sssd/sssd.spec

# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$

# Determine the location of the LDB modules directory
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)

%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})

Name: sssd
Version: 2.9.4
Release: 9
Summary: System Security Services Daemon
License: GPL-3.0-or-later
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/2.9.4/sssd-2.9.4.tar.gz

Patch0001: backport-CVE-2023-3758.patch
Patch0002: backport-UTILS-inotify-avoid-potential-NULL-deref.patch
Patch0003: backport-ad-refresh-root-domain-when-read-directly.patch
Patch0004: backport-RESPONDER-use-proper-context-for-getDomains.patch
Patch0005: backport-SSH-sanity-check-to-please-coverity.patch
Patch0006: backport-CLIENT-idmap-fix-coverity-warning.patch
Patch0007: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
Patch0008: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch

Requires: sssd-ad = %{version}-%{release}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-ipa = %{version}-%{release}
Requires: sssd-krb5 = %{version}-%{release}
Requires: sssd-ldap = %{version}-%{release}
Requires: sssd-proxy = %{version}-%{release}
Suggests: logrotate
Suggests: procps-ng
Suggests: python3-sssdconfig = %{version}-%{release}
Suggests: sssd-dbus = %{version}-%{release}
Obsoletes: python3-sssd < %{version}-%{release}

BuildRequires: libtool popt-devel
BuildRequires: libldb-devel
BuildRequires: libini_config-devel openldap-devel pam-devel
BuildRequires: libxslt docbook-style-xsl
BuildRequires: c-ares-devel python3-devel check-devel
BuildRequires: doxygen libsemanage-devel bind-utils
BuildRequires: gettext-devel glib2-devel
BuildRequires: systemd-devel
BuildRequires: cifs-utils-devel libnfsidmap-devel samba4-devel libsmbclient-devel samba-winbind
BuildRequires: systemtap-sdt-devel jansson-devel
BuildRequires: p11-kit-devel openssl-devel
BuildRequires: chrpath dbus-devel
BuildRequires: libcurl-devel libjose-devel keyutils-libs-devel krb5-devel
BuildRequires: pcre2-devel libunistring libunistring-devel 

%description
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable back end system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

The sssd subpackage is a meta-package that contains the daemon as well as all
the existing back ends.

%package common
Summary: Common files for the SSSD
License: GPL-3.0-or-later
Obsoletes: libsss_simpleifp < 2.9.2
Obsoletes: libsss_simpleifp-debuginfo < 2.9.2
Requires: libldb
Requires: sssd-client%{?_isa} = %{version}-%{release}
Requires: libsss_sudo = %{version}-%{release}
Requires: libsss_autofs%{?_isa} = %{version}-%{release}
Requires: sssd-nfs-idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
%{?systemd_requires}
Provides: libsss_sudo-devel = %{version}-%{release}
Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1

%description common
Common files for the SSSD. The common package includes all the files needed
to run a particular back end, however, the back ends are packaged in separate
subpackages such as sssd-ldap.

%package client
Summary: SSSD Client libraries for NSS and PAM
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires(post):  /usr/sbin/alternatives
Requires(preun): /usr/sbin/alternatives

%description client
Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
service.

%package -n libsss_sudo
Summary: A library to allow communication between SUDO and SSSD
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_sudo
A utility library to allow communication between SUDO and SSSD

%package -n libsss_autofs
Summary: A library to allow communication between Autofs and SSSD
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_autofs
A utility library to allow communication between Autofs and SSSD

%package tools
Summary: Userspace tools for use with the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
# for logger=journald support with sss_analyze
Requires: python3-systemd
Requires: sssd-dbus

%description tools
Provides several administrative tools:
    * sss_debuglevel to change the debug level on the fly
    * sss_seed which pre-creates a user entry for use in kickstarts
    * sss_obfuscate for generating an obfuscated LDAP password
    * sssctl -- an sssd status and control utility

%package -n python3-sssdconfig
Summary: SSSD and IPA configuration file manipulation classes and functions
License: GPL-3.0-or-later
BuildArch: noarch
%{?python_provide:%python_provide python3-sssdconfig}

%description -n python3-sssdconfig
Provides python3 files for manipulation SSSD and IPA configuration files.

