commit
e46a0761f7
@ -0,0 +1 @@
|
||||
bc93feb781e01b2101e06e413f65924d4f633d0a SOURCES/authselect-1.5.0.tar.gz
|
@ -0,0 +1 @@
|
||||
SOURCES/authselect-1.5.0.tar.gz
|
@ -0,0 +1,101 @@
|
||||
From adb36ae3633e2dfaa9c21bb45d05551f1ea3d749 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 21 Feb 2024 14:27:49 +0100
|
||||
Subject: [PATCH 01/11] sssd: reintroduce with-files-access-provider
|
||||
|
||||
This is still needed to support .k5login file with proxy domain. For
|
||||
example:
|
||||
|
||||
```
|
||||
[domain/proxy]
|
||||
id_provider = proxy
|
||||
proxy_lib_name = files
|
||||
access_provider = krb5
|
||||
auth_provider = krb5
|
||||
krb5_server = kdc.test
|
||||
krb5_realm = TEST
|
||||
```
|
||||
---
|
||||
profiles/sssd/README | 10 ++++++++++
|
||||
profiles/sssd/fingerprint-auth | 2 +-
|
||||
profiles/sssd/password-auth | 2 +-
|
||||
profiles/sssd/smartcard-auth | 2 +-
|
||||
profiles/sssd/system-auth | 2 +-
|
||||
5 files changed, 14 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/profiles/sssd/README b/profiles/sssd/README
|
||||
index 770891a338754b53ee48ba34d9d80c2f2f31cdb6..f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d 100644
|
||||
--- a/profiles/sssd/README
|
||||
+++ b/profiles/sssd/README
|
||||
@@ -89,6 +89,16 @@ with-mdns4::
|
||||
with-mdns6::
|
||||
Enable multicast DNS over IPv6.
|
||||
|
||||
+with-files-access-provider:: If set, account management for local users is
|
||||
+ handled also by pam_sss. This can be used to support SSSD's proxy domain
|
||||
+ that is configured to serve users from local files but provide
|
||||
+ authentication and access management (.k5login file) via Kerberos.
|
||||
+
|
||||
+ *WARNING:* SSSD access check will become mandatory for local users and
|
||||
+ if SSSD is stopped then local users will not be able to log in. Only
|
||||
+ system accounts (as defined by pam_usertype, including root) will be
|
||||
+ able to log in.
|
||||
+
|
||||
with-gssapi::
|
||||
If set, pam_sss_gss module is enabled to perform user authentication over
|
||||
GSSAPI.
|
||||
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
|
||||
index 94232086a60f56976bd5182f5d10da9c63ec22b6..20ad3613e66ec85c7d2462d0449854e522383b3a 100644
|
||||
--- a/profiles/sssd/fingerprint-auth
|
||||
+++ b/profiles/sssd/fingerprint-auth
|
||||
@@ -11,7 +11,7 @@ auth required pam_deny.so
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so
|
||||
-account sufficient pam_localuser.so
|
||||
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
|
||||
index 05487ca293138a1154cb6820dbc9a53770904670..97c33b678706e7eeb86bf45251baa41739f2940f 100644
|
||||
--- a/profiles/sssd/password-auth
|
||||
+++ b/profiles/sssd/password-auth
|
||||
@@ -18,7 +18,7 @@ account required pam_access.so
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so
|
||||
-account sufficient pam_localuser.so
|
||||
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
|
||||
index 540556ce89b727a226bec4d3322a1775ef350253..78cb329bf332f4d629740a0fff7d2dfe43f7d78d 100644
|
||||
--- a/profiles/sssd/smartcard-auth
|
||||
+++ b/profiles/sssd/smartcard-auth
|
||||
@@ -11,7 +11,7 @@ auth required pam_deny.so
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so
|
||||
-account sufficient pam_localuser.so
|
||||
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
|
||||
index 83f9214fdd0a97ec49a8df52a2e202e034cbc0c6..90c3504a414f0a151475cc207285b230fec381b1 100644
|
||||
--- a/profiles/sssd/system-auth
|
||||
+++ b/profiles/sssd/system-auth
|
||||
@@ -25,7 +25,7 @@ account required pam_access.so
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so
|
||||
-account sufficient pam_localuser.so
|
||||
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
--
|
||||
2.42.0
|
||||
|
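Review bot: The README warning added for `with-files-access-provider` calls the SSSD access check mandatory for local users, but the unchanged `account [default=bad success=ok user_unknown=ignore] pam_sss.so` line just below the edited `pam_localuser.so` line still ignores `user_unknown`. A local user that no SSSD domain serves therefore presumably falls through to `pam_permit.so` while SSSD is running and is denied only when SSSD is unreachable. The same one-line change is repeated in fingerprint-auth, password-auth, smartcard-auth and system-auth, so this applies to all four account stacks. I would spell it out in the README, for example `Local users not served by any SSSD domain are still admitted while SSSD is running; they are denied only when SSSD cannot be reached.`, and add `Keep root or another system account available for recovery before enabling this feature.` The PAM stacks continue outside the hunks shown, so this reading covers only the visible account lines.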
@ -0,0 +1,217 @@
|
||||
From d498f7aa562cf41e0999f7733664c27fa62bcf7c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 11:54:44 +0100
|
||||
Subject: [PATCH 02/11] spec: modify specfile for Fedora 40 and RHEL 10 as
|
||||
minimal version
|
||||
|
||||
- conditionals that are no longer used are removed
|
||||
- upgrade path is removed
|
||||
- this was already triggered in Fedora 38, so it is no longer useful
|
||||
- RHEL is updated to authselect with leapp when going from 7 to 8
|
||||
we don't want to touch existing configurations
|
||||
---
|
||||
rpm/authselect.spec.in | 102 ++---------------------------------------
|
||||
1 file changed, 3 insertions(+), 99 deletions(-)
|
||||
|
||||
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
|
||||
index 24ce4e603208ce26eb228bbee565c868428a2af1..e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1 100644
|
||||
--- a/rpm/authselect.spec.in
|
||||
+++ b/rpm/authselect.spec.in
|
||||
@@ -12,20 +12,6 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
|
||||
|
||||
%global makedir %{_builddir}/%{name}-%{version}
|
||||
|
||||
-%if 0%{?fedora} >= 35 || 0%{?rhel} >= 10
|
||||
-%global with_compat 0
|
||||
-%else
|
||||
-%global with_compat 1
|
||||
-%endif
|
||||
-
|
||||
-%if 0%{?fedora} >= 36 || 0%{?rhel} >= 10
|
||||
-%global with_user_nsswitch 0
|
||||
-%global enforce_authselect 1
|
||||
-%else
|
||||
-%global with_user_nsswitch 1
|
||||
-%global enforce_authselect 0
|
||||
-%endif
|
||||
-
|
||||
# Set the default profile
|
||||
%{?fedora:%global default_profile local with-silent-lastlog}
|
||||
%{?rhel:%global default_profile local}
|
||||
@@ -43,21 +29,14 @@ BuildRequires: po4a
|
||||
BuildRequires: %{_bindir}/a2x
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: libselinux-devel
|
||||
-%if %{with_compat}
|
||||
-BuildRequires: python3-devel
|
||||
-%endif
|
||||
Requires: authselect-libs%{?_isa} = %{version}-%{release}
|
||||
Suggests: sssd
|
||||
Suggests: samba-winbind
|
||||
Suggests: fprintd-pam
|
||||
Suggests: oddjob-mkhomedir
|
||||
|
||||
-%if !%{with_compat}
|
||||
# Properly obsolete removed authselect-compat package.
|
||||
-Obsoletes: authselect-compat < 1.2.4
|
||||
-# Inherited from former authselect-compat package.
|
||||
-Obsoletes: authconfig < 7.0.1-6
|
||||
-%endif
|
||||
+Obsoletes: authselect-compat < 1.3
|
||||
|
||||
%description
|
||||
Authselect is designed to be a replacement for authconfig but it takes
|
||||
@@ -74,14 +53,6 @@ Summary: Utility library used by the authselect tool
|
||||
Requires: coreutils
|
||||
Requires: sed
|
||||
Suggests: systemd
|
||||
-%if %{enforce_authselect}
|
||||
-# authselect now owns nsswitch.conf (glibc) and pam files
|
||||
-Conflicts: pam < 1.5.2-8
|
||||
-Conflicts: glibc < 2.34.9000-27
|
||||
-# systemd, nss-mdns no longer contains nsswitch.conf scriptlets
|
||||
-Conflicts: systemd < 249.7-4
|
||||
-Conflicts: nss-mdns < 0.15.1-3
|
||||
-%endif
|
||||
|
||||
%description libs
|
||||
Common library files for authselect. This package is used by the authselect
|
||||
@@ -95,25 +66,6 @@ Requires: authselect-libs%{?_isa} = %{version}-%{release}
|
||||
System header files and development libraries for authselect. Useful if
|
||||
you develop a front-end for the authselect library.
|
||||
|
||||
-%if %{with_compat}
|
||||
-%package compat
|
||||
-Summary: Tool to provide minimum backwards compatibility with authconfig
|
||||
-Obsoletes: authconfig < 7.0.1-6
|
||||
-Provides: authconfig
|
||||
-Requires: authselect%{?_isa} = %{version}-%{release}
|
||||
-Recommends: oddjob-mkhomedir
|
||||
-Suggests: sssd
|
||||
-Suggests: realmd
|
||||
-Suggests: samba-winbind
|
||||
-
|
||||
-%description compat
|
||||
-This package will replace %{_sbindir}/authconfig with a tool that will
|
||||
-translate some of the authconfig calls into authselect calls. It provides
|
||||
-only minimum backward compatibility and users are encouraged to migrate
|
||||
-to authselect completely.
|
||||
-%endif
|
||||
-
|
||||
-
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
@@ -123,16 +75,7 @@ done
|
||||
|
||||
%build
|
||||
autoreconf -if
|
||||
-%configure \
|
||||
-%if %{with_compat}
|
||||
- --with-pythonbin="%{__python3}" \
|
||||
- --with-compat \
|
||||
-%endif
|
||||
-%if %{with_user_nsswitch}
|
||||
- --with-user-nsswitch \
|
||||
-%endif
|
||||
- %{nil}
|
||||
-
|
||||
+%configure
|
||||
%make_build
|
||||
|
||||
%check
|
||||
@@ -168,20 +111,14 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
|
||||
-%if %{enforce_authselect}
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
|
||||
-%endif
|
||||
%dir %{_localstatedir}/lib/authselect
|
||||
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
|
||||
-%if %{with_user_nsswitch}
|
||||
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
|
||||
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
|
||||
-%endif
|
||||
%dir %{_datadir}/authselect
|
||||
%dir %{_datadir}/authselect/vendor
|
||||
%dir %{_datadir}/authselect/default
|
||||
@@ -241,12 +178,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
|
||||
%{_libdir}/libauthselect.so
|
||||
%{_libdir}/pkgconfig/authselect.pc
|
||||
|
||||
-%if %{with_compat}
|
||||
-%files compat
|
||||
-%{_sbindir}/authconfig
|
||||
-%{python3_sitelib}/authselect/
|
||||
-%endif
|
||||
-
|
||||
%files -f %{name}.8.lang -f %{name}-migration.7.lang
|
||||
%{_bindir}/authselect
|
||||
%{_mandir}/man8/authselect.8*
|
||||
@@ -265,47 +196,21 @@ if [ $1 == 0 ] ; then
|
||||
fi
|
||||
|
||||
%pre libs
|
||||
-%if %{enforce_authselect}
|
||||
# Check if this is a new installation.
|
||||
%__rm -f %{forcefile}
|
||||
if [ $1 -eq 1 ] ; then
|
||||
touch %{forcefile}
|
||||
fi
|
||||
-
|
||||
-# Check if we are upgrading from older version then authselect-1.3.0
|
||||
-# The version command is not available on earlier versions
|
||||
-if [ $1 -gt 1 ] ; then
|
||||
- %{_bindir}/authselect check &> /dev/null
|
||||
- if [ $? -ne 0 ]; then
|
||||
- %{_bindir}/authselect version &> /dev/null
|
||||
- if [ $? -ne 0 ]; then
|
||||
- touch %{forcefile}
|
||||
- fi
|
||||
- fi
|
||||
-fi
|
||||
-%endif
|
||||
-
|
||||
exit 0
|
||||
|
||||
%posttrans libs
|
||||
-# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
|
||||
-%if %{with_user_nsswitch}
|
||||
-if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
|
||||
- %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
|
||||
- touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
|
||||
-fi
|
||||
-%endif
|
||||
|
||||
# Keep nss-altfiles for all rpm-ostree based systems.
|
||||
# See https://github.com/authselect/authselect/issues/48
|
||||
if test -e /run/ostree-booted; then
|
||||
for PROFILE in `ls %{_datadir}/authselect/default`; do
|
||||
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
|
||||
-%if %{with_user_nsswitch}
|
||||
- %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
|
||||
-%else
|
||||
%__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
|
||||
-%endif
|
||||
done
|
||||
fi
|
||||
|
||||
@@ -314,8 +219,7 @@ if [ $? -eq 6 ]; then
|
||||
NOBACKUP="--nobackup"
|
||||
fi
|
||||
|
||||
-# If we are upgrading from pre authselect-1.3.0 or this is a new installation
|
||||
-# select the default configuration.
|
||||
+# If this is a new installation select the default configuration.
|
||||
if [ -f %{forcefile} ]; then
|
||||
%{_bindir}/authselect select %{default_profile} --force $NOBACKUP &> /dev/null
|
||||
%__rm -f %{forcefile}
|
||||
--
|
||||
2.42.0
|
||||
|
@ -0,0 +1,177 @@
|
||||
From 9321126e20898b23c19e168177d8a383a750fefb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 12:51:37 +0100
|
||||
Subject: [PATCH 04/11] nis: install nis profile conditionally
|
||||
|
||||
NIS profile is installed only if --with-nis-profile configure flag is
|
||||
given.
|
||||
---
|
||||
profiles/Makefile.am | 2 ++
|
||||
rpm/authselect.spec.in | 37 +++++++++++++++++++----------
|
||||
scripts/manpages-build.sh.in | 1 +
|
||||
src/conf_macros.m4 | 10 ++++++++
|
||||
src/man/authselect-migration.7.adoc | 7 ++++++
|
||||
5 files changed, 45 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
|
||||
index bc437c158f6922afdba4ab261c73f31c93846118..61728cab77022ddc0bb35a3649a38123dc4987cf 100644
|
||||
--- a/profiles/Makefile.am
|
||||
+++ b/profiles/Makefile.am
|
||||
@@ -15,6 +15,7 @@ dist_profile_local_DATA = \
|
||||
$(top_srcdir)/profiles/local/dconf-locks \
|
||||
$(NULL)
|
||||
|
||||
+if WITH_NIS_PROFILE
|
||||
profile_nisdir = $(authselect_profile_dir)/nis
|
||||
dist_profile_nis_DATA = \
|
||||
$(top_srcdir)/profiles/nis/nsswitch.conf \
|
||||
@@ -28,6 +29,7 @@ dist_profile_nis_DATA = \
|
||||
$(top_srcdir)/profiles/nis/dconf-db \
|
||||
$(top_srcdir)/profiles/nis/dconf-locks \
|
||||
$(NULL)
|
||||
+endif
|
||||
|
||||
profile_sssddir = $(authselect_profile_dir)/sssd
|
||||
dist_profile_sssd_DATA = \
|
||||
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
|
||||
index e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1..350ca953632f21be861c1ee75f25f71d107ca1ee 100644
|
||||
--- a/rpm/authselect.spec.in
|
||||
+++ b/rpm/authselect.spec.in
|
||||
@@ -12,6 +12,13 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
|
||||
|
||||
%global makedir %{_builddir}/%{name}-%{version}
|
||||
|
||||
+# Disable NIS profile on RHEL
|
||||
+%if 0%{?rhel}
|
||||
+%global with_nis_profile 0
|
||||
+%else
|
||||
+%global with_nis_profile 1
|
||||
+%endif
|
||||
+
|
||||
# Set the default profile
|
||||
%{?fedora:%global default_profile local with-silent-lastlog}
|
||||
%{?rhel:%global default_profile local}
|
||||
@@ -75,7 +82,11 @@ done
|
||||
|
||||
%build
|
||||
autoreconf -if
|
||||
-%configure
|
||||
+%configure \
|
||||
+%if %{with_nis_profile}
|
||||
+ --with-nis-profile \
|
||||
+%endif
|
||||
+ %{nil}
|
||||
%make_build
|
||||
|
||||
%check
|
||||
@@ -123,7 +134,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
|
||||
%dir %{_datadir}/authselect/vendor
|
||||
%dir %{_datadir}/authselect/default
|
||||
%dir %{_datadir}/authselect/default/local/
|
||||
-%dir %{_datadir}/authselect/default/nis/
|
||||
%dir %{_datadir}/authselect/default/sssd/
|
||||
%dir %{_datadir}/authselect/default/winbind/
|
||||
%{_datadir}/authselect/default/local/dconf-db
|
||||
@@ -136,16 +146,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
|
||||
%{_datadir}/authselect/default/local/REQUIREMENTS
|
||||
%{_datadir}/authselect/default/local/smartcard-auth
|
||||
%{_datadir}/authselect/default/local/system-auth
|
||||
-%{_datadir}/authselect/default/nis/dconf-db
|
||||
-%{_datadir}/authselect/default/nis/dconf-locks
|
||||
-%{_datadir}/authselect/default/nis/fingerprint-auth
|
||||
-%{_datadir}/authselect/default/nis/nsswitch.conf
|
||||
-%{_datadir}/authselect/default/nis/password-auth
|
||||
-%{_datadir}/authselect/default/nis/postlogin
|
||||
-%{_datadir}/authselect/default/nis/README
|
||||
-%{_datadir}/authselect/default/nis/REQUIREMENTS
|
||||
-%{_datadir}/authselect/default/nis/smartcard-auth
|
||||
-%{_datadir}/authselect/default/nis/system-auth
|
||||
%{_datadir}/authselect/default/sssd/dconf-db
|
||||
%{_datadir}/authselect/default/sssd/dconf-locks
|
||||
%{_datadir}/authselect/default/sssd/fingerprint-auth
|
||||
@@ -166,6 +166,19 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
|
||||
%{_datadir}/authselect/default/winbind/REQUIREMENTS
|
||||
%{_datadir}/authselect/default/winbind/smartcard-auth
|
||||
%{_datadir}/authselect/default/winbind/system-auth
|
||||
+%if %{with_nis_profile}
|
||||
+%dir %{_datadir}/authselect/default/nis/
|
||||
+%{_datadir}/authselect/default/nis/dconf-db
|
||||
+%{_datadir}/authselect/default/nis/dconf-locks
|
||||
+%{_datadir}/authselect/default/nis/fingerprint-auth
|
||||
+%{_datadir}/authselect/default/nis/nsswitch.conf
|
||||
+%{_datadir}/authselect/default/nis/password-auth
|
||||
+%{_datadir}/authselect/default/nis/postlogin
|
||||
+%{_datadir}/authselect/default/nis/README
|
||||
+%{_datadir}/authselect/default/nis/REQUIREMENTS
|
||||
+%{_datadir}/authselect/default/nis/smartcard-auth
|
||||
+%{_datadir}/authselect/default/nis/system-auth
|
||||
+%endif
|
||||
%{_libdir}/libauthselect.so.*
|
||||
%{_mandir}/man5/authselect-profiles.5*
|
||||
%{_datadir}/doc/authselect/COPYING
|
||||
diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
|
||||
index 314bb2b2a0e4432632478230ab5ff5b3dce2943f..9e553f755a64717f854f3aba33c62140130ce18f 100755
|
||||
--- a/scripts/manpages-build.sh.in
|
||||
+++ b/scripts/manpages-build.sh.in
|
||||
@@ -233,6 +233,7 @@ ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
|
||||
ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
|
||||
ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
|
||||
ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
|
||||
+ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
|
||||
|
||||
manpages-translate
|
||||
|
||||
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
|
||||
index 17c1629723066b0c4e354051366ce209428af6c1..9a81a6e194d16ecc0408e8631530cf7048fd9241 100644
|
||||
--- a/src/conf_macros.m4
|
||||
+++ b/src/conf_macros.m4
|
||||
@@ -99,3 +99,13 @@ if test x"$with_user_nsswitch" = xyes; then
|
||||
AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
|
||||
AC_SUBST(BUILD_USER_NSSWITCH, 1)
|
||||
fi
|
||||
+
|
||||
+AC_ARG_WITH([nis-profile],
|
||||
+ [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
|
||||
+ [], with_nis_profile=no
|
||||
+)
|
||||
+AM_CONDITIONAL([WITH_NIS_PROFILE], [test x$with_nis_profile = xyes])
|
||||
+AC_SUBST(WITH_NIS_PROFILE, 0)
|
||||
+if test x"$with_nis_profile" = xyes; then
|
||||
+ AC_SUBST(WITH_NIS_PROFILE, 1)
|
||||
+fi
|
||||
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
|
||||
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..8cc58e60301925974fdb738c5b9a746749981df8 100644
|
||||
--- a/src/man/authselect-migration.7.adoc
|
||||
+++ b/src/man/authselect-migration.7.adoc
|
||||
@@ -72,7 +72,12 @@ configuration file for required services.
|
||||
|--enablesssd --enablesssdauth |sssd
|
||||
|--enablekrb5 |sssd
|
||||
|--enablewinbind --enablewinbindauth |winbind
|
||||
+ifeval::[{WITH_NIS_PROFILE} == 1]
|
||||
|--enablenis |nis
|
||||
+endif::[]
|
||||
+ifeval::[{WITH_NIS_PROFILE} != 1]
|
||||
+|--enablenis |none
|
||||
+endif::[]
|
||||
|=========================================================
|
||||
|
||||
.Relation of authconfig options to authselect profile features
|
||||
@@ -199,6 +204,7 @@ will perform an initial setup which involves creating a Kerberos keytab and
|
||||
running `adcli` to join the domain. It also makes changes to `smb.conf`. You
|
||||
can then tune it up by modifying {sysconfdir}/samba/smb.conf.
|
||||
|
||||
+ifeval::[{WITH_NIS_PROFILE} == 1]
|
||||
NIS
|
||||
~~~
|
||||
There are several places that needs to be configured in order to make
|
||||
@@ -227,6 +233,7 @@ $ domainname mydomain
|
||||
$ setsebool -P allow_ypbind 1
|
||||
----
|
||||
|
||||
+endif::[]
|
||||
PASSWORD QUALITY
|
||||
~~~~~~~~~~~~~~~~
|
||||
Authselect enables `pam_pwquality` module to enforce password quality
|
||||
--
|
||||
2.42.0
|
||||
|
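Review bot: With `%global with_nis_profile 0` on RHEL the `%{_datadir}/authselect/default/nis/` entries drop out of `%files`, and none of the visible spec hunks handles a host that still has the `nis` profile selected when it receives such a build; the profile directory would be removed underneath the active configuration. If that upgrade path can occur, a comment next to the new conditional would help, e.g. `# Hosts using the nis profile must select another profile before updating to a build without it.`, and the migration man page could say why `--enablenis` maps to `none`. In `src/conf_macros.m4` the new `AM_CONDITIONAL` tests `x$with_nis_profile` unquoted, while the `if test x"$with_nis_profile" = xyes` two lines later quotes it; using the quoted form in both keeps the test well-formed for any `--with-nis-profile=VALUE`. The spec scriptlets are outside these hunks, so the first point is inferred from the file list alone.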
@ -0,0 +1,349 @@
|
||||
From 923fd37712eae8d99d514708e35894b6ea056628 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 13:24:25 +0100
|
||||
Subject: [PATCH 05/11] configure: drop user-nsswitch.conf support
|
||||
|
||||
user-nsswitch.conf support is now completely dropped, it can no
|
||||
longer be enabled via configure flag
|
||||
---
|
||||
scripts/manpages-build.sh.in | 1 -
|
||||
src/cli/main.c | 9 --
|
||||
src/conf_macros.m4 | 10 --
|
||||
src/lib/files/nsswitch.c | 156 -----------------------------
|
||||
src/lib/paths.h | 3 -
|
||||
src/man/authselect-profiles.5.adoc | 7 --
|
||||
src/man/authselect.8.adoc | 61 -----------
|
||||
7 files changed, 247 deletions(-)
|
||||
|
||||
diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
|
||||
index 9e553f755a64717f854f3aba33c62140130ce18f..f4ac71e3a22723a52101bb9cbbadd79740515070 100755
|
||||
--- a/scripts/manpages-build.sh.in
|
||||
+++ b/scripts/manpages-build.sh.in
|
||||
@@ -232,7 +232,6 @@ ATTR+=" -a AUTHSELECT_PAM_DIR=\"@AUTHSELECT_PAM_DIR@\""
|
||||
ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
|
||||
ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
|
||||
ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
|
||||
-ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
|
||||
ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
|
||||
|
||||
manpages-translate
|
||||
diff --git a/src/cli/main.c b/src/cli/main.c
|
||||
index 18486b50bc42f9937cc7294c3e5e2b32cafab5e0..fe06a5d8ababa58209690a97e84ae254b859cdc6 100644
|
||||
--- a/src/cli/main.c
|
||||
+++ b/src/cli/main.c
|
||||
@@ -186,15 +186,6 @@ static errno_t activate(struct cli_cmdline *cmdline)
|
||||
goto done;
|
||||
}
|
||||
|
||||
-#ifdef BUILD_USER_NSSWITCH
|
||||
- maps = authselect_profile_nsswitch_maps(profile, features);
|
||||
- if (maps == NULL) {
|
||||
- ERROR("Unable to obtain nsswitch maps!");
|
||||
- ret = EFAULT;
|
||||
- goto done;
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
if (backup || backup_name != NULL || (enforce && !nobackup)) {
|
||||
ret = perform_backup(quiet, 1, backup_name);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
|
||||
index 9a81a6e194d16ecc0408e8631530cf7048fd9241..ae8fa0274e038e98115d000717487dbdbc04df4c 100644
|
||||
--- a/src/conf_macros.m4
|
||||
+++ b/src/conf_macros.m4
|
||||
@@ -90,16 +90,6 @@ if test x"$with_compat" = xyes; then
|
||||
fi
|
||||
AM_CONDITIONAL([BUILD_COMPAT], [test x$with_compat = xyes])
|
||||
|
||||
-AC_ARG_WITH([user-nsswitch],
|
||||
- [AC_HELP_STRING([--with-user-nsswitch], [Build with user nsswitch support [no]])],
|
||||
- [], with_user_nsswitch=no
|
||||
-)
|
||||
-AC_SUBST(BUILD_USER_NSSWITCH, 0)
|
||||
-if test x"$with_user_nsswitch" = xyes; then
|
||||
- AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
|
||||
- AC_SUBST(BUILD_USER_NSSWITCH, 1)
|
||||
-fi
|
||||
-
|
||||
AC_ARG_WITH([nis-profile],
|
||||
[AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
|
||||
[], with_nis_profile=no
|
||||
diff --git a/src/lib/files/nsswitch.c b/src/lib/files/nsswitch.c
|
||||
index 9598ea5cc5d5e30678acd91354629a87fc727be9..0e35380a2603316483cd6bcfdc58742c25b6a2b1 100644
|
||||
--- a/src/lib/files/nsswitch.c
|
||||
+++ b/src/lib/files/nsswitch.c
|
||||
@@ -87,160 +87,6 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-#ifdef BUILD_USER_NSSWITCH
|
||||
-
|
||||
-static errno_t
|
||||
-authselect_nsswitch_delete_maps(char **maps,
|
||||
- char *content)
|
||||
-{
|
||||
- char *match_string;
|
||||
- const char *map_name;
|
||||
- size_t map_len;
|
||||
- size_t orig_len;
|
||||
- regmatch_t m[RE_NSS_MATCHES];
|
||||
- regex_t regex;
|
||||
- errno_t ret;
|
||||
- int reret;
|
||||
- int i;
|
||||
-
|
||||
- if (string_is_empty(content)) {
|
||||
- return EOK;
|
||||
- }
|
||||
-
|
||||
- orig_len = strlen(content);
|
||||
-
|
||||
- reret = regcomp(®ex, RE_NSS, REG_EXTENDED | REG_NEWLINE);
|
||||
- if (reret != REG_NOERROR) {
|
||||
- ERROR("Unable to compile regular expression: regex error %d", reret);
|
||||
- ret = EFAULT;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- match_string = content;
|
||||
- while ((reret = regexec(®ex, match_string, 2, m, 0)) == REG_NOERROR) {
|
||||
- map_name = match_string + m[1].rm_so;
|
||||
- map_len = m[1].rm_eo - m[1].rm_so;
|
||||
- for (i = 0; maps[i] != NULL; i++) {
|
||||
- if (strncmp(map_name, maps[i], map_len) == 0) {
|
||||
- string_remove_line(content, match_string, m[1].rm_so);
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- /* Since the whole line could have been removed, we have to find first
|
||||
- * non-zero position. */
|
||||
- match_string += m[0].rm_eo;
|
||||
- while (*match_string == '\0' && match_string - content < orig_len) {
|
||||
- match_string++;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (reret != REG_NOMATCH) {
|
||||
- ERROR("Unable to search string: regex error %d", reret);
|
||||
- ret = EFAULT;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- string_replace_shake(content, orig_len);
|
||||
-
|
||||
- ret = EOK;
|
||||
-
|
||||
-done:
|
||||
- regfree(®ex);
|
||||
-
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
-errno_t
|
||||
-authselect_nsswitch_generate(const char *template,
|
||||
- const char **features,
|
||||
- char **_content)
|
||||
-{
|
||||
- static const char *preambule = \
|
||||
- "# If you want to make changes to nsswitch.conf please modify\n"
|
||||
- "# " PATH_USER_NSSWITCH " and run 'authselect apply-changes'.\n"
|
||||
- "#\n"
|
||||
- "# Note that your changes may not be applied as they may be\n"
|
||||
- "# overwritten by selected profile. Maps set in the authselect\n"
|
||||
- "# profile takes always precedence and overwrites the same maps\n"
|
||||
- "# set in the user file. Only maps that are not set by the profile\n"
|
||||
- "# are applied from the user file.\n"
|
||||
- "#\n"
|
||||
- "# For example, if the profile sets:\n"
|
||||
- "# passwd: sss files\n"
|
||||
- "# and " PATH_USER_NSSWITCH " contains:\n"
|
||||
- "# passwd: files\n"
|
||||
- "# hosts: files dns\n"
|
||||
- "# the resulting generated nsswitch.conf will be:\n"
|
||||
- "# passwd: sss files # from profile\n"
|
||||
- "# hosts: files dns # from user file\n\n";
|
||||
- char *user_content = NULL;
|
||||
- char *generated = NULL;
|
||||
- char *content = NULL;
|
||||
- char **maps = NULL;
|
||||
- errno_t ret;
|
||||
-
|
||||
- generated = template_generate(template, features);
|
||||
- if (generated == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = textfile_read(PATH_USER_NSSWITCH, AUTHSELECT_FILE_SIZE_LIMIT,
|
||||
- &user_content);
|
||||
- switch (ret) {
|
||||
- case EOK:
|
||||
- ret = authselect_nsswitch_find_maps(generated, &maps);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = authselect_nsswitch_delete_maps(maps, user_content);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (string_is_empty(user_content)) {
|
||||
- content = format("%s%s", preambule, generated);
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
- content = format("%s%s\n# Included from %s\n\n%s",
|
||||
- preambule, generated, PATH_USER_NSSWITCH,
|
||||
- user_content);
|
||||
- break;
|
||||
- case ENOENT:
|
||||
- content = format("%s%s", preambule, generated);
|
||||
- break;
|
||||
- default:
|
||||
- ERROR("Unable to read [%s] [%d]: %s", PATH_USER_NSSWITCH,
|
||||
- ret, strerror(ret));
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (content == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- *_content = content;
|
||||
-
|
||||
- ret = EOK;
|
||||
-
|
||||
-done:
|
||||
- if (ret != EOK) {
|
||||
- ERROR("Unable to generate nsswitch.conf [%d]: %s", ret, strerror(ret));
|
||||
- }
|
||||
-
|
||||
- free(user_content);
|
||||
- free(generated);
|
||||
- string_array_free(maps);
|
||||
-
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
-#else /* BUILD_USER_NSSWITCH */
|
||||
-
|
||||
errno_t
|
||||
authselect_nsswitch_generate(const char *template,
|
||||
const char **features,
|
||||
@@ -257,5 +103,3 @@ authselect_nsswitch_generate(const char *template,
|
||||
|
||||
return EOK;
|
||||
}
|
||||
-
|
||||
-#endif /* BUILD_USER_NSSWITCH */
|
||||
diff --git a/src/lib/paths.h b/src/lib/paths.h
|
||||
index ca30b784f8bc63150f46ef08a26ec2bc5bcb3d67..41e4534b2efd421be8b9fea3b1fa9ebc3a699749 100644
|
||||
--- a/src/lib/paths.h
|
||||
+++ b/src/lib/paths.h
|
||||
@@ -53,9 +53,6 @@
|
||||
#define PATH_DCONF_DB AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_DB
|
||||
#define PATH_DCONF_LOCK AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_LOCK
|
||||
|
||||
-/* Path to files that can be modified by user. */
|
||||
-#define PATH_USER_NSSWITCH AUTHSELECT_CONFIG_DIR "/user-nsswitch.conf"
|
||||
-
|
||||
/* Names of symbolic links that points to generated files. */
|
||||
#define PATH_SYMLINK_SYSTEM AUTHSELECT_PAM_DIR "/" FILE_SYSTEM
|
||||
#define PATH_SYMLINK_PASSWORD AUTHSELECT_PAM_DIR "/" FILE_PASSWORD
|
||||
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
|
||||
index 76a48fa25a13a7052eeac662d7f5f1b11f1f9493..648b7980cfaabeb02913650a35dfffa8e17b0aaa 100644
|
||||
--- a/src/man/authselect-profiles.5.adoc
|
||||
+++ b/src/man/authselect-profiles.5.adoc
|
||||
@@ -53,14 +53,7 @@ done to the system.
|
||||
the modules in the system-auth configuration file._
|
||||
|
||||
*nsswitch.conf*::
|
||||
-ifeval::[{BUILD_USER_NSSWITCH} == 0]
|
||||
Name Service Switch configuration file.
|
||||
-endif::[]
|
||||
-ifeval::[{BUILD_USER_NSSWITCH} == 1]
|
||||
- Name Service Switch configuration file. Only maps relevant to the profile
|
||||
- must be set. Maps that are not specified by the profile are included from
|
||||
- {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf.
|
||||
-endif::[]
|
||||
|
||||
*dconf-db*::
|
||||
Changes to dconf database. The main uses case of this file is to set
|
||||
diff --git a/src/man/authselect.8.adoc b/src/man/authselect.8.adoc
|
||||
index 39758a6ca71e962ae942ce3608ac3bd0ffd3fabf..5d695cced0fbdc2cda78d61eb3f7b8d929cae692 100644
|
||||
--- a/src/man/authselect.8.adoc
|
||||
+++ b/src/man/authselect.8.adoc
|
||||
@@ -261,67 +261,6 @@ These options are available with all commands.
|
||||
the program execution but may indicate some undesired situations
|
||||
(e.g. unexpected file in a profile directory).
|
||||
|
||||
-ifeval::[{BUILD_USER_NSSWITCH} == 1]
|
||||
-NSSWITCH.CONF MANAGEMENT
|
||||
-------------------------
|
||||
-Authselect generates {AUTHSELECT_NSSWITCH_CONF} and does not allow any user
|
||||
-changes to this file. Such changes are detected and authselect will refuse to
|
||||
-write any system configuration unless a *--force* option is provided to
|
||||
-the *select* command. This mechanism prevents authselect from overwriting
|
||||
-anything that does not match any available profile.
|
||||
-
|
||||
-Any user changes to nsswitch maps must be done in file
|
||||
-{AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf. When authselect generates
|
||||
-new _nsswitch.conf_ it reads this file and combines it with configuration
|
||||
-from selected profile. The profile configuration takes always precedence.
|
||||
-In other words, profiles do not have to set all nsswitch maps but can set only
|
||||
-those that are relevant to the profile. If a map is set within a profile,
|
||||
-it always overwrites the same map from _user-nsswitch.conf_.
|
||||
-
|
||||
-.Example 1
|
||||
-[subs="attributes"]
|
||||
-----
|
||||
-# "sssd" profile
|
||||
-$ cat {AUTHSELECT_PROFILE_DIR}/sssd/nsswitch.conf
|
||||
-passwd: sss files systemd
|
||||
-group: sss files systemd
|
||||
-netgroup: sss files
|
||||
-automount: sss files
|
||||
-services: sss files
|
||||
-sudoers: files sss {include if "with-sudo"}
|
||||
-
|
||||
-$ cat {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf
|
||||
-passwd: files sss
|
||||
-group: files sss
|
||||
-hosts: files dns myhostname
|
||||
-sudoers: files
|
||||
-
|
||||
-$ authselect select sssd
|
||||
-
|
||||
-# passwd and group maps from user-nsswitch.conf are ignored
|
||||
-$ cat {AUTHSELECT_NSSWITCH_CONF}
|
||||
-passwd: sss files systemd
|
||||
-group: sss files systemd
|
||||
-netgroup: sss files
|
||||
-automount: sss files
|
||||
-services: sss files
|
||||
-hosts: files dns myhostname
|
||||
-sudoers: files
|
||||
-
|
||||
-$ authselect select sssd with-sudo
|
||||
-
|
||||
-# passwd, group and sudoers maps from user-nsswitch.conf are ignored
|
||||
-$ cat {AUTHSELECT_NSSWITCH_CONF}
|
||||
-passwd: sss files systemd
|
||||
-group: sss files systemd
|
||||
-netgroup: sss files
|
||||
-automount: sss files
|
||||
-services: sss files
|
||||
-sudoers: files sss
|
||||
-hosts: files dns myhostname
|
||||
-----
|
||||
-endif::[]
|
||||
-
|
||||
TROUBLESHOOTING
|
||||
---------------
|
||||
|
||||
--
|
||||
2.42.0
|
||||
|
@ -0,0 +1,46 @@
|
||||
From 23936036c5b6cd51843a7f964998f5345877fa8e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 13:34:31 +0100
|
||||
Subject: [PATCH 07/11] ci: remove python checks
|
||||
|
||||
With the compat tool gone, there is no other python script.
|
||||
---
|
||||
.github/workflows/analyze.yml | 18 +-----------------
|
||||
1 file changed, 1 insertion(+), 17 deletions(-)
|
||||
|
||||
diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml
|
||||
index 37682f068b586dc0e7ba34f1098f4009b88e7254..16b48b031519b81221de9248d65f076b2616b2f7 100644
|
||||
--- a/.github/workflows/analyze.yml
|
||||
+++ b/.github/workflows/analyze.yml
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v1
|
||||
with:
|
||||
- languages: cpp, python
|
||||
+ languages: cpp
|
||||
queries: +security-and-quality
|
||||
|
||||
- name: Autobuild
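Review bot: The CodeQL steps this patch keeps are still referenced by a mutable major tag, `github/codeql-action/init@v1` here and `github/codeql-action/analyze@v1` in the next hunk, so the code that runs in CI can change without any change in this repository. As far as I know the v1 line of that action has been retired upstream, so the remaining `cpp` analysis may not be running at all; that is worth confirming on a recent workflow run. I would pin both steps to a full commit of a supported release, e.g. `uses: github/codeql-action/init@<full-commit-sha>  # <release tag>`, and the same for `analyze`. The job's `permissions:` block is outside the hunk, so whether it is already restricted cannot be seen from here.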
|
||||
@@ -33,19 +33,3 @@ jobs:
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v1
|
||||
-
|
||||
- flake8:
|
||||
- runs-on: ubuntu-latest
|
||||
- permissions:
|
||||
- contents: read
|
||||
- steps:
|
||||
- - name: Checkout repository
|
||||
- uses: actions/checkout@v2
|
||||
-
|
||||
- - name: Install flake8
|
||||
- run: |
|
||||
- sudo apt update
|
||||
- sudo apt install -y flake8
|
||||
-
|
||||
- - name: Execute flake8 on the repository
|
||||
- run: flake8 --ignore=W503,E501 src/compat/authcompat.py.in.in .
|
||||
--
|
||||
2.42.0
|
||||
|
@ -0,0 +1,78 @@
|
||||
From 8d8adbd35c741d9038588386414ccbddb99bd31d Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Thu, 14 Dec 2023 14:16:11 +0100
|
||||
Subject: [PATCH 09/11] profiles: merge groups records with [SUCCESS=merge]
|
||||
|
||||
Services such as systemd-homed would like to advertise users which are
|
||||
part of system groups, such as "wheel". That only works if glibc's
|
||||
[SUCCESS=merge] feature is used in nsswitch.conf, so that group records
|
||||
from multiple sources are merged.
|
||||
|
||||
This is documented here:
|
||||
|
||||
https://www.freedesktop.org/software/systemd/man/latest/nss-systemd.html#Configuration%20in%20/etc/nsswitch.conf
|
||||
|
||||
This hence adds [SUCCESS=merge] expressions to all NSS modules listed in
|
||||
the "groups" lines.
|
||||
---
|
||||
profiles/local/nsswitch.conf | 2 +-
|
||||
profiles/nis/nsswitch.conf | 2 +-
|
||||
profiles/sssd/nsswitch.conf | 2 +-
|
||||
profiles/winbind/nsswitch.conf | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
|
||||
index c63692fc00c0815c5ba303ec5b48b6c9d7577df2..8582a955c8d03ea1d122a34cd273326d985bdcfb 100644
|
||||
--- a/profiles/local/nsswitch.conf
|
||||
+++ b/profiles/local/nsswitch.conf
|
||||
@@ -1,7 +1,7 @@
|
||||
# In order of likelihood of use to accelerate lookup.
|
||||
passwd: files {if "with-altfiles":altfiles }systemd
|
||||
shadow: files
|
||||
-group: files {if "with-altfiles":altfiles }systemd
|
||||
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
|
||||
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
|
||||
services: files
|
||||
netgroup: files
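Review bot: Adding `[SUCCESS=merge]` after `files` changes who can define membership of a local group: before, a hit in /etc/group ended the lookup, whereas now every later source on the `group:` line can add members to it. This matters most in the nis, sssd and winbind hunks below (`nis [SUCCESS=merge]`, `sss [SUCCESS=merge]`, `winbind [SUCCESS=merge]`), where, as I read the glibc merge semantics, a directory entry with the same name and GID as a local group such as `wheel` is merged into the local record. The commit message motivates the change for systemd-homed only, so I would state the wider effect in each profile, e.g. `# [SUCCESS=merge]: members from later sources are added to groups defined by earlier ones, including local privileged groups`. The first-line comment about ordering for lookup speed also no longer describes the `group:` line, since a successful lookup now continues to the remaining sources.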
|
||||
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
|
||||
index 685f92c326bc7767ee167a77b7ba782672bf801f..c033812facee9159c76e2d514ac652e4de2e0b6b 100644
|
||||
--- a/profiles/nis/nsswitch.conf
|
||||
+++ b/profiles/nis/nsswitch.conf
|
||||
@@ -1,7 +1,7 @@
|
||||
# In order of likelihood of use to accelerate lookup.
|
||||
passwd: files {if "with-altfiles":altfiles }nis systemd
|
||||
shadow: files nis
|
||||
-group: files {if "with-altfiles":altfiles }nis systemd
|
||||
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
|
||||
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
|
||||
services: files nis
|
||||
netgroup: files nis
|
||||
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
|
||||
index 58844a62c8f52f8f25477a811b02a5e401120f30..9f194bc82cee52d4e12779def95afa2f794f66bf 100644
|
||||
--- a/profiles/sssd/nsswitch.conf
|
||||
+++ b/profiles/sssd/nsswitch.conf
|
||||
@@ -1,7 +1,7 @@
|
||||
# In order of likelihood of use to accelerate lookup.
|
||||
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
|
||||
shadow: files
|
||||
-group: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
|
||||
+group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
|
||||
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
|
||||
services: files sss
|
||||
netgroup: files sss
|
||||
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
|
||||
index f0a97e42e084f94fddd329d4cb93d5b5d1da3360..1591ccb3ffa8bd10b8ff06a0620328e275d09241 100644
|
||||
--- a/profiles/winbind/nsswitch.conf
|
||||
+++ b/profiles/winbind/nsswitch.conf
|
||||
@@ -1,7 +1,7 @@
|
||||
# In order of likelihood of use to accelerate lookup.
|
||||
passwd: files {if "with-altfiles":altfiles }winbind systemd
|
||||
shadow: files
|
||||
-group: files {if "with-altfiles":altfiles }winbind systemd
|
||||
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
|
||||
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
|
||||
services: files
|
||||
netgroup: files
|
||||
--
|
||||
2.42.0
|
||||
|
@ -0,0 +1,26 @@
|
||||
From 565d8a76f1d6ec6c23cd38f7aa4812426e8cb460 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 14:18:00 +0100
|
||||
Subject: [PATCH 10/11] spec: use altfiles with success=merge on ostree systems
|
||||
as well
|
||||
|
||||
---
|
||||
rpm/authselect.spec.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
|
||||
index 350ca953632f21be861c1ee75f25f71d107ca1ee..39c4ca66058e0749e6d3aea6e7ff76a7a06c4ecc 100644
|
||||
--- a/rpm/authselect.spec.in
|
||||
+++ b/rpm/authselect.spec.in
|
||||
@@ -223,7 +223,7 @@ exit 0
|
||||
if test -e /run/ostree-booted; then
|
||||
for PROFILE in `ls %{_datadir}/authselect/default`; do
|
||||
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
|
||||
- %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
|
||||
+ %__sed -ie 's/{if "with-altfiles":altfiles \[SUCCESS=merge\] }/altfiles [SUCCESS=merge] /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
|
||||
done
|
||||
fi
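Review bot: The new expression matches only `{if "with-altfiles":altfiles [SUCCESS=merge] }`, which PATCH 09/11 puts on the `group:` line alone; the `passwd:` line still reads `{if "with-altfiles":altfiles }` in all four profiles, so on ostree systems it is no longer rewritten and altfiles stays conditional for passwd lookups. Unless that is intended, both forms need handling: `%__sed -i -e 's/{if "with-altfiles":altfiles }/altfiles /g' -e 's/{if "with-altfiles":altfiles \[SUCCESS=merge\] }/altfiles [SUCCESS=merge] /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf`. Writing `-i -e` instead of `-ie` also stops GNU sed from reading `e` as a backup suffix and leaving an `nsswitch.confe` copy in the vendor profile. sed exits successfully when nothing matches and the output goes to `/dev/null`, so this kind of pattern drift is silent; a `grep -q altfiles` check after the loop would catch it. The scriptlet this loop belongs to starts above the hunk.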
|
||||
|
||||
--
|
||||
2.42.0
|
||||
|
@ -0,0 +1,72 @@
|
||||
From 7b7889507928610b37b73641d28d5bbe3f763a4a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 17:22:45 +0100
|
||||
Subject: [PATCH 11/11] profiles: put myhostname before dns
|
||||
|
||||
To allow `hostname --fqdn` to work correctly. Putting myhostname early
|
||||
prevents lookup of canonical hostname if only shortname is provided.
|
||||
|
||||
myhostname has been moved back and forth several times, it looks
|
||||
like this place is now functional and works as expected.
|
||||
---
|
||||
profiles/local/nsswitch.conf | 2 +-
|
||||
profiles/nis/nsswitch.conf | 2 +-
|
||||
profiles/sssd/nsswitch.conf | 2 +-
|
||||
profiles/winbind/nsswitch.conf | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
|
||||
index 8582a955c8d03ea1d122a34cd273326d985bdcfb..538926e4d5cc8c190a7b2d10fd3756ad3269a720 100644
|
||||
--- a/profiles/local/nsswitch.conf
|
||||
+++ b/profiles/local/nsswitch.conf
|
||||
@@ -2,7 +2,7 @@
|
||||
passwd: files {if "with-altfiles":altfiles }systemd
|
||||
shadow: files
|
||||
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
|
||||
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
|
||||
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
|
||||
services: files
|
||||
netgroup: files
|
||||
automount: files
|
||||
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
|
||||
index c033812facee9159c76e2d514ac652e4de2e0b6b..488476e91879b549fe605008d500b1810360f3be 100644
|
||||
--- a/profiles/nis/nsswitch.conf
|
||||
+++ b/profiles/nis/nsswitch.conf
|
||||
@@ -2,7 +2,7 @@
|
||||
passwd: files {if "with-altfiles":altfiles }nis systemd
|
||||
shadow: files nis
|
||||
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
|
||||
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
|
||||
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
|
||||
services: files nis
|
||||
netgroup: files nis
|
||||
automount: files nis
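Review bot: In the nis profile the new order is `resolve [!UNAVAIL=return] nis myhostname dns`, so whenever systemd-resolved is unavailable the host's own name is looked up in the NIS hosts map before `myhostname` can answer it locally; in the other three profiles no network directory sits between `resolve` and `myhostname`. If that order is needed for `hostname --fqdn` at NIS sites, it deserves a comment above the `hosts:` line, e.g. `# myhostname follows resolve and nis on purpose so the canonical name is returned; the local answer is only a fallback`. The subject says "before dns" while the practical effect is "after resolve", which the description could state, given how often this entry has moved.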
|
||||
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
|
||||
index 9f194bc82cee52d4e12779def95afa2f794f66bf..b98094d9e0eaeb1559347b81a9505822ff713034 100644
|
||||
--- a/profiles/sssd/nsswitch.conf
|
||||
+++ b/profiles/sssd/nsswitch.conf
|
||||
@@ -2,7 +2,7 @@
|
||||
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
|
||||
shadow: files
|
||||
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
|
||||
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
|
||||
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
|
||||
services: files sss
|
||||
netgroup: files sss
|
||||
sudoers: files sss {include if "with-sudo"}
|
||||
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
|
||||
index 1591ccb3ffa8bd10b8ff06a0620328e275d09241..cc966b34464bb28776b903d61fff1f6a94a1eb6f 100644
|
||||
--- a/profiles/winbind/nsswitch.conf
|
||||
+++ b/profiles/winbind/nsswitch.conf
|
||||
@@ -2,7 +2,7 @@
|
||||
passwd: files {if "with-altfiles":altfiles }winbind systemd
|
||||
shadow: files
|
||||
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
|
||||
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
|
||||
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
|
||||
services: files
|
||||
netgroup: files
|
||||
automount: files
|
||||
--
|
||||
2.42.0
|
||||
|
@ -0,0 +1,376 @@
|
||||
From 054c83d1a40d5e0f98230d0f6ac34bd7ecdf383e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 15:49:09 +0100
|
||||
Subject: [PATCH 1/3] rhel10: remove systemd-homed
|
||||
|
||||
systemd-homed is not present in rhel.
|
||||
---
|
||||
profiles/local/README | 3 ---
|
||||
profiles/local/password-auth | 4 ----
|
||||
profiles/local/system-auth | 4 ----
|
||||
profiles/nis/README | 3 ---
|
||||
profiles/nis/REQUIREMENTS | 3 ---
|
||||
profiles/nis/password-auth | 4 ----
|
||||
profiles/nis/system-auth | 4 ----
|
||||
profiles/sssd/README | 3 ---
|
||||
profiles/sssd/REQUIREMENTS | 3 ---
|
||||
profiles/sssd/password-auth | 4 ----
|
||||
profiles/sssd/system-auth | 4 ----
|
||||
profiles/winbind/README | 3 ---
|
||||
profiles/winbind/REQUIREMENTS | 3 ---
|
||||
profiles/winbind/password-auth | 4 ----
|
||||
profiles/winbind/system-auth | 4 ----
|
||||
15 files changed, 53 deletions(-)
|
||||
|
||||
diff --git a/profiles/local/README b/profiles/local/README
|
||||
index 03f602441fe95ee280b575508f20d1f1de949b25..eedb298090b5b7c068ee1dfec0ee36c8b3086af4 100644
|
||||
--- a/profiles/local/README
|
||||
+++ b/profiles/local/README
|
||||
@@ -54,9 +54,6 @@ with-mdns4::
|
||||
with-mdns6::
|
||||
Enable multicast DNS over IPv6.
|
||||
|
||||
-with-systemd-homed::
|
||||
- If set, pam_systemd_homed is enabled for all pam operations.
|
||||
-
|
||||
with-libvirt::
|
||||
Enable connecting to libvirt VMs using the hostname configured in the
|
||||
guest OS or, as a fallback, their name.
|
||||
diff --git a/profiles/local/password-auth b/profiles/local/password-auth
|
||||
index 13e10d93b1d43ade8c45c32c50c613f6cf2abcca..d50d7e1fefaf257b8ddcdd1610004ffca9d93634 100644
|
||||
--- a/profiles/local/password-auth
|
||||
+++ b/profiles/local/password-auth
|
||||
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so
|
||||
|
||||
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
password requisite pam_pwquality.so
|
||||
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
||||
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
||||
@@ -24,7 +21,6 @@ password required pam_deny.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/local/system-auth b/profiles/local/system-auth
|
||||
index 7f3c56adb2329dd4a08b1cb08b63e8d0d9b13c86..290cd24eb9c50f196d6fc68a3688f097f49159fe 100644
|
||||
--- a/profiles/local/system-auth
|
||||
+++ b/profiles/local/system-auth
|
||||
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so
|
||||
|
||||
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
password requisite pam_pwquality.so
|
||||
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
||||
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
||||
@@ -25,7 +22,6 @@ password required pam_deny.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/nis/README b/profiles/nis/README
|
||||
index e3a1a0b986689bfd43d9531464bcd8fa7a0f5237..745138bbdb1e045db41990dcb8864477d3408e36 100644
|
||||
--- a/profiles/nis/README
|
||||
+++ b/profiles/nis/README
|
||||
@@ -65,9 +65,6 @@ with-mdns4::
|
||||
with-mdns6::
|
||||
Enable multicast DNS over IPv6.
|
||||
|
||||
-with-systemd-homed::
|
||||
- If set, pam_systemd_homed is enabled for all pam operations.
|
||||
-
|
||||
without-nullok::
|
||||
Do not add nullok parameter to pam_unix.
|
||||
|
||||
diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
|
||||
index 3e32879eba37e1bd2692aa2852c87036bfa78ed5..d8fe0456ee2b351e98af374fc0206717e6994031 100644
|
||||
--- a/profiles/nis/REQUIREMENTS
|
||||
+++ b/profiles/nis/REQUIREMENTS
|
||||
@@ -16,6 +16,3 @@ Make sure that NIS service is configured and enabled. See NIS documentation for
|
||||
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
|
||||
{include if "with-libvirt"}
|
||||
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
|
||||
- {include if "with-systemd-homed"}
|
||||
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
|
||||
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
|
||||
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
|
||||
index 45af4792df9f661fe04e1060e32cc6c0aa38c7c4..927fbcbda8fa4e910e29c88a3806fb5265bbc7bc 100644
|
||||
--- a/profiles/nis/password-auth
|
||||
+++ b/profiles/nis/password-auth
|
||||
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so broken_shadow
|
||||
|
||||
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
|
||||
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
||||
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
||||
@@ -24,7 +21,6 @@ password required pam_deny.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
|
||||
index 0bd022ee2286f37a5becb0daba2a5813693300a9..40a1bf74aaf3d721c4d720938e57766bfe651e47 100644
|
||||
--- a/profiles/nis/system-auth
|
||||
+++ b/profiles/nis/system-auth
|
||||
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so broken_shadow
|
||||
|
||||
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
|
||||
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
||||
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
||||
@@ -25,7 +22,6 @@ password required pam_deny.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/sssd/README b/profiles/sssd/README
|
||||
index f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d..a497da5dcffd0a03a122677c49ee2f8021927b04 100644
|
||||
--- a/profiles/sssd/README
|
||||
+++ b/profiles/sssd/README
|
||||
@@ -106,9 +106,6 @@ with-gssapi::
|
||||
with-subid::
|
||||
Enable SSSD as a source of subid database in /etc/nsswitch.conf.
|
||||
|
||||
-with-systemd-homed::
|
||||
- If set, pam_systemd_homed is enabled for all pam operations.
|
||||
-
|
||||
without-nullok::
|
||||
Do not add nullok parameter to pam_unix.
|
||||
|
||||
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
|
||||
index 6aaf7c771f7c1bcbf2aee7152422acc9d53c71f5..b36f6069a54a5f711a10aa0700f33e1a8e37794e 100644
|
||||
--- a/profiles/sssd/REQUIREMENTS
|
||||
+++ b/profiles/sssd/REQUIREMENTS
|
||||
@@ -25,6 +25,3 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
|
||||
- with-tlog is selected, make sure that session recording is enabled in SSSD {include if "with-tlog"}
|
||||
{include if "with-libvirt"}
|
||||
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
|
||||
- {include if "with-systemd-homed"}
|
||||
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
|
||||
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
|
||||
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
|
||||
index 97c33b678706e7eeb86bf45251baa41739f2940f..f468507b938ea2a7ac305a65f5fdea14a1ae10f1 100644
|
||||
--- a/profiles/sssd/password-auth
|
||||
+++ b/profiles/sssd/password-auth
|
||||
@@ -7,7 +7,6 @@ auth required pam_u2f.so cue {if not
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
@@ -16,14 +15,12 @@ auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
|
||||
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
password requisite pam_pwquality.so local_users_only
|
||||
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
||||
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
||||
@@ -35,7 +32,6 @@ password required pam_deny.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
|
||||
index 90c3504a414f0a151475cc207285b230fec381b1..870e4d7024066e3e40786bde6c3c39c7ba8d62c0 100644
|
||||
--- a/profiles/sssd/system-auth
|
||||
+++ b/profiles/sssd/system-auth
|
||||
@@ -12,7 +12,6 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
|
||||
auth sufficient pam_sss_gss.so {include if "with-gssapi"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
@@ -23,14 +22,12 @@ auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
|
||||
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
password requisite pam_pwquality.so local_users_only
|
||||
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
||||
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
||||
@@ -42,7 +39,6 @@ password required pam_deny.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/winbind/README b/profiles/winbind/README
|
||||
index f65870d1d03da6465ad446dac87ed141d7115d8b..8844e1da2003a0266dfe8937774d6d6f7dad0210 100644
|
||||
--- a/profiles/winbind/README
|
||||
+++ b/profiles/winbind/README
|
||||
@@ -75,9 +75,6 @@ with-mdns4::
|
||||
with-mdns6::
|
||||
Enable multicast DNS over IPv6.
|
||||
|
||||
-with-systemd-homed::
|
||||
- If set, pam_systemd_homed is enabled for all pam operations.
|
||||
-
|
||||
without-nullok::
|
||||
Do not add nullok parameter to pam_unix.
|
||||
|
||||
diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS
|
||||
index 232f6ee986ac66c5fed972c91c17080e0740e5c7..31a37d74ca5a4c46415545b8f6e0f61e8ad3b433 100644
|
||||
--- a/profiles/winbind/REQUIREMENTS
|
||||
+++ b/profiles/winbind/REQUIREMENTS
|
||||
@@ -16,6 +16,3 @@ Make sure that winbind service is configured and enabled. See winbind documentat
|
||||
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
|
||||
{include if "with-libvirt"}
|
||||
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
|
||||
- {include if "with-systemd-homed"}
|
||||
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
|
||||
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
|
||||
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
|
||||
index 8d74149dd48643dbb4b80d62600d3ece0868ec30..8d1682b9301c2b9c92292a41120f69611f148108 100644
|
||||
--- a/profiles/winbind/password-auth
|
||||
+++ b/profiles/winbind/password-auth
|
||||
@@ -4,7 +4,6 @@ auth required pam_faillock.so preauth
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
@@ -13,14 +12,12 @@ auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so broken_shadow
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
|
||||
account required pam_permit.so
|
||||
|
||||
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
password requisite pam_pwquality.so local_users_only
|
||||
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
||||
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
||||
@@ -31,7 +28,6 @@ password required pam_deny.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
|
||||
index 2326c859284c5823c5a6d34390d794dbf33110d2..612143d10fe502d7f6ed636b4fba6cc639aa66b0 100644
|
||||
--- a/profiles/winbind/system-auth
|
||||
+++ b/profiles/winbind/system-auth
|
||||
@@ -5,7 +5,6 @@ auth sufficient pam_fprintd.so
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
@@ -14,14 +13,12 @@ auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
account required pam_unix.so broken_shadow
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_usertype.so issystem
|
||||
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
|
||||
account required pam_permit.so
|
||||
|
||||
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
password requisite pam_pwquality.so local_users_only
|
||||
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
||||
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
||||
@@ -32,7 +29,6 @@ password required pam_deny.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
--
|
||||
2.42.0
|
||||
|
@ -0,0 +1,250 @@
|
||||
From 3167eaadde7a3f997925172b8d77cb380bf0d9d8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 10 Jun 2019 10:53:15 +0200
|
||||
Subject: [PATCH 2/3] rhel10: remove ecryptfs support
|
||||
|
||||
ecryptfs-utils is not present in rhel.
|
||||
---
|
||||
profiles/nis/README | 3 ---
|
||||
profiles/nis/fingerprint-auth | 1 -
|
||||
profiles/nis/password-auth | 1 -
|
||||
profiles/nis/postlogin | 4 ----
|
||||
profiles/nis/system-auth | 1 -
|
||||
profiles/sssd/README | 3 ---
|
||||
profiles/sssd/fingerprint-auth | 1 -
|
||||
profiles/sssd/password-auth | 1 -
|
||||
profiles/sssd/postlogin | 4 ----
|
||||
profiles/sssd/smartcard-auth | 1 -
|
||||
profiles/sssd/system-auth | 1 -
|
||||
profiles/winbind/README | 3 ---
|
||||
profiles/winbind/fingerprint-auth | 1 -
|
||||
profiles/winbind/password-auth | 1 -
|
||||
profiles/winbind/postlogin | 4 ----
|
||||
profiles/winbind/system-auth | 1 -
|
||||
src/man/authselect-migration.7.adoc | 5 ++---
|
||||
17 files changed, 2 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/profiles/nis/README b/profiles/nis/README
|
||||
index 745138bbdb1e045db41990dcb8864477d3408e36..3e2f8b01fa37f8c7060a9c263f66c3df9782061d 100644
|
||||
--- a/profiles/nis/README
|
||||
+++ b/profiles/nis/README
|
||||
@@ -21,9 +21,6 @@ with-mkhomedir::
|
||||
Enable automatic creation of home directories for users on their
|
||||
first login.
|
||||
|
||||
-with-ecryptfs::
|
||||
- Enable automatic per-user ecryptfs.
|
||||
-
|
||||
with-fingerprint::
|
||||
Enable authentication with fingerprint reader through *pam_fprintd*.
|
||||
|
||||
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
|
||||
index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be2982bdf36cb 100644
|
||||
--- a/profiles/nis/fingerprint-auth
|
||||
+++ b/profiles/nis/fingerprint-auth
|
||||
@@ -15,7 +15,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
|
||||
index 927fbcbda8fa4e910e29c88a3806fb5265bbc7bc..56a51d9eebb2987da340805ddb4e4a6752ebdeb2 100644
|
||||
--- a/profiles/nis/password-auth
|
||||
+++ b/profiles/nis/password-auth
|
||||
@@ -20,7 +20,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
|
||||
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
|
||||
--- a/profiles/nis/postlogin
|
||||
+++ b/profiles/nis/postlogin
|
||||
@@ -1,7 +1,3 @@
|
||||
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-
|
||||
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-
|
||||
session optional pam_umask.so silent
|
||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
||||
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
|
||||
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
|
||||
index 40a1bf74aaf3d721c4d720938e57766bfe651e47..74cf6ece9ce0b1b64b122fd2309ebf5d496c4787 100644
|
||||
--- a/profiles/nis/system-auth
|
||||
+++ b/profiles/nis/system-auth
|
||||
@@ -21,7 +21,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/sssd/README b/profiles/sssd/README
|
||||
index a497da5dcffd0a03a122677c49ee2f8021927b04..2038a32b682f36d9eef51fda138730abc9666279 100644
|
||||
--- a/profiles/sssd/README
|
||||
+++ b/profiles/sssd/README
|
||||
@@ -35,9 +35,6 @@ with-mkhomedir::
|
||||
Enable automatic creation of home directories for users on their
|
||||
first login.
|
||||
|
||||
-with-ecryptfs::
|
||||
- Enable automatic per-user ecryptfs.
|
||||
-
|
||||
with-smartcard::
|
||||
Enable authentication with smartcards through SSSD. Please note that
|
||||
smartcard support must be also explicitly enabled within
|
||||
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
|
||||
index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e5232126df55564 100644
|
||||
--- a/profiles/sssd/fingerprint-auth
|
||||
+++ b/profiles/sssd/fingerprint-auth
|
||||
@@ -20,7 +20,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
|
||||
index f468507b938ea2a7ac305a65f5fdea14a1ae10f1..c15121ad00ff00dfcd1743341594c853ba734d9c 100644
|
||||
--- a/profiles/sssd/password-auth
|
||||
+++ b/profiles/sssd/password-auth
|
||||
@@ -31,7 +31,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
|
||||
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
|
||||
--- a/profiles/sssd/postlogin
|
||||
+++ b/profiles/sssd/postlogin
|
||||
@@ -1,7 +1,3 @@
|
||||
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-
|
||||
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-
|
||||
session optional pam_umask.so silent
|
||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
||||
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
|
||||
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
|
||||
index 78cb329bf332f4d629740a0fff7d2dfe43f7d78d..13d3ee71f4d02c4ede777be6337031fc67baaa63 100644
|
||||
--- a/profiles/sssd/smartcard-auth
|
||||
+++ b/profiles/sssd/smartcard-auth
|
||||
@@ -18,7 +18,6 @@ account required pam_permit.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
|
||||
index 870e4d7024066e3e40786bde6c3c39c7ba8d62c0..4ea19acebe2208f9e21676bf0ae0a92e9a92b1f4 100644
|
||||
--- a/profiles/sssd/system-auth
|
||||
+++ b/profiles/sssd/system-auth
|
||||
@@ -38,7 +38,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/winbind/README b/profiles/winbind/README
|
||||
index 8844e1da2003a0266dfe8937774d6d6f7dad0210..7397bb9a6c8086b9720cc355d98de70b8107e79b 100644
|
||||
--- a/profiles/winbind/README
|
||||
+++ b/profiles/winbind/README
|
||||
@@ -33,9 +33,6 @@ with-mkhomedir::
|
||||
Enable automatic creation of home directories for users on their
|
||||
first login.
|
||||
|
||||
-with-ecryptfs::
|
||||
- Enable automatic per-user ecryptfs.
|
||||
-
|
||||
with-fingerprint::
|
||||
Enable authentication with fingerprint reader through *pam_fprintd*.
|
||||
|
||||
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
|
||||
index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a41202d21fd67 100644
|
||||
--- a/profiles/winbind/fingerprint-auth
|
||||
+++ b/profiles/winbind/fingerprint-auth
|
||||
@@ -19,7 +19,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
|
||||
index 8d1682b9301c2b9c92292a41120f69611f148108..8b260fa06f5ed8494d1f6fac74517d3a54622693 100644
|
||||
--- a/profiles/winbind/password-auth
|
||||
+++ b/profiles/winbind/password-auth
|
||||
@@ -27,7 +27,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
|
||||
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
|
||||
--- a/profiles/winbind/postlogin
|
||||
+++ b/profiles/winbind/postlogin
|
||||
@@ -1,7 +1,3 @@
|
||||
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-
|
||||
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-
|
||||
session optional pam_umask.so silent
|
||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
||||
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
|
||||
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
|
||||
index 612143d10fe502d7f6ed636b4fba6cc639aa66b0..33aa13efb92405393236c3511ebb351facd916f0 100644
|
||||
--- a/profiles/winbind/system-auth
|
||||
+++ b/profiles/winbind/system-auth
|
||||
@@ -28,7 +28,6 @@ password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
|
||||
index 8cc58e60301925974fdb738c5b9a746749981df8..9056913dee9eef1590c8590d3cc0b51005a98af3 100644
|
||||
--- a/src/man/authselect-migration.7.adoc
|
||||
+++ b/src/man/authselect-migration.7.adoc
|
||||
@@ -85,7 +85,6 @@ endif::[]
|
||||
|*Authconfig options* |*Authselect profile feature*
|
||||
|--enablesmartcard |with-smartcard
|
||||
|--enablefingerprint |with-fingerprint
|
||||
-|--enableecryptfs |with-ecryptfs
|
||||
|--enablemkhomedir |with-mkhomedir
|
||||
|--enablefaillock |with-faillock
|
||||
|--enablepamaccess |with-pamaccess
|
||||
@@ -108,8 +107,8 @@ authselect select sssd with-faillock
|
||||
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
|
||||
authselect select sssd with-smartcard
|
||||
|
||||
-authconfig --enableecryptfs --enablepamaccess --updateall
|
||||
-authselect select sssd with-ecryptfs with-pamaccess
|
||||
+authconfig --enablepamaccess --updateall
|
||||
+authselect select sssd with-pamaccess
|
||||
|
||||
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
|
||||
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
|
||||
--
|
||||
2.42.0
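Review bot: In the `src/man/authselect-migration.7.adoc` hunks the `|--enableecryptfs |with-ecryptfs` table row is dropped and the example becomes `authconfig --enablepamaccess --updateall`, but nothing is added to tell a reader that `--enableecryptfs` no longer has an authselect counterpart. An administrator migrating a host that relied on pam_ecryptfs would find the option silently missing from the mapping. I would add one sentence next to the table, for example `--enableecryptfs has no authselect equivalent in this build because the with-ecryptfs feature is removed.` The hunks do not show whether the man page already has a list of unsupported options; if it does, the option belongs there instead. Since the `pam_ecryptfs.so unwrap` lines are removed from every stack, it is also worth confirming how an existing configuration that still lists `with-ecryptfs` is handled on upgrade.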
|
||||
|
@ -0,0 +1,68 @@
|
||||
From b259ca399de497e0fc5e0763257e89bcc2e5a902 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 16:01:58 +0100
|
||||
Subject: [PATCH 3/3] rhel10: remove systemd-resolved
|
||||
|
||||
systemd-resolved should not be enabled by default in rhel.
|
||||
---
|
||||
profiles/local/nsswitch.conf | 2 +-
|
||||
profiles/nis/nsswitch.conf | 2 +-
|
||||
profiles/sssd/nsswitch.conf | 2 +-
|
||||
profiles/winbind/nsswitch.conf | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
|
||||
index 538926e4d5cc8c190a7b2d10fd3756ad3269a720..1ad4276566f775086fc091d8e1c35d4ac94a9786 100644
|
||||
--- a/profiles/local/nsswitch.conf
|
||||
+++ b/profiles/local/nsswitch.conf
|
||||
@@ -2,7 +2,7 @@
|
||||
passwd: files {if "with-altfiles":altfiles }systemd
|
||||
shadow: files
|
||||
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
|
||||
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
|
||||
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
|
||||
services: files
|
||||
netgroup: files
|
||||
automount: files
|
||||
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
|
||||
index 488476e91879b549fe605008d500b1810360f3be..88110258a69e7366980944ec3ccd9c79c0a1b323 100644
|
||||
--- a/profiles/nis/nsswitch.conf
|
||||
+++ b/profiles/nis/nsswitch.conf
|
||||
@@ -2,7 +2,7 @@
|
||||
passwd: files {if "with-altfiles":altfiles }nis systemd
|
||||
shadow: files nis
|
||||
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
|
||||
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
|
||||
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis myhostname dns
|
||||
services: files nis
|
||||
netgroup: files nis
|
||||
automount: files nis
|
||||
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
|
||||
index b98094d9e0eaeb1559347b81a9505822ff713034..89a1f230487a18d12ff9c3862e3394035bf17cff 100644
|
||||
--- a/profiles/sssd/nsswitch.conf
|
||||
+++ b/profiles/sssd/nsswitch.conf
|
||||
@@ -2,7 +2,7 @@
|
||||
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
|
||||
shadow: files
|
||||
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
|
||||
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
|
||||
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
|
||||
services: files sss
|
||||
netgroup: files sss
|
||||
sudoers: files sss {include if "with-sudo"}
|
||||
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
|
||||
index cc966b34464bb28776b903d61fff1f6a94a1eb6f..5315640e39f7c84b4c138f393fa3b5c970e4afa5 100644
|
||||
--- a/profiles/winbind/nsswitch.conf
|
||||
+++ b/profiles/winbind/nsswitch.conf
|
||||
@@ -2,7 +2,7 @@
|
||||
passwd: files {if "with-altfiles":altfiles }winbind systemd
|
||||
shadow: files
|
||||
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
|
||||
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
|
||||
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
|
||||
services: files
|
||||
netgroup: files
|
||||
automount: files
|
||||
--
|
||||
2.42.0
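Review bot: `resolve [!UNAVAIL=return]` is removed unconditionally from the `hosts:` line of all four profiles (local, nis, sssd, winbind), while the commit message only says systemd-resolved should not be enabled by default. On a host where the administrator does run systemd-resolved, NSS lookups now go straight to `myhostname dns` and the profile offers no way to opt back in. The generated nsswitch.conf is owned by authselect, so a manual re-add will presumably not be kept across profile changes. The profile READMEs are not touched by this patch; I would add a short note to each, for example `systemd-resolved is not used by this profile; to use nss-resolve, create a custom profile and add "resolve [!UNAVAIL=return]" before myhostname in the hosts line.` Whether resolver-side policy such as DNSSEC validation still applies then depends on how /etc/resolv.conf is set up, which is not visible here.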
|
||||
|
@ -0,0 +1,484 @@
|
||||
# Do not terminate build if language files are empty.
|
||||
%define _empty_manifest_terminate_build 0
|
||||
|
||||
Name: authselect
|
||||
Version: 1.5.0
|
||||
Release: 6%{?dist}
|
||||
Summary: Configures authentication and identity sources from supported profiles
|
||||
URL: https://github.com/authselect/authselect
|
||||
|
||||
License: GPL-3.0-or-later
|
||||
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
|
||||
|
||||
%global makedir %{_builddir}/%{name}-%{version}
|
||||
|
||||
# Disable NIS profile on RHEL
|
||||
%if 0%{?rhel}
|
||||
%global with_nis_profile 0
|
||||
%else
|
||||
%global with_nis_profile 1
|
||||
%endif
|
||||
|
||||
# Set the default profile
|
||||
%{?fedora:%global default_profile local with-silent-lastlog}
|
||||
%{?rhel:%global default_profile local}
|
||||
|
||||
# Patches
|
||||
Patch0001: 0001-sssd-reintroduce-with-files-access-provider.patch
|
||||
Patch0002: 0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
|
||||
Patch0003: 0003-po-update-translations.patch
|
||||
Patch0004: 0004-nis-install-nis-profile-conditionally.patch
|
||||
Patch0005: 0005-configure-drop-user-nsswitch.conf-support.patch
|
||||
Patch0006: 0006-configure-drop-authconfig-compat-tool.patch
|
||||
Patch0007: 0007-ci-remove-python-checks.patch
|
||||
Patch0008: 0008-pot-update-pot-files.patch
|
||||
Patch0009: 0009-profiles-merge-groups-records-with-SUCCESS-merge.patch
|
||||
Patch0010: 0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch
|
||||
Patch0011: 0011-profiles-put-myhostname-before-dns.patch
|
||||
|
||||
# RHEL-only patches
|
||||
%if 0%{?rhel}
|
||||
Patch0901: 0901-rhel10-remove-systemd-homed.patch
|
||||
Patch0902: 0902-rhel10-remove-ecryptfs-support.patch
|
||||
Patch0903: 0903-rhel10-remove-systemd-resolved.patch
|
||||
%endif
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: findutils
|
||||
BuildRequires: libtool
|
||||
BuildRequires: m4
|
||||
BuildRequires: gcc
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: pkgconfig(popt)
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: po4a
|
||||
BuildRequires: %{_bindir}/a2x
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: libselinux-devel
|
||||
Requires: authselect-libs%{?_isa} = %{version}-%{release}
|
||||
Suggests: sssd
|
||||
Suggests: samba-winbind
|
||||
Suggests: fprintd-pam
|
||||
Suggests: oddjob-mkhomedir
|
||||
|
||||
# Properly obsolete removed authselect-compat package.
|
||||
Obsoletes: authselect-compat < 1.3
|
||||
|
||||
%description
|
||||
Authselect is designed to be a replacement for authconfig but it takes
|
||||
a different approach to configure the system. Instead of letting
|
||||
the administrator build the PAM stack with a tool (which may potentially
|
||||
end up with a broken configuration), it would ship several tested stacks
|
||||
(profiles) that solve a use-case and are well tested and supported.
|
||||
At the same time, some obsolete features of authconfig are not
|
||||
supported by authselect.
|
||||
|
||||
%package libs
|
||||
Summary: Utility library used by the authselect tool
|
||||
# Required by scriptlets
|
||||
Requires: coreutils
|
||||
Requires: sed
|
||||
Suggests: systemd
|
||||
|
||||
%description libs
|
||||
Common library files for authselect. This package is used by the authselect
|
||||
command line tool and any other potential front-ends.
|
||||
|
||||
%package devel
|
||||
Summary: Development libraries and headers for authselect
|
||||
Requires: authselect-libs%{?_isa} = %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
System header files and development libraries for authselect. Useful if
|
||||
you develop a front-end for the authselect library.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
for p in %patches ; do
|
||||
%__patch -p1 -i $p
|
||||
done
|
||||
|
||||
%build
|
||||
autoreconf -if
|
||||
%configure \
|
||||
%if %{with_nis_profile}
|
||||
--with-nis-profile \
|
||||
%endif
|
||||
%{nil}
|
||||
|
||||
%make_build
|
||||
|
||||
%check
|
||||
%make_build check
|
||||
|
||||
%install
|
||||
%make_install
|
||||
|
||||
# Find translations
|
||||
%find_lang %{name}
|
||||
%find_lang %{name} %{name}.8.lang --with-man
|
||||
%find_lang %{name}-migration %{name}-migration.7.lang --with-man
|
||||
%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
|
||||
|
||||
# We want this file to contain only manual page translations
|
||||
%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
|
||||
|
||||
# Remove .la and .a files created by libtool
|
||||
find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
|
||||
find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
|
||||
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%files libs -f %{name}.lang -f %{name}-profiles.5.lang
|
||||
%dir %{_sysconfdir}/authselect
|
||||
%dir %{_sysconfdir}/authselect/custom
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
|
||||
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
|
||||
%dir %{_localstatedir}/lib/authselect
|
||||
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
|
||||
%dir %{_datadir}/authselect
|
||||
%dir %{_datadir}/authselect/vendor
|
||||
%dir %{_datadir}/authselect/default
|
||||
%dir %{_datadir}/authselect/default/local/
|
||||
%dir %{_datadir}/authselect/default/sssd/
|
||||
%dir %{_datadir}/authselect/default/winbind/
|
||||
%{_datadir}/authselect/default/local/dconf-db
|
||||
%{_datadir}/authselect/default/local/dconf-locks
|
||||
%{_datadir}/authselect/default/local/fingerprint-auth
|
||||
%{_datadir}/authselect/default/local/nsswitch.conf
|
||||
%{_datadir}/authselect/default/local/password-auth
|
||||
%{_datadir}/authselect/default/local/postlogin
|
||||
%{_datadir}/authselect/default/local/README
|
||||
%{_datadir}/authselect/default/local/REQUIREMENTS
|
||||
%{_datadir}/authselect/default/local/smartcard-auth
|
||||
%{_datadir}/authselect/default/local/system-auth
|
||||
%{_datadir}/authselect/default/sssd/dconf-db
|
||||
%{_datadir}/authselect/default/sssd/dconf-locks
|
||||
%{_datadir}/authselect/default/sssd/fingerprint-auth
|
||||
%{_datadir}/authselect/default/sssd/nsswitch.conf
|
||||
%{_datadir}/authselect/default/sssd/password-auth
|
||||
%{_datadir}/authselect/default/sssd/postlogin
|
||||
%{_datadir}/authselect/default/sssd/README
|
||||
%{_datadir}/authselect/default/sssd/REQUIREMENTS
|
||||
%{_datadir}/authselect/default/sssd/smartcard-auth
|
||||
%{_datadir}/authselect/default/sssd/system-auth
|
||||
%{_datadir}/authselect/default/winbind/dconf-db
|
||||
%{_datadir}/authselect/default/winbind/dconf-locks
|
||||
%{_datadir}/authselect/default/winbind/fingerprint-auth
|
||||
%{_datadir}/authselect/default/winbind/nsswitch.conf
|
||||
%{_datadir}/authselect/default/winbind/password-auth
|
||||
%{_datadir}/authselect/default/winbind/postlogin
|
||||
%{_datadir}/authselect/default/winbind/README
|
||||
%{_datadir}/authselect/default/winbind/REQUIREMENTS
|
||||
%{_datadir}/authselect/default/winbind/smartcard-auth
|
||||
%{_datadir}/authselect/default/winbind/system-auth
|
||||
%if %{with_nis_profile}
|
||||
%dir %{_datadir}/authselect/default/nis/
|
||||
%{_datadir}/authselect/default/nis/dconf-db
|
||||
%{_datadir}/authselect/default/nis/dconf-locks
|
||||
%{_datadir}/authselect/default/nis/fingerprint-auth
|
||||
%{_datadir}/authselect/default/nis/nsswitch.conf
|
||||
%{_datadir}/authselect/default/nis/password-auth
|
||||
%{_datadir}/authselect/default/nis/postlogin
|
||||
%{_datadir}/authselect/default/nis/README
|
||||
%{_datadir}/authselect/default/nis/REQUIREMENTS
|
||||
%{_datadir}/authselect/default/nis/smartcard-auth
|
||||
%{_datadir}/authselect/default/nis/system-auth
|
||||
%endif
|
||||
%{_libdir}/libauthselect.so.*
|
||||
%{_mandir}/man5/authselect-profiles.5*
|
||||
%{_datadir}/doc/authselect/COPYING
|
||||
%{_datadir}/doc/authselect/README.md
|
||||
%license COPYING
|
||||
%doc README.md
|
||||
|
||||
%files devel
|
||||
%{_includedir}/authselect.h
|
||||
%{_libdir}/libauthselect.so
|
||||
%{_libdir}/pkgconfig/authselect.pc
|
||||
|
||||
%files -f %{name}.8.lang -f %{name}-migration.7.lang
|
||||
%{_bindir}/authselect
|
||||
%{_mandir}/man8/authselect.8*
|
||||
%{_mandir}/man7/authselect-migration.7*
|
||||
%{_sysconfdir}/bash_completion.d/authselect-completion.sh
|
||||
|
||||
%preun
|
||||
if [ $1 == 0 ] ; then
|
||||
# Remove authselect symbolic links so all authselect files can be
|
||||
# deleted safely. If this fail, the uninstallation must fail to avoid
|
||||
# breaking the system by removing PAM files. However, the command can
|
||||
# only fail if it can not write to the file system.
|
||||
%{_bindir}/authselect opt-out
|
||||
fi
|
||||
|
||||
%posttrans libs
|
||||
# Keep nss-altfiles for all rpm-ostree based systems.
|
||||
# See https://github.com/authselect/authselect/issues/48
|
||||
if test -e /run/ostree-booted; then
|
||||
for PROFILE in `ls %{_datadir}/authselect/default`; do
|
||||
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
|
||||
%__sed -i -e 's/{if "with-altfiles":\([^}]\+\)}/\1/g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
|
||||
done
|
||||
fi
|
||||
|
||||
# If this is a new installation select the default configuration.
|
||||
if [ $1 == 1 ] ; then
|
||||
%{_bindir}/authselect select %{default_profile} --force --nobackup &> /dev/null
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Minimal profile was removed. Switch to local during upgrade.
|
||||
%__sed -i '1 s/^minimal$/local/' %{_sysconfdir}/authselect/authselect.conf
|
||||
for file in %{_sysconfdir}/authselect/custom/*/*; do
|
||||
link=`%{_bindir}/readlink "$file"`
|
||||
if [[ "$link" == %{_datadir}/authselect/default/minimal/* ]]; then
|
||||
target=`%{_bindir}/basename "$link"`
|
||||
%{_bindir}/ln -sfn "%{_datadir}/authselect/default/local/$target" "$file"
|
||||
fi
|
||||
done
|
||||
|
||||
# Apply any changes to profiles (validates configuration first internally)
|
||||
%{_bindir}/authselect apply-changes &> /dev/null
|
||||
|
||||
exit 0
|
||||
|
||||
%changelog
|
||||
* Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.5.0-6
|
||||
- Rebuilt for MSVSphere 10
|
||||
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.5.0-6
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
* Tue Feb 27 2024 Jonathan Lebon <jonathan@jlebon.com> - 1.5.0-5
|
||||
- Fix altfiles rendering on OSTree variants
|
||||
|
||||
* Fri Feb 23 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-4
|
||||
- Add back with-files-access-provider
|
||||
- Remove outdated scriptlets
|
||||
- Group merging added to nsswitch.conf group in all profiles
|
||||
- myhostname is put right before dns module in nsswitch.conf hosts (rhbz#2257197)
|
||||
- Internal packaging changes
|
||||
|
||||
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Thu Jan 18 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-1
|
||||
- Rebase to 1.5.0
|
||||
- "minimal" profile was removed and replaced with "local". (rhbz#2253180)
|
||||
- "local" profile is now default (rhbz#2253180)
|
||||
|
||||
* Wed Sep 27 2023 Pavel Březina <pbrezina@redhat.com> - 1.4.3-1
|
||||
- Rebase to 1.4.3
|
||||
|
||||
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Mon Dec 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.2-1
|
||||
- Rebase to 1.4.2
|
||||
|
||||
* Thu Dec 1 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.1-1
|
||||
- Rebase to 1.4.1
|
||||
|
||||
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Fri Jul 8 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-2
|
||||
- Fix issues with popt-1.19
|
||||
|
||||
* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-1
|
||||
- Rebase to 1.3.0
|
||||
|
||||
* Thu Feb 10 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-10
|
||||
- Fix mdns support (#2052269)
|
||||
|
||||
* Thu Feb 3 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-9
|
||||
- Make authselect compatible with ostree (#2034360)
|
||||
- Authselect now requires explicit opt-out if users don't want to use it (#2051545)
|
||||
|
||||
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-7
|
||||
- Remove unnecessary dependencies (#2039869)
|
||||
|
||||
* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-6
|
||||
- Fix detection of ostree system (#2034360)
|
||||
|
||||
* Tue Dec 28 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-5
|
||||
- Try to use io.open() in pre scriptlet instead of rpm.open() (rpm >= 4.17.0)
|
||||
|
||||
* Tue Dec 21 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-4
|
||||
- Use lua for pre scriptlets to reduce dependencies
|
||||
|
||||
* Fri Dec 10 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-3
|
||||
- Update conflicting versions of glibc and pam
|
||||
|
||||
* Mon Dec 6 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-1
|
||||
- Rebase to 1.3.0
|
||||
- Authselect configuration is now enforced (#2000936)
|
||||
|
||||
* Sat Aug 14 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.4-2
|
||||
- Add proper Obsoletes for removed authselect-compat package
|
||||
Fixes: rhbz#1993189
|
||||
|
||||
* Mon Aug 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.4-1
|
||||
- Rebase to 1.2.4
|
||||
|
||||
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.3-3
|
||||
- Backport support for yescrypt hash method
|
||||
|
||||
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.2.3-2
|
||||
- Rebuilt for Python 3.10
|
||||
|
||||
* Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-1
|
||||
- Rebase to 1.2.3
|
||||
|
||||
* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-4
|
||||
- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
|
||||
Resolves: #1935331
|
||||
|
||||
* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
|
||||
- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
|
||||
- Rebase to 1.2.2
|
||||
- Add nss-altfiles to profiles on Fedora Silverblue
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Wed Jul 22 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-3
|
||||
- Add resolved by default to nis and minimal profiles
|
||||
- Fix parsing of multiple conditionals on the same line
|
||||
|
||||
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.2.1-2
|
||||
- Rebuilt for Python 3.9
|
||||
|
||||
* Mon May 11 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-1
|
||||
- Rebase to 1.2.1
|
||||
|
||||
* Wed Mar 4 2020 Pavel Březina <pbrezina@redhat.com> - 1.2-1
|
||||
- Rebase to 1.2
|
||||
|
||||
* Mon Feb 17 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-7
|
||||
- fix restoring non-authselect configuration from backup
|
||||
|
||||
* Wed Jan 29 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-6
|
||||
- cli: fix auto backup when --force is set
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-4
|
||||
- Rebuilt for Python 3.8.0rc1 (#1748018)
|
||||
|
||||
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-3
|
||||
- Rebuilt for Python 3.8
|
||||
|
||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Thu Jun 13 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-1
|
||||
- Rebase to 1.1
|
||||
|
||||
* Tue Feb 26 2019 Pavel Březina <pbrezina@redhat.com> - 1.0.3-1
|
||||
- Rebase to 1.0.3
|
||||
|
||||
* Tue Feb 26 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0.2-4
|
||||
- Use %ghost for files owned by authselect
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-2
|
||||
- Resolves rhbz#1655025 (invalid backup).
|
||||
|
||||
* Fri Nov 23 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-1
|
||||
- Rebase to 1.0.2
|
||||
|
||||
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-2
|
||||
- Require systemd instead of systemctl
|
||||
|
||||
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-1
|
||||
- Rebase to 1.0.1
|
||||
|
||||
* Fri Sep 14 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
|
||||
- Scriptlets should no produce any error messages (RHBZ #1622272)
|
||||
- Provide fix for pwquality configuration (RHBZ #1618865)
|
||||
|
||||
* Thu Aug 30 2018 Adam Williamson <awilliam@redhat.com> - 1.0-2
|
||||
- Backport PR #78 to fix broken pwquality config (RHBZ #1618865)
|
||||
|
||||
* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
|
||||
- Rebase to 1.0
|
||||
|
||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.4-4
|
||||
- Rebuilt for Python 3.7
|
||||
|
||||
* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
|
||||
- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
|
||||
|
||||
* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
|
||||
- Don't disable oddjobd.service (RHBZ #1571844)
|
||||
|
||||
* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
|
||||
- rebasing to 0.4
|
||||
|
||||
* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
|
||||
- rebasing to 0.3.2
|
||||
- authselect-compat now only suggests packages, not recommends
|
||||
|
||||
* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
|
||||
- rebasing to 0.3.1
|
||||
|
||||
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
|
||||
- Provide authconfig
|
||||
|
||||
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
|
||||
- Properly own all appropriate directories
|
||||
- Remove unneeded %%defattr
|
||||
- Remove deprecated Group tag
|
||||
- Make Obsoletes versioned
|
||||
- Remove unneeded ldconfig scriptlets
|
||||
|
||||
* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
|
||||
- rebasing to 0.3
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
|
||||
- fix rpmlint errors
|
||||
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
|
||||
- rebasing to 0.2
|
||||
* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
|
||||
- initial packaging
|