import authselect-1.5.0-6.el10

i10c-beta changed/i10c-beta/authselect-1.5.0-6.el10
MSVSphere Packaging Team 3 months ago
commit e46a0761f7
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

@ -0,0 +1 @@
bc93feb781e01b2101e06e413f65924d4f633d0a SOURCES/authselect-1.5.0.tar.gz

.gitignore vendored

@ -0,0 +1 @@
SOURCES/authselect-1.5.0.tar.gz

@ -0,0 +1,101 @@
From adb36ae3633e2dfaa9c21bb45d05551f1ea3d749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 21 Feb 2024 14:27:49 +0100
Subject: [PATCH 01/11] sssd: reintroduce with-files-access-provider
This is still needed to support .k5login file with proxy domain. For
example:
```
[domain/proxy]
id_provider = proxy
proxy_lib_name = files
access_provider = krb5
auth_provider = krb5
krb5_server = kdc.test
krb5_realm = TEST
```
---
profiles/sssd/README | 10 ++++++++++
profiles/sssd/fingerprint-auth | 2 +-
profiles/sssd/password-auth | 2 +-
profiles/sssd/smartcard-auth | 2 +-
profiles/sssd/system-auth | 2 +-
5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 770891a338754b53ee48ba34d9d80c2f2f31cdb6..f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -89,6 +89,16 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
+with-files-access-provider:: If set, account management for local users is
+ handled also by pam_sss. This can be used to support SSSD's proxy domain
+ that is configured to serve users from local files but provide
+ authentication and access management (.k5login file) via Kerberos.
+
+ *WARNING:* SSSD access check will become mandatory for local users and
+ if SSSD is stopped then local users will not be able to log in. Only
+ system accounts (as defined by pam_usertype, including root) will be
+ able to log in.
+
with-gssapi::
If set, pam_sss_gss module is enabled to perform user authentication over
GSSAPI.
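Review bot: The new `with-files-access-provider` README entry documents the lockout risk but not the SSSD configuration the feature depends on; the proxy-domain example (`id_provider = proxy`, `proxy_lib_name = files`, `access_provider = krb5`) appears only in the commit message. Suggest adding that example, or a pointer to it, under the entry, so an administrator enabling the feature sees what SSSD domain it expects before the access check becomes mandatory for local users.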
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 94232086a60f56976bd5182f5d10da9c63ec22b6..20ad3613e66ec85c7d2462d0449854e522383b3a 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -11,7 +11,7 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
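Review bot: Once `pam_localuser.so` is excluded from this account stack, the only early exit left for a local account is `pam_usertype.so issystem`; every other user reaches `pam_sss.so` with `[default=bad success=ok user_unknown=ignore]`, so any result other than success or user_unknown fails the account phase. That matches the README warning, but the same one-line change is repeated in four templates with nothing in the files explaining it. A short comment above the changed line, or a check that renders all four templates with and without the feature, would keep them from drifting apart.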
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 05487ca293138a1154cb6820dbc9a53770904670..97c33b678706e7eeb86bf45251baa41739f2940f 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -18,7 +18,7 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 540556ce89b727a226bec4d3322a1775ef350253..78cb329bf332f4d629740a0fff7d2dfe43f7d78d 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -11,7 +11,7 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 83f9214fdd0a97ec49a8df52a2e202e034cbc0c6..90c3504a414f0a151475cc207285b230fec381b1 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -25,7 +25,7 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
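Review bot: `pam_systemd_home.so` stays `sufficient` ahead of the changed line here (and in password-auth), so with both `with-systemd-homed` and `with-files-access-provider` enabled, an account accepted by pam_systemd_home returns before `pam_sss.so` and skips the SSSD access check that the README describes as mandatory for local users. If that is intended, say so in the README entry; if not, the ordering of these two lines needs another look.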
--
2.42.0

@ -0,0 +1,217 @@
From d498f7aa562cf41e0999f7733664c27fa62bcf7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 11:54:44 +0100
Subject: [PATCH 02/11] spec: modify specfile for Fedora 40 and RHEL 10 as
minimal version
- conditionals that are no longer used are removed
- upgrade path is removed
- this was already triggered in Fedora 38, so it is no longer useful
- RHEL is updated to authselect with leapp when going from 7 to 8
we don't want to touch existing configurations
---
rpm/authselect.spec.in | 102 ++---------------------------------------
1 file changed, 3 insertions(+), 99 deletions(-)
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index 24ce4e603208ce26eb228bbee565c868428a2af1..e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -12,20 +12,6 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
-%if 0%{?fedora} >= 35 || 0%{?rhel} >= 10
-%global with_compat 0
-%else
-%global with_compat 1
-%endif
-
-%if 0%{?fedora} >= 36 || 0%{?rhel} >= 10
-%global with_user_nsswitch 0
-%global enforce_authselect 1
-%else
-%global with_user_nsswitch 1
-%global enforce_authselect 0
-%endif
-
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
@@ -43,21 +29,14 @@ BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
-%if %{with_compat}
-BuildRequires: python3-devel
-%endif
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
-%if !%{with_compat}
# Properly obsolete removed authselect-compat package.
-Obsoletes: authselect-compat < 1.2.4
-# Inherited from former authselect-compat package.
-Obsoletes: authconfig < 7.0.1-6
-%endif
+Obsoletes: authselect-compat < 1.3
%description
Authselect is designed to be a replacement for authconfig but it takes
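Review bot: The `Obsoletes:` block drops `Obsoletes: authconfig < 7.0.1-6` and moves the authselect-compat bound from `< 1.2.4` to `< 1.3`, but the commit message only mentions removed conditionals and the removed upgrade path. Please state in the message (or in a comment next to the line) why the authconfig obsolete is no longer needed and why the bound changed, so that downstream rebuilders can tell this was deliberate.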
@@ -74,14 +53,6 @@ Summary: Utility library used by the authselect tool
Requires: coreutils
Requires: sed
Suggests: systemd
-%if %{enforce_authselect}
-# authselect now owns nsswitch.conf (glibc) and pam files
-Conflicts: pam < 1.5.2-8
-Conflicts: glibc < 2.34.9000-27
-# systemd, nss-mdns no longer contains nsswitch.conf scriptlets
-Conflicts: systemd < 249.7-4
-Conflicts: nss-mdns < 0.15.1-3
-%endif
%description libs
Common library files for authselect. This package is used by the authselect
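Review bot: The four `Conflicts:` lines against older pam, glibc, systemd and nss-mdns are removed from the libs subpackage, while a later hunk makes the `%ghost` entries for `%{_sysconfdir}/nsswitch.conf` and the `pam.d` files unconditional. Those conflicts were the only place the spec recorded that authselect now owns these files; with them gone the package relies entirely on the distribution baseline named in the commit subject (Fedora 40 and RHEL 10). A comment here recording that minimum baseline would make the assumption visible to anyone rebuilding the package elsewhere.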
@@ -95,25 +66,6 @@ Requires: authselect-libs%{?_isa} = %{version}-%{release}
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
-%if %{with_compat}
-%package compat
-Summary: Tool to provide minimum backwards compatibility with authconfig
-Obsoletes: authconfig < 7.0.1-6
-Provides: authconfig
-Requires: authselect%{?_isa} = %{version}-%{release}
-Recommends: oddjob-mkhomedir
-Suggests: sssd
-Suggests: realmd
-Suggests: samba-winbind
-
-%description compat
-This package will replace %{_sbindir}/authconfig with a tool that will
-translate some of the authconfig calls into authselect calls. It provides
-only minimum backward compatibility and users are encouraged to migrate
-to authselect completely.
-%endif
-
-
%prep
%setup -q
@@ -123,16 +75,7 @@ done
%build
autoreconf -if
-%configure \
-%if %{with_compat}
- --with-pythonbin="%{__python3}" \
- --with-compat \
-%endif
-%if %{with_user_nsswitch}
- --with-user-nsswitch \
-%endif
- %{nil}
-
+%configure
%make_build
%check
@@ -168,20 +111,14 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
-%if %{enforce_authselect}
%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
-%endif
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
-%if %{with_user_nsswitch}
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
-%endif
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
@@ -241,12 +178,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
-%if %{with_compat}
-%files compat
-%{_sbindir}/authconfig
-%{python3_sitelib}/authselect/
-%endif
-
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
@@ -265,47 +196,21 @@ if [ $1 == 0 ] ; then
fi
%pre libs
-%if %{enforce_authselect}
# Check if this is a new installation.
%__rm -f %{forcefile}
if [ $1 -eq 1 ] ; then
touch %{forcefile}
fi
-
-# Check if we are upgrading from older version then authselect-1.3.0
-# The version command is not available on earlier versions
-if [ $1 -gt 1 ] ; then
- %{_bindir}/authselect check &> /dev/null
- if [ $? -ne 0 ]; then
- %{_bindir}/authselect version &> /dev/null
- if [ $? -ne 0 ]; then
- touch %{forcefile}
- fi
- fi
-fi
-%endif
-
exit 0
%posttrans libs
-# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
-%if %{with_user_nsswitch}
-if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
- %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
- touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
-fi
-%endif
# Keep nss-altfiles for all rpm-ostree based systems.
# See https://github.com/authselect/authselect/issues/48
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
-%if %{with_user_nsswitch}
- %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
-%else
%__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
-%endif
done
fi
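Review bot: The retained `%__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g'` line in the ostree loop passes `e` as the backup suffix to `-i` (GNU sed reads `-ie` as `-i` with suffix `e`), so each vendor profile ends up with a stray `nsswitch.confe` copy. Since this hunk already rewrites the block, switch to `-i -e` or plain `-i`. The loop also iterates over backtick `ls` output and sends all output to /dev/null, so a failed `create-profile` or `sed` goes unnoticed; a glob over `%{_datadir}/authselect/default/*` and at least a logged failure would be safer for a scriptlet that edits NSS configuration.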
@@ -314,8 +219,7 @@ if [ $? -eq 6 ]; then
NOBACKUP="--nobackup"
fi
-# If we are upgrading from pre authselect-1.3.0 or this is a new installation
-# select the default configuration.
+# If this is a new installation select the default configuration.
if [ -f %{forcefile} ]; then
%{_bindir}/authselect select %{default_profile} --force $NOBACKUP &> /dev/null
%__rm -f %{forcefile}
--
2.42.0

@ -0,0 +1,471 @@
From 4485f4686c285310b2a11ac545e88e3acef870ea Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Tue, 20 Feb 2024 21:36:02 +0100
Subject: [PATCH 03/11] po: update translations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(Finnish) currently translated at 100.0% (349 of 349 strings)
Translation: authselect/master
Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-application/fi/
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
po: update translations
(Turkish) currently translated at 100.0% (349 of 349 strings)
Translation: authselect/master
Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-application/tr/
Co-authored-by: Jan Kuparinen <copper_fin@hotmail.com>
Co-authored-by: Oğuz Ersen <oguz@ersen.moe>
Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-authselect8adoc/
Translation: authselect/master-authselect.8.adoc
---
po/fi.po | 11 +++++------
po/tr.po | 12 ++++++------
src/man/po/authselect.8.adoc.ca.po | 2 +-
src/man/po/authselect.8.adoc.cs.po | 2 +-
src/man/po/authselect.8.adoc.de.po | 2 +-
src/man/po/authselect.8.adoc.es.po | 2 +-
src/man/po/authselect.8.adoc.fa.po | 2 +-
src/man/po/authselect.8.adoc.fi.po | 2 +-
src/man/po/authselect.8.adoc.fr.po | 2 +-
src/man/po/authselect.8.adoc.hu.po | 2 +-
src/man/po/authselect.8.adoc.it.po | 2 +-
src/man/po/authselect.8.adoc.ja.po | 2 +-
src/man/po/authselect.8.adoc.ko.po | 2 +-
src/man/po/authselect.8.adoc.nl.po | 2 +-
src/man/po/authselect.8.adoc.pl.po | 2 +-
src/man/po/authselect.8.adoc.pt.po | 2 +-
src/man/po/authselect.8.adoc.pt_BR.po | 2 +-
src/man/po/authselect.8.adoc.ru.po | 2 +-
src/man/po/authselect.8.adoc.si.po | 2 +-
src/man/po/authselect.8.adoc.sv.po | 2 +-
src/man/po/authselect.8.adoc.tr.po | 2 +-
src/man/po/authselect.8.adoc.uk.po | 2 +-
src/man/po/authselect.8.adoc.zh_CN.po | 16 +++++++---------
src/man/po/authselect.8.adoc.zh_TW.po | 2 +-
24 files changed, 39 insertions(+), 42 deletions(-)
diff --git a/po/fi.po b/po/fi.po
index 63f52ad6a8cd85d6f5c06b0a57d194ac94268206..12c84ea64ed09176d2e08e0d02aa47278540758f 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -1,14 +1,14 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR Red Hat, Inc.
# This file is distributed under the same license as the authselect package.
-# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022.
+# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2024.
# Ricky Tigg <ricky.tigg@gmail.com>, 2022.
msgid ""
msgstr ""
"Project-Id-Version: authselect 1.2.2\n"
"Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n"
"POT-Creation-Date: 2023-09-27 13:03+0200\n"
-"PO-Revision-Date: 2022-05-23 17:18+0000\n"
+"PO-Revision-Date: 2024-02-20 20:36+0000\n"
"Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
"Language-Team: Finnish <https://translate.fedoraproject.org/projects/"
"authselect/master-application/fi/>\n"
@@ -17,7 +17,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 4.12.2\n"
+"X-Generator: Weblate 5.4\n"
#: src/lib/authselect.c:47 src/lib/authselect.c:188
msgid "Unable to obtain supported features"
@@ -671,10 +671,9 @@ msgid "Unable to chown file [%s] [%d]: %s"
msgstr "Ei pysty ajamaan chmod tiedostolle [%s] [%d]: %s"
#: src/lib/util/selinux.c:46
-#, fuzzy, c-format
-#| msgid "Unable to create selabel context [%d]: %s"
+#, c-format
msgid "Unable to create selabel handle [%d]: %s"
-msgstr "Selabel-kontekstia [%d] ei voida luoda: %s"
+msgstr "Selabel-kahvaa [%d] ei voida luoda: %s"
#: src/lib/util/selinux.c:55
#, c-format
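Review bot: In the context just above the changed entry, the msgid `Unable to chown file [%s] [%d]: %s` is translated as `Ei pysty ajamaan chmod tiedostolle [%s] [%d]: %s`, which names chmod rather than chown. It is outside the changed lines, but it is worth fixing in Weblate alongside the selabel string, because the translated error message names the wrong operation.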
diff --git a/po/tr.po b/po/tr.po
index 546e09bcb7457a44b43965dc222328cbdfe6f94d..8799903c5c18c48972d6faf464f5ee256460729a 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -3,13 +3,14 @@
# This file is distributed under the same license as the authselect package.
# Oğuz Ersen <oguzersen@protonmail.com>, 2020, 2021.
# Anonymous <noreply@weblate.org>, 2020.
+# Oğuz Ersen <oguz@ersen.moe>, 2024.
msgid ""
msgstr ""
"Project-Id-Version: authselect 1.1\n"
"Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n"
"POT-Creation-Date: 2023-09-27 13:03+0200\n"
-"PO-Revision-Date: 2021-12-10 17:16+0000\n"
-"Last-Translator: Oğuz Ersen <oguzersen@protonmail.com>\n"
+"PO-Revision-Date: 2024-01-29 17:36+0000\n"
+"Last-Translator: Oğuz Ersen <oguz@ersen.moe>\n"
"Language-Team: Turkish <https://translate.fedoraproject.org/projects/"
"authselect/master-application/tr/>\n"
"Language: tr\n"
@@ -17,7 +18,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 4.9.1\n"
+"X-Generator: Weblate 5.3.1\n"
#: src/lib/authselect.c:47 src/lib/authselect.c:188
msgid "Unable to obtain supported features"
@@ -671,10 +672,9 @@ msgid "Unable to chown file [%s] [%d]: %s"
msgstr "[%s] dosyasının sahibi değiştirilemedi [%d]: %s"
#: src/lib/util/selinux.c:46
-#, fuzzy, c-format
-#| msgid "Unable to create selabel context [%d]: %s"
+#, c-format
msgid "Unable to create selabel handle [%d]: %s"
-msgstr "selabel bağlamı oluşturulamadı [%d]: %s"
+msgstr "selabel tanıtıcısı oluşturulamadı [%d]: %s"
#: src/lib/util/selinux.c:55
#, c-format
diff --git a/src/man/po/authselect.8.adoc.ca.po b/src/man/po/authselect.8.adoc.ca.po
index 8c04b973ccfb0136589965d79a4fc38f57c38523..01e54857766fcbf7f063792a9953cbd26a979a51 100644
--- a/src/man/po/authselect.8.adoc.ca.po
+++ b/src/man/po/authselect.8.adoc.ca.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: Automatically generated\n"
"Language-Team: none\n"
diff --git a/src/man/po/authselect.8.adoc.cs.po b/src/man/po/authselect.8.adoc.cs.po
index 84d630218ec7ef3b880a0da7315b2abd30bd3e62..cc98ea8c50ad65a19862b8470938cafafecc3e70 100644
--- a/src/man/po/authselect.8.adoc.cs.po
+++ b/src/man/po/authselect.8.adoc.cs.po
@@ -3,7 +3,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-08-07 20:21+0000\n"
"Last-Translator: Jan Kalabza <jan.kalabza@gmail.com>\n"
"Language-Team: Czech <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.de.po b/src/man/po/authselect.8.adoc.de.po
index c336bc529496cf756c4bbf19740866ebaf42a338..e3182a8baf1652da247c2dc9f773a313f29f79a2 100644
--- a/src/man/po/authselect.8.adoc.de.po
+++ b/src/man/po/authselect.8.adoc.de.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-08-15 14:21+0000\n"
"Last-Translator: Jens Maucher <jensmaucher@gmail.com>\n"
"Language-Team: German <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.es.po b/src/man/po/authselect.8.adoc.es.po
index 3d4ad340075ba970b2b56768fffb49567d16dcfa..b578e40a436b8ea242c4aba0e5149c09336162e2 100644
--- a/src/man/po/authselect.8.adoc.es.po
+++ b/src/man/po/authselect.8.adoc.es.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-11-26 20:01+0000\n"
"Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
"Language-Team: Spanish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.fa.po b/src/man/po/authselect.8.adoc.fa.po
index ae77afb38249e573ebeedd97b6ebddfc8f681d59..e4b24f2f91ea06ed6e83a50c4e6e35678f65dd80 100644
--- a/src/man/po/authselect.8.adoc.fa.po
+++ b/src/man/po/authselect.8.adoc.fa.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-05-28 19:20+0000\n"
"Last-Translator: Taha Mokhtary <taha490mokh@outlook.com>\n"
"Language-Team: Persian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.fi.po b/src/man/po/authselect.8.adoc.fi.po
index 8253cfd47b1b4ddb9d57283f887f1de6ad59b473..16aec3e6d69581b8875b5af4e426efc5cbc0ca5e 100644
--- a/src/man/po/authselect.8.adoc.fi.po
+++ b/src/man/po/authselect.8.adoc.fi.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-05-26 06:18+0000\n"
"Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
"Language-Team: Finnish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.fr.po b/src/man/po/authselect.8.adoc.fr.po
index d8a23e660ec33a5d59b3647ae4795375451e70a9..ffb86dc6e1f79205213f4c576ddea94858f00088 100644
--- a/src/man/po/authselect.8.adoc.fr.po
+++ b/src/man/po/authselect.8.adoc.fr.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-03-24 15:20+0000\n"
"Last-Translator: grimst <grimaitres@gmail.com>\n"
"Language-Team: French <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.hu.po b/src/man/po/authselect.8.adoc.hu.po
index cc9533c0b0b31a691c636bee3305a0d6dcd05f7b..e9afadedb912b8e1838ab0552e1fce292e5a972f 100644
--- a/src/man/po/authselect.8.adoc.hu.po
+++ b/src/man/po/authselect.8.adoc.hu.po
@@ -4,7 +4,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-05-12 16:21+0000\n"
"Last-Translator: Dankaházi (ifj.) István <dankahazi.istvan@gmail.com>\n"
"Language-Team: Hungarian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.it.po b/src/man/po/authselect.8.adoc.it.po
index ba4c7f28c8339e051f6ec1a671f5b36a241ed22c..f7be3a8f0316ad6ab3d85e0e844801e8709d4c23 100644
--- a/src/man/po/authselect.8.adoc.it.po
+++ b/src/man/po/authselect.8.adoc.it.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-06-09 21:18+0000\n"
"Last-Translator: Nathan <nathan95@live.it>\n"
"Language-Team: Italian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.ja.po b/src/man/po/authselect.8.adoc.ja.po
index a51b5e224fabe4481cad474e75428d0ebf3e6b8e..ef82bf20e14d8f34f81709ab5b591a5608577dfe 100644
--- a/src/man/po/authselect.8.adoc.ja.po
+++ b/src/man/po/authselect.8.adoc.ja.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-01-21 09:16+0000\n"
"Last-Translator: simmon <simmon@nplob.com>\n"
"Language-Team: Japanese <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.ko.po b/src/man/po/authselect.8.adoc.ko.po
index 1c5e72b3d83c651e892f957829a8a95f4e8a3de5..27d7ea56ccb60b2623245bb002b2aca1fceafe9c 100644
--- a/src/man/po/authselect.8.adoc.ko.po
+++ b/src/man/po/authselect.8.adoc.ko.po
@@ -9,7 +9,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-12-03 10:19+0000\n"
"Last-Translator: 김인수 <simmon@nplob.com>\n"
"Language-Team: Korean <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.nl.po b/src/man/po/authselect.8.adoc.nl.po
index 63237e8274e347f97bccf9cb10fbf2b9ed6a4d65..b26ffb2185f994f4305b59d59567a787cd2e4bfd 100644
--- a/src/man/po/authselect.8.adoc.nl.po
+++ b/src/man/po/authselect.8.adoc.nl.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-04-02 20:20+0000\n"
"Last-Translator: Maarten <maarten@posteo.de>\n"
"Language-Team: Dutch <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.pl.po b/src/man/po/authselect.8.adoc.pl.po
index b75ee13e702eef796f650c3a9da3b6c5b4e6fc0c..a7d6b42b39470b34672a543ae84f8cb0f0f0be05 100644
--- a/src/man/po/authselect.8.adoc.pl.po
+++ b/src/man/po/authselect.8.adoc.pl.po
@@ -9,7 +9,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-05-07 11:00+0000\n"
"Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
"Language-Team: Polish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.pt.po b/src/man/po/authselect.8.adoc.pt.po
index 6b70ebc6b96a6ff6a83c853090939a2c6fb9818c..d38eb472eaabaa1475aba0438e00b0a76eb6eb0c 100644
--- a/src/man/po/authselect.8.adoc.pt.po
+++ b/src/man/po/authselect.8.adoc.pt.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2020-05-27 14:40+0000\n"
"Last-Translator: Manuela Silva <mmsrs@sky.com>\n"
"Language-Team: Portuguese <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.pt_BR.po b/src/man/po/authselect.8.adoc.pt_BR.po
index b53c0991c3741bda2863f5741279da4f94ad9ac1..6793e2b4bb32ddc268a998de262c4e2ebbbbe60b 100644
--- a/src/man/po/authselect.8.adoc.pt_BR.po
+++ b/src/man/po/authselect.8.adoc.pt_BR.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2020-08-05 21:29+0000\n"
"Last-Translator: Fábio Rodrigues Ribeiro <farribeiro@gmail.com>\n"
"Language-Team: Portuguese (Brazil) <https://translate.fedoraproject.org/"
diff --git a/src/man/po/authselect.8.adoc.ru.po b/src/man/po/authselect.8.adoc.ru.po
index e3be9c2f74466768d302a7b572c611b66a8ce06c..e09ff934255b8159b96844698191edf49563c3b3 100644
--- a/src/man/po/authselect.8.adoc.ru.po
+++ b/src/man/po/authselect.8.adoc.ru.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-04-15 19:17+0000\n"
"Last-Translator: Igor Gorbounov <igor.gorbounov@gmail.com>\n"
"Language-Team: Russian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.si.po b/src/man/po/authselect.8.adoc.si.po
index 680dbc849fffac6aa36f6cd73bfa7e937495c184..73ee855f62defbe3c1b9f7dcbf0d52e64a57f2e3 100644
--- a/src/man/po/authselect.8.adoc.si.po
+++ b/src/man/po/authselect.8.adoc.si.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2021-08-18 19:04+0000\n"
"Last-Translator: Hela Basa <r45xveza@pm.me>\n"
"Language-Team: Sinhala <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.sv.po b/src/man/po/authselect.8.adoc.sv.po
index 09230620986f5e51d6fb3f448408cd358fa2f405..e02d689dfe45c91a5a9498b80628b179c2900141 100644
--- a/src/man/po/authselect.8.adoc.sv.po
+++ b/src/man/po/authselect.8.adoc.sv.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-02-04 22:20+0000\n"
"Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
"Language-Team: Swedish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.tr.po b/src/man/po/authselect.8.adoc.tr.po
index 6e07d847ebe1215f2447409a4a278569ce937665..9ae399bdd4834ff268be140ced000e8940a9bd47 100644
--- a/src/man/po/authselect.8.adoc.tr.po
+++ b/src/man/po/authselect.8.adoc.tr.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-12-03 10:19+0000\n"
"Last-Translator: Oğuz Ersen <oguz@ersen.moe>\n"
"Language-Team: Turkish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.uk.po b/src/man/po/authselect.8.adoc.uk.po
index 5f29b38d2c6134893285054e8ee53bf57c5afb4e..4ea4a570a0cc1aaa6c705fe29d39aaa2d58fab5f 100644
--- a/src/man/po/authselect.8.adoc.uk.po
+++ b/src/man/po/authselect.8.adoc.uk.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-12-03 10:19+0000\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.zh_CN.po b/src/man/po/authselect.8.adoc.zh_CN.po
index 914e9495d27dd96dc8642f2f8fd14cf423ec4b81..eda47df87c59010fe0cc3a970352257604e6b0a9 100644
--- a/src/man/po/authselect.8.adoc.zh_CN.po
+++ b/src/man/po/authselect.8.adoc.zh_CN.po
@@ -8,7 +8,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-12-04 03:43+0000\n"
"Last-Translator: Jingge Chen <mariocanfly@hotmail.com>\n"
"Language-Team: Chinese (Simplified) <https://translate.fedoraproject.org/"
@@ -141,9 +141,7 @@ msgstr ""
#: src/man/authselect.8.adoc:51
#, no-wrap
msgid "*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] [--backup=NAME]"
-msgstr ""
-"*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] "
-"[--backup=NAME]"
+msgstr "*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] [--backup=NAME]"
#. type: Plain text
#: src/man/authselect.8.adoc:54
@@ -254,8 +252,8 @@ msgid ""
"otherwise an error is returned."
msgstr ""
"重新应用当前选定的配置文件。如果配置文件模板已更新,该命令可用于重新生成当前"
-"系统配置,以便在系统上应用这些更改。只有当现有配置是有效的 authselect "
-"配置时,此命令才会重新应用更改,否则将返回错误信息。"
+"系统配置,以便在系统上应用这些更改。只有当现有配置是有效的 authselect 配置"
+"时,此命令才会重新应用更改,否则将返回错误信息。"
#. type: Plain text
#: src/man/authselect.8.adoc:91
@@ -308,8 +306,7 @@ msgid ""
"_Note:_ This will only list the features without any description. Please, read the profile documentation with *show* to see what the features do."
msgstr ""
"列出给定配置文件中的所有可用功能。\n"
-"_注意_这仅会列出所有功能但不提供任何描述。请使用 *show* "
-"阅读配置文件,了解这些功能。"
+"_注意_这仅会列出所有功能但不提供任何描述。请使用 *show* 阅读配置文件,了解这些功能。"
#. type: Labeled list
#: src/man/authselect.8.adoc:105
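Review bot: The rejoined msgstr keeps `_注意_` attached directly to the following text, whereas the msgid has `_Note:_ ` with a colon and a trailing space. Without a separator after the closing underscore the AsciiDoc emphasis may not render in the generated man page, and the colon is lost either way. Suggest `_注意：_` followed by the sentence, matching the structure of the source string.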
@@ -345,7 +342,8 @@ msgid ""
"Print information about currently selected profiles. If *--raw* option is "
"specified, the command will print raw parameters as they were passed to "
"*select* command instead of formatted output."
-msgstr "打印当前所选配置文件的信息。如果指定了 *--raw* 选项,命令将打印传给 *select* "
+msgstr ""
+"打印当前所选配置文件的信息。如果指定了 *--raw* 选项,命令将打印传给 *select* "
"命令的原始参数,而不是格式化输出。"
#. type: Labeled list
diff --git a/src/man/po/authselect.8.adoc.zh_TW.po b/src/man/po/authselect.8.adoc.zh_TW.po
index eb80dce79f25d5aba2c9806c869fdaf959fd4c93..80c3eed4a6ef2259540ca32335c9e1f4f623a25a 100644
--- a/src/man/po/authselect.8.adoc.zh_TW.po
+++ b/src/man/po/authselect.8.adoc.zh_TW.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2020-05-22 17:40+0000\n"
"Last-Translator: Yi-Jyun Pan <pan93412@gmail.com>\n"
"Language-Team: Chinese (Traditional) <https://translate.fedoraproject.org/"
--
2.42.0

@ -0,0 +1,177 @@
From 9321126e20898b23c19e168177d8a383a750fefb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 12:51:37 +0100
Subject: [PATCH 04/11] nis: install nis profile conditionally
NIS profile is installed only if --with-nis-profile configure flag is
given.
---
profiles/Makefile.am | 2 ++
rpm/authselect.spec.in | 37 +++++++++++++++++++----------
scripts/manpages-build.sh.in | 1 +
src/conf_macros.m4 | 10 ++++++++
src/man/authselect-migration.7.adoc | 7 ++++++
5 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
index bc437c158f6922afdba4ab261c73f31c93846118..61728cab77022ddc0bb35a3649a38123dc4987cf 100644
--- a/profiles/Makefile.am
+++ b/profiles/Makefile.am
@@ -15,6 +15,7 @@ dist_profile_local_DATA = \
$(top_srcdir)/profiles/local/dconf-locks \
$(NULL)
+if WITH_NIS_PROFILE
profile_nisdir = $(authselect_profile_dir)/nis
dist_profile_nis_DATA = \
$(top_srcdir)/profiles/nis/nsswitch.conf \
@@ -28,6 +29,7 @@ dist_profile_nis_DATA = \
$(top_srcdir)/profiles/nis/dconf-db \
$(top_srcdir)/profiles/nis/dconf-locks \
$(NULL)
+endif
profile_sssddir = $(authselect_profile_dir)/sssd
dist_profile_sssd_DATA = \
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1..350ca953632f21be861c1ee75f25f71d107ca1ee 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -12,6 +12,13 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
+# Disable NIS profile on RHEL
+%if 0%{?rhel}
+%global with_nis_profile 0
+%else
+%global with_nis_profile 1
+%endif
+
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
@@ -75,7 +82,11 @@ done
%build
autoreconf -if
-%configure
+%configure \
+%if %{with_nis_profile}
+ --with-nis-profile \
+%endif
+ %{nil}
%make_build
%check
@@ -123,7 +134,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/local/
-%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/local/dconf-db
@@ -136,16 +146,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/local/REQUIREMENTS
%{_datadir}/authselect/default/local/smartcard-auth
%{_datadir}/authselect/default/local/system-auth
-%{_datadir}/authselect/default/nis/dconf-db
-%{_datadir}/authselect/default/nis/dconf-locks
-%{_datadir}/authselect/default/nis/fingerprint-auth
-%{_datadir}/authselect/default/nis/nsswitch.conf
-%{_datadir}/authselect/default/nis/password-auth
-%{_datadir}/authselect/default/nis/postlogin
-%{_datadir}/authselect/default/nis/README
-%{_datadir}/authselect/default/nis/REQUIREMENTS
-%{_datadir}/authselect/default/nis/smartcard-auth
-%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
@@ -166,6 +166,19 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
+%if %{with_nis_profile}
+%dir %{_datadir}/authselect/default/nis/
+%{_datadir}/authselect/default/nis/dconf-db
+%{_datadir}/authselect/default/nis/dconf-locks
+%{_datadir}/authselect/default/nis/fingerprint-auth
+%{_datadir}/authselect/default/nis/nsswitch.conf
+%{_datadir}/authselect/default/nis/password-auth
+%{_datadir}/authselect/default/nis/postlogin
+%{_datadir}/authselect/default/nis/README
+%{_datadir}/authselect/default/nis/REQUIREMENTS
+%{_datadir}/authselect/default/nis/smartcard-auth
+%{_datadir}/authselect/default/nis/system-auth
+%endif
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
index 314bb2b2a0e4432632478230ab5ff5b3dce2943f..9e553f755a64717f854f3aba33c62140130ce18f 100755
--- a/scripts/manpages-build.sh.in
+++ b/scripts/manpages-build.sh.in
@@ -233,6 +233,7 @@ ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
+ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
manpages-translate
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 17c1629723066b0c4e354051366ce209428af6c1..9a81a6e194d16ecc0408e8631530cf7048fd9241 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -99,3 +99,13 @@ if test x"$with_user_nsswitch" = xyes; then
AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
AC_SUBST(BUILD_USER_NSSWITCH, 1)
fi
+
+AC_ARG_WITH([nis-profile],
+ [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
+ [], with_nis_profile=no
+)
+AM_CONDITIONAL([WITH_NIS_PROFILE], [test x$with_nis_profile = xyes])
+AC_SUBST(WITH_NIS_PROFILE, 0)
+if test x"$with_nis_profile" = xyes; then
+ AC_SUBST(WITH_NIS_PROFILE, 1)
+fi
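Review bot: any value other than `yes` (for example `--with-nis-profile=1`) silently falls through to "not installed", and the two tests in this hunk quote the variable differently: `test x$with_nis_profile = xyes` inside `AM_CONDITIONAL` versus `test x"$with_nis_profile" = xyes` a few lines later. Quote both the same way and consider rejecting unexpected values with an error so a packager's typo does not drop the profile unnoticed. `AC_HELP_STRING` is also the obsolete spelling of `AS_HELP_STRING`; it matches the surrounding file, so that part is a cleanup for later rather than a blocker.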
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..8cc58e60301925974fdb738c5b9a746749981df8 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -72,7 +72,12 @@ configuration file for required services.
|--enablesssd --enablesssdauth |sssd
|--enablekrb5 |sssd
|--enablewinbind --enablewinbindauth |winbind
+ifeval::[{WITH_NIS_PROFILE} == 1]
|--enablenis |nis
+endif::[]
+ifeval::[{WITH_NIS_PROFILE} != 1]
+|--enablenis |none
+endif::[]
|=========================================================
.Relation of authconfig options to authselect profile features
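Review bot: the `|--enablenis |none` row added for the `{WITH_NIS_PROFILE} != 1` case reads as though a profile named `none` exists. An administrator migrating from `authconfig --enablenis` on a build without the NIS profile gets no hint about what to do instead. Suggest wording the cell as "not available in this build" and adding one sentence below the table saying the NIS profile is only installed when authselect is configured with `--with-nis-profile`.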
@@ -199,6 +204,7 @@ will perform an initial setup which involves creating a Kerberos keytab and
running `adcli` to join the domain. It also makes changes to `smb.conf`. You
can then tune it up by modifying {sysconfdir}/samba/smb.conf.
+ifeval::[{WITH_NIS_PROFILE} == 1]
NIS
~~~
There are several places that needs to be configured in order to make
@@ -227,6 +233,7 @@ $ domainname mydomain
$ setsebool -P allow_ypbind 1
----
+endif::[]
PASSWORD QUALITY
~~~~~~~~~~~~~~~~
Authselect enables `pam_pwquality` module to enforce password quality
--
2.42.0

@ -0,0 +1,349 @@
From 923fd37712eae8d99d514708e35894b6ea056628 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 13:24:25 +0100
Subject: [PATCH 05/11] configure: drop user-nsswitch.conf support
user-nsswitch.conf support is now completely dropped, it can no
longer be enabled via configure flag
---
scripts/manpages-build.sh.in | 1 -
src/cli/main.c | 9 --
src/conf_macros.m4 | 10 --
src/lib/files/nsswitch.c | 156 -----------------------------
src/lib/paths.h | 3 -
src/man/authselect-profiles.5.adoc | 7 --
src/man/authselect.8.adoc | 61 -----------
7 files changed, 247 deletions(-)
diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
index 9e553f755a64717f854f3aba33c62140130ce18f..f4ac71e3a22723a52101bb9cbbadd79740515070 100755
--- a/scripts/manpages-build.sh.in
+++ b/scripts/manpages-build.sh.in
@@ -232,7 +232,6 @@ ATTR+=" -a AUTHSELECT_PAM_DIR=\"@AUTHSELECT_PAM_DIR@\""
ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
-ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
manpages-translate
diff --git a/src/cli/main.c b/src/cli/main.c
index 18486b50bc42f9937cc7294c3e5e2b32cafab5e0..fe06a5d8ababa58209690a97e84ae254b859cdc6 100644
--- a/src/cli/main.c
+++ b/src/cli/main.c
@@ -186,15 +186,6 @@ static errno_t activate(struct cli_cmdline *cmdline)
goto done;
}
-#ifdef BUILD_USER_NSSWITCH
- maps = authselect_profile_nsswitch_maps(profile, features);
- if (maps == NULL) {
- ERROR("Unable to obtain nsswitch maps!");
- ret = EFAULT;
- goto done;
- }
-#endif
-
if (backup || backup_name != NULL || (enforce && !nobackup)) {
ret = perform_backup(quiet, 1, backup_name);
if (ret != EOK) {
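Review bot: the removed block was where `maps` got its value in `activate()`, and the diffstat shows only these nine lines leaving `src/cli/main.c`, so the declaration of `maps` and any cleanup of it in the `done:` path are still in the function. If nothing else assigns it, please drop the variable and its cleanup in the same patch so the function does not keep a dead pointer that later readers have to reason about.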
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 9a81a6e194d16ecc0408e8631530cf7048fd9241..ae8fa0274e038e98115d000717487dbdbc04df4c 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -90,16 +90,6 @@ if test x"$with_compat" = xyes; then
fi
AM_CONDITIONAL([BUILD_COMPAT], [test x$with_compat = xyes])
-AC_ARG_WITH([user-nsswitch],
- [AC_HELP_STRING([--with-user-nsswitch], [Build with user nsswitch support [no]])],
- [], with_user_nsswitch=no
-)
-AC_SUBST(BUILD_USER_NSSWITCH, 0)
-if test x"$with_user_nsswitch" = xyes; then
- AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
- AC_SUBST(BUILD_USER_NSSWITCH, 1)
-fi
-
AC_ARG_WITH([nis-profile],
[AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
[], with_nis_profile=no
diff --git a/src/lib/files/nsswitch.c b/src/lib/files/nsswitch.c
index 9598ea5cc5d5e30678acd91354629a87fc727be9..0e35380a2603316483cd6bcfdc58742c25b6a2b1 100644
--- a/src/lib/files/nsswitch.c
+++ b/src/lib/files/nsswitch.c
@@ -87,160 +87,6 @@ done:
return ret;
}
-#ifdef BUILD_USER_NSSWITCH
-
-static errno_t
-authselect_nsswitch_delete_maps(char **maps,
- char *content)
-{
- char *match_string;
- const char *map_name;
- size_t map_len;
- size_t orig_len;
- regmatch_t m[RE_NSS_MATCHES];
- regex_t regex;
- errno_t ret;
- int reret;
- int i;
-
- if (string_is_empty(content)) {
- return EOK;
- }
-
- orig_len = strlen(content);
-
- reret = regcomp(&regex, RE_NSS, REG_EXTENDED | REG_NEWLINE);
- if (reret != REG_NOERROR) {
- ERROR("Unable to compile regular expression: regex error %d", reret);
- ret = EFAULT;
- goto done;
- }
-
- match_string = content;
- while ((reret = regexec(&regex, match_string, 2, m, 0)) == REG_NOERROR) {
- map_name = match_string + m[1].rm_so;
- map_len = m[1].rm_eo - m[1].rm_so;
- for (i = 0; maps[i] != NULL; i++) {
- if (strncmp(map_name, maps[i], map_len) == 0) {
- string_remove_line(content, match_string, m[1].rm_so);
- break;
- }
- }
-
- /* Since the whole line could have been removed, we have to find first
- * non-zero position. */
- match_string += m[0].rm_eo;
- while (*match_string == '\0' && match_string - content < orig_len) {
- match_string++;
- }
- }
-
- if (reret != REG_NOMATCH) {
- ERROR("Unable to search string: regex error %d", reret);
- ret = EFAULT;
- goto done;
- }
-
- string_replace_shake(content, orig_len);
-
- ret = EOK;
-
-done:
- regfree(&regex);
-
- return ret;
-}
-
-errno_t
-authselect_nsswitch_generate(const char *template,
- const char **features,
- char **_content)
-{
- static const char *preambule = \
- "# If you want to make changes to nsswitch.conf please modify\n"
- "# " PATH_USER_NSSWITCH " and run 'authselect apply-changes'.\n"
- "#\n"
- "# Note that your changes may not be applied as they may be\n"
- "# overwritten by selected profile. Maps set in the authselect\n"
- "# profile takes always precedence and overwrites the same maps\n"
- "# set in the user file. Only maps that are not set by the profile\n"
- "# are applied from the user file.\n"
- "#\n"
- "# For example, if the profile sets:\n"
- "# passwd: sss files\n"
- "# and " PATH_USER_NSSWITCH " contains:\n"
- "# passwd: files\n"
- "# hosts: files dns\n"
- "# the resulting generated nsswitch.conf will be:\n"
- "# passwd: sss files # from profile\n"
- "# hosts: files dns # from user file\n\n";
- char *user_content = NULL;
- char *generated = NULL;
- char *content = NULL;
- char **maps = NULL;
- errno_t ret;
-
- generated = template_generate(template, features);
- if (generated == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = textfile_read(PATH_USER_NSSWITCH, AUTHSELECT_FILE_SIZE_LIMIT,
- &user_content);
- switch (ret) {
- case EOK:
- ret = authselect_nsswitch_find_maps(generated, &maps);
- if (ret != EOK) {
- goto done;
- }
-
- ret = authselect_nsswitch_delete_maps(maps, user_content);
- if (ret != EOK) {
- goto done;
- }
-
- if (string_is_empty(user_content)) {
- content = format("%s%s", preambule, generated);
- break;
- }
-
- content = format("%s%s\n# Included from %s\n\n%s",
- preambule, generated, PATH_USER_NSSWITCH,
- user_content);
- break;
- case ENOENT:
- content = format("%s%s", preambule, generated);
- break;
- default:
- ERROR("Unable to read [%s] [%d]: %s", PATH_USER_NSSWITCH,
- ret, strerror(ret));
- goto done;
- }
-
- if (content == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- *_content = content;
-
- ret = EOK;
-
-done:
- if (ret != EOK) {
- ERROR("Unable to generate nsswitch.conf [%d]: %s", ret, strerror(ret));
- }
-
- free(user_content);
- free(generated);
- string_array_free(maps);
-
- return ret;
-}
-
-#else /* BUILD_USER_NSSWITCH */
-
errno_t
authselect_nsswitch_generate(const char *template,
const char **features,
@@ -257,5 +103,3 @@ authselect_nsswitch_generate(const char *template,
return EOK;
}
-
-#endif /* BUILD_USER_NSSWITCH */
diff --git a/src/lib/paths.h b/src/lib/paths.h
index ca30b784f8bc63150f46ef08a26ec2bc5bcb3d67..41e4534b2efd421be8b9fea3b1fa9ebc3a699749 100644
--- a/src/lib/paths.h
+++ b/src/lib/paths.h
@@ -53,9 +53,6 @@
#define PATH_DCONF_DB AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_DB
#define PATH_DCONF_LOCK AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_LOCK
-/* Path to files that can be modified by user. */
-#define PATH_USER_NSSWITCH AUTHSELECT_CONFIG_DIR "/user-nsswitch.conf"
-
/* Names of symbolic links that points to generated files. */
#define PATH_SYMLINK_SYSTEM AUTHSELECT_PAM_DIR "/" FILE_SYSTEM
#define PATH_SYMLINK_PASSWORD AUTHSELECT_PAM_DIR "/" FILE_PASSWORD
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
index 76a48fa25a13a7052eeac662d7f5f1b11f1f9493..648b7980cfaabeb02913650a35dfffa8e17b0aaa 100644
--- a/src/man/authselect-profiles.5.adoc
+++ b/src/man/authselect-profiles.5.adoc
@@ -53,14 +53,7 @@ done to the system.
the modules in the system-auth configuration file._
*nsswitch.conf*::
-ifeval::[{BUILD_USER_NSSWITCH} == 0]
Name Service Switch configuration file.
-endif::[]
-ifeval::[{BUILD_USER_NSSWITCH} == 1]
- Name Service Switch configuration file. Only maps relevant to the profile
- must be set. Maps that are not specified by the profile are included from
- {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf.
-endif::[]
*dconf-db*::
Changes to dconf database. The main uses case of this file is to set
diff --git a/src/man/authselect.8.adoc b/src/man/authselect.8.adoc
index 39758a6ca71e962ae942ce3608ac3bd0ffd3fabf..5d695cced0fbdc2cda78d61eb3f7b8d929cae692 100644
--- a/src/man/authselect.8.adoc
+++ b/src/man/authselect.8.adoc
@@ -261,67 +261,6 @@ These options are available with all commands.
the program execution but may indicate some undesired situations
(e.g. unexpected file in a profile directory).
-ifeval::[{BUILD_USER_NSSWITCH} == 1]
-NSSWITCH.CONF MANAGEMENT
-------------------------
-Authselect generates {AUTHSELECT_NSSWITCH_CONF} and does not allow any user
-changes to this file. Such changes are detected and authselect will refuse to
-write any system configuration unless a *--force* option is provided to
-the *select* command. This mechanism prevents authselect from overwriting
-anything that does not match any available profile.
-
-Any user changes to nsswitch maps must be done in file
-{AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf. When authselect generates
-new _nsswitch.conf_ it reads this file and combines it with configuration
-from selected profile. The profile configuration takes always precedence.
-In other words, profiles do not have to set all nsswitch maps but can set only
-those that are relevant to the profile. If a map is set within a profile,
-it always overwrites the same map from _user-nsswitch.conf_.
-
-.Example 1
-[subs="attributes"]
-----
-# "sssd" profile
-$ cat {AUTHSELECT_PROFILE_DIR}/sssd/nsswitch.conf
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-sudoers: files sss {include if "with-sudo"}
-
-$ cat {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf
-passwd: files sss
-group: files sss
-hosts: files dns myhostname
-sudoers: files
-
-$ authselect select sssd
-
-# passwd and group maps from user-nsswitch.conf are ignored
-$ cat {AUTHSELECT_NSSWITCH_CONF}
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-hosts: files dns myhostname
-sudoers: files
-
-$ authselect select sssd with-sudo
-
-# passwd, group and sudoers maps from user-nsswitch.conf are ignored
-$ cat {AUTHSELECT_NSSWITCH_CONF}
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-sudoers: files sss
-hosts: files dns myhostname
-----
-endif::[]
-
TROUBLESHOOTING
---------------
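Review bot: the NSSWITCH.CONF MANAGEMENT section is deleted without any replacement text, so a host that was built with `--with-user-nsswitch` and carries maps in `user-nsswitch.conf` (the `hosts:` line in the removed Example 1) gets no notice that those maps stop being merged into the generated file. Please add a short note to the migration or troubleshooting text, or have authselect warn when the file is still present, so the change in the effective `nsswitch.conf` is not silent.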
--
2.42.0

File diff suppressed because it is too large

@ -0,0 +1,46 @@
From 23936036c5b6cd51843a7f964998f5345877fa8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 13:34:31 +0100
Subject: [PATCH 07/11] ci: remove python checks
With the compat tool gone, there is no other python script.
---
.github/workflows/analyze.yml | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml
index 37682f068b586dc0e7ba34f1098f4009b88e7254..16b48b031519b81221de9248d65f076b2616b2f7 100644
--- a/.github/workflows/analyze.yml
+++ b/.github/workflows/analyze.yml
@@ -25,7 +25,7 @@ jobs:
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
- languages: cpp, python
+ languages: cpp
queries: +security-and-quality
- name: Autobuild
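Review bot: the context line `uses: github/codeql-action/init@v1` (and `analyze@v1` in the next hunk) references the action by a mutable major tag, and v1 of the CodeQL action has been deprecated by GitHub. Since the workflow is being edited here anyway, move to a maintained release and pin it to a full commit SHA so the code that runs in CI cannot change underneath the repository.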
@@ -33,19 +33,3 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
-
- flake8:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Install flake8
- run: |
- sudo apt update
- sudo apt install -y flake8
-
- - name: Execute flake8 on the repository
- run: flake8 --ignore=W503,E501 src/compat/authcompat.py.in.in .
--
2.42.0

File diff suppressed because it is too large

@ -0,0 +1,78 @@
From 8d8adbd35c741d9038588386414ccbddb99bd31d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 14 Dec 2023 14:16:11 +0100
Subject: [PATCH 09/11] profiles: merge groups records with [SUCCESS=merge]
Services such as systemd-homed would like to advertise users which are
part of system groups, such as "wheel". That only works if glibc's
[SUCCESS=merge] feature is used in nsswitch.conf, so that group records
from multiple sources are merged.
This is documented here:
https://www.freedesktop.org/software/systemd/man/latest/nss-systemd.html#Configuration%20in%20/etc/nsswitch.conf
This hence adds [SUCCESS=merge] expressions to all NSS modules listed in
the "groups" lines.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index c63692fc00c0815c5ba303ec5b48b6c9d7577df2..8582a955c8d03ea1d122a34cd273326d985bdcfb 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
-group: files {if "with-altfiles":altfiles }systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files
netgroup: files
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 685f92c326bc7767ee167a77b7ba782672bf801f..c033812facee9159c76e2d514ac652e4de2e0b6b 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
-group: files {if "with-altfiles":altfiles }nis systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
services: files nis
netgroup: files nis
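Review bot: with `files [SUCCESS=merge]` placed ahead of `nis` on the `group:` line, a group found in local files is now merged with the record of the same name from the NIS map, so the NIS server can add members to local groups such as `wheel`, the example the commit message itself gives. That is a change in who can grant group membership on the host and it is not mentioned in the profile README. Please document it there (the same applies to `sss` and `winbind` in the other hunks) so administrators who treat local files as authoritative for privileged groups know to review their directory's group maps.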
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 58844a62c8f52f8f25477a811b02a5e401120f30..9f194bc82cee52d4e12779def95afa2f794f66bf 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
-group: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
+group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files sss
netgroup: files sss
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index f0a97e42e084f94fddd329d4cb93d5b5d1da3360..1591ccb3ffa8bd10b8ff06a0620328e275d09241 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
-group: files {if "with-altfiles":altfiles }winbind systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files
netgroup: files
--
2.42.0

@ -0,0 +1,26 @@
From 565d8a76f1d6ec6c23cd38f7aa4812426e8cb460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 14:18:00 +0100
Subject: [PATCH 10/11] spec: use altfiles with success=merge on ostree systems
as well
---
rpm/authselect.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index 350ca953632f21be861c1ee75f25f71d107ca1ee..39c4ca66058e0749e6d3aea6e7ff76a7a06c4ecc 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -223,7 +223,7 @@ exit 0
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
- %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+ %__sed -ie 's/{if "with-altfiles":altfiles \[SUCCESS=merge\] }/altfiles [SUCCESS=merge] /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
done
fi
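Review bot: the new expression only matches `{if "with-altfiles":altfiles \[SUCCESS=merge\] }`, which is the form used on the `group:` lines, while the `passwd:` lines in the profile templates still read `{if "with-altfiles":altfiles }`. With the old expression gone, `passwd:` in the vendor profiles is no longer rewritten to use `altfiles` unconditionally on ostree systems. Keep both substitutions, for example as two `-e` expressions in the same call. Separately, GNU sed reads `-ie` as `-i` with backup suffix `e`, which leaves a `nsswitch.confe` file in each vendor profile directory; `-i -e` avoids that. The `&> /dev/null` on both commands also hides any failure of this scriptlet.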
--
2.42.0

@ -0,0 +1,72 @@
From 7b7889507928610b37b73641d28d5bbe3f763a4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 17:22:45 +0100
Subject: [PATCH 11/11] profiles: put myhostname before dns
To allow `hostname --fqdn` to work correctly. Putting myhostname early
prevents lookup of canonical hostname if only shortname is provided.
myhostname has been moved back and forth several times, it looks
like this place is now functional and works as expected.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index 8582a955c8d03ea1d122a34cd273326d985bdcfb..538926e4d5cc8c190a7b2d10fd3756ad3269a720 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files
netgroup: files
automount: files
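Review bot: nothing on the `hosts:` line records why `myhostname` now sits after `resolve [!UNAVAIL=return]` and before `dns`, and the commit message notes that this module has already been moved back and forth several times. Add a one-line comment above `hosts:` in each template stating the constraint (`hostname --fqdn` must resolve the canonical name when only the short name is given) so the next reordering does not undo it. In the nis profile `nis` is consulted before `myhostname`; please confirm that ordering is intended.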
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index c033812facee9159c76e2d514ac652e4de2e0b6b..488476e91879b549fe605008d500b1810360f3be 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
services: files nis
netgroup: files nis
automount: files nis
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9f194bc82cee52d4e12779def95afa2f794f66bf..b98094d9e0eaeb1559347b81a9505822ff713034 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files sss
netgroup: files sss
sudoers: files sss {include if "with-sudo"}
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index 1591ccb3ffa8bd10b8ff06a0620328e275d09241..cc966b34464bb28776b903d61fff1f6a94a1eb6f 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files
netgroup: files
automount: files
--
2.42.0

@ -0,0 +1,376 @@
From 054c83d1a40d5e0f98230d0f6ac34bd7ecdf383e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 15:49:09 +0100
Subject: [PATCH 1/3] rhel10: remove systemd-homed
systemd-homed is not present in rhel.
---
profiles/local/README | 3 ---
profiles/local/password-auth | 4 ----
profiles/local/system-auth | 4 ----
profiles/nis/README | 3 ---
profiles/nis/REQUIREMENTS | 3 ---
profiles/nis/password-auth | 4 ----
profiles/nis/system-auth | 4 ----
profiles/sssd/README | 3 ---
profiles/sssd/REQUIREMENTS | 3 ---
profiles/sssd/password-auth | 4 ----
profiles/sssd/system-auth | 4 ----
profiles/winbind/README | 3 ---
profiles/winbind/REQUIREMENTS | 3 ---
profiles/winbind/password-auth | 4 ----
profiles/winbind/system-auth | 4 ----
15 files changed, 53 deletions(-)
diff --git a/profiles/local/README b/profiles/local/README
index 03f602441fe95ee280b575508f20d1f1de949b25..eedb298090b5b7c068ee1dfec0ee36c8b3086af4 100644
--- a/profiles/local/README
+++ b/profiles/local/README
@@ -54,9 +54,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
with-libvirt::
Enable connecting to libvirt VMs using the hostname configured in the
guest OS or, as a fallback, their name.
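Review bot: the `with-systemd-homed::` entry is removed from the README and the matching `{include if "with-systemd-homed"}` lines are removed from the PAM templates, but nothing here covers a host whose currently selected feature list already contains `with-systemd-homed`. Please state in the commit message or the package changelog what `authselect apply-changes` does with that now-unknown feature on upgrade, and add a scriptlet or release note if it needs to be dropped from the saved selection.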
diff --git a/profiles/local/password-auth b/profiles/local/password-auth
index 13e10d93b1d43ade8c45c32c50c613f6cf2abcca..d50d7e1fefaf257b8ddcdd1610004ffca9d93634 100644
--- a/profiles/local/password-auth
+++ b/profiles/local/password-auth
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -24,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/local/system-auth b/profiles/local/system-auth
index 7f3c56adb2329dd4a08b1cb08b63e8d0d9b13c86..290cd24eb9c50f196d6fc68a3688f097f49159fe 100644
--- a/profiles/local/system-auth
+++ b/profiles/local/system-auth
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -25,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/README b/profiles/nis/README
index e3a1a0b986689bfd43d9531464bcd8fa7a0f5237..745138bbdb1e045db41990dcb8864477d3408e36 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -65,9 +65,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
index 3e32879eba37e1bd2692aa2852c87036bfa78ed5..d8fe0456ee2b351e98af374fc0206717e6994031 100644
--- a/profiles/nis/REQUIREMENTS
+++ b/profiles/nis/REQUIREMENTS
@@ -16,6 +16,3 @@ Make sure that NIS service is configured and enabled. See NIS documentation for
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 45af4792df9f661fe04e1060e32cc6c0aa38c7c4..927fbcbda8fa4e910e29c88a3806fb5265bbc7bc 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -24,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 0bd022ee2286f37a5becb0daba2a5813693300a9..40a1bf74aaf3d721c4d720938e57766bfe651e47 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -25,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d..a497da5dcffd0a03a122677c49ee2f8021927b04 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -106,9 +106,6 @@ with-gssapi::
with-subid::
Enable SSSD as a source of subid database in /etc/nsswitch.conf.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index 6aaf7c771f7c1bcbf2aee7152422acc9d53c71f5..b36f6069a54a5f711a10aa0700f33e1a8e37794e 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -25,6 +25,3 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
- with-tlog is selected, make sure that session recording is enabled in SSSD {include if "with-tlog"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 97c33b678706e7eeb86bf45251baa41739f2940f..f468507b938ea2a7ac305a65f5fdea14a1ae10f1 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -7,7 +7,6 @@ auth required pam_u2f.so cue {if not
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -16,14 +15,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -35,7 +32,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 90c3504a414f0a151475cc207285b230fec381b1..870e4d7024066e3e40786bde6c3c39c7ba8d62c0 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -12,7 +12,6 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
auth sufficient pam_sss_gss.so {include if "with-gssapi"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
@@ -23,14 +22,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -42,7 +39,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index f65870d1d03da6465ad446dac87ed141d7115d8b..8844e1da2003a0266dfe8937774d6d6f7dad0210 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -75,9 +75,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS
index 232f6ee986ac66c5fed972c91c17080e0740e5c7..31a37d74ca5a4c46415545b8f6e0f61e8ad3b433 100644
--- a/profiles/winbind/REQUIREMENTS
+++ b/profiles/winbind/REQUIREMENTS
@@ -16,6 +16,3 @@ Make sure that winbind service is configured and enabled. See winbind documentat
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 8d74149dd48643dbb4b80d62600d3ece0868ec30..8d1682b9301c2b9c92292a41120f69611f148108 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -4,7 +4,6 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -13,14 +12,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -31,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 2326c859284c5823c5a6d34390d794dbf33110d2..612143d10fe502d7f6ed636b4fba6cc639aa66b0 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -5,7 +5,6 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -14,14 +13,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -32,7 +29,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
--
2.42.0

@ -0,0 +1,250 @@
From 3167eaadde7a3f997925172b8d77cb380bf0d9d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 10 Jun 2019 10:53:15 +0200
Subject: [PATCH 2/3] rhel10: remove ecryptfs support
ecryptfs-utils is not present in rhel.
---
profiles/nis/README | 3 ---
profiles/nis/fingerprint-auth | 1 -
profiles/nis/password-auth | 1 -
profiles/nis/postlogin | 4 ----
profiles/nis/system-auth | 1 -
profiles/sssd/README | 3 ---
profiles/sssd/fingerprint-auth | 1 -
profiles/sssd/password-auth | 1 -
profiles/sssd/postlogin | 4 ----
profiles/sssd/smartcard-auth | 1 -
profiles/sssd/system-auth | 1 -
profiles/winbind/README | 3 ---
profiles/winbind/fingerprint-auth | 1 -
profiles/winbind/password-auth | 1 -
profiles/winbind/postlogin | 4 ----
profiles/winbind/system-auth | 1 -
src/man/authselect-migration.7.adoc | 5 ++---
17 files changed, 2 insertions(+), 34 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 745138bbdb1e045db41990dcb8864477d3408e36..3e2f8b01fa37f8c7060a9c263f66c3df9782061d 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -21,9 +21,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
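Review bot: the file list for this patch covers only profiles/nis, profiles/sssd and profiles/winbind, but the preceding patch shows `session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}` as a context line in both profiles/local/password-auth and profiles/local/system-auth. If ecryptfs-utils is not shipped, the local profile should lose that line (and any with-ecryptfs README entry) as well, or the commit message should say why it is kept there.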
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be2982bdf36cb 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -15,7 +15,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 927fbcbda8fa4e910e29c88a3806fb5265bbc7bc..56a51d9eebb2987da340805ddb4e4a6752ebdeb2 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -20,7 +20,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/nis/postlogin
+++ b/profiles/nis/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 40a1bf74aaf3d721c4d720938e57766bfe651e47..74cf6ece9ce0b1b64b122fd2309ebf5d496c4787 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -21,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index a497da5dcffd0a03a122677c49ee2f8021927b04..2038a32b682f36d9eef51fda138730abc9666279 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -35,9 +35,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-smartcard::
Enable authentication with smartcards through SSSD. Please note that
smartcard support must be also explicitly enabled within
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e5232126df55564 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -20,7 +20,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index f468507b938ea2a7ac305a65f5fdea14a1ae10f1..c15121ad00ff00dfcd1743341594c853ba734d9c 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -31,7 +31,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/sssd/postlogin
+++ b/profiles/sssd/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 78cb329bf332f4d629740a0fff7d2dfe43f7d78d..13d3ee71f4d02c4ede777be6337031fc67baaa63 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -18,7 +18,6 @@ account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
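Review bot: style point on the context line right after the removal: here it reads `session optional pam_systemd.so`, while the same line in every other session hunk of this patch reads `-session optional pam_systemd.so`. The leading `-` tells PAM not to log an error when the module is missing, so unless the difference is intended for smartcard-auth it is worth aligning in a follow-up.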
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 870e4d7024066e3e40786bde6c3c39c7ba8d62c0..4ea19acebe2208f9e21676bf0ae0a92e9a92b1f4 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -38,7 +38,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index 8844e1da2003a0266dfe8937774d6d6f7dad0210..7397bb9a6c8086b9720cc355d98de70b8107e79b 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -33,9 +33,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a41202d21fd67 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -19,7 +19,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 8d1682b9301c2b9c92292a41120f69611f148108..8b260fa06f5ed8494d1f6fac74517d3a54622693 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -27,7 +27,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/winbind/postlogin
+++ b/profiles/winbind/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 612143d10fe502d7f6ed636b4fba6cc639aa66b0..33aa13efb92405393236c3511ebb351facd916f0 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -28,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 8cc58e60301925974fdb738c5b9a746749981df8..9056913dee9eef1590c8590d3cc0b51005a98af3 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -85,7 +85,6 @@ endif::[]
|*Authconfig options* |*Authselect profile feature*
|--enablesmartcard |with-smartcard
|--enablefingerprint |with-fingerprint
-|--enableecryptfs |with-ecryptfs
|--enablemkhomedir |with-mkhomedir
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
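Review bot: missing documentation in the options table: the `|--enableecryptfs |with-ecryptfs` row is deleted outright, so someone migrating an authconfig command line that uses `--enableecryptfs` finds no entry for it at all. Consider keeping the row and marking it as having no authselect equivalent in this build, so the omission reads as deliberate.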
@@ -108,8 +107,8 @@ authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
-authconfig --enableecryptfs --enablepamaccess --updateall
-authselect select sssd with-ecryptfs with-pamaccess
+authconfig --enablepamaccess --updateall
+authselect select sssd with-pamaccess
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
--
2.42.0

@ -0,0 +1,68 @@
From b259ca399de497e0fc5e0763257e89bcc2e5a902 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 16:01:58 +0100
Subject: [PATCH 3/3] rhel10: remove systemd-resolved
systemd-resolved should not be enabled by default in rhel.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index 538926e4d5cc8c190a7b2d10fd3756ad3269a720..1ad4276566f775086fc091d8e1c35d4ac94a9786 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files
netgroup: files
automount: files
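Review bot: on the `hosts:` line, the removed `resolve [!UNAVAIL=return]` entry already falls through to `myhostname dns` when systemd-resolved is unavailable, so this change only alters lookups on hosts where the service is running. The removal is unconditional, with no `{if "..."}` feature to bring the entry back; either add one in the style of the mdns conditionals on the same line, or document in the profile README how administrators who do enable systemd-resolved get the entry back.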
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 488476e91879b549fe605008d500b1810360f3be..88110258a69e7366980944ec3ccd9c79c0a1b323 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis myhostname dns
services: files nis
netgroup: files nis
automount: files nis
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index b98094d9e0eaeb1559347b81a9505822ff713034..89a1f230487a18d12ff9c3862e3394035bf17cff 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files sss
netgroup: files sss
sudoers: files sss {include if "with-sudo"}
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index cc966b34464bb28776b903d61fff1f6a94a1eb6f..5315640e39f7c84b4c138f393fa3b5c970e4afa5 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files
netgroup: files
automount: files
--
2.42.0

@ -0,0 +1,484 @@
# Do not terminate build if language files are empty.
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.5.0
Release: 6%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPL-3.0-or-later
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
# Disable NIS profile on RHEL
%if 0%{?rhel}
%global with_nis_profile 0
%else
%global with_nis_profile 1
%endif
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
# Patches
Patch0001: 0001-sssd-reintroduce-with-files-access-provider.patch
Patch0002: 0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
Patch0003: 0003-po-update-translations.patch
Patch0004: 0004-nis-install-nis-profile-conditionally.patch
Patch0005: 0005-configure-drop-user-nsswitch.conf-support.patch
Patch0006: 0006-configure-drop-authconfig-compat-tool.patch
Patch0007: 0007-ci-remove-python-checks.patch
Patch0008: 0008-pot-update-pot-files.patch
Patch0009: 0009-profiles-merge-groups-records-with-SUCCESS-merge.patch
Patch0010: 0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch
Patch0011: 0011-profiles-put-myhostname-before-dns.patch
# RHEL-only patches
%if 0%{?rhel}
Patch0901: 0901-rhel10-remove-systemd-homed.patch
Patch0902: 0902-rhel10-remove-ecryptfs-support.patch
Patch0903: 0903-rhel10-remove-systemd-resolved.patch
%endif
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: findutils
BuildRequires: libtool
BuildRequires: m4
BuildRequires: gcc
BuildRequires: pkgconfig
BuildRequires: pkgconfig(popt)
BuildRequires: gettext-devel
BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
# Properly obsolete removed authselect-compat package.
Obsoletes: authselect-compat < 1.3
%description
Authselect is designed to be a replacement for authconfig but it takes
a different approach to configure the system. Instead of letting
the administrator build the PAM stack with a tool (which may potentially
end up with a broken configuration), it would ship several tested stacks
(profiles) that solve a use-case and are well tested and supported.
At the same time, some obsolete features of authconfig are not
supported by authselect.
%package libs
Summary: Utility library used by the authselect tool
# Required by scriptlets
Requires: coreutils
Requires: sed
Suggests: systemd
%description libs
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
%description devel
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
%prep
%setup -q
for p in %patches ; do
%__patch -p1 -i $p
done
%build
autoreconf -if
%configure \
%if %{with_nis_profile}
--with-nis-profile \
%endif
%{nil}
%make_build
%check
%make_build check
%install
%make_install
# Find translations
%find_lang %{name}
%find_lang %{name} %{name}.8.lang --with-man
%find_lang %{name}-migration %{name}-migration.7.lang --with-man
%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
# We want this file to contain only manual page translations
%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
# Remove .la and .a files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ldconfig_scriptlets libs
%files libs -f %{name}.lang -f %{name}-profiles.5.lang
%dir %{_sysconfdir}/authselect
%dir %{_sysconfdir}/authselect/custom
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/local/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/local/dconf-db
%{_datadir}/authselect/default/local/dconf-locks
%{_datadir}/authselect/default/local/fingerprint-auth
%{_datadir}/authselect/default/local/nsswitch.conf
%{_datadir}/authselect/default/local/password-auth
%{_datadir}/authselect/default/local/postlogin
%{_datadir}/authselect/default/local/README
%{_datadir}/authselect/default/local/REQUIREMENTS
%{_datadir}/authselect/default/local/smartcard-auth
%{_datadir}/authselect/default/local/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
%{_datadir}/authselect/default/sssd/nsswitch.conf
%{_datadir}/authselect/default/sssd/password-auth
%{_datadir}/authselect/default/sssd/postlogin
%{_datadir}/authselect/default/sssd/README
%{_datadir}/authselect/default/sssd/REQUIREMENTS
%{_datadir}/authselect/default/sssd/smartcard-auth
%{_datadir}/authselect/default/sssd/system-auth
%{_datadir}/authselect/default/winbind/dconf-db
%{_datadir}/authselect/default/winbind/dconf-locks
%{_datadir}/authselect/default/winbind/fingerprint-auth
%{_datadir}/authselect/default/winbind/nsswitch.conf
%{_datadir}/authselect/default/winbind/password-auth
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
%if %{with_nis_profile}
%dir %{_datadir}/authselect/default/nis/
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
%{_datadir}/authselect/default/nis/fingerprint-auth
%{_datadir}/authselect/default/nis/nsswitch.conf
%{_datadir}/authselect/default/nis/password-auth
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/smartcard-auth
%{_datadir}/authselect/default/nis/system-auth
%endif
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
%{_datadir}/doc/authselect/README.md
%license COPYING
%doc README.md
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
%{_mandir}/man7/authselect-migration.7*
%{_sysconfdir}/bash_completion.d/authselect-completion.sh
%preun
if [ $1 == 0 ] ; then
# Remove authselect symbolic links so all authselect files can be
# deleted safely. If this fail, the uninstallation must fail to avoid
# breaking the system by removing PAM files. However, the command can
# only fail if it can not write to the file system.
%{_bindir}/authselect opt-out
fi
%posttrans libs
# Keep nss-altfiles for all rpm-ostree based systems.
# See https://github.com/authselect/authselect/issues/48
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
%__sed -i -e 's/{if "with-altfiles":\([^}]\+\)}/\1/g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
done
fi
# If this is a new installation select the default configuration.
if [ $1 == 1 ] ; then
%{_bindir}/authselect select %{default_profile} --force --nobackup &> /dev/null
exit 0
fi
# Minimal profile was removed. Switch to local during upgrade.
%__sed -i '1 s/^minimal$/local/' %{_sysconfdir}/authselect/authselect.conf
for file in %{_sysconfdir}/authselect/custom/*/*; do
link=`%{_bindir}/readlink "$file"`
if [[ "$link" == %{_datadir}/authselect/default/minimal/* ]]; then
target=`%{_bindir}/basename "$link"`
%{_bindir}/ln -sfn "%{_datadir}/authselect/default/local/$target" "$file"
fi
done
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
exit 0
%changelog
* Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.5.0-6
- Rebuilt for MSVSphere 10
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.5.0-6
- Bump release for June 2024 mass rebuild
* Tue Feb 27 2024 Jonathan Lebon <jonathan@jlebon.com> - 1.5.0-5
- Fix altfiles rendering on OSTree variants
* Fri Feb 23 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-4
- Add back with-files-access-provider
- Remove outdated scriptlets
- Group merging added to nsswitch.conf group in all profiles
- myhostname is put right before dns module in nsswitch.conf hosts (rhbz#2257197)
- Internal packaging changes
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jan 18 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-1
- Rebase to 1.5.0
- "minimal" profile was removed and replaced with "local". (rhbz#2253180)
- "local" profile is now default (rhbz#2253180)
* Wed Sep 27 2023 Pavel Březina <pbrezina@redhat.com> - 1.4.3-1
- Rebase to 1.4.3
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Dec 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.2-1
- Rebase to 1.4.2
* Thu Dec 1 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.1-1
- Rebase to 1.4.1
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jul 8 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-2
- Fix issues with popt-1.19
* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-1
- Rebase to 1.3.0
* Thu Feb 10 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-10
- Fix mdns support (#2052269)
* Thu Feb 3 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-9
- Make authselect compatible with ostree (#2034360)
- Authselect now requires explicit opt-out if users don't want to use it (#2051545)
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-7
- Remove unnecessary dependencies (#2039869)
* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-6
- Fix detection of ostree system (#2034360)
* Tue Dec 28 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-5
- Try to use io.open() in pre scriptlet instead of rpm.open() (rpm >= 4.17.0)
* Tue Dec 21 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-4
- Use lua for pre scriptlets to reduce dependencies
* Fri Dec 10 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-3
- Update conflicting versions of glibc and pam
* Mon Dec 6 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-1
- Rebase to 1.3.0
- Authselect configuration is now enforced (#2000936)
* Sat Aug 14 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.4-2
- Add proper Obsoletes for removed authselect-compat package
Fixes: rhbz#1993189
* Mon Aug 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.4-1
- Rebase to 1.2.4
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.3-3
- Backport support for yescrypt hash method
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.2.3-2
- Rebuilt for Python 3.10
* Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-1
- Rebase to 1.2.3
* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-4
- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
Resolves: #1935331
* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
- Rebase to 1.2.2
- Add nss-altfiles to profiles on Fedora Silverblue
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 22 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-3
- Add resolved by default to nis and minimal profiles
- Fix parsing of multiple conditionals on the same line
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.2.1-2
- Rebuilt for Python 3.9
* Mon May 11 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-1
- Rebase to 1.2.1
* Wed Mar 4 2020 Pavel Březina <pbrezina@redhat.com> - 1.2-1
- Rebase to 1.2
* Mon Feb 17 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-7
- fix restoring non-authselect configuration from backup
* Wed Jan 29 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-6
- cli: fix auto backup when --force is set
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-4
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-3
- Rebuilt for Python 3.8
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 13 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-1
- Rebase to 1.1
* Tue Feb 26 2019 Pavel Březina <pbrezina@redhat.com> - 1.0.3-1
- Rebase to 1.0.3
* Tue Feb 26 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0.2-4
- Use %ghost for files owned by authselect
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-2
- Resolves rhbz#1655025 (invalid backup).
* Fri Nov 23 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-1
- Rebase to 1.0.2
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-2
- Require systemd instead of systemctl
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-1
- Rebase to 1.0.1
* Fri Sep 14 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
- Scriptlets should no produce any error messages (RHBZ #1622272)
- Provide fix for pwquality configuration (RHBZ #1618865)
* Thu Aug 30 2018 Adam Williamson <awilliam@redhat.com> - 1.0-2
- Backport PR #78 to fix broken pwquality config (RHBZ #1618865)
* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
- Rebase to 1.0
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.4-4
- Rebuilt for Python 3.7
* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
- Don't disable oddjobd.service (RHBZ #1571844)
* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
- rebasing to 0.4
* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
- rebasing to 0.3.2
- authselect-compat now only suggests packages, not recommends
* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
- rebasing to 0.3.1
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
- Provide authconfig
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets
* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
- rebasing to 0.3
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
- fix rpmlint errors
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
- rebasing to 0.2
* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
- initial packaging
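Review bot: In `%posttrans libs` the upgrade path ends with `%{_bindir}/authselect apply-changes &> /dev/null` followed by `exit 0`, which discards both the output and the exit status, so a validation failure or write error while regenerating the PAM and nsswitch files during an upgrade leaves no trace for the administrator. Suggest keeping `exit 0` so the transaction is not broken, but reporting a non-zero status from `apply-changes` on stderr or through the system log. Two smaller points in the same scriptlet: `%__sed -i '1 s/^minimal$/local/' %{_sysconfdir}/authselect/authselect.conf` runs without checking that the `%ghost` file exists and is the only command there without `&> /dev/null`, so it prints an error on systems that have no authselect.conf; and `for PROFILE in` over backquoted `ls` output with an unquoted `$PROFILE` is fragile, a glob over `%{_datadir}/authselect/default/*/` with quoting would be safer. In `%changelog`, the entry headed `1.4.0-1` reads "Rebase to 1.3.0", which looks like a typo for 1.4.0.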