%package -n python3-sss
Summary: Python3 bindings for sssd
License: LGPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%{?python_provide:%python_provide python3-sss}

%description -n python3-sss
Provides python3 bindings:
    * function for retrieving list of groups user belongs to
    * class for obfuscation of passwords

%package -n python3-sss-murmur
Summary: Python3 bindings for murmur hash function
License: LGPL-3.0-or-later
%{?python_provide:%python_provide python3-sss-murmur}

%description -n python3-sss-murmur
Provides python3 module for calculating the murmur hash version 3

%package ldap
Summary: The LDAP back end of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}

%description ldap
Provides the LDAP back end that the SSSD can utilize to fetch identity data
from and authenticate against an LDAP server.

%package krb5-common
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: sssd-common = %{version}-%{release}

%description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can use for
Kerberos user or host authentication.

%package krb5
Summary: The Kerberos authentication back end for the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}

%description krb5
Provides the Kerberos back end that the SSSD can utilize authenticate
against a Kerberos server.

%package common-pac
Summary: Common files needed for supporting PAC processing
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}

%description common-pac
Provides common files needed by SSSD providers such as IPA and Active Directory
for handling Kerberos PACs.

%package ipa
Summary: The IPA back end of the SSSD
License: GPL-3.0-or-later
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}

%description ipa
Provides the IPA back end that the SSSD can utilize to fetch identity data
from and authenticate against an IPA server.

%package ad
Summary: The AD back end of the SSSD
License: GPL-3.0-or-later
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Recommends: adcli
Suggests: sssd-winbind-idmap = %{version}-%{release}

%description ad
Provides the Active Directory back end that the SSSD can utilize to fetch
identity data from and authenticate against an Active Directory server.

%package proxy
Summary: The proxy back end of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}

%description proxy
Provides the proxy back end which can be used to wrap an existing NSS and/or
PAM modules to leverage SSSD caching.

%package -n libsss_idmap
Summary: FreeIPA Idmap library
License: LGPL-3.0-or-later

%description -n libsss_idmap
Utility library to convert SIDs to Unix uids and gids

%package -n libsss_idmap-devel
Summary: FreeIPA Idmap library
License: LGPL-3.0-or-later
Requires: libsss_idmap = %{version}-%{release}

%description -n libsss_idmap-devel
Utility library to SIDs to Unix uids and gids

%package -n libipa_hbac
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later

%description -n libipa_hbac
Utility library to validate FreeIPA HBAC rules for authorization requests

%package -n libipa_hbac-devel
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Requires: libipa_hbac = %{version}-%{release}

%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests

%package -n python3-libipa_hbac
Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
License: LGPL-3.0-or-later
Requires: libipa_hbac = %{version}-%{release}
%{?python_provide:%python_provide python3-libipa_hbac}

%description -n python3-libipa_hbac
The python3-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.

%package -n libsss_nss_idmap
Summary: Library for SID and certificate based lookups
License: LGPL-3.0-or-later

%description -n libsss_nss_idmap
Utility library for SID and certificate based lookups

%package -n libsss_nss_idmap-devel
Summary: Library for SID and certificate based lookups
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}

%description -n libsss_nss_idmap-devel
Utility library for SID and certificate based lookups

%package -n python3-libsss_nss_idmap
Summary: Python3 bindings for libsss_nss_idmap
License: LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
%{?python_provide:%python_provide python3-libsss_nss_idmap}

%description -n python3-libsss_nss_idmap
The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications.

%package dbus
Summary: The D-Bus responder of the SSSD
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%{?systemd_requires}

%description dbus
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
the information from the SSSD to be transmitted over the system bus.

%package winbind-idmap
Summary: SSSD's idmap_sss Backend for Winbind
License: GPL-3.0-or-later AND LGPL-3.0-or-later
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Conflicts: sssd-common < %{version}-%{release}

%description winbind-idmap
The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
and SIDs.

%package nfs-idmap
Summary: SSSD plug-in for NFSv4 rpc.idmapd
License: GPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description nfs-idmap
The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
UIDs/GIDs to names and vice versa. It can be also used for mapping principal
(user) name to IDs(UID or GID) or to obtain groups which user are member of.

