/main.c:432 src/cli/main.c:475 + msgid "Profile identifier." 
+ msgstr "" + +-#: src/cli/main.c:79 src/cli/main.c:257 src/cli/main.c:302 src/cli/main.c:351 +-#: src/cli/main.c:399 src/cli/main.c:444 src/cli/main.c:487 src/cli/main.c:660 +-#: src/cli/main.c:737 src/cli/main.c:784 src/cli/main.c:824 src/cli/main.c:889 +-#: src/cli/main.c:915 ++#: src/cli/main.c:79 src/cli/main.c:248 src/cli/main.c:293 src/cli/main.c:342 ++#: src/cli/main.c:390 src/cli/main.c:435 src/cli/main.c:478 src/cli/main.c:651 ++#: src/cli/main.c:728 src/cli/main.c:775 src/cli/main.c:815 src/cli/main.c:880 ++#: src/cli/main.c:906 + msgid "Unable to parse command arguments" + msgstr "" + +@@ -918,15 +918,15 @@ msgstr "" + msgid "Enforce changes" + msgstr "" + +-#: src/cli/main.c:162 src/cli/main.c:250 src/cli/main.c:650 src/cli/main.c:728 ++#: src/cli/main.c:162 src/cli/main.c:241 src/cli/main.c:641 src/cli/main.c:719 + msgid "Backup system files before activating profile (generate unique name)" + msgstr "" + +-#: src/cli/main.c:163 src/cli/main.c:251 src/cli/main.c:651 src/cli/main.c:729 ++#: src/cli/main.c:163 src/cli/main.c:242 src/cli/main.c:642 src/cli/main.c:720 + msgid "Backup system files before activating profile" + msgstr "" + +-#: src/cli/main.c:163 src/cli/main.c:251 src/cli/main.c:651 src/cli/main.c:729 ++#: src/cli/main.c:163 src/cli/main.c:242 src/cli/main.c:642 src/cli/main.c:720 + msgid "NAME" + msgstr "" + +@@ -934,179 +934,175 @@ msgstr "" + msgid "Do not backup system files when --force is set" + msgstr "" + +-#: src/cli/main.c:165 src/cli/main.c:652 ++#: src/cli/main.c:165 src/cli/main.c:643 + msgid "Do not print profile requirements" + msgstr "" + +-#: src/cli/main.c:176 src/cli/main.c:414 src/cli/main.c:450 src/cli/main.c:493 +-#: src/cli/main.c:525 src/cli/main.c:679 ++#: src/cli/main.c:176 src/cli/main.c:405 src/cli/main.c:441 src/cli/main.c:484 ++#: src/cli/main.c:516 src/cli/main.c:670 + #, c-format + msgid "Unable to get profile information [%d]: %s" + msgstr "" + +-#: src/cli/main.c:184 src/cli/main.c:533 src/cli/main.c:687 
++#: src/cli/main.c:184 src/cli/main.c:524 src/cli/main.c:678 + msgid "Unable to read profile requirements!" + msgstr "" + +-#: src/cli/main.c:192 +-msgid "Unable to obtain nsswitch maps!" +-msgstr "" +- +-#: src/cli/main.c:207 ++#: src/cli/main.c:198 + msgid "" + "\n" + "Some unexpected changes to the configuration were detected.\n" + "Use --force parameter if you want to overwrite these changes.\n" + msgstr "" + +-#: src/cli/main.c:212 ++#: src/cli/main.c:203 + #, c-format + msgid "Unable to activate profile [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:217 ++#: src/cli/main.c:208 + #, c-format + msgid "Profile \"%s\" was selected.\n" + msgstr "" + +-#: src/cli/main.c:220 ++#: src/cli/main.c:211 + msgid "The following nsswitch maps are overwritten by the profile:\n" + msgstr "" + +-#: src/cli/main.c:223 ++#: src/cli/main.c:214 + #, c-format + msgid "- %s\n" + msgstr "" + +-#: src/cli/main.c:228 ++#: src/cli/main.c:219 + #, c-format + msgid "" + "\n" + "%s\n" + msgstr "" + +-#: src/cli/main.c:269 ++#: src/cli/main.c:260 + msgid "Changes were successfully applied.\n" + msgstr "" + +-#: src/cli/main.c:272 src/cli/main.c:308 src/cli/main.c:669 ++#: src/cli/main.c:263 src/cli/main.c:299 src/cli/main.c:660 + msgid "No existing configuration detected.\n" + msgstr "" + +-#: src/cli/main.c:275 ++#: src/cli/main.c:266 + msgid "" + "Some unexpected changes to the configuration were detected. 
Use 'select' " + "command instead.\n" + msgstr "" + +-#: src/cli/main.c:279 ++#: src/cli/main.c:270 + #, c-format + msgid "Unable to apply changes [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:296 ++#: src/cli/main.c:287 + msgid "Print command parameters instead of formatted output" + msgstr "" + +-#: src/cli/main.c:311 src/cli/main.c:672 ++#: src/cli/main.c:302 src/cli/main.c:663 + #, c-format + msgid "Unable to get current configuration [%d]: %s" + msgstr "" + +-#: src/cli/main.c:325 ++#: src/cli/main.c:316 + #, c-format + msgid "Profile ID: %s\n" + msgstr "" + +-#: src/cli/main.c:326 ++#: src/cli/main.c:317 + msgid "Enabled features:" + msgstr "" + +-#: src/cli/main.c:329 ++#: src/cli/main.c:320 + msgid " None\n" + msgstr "" + +-#: src/cli/main.c:357 ++#: src/cli/main.c:348 + #, c-format + msgid "Unable to test current configuration [%d]: %s" + msgstr "" + +-#: src/cli/main.c:364 ++#: src/cli/main.c:355 + msgid "" + "Current configuration is not valid. It was probably modified outside " + "authselect." + msgstr "" + +-#: src/cli/main.c:371 ++#: src/cli/main.c:362 + msgid "Current configuration is valid." + msgstr "" + +-#: src/cli/main.c:374 ++#: src/cli/main.c:365 + msgid "No configuration detected." + msgstr "" + +-#: src/cli/main.c:378 ++#: src/cli/main.c:369 + msgid "System was not configured with authselect." + msgstr "" + +-#: src/cli/main.c:405 ++#: src/cli/main.c:396 + msgid "Unable to get profile list!" 
+ msgstr "" + +-#: src/cli/main.c:458 ++#: src/cli/main.c:449 + #, c-format + msgid "Unable to get profile features [%d]: %s" + msgstr "" + +-#: src/cli/main.c:572 ++#: src/cli/main.c:563 + msgid "Print content of all files" + msgstr "" + +-#: src/cli/main.c:573 ++#: src/cli/main.c:564 + msgid "Print nsswitch.conf content" + msgstr "" + +-#: src/cli/main.c:574 ++#: src/cli/main.c:565 + msgid "Print system-auth content" + msgstr "" + +-#: src/cli/main.c:575 ++#: src/cli/main.c:566 + msgid "Print password-auth content" + msgstr "" + +-#: src/cli/main.c:576 ++#: src/cli/main.c:567 + msgid "Print smartcard-auth content" + msgstr "" + +-#: src/cli/main.c:577 ++#: src/cli/main.c:568 + msgid "Print fingerprint-auth content" + msgstr "" + +-#: src/cli/main.c:578 ++#: src/cli/main.c:569 + msgid "Print postlogin content" + msgstr "" + +-#: src/cli/main.c:579 ++#: src/cli/main.c:570 + msgid "Print dconf database content" + msgstr "" + +-#: src/cli/main.c:580 ++#: src/cli/main.c:571 + msgid "Print dconf lock content" + msgstr "" + +-#: src/cli/main.c:607 ++#: src/cli/main.c:598 + #, c-format + msgid "Unable to get generated content [%d]: %s" + msgstr "" + +-#: src/cli/main.c:626 ++#: src/cli/main.c:617 + #, c-format + msgid "" + "File %s: Empty\n" + "\n" + msgstr "" + +-#: src/cli/main.c:628 ++#: src/cli/main.c:619 + #, c-format + msgid "" + "File %s:\n" +@@ -1114,534 +1110,190 @@ msgid "" + "\n" + msgstr "" + +-#: src/cli/main.c:657 ++#: src/cli/main.c:648 + msgid "Feature to enable." + msgstr "" + +-#: src/cli/main.c:694 ++#: src/cli/main.c:685 + #, c-format + msgid "Unable to backup current configuration [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:701 ++#: src/cli/main.c:692 + #, c-format + msgid "Unable to enable feature [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:706 ++#: src/cli/main.c:697 + #, c-format + msgid "%s\n" + msgstr "" + +-#: src/cli/main.c:734 ++#: src/cli/main.c:725 + msgid "Feature to disable." 
+ msgstr "" + +-#: src/cli/main.c:748 ++#: src/cli/main.c:739 + #, c-format + msgid "Unable to disable feature [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:769 ++#: src/cli/main.c:760 + msgid "Create new profile as a vendor profile instead of a custom profile" + msgstr "" + +-#: src/cli/main.c:770 ++#: src/cli/main.c:761 + msgid "ID of a profile that should be used as a base for the new profile" + msgstr "" + +-#: src/cli/main.c:771 ++#: src/cli/main.c:762 + msgid "" + "Base new profile on a default profile even if vendor profile with the same " + "name exists" + msgstr "" + +-#: src/cli/main.c:772 ++#: src/cli/main.c:763 + msgid "Symlink meta files from the base profile instead of copying them" + msgstr "" + +-#: src/cli/main.c:773 ++#: src/cli/main.c:764 + msgid "Symlink nsswitch files from the base profile instead of copying them" + msgstr "" + +-#: src/cli/main.c:774 ++#: src/cli/main.c:765 + msgid "Symlink pam files from the base profile instead of copying them" + msgstr "" + +-#: src/cli/main.c:775 ++#: src/cli/main.c:766 + msgid "Symlink dconf files from the base profile instead of copying them" + msgstr "" + +-#: src/cli/main.c:776 ++#: src/cli/main.c:767 + msgid "Symlink specific file (can be set multiple times)" + msgstr "" + +-#: src/cli/main.c:781 ++#: src/cli/main.c:772 + msgid "New profile name." + msgstr "" + +-#: src/cli/main.c:791 ++#: src/cli/main.c:782 + #, c-format + msgid "Unable to create new profile [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:795 ++#: src/cli/main.c:786 + #, c-format + msgid "New profile was created at %s\n" + msgstr "" + +-#: src/cli/main.c:818 ++#: src/cli/main.c:809 + msgid "Print backup names without any formatting and additional information" + msgstr "" + +-#: src/cli/main.c:830 ++#: src/cli/main.c:821 + msgid "Unable to list available backups!" 
+ msgstr "" + +-#: src/cli/main.c:867 ++#: src/cli/main.c:858 + #, c-format + msgid "%-*s (created at %s)\n" + msgstr "" + +-#: src/cli/main.c:886 ++#: src/cli/main.c:877 + msgid "Name of the backup to remove." + msgstr "" + +-#: src/cli/main.c:895 ++#: src/cli/main.c:886 + #, c-format + msgid "Unable to remove backup [%s] [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:912 ++#: src/cli/main.c:903 + msgid "Name of the backup to restore from." + msgstr "" + +-#: src/cli/main.c:921 ++#: src/cli/main.c:912 + #, c-format + msgid "Unable to restore backup [%s] [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:937 ++#: src/cli/main.c:928 + #, c-format + msgid "Unable to uninstall authselect configuration [%d]: %s\n" + msgstr "" + +-#: src/cli/main.c:987 ++#: src/cli/main.c:978 + msgid "Select profile" + msgstr "" + +-#: src/cli/main.c:988 ++#: src/cli/main.c:979 + msgid "Regenerate configuration for currently selected command" + msgstr "" + +-#: src/cli/main.c:989 ++#: src/cli/main.c:980 + msgid "List available profiles" + msgstr "" + +-#: src/cli/main.c:990 ++#: src/cli/main.c:981 + msgid "List available profile features" + msgstr "" + +-#: src/cli/main.c:991 ++#: src/cli/main.c:982 + msgid "Show profile information" + msgstr "" + +-#: src/cli/main.c:992 ++#: src/cli/main.c:983 + msgid "Print profile requirements" + msgstr "" + +-#: src/cli/main.c:993 ++#: src/cli/main.c:984 + msgid "Get identifier of currently selected profile" + msgstr "" + +-#: src/cli/main.c:994 ++#: src/cli/main.c:985 + msgid "Check if the current configuration is valid" + msgstr "" + +-#: src/cli/main.c:995 ++#: src/cli/main.c:986 + msgid "Print changes that would be otherwise written" + msgstr "" + +-#: src/cli/main.c:996 ++#: src/cli/main.c:987 + msgid "Enable feature in currently selected profile" + msgstr "" + +-#: src/cli/main.c:997 ++#: src/cli/main.c:988 + msgid "Disable feature in currently selected profile" + msgstr "" + +-#: src/cli/main.c:998 ++#: src/cli/main.c:989 + msgid "Create new 
authselect profile" + msgstr "" + +-#: src/cli/main.c:999 ++#: src/cli/main.c:990 + msgid "Backup commands:" + msgstr "" + +-#: src/cli/main.c:1000 ++#: src/cli/main.c:991 + msgid "List available backups" + msgstr "" + +-#: src/cli/main.c:1001 ++#: src/cli/main.c:992 + msgid "Remove backup" + msgstr "" + +-#: src/cli/main.c:1002 ++#: src/cli/main.c:993 + msgid "Restore from backup" + msgstr "" + +-#: src/cli/main.c:1003 ++#: src/cli/main.c:994 + msgid "Other:" + msgstr "" + +-#: src/cli/main.c:1004 ++#: src/cli/main.c:995 + msgid "Opt-out from authselect managed configuration" + msgstr "" + +-#: src/cli/main.c:1006 ++#: src/cli/main.c:997 + msgid "Print authselect version" + msgstr "" +- +-#: src/compat/authcompat_Options.py:82 +-msgid "NIS for user information by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:83 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:83 +-msgid "default NIS domain" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:84 src/compat/authcompat_Options.py:87 +-#: src/compat/authcompat_Options.py:98 src/compat/authcompat_Options.py:99 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:84 +-msgid "default NIS server" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:85 +-msgid "LDAP for user information by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:86 +-msgid "LDAP for authentication by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:87 +-msgid "default LDAP server hostname or URI" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:88 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:88 +-msgid "default LDAP base DN" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:89 +-msgid "use of TLS with LDAP (RFC-2830)" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:90 +-msgid "use of TLS for identity lookups with LDAP (RFC-2830)" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:91 +-msgid "use of RFC-2307bis schema for LDAP user information 
lookups" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:92 +-msgid "authentication with smart card by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:93 +-msgid "<0=Lock|1=Ignore>" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:93 +-msgid "action to be taken on smart card removal" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:94 +-msgid "require smart card for authentication by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:95 +-msgid "authentication with fingerprint readers by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:96 +-msgid "automatic per-user ecryptfs" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:97 +-msgid "Kerberos authentication by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:98 +-msgid "default Kerberos KDC" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:99 +-msgid "default Kerberos admin server" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:100 src/compat/authcompat_Options.py:152 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:100 +-msgid "default Kerberos realm" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:101 +-msgid "use of DNS to find Kerberos KDCs" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:102 +-msgid "use of DNS to find Kerberos realms" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:103 +-msgid "winbind for user information by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:104 +-msgid "winbind for authentication by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:105 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:105 +-msgid "join the winbind domain or ads realm now as this administrator" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:106 +-msgid "Kerberos 5 for authenticate with winbind" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:107 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:107 +-msgid "workgroup authentication servers 
are in" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:108 +-msgid "" +-"SSSD for user information by default with manually managed configuration" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:109 +-msgid "SSSD for authentication by default with manually managed configuration" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:110 +-msgid "caching of user credentials in SSSD by default" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:111 +-msgid "check of access.conf during account authorization" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:112 +-msgid "creation of home directories for users on their first login" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:113 +-msgid "account locking in case of too many consecutive authentication failures" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:114 src/compat/authcompat_Options.py:115 +-#: src/compat/authcompat_Options.py:116 src/compat/authcompat_Options.py:117 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:114 +-msgid "minimum length of a password" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:115 +-msgid "minimum number of character classes in a password" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:116 +-msgid "maximum number of same consecutive characters in a password" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:117 +-msgid "maximum number of consecutive characters of same class in a password" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:118 +-msgid "require at least one lowercase character in a password" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:119 +-msgid "require at least one uppercase character in a password" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:120 +-msgid "require at least one digit in a password" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:121 +-msgid "require at least one other character in a password" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:124 +-msgid "do not 
start/stop services" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:125 +-msgid "update all configuration files" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:126 src/compat/authcompat_Options.py:127 +-msgid "the same as --updateall" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:136 src/compat/authcompat_Options.py:137 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:148 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:149 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:150 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:151 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:153 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:154 src/compat/authcompat_Options.py:155 +-#: src/compat/authcompat_Options.py:156 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:157 +-msgid "<\\>" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:158 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:159 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:166 +-msgid "" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:210 +-msgid "These options have a compatibility layer" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:211 +-msgid "These options are no longer supported and have no effect" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:313 +-msgid "enable" +-msgstr "" +- +-#: src/compat/authcompat_Options.py:314 +-msgid "disable" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:51 +-#, python-format +-msgid "Executing: %s" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:71 +-#, python-format +-msgid "Service %s was not found. Please install the service." 
+-msgstr "" +- +-#: src/compat/authcompat.py.in.in:74 src/compat/authcompat.py.in.in:631 +-#: src/compat/authcompat.py.in.in:657 +-#, python-format +-msgid "Command [%s] failed with %d, stderr:" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:186 +-#, python-format +-msgid "Removing file: %s" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:335 +-#, python-format +-msgid "%s was not found. Please, install realmd." +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:469 +-msgid "Running authconfig compatibility tool." +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:470 +-msgid "" +-"The purpose of this tool is to enable authentication against chosen services " +-"with authselect and minimum configuration. It does not provide all " +-"capabilities of authconfig.\n" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:473 +-msgid "" +-"IMPORTANT: authconfig is replaced by authselect, please update your scripts." +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:475 +-msgid "" +-"See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/" +-"AuthselectAsDefault" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:476 +-msgid "" +-"See man authselect-migration(7) to help you with migration to authselect" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:480 +-msgid "Warning: These options are not supported anymore and have no effect:" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:500 +-msgid "authconfig can only be run as root" +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:505 +-#, python-format +-msgid "" +-"Error: option --%s is no longer supported and we cannot continue if it is " +-"set." +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:510 +-msgid "Error: Both --enablewinbind and --enablewinbindauth must be set." +-msgstr "" +- +-#: src/compat/authcompat.py.in.in:520 +-msgid "Error: Please, provide --updateall option." 
+-msgstr "" +diff --git a/src/man/po/authselect-migration.7.adoc.pot b/src/man/po/authselect-migration.7.adoc.pot +index 86a7f52ecac93a6538e5168deb806a97515c8c7c..93c99f10098b2ba2775823150b6efbf83a05e2ac 100644 +--- a/src/man/po/authselect-migration.7.adoc.pot ++++ b/src/man/po/authselect-migration.7.adoc.pot +@@ -7,7 +7,7 @@ + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" +-"POT-Creation-Date: 2022-05-04 13:46+0200\n" ++"POT-Creation-Date: 2024-02-23 14:08+0100\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" +@@ -17,30 +17,31 @@ msgstr "" + "Content-Transfer-Encoding: 8bit\n" + + #. type: Title = +-#: ./src/man/authselect-migration.7.adoc:2 ++#: src/man/authselect-migration.7.adoc:2 + #, no-wrap + msgid "authselect-migration(7)" + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-migration.7.adoc:6 ++#: src/man/authselect-migration.7.adoc:6 + #, no-wrap + msgid "NAME" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:8 +-msgid "authselect-migration - A guide how to migrate from authconfig to authselect." ++#: src/man/authselect-migration.7.adoc:8 ++msgid "" ++"authselect-migration - A guide how to migrate from authconfig to authselect." + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-migration.7.adoc:10 ++#: src/man/authselect-migration.7.adoc:10 + #, no-wrap + msgid "DESCRIPTION" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:15 ++#: src/man/authselect-migration.7.adoc:15 + msgid "" + "This manual page explains the main differences between authconfig, the " + "previous tool to configure system authentication and identity sources, and " +@@ -49,20 +50,20 @@ msgid "" + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-migration.7.adoc:17 ++#: src/man/authselect-migration.7.adoc:17 + #, no-wrap + msgid "MAIN DIFFERENCES" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-migration.7.adoc:20 ++#: src/man/authselect-migration.7.adoc:20 + msgid "" + "Authselect takes a completely different approach to system configuration " + "than the previous tool authconfig." + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:25 ++#: src/man/authselect-migration.7.adoc:25 + msgid "" + "Authconfig tries its best to keep users's manual changes to the files it " + "generates. It generates not only PAM configuration files and nsswitch.conf " +@@ -71,38 +72,36 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:34 ++#: src/man/authselect-migration.7.adoc:34 + msgid "" + "Authselect does no such things. It does not generate any configuration files " + "beside PAM and nsswitch.conf and it strictly prohibits any manual changes to " + "generated configuration. It provides a set of files called profiles. Each " + "profile describes how the resulting configuration should look like and it " +-"can be slightly modified by enabling or disabling certain optional " +-"features. If a need arises for a different profile than what authselect " +-"ships, the administrator has an option to create a whole new profile and use " +-"it with authselect. See authselect-profiles(5) to learn more about " +-"profiles." ++"can be slightly modified by enabling or disabling certain optional features. " ++"If a need arises for a different profile than what authselect ships, the " ++"administrator has an option to create a whole new profile and use it with " ++"authselect. See authselect-profiles(5) to learn more about profiles." + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:46 ++#: src/man/authselect-migration.7.adoc:46 + msgid "" +-"This may seem like a big disadvantage but the truth is the " +-"opposite. Authconfig is a very old tool and the applications providing " +-"required services have changed rapidly over the years. 
Typically, there is " +-"no longer a need to have multiple authentication modules in PAM and " +-"nsswitch.conf, because the vast majority of use-cases is covered by " +-"SSSD. Therefore there is no need to add or remove them specifically. There " +-"are also better tools to generate configuration for system daemons that can " +-"help you automate the process of joining to a remote domain such as " +-"`realm`. In addition, the shipped profiles give us comprehensive and " +-"deterministic system configuration that can be fully tested and is much less " +-"error prone. It is also much easier to distribute such configuration across " +-"many systems." ++"This may seem like a big disadvantage but the truth is the opposite. " ++"Authconfig is a very old tool and the applications providing required " ++"services have changed rapidly over the years. Typically, there is no longer " ++"a need to have multiple authentication modules in PAM and nsswitch.conf, " ++"because the vast majority of use-cases is covered by SSSD. Therefore there " ++"is no need to add or remove them specifically. There are also better tools " ++"to generate configuration for system daemons that can help you automate the " ++"process of joining to a remote domain such as `realm`. In addition, the " ++"shipped profiles give us comprehensive and deterministic system " ++"configuration that can be fully tested and is much less error prone. It is " ++"also much easier to distribute such configuration across many systems." + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:52 ++#: src/man/authselect-migration.7.adoc:52 + msgid "" + "Probably the most controversial change is that authselect only ships " + "profiles for sssd and winbind providers. Those two providers cover all " +@@ -113,13 +112,13 @@ msgid "" + msgstr "" + + #. 
type: Title - +-#: ./src/man/authselect-migration.7.adoc:54 ++#: src/man/authselect-migration.7.adoc:54 + #, no-wrap + msgid "JOINING REMOTE DOMAINS" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:59 ++#: src/man/authselect-migration.7.adoc:59 + msgid "" + "You can use either `ipa-client-install` or `realm` to join an IPA domain and " + "`realm` to join an Active Directory domain. These tools will make sure that " +@@ -128,13 +127,13 @@ msgid "" + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-migration.7.adoc:61 ++#: src/man/authselect-migration.7.adoc:61 + #, no-wrap + msgid "CONVERTING YOUR SCRIPTS" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:67 ++#: src/man/authselect-migration.7.adoc:67 + msgid "" + "If you use `ipa-client-install` or `realm` to join a domain, you can just " + "remove any authconfig call in your scripts. If this is not an option, you " +@@ -144,13 +143,13 @@ msgid "" + msgstr "" + + #. type: Block title +-#: ./src/man/authselect-migration.7.adoc:68 ++#: src/man/authselect-migration.7.adoc:68 + #, no-wrap + msgid "Relation of authconfig options to authselect profiles" + msgstr "" + + #. type: Table +-#: ./src/man/authselect-migration.7.adoc:76 ++#: src/man/authselect-migration.7.adoc:77 + #, no-wrap + msgid "" + "|*Authconfig options* |*Authselect profile*\n" +@@ -161,14 +160,20 @@ msgid "" + "|--enablenis |nis\n" + msgstr "" + ++#. type: Table ++#: src/man/authselect-migration.7.adoc:80 ++#, no-wrap ++msgid "|--enablenis |none\n" ++msgstr "" ++ + #. type: Block title +-#: ./src/man/authselect-migration.7.adoc:78 ++#: src/man/authselect-migration.7.adoc:83 + #, no-wrap + msgid "Relation of authconfig options to authselect profile features" + msgstr "" + + #. 
type: Table +-#: ./src/man/authselect-migration.7.adoc:90 ++#: src/man/authselect-migration.7.adoc:95 + #, no-wrap + msgid "" + "|*Authconfig options* |*Authselect profile feature*\n" +@@ -184,7 +189,7 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:97 ++#: src/man/authselect-migration.7.adoc:102 + msgid "" + "Authconfig options `--enableshadow` and `--passalgo=sha512` were often used " + "to make sure that passwords are stored in `/etc/shadow` using `sha512` " +@@ -194,13 +199,13 @@ msgid "" + msgstr "" + + #. type: Block title +-#: ./src/man/authselect-migration.7.adoc:98 ++#: src/man/authselect-migration.7.adoc:103 + #, no-wrap + msgid "Examples" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:102 ++#: src/man/authselect-migration.7.adoc:107 + #, no-wrap + msgid "" + "authconfig --enableldap --enableldapauth --enablefaillock --updateall\n" +@@ -208,16 +213,15 @@ msgid "" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:105 ++#: src/man/authselect-migration.7.adoc:110 + #, no-wrap + msgid "" +-"authconfig --enablesssd --enablesssdauth --enablesmartcard " +-"--smartcardmodule=sssd --updateall\n" ++"authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall\n" + "authselect select sssd with-smartcard\n" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:108 ++#: src/man/authselect-migration.7.adoc:113 + #, no-wrap + msgid "" + "authconfig --enableecryptfs --enablepamaccess --updateall\n" +@@ -225,35 +229,33 @@ msgid "" + msgstr "" + + #. 
type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:111 ++#: src/man/authselect-migration.7.adoc:116 + #, no-wrap + msgid "" +-"authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator " +-"--updateall\n" ++"authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall\n" + "realm join -U Administrator --client-software=winbind WINBINDDOMAIN\n" + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-migration.7.adoc:114 ++#: src/man/authselect-migration.7.adoc:119 + #, no-wrap + msgid "CONFIGURATION FILES" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:116 ++#: src/man/authselect-migration.7.adoc:121 + msgid "" +-"This section contains snippets for minimal configuration of various " +-"services." ++"This section contains snippets for minimal configuration of various services." + msgstr "" + + #. type: Title ~ +-#: ./src/man/authselect-migration.7.adoc:118 ++#: src/man/authselect-migration.7.adoc:123 + #, no-wrap + msgid "LDAP" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:122 ++#: src/man/authselect-migration.7.adoc:127 + msgid "" + "Even if LDAP is not directly used through `pam_ldap` and `nss_ldap`, it is " + "still useful to configure ldap.conf to configure openldap-libs and " +@@ -261,13 +263,13 @@ msgid "" + msgstr "" + + #. type: Block title +-#: ./src/man/authselect-migration.7.adoc:123 ++#: src/man/authselect-migration.7.adoc:128 + #, no-wrap + msgid "{sysconfdir}/openldap/ldap.conf" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:127 ++#: src/man/authselect-migration.7.adoc:132 + #, no-wrap + msgid "" + "# Set the default base dn\n" +@@ -275,7 +277,7 @@ msgid "" + msgstr "" + + #. 
type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:130 ++#: src/man/authselect-migration.7.adoc:135 + #, no-wrap + msgid "" + "# Set the default LDAP server\n" +@@ -283,13 +285,13 @@ msgid "" + msgstr "" + + #. type: Title ~ +-#: ./src/man/authselect-migration.7.adoc:133 ++#: src/man/authselect-migration.7.adoc:138 + #, no-wrap + msgid "KERBEROS" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:136 ++#: src/man/authselect-migration.7.adoc:141 + msgid "" + "If you use Kerberos, the default Kerberos realm should be configured in " + "order for krb5-libs and therefore tools such as `kinit` to work out of the " +@@ -297,13 +299,13 @@ msgid "" + msgstr "" + + #. type: Block title +-#: ./src/man/authselect-migration.7.adoc:137 ++#: src/man/authselect-migration.7.adoc:142 + #, no-wrap + msgid "{sysconfdir}/krb5.conf" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:141 ++#: src/man/authselect-migration.7.adoc:146 + #, no-wrap + msgid "" + "[libdefaults]\n" +@@ -311,7 +313,7 @@ msgid "" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:146 ++#: src/man/authselect-migration.7.adoc:151 + #, no-wrap + msgid "" + "[realms]\n" +@@ -321,7 +323,7 @@ msgid "" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:150 ++#: src/man/authselect-migration.7.adoc:155 + #, no-wrap + msgid "" + "[domain_realm]\n" +@@ -330,31 +332,31 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:153 +-#: ./src/man/authselect-migration.7.adoc:247 ++#: src/man/authselect-migration.7.adoc:158 ++#: src/man/authselect-migration.7.adoc:254 + #, no-wrap + msgid "SSSD" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:158 ++#: src/man/authselect-migration.7.adoc:163 + msgid "" + "Authselect encourages users to use SSSD wherever possible. 
There are many " + "configuration options, see sssd.conf(5). This is a minimal configuration " +-"that creates one LDAP domain called `default`. The LDAP server is " +-"auto-discovered through DNS lookups." ++"that creates one LDAP domain called `default`. The LDAP server is auto-" ++"discovered through DNS lookups." + msgstr "" + + #. type: Block title +-#: ./src/man/authselect-migration.7.adoc:159 +-#: ./src/man/authselect-migration.7.adoc:175 ++#: src/man/authselect-migration.7.adoc:164 ++#: src/man/authselect-migration.7.adoc:180 + #, no-wrap + msgid "{sysconfdir}/sssd/sssd.conf" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:164 +-#: ./src/man/authselect-migration.7.adoc:180 ++#: src/man/authselect-migration.7.adoc:169 ++#: src/man/authselect-migration.7.adoc:185 + #, no-wrap + msgid "" + "[sssd]\n" +@@ -363,7 +365,7 @@ msgid "" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:169 ++#: src/man/authselect-migration.7.adoc:174 + #, no-wrap + msgid "" + "[domain/default]\n" +@@ -373,7 +375,7 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:174 ++#: src/man/authselect-migration.7.adoc:179 + msgid "" + "And here is a configuration snippet for the same domain but now the " + "authentication is done over Kerberos. The KDC server is auto-discovered " +@@ -381,7 +383,7 @@ msgid "" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:188 ++#: src/man/authselect-migration.7.adoc:193 + #, no-wrap + msgid "" + "[domain/default]\n" +@@ -394,7 +396,7 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:194 ++#: src/man/authselect-migration.7.adoc:199 + msgid "" + "If you want to configure SSSD for an IPA or Active Directory domain, use the " + "`realm` tool. This will perform an initial setup which involves creating a " +@@ -403,13 +405,13 @@ msgid "" + msgstr "" + + #. 
type: Title ~ +-#: ./src/man/authselect-migration.7.adoc:196 ++#: src/man/authselect-migration.7.adoc:201 + #, no-wrap + msgid "WINBIND" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:201 ++#: src/man/authselect-migration.7.adoc:206 + msgid "" + "If you want to configure the machine to use Winbind, use `realm`. This will " + "perform an initial setup which involves creating a Kerberos keytab and " +@@ -418,14 +420,14 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:203 +-#: ./src/man/authselect-migration.7.adoc:255 ++#: src/man/authselect-migration.7.adoc:209 ++#: src/man/authselect-migration.7.adoc:262 + #, no-wrap + msgid "NIS" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:207 ++#: src/man/authselect-migration.7.adoc:213 + msgid "" + "There are several places that needs to be configured in order to make NIS " + "authentication work. First, you need to set NIS domain and optionally also " +@@ -433,13 +435,13 @@ msgid "" + msgstr "" + + #. type: Block title +-#: ./src/man/authselect-migration.7.adoc:208 ++#: src/man/authselect-migration.7.adoc:214 + #, no-wrap + msgid "{sysconfdir}/yp.conf" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:213 ++#: src/man/authselect-migration.7.adoc:219 + #, no-wrap + msgid "" + "domain mydomain broadcast\n" +@@ -448,24 +450,24 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:216 ++#: src/man/authselect-migration.7.adoc:222 + msgid "NIS domain must be also set in system network configuration." + msgstr "" + + #. type: Block title +-#: ./src/man/authselect-migration.7.adoc:217 ++#: src/man/authselect-migration.7.adoc:223 + #, no-wrap + msgid "{sysconfdir}/sysconfig/network" + msgstr "" + + #. 
type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:220 ++#: src/man/authselect-migration.7.adoc:226 + #, no-wrap + msgid "NISDOMAIN=mydomain\n" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:224 ++#: src/man/authselect-migration.7.adoc:230 + msgid "" + "Now, you can set the domain name with command line so there is no need to " + "reboot your system. Additionaly, it may be necessary to enable NIS in " +@@ -473,7 +475,7 @@ msgid "" + msgstr "" + + #. type: delimited block - +-#: ./src/man/authselect-migration.7.adoc:228 ++#: src/man/authselect-migration.7.adoc:234 + #, no-wrap + msgid "" + "$ domainname mydomain\n" +@@ -481,13 +483,13 @@ msgid "" + msgstr "" + + #. type: Title ~ +-#: ./src/man/authselect-migration.7.adoc:231 ++#: src/man/authselect-migration.7.adoc:238 + #, no-wrap + msgid "PASSWORD QUALITY" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:236 ++#: src/man/authselect-migration.7.adoc:243 + msgid "" + "Authselect enables `pam_pwquality` module to enforce password quality " + "restrictions. This module is enabled only for local users. Remote users " +@@ -496,45 +498,45 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:240 ++#: src/man/authselect-migration.7.adoc:247 + msgid "" +-"The `pam_pwquality` module can be configured in " +-"{sysconfdir}/security/pwquality.conf. See pam_pwquality(8) to see its " +-"configuration options and defaults." ++"The `pam_pwquality` module can be configured in {sysconfdir}/security/" ++"pwquality.conf. See pam_pwquality(8) to see its configuration options and " ++"defaults." + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-migration.7.adoc:242 ++#: src/man/authselect-migration.7.adoc:249 + #, no-wrap + msgid "STARTING SERVICES" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-migration.7.adoc:245 ++#: src/man/authselect-migration.7.adoc:252 + msgid "" + "Depending on your configuration, you need to start required services " + "manually with systemd." + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:249 ++#: src/man/authselect-migration.7.adoc:256 + #, no-wrap + msgid "systemctl enable sssd.service ; systemctl start sssd.service\n" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:251 ++#: src/man/authselect-migration.7.adoc:258 + msgid "Winbind" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:253 ++#: src/man/authselect-migration.7.adoc:260 + #, no-wrap + msgid "systemctl enable winbind.service ; systemctl start winbind.service\n" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:258 ++#: src/man/authselect-migration.7.adoc:265 + #, no-wrap + msgid "" + "systemctl enable rpcbind.service ; systemctl start rpcbind.service\n" +@@ -542,24 +544,24 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:260 ++#: src/man/authselect-migration.7.adoc:267 + msgid "If mkhomedir feature is enabled" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:262 ++#: src/man/authselect-migration.7.adoc:269 + #, no-wrap + msgid "systemctl enable oddjobd.service ; systemctl start oddjobd.service\n" + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-migration.7.adoc:264 ++#: src/man/authselect-migration.7.adoc:271 + #, no-wrap + msgid "AUTHCONFIG TOOLS" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:268 ++#: src/man/authselect-migration.7.adoc:275 + msgid "" + "Authconfig shipped a tool called _cacertdir_rehash_. If you depend on this " + "tool, please switch to native _openssl_ command: *openssl rehash " +@@ -567,14 +569,14 @@ msgid "" + msgstr "" + + #. 
type: Title - +-#: ./src/man/authselect-migration.7.adoc:270 ++#: src/man/authselect-migration.7.adoc:277 + #, no-wrap + msgid "SEE ALSO" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-migration.7.adoc:272 ++#: src/man/authselect-migration.7.adoc:279 + msgid "" +-"authselect(8), authselect-profiles(5), realm(8), ipa-client-install(1), " +-"sssd.conf(5), smb.conf(5), ldap.conf(5), krb5.conf(5)" ++"authselect(8), authselect-profiles(5), realm(8), ipa-client-install(1), sssd." ++"conf(5), smb.conf(5), ldap.conf(5), krb5.conf(5)" + msgstr "" +diff --git a/src/man/po/authselect-profiles.5.adoc.pot b/src/man/po/authselect-profiles.5.adoc.pot +index 45ca16e66e2dabbc55ec5106352c0b8f43b3826b..d6ce53d9b963771113b81d502338b352d410807d 100644 +--- a/src/man/po/authselect-profiles.5.adoc.pot ++++ b/src/man/po/authselect-profiles.5.adoc.pot +@@ -7,7 +7,7 @@ + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" +-"POT-Creation-Date: 2022-05-04 13:46+0200\n" ++"POT-Creation-Date: 2024-02-23 14:08+0100\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" +@@ -17,89 +17,90 @@ msgstr "" + "Content-Transfer-Encoding: 8bit\n" + + #. type: Title = +-#: ./src/man/authselect-profiles.5.adoc:2 ++#: src/man/authselect-profiles.5.adoc:2 + #, no-wrap + msgid "authselect-profiles(5)" + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-profiles.5.adoc:6 ++#: src/man/authselect-profiles.5.adoc:6 + #, no-wrap + msgid "NAME" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:8 ++#: src/man/authselect-profiles.5.adoc:8 + msgid "authselect-profiles - how to extend authselect profiles." + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-profiles.5.adoc:10 ++#: src/man/authselect-profiles.5.adoc:10 + #, no-wrap + msgid "DESCRIPTION" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:13 ++#: src/man/authselect-profiles.5.adoc:13 + msgid "" + "This manual page explains how are authselect profiles organized and how to " + "create new profiles." + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-profiles.5.adoc:15 ++#: src/man/authselect-profiles.5.adoc:15 + #, no-wrap + msgid "PROFILE DIRECTORIES" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:17 ++#: src/man/authselect-profiles.5.adoc:17 + msgid "Profiles can be found in one of three directories." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:18 ++#: src/man/authselect-profiles.5.adoc:18 + #, no-wrap + msgid "*{AUTHSELECT_PROFILE_DIR}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:20 +-msgid "Read-only directory containing profiles shipped together with authselect." ++#: src/man/authselect-profiles.5.adoc:20 ++msgid "" ++"Read-only directory containing profiles shipped together with authselect." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:21 ++#: src/man/authselect-profiles.5.adoc:21 + #, no-wrap + msgid "*{AUTHSELECT_VENDOR_DIR}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:24 ++#: src/man/authselect-profiles.5.adoc:24 + msgid "" + "Read-only directory for vendor-specific profiles that can override the ones " + "in _default_ directory." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:25 ++#: src/man/authselect-profiles.5.adoc:25 + #, no-wrap + msgid "*{AUTHSELECT_CUSTOM_DIR}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:27 ++#: src/man/authselect-profiles.5.adoc:27 + msgid "Place for administrator-defined profiles." + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-profiles.5.adoc:29 ++#: src/man/authselect-profiles.5.adoc:29 + #, no-wrap + msgid "PROFILE FILES" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:33 ++#: src/man/authselect-profiles.5.adoc:33 + msgid "" + "Each profile consists of one or more of these files which provide a " + "mandatory profile description and describe the changes that are done to the " +@@ -107,37 +108,38 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:34 ++#: src/man/authselect-profiles.5.adoc:34 + #, no-wrap + msgid "*README*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:36 +-msgid "Description of the profile. The first line must be a name of the profile." ++#: src/man/authselect-profiles.5.adoc:36 ++msgid "" ++"Description of the profile. The first line must be a name of the profile." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:37 ++#: src/man/authselect-profiles.5.adoc:37 + #, no-wrap + msgid "*system-auth*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:40 ++#: src/man/authselect-profiles.5.adoc:40 + msgid "" + "PAM stack that is included from nearly all individual service configuration " + "files." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:41 ++#: src/man/authselect-profiles.5.adoc:41 + #, no-wrap + msgid "*password-auth*, *smartcard-auth*, *fingerprint-auth*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:45 ++#: src/man/authselect-profiles.5.adoc:45 + msgid "" + "These PAM stacks are for applications which handle authentication from " + "different types of devices via simultaneously running individual " +@@ -145,13 +147,13 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:46 ++#: src/man/authselect-profiles.5.adoc:46 + #, no-wrap + msgid "*postlogin*" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:54 ++#: src/man/authselect-profiles.5.adoc:54 + msgid "" + "The purpose of this PAM stack is to provide a common place for all PAM " + "modules which should be called after the stack configured in system-auth or " +@@ -163,35 +165,24 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:55 ++#: src/man/authselect-profiles.5.adoc:55 + #, no-wrap + msgid "*nsswitch.conf*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:58 ++#: src/man/authselect-profiles.5.adoc:57 + msgid "Name Service Switch configuration file." + msgstr "" + +-#. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:63 +-#, no-wrap +-msgid "" +-" Name Service Switch configuration file. Only maps relevant to the " +-"profile\n" +-" must be set. Maps that are not specified by the profile are included " +-"from\n" +-" {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf.\n" +-msgstr "" +- + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:65 ++#: src/man/authselect-profiles.5.adoc:58 + #, no-wrap + msgid "*dconf-db*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:69 ++#: src/man/authselect-profiles.5.adoc:62 + msgid "" + "Changes to dconf database. The main uses case of this file is to set changes " + "for gnome login screen in order to enable or disable smartcard and " +@@ -199,24 +190,24 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:70 ++#: src/man/authselect-profiles.5.adoc:63 + #, no-wrap + msgid "*dconf-locks*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:72 ++#: src/man/authselect-profiles.5.adoc:65 + msgid "This file define locks on values set in dconf database." + msgstr "" + + #. type: Title ~ +-#: ./src/man/authselect-profiles.5.adoc:74 ++#: src/man/authselect-profiles.5.adoc:67 + #, no-wrap + msgid "CONDITIONAL LINES" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:78 ++#: src/man/authselect-profiles.5.adoc:71 + msgid "" + "Each of these files serves as a template. A template is a plain text file " + "with optional usage of several operators that can be used to provide some " +@@ -224,13 +215,13 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:79 ++#: src/man/authselect-profiles.5.adoc:72 + #, no-wrap + msgid "*{continue if \"feature\"}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:84 ++#: src/man/authselect-profiles.5.adoc:77 + msgid "" + "Immediately stop processing of the file unless \"feature\" is defined (the " + "rest of the file content will be removed). If \"feature\" is defined, the " +@@ -239,13 +230,13 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:85 ++#: src/man/authselect-profiles.5.adoc:78 + #, no-wrap + msgid "*{stop if \"feature\"}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:90 ++#: src/man/authselect-profiles.5.adoc:83 + msgid "" + "Opposite of \"continue if\". Immediately stop processing of the file if " + "\"feature\" is defined (the rest of the file content will be removed). If " +@@ -254,39 +245,39 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:91 ++#: src/man/authselect-profiles.5.adoc:84 + #, no-wrap + msgid "*{include if \"feature\"}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:94 ++#: src/man/authselect-profiles.5.adoc:87 + msgid "" + "Include the line where this operator is placed only if \"feature\" is " + "defined." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:95 ++#: src/man/authselect-profiles.5.adoc:88 + #, no-wrap + msgid "*{exclude if \"feature\"}*" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:98 ++#: src/man/authselect-profiles.5.adoc:91 + msgid "" + "Opposite to \"include-if\". Include the line where this operator is placed " + "only if \"feature\" is not defined." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:99 ++#: src/man/authselect-profiles.5.adoc:92 + #, no-wrap + msgid "*{imply \"implied-feature\" if \"feature\"}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:103 ++#: src/man/authselect-profiles.5.adoc:96 + msgid "" + "Enable feature \"implied-feature\" if feature \"feature\" is enabled. The " + "whole line with this operator is removed, thus it is not possible to add " +@@ -294,33 +285,33 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:104 ++#: src/man/authselect-profiles.5.adoc:97 + #, no-wrap + msgid "*{if \"feature\":true|false}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:107 ++#: src/man/authselect-profiles.5.adoc:100 + msgid "" + "If \"feature\" is defined, replace this operator with string \"true\", " + "otherwise with string \"false\"." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:108 ++#: src/man/authselect-profiles.5.adoc:101 + #, no-wrap + msgid "*{if \"feature\":true}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:111 ++#: src/man/authselect-profiles.5.adoc:104 + msgid "" + "If \"feature\" is defined, replace this operator with string \"true\", " + "otherwise with an empty string." + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:115 ++#: src/man/authselect-profiles.5.adoc:108 + msgid "" + "It is also possible to use logical expression in conditional line instead of " + "specifying single feature name. In this case the expression will evaluate to " +@@ -328,7 +319,7 @@ msgid "" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:120 ++#: src/man/authselect-profiles.5.adoc:113 + msgid "" + "The expression syntax consists of feature names (e.g. _\"feature\"_) which " + "returns _true_ if the feature is defined or _false_ if it is not defined and " +@@ -337,57 +328,57 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:122 ++#: src/man/authselect-profiles.5.adoc:115 + msgid "For example:" + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:123 ++#: src/man/authselect-profiles.5.adoc:116 + #, no-wrap + msgid "*{if \"feature1\" or \"feature2\":true}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:126 ++#: src/man/authselect-profiles.5.adoc:119 + msgid "" + "If \"feature1\" or \"feature2\" is defined, replace this operator with " + "string \"true\", otherwise with an empty string." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:127 ++#: src/man/authselect-profiles.5.adoc:120 + #, no-wrap + msgid "*{if not \"feature\":true|false}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:130 ++#: src/man/authselect-profiles.5.adoc:123 + msgid "" + "If \"feature\" is not defined, replace this operator with string \"true\", " + "otherwise with string \"false\"." + msgstr "" + + #. type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:131 ++#: src/man/authselect-profiles.5.adoc:124 + #, no-wrap + msgid "*{if not \"feature\":true}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:134 ++#: src/man/authselect-profiles.5.adoc:127 + msgid "" + "If \"feature\" is not defined, replace this operator with string \"true\", " + "otherwise with an empty string." + msgstr "" + + #. 
type: Labeled list +-#: ./src/man/authselect-profiles.5.adoc:135 ++#: src/man/authselect-profiles.5.adoc:128 + #, no-wrap + msgid "*{if \"feature1\" and (\"feature2\" or \"feature3\"):true}*" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:138 ++#: src/man/authselect-profiles.5.adoc:131 + msgid "" + "If \"feature1\" is defined, and one of \"feature2\" and \"feature3\" is " + "defined replace this operator with string \"true\", otherwise with an empty " +@@ -395,20 +386,20 @@ msgid "" + msgstr "" + + #. type: Title ~ +-#: ./src/man/authselect-profiles.5.adoc:140 ++#: src/man/authselect-profiles.5.adoc:133 + #, no-wrap + msgid "EXAMPLE" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:143 ++#: src/man/authselect-profiles.5.adoc:136 + msgid "" + "Here is an example of using \"if\" operator. If \"with-sudo\" feature is " + "enabled, it will add \"sss\" to sudoers line." + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:150 ++#: src/man/authselect-profiles.5.adoc:143 + #, no-wrap + msgid "" + " passwd: sss files\n" +@@ -420,42 +411,34 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:155 ++#: src/man/authselect-profiles.5.adoc:148 + msgid "" + "Here is an example of \"continue-if\" and \"include-if\" operators. The " +-"resulting file will be empty unless \"with-smartcard\" feature is " +-"enabled. If it is enabled and also \"with-faillock\" feature is enabled, it " +-"will also enable support for pam_faillock." ++"resulting file will be empty unless \"with-smartcard\" feature is enabled. " ++"If it is enabled and also \"with-faillock\" feature is enabled, it will also " ++"enable support for pam_faillock." + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:168 ++#: src/man/authselect-profiles.5.adoc:161 + #, no-wrap + msgid "" + " {continue if \"with-smartcard\"}\n" + " auth required pam_env.so\n" +-" auth required pam_faildelay.so " +-"delay=2000000\n" +-" auth required pam_faillock.so " +-"preauth silent deny=4 unlock_time=1200 {include if \"with-faillock\"}\n" +-" auth [default=1 ignore=ignore success=ok] pam_succeed_if.so " +-"uid >= 1000 quiet\n" +-" auth [default=1 ignore=ignore success=ok] " +-"pam_localuser.so\n" +-" auth sufficient pam_unix.so " +-"nullok\n" +-" auth requisite pam_succeed_if.so " +-"uid >= 1000 quiet_success\n" +-" auth sufficient pam_sss.so " +-"forward_pass\n" +-" auth required pam_faillock.so " +-"authfail deny=4 unlock_time=1200 {include if \"with-faillock\"}\n" ++" auth required pam_faildelay.so delay=2000000\n" ++" auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if \"with-faillock\"}\n" ++" auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet\n" ++" auth [default=1 ignore=ignore success=ok] pam_localuser.so\n" ++" auth sufficient pam_unix.so nullok\n" ++" auth requisite pam_succeed_if.so uid >= 1000 quiet_success\n" ++" auth sufficient pam_sss.so forward_pass\n" ++" auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if \"with-faillock\"}\n" + " auth required pam_deny.so\n" + " ...\n" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:173 ++#: src/man/authselect-profiles.5.adoc:166 + msgid "" + "Here is an example of \"continue-if\" using logical expression. The file " + "will be empty unless \"with-smartcard\" or \"with-smartcard-required\" is " +@@ -465,82 +448,60 @@ msgid "" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:186 ++#: src/man/authselect-profiles.5.adoc:179 + #, no-wrap + msgid "" + " {continue if \"with-smartcard\" or \"with-smartcard-required\"}\n" + " auth required pam_env.so\n" +-" auth required pam_faildelay.so " +-"delay=2000000\n" +-" auth required pam_faillock.so " +-"preauth silent deny=4 unlock_time=1200 {include if \"with-faillock\"}\n" +-" auth [default=1 ignore=ignore success=ok] pam_succeed_if.so " +-"uid >= 1000 quiet\n" +-" auth [default=1 ignore=ignore success=ok] " +-"pam_localuser.so\n" +-" auth sufficient pam_unix.so " +-"nullok\n" +-" auth requisite pam_succeed_if.so " +-"uid >= 1000 quiet_success\n" +-" auth sufficient pam_sss.so " +-"forward_pass\n" +-" auth required pam_faillock.so " +-"authfail deny=4 unlock_time=1200 {include if \"with-faillock\"}\n" ++" auth required pam_faildelay.so delay=2000000\n" ++" auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if \"with-faillock\"}\n" ++" auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet\n" ++" auth [default=1 ignore=ignore success=ok] pam_localuser.so\n" ++" auth sufficient pam_unix.so nullok\n" ++" auth requisite pam_succeed_if.so uid >= 1000 quiet_success\n" ++" auth sufficient pam_sss.so forward_pass\n" ++" auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if \"with-faillock\"}\n" + " auth required pam_deny.so\n" + " ...\n" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:191 ++#: src/man/authselect-profiles.5.adoc:184 + msgid "" +-"Here is an example of \"imply-if\" operator. Enabling feature " +-"\"with-smartcard-required\" will also enable \"with-smartcard\" to make sure " +-"that all relevant PAM modules are used. This will achieve the same behavior " +-"as the previous example." ++"Here is an example of \"imply-if\" operator. 
Enabling feature \"with-" ++"smartcard-required\" will also enable \"with-smartcard\" to make sure that " ++"all relevant PAM modules are used. This will achieve the same behavior as " ++"the previous example." + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:206 ++#: src/man/authselect-profiles.5.adoc:199 + #, no-wrap + msgid "" + " {imply \"with-smartcard\" if \"with-smartcard-required\"}\n" + " auth required pam_env.so\n" +-" auth required pam_faildelay.so " +-"delay=2000000\n" +-" auth [success=1 default=ignore] pam_succeed_if.so " +-"service notin " +-"login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet " +-"use_uid {include if \"with-smartcard-required\"}\n" +-" auth [success=done ignore=ignore default=die] pam_sss.so " +-"require_cert_auth ignore_authinfo_unavail {include if " +-"\"with-smartcard-required\"}\n" +-" auth [default=1 ignore=ignore success=ok] pam_succeed_if.so " +-"uid >= 1000 quiet\n" +-" auth [default=1 ignore=ignore success=ok] pam_localuser.so " +-"{exclude if \"with-smartcard\"}\n" +-" auth [default=2 ignore=ignore success=ok] pam_localuser.so " +-"{include if \"with-smartcard\"}\n" +-" auth [success=done authinfo_unavail=ignore user_unknown=ignore " +-"ignore=ignore default=die] pam_sss.so try_cert_auth {include if " +-"\"with-smartcard\"}\n" +-" auth sufficient pam_unix.so {if " +-"not \"without-nullok\":nullok}\n" +-" auth requisite pam_succeed_if.so " +-"uid >= 1000 quiet_success\n" +-" auth sufficient pam_sss.so " +-"forward_pass\n" ++" auth required pam_faildelay.so delay=2000000\n" ++" auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if \"with-smartcard-required\"}\n" ++" auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if \"with-smartcard-required\"}\n" ++" auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 
1000 quiet\n" ++" auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if \"with-smartcard\"}\n" ++" auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if \"with-smartcard\"}\n" ++" auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if \"with-smartcard\"}\n" ++" auth sufficient pam_unix.so {if not \"without-nullok\":nullok}\n" ++" auth requisite pam_succeed_if.so uid >= 1000 quiet_success\n" ++" auth sufficient pam_sss.so forward_pass\n" + " auth required pam_deny.so\n" + " ...\n" + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-profiles.5.adoc:208 ++#: src/man/authselect-profiles.5.adoc:201 + #, no-wrap + msgid "CREATING A NEW PROFILE" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:213 ++#: src/man/authselect-profiles.5.adoc:206 + msgid "" + "To register a new profile within authselect, create a directory in one of " + "the authselect profile locations with the files listed above. Not all of the " +@@ -549,20 +510,20 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:217 ++#: src/man/authselect-profiles.5.adoc:210 + msgid "" + "You may find *authselect create-profile* command helpful when creating new " +-"profile. See *authselect(8)* manual page or *authselect create-profile " +-"--help* for more information." ++"profile. See *authselect(8)* manual page or *authselect create-profile --" ++"help* for more information." + msgstr "" + + #. type: Title - +-#: ./src/man/authselect-profiles.5.adoc:219 ++#: src/man/authselect-profiles.5.adoc:212 + #, no-wrap + msgid "SEE ALSO" + msgstr "" + + #. 
type: Plain text +-#: ./src/man/authselect-profiles.5.adoc:220 ++#: src/man/authselect-profiles.5.adoc:213 + msgid "authselect(8), nsswitch.conf(5), PAM(8)" + msgstr "" +diff --git a/src/man/po/authselect.8.adoc.pot b/src/man/po/authselect.8.adoc.pot +index 09bf6e5714249a0ee4271db22577581d7ebdc3e7..097472b8f2b1c0d6f0d5d86e68e884142f25017b 100644 +--- a/src/man/po/authselect.8.adoc.pot ++++ b/src/man/po/authselect.8.adoc.pot +@@ -7,7 +7,7 @@ + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" +-"POT-Creation-Date: 2024-01-18 16:34+0100\n" ++"POT-Creation-Date: 2024-02-23 14:08+0100\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" +@@ -765,120 +765,19 @@ msgid "" + msgstr "" + + #. type: Title - +-#: src/man/authselect.8.adoc:266 +-#, no-wrap +-msgid "NSSWITCH.CONF MANAGEMENT" +-msgstr "" +- +-#. type: Plain text +-#: src/man/authselect.8.adoc:272 +-msgid "" +-"Authselect generates {AUTHSELECT_NSSWITCH_CONF} and does not allow any user " +-"changes to this file. Such changes are detected and authselect will refuse " +-"to write any system configuration unless a *--force* option is provided to " +-"the *select* command. This mechanism prevents authselect from overwriting " +-"anything that does not match any available profile." +-msgstr "" +- +-#. type: Plain text +-#: src/man/authselect.8.adoc:280 +-msgid "" +-"Any user changes to nsswitch maps must be done in file " +-"{AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf. When authselect generates new " +-"_nsswitch.conf_ it reads this file and combines it with configuration from " +-"selected profile. The profile configuration takes always precedence. In " +-"other words, profiles do not have to set all nsswitch maps but can set only " +-"those that are relevant to the profile. If a map is set within a profile, it " +-"always overwrites the same map from _user-nsswitch.conf_." +-msgstr "" +- +-#. 
type: Block title +-#: src/man/authselect.8.adoc:281 +-#, no-wrap +-msgid "Example 1" +-msgstr "" +- +-#. type: delimited block - +-#: src/man/authselect.8.adoc:292 +-#, no-wrap +-msgid "" +-"# \"sssd\" profile\n" +-"$ cat {AUTHSELECT_PROFILE_DIR}/sssd/nsswitch.conf\n" +-"passwd: sss files systemd\n" +-"group: sss files systemd\n" +-"netgroup: sss files\n" +-"automount: sss files\n" +-"services: sss files\n" +-"sudoers: files sss {include if \"with-sudo\"}\n" +-msgstr "" +- +-#. type: delimited block - +-#: src/man/authselect.8.adoc:298 +-#, no-wrap +-msgid "" +-"$ cat {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf\n" +-"passwd: files sss\n" +-"group: files sss\n" +-"hosts: files dns myhostname\n" +-"sudoers: files\n" +-msgstr "" +- +-#. type: delimited block - +-#: src/man/authselect.8.adoc:300 +-#, no-wrap +-msgid "$ authselect select sssd\n" +-msgstr "" +- +-#. type: delimited block - +-#: src/man/authselect.8.adoc:310 +-#, no-wrap +-msgid "" +-"# passwd and group maps from user-nsswitch.conf are ignored\n" +-"$ cat {AUTHSELECT_NSSWITCH_CONF}\n" +-"passwd: sss files systemd\n" +-"group: sss files systemd\n" +-"netgroup: sss files\n" +-"automount: sss files\n" +-"services: sss files\n" +-"hosts: files dns myhostname\n" +-"sudoers: files\n" +-msgstr "" +- +-#. type: delimited block - +-#: src/man/authselect.8.adoc:312 +-#, no-wrap +-msgid "$ authselect select sssd with-sudo\n" +-msgstr "" +- +-#. type: delimited block - +-#: src/man/authselect.8.adoc:322 +-#, no-wrap +-msgid "" +-"# passwd, group and sudoers maps from user-nsswitch.conf are ignored\n" +-"$ cat {AUTHSELECT_NSSWITCH_CONF}\n" +-"passwd: sss files systemd\n" +-"group: sss files systemd\n" +-"netgroup: sss files\n" +-"automount: sss files\n" +-"services: sss files\n" +-"sudoers: files sss\n" +-"hosts: files dns myhostname\n" +-msgstr "" +- +-#. type: Title - +-#: src/man/authselect.8.adoc:326 ++#: src/man/authselect.8.adoc:265 + #, no-wrap + msgid "TROUBLESHOOTING" + msgstr "" + + #. 
type: Title ~ +-#: src/man/authselect.8.adoc:329 ++#: src/man/authselect.8.adoc:268 + #, no-wrap + msgid "How can I tell if my system is using authselect?" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:333 ++#: src/man/authselect.8.adoc:272 + msgid "" + "Use *authselect check*. The output will tell you if you have 1) " + "configuration generated by authselect 2) non-authselect configuration or 3) " +@@ -887,13 +786,13 @@ msgid "" + msgstr "" + + #. type: Title ~ +-#: src/man/authselect.8.adoc:335 ++#: src/man/authselect.8.adoc:274 + #, no-wrap + msgid "Is nsswitch.conf supposed to be a symbolic link now?" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:341 ++#: src/man/authselect.8.adoc:280 + msgid "" + "Authselect generates your system configuration from scratch and stores it at " + "{AUTHSELECT_CONFIG_DIR}. System files are then created as symbolic links to " +@@ -903,18 +802,18 @@ msgid "" + msgstr "" + + #. type: Title ~ +-#: src/man/authselect.8.adoc:343 ++#: src/man/authselect.8.adoc:282 + #, no-wrap + msgid "Error: Unexpected changes to the configuration were detected." + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:345 ++#: src/man/authselect.8.adoc:284 + msgid "For example:" + msgstr "" + + #. type: delimited block . +-#: src/man/authselect.8.adoc:351 ++#: src/man/authselect.8.adoc:290 + #, no-wrap + msgid "" + "[error] [/etc/authselect/nsswitch.conf] does not exist!\n" +@@ -925,7 +824,7 @@ msgid "" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:355 ++#: src/man/authselect.8.adoc:294 + msgid "" + "This means that your configuration is unknown to authselect and as such it " + "will not be modified. To fix this, please call *authselect select* with *--" +@@ -933,101 +832,101 @@ msgid "" + msgstr "" + + #. type: Title - +-#: src/man/authselect.8.adoc:357 ++#: src/man/authselect.8.adoc:296 + #, no-wrap + msgid "RETURN CODES" + msgstr "" + + #. 
type: Plain text +-#: src/man/authselect.8.adoc:359 ++#: src/man/authselect.8.adoc:298 + msgid "The *authselect* can return these exit codes:" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:361 ++#: src/man/authselect.8.adoc:300 + msgid "0: Success." + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:362 ++#: src/man/authselect.8.adoc:301 + msgid "1: Generic error." + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:363 ++#: src/man/authselect.8.adoc:302 + msgid "" + "2: Profile or configuration was not found or the system was not configured " + "with authselect." + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:364 ++#: src/man/authselect.8.adoc:303 + msgid "" + "3: Current configuration is not valid, it was edited without authselect." + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:365 ++#: src/man/authselect.8.adoc:304 + msgid "" + "4: System configuration must be overwritten to activate an authselect " + "profile, --force parameter is needed." + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:366 ++#: src/man/authselect.8.adoc:305 + msgid "5: Executed command must be run as root." + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:367 ++#: src/man/authselect.8.adoc:306 + msgid "6: No configuration was detected." + msgstr "" + + #. type: Title - +-#: src/man/authselect.8.adoc:369 ++#: src/man/authselect.8.adoc:308 + #, no-wrap + msgid "GENERATED FILES" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:372 ++#: src/man/authselect.8.adoc:311 + msgid "" + "Authselect creates and maintains the following files to configure system " + "identity and authentication providers properly." + msgstr "" + + #. type: Labeled list +-#: src/man/authselect.8.adoc:373 ++#: src/man/authselect.8.adoc:312 + #, no-wrap + msgid "*{AUTHSELECT_NSSWITCH_CONF}*" + msgstr "" + + #. 
type: Plain text +-#: src/man/authselect.8.adoc:375 ++#: src/man/authselect.8.adoc:314 + msgid "Name Service Switch configuration file." + msgstr "" + + #. type: Labeled list +-#: src/man/authselect.8.adoc:376 ++#: src/man/authselect.8.adoc:315 + #, no-wrap + msgid "*{AUTHSELECT_PAM_DIR}/system-auth*" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:379 ++#: src/man/authselect.8.adoc:318 + msgid "" + "PAM stack that is included from nearly all individual service configuration " + "files." + msgstr "" + + #. type: Labeled list +-#: src/man/authselect.8.adoc:380 ++#: src/man/authselect.8.adoc:319 + #, no-wrap + msgid "*{AUTHSELECT_PAM_DIR}/password-auth, smartcard-auth, fingerprint-auth*" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:384 ++#: src/man/authselect.8.adoc:323 + msgid "" + "These PAM stacks are for applications which handle authentication from " + "different types of devices via simultaneously running individual " +@@ -1035,13 +934,13 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: src/man/authselect.8.adoc:385 ++#: src/man/authselect.8.adoc:324 + #, no-wrap + msgid "*{AUTHSELECT_PAM_DIR}/postlogin*" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:393 ++#: src/man/authselect.8.adoc:332 + msgid "" + "The purpose of this PAM stack is to provide a common place for all PAM " + "modules which should be called after the stack configured in system-auth or " +@@ -1053,13 +952,13 @@ msgid "" + msgstr "" + + #. type: Labeled list +-#: src/man/authselect.8.adoc:394 ++#: src/man/authselect.8.adoc:333 + #, no-wrap + msgid "*{AUTHSELECT_DCONF_DIR}/{AUTHSELECT_DCONF_FILE}*" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:398 ++#: src/man/authselect.8.adoc:337 + msgid "" + "Changes to dconf database. The main uses case of this file is to set changes " + "for gnome login screen in order to enable or disable smartcard and " +@@ -1067,24 +966,24 @@ msgid "" + msgstr "" + + #. 
type: Labeled list +-#: src/man/authselect.8.adoc:399 ++#: src/man/authselect.8.adoc:338 + #, no-wrap + msgid "*{AUTHSELECT_DCONF_DIR}/locks/{AUTHSELECT_DCONF_FILE}*" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:401 ++#: src/man/authselect.8.adoc:340 + msgid "This file define locks on values set in dconf database." + msgstr "" + + #. type: Title - +-#: src/man/authselect.8.adoc:403 ++#: src/man/authselect.8.adoc:342 + #, no-wrap + msgid "SEE ALSO" + msgstr "" + + #. type: Plain text +-#: src/man/authselect.8.adoc:404 ++#: src/man/authselect.8.adoc:343 + msgid "" + "authselect-profiles(5), authselect-migration(7), nsswitch.conf(5), PAM(8)" + msgstr "" +-- +2.42.0 + diff --git a/SOURCES/0009-profiles-merge-groups-records-with-SUCCESS-merge.patch b/SOURCES/0009-profiles-merge-groups-records-with-SUCCESS-merge.patch new file mode 100644 index 0000000..436d2d0 --- /dev/null +++ b/SOURCES/0009-profiles-merge-groups-records-with-SUCCESS-merge.patch 
@@ -0,0 +1,78 @@ +From 8d8adbd35c741d9038588386414ccbddb99bd31d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 14 Dec 2023 14:16:11 +0100 +Subject: [PATCH 09/11] profiles: merge groups records with [SUCCESS=merge] + +Services such as systemd-homed would like to advertise users which are +part of system groups, such as "wheel". That only works if glibc's +[SUCCESS=merge] feature is used in nsswitch.conf, so that group records +from multiple sources are merged. + +This is documented here: + +https://www.freedesktop.org/software/systemd/man/latest/nss-systemd.html#Configuration%20in%20/etc/nsswitch.conf + +This hence adds [SUCCESS=merge] expressions to all NSS modules listed in +the "groups" lines. +--- + profiles/local/nsswitch.conf | 2 +- + profiles/nis/nsswitch.conf | 2 +- + profiles/sssd/nsswitch.conf | 2 +- + profiles/winbind/nsswitch.conf | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf +index c63692fc00c0815c5ba303ec5b48b6c9d7577df2..8582a955c8d03ea1d122a34cd273326d985bdcfb 100644 +--- a/profiles/local/nsswitch.conf ++++ b/profiles/local/nsswitch.conf +@@ -1,7 +1,7 @@ + # In order of likelihood of use to accelerate lookup. 
+ passwd: files {if "with-altfiles":altfiles }systemd + shadow: files +-group: files {if "with-altfiles":altfiles }systemd ++group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd + hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns + services: files + netgroup: files +diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf +index 685f92c326bc7767ee167a77b7ba782672bf801f..c033812facee9159c76e2d514ac652e4de2e0b6b 100644 +--- a/profiles/nis/nsswitch.conf ++++ b/profiles/nis/nsswitch.conf +@@ -1,7 +1,7 @@ + # In order of likelihood of use to accelerate lookup. + passwd: files {if "with-altfiles":altfiles }nis systemd + shadow: files nis +-group: files {if "with-altfiles":altfiles }nis systemd ++group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd + hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns + services: files nis + netgroup: files nis +diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf +index 58844a62c8f52f8f25477a811b02a5e401120f30..9f194bc82cee52d4e12779def95afa2f794f66bf 100644 +--- a/profiles/sssd/nsswitch.conf ++++ b/profiles/sssd/nsswitch.conf +@@ -1,7 +1,7 @@ + # In order of likelihood of use to accelerate lookup. 
+ passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd + shadow: files +-group: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd ++group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd + hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns + services: files sss + netgroup: files sss +diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf +index f0a97e42e084f94fddd329d4cb93d5b5d1da3360..1591ccb3ffa8bd10b8ff06a0620328e275d09241 100644 +--- a/profiles/winbind/nsswitch.conf ++++ b/profiles/winbind/nsswitch.conf +@@ -1,7 +1,7 @@ + # In order of likelihood of use to accelerate lookup. + passwd: files {if "with-altfiles":altfiles }winbind systemd + shadow: files +-group: files {if "with-altfiles":altfiles }winbind systemd ++group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd + hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns + services: files + netgroup: files +-- +2.42.0 + diff --git a/SOURCES/0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch b/SOURCES/0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch new file mode 100644 index 0000000..440ef32 --- /dev/null +++ b/SOURCES/0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch 
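Review bot: The `group:` lines in all four profiles gain `[SUCCESS=merge]`, but no comment or README text says that this widens which sources can populate a local group. Before, a hit in `files` ended the lookup; with merge, glibc combines the member list with a record of the same name and GID from the next source, so `nis`, `sss` or `winbind` can contribute members to a local group such as `wheel` in what `getgrnam()`/`getgrgid()` return. I would add a comment above each `group:` line, e.g. `# [SUCCESS=merge]: members of a same-named group from later sources are added to the local record (this includes wheel and other privileged groups)`, and repeat it in the profile READMEs. The rhel10 patch 0901 later in this import removes systemd-homed, which is the motivation given here, so it is worth confirming that the merge is still wanted for every source, the network-backed nis profile in particular.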
@@ -0,0 +1,26 @@ +From 565d8a76f1d6ec6c23cd38f7aa4812426e8cb460 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 23 Feb 2024 14:18:00 +0100 +Subject: [PATCH 10/11] spec: use altfiles with success=merge on ostree systems + as well + +--- + rpm/authselect.spec.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in +index 350ca953632f21be861c1ee75f25f71d107ca1ee..39c4ca66058e0749e6d3aea6e7ff76a7a06c4ecc 100644 +--- a/rpm/authselect.spec.in ++++ b/rpm/authselect.spec.in +@@ -223,7 +223,7 @@ exit 0 + if test -e /run/ostree-booted; then + for PROFILE in `ls %{_datadir}/authselect/default`; do + %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null +- %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null ++ %__sed -ie 's/{if "with-altfiles":altfiles \[SUCCESS=merge\] }/altfiles [SUCCESS=merge] /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null + done + fi + +-- +2.42.0 + diff --git a/SOURCES/0011-profiles-put-myhostname-before-dns.patch b/SOURCES/0011-profiles-put-myhostname-before-dns.patch new file mode 100644 index 0000000..33fb9c7 --- /dev/null +++ b/SOURCES/0011-profiles-put-myhostname-before-dns.patch 
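Review bot: The new sed expression only matches `{if "with-altfiles":altfiles [SUCCESS=merge] }`, which patch 0009 puts on the `group:` lines; the `passwd:` lines in the same profiles still read `{if "with-altfiles":altfiles }`, so on ostree systems they are no longer rewritten and altfiles appears to stay conditional for passwd. If both databases should keep altfiles forced on, pass both expressions: `%__sed -i -e 's/{if "with-altfiles":altfiles }/altfiles /g' -e 's/{if "with-altfiles":altfiles \[SUCCESS=merge\] }/altfiles [SUCCESS=merge] /g' ...`. Writing `-i -e` rather than `-ie` also stops GNU sed from reading `e` as a backup suffix and leaving an `nsswitch.confe` copy in the vendor profile directory. Because the command is redirected to `/dev/null`, a pattern that stops matching goes unnoticed, so a follow-up check that no `with-altfiles` placeholder remains would help. The scriptlet this line belongs to starts outside the hunk.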
@@ -0,0 +1,72 @@ +From 7b7889507928610b37b73641d28d5bbe3f763a4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 23 Feb 2024 17:22:45 +0100 +Subject: [PATCH 11/11] profiles: put myhostname before dns + +To allow `hostname --fqdn` to work correctly. Putting myhostname early +prevents lookup of canonical hostname if only shortname is provided. + +myhostname has been moved back and forth several times, it looks +like this place is now functional and works as expected. +--- + profiles/local/nsswitch.conf | 2 +- + profiles/nis/nsswitch.conf | 2 +- + profiles/sssd/nsswitch.conf | 2 +- + profiles/winbind/nsswitch.conf | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf +index 8582a955c8d03ea1d122a34cd273326d985bdcfb..538926e4d5cc8c190a7b2d10fd3756ad3269a720 100644 +--- a/profiles/local/nsswitch.conf ++++ b/profiles/local/nsswitch.conf +@@ -2,7 +2,7 @@ + passwd: files {if "with-altfiles":altfiles }systemd + shadow: files + group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd +-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns ++hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns + services: files + netgroup: files + automount: files +diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf +index c033812facee9159c76e2d514ac652e4de2e0b6b..488476e91879b549fe605008d500b1810360f3be 100644 +--- a/profiles/nis/nsswitch.conf ++++ 
b/profiles/nis/nsswitch.conf +@@ -2,7 +2,7 @@ + passwd: files {if "with-altfiles":altfiles }nis systemd + shadow: files nis + group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd +-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns ++hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns + services: files nis + netgroup: files nis + automount: files nis +diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf +index 9f194bc82cee52d4e12779def95afa2f794f66bf..b98094d9e0eaeb1559347b81a9505822ff713034 100644 +--- a/profiles/sssd/nsswitch.conf ++++ b/profiles/sssd/nsswitch.conf +@@ -2,7 +2,7 @@ + passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd + shadow: files + group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd +-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns ++hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and 
"with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns + services: files sss + netgroup: files sss + sudoers: files sss {include if "with-sudo"} +diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf +index 1591ccb3ffa8bd10b8ff06a0620328e275d09241..cc966b34464bb28776b903d61fff1f6a94a1eb6f 100644 +--- a/profiles/winbind/nsswitch.conf ++++ b/profiles/winbind/nsswitch.conf +@@ -2,7 +2,7 @@ + passwd: files {if "with-altfiles":altfiles }winbind systemd + shadow: files + group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd +-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns ++hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns + services: files + netgroup: files + automount: files +-- +2.42.0 + diff --git a/SOURCES/0901-rhel10-remove-systemd-homed.patch b/SOURCES/0901-rhel10-remove-systemd-homed.patch new file mode 100644 index 0000000..2b28c62 --- /dev/null +++ b/SOURCES/0901-rhel10-remove-systemd-homed.patch 
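Review bot: `myhostname` now sits after `resolve [!UNAVAIL=return]` (and after `nis` in the nis profile), so the machine's own name is answered by mDNS, systemd-resolved or NIS before the local module is consulted, and nothing in the profiles records why. The commit message says this entry has moved back and forth several times, so a comment above the `hosts:` line would protect the ordering, e.g. `# myhostname after resolve so that hostname --fqdn returns the canonical name; it is reached only when resolve is unavailable`. For the nis profile the README could add that a host which depends on its own name for access decisions should list it in /etc/hosts, since `files` is still consulted first. This applies to the `hosts:` line in all four profile hunks.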
@@ -0,0 +1,376 @@ +From 054c83d1a40d5e0f98230d0f6ac34bd7ecdf383e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 23 Feb 2024 15:49:09 +0100 +Subject: [PATCH 1/3] rhel10: remove systemd-homed + +systemd-homed is not present in rhel. +--- + profiles/local/README | 3 --- + profiles/local/password-auth | 4 ---- + profiles/local/system-auth | 4 ---- + profiles/nis/README | 3 --- + profiles/nis/REQUIREMENTS | 3 --- + profiles/nis/password-auth | 4 ---- + profiles/nis/system-auth | 4 ---- + profiles/sssd/README | 3 --- + profiles/sssd/REQUIREMENTS | 3 --- + profiles/sssd/password-auth | 4 ---- + profiles/sssd/system-auth | 4 ---- + profiles/winbind/README | 3 --- + profiles/winbind/REQUIREMENTS | 3 --- + profiles/winbind/password-auth | 4 ---- + profiles/winbind/system-auth | 4 ---- + 15 files changed, 53 deletions(-) + +diff --git a/profiles/local/README b/profiles/local/README +index 03f602441fe95ee280b575508f20d1f1de949b25..eedb298090b5b7c068ee1dfec0ee36c8b3086af4 100644 +--- a/profiles/local/README ++++ b/profiles/local/README +@@ -54,9 +54,6 @@ with-mdns4:: + with-mdns6:: + Enable multicast DNS over IPv6. + +-with-systemd-homed:: +- If set, pam_systemd_homed is enabled for all pam operations. +- + with-libvirt:: + Enable connecting to libvirt VMs using the hostname configured in the + guest OS or, as a fallback, their name. 
+diff --git a/profiles/local/password-auth b/profiles/local/password-auth +index 13e10d93b1d43ade8c45c32c50c613f6cf2abcca..d50d7e1fefaf257b8ddcdd1610004ffca9d93634 100644 +--- a/profiles/local/password-auth ++++ b/profiles/local/password-auth +@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth + auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} + auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} + auth sufficient pam_unix.so {if not "without-nullok":nullok} +-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} + auth required pam_faillock.so authfail {include if "with-faillock"} + auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} + auth required pam_deny.so + + account required pam_access.so {include if "with-pamaccess"} + account required pam_faillock.so {include if "with-faillock"} +-account sufficient pam_systemd_home.so {include if "with-systemd-homed"} + account required pam_unix.so + +-password sufficient pam_systemd_home.so {include if "with-systemd-homed"} + password requisite pam_pwquality.so + password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} + password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} +@@ -24,7 +21,6 @@ password required pam_deny.so + session optional pam_keyinit.so revoke + session required pam_limits.so + session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +-session optional pam_systemd_home.so {include if "with-systemd-homed"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/local/system-auth b/profiles/local/system-auth +index 7f3c56adb2329dd4a08b1cb08b63e8d0d9b13c86..290cd24eb9c50f196d6fc68a3688f097f49159fe 100644 +--- a/profiles/local/system-auth ++++ 
b/profiles/local/system-auth +@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so + auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} + auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} + auth sufficient pam_unix.so {if not "without-nullok":nullok} +-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} + auth required pam_faillock.so authfail {include if "with-faillock"} + auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} + auth required pam_deny.so + + account required pam_access.so {include if "with-pamaccess"} + account required pam_faillock.so {include if "with-faillock"} +-account sufficient pam_systemd_home.so {include if "with-systemd-homed"} + account required pam_unix.so + +-password sufficient pam_systemd_home.so {include if "with-systemd-homed"} + password requisite pam_pwquality.so + password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} + password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} +@@ -25,7 +22,6 @@ password required pam_deny.so + session optional pam_keyinit.so revoke + session required pam_limits.so + session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +-session optional pam_systemd_home.so {include if "with-systemd-homed"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/nis/README b/profiles/nis/README +index e3a1a0b986689bfd43d9531464bcd8fa7a0f5237..745138bbdb1e045db41990dcb8864477d3408e36 100644 +--- a/profiles/nis/README ++++ b/profiles/nis/README +@@ -65,9 +65,6 @@ with-mdns4:: + with-mdns6:: + Enable multicast DNS over IPv6. + +-with-systemd-homed:: +- If set, pam_systemd_homed is enabled for all pam operations. 
+- + without-nullok:: + Do not add nullok parameter to pam_unix. + +diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS +index 3e32879eba37e1bd2692aa2852c87036bfa78ed5..d8fe0456ee2b351e98af374fc0206717e6994031 100644 +--- a/profiles/nis/REQUIREMENTS ++++ b/profiles/nis/REQUIREMENTS +@@ -16,6 +16,3 @@ Make sure that NIS service is configured and enabled. See NIS documentation for + - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} + {include if "with-libvirt"} + - with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"} +- {include if "with-systemd-homed"} +-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"} +- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"} +diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth +index 45af4792df9f661fe04e1060e32cc6c0aa38c7c4..927fbcbda8fa4e910e29c88a3806fb5265bbc7bc 100644 +--- a/profiles/nis/password-auth ++++ b/profiles/nis/password-auth +@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth + auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} + auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} + auth sufficient pam_unix.so {if not "without-nullok":nullok} +-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} + auth required pam_faillock.so authfail {include if "with-faillock"} + auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} + auth required pam_deny.so + + account required pam_access.so {include if "with-pamaccess"} + account required pam_faillock.so {include if "with-faillock"} +-account sufficient pam_systemd_home.so {include if "with-systemd-homed"} + account required pam_unix.so broken_shadow + +-password sufficient pam_systemd_home.so {include if "with-systemd-homed"} + password requisite 
pam_pwquality.so {if not "with-nispwquality":local_users_only} + password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} + password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} +@@ -24,7 +21,6 @@ password required pam_deny.so + session optional pam_keyinit.so revoke + session required pam_limits.so + session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +-session optional pam_systemd_home.so {include if "with-systemd-homed"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth +index 0bd022ee2286f37a5becb0daba2a5813693300a9..40a1bf74aaf3d721c4d720938e57766bfe651e47 100644 +--- a/profiles/nis/system-auth ++++ b/profiles/nis/system-auth +@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so + auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} + auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} + auth sufficient pam_unix.so {if not "without-nullok":nullok} +-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} + auth required pam_faillock.so authfail {include if "with-faillock"} + auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} + auth required pam_deny.so + + account required pam_access.so {include if "with-pamaccess"} + account required pam_faillock.so {include if "with-faillock"} +-account sufficient pam_systemd_home.so {include if "with-systemd-homed"} + account required pam_unix.so broken_shadow + +-password sufficient pam_systemd_home.so {include if "with-systemd-homed"} + password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only} + password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} + password 
requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} +@@ -25,7 +22,6 @@ password required pam_deny.so + session optional pam_keyinit.so revoke + session required pam_limits.so + session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +-session optional pam_systemd_home.so {include if "with-systemd-homed"} + -session optional pam_systemd.so + session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} + session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +diff --git a/profiles/sssd/README b/profiles/sssd/README +index f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d..a497da5dcffd0a03a122677c49ee2f8021927b04 100644 +--- a/profiles/sssd/README ++++ b/profiles/sssd/README +@@ -106,9 +106,6 @@ with-gssapi:: + with-subid:: + Enable SSSD as a source of subid database in /etc/nsswitch.conf. + +-with-systemd-homed:: +- If set, pam_systemd_homed is enabled for all pam operations. +- + without-nullok:: + Do not add nullok parameter to pam_unix. + +diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS +index 6aaf7c771f7c1bcbf2aee7152422acc9d53c71f5..b36f6069a54a5f711a10aa0700f33e1a8e37794e 100644 +--- a/profiles/sssd/REQUIREMENTS ++++ b/profiles/sssd/REQUIREMENTS +@@ -25,6 +25,3 @@ Make sure that SSSD service is configured and enabled. 
See SSSD documentation fo + - with-tlog is selected, make sure that session recording is enabled in SSSD {include if "with-tlog"} + {include if "with-libvirt"} + - with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"} +- {include if "with-systemd-homed"} +-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"} +- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"} +diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth +index 97c33b678706e7eeb86bf45251baa41739f2940f..f468507b938ea2a7ac305a65f5fdea14a1ae10f1 100644 +--- a/profiles/sssd/password-auth ++++ b/profiles/sssd/password-auth +@@ -7,7 +7,6 @@ auth required pam_u2f.so cue {if not + auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular + auth [default=1 ignore=ignore success=ok] pam_localuser.so + auth sufficient pam_unix.so {if not "without-nullok":nullok} +-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} + auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular + auth sufficient pam_sss.so forward_pass + auth required pam_faillock.so authfail {include if "with-faillock"} +@@ -16,14 +15,12 @@ auth required pam_deny.so + + account required pam_access.so {include if "with-pamaccess"} + account required pam_faillock.so {include if "with-faillock"} +-account sufficient pam_systemd_home.so {include if "with-systemd-homed"} + account required pam_unix.so + account sufficient pam_localuser.so {exclude if "with-files-access-provider"} + account sufficient pam_usertype.so issystem + account [default=bad success=ok user_unknown=ignore] pam_sss.so + account required pam_permit.so + +-password sufficient pam_systemd_home.so {include if "with-systemd-homed"} + password requisite pam_pwquality.so local_users_only + password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} + password 
requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+@@ -35,7 +32,6 @@ password required pam_deny.so
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+ session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-session optional pam_systemd_home.so {include if "with-systemd-homed"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index 90c3504a414f0a151475cc207285b230fec381b1..870e4d7024066e3e40786bde6c3c39c7ba8d62c0 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -12,7 +12,6 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so
+ auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
+ auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
+-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
+ auth sufficient pam_sss_gss.so {include if "with-gssapi"}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+@@ -23,14 +22,12 @@ auth required pam_deny.so
+
+ account required pam_access.so {include if "with-pamaccess"}
+ account required pam_faillock.so {include if "with-faillock"}
+-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ account required pam_unix.so
+ account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+ account sufficient pam_usertype.so issystem
+ account [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account required pam_permit.so
+
+-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ password requisite pam_pwquality.so local_users_only
+ password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+ password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+@@ -42,7 +39,6 @@ password required pam_deny.so
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+ session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-session optional pam_systemd_home.so {include if "with-systemd-homed"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index f65870d1d03da6465ad446dac87ed141d7115d8b..8844e1da2003a0266dfe8937774d6d6f7dad0210 100644
+--- a/profiles/winbind/README
++++ b/profiles/winbind/README
+@@ -75,9 +75,6 @@ with-mdns4::
+ with-mdns6::
+ Enable multicast DNS over IPv6.
+
+-with-systemd-homed::
+- If set, pam_systemd_homed is enabled for all pam operations.
+-
+ without-nullok::
+ Do not add nullok parameter to pam_unix.
+
+diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS
+index 232f6ee986ac66c5fed972c91c17080e0740e5c7..31a37d74ca5a4c46415545b8f6e0f61e8ad3b433 100644
+--- a/profiles/winbind/REQUIREMENTS
++++ b/profiles/winbind/REQUIREMENTS
+@@ -16,6 +16,3 @@ Make sure that winbind service is configured and enabled. See winbind documentat
+ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-libvirt"}
+ - with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
+- {include if "with-systemd-homed"}
+-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
+- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
+diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
+index 8d74149dd48643dbb4b80d62600d3ece0868ec30..8d1682b9301c2b9c92292a41120f69611f148108 100644
+--- a/profiles/winbind/password-auth
++++ b/profiles/winbind/password-auth
+@@ -4,7 +4,6 @@ auth required pam_faillock.so preauth
+ auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+ auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
+-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+ auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+@@ -13,14 +12,12 @@ auth required pam_deny.so
+
+ account required pam_access.so {include if "with-pamaccess"}
+ account required pam_faillock.so {include if "with-faillock"}
+-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ account required pam_unix.so broken_shadow
+ account sufficient pam_localuser.so
+ account sufficient pam_usertype.so issystem
+ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
+ account required pam_permit.so
+
+-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ password requisite pam_pwquality.so local_users_only
+ password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+ password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+@@ -31,7 +28,6 @@ password required pam_deny.so
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+ session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-session optional pam_systemd_home.so {include if "with-systemd-homed"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
+index 2326c859284c5823c5a6d34390d794dbf33110d2..612143d10fe502d7f6ed636b4fba6cc639aa66b0 100644
+--- a/profiles/winbind/system-auth
++++ b/profiles/winbind/system-auth
+@@ -5,7 +5,6 @@ auth sufficient pam_fprintd.so
+ auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+ auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
+-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+ auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+@@ -14,14 +13,12 @@ auth required pam_deny.so
+
+ account required pam_access.so {include if "with-pamaccess"}
+ account required pam_faillock.so {include if "with-faillock"}
+-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ account required pam_unix.so broken_shadow
+ account sufficient pam_localuser.so
+ account sufficient pam_usertype.so issystem
+ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
+ account required pam_permit.so
+
+-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+ password requisite pam_pwquality.so local_users_only
+ password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+ password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+@@ -32,7 +29,6 @@ password required pam_deny.so
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+ session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-session optional pam_systemd_home.so {include if "with-systemd-homed"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+--
+2.42.0
+
diff --git a/SOURCES/0902-rhel10-remove-ecryptfs-support.patch b/SOURCES/0902-rhel10-remove-ecryptfs-support.patch
new file mode 100644
index 0000000..fda2f95
--- /dev/null
+++ b/SOURCES/0902-rhel10-remove-ecryptfs-support.patch
@@ -0,0 +1,250 @@
+From 3167eaadde7a3f997925172b8d77cb380bf0d9d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 10 Jun 2019 10:53:15 +0200
+Subject: [PATCH 2/3] rhel10: remove ecryptfs support
+
+ecryptfs-utils is not present in rhel.
+---
+ profiles/nis/README | 3 ---
+ profiles/nis/fingerprint-auth | 1 -
+ profiles/nis/password-auth | 1 -
+ profiles/nis/postlogin | 4 ----
+ profiles/nis/system-auth | 1 -
+ profiles/sssd/README | 3 ---
+ profiles/sssd/fingerprint-auth | 1 -
+ profiles/sssd/password-auth | 1 -
+ profiles/sssd/postlogin | 4 ----
+ profiles/sssd/smartcard-auth | 1 -
+ profiles/sssd/system-auth | 1 -
+ profiles/winbind/README | 3 ---
+ profiles/winbind/fingerprint-auth | 1 -
+ profiles/winbind/password-auth | 1 -
+ profiles/winbind/postlogin | 4 ----
+ profiles/winbind/system-auth | 1 -
+ src/man/authselect-migration.7.adoc | 5 ++---
+ 17 files changed, 2 insertions(+), 34 deletions(-)
+
+diff --git a/profiles/nis/README b/profiles/nis/README
+index 745138bbdb1e045db41990dcb8864477d3408e36..3e2f8b01fa37f8c7060a9c263f66c3df9782061d 100644
+--- a/profiles/nis/README
++++ b/profiles/nis/README
+@@ -21,9 +21,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
+index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be2982bdf36cb 100644
+--- a/profiles/nis/fingerprint-auth
++++ b/profiles/nis/fingerprint-auth
+@@ -15,7 +15,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
+index 927fbcbda8fa4e910e29c88a3806fb5265bbc7bc..56a51d9eebb2987da340805ddb4e4a6752ebdeb2 100644
+--- a/profiles/nis/password-auth
++++ b/profiles/nis/password-auth
+@@ -20,7 +20,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/nis/postlogin
++++ b/profiles/nis/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
+index 40a1bf74aaf3d721c4d720938e57766bfe651e47..74cf6ece9ce0b1b64b122fd2309ebf5d496c4787 100644
+--- a/profiles/nis/system-auth
++++ b/profiles/nis/system-auth
+@@ -21,7 +21,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index a497da5dcffd0a03a122677c49ee2f8021927b04..2038a32b682f36d9eef51fda138730abc9666279 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -35,9 +35,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-smartcard::
+ Enable authentication with smartcards through SSSD. Please note that
+ smartcard support must be also explicitly enabled within
+diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
+index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e5232126df55564 100644
+--- a/profiles/sssd/fingerprint-auth
++++ b/profiles/sssd/fingerprint-auth
+@@ -20,7 +20,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
+index f468507b938ea2a7ac305a65f5fdea14a1ae10f1..c15121ad00ff00dfcd1743341594c853ba734d9c 100644
+--- a/profiles/sssd/password-auth
++++ b/profiles/sssd/password-auth
+@@ -31,7 +31,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/sssd/postlogin
++++ b/profiles/sssd/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
+index 78cb329bf332f4d629740a0fff7d2dfe43f7d78d..13d3ee71f4d02c4ede777be6337031fc67baaa63 100644
+--- a/profiles/sssd/smartcard-auth
++++ b/profiles/sssd/smartcard-auth
+@@ -18,7 +18,6 @@ account required pam_permit.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index 870e4d7024066e3e40786bde6c3c39c7ba8d62c0..4ea19acebe2208f9e21676bf0ae0a92e9a92b1f4 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -38,7 +38,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index 8844e1da2003a0266dfe8937774d6d6f7dad0210..7397bb9a6c8086b9720cc355d98de70b8107e79b 100644
+--- a/profiles/winbind/README
++++ b/profiles/winbind/README
+@@ -33,9 +33,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
+index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a41202d21fd67 100644
+--- a/profiles/winbind/fingerprint-auth
++++ b/profiles/winbind/fingerprint-auth
+@@ -19,7 +19,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
+index 8d1682b9301c2b9c92292a41120f69611f148108..8b260fa06f5ed8494d1f6fac74517d3a54622693 100644
+--- a/profiles/winbind/password-auth
++++ b/profiles/winbind/password-auth
+@@ -27,7 +27,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/winbind/postlogin
++++ b/profiles/winbind/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
+index 612143d10fe502d7f6ed636b4fba6cc639aa66b0..33aa13efb92405393236c3511ebb351facd916f0 100644
+--- a/profiles/winbind/system-auth
++++ b/profiles/winbind/system-auth
+@@ -28,7 +28,6 @@ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
+index 8cc58e60301925974fdb738c5b9a746749981df8..9056913dee9eef1590c8590d3cc0b51005a98af3 100644
+--- a/src/man/authselect-migration.7.adoc
++++ b/src/man/authselect-migration.7.adoc
+@@ -85,7 +85,6 @@ endif::[]
+ |*Authconfig options* |*Authselect profile feature*
+ |--enablesmartcard |with-smartcard
+ |--enablefingerprint |with-fingerprint
+-|--enableecryptfs |with-ecryptfs
+ |--enablemkhomedir |with-mkhomedir
+ |--enablefaillock |with-faillock
+ |--enablepamaccess |with-pamaccess
+@@ -108,8 +107,8 @@ authselect select sssd with-faillock
+ authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
+ authselect select sssd with-smartcard
+
+-authconfig --enableecryptfs --enablepamaccess --updateall
+-authselect select sssd with-ecryptfs with-pamaccess
++authconfig --enablepamaccess --updateall
++authselect select sssd with-pamaccess
+
+ authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
+ realm join -U Administrator --client-software=winbind WINBINDDOMAIN
+--
+2.42.0
+
diff --git a/SOURCES/0903-rhel10-remove-systemd-resolved.patch b/SOURCES/0903-rhel10-remove-systemd-resolved.patch
new file mode 100644
index 0000000..545e5a1
--- /dev/null
+++ b/SOURCES/0903-rhel10-remove-systemd-resolved.patch
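Review bot: In the `profiles/sssd/smartcard-auth` part of this patch the context line reads `session optional pam_systemd.so`, while the nine other PAM stack files touched here all carry `-session optional pam_systemd.so`. The leading `-` tells libpam not to log when the module cannot be loaded, so without it a host that lacks pam_systemd would presumably write an error to the auth log for smartcard sessions, which is noise an analyst then has to filter out. The line is unchanged context and the rest of that file is outside the hunk, so this may be intentional upstream. If it is not, I would align it to `-session optional pam_systemd.so` in a separate change rather than fold it into the ecryptfs removal.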
@@ -0,0 +1,68 @@
+From b259ca399de497e0fc5e0763257e89bcc2e5a902 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 23 Feb 2024 16:01:58 +0100
+Subject: [PATCH 3/3] rhel10: remove systemd-resolved
+
+systemd-resolved should not be enabled by default in rhel.
+---
+ profiles/local/nsswitch.conf | 2 +-
+ profiles/nis/nsswitch.conf | 2 +-
+ profiles/sssd/nsswitch.conf | 2 +-
+ profiles/winbind/nsswitch.conf | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
+index 538926e4d5cc8c190a7b2d10fd3756ad3269a720..1ad4276566f775086fc091d8e1c35d4ac94a9786 100644
+--- a/profiles/local/nsswitch.conf
++++ b/profiles/local/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd: files {if "with-altfiles":altfiles }systemd
+ shadow: files
+ group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
+-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
++hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+ services: files
+ netgroup: files
+ automount: files
+diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
+index 488476e91879b549fe605008d500b1810360f3be..88110258a69e7366980944ec3ccd9c79c0a1b323 100644
+--- a/profiles/nis/nsswitch.conf
++++ b/profiles/nis/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd: files {if "with-altfiles":altfiles }nis systemd
+ shadow: files nis
+ group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
+-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
++hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis myhostname dns
+ services: files nis
+ netgroup: files nis
+ automount: files nis
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index b98094d9e0eaeb1559347b81a9505822ff713034..89a1f230487a18d12ff9c3862e3394035bf17cff 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
+ shadow: files
+ group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
+-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
++hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+ services: files sss
+ netgroup: files sss
+ sudoers: files sss {include if "with-sudo"}
+diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
+index cc966b34464bb28776b903d61fff1f6a94a1eb6f..5315640e39f7c84b4c138f393fa3b5c970e4afa5 100644
+--- a/profiles/winbind/nsswitch.conf
++++ b/profiles/winbind/nsswitch.conf
+@@ -2,7 +2,7 @@
+ passwd: files {if "with-altfiles":altfiles }winbind systemd
+ shadow: files
+ group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
+-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
++hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+ services: files
+ netgroup: files
+ automount: files
+--
+2.42.0
+
diff --git a/SPECS/authselect.spec b/SPECS/authselect.spec
new file mode 100644
index 0000000..c977b7c
--- /dev/null
+++ b/SPECS/authselect.spec
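Review bot: The four `hosts:` lines drop `resolve [!UNAVAIL=return]` unconditionally, and the patch description says only that systemd-resolved should not be enabled by default, not what happens on a host where it is running anyway. With the module gone, glibc lookups fall through to `dns`, which uses whatever /etc/resolv.conf names, so any DNSSEC validation or DNS-over-TLS policy configured in resolved only applies if resolv.conf points at its stub listener. I would add a sentence to the description such as `Hosts that run systemd-resolved must point /etc/resolv.conf at its stub resolver, otherwise lookups bypass it.` Whether opting back in should stay possible through a conditional, in the style these lines already use for mdns, is a design call for the maintainers.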
@@ -0,0 +1,481 @@
+# Do not terminate build if language files are empty.
+%define _empty_manifest_terminate_build 0
+
+Name: authselect
+Version: 1.5.0
+Release: 6%{?dist}
+Summary: Configures authentication and identity sources from supported profiles
+URL: https://github.com/authselect/authselect
+
+License: GPL-3.0-or-later
+Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+%global makedir %{_builddir}/%{name}-%{version}
+
+# Disable NIS profile on RHEL
+%if 0%{?rhel}
+%global with_nis_profile 0
+%else
+%global with_nis_profile 1
+%endif
+
+# Set the default profile
+%{?fedora:%global default_profile local with-silent-lastlog}
+%{?rhel:%global default_profile local}
+
+# Patches
+Patch0001: 0001-sssd-reintroduce-with-files-access-provider.patch
+Patch0002: 0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
+Patch0003: 0003-po-update-translations.patch
+Patch0004: 0004-nis-install-nis-profile-conditionally.patch
+Patch0005: 0005-configure-drop-user-nsswitch.conf-support.patch
+Patch0006: 0006-configure-drop-authconfig-compat-tool.patch
+Patch0007: 0007-ci-remove-python-checks.patch
+Patch0008: 0008-pot-update-pot-files.patch
+Patch0009: 0009-profiles-merge-groups-records-with-SUCCESS-merge.patch
+Patch0010: 0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch
+Patch0011: 0011-profiles-put-myhostname-before-dns.patch
+
+# RHEL-only patches
+%if 0%{?rhel}
+Patch0901: 0901-rhel10-remove-systemd-homed.patch
+Patch0902: 0902-rhel10-remove-ecryptfs-support.patch
+Patch0903: 0903-rhel10-remove-systemd-resolved.patch
+%endif
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: findutils
+BuildRequires: libtool
+BuildRequires: m4
+BuildRequires: gcc
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(popt)
+BuildRequires: gettext-devel
+BuildRequires: po4a
+BuildRequires: %{_bindir}/a2x
+BuildRequires: libcmocka-devel >= 1.0.0
+BuildRequires: libselinux-devel
+Requires: authselect-libs%{?_isa} = %{version}-%{release}
+Suggests: sssd
+Suggests: samba-winbind
+Suggests: fprintd-pam
+Suggests: oddjob-mkhomedir
+
+# Properly obsolete removed authselect-compat package.
+Obsoletes: authselect-compat < 1.3
+
+%description
+Authselect is designed to be a replacement for authconfig but it takes
+a different approach to configure the system. Instead of letting
+the administrator build the PAM stack with a tool (which may potentially
+end up with a broken configuration), it would ship several tested stacks
+(profiles) that solve a use-case and are well tested and supported.
+At the same time, some obsolete features of authconfig are not
+supported by authselect.
+
+%package libs
+Summary: Utility library used by the authselect tool
+# Required by scriptlets
+Requires: coreutils
+Requires: sed
+Suggests: systemd
+
+%description libs
+Common library files for authselect. This package is used by the authselect
+command line tool and any other potential front-ends.
+
+%package devel
+Summary: Development libraries and headers for authselect
+Requires: authselect-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+System header files and development libraries for authselect. Useful if
+you develop a front-end for the authselect library.
+
+%prep
+%setup -q
+
+for p in %patches ; do
+ %__patch -p1 -i $p
+done
+
+%build
+autoreconf -if
+%configure \
+%if %{with_nis_profile}
+ --with-nis-profile \
+%endif
+ %{nil}
+
+%make_build
+
+%check
+%make_build check
+
+%install
+%make_install
+
+# Find translations
+%find_lang %{name}
+%find_lang %{name} %{name}.8.lang --with-man
+%find_lang %{name}-migration %{name}-migration.7.lang --with-man
+%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
+
+# We want this file to contain only manual page translations
+%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
+
+# Remove .la and .a files created by libtool
+find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
+find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
+
+%ldconfig_scriptlets libs
+
+%files libs -f %{name}.lang -f %{name}-profiles.5.lang
+%dir %{_sysconfdir}/authselect
+%dir %{_sysconfdir}/authselect/custom
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
+%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
+%dir %{_localstatedir}/lib/authselect
+%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
+%dir %{_datadir}/authselect
+%dir %{_datadir}/authselect/vendor
+%dir %{_datadir}/authselect/default
+%dir %{_datadir}/authselect/default/local/
+%dir %{_datadir}/authselect/default/sssd/
+%dir %{_datadir}/authselect/default/winbind/
+%{_datadir}/authselect/default/local/dconf-db
+%{_datadir}/authselect/default/local/dconf-locks
+%{_datadir}/authselect/default/local/fingerprint-auth
+%{_datadir}/authselect/default/local/nsswitch.conf
+%{_datadir}/authselect/default/local/password-auth
+%{_datadir}/authselect/default/local/postlogin
+%{_datadir}/authselect/default/local/README
+%{_datadir}/authselect/default/local/REQUIREMENTS
+%{_datadir}/authselect/default/local/smartcard-auth
+%{_datadir}/authselect/default/local/system-auth
+%{_datadir}/authselect/default/sssd/dconf-db
+%{_datadir}/authselect/default/sssd/dconf-locks
+%{_datadir}/authselect/default/sssd/fingerprint-auth
+%{_datadir}/authselect/default/sssd/nsswitch.conf
+%{_datadir}/authselect/default/sssd/password-auth
+%{_datadir}/authselect/default/sssd/postlogin
+%{_datadir}/authselect/default/sssd/README
+%{_datadir}/authselect/default/sssd/REQUIREMENTS
+%{_datadir}/authselect/default/sssd/smartcard-auth
+%{_datadir}/authselect/default/sssd/system-auth
+%{_datadir}/authselect/default/winbind/dconf-db
+%{_datadir}/authselect/default/winbind/dconf-locks
+%{_datadir}/authselect/default/winbind/fingerprint-auth
+%{_datadir}/authselect/default/winbind/nsswitch.conf
+%{_datadir}/authselect/default/winbind/password-auth
+%{_datadir}/authselect/default/winbind/postlogin
+%{_datadir}/authselect/default/winbind/README
+%{_datadir}/authselect/default/winbind/REQUIREMENTS
+%{_datadir}/authselect/default/winbind/smartcard-auth
+%{_datadir}/authselect/default/winbind/system-auth
+%if %{with_nis_profile}
+%dir %{_datadir}/authselect/default/nis/
+%{_datadir}/authselect/default/nis/dconf-db
+%{_datadir}/authselect/default/nis/dconf-locks
+%{_datadir}/authselect/default/nis/fingerprint-auth
+%{_datadir}/authselect/default/nis/nsswitch.conf
+%{_datadir}/authselect/default/nis/password-auth
+%{_datadir}/authselect/default/nis/postlogin
+%{_datadir}/authselect/default/nis/README
+%{_datadir}/authselect/default/nis/REQUIREMENTS
+%{_datadir}/authselect/default/nis/smartcard-auth
+%{_datadir}/authselect/default/nis/system-auth
+%endif
+%{_libdir}/libauthselect.so.*
+%{_mandir}/man5/authselect-profiles.5*
+%{_datadir}/doc/authselect/COPYING
+%{_datadir}/doc/authselect/README.md
+%license COPYING
+%doc README.md
+
+%files devel
+%{_includedir}/authselect.h
+%{_libdir}/libauthselect.so
+%{_libdir}/pkgconfig/authselect.pc
+
+%files -f %{name}.8.lang -f %{name}-migration.7.lang
+%{_bindir}/authselect
+%{_mandir}/man8/authselect.8*
+%{_mandir}/man7/authselect-migration.7*
+%{_sysconfdir}/bash_completion.d/authselect-completion.sh
+
+%preun
+if [ $1 == 0 ] ; then
+ # Remove authselect symbolic links so all authselect files can be
+ # deleted safely. If this fail, the uninstallation must fail to avoid
+ # breaking the system by removing PAM files. However, the command can
+ # only fail if it can not write to the file system.
+ %{_bindir}/authselect opt-out
+fi
+
+%posttrans libs
+# Keep nss-altfiles for all rpm-ostree based systems.
+# See https://github.com/authselect/authselect/issues/48
+if test -e /run/ostree-booted; then
+ for PROFILE in `ls %{_datadir}/authselect/default`; do
+ %{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
+ %__sed -i -e 's/{if "with-altfiles":\([^}]\+\)}/\1/g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+ done
+fi
+
+# If this is a new installation select the default configuration.
+if [ $1 == 1 ] ; then
+ %{_bindir}/authselect select %{default_profile} --force --nobackup &> /dev/null
+ exit 0
+fi
+
+# Minimal profile was removed. Switch to local during upgrade.
+%__sed -i '1 s/^minimal$/local/' %{_sysconfdir}/authselect/authselect.conf
+for file in %{_sysconfdir}/authselect/custom/*/*; do
+ link=`%{_bindir}/readlink "$file"`
+ if [[ "$link" == %{_datadir}/authselect/default/minimal/* ]]; then
+ target=`%{_bindir}/basename "$link"`
+ %{_bindir}/ln -sfn "%{_datadir}/authselect/default/local/$target" "$file"
+ fi
+done
+
+# Apply any changes to profiles (validates configuration first internally)
+%{_bindir}/authselect apply-changes &> /dev/null
+
+exit 0
+
+%changelog
+* Mon Jun 24 2024 Troy Dawson - 1.5.0-6
+- Bump release for June 2024 mass rebuild
+
+* Tue Feb 27 2024 Jonathan Lebon - 1.5.0-5
+- Fix altfiles rendering on OSTree variants
+
+* Fri Feb 23 2024 Pavel Březina - 1.5.0-4
+- Add back with-files-access-provider
+- Remove outdated scriptlets
+- Group merging added to nsswitch.conf group in all profiles
+- myhostname is put right before dns module in nsswitch.conf hosts (rhbz#2257197)
+- Internal packaging changes
+
+* Mon Jan 22 2024 Fedora Release Engineering - 1.5.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering - 1.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jan 18 2024 Pavel Březina - 1.5.0-1
+- Rebase to 1.5.0
+- "minimal" profile was removed and replaced with "local". (rhbz#2253180)
+- "local" profile is now default (rhbz#2253180)
+
+* Wed Sep 27 2023 Pavel Březina - 1.4.3-1
+- Rebase to 1.4.3
+
+* Wed Jul 19 2023 Fedora Release Engineering - 1.4.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jan 18 2023 Fedora Release Engineering - 1.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Dec 5 2022 Pavel Březina - 1.4.2-1
+- Rebase to 1.4.2
+
+* Thu Dec 1 2022 Pavel Březina - 1.4.1-1
+- Rebase to 1.4.1
+
+* Wed Jul 20 2022 Fedora Release Engineering - 1.4.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Fri Jul 8 2022 Pavel Březina - 1.4.0-2
+- Fix issues with popt-1.19
+
+* Thu May 5 2022 Pavel Březina - 1.4.0-1
+- Rebase to 1.3.0
+
+* Thu Feb 10 2022 Pavel Březina - 1.3.0-10
+- Fix mdns support (#2052269)
+
+* Thu Feb 3 2022 Pavel Březina - 1.3.0-9
+- Make authselect compatible with ostree (#2034360)
+- Authselect now requires explicit opt-out if users don't want to use it (#2051545)
+
+* Wed Jan 19 2022 Fedora Release Engineering - 1.3.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Jan 13 2022 Pavel Březina - 1.3.0-7
+- Remove unnecessary dependencies (#2039869)
+
+* Thu Jan 13 2022 Pavel Březina - 1.3.0-6
+- Fix detection of ostree system (#2034360)
+
+* Tue Dec 28 2021 Frantisek Zatloukal - 1.3.0-5
+- Try to use io.open() in pre scriptlet instead of rpm.open() (rpm >= 4.17.0)
+
+* Tue Dec 21 2021 Frantisek Zatloukal - 1.3.0-4
+- Use lua for pre scriptlets to reduce dependencies
+
+* Fri Dec 10 2021 Pavel Březina - 1.3.0-3
+- Update conflicting versions of glibc and pam
+
+* Mon Dec 6 2021 Pavel Březina - 1.3.0-1
+- Rebase to 1.3.0
+- Authselect configuration is now enforced (#2000936)
+
+* Sat Aug 14 2021 Björn Esser - 1.2.4-2
+- Add proper Obsoletes for removed authselect-compat package
+ Fixes: rhbz#1993189
+
+* Mon Aug 9 2021 Pavel Březina - 1.2.4-1
+- Rebase to 1.2.4
+
+* Wed Jul 21 2021 Fedora Release Engineering - 1.2.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Jun 21 2021 Björn Esser - 1.2.3-3
+- Backport support for yescrypt hash method
+
+* Fri Jun 04 2021 Python Maint - 1.2.3-2
+- Rebuilt for Python 3.10
+
+* Wed Mar 31 2021 Pavel Březina - 1.2.3-1
+- Rebase to 1.2.3
+
+* Tue Mar 09 2021 Benjamin Berg - 1.2.2-4
+- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
+ Resolves: #1935331
+
+* Thu Mar 4 2021 Pavel Březina - 1.2.2-3
+- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Nov 25 2020 Pavel Březina - 1.2.2-1
+- Rebase to 1.2.2
+- Add nss-altfiles to profiles on Fedora Silverblue
+
+* Mon Jul 27 2020 Fedora Release Engineering - 1.2.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Pavel Březina - 1.2.1-3
+- Add resolved by default to nis and minimal profiles
+- Fix parsing of multiple conditionals on the same line
+
+* Tue May 26 2020 Miro Hrončok - 1.2.1-2
+- Rebuilt for Python 3.9
+
+* Mon May 11 2020 Pavel Březina - 1.2.1-1
+- Rebase to 1.2.1
+
+* Wed Mar 4 2020 Pavel Březina - 1.2-1
+- Rebase to 1.2
+
+* Mon Feb 17 2020 Pavel Březina - 1.1-7
+- fix restoring non-authselect configuration from backup
+
+* Wed Jan 29 2020 Pavel Březina - 1.1-6
+- cli: fix auto backup when --force is set
+
+* Tue Jan 28 2020 Fedora Release Engineering - 1.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Oct 03 2019 Miro Hrončok - 1.1-4
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok - 1.1-3
+- Rebuilt for Python 3.8
+
+* Wed Jul 24 2019 Fedora Release Engineering - 1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jun 13 2019 Pavel Březina - 1.1-1
+- Rebase to 1.1
+
+* Tue Feb 26
2019 Pavel Březina - 1.0.3-1 +- Rebase to 1.0.3 + +* Tue Feb 26 2019 Igor Gnatenko - 1.0.2-4 +- Use %ghost for files owned by authselect + +* Thu Jan 31 2019 Fedora Release Engineering - 1.0.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Dec 3 2018 Pavel Březina - 1.0.2-2 +- Resolves rhbz#1655025 (invalid backup). + +* Fri Nov 23 2018 Pavel Březina - 1.0.2-1 +- Rebase to 1.0.2 + +* Thu Sep 27 2018 Pavel Březina - 1.0.1-2 +- Require systemd instead of systemctl + +* Thu Sep 27 2018 Pavel Březina - 1.0.1-1 +- Rebase to 1.0.1 + +* Fri Sep 14 2018 Pavel Březina - 1.0-3 +- Scriptlets should no produce any error messages (RHBZ #1622272) +- Provide fix for pwquality configuration (RHBZ #1618865) + +* Thu Aug 30 2018 Adam Williamson - 1.0-2 +- Backport PR #78 to fix broken pwquality config (RHBZ #1618865) + +* Mon Aug 13 2018 Pavel Březina - 1.0-1 +- Rebase to 1.0 + +* Thu Jul 12 2018 Fedora Release Engineering - 0.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro Hrončok - 0.4-4 +- Rebuilt for Python 3.7 + +* Mon May 14 2018 Pavel Březina - 0.4-3 +- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403) + +* Wed Apr 25 2018 Christian Heimes - 0.4-2 +- Don't disable oddjobd.service (RHBZ #1571844) + +* Mon Apr 9 2018 Pavel Březina - 0.4-1 +- rebasing to 0.4 + +* Tue Mar 6 2018 Pavel Březina - 0.3.2-1 +- rebasing to 0.3.2 +- authselect-compat now only suggests packages, not recommends + +* Mon Mar 5 2018 Pavel Březina - 0.3.1-1 +- rebasing to 0.3.1 + +* Tue Feb 20 2018 Igor Gnatenko - 0.3-3 +- Provide authconfig + +* Tue Feb 20 2018 Igor Gnatenko - 0.3-2 +- Properly own all appropriate directories +- Remove unneeded %%defattr +- Remove deprecated Group tag +- Make Obsoletes versioned +- Remove unneeded ldconfig scriptlets + +* Tue Feb 20 2018 Pavel Březina - 0.3-1 +- rebasing to 0.3 +* Wed Feb 07 2018 Fedora Release Engineering - 0.2-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild +* Wed Jan 10 2018 Pavel Březina - 0.2-2 +- fix rpmlint errors +* Wed Jan 10 2018 Pavel Březina - 0.2-1 +- rebasing to 0.2 +* Mon Jul 31 2017 Jakub Hrozek - 0.1-1 +- initial packaging