%package -n libsss_certmap
Summary: SSSD Certificate Mapping Library
License: LGPL-3.0-or-later
Conflicts: sssd-common < %{version}-%{release}

%description -n libsss_certmap
Library to map certificates to users based on rules

%package -n libsss_certmap-devel
Summary: SSSD Certificate Mapping Library
License: LGPL-3.0-or-later
Requires: libsss_certmap = %{version}-%{release}

%description -n libsss_certmap-devel
Library to map certificates to users based on rules

%package kcm
Summary: An implementation of a Kerberos KCM server
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}
%{?systemd_requires}

%description kcm
An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache.

%package idp
Summary: Kerberos plugins and OIDC helper for external identity providers.
License: GPL-3.0-or-later
Requires: sssd-common = %{version}-%{release}

%description idp
This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided.

%package_help

%prep
%autosetup -p1

%build

autoreconf -ivf

%configure \
    --with-test-dir=/dev/shm \
    --with-db-path=%{_localstatedir}/lib/sss/db \
    --with-mcache-path=%{_localstatedir}/lib/sss/mc \
    --with-pipe-path=%{_localstatedir}/lib/sss/pipes \
    --with-pubconf-path=%{_localstatedir}/lib/sss/pubconf \
    --with-gpo-cache-path=%{_localstatedir}/lib/sss/gpo_cache \
    --with-init-dir=%{_initrddir} \
    --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
    --enable-nsslibdir=%{_libdir} \
    --enable-pammoddir=%{_libdir}/security \
    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
    --disable-static \
    --disable-rpath \
    --with-initscript=systemd \
    --with-syslog=journald \
    --with-crypto=libcrypto \
    --without-python2-bindings \
    --enable-sss-default-nss-plugin \
    %{?with_cifs_utils_plugin_option} \
    --enable-systemtap

%make_build all docs

%check
export CK_TIMEOUT_MULTIPLIER=10
make %{?_smp_mflags} check VERBOSE=yes
unset CK_TIMEOUT_MULTIPLIER

%install
# python-setuptools >= v60.0.0 changes the SETUPTOOLS_USE_DISTUTILS default value to local,
# it does't use Python's standard library distutils default.
# As a result, failed to build sssd.
# Now, set SETUPTOOLS_USE_DISTUTILS value to stdlib
export SETUPTOOLS_USE_DISTUTILS=stdlib

sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate

%make_install

# Prepare language files
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd

# install default sssd.conf file
install -m600 src/examples/sssd-example.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf

# Copy default logrotate file
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sssd

# Make sure SSSD is able to run on read-only root
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd

# Kerberos KCM credential cache by default
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache

# Enable krb5 idp plugins by default (when sssd-idp package is installed)
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp

# krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
   $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir

# Create directory for cifs-idmap alternative
# Otherwise this directory could not be owned by sssd-client
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils

# Remove .la files created by libtool
%delete_la

# Suppress developer-only documentation
#rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}

# Older versions of rpmbuild can only handle one -f option
# So we need to append to the sssd*.lang file
for file in `find $RPM_BUILD_ROOT/%{python3_sitelib} -maxdepth 1 -name "*.egg-info" 2> /dev/null`
do
    echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
done

touch sssd.lang
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
                  libsss_certmap sssd_kcm
do
    touch $subpackage.lang
done

chrpath -d $RPM_BUILD_ROOT%{python3_sitearch}/pysss.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_ad.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/gpo_child
chrpath -d $RPM_BUILD_ROOT%{_bindir}/sss_ssh_authorizedkeys
chrpath -d $RPM_BUILD_ROOT%{_bindir}/sss_ssh_knownhostsproxy
chrpath -d $RPM_BUILD_ROOT%{ldb_modulesdir}/memberof.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libifp_iface.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libifp_iface_sync.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_cert.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_child.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_crypt.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_iface.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_iface_sync.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_krb5_common.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_ldap_common.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_semanage.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_simple.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_util.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/p11_child
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sss_signal
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_autofs
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_be
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_check_socket_activated_responders
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_nss
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_pam
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_ssh
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_sudo
chrpath -d $RPM_BUILD_ROOT%{_sbindir}/sss_cache
chrpath -d $RPM_BUILD_ROOT%{_sbindir}/sssd
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_pac
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/sssd_ifp
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_ipa.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/selinux_child
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_krb5.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/krb5_child
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/ldap_child
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_ldap.so
chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_proxy.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/proxy_child
chrpath -d $RPM_BUILD_ROOT%{_sbindir}/sss_override
chrpath -d $RPM_BUILD_ROOT%{_sbindir}/sss_seed
chrpath -d $RPM_BUILD_ROOT%{_sbindir}/sssctl

mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d
echo "/usr/lib64/sssd" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf

for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
do
    lang=`echo $man | cut -c 1-2`
    case `basename $man` in
        sss_cache*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
        sss_ssh*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
        sss_rpcidmapd*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_nfs_idmap.lang
            ;;
        sss_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
            ;;
        sssctl*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
            ;;
        sssd_krb5_*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
            ;;
        pam_sss*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
            ;;
        sssd-ldap*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang
            ;;
        sssd-krb5*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_krb5.lang
            ;;
        sssd-ipa*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ipa.lang
            ;;
        sssd-ad*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ad.lang
            ;;
        sssd-proxy*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_proxy.lang
            ;;
        sssd-ifp*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
            ;;
        sssd-kcm*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
            ;;
        idmap_sss*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
            ;;
        sss-certmap*)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
            ;;
        *)
            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
            ;;
    esac
done

# Print these to the rpmbuild log
echo "sssd.lang:"
cat sssd.lang

echo "python3_sssdconfig.lang:"
cat python3_sssdconfig.lang

for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
                  sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
                  libsss_certmap sssd_kcm
do
    echo "$subpackage.lang:"
    cat $subpackage.lang
done

%files
%license COPYING

%files common -f sssd.lang
%license COPYING
%doc src/examples/sssd-example.conf
%{_sbindir}/sssd
%{_unitdir}/sssd.service
%{_unitdir}/sssd-autofs.socket
%{_unitdir}/sssd-autofs.service
%{_unitdir}/sssd-nss.socket
%{_unitdir}/sssd-nss.service
%{_unitdir}/sssd-pac.socket
%{_unitdir}/sssd-pac.service
%{_unitdir}/sssd-pam.socket
%{_unitdir}/sssd-pam-priv.socket
%{_unitdir}/sssd-pam.service
%{_unitdir}/sssd-ssh.socket
%{_unitdir}/sssd-ssh.service
%{_unitdir}/sssd-sudo.socket
%{_unitdir}/sssd-sudo.service

%dir %{_libexecdir}/sssd
%{_libexecdir}/sssd/sssd_be
%{_libexecdir}/sssd/sssd_nss
%{_libexecdir}/sssd/sssd_pam
%{_libexecdir}/sssd/sssd_autofs
%{_libexecdir}/sssd/sssd_ssh
%{_libexecdir}/sssd/sssd_sudo
%{_libexecdir}/sssd/p11_child
%{_libexecdir}/sssd/sssd_check_socket_activated_responders

%dir %{_libdir}/%{name}
%{_libdir}/%{name}/libsss_simple.so

%{_libdir}/%{name}/libsss_child.so
%{_libdir}/%{name}/libsss_crypt.so
%{_libdir}/%{name}/libsss_cert.so
%{_libdir}/%{name}/libsss_debug.so
%{_libdir}/%{name}/libsss_krb5_common.so
%{_libdir}/%{name}/libsss_ldap_common.so
%{_libdir}/%{name}/libsss_util.so
%{_libdir}/%{name}/libsss_semanage.so
%{_libdir}/%{name}/libifp_iface.so
%{_libdir}/%{name}/libifp_iface_sync.so
%{_libdir}/%{name}/libsss_iface.so
%{_libdir}/%{name}/libsss_iface_sync.so
%{_libdir}/%{name}/libsss_sbus.so
%{_libdir}/%{name}/libsss_sbus_sync.so

%{ldb_modulesdir}/memberof.so
%{_bindir}/sss_ssh_authorizedkeys
%{_bindir}/sss_ssh_knownhostsproxy
%{_sbindir}/sss_cache
%{_libexecdir}/sssd/sss_signal

%dir %{_localstatedir}/lib/sss
%dir %{_localstatedir}/cache/krb5rcache
%attr(700,root,root) %dir %{_localstatedir}/lib/sss/db
%attr(755,root,root) %dir %{_localstatedir}/lib/sss/mc
%attr(700,root,root) %dir %{_localstatedir}/lib/sss/secrets
%attr(751,root,root) %dir %{_localstatedir}/lib/sss/deskprofile
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{_localstatedir}/lib/sss/mc/passwd
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{_localstatedir}/lib/sss/mc/group
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{_localstatedir}/lib/sss/mc/initgroups
%attr(755,root,root) %dir %{_localstatedir}/lib/sss/pipes
%attr(700,root,root) %dir %{_localstatedir}/lib/sss/pipes/private
%attr(755,root,root) %dir %{_localstatedir}/lib/sss/pubconf
%attr(755,root,root) %dir %{_localstatedir}/lib/sss/gpo_cache
%attr(750,root,root) %dir %{_var}/log/%{name}
%attr(700,root,root) %dir %{_sysconfdir}/sssd
%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%config(noreplace) /etc/ld.so.conf.d/*
%dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd
%{_sysconfdir}/pam.d/sssd-shadowutils
%dir %{_libdir}/%{name}/conf
%{_libdir}/%{name}/conf/sssd.conf

%{_datadir}/sssd/cfg_rules.ini
%dir %{_datadir}/sssd/systemtap
%{_datadir}/sssd/systemtap/id_perf.stp
%{_datadir}/sssd/systemtap/nested_group_perf.stp
%{_datadir}/sssd/systemtap/dp_request.stp
%{_datadir}/sssd/systemtap/ldap_perf.stp
%dir %{_datadir}/systemtap
%dir %{_datadir}/systemtap/tapset
%{_datadir}/systemtap/tapset/sssd.stp
%{_datadir}/systemtap/tapset/sssd_functions.stp

%files ldap -f sssd_ldap.lang
%license COPYING
%{_libdir}/%{name}/libsss_ldap.so

%files krb5-common
%license COPYING
%attr(755,root,root) %dir %{_localstatedir}/lib/sss/pubconf/krb5.include.d
%{_libexecdir}/sssd/ldap_child
%{_libexecdir}/sssd/krb5_child

%files krb5 -f sssd_krb5.lang
%license COPYING
%{_libdir}/%{name}/libsss_krb5.so
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
%dir %{_datadir}/sssd/krb5-snippets
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir

%files common-pac
%license COPYING
%{_libexecdir}/sssd/sssd_pac

%files ipa -f sssd_ipa.lang
%license COPYING
%attr(700,root,root) %dir %{_localstatedir}/lib/sss/keytabs
%{_libdir}/%{name}/libsss_ipa.so
%{_libexecdir}/sssd/selinux_child

%files ad -f sssd_ad.lang
%license COPYING
%{_libdir}/%{name}/libsss_ad.so
%{_libexecdir}/sssd/gpo_child

%files proxy
%license COPYING
%{_libexecdir}/sssd/proxy_child
%{_libdir}/%{name}/libsss_proxy.so

%files dbus -f sssd_dbus.lang
%license COPYING
%{_libexecdir}/sssd/sssd_ifp
%{_unitdir}/sssd-ifp.service
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service

%files client -f sssd_client.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libnss_sss.so.2
%{_libdir}/security/pam_sss_gss.so
%{_libdir}/security/pam_sss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
%dir %{_libdir}/cifs-utils
%{_libdir}/cifs-utils/cifs_idmap_sss.so
%dir %{_sysconfdir}/cifs-utils
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so

%files -n libsss_sudo
%license src/sss_client/COPYING
%{_libdir}/libsss_sudo.so*

%files -n libsss_autofs
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/libsss_autofs.so

%files tools -f sssd_tools.lang
%license COPYING
%{_sbindir}/sss_obfuscate
%{_sbindir}/sss_override
%{_sbindir}/sss_debuglevel
%{_sbindir}/sss_seed
%{_sbindir}/sssctl
%{_libexecdir}/sssd/sss_analyze
%{python3_sitelib}/sssd/

%files -n python3-sssdconfig -f python3_sssdconfig.lang
%dir %{python3_sitelib}/SSSDConfig
%{python3_sitelib}/SSSDConfig/*.py*
%dir %{python3_sitelib}/SSSDConfig/__pycache__
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
%dir %{_datadir}/sssd
%{_datadir}/sssd/sssd.api.conf
%{_datadir}/sssd/sssd.api.d

%files -n python3-sss
%{python3_sitearch}/pysss.so

%files -n python3-sss-murmur
%{python3_sitearch}/pysss_murmur.so

%files -n libsss_idmap
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_idmap.so.*

%files -n libsss_idmap-devel
%doc idmap_doc/html
%{_includedir}/sss_idmap.h
%{_libdir}/libsss_idmap.so
%{_libdir}/pkgconfig/sss_idmap.pc

%files -n libipa_hbac
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libipa_hbac.so.*

%files -n libipa_hbac-devel
%doc hbac_doc/html
%{_includedir}/ipa_hbac.h
%{_libdir}/libipa_hbac.so
%{_libdir}/pkgconfig/ipa_hbac.pc

%files -n libsss_nss_idmap
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_nss_idmap.so.*

%files -n libsss_nss_idmap-devel
%doc nss_idmap_doc/html
%{_includedir}/sss_nss_idmap.h
%{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc

%files -n python3-libsss_nss_idmap
%{python3_sitearch}/pysss_nss_idmap.so

%files -n python3-libipa_hbac
%{python3_sitearch}/pyhbac.so

%files winbind-idmap -f sssd_winbind_idmap.lang
%dir %{_libdir}/samba/idmap
%{_libdir}/samba/idmap/sss.so

%files nfs-idmap -f sssd_nfs_idmap.lang
%{_libdir}/libnfsidmap/sss.so

%files -n libsss_certmap -f libsss_certmap.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_certmap.so.*

%files -n libsss_certmap-devel
%doc certmap_doc/html
%{_includedir}/sss_certmap.h
%{_libdir}/libsss_certmap.so
%{_libdir}/pkgconfig/sss_certmap.pc

%files kcm -f sssd_kcm.lang
%{_libexecdir}/sssd/sssd_kcm
%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
%dir %{_datadir}/sssd-kcm
%{_datadir}/sssd-kcm/kcm_default_ccache
%{_unitdir}/sssd-kcm.socket
%{_unitdir}/sssd-kcm.service

%files idp
%{_libexecdir}/sssd/oidc_child
%{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp

%files help
%doc %{_pkgdocdir}
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*

%post common
%systemd_post sssd.service
%systemd_post sssd-autofs.socket
%systemd_post sssd-nss.socket
%systemd_post sssd-pac.socket
%systemd_post sssd-pam.socket
%systemd_post sssd-pam-priv.socket
%systemd_post sssd-ssh.socket
%systemd_post sssd-sudo.socket

%preun common
%systemd_preun sssd.service
%systemd_preun sssd-autofs.socket
%systemd_preun sssd-nss.socket
%systemd_preun sssd-pac.socket
%systemd_preun sssd-pam.socket
%systemd_preun sssd-pam-priv.socket
%systemd_preun sssd-ssh.socket
%systemd_preun sssd-sudo.socket

%postun common
%systemd_postun_with_restart sssd-autofs.socket
%systemd_postun_with_restart sssd-nss.socket
%systemd_postun_with_restart sssd-pac.socket
%systemd_postun_with_restart sssd-pam.socket
%systemd_postun_with_restart sssd-pam-priv.socket
%systemd_postun_with_restart sssd-ssh.socket
%systemd_postun_with_restart sssd-sudo.socket

%systemd_postun sssd-autofs.service
%systemd_postun sssd-nss.service
%systemd_postun sssd-pac.service
%systemd_postun sssd-pam.service
%systemd_postun sssd-ssh.service
%systemd_postun sssd-sudo.service

%post dbus
%systemd_post sssd-ifp.service

%preun dbus
%systemd_preun sssd-ifp.service

%postun dbus
%systemd_postun_with_restart sssd-ifp.service

%post kcm
%systemd_post sssd-kcm.socket

%preun kcm
%systemd_preun sssd-kcm.socket

%postun kcm
%systemd_postun_with_restart sssd-kcm.socket
%systemd_postun_with_restart sssd-kcm.service

%post client
/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20

%preun client
if [ $1 -eq 0 ] ; then
        /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
fi

%posttrans common
%systemd_postun_with_restart sssd.service

%changelog
* Wed Oct 30 2024 xuraoqing <xuraoqing@huawei.com> - 2.9.4-9
- option --enable-files-domain in configure has been removed

* Fri Oct 25 2024 fangxiuning <fangxiuning@huawei.com> - 2.9.4-8
- backport patches to fix bugs

* Sun Sep 29 2024 fangxiuning <fangxiuning@huawei.com> - 2.9.4-7
- backport patches to fix bugs

* Tue Jun 18 2024 wangjiang <wangjiang37@h-partners.com> - 2.9.4-6
- backport upstream patches

* Tue May 21 2024 wangqingsan <wangqingsan@huawei.com> - 2.9.4-5
- redefine chrpath_delete macro to delete runpath/rpath

* Sat May 11 2024 wangcheng <wangcheng156@huawei.com> - 2.9.4-4
- Modify the dependencies of the sssd-common subpackage

* Thu Apr 25 2024 liweigang <liweiganga@uniontech.com> - 2.9.4-3
- fix CVE-2023-3758

* Thu Feb 29 2024 chendexi <chendexi@kylinos.cn> - 2.9.4-2
- unpack for sssd

* Mon Feb 5 2024 wangcheng <wangcheng156@huawei.com> - 2.9.4-1
- upgrade to 2.9.4
  fix some important bugs
  feature: remove the oldest expired credential to free some space
  new configuration option local_auth_policy is added

* Thu Aug 10 2023 wangcheng <wangcheng156@huawei.com> - 2.9.1-2
- fix build fail

* Wed Jul 19 2023 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2.9.1-1
- update to 2.9.1

* Tue Mar 28 2023 jiangjixiang <jiangjixiang@kylinos.cn> - 2.8.2-5
- fix pid wrapping in sss_cli_check_socket

* Wed Mar 08 2023 zhouchenchen123 <zhouchenchen@huawei.com> - 2.8.2-4
- fix coredump in sssd.service

* Tue Mar 07 2023 zhouchenchen123 <zhouchenchen@huawei.com> - 2.8.2-3
- move oidc_child rpath build

* Wed Feb 22 2023 zhouchenchen <zhouchenchen@huawei.com> - 2.8.2-2
- add buildrequires dbus-devel

* Fri Feb 3 2023 zhouchenchen <zhouchenchen@huawei.com> - 2.8.2-1
- update version to 2.8.2

* Mon Sep 26 2022 zhujianwei001 <zhujianwei7@huawei.com> - 2.6.1-4
- delete brken link

* Tue Sep 20 2022 zhouchenchen <zhouchenchen@huawei.com> - 2.6.1-3
- add version check in Obsoletes to avoid warning messages

* Wed Jul 27 2022 zhouchenchen <zhouchenchen@huawei.com> - 2.6.1-2
- fix the sssd build failure issue

* Wed Dec 29 2021 panxiaohe <panxiaohe@huawei.com> - 2.6.1-1
- update version to 2.6.1

* Tue Aug 31 2021 fuanan <fuanan3@huawei.com> - 2.5.1-3
- Type:CVE
- ID:CVE-2021-3621
- SUG:NA
- DESC:fix CVE-2021-3621

* Tue Aug 24 2021 chenyanpanHW <chenyanpan@huawei.com> - 2.5.1-2
- DESC: remove unnesseary BuildRequires

* Tue Jul 6 2021 zoulin <zoulin13@huawei.com> - 2.5.1-1
- update version to 2.5.1;
- do not use systemd to restart services with RefuseManualStart=true

* Thu Oct 29 2020 panxiaohe <panxiaohe@huawei.com> - 2.2.3-4
- remove subpackage python2-sssd

* Sat Sep 19 2020 Liquor <lirui130@huawei.com> - 2.2.3-3
- install default sssd.conf file

* Sat Aug 1 2020 Liquor <lirui130@huawei.com> - 2.2.3-2
- Fix build failure against samba 4.12.5

* Sat Jul 25 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 2.2.3-1
- update version to 2.2.3

* Tue May 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.2.2-4
- accept krb5 1.18 for building the PAC plugin

* Thu Feb 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.2.2-3
- rebuild for libldb

* Thu Oct 10 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.2.2-2
- add LGPLv3+ and COPYING for main mackage

* Tue Aug 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.2.2-1
- Package init