-rw-r--r--.SRCINFO79
-rw-r--r--0001-platform-add-Arch-Linux-platform.patch205
-rw-r--r--0002-dogtag-vault-do-not-import-pki-in-makeapi.patch39
-rw-r--r--0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch29
-rw-r--r--PKGBUILD168
-rw-r--r--archlinux.patch376
-rw-r--r--freeipa-client.install4
-rwxr-xr-xsss-auth-setup.py338
8 files changed, 454 insertions, 784 deletions
diff --git a/.SRCINFO b/.SRCINFO
index de610b774cee..6b79d9f263fe 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = freeipa
pkgdesc = The Identity, Policy and Audit system
- pkgver = 4.2.3
+ pkgver = 4.4.0
pkgrel = 1
url = http://www.freeipa.org/
arch = i686
@@ -18,13 +18,12 @@ pkgbase = freeipa
makedepends = python2
makedepends = python2-ldap
makedepends = python2-setuptools
- makedepends = python2-krbv
makedepends = python2-nss
- makedepends = python2-cryptography
+ makedepends = python2-cryptography>=0.9
makedepends = python2-netaddr
- makedepends = python2-kerberos>=1.1
- makedepends = sssd>=1.13.1
+ makedepends = python2-gssapi>=1.1.2
makedepends = python2-memcached
+ makedepends = sssd>=1.14.0
makedepends = python2-lxml
makedepends = python2-pyasn1>=0.0.9a
makedepends = python2-qrcode
@@ -32,21 +31,28 @@ pkgbase = freeipa
makedepends = systemd
makedepends = libunistring
makedepends = python2-yubico>=1.2.3
- source = http://freeipa.org/downloads/src/freeipa-4.2.3.tar.gz
- source = sss-auth-setup.py
- source = archlinux.patch
- sha256sums = 7b0e5cb834c6ca36bfe464ec4c6a226e44ce1948edd74b7c4344f43e75d9a133
- sha256sums = 012a11cdc42e0eb072eec3dd988fa910964f355ec2ae6b67ead373ad69e84e3e
- sha256sums = 3e237f89fe2d806cdc2e4694233d0e01e01996aa41036dd520b99cb6dae71eed
+ makedepends = python2-six
+ makedepends = ding-libs>=0.5.0
+ makedepends = python2-dbus
+ makedepends = python2-netifaces
+ source = http://freeipa.org/downloads/src/freeipa-4.4.0.tar.gz
+ source = 0001-platform-add-Arch-Linux-platform.patch
+ source = 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
+ source = 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch
+ sha256sums = 5d846bbeb5bfe9121bd8e472385552a9ded5868d2d44e94cbe0ad9191a439b49
+ sha256sums = de0de8d251fd93254518228d4aa82a01ec1bdce7741289a41de9ec694176ebe7
+ sha256sums = 7cebbb95f71abe30f9f206129968341553ff688a4ce3c0bbf3ddb8219b2a799e
+ sha256sums = 5bb4e6ed7aa6d28ad1e8db93fb0f0a85c366bd6be3b2346891346de6ba33baee
-pkgname = freeipa-python
+pkgname = python2-ipalib
pkgdesc = Python libraries used by IPA
- depends = python2-kerberos>=1.1
+ arch = any
+ depends = freeipa-common=4.4.0-1
+ depends = python2-gssapi>=1.1.2
depends = gnupg
- depends = iproute2
depends = keyutils
depends = python2-nss>=0.16
- depends = python2-cryptography
+ depends = python2-cryptography>=0.9
depends = python2-lxml
depends = python2-netaddr
depends = sssd
@@ -54,36 +60,63 @@ pkgname = freeipa-python
depends = python2-pyasn1
depends = python2-dateutil
depends = python2-yubico>=1.2.3
- depends = wget
depends = python2-dbus
depends = python2-setuptools
+ depends = python2-six
+ depends = python2-ldap>=2.4.15
+ depends = python2-dnspython>=1.11.1
+ depends = python2-netifaces>=0.10.4
+ depends = python2-pyusb
+ provides = python2-ipapython=4.4.0-1
+ provides = python2-ipaplatform=4.4.0-1
+ conflicts = freeipa-python
+ replaces = freeipa-python
+
+pkgname = python2-ipaclient
+ pkgdesc = Python libraries used by IPA client
+ arch = any
+ depends = freeipa-client-common=4.4.0-1
+ depends = freeipa-common=4.4.0-1
+ depends = python2-ipalib=4.4.0-1
+ depends = python2-dnspython>=1.11.1
+
+pkgname = freeipa-common
+ pkgdesc = Common files used by IPA
+ arch = any
+ conflicts = freeipa-python
+ replaces = freeipa-python
+
+pkgname = freeipa-client-common
+ pkgdesc = Common files used by IPA client
+ arch = any
pkgname = freeipa-client
pkgdesc = IPA authentication for use on clients
install = freeipa-client.install
- depends = freeipa-python=4.2.3-1
+ depends = freeipa-client-common=4.4.0-1
+ depends = freeipa-common=4.4.0-1
+ depends = python2-ipaclient=4.4.0-1
depends = python2-ldap
depends = cyrus-sasl-gssapi
depends = ntp
depends = krb5
+ depends = authconfig
depends = pam-krb5
depends = curl>=7.21.7
depends = xmlrpc-c>=1.27.4
- depends = sssd>=1.13.1
+ depends = sssd>=1.14.0
depends = certmonger>=0.78
depends = nss
depends = bind-tools
depends = oddjob
- depends = python2-krbv
- depends = python2-dnspython>=1.11.1
+ depends = python2-gssapi>=1.1.2
depends = autofs
depends = nfsidmap
depends = nfs-utils
pkgname = freeipa-admintools
pkgdesc = IPA administrative tools
- depends = freeipa-python=4.2.3-1
- depends = freeipa-client=4.2.3-1
- depends = python2-krbv
+ arch = any
+ depends = python2-ipaclient=4.4.0-1
depends = python2-ldap
diff --git a/0001-platform-add-Arch-Linux-platform.patch b/0001-platform-add-Arch-Linux-platform.patch
new file mode 100644
index 000000000000..167445accbe9
--- /dev/null
+++ b/0001-platform-add-Arch-Linux-platform.patch
@@ -0,0 +1,205 @@
+From 466e2dde63b1247902de1bbfa28628f4b875c61e Mon Sep 17 00:00:00 2001
+From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
+Date: Wed, 16 Apr 2014 19:31:08 -0400
+Subject: [PATCH 1/3] platform: add Arch Linux platform
+
+This patch has been adapted from the patches provided with freeipa package
+in the Arch User Repository (AUR).
+
+Signed-off-by: Jan Cholasta <jcholast@redhat.com>
+---
+ client/man/ipa-client-automount.1 | 4 ++--
+ client/man/ipa-client-install.1 | 4 ++--
+ ipaplatform/archlinux/__init__.py | 3 +++
+ ipaplatform/archlinux/constants.py | 12 ++++++++++++
+ ipaplatform/archlinux/paths.py | 22 ++++++++++++++++++++++
+ ipaplatform/archlinux/services.py | 38 ++++++++++++++++++++++++++++++++++++++
+ ipaplatform/archlinux/tasks.py | 16 ++++++++++++++++
+ ipaplatform/setup.py.in | 1 +
+ 8 files changed, 96 insertions(+), 4 deletions(-)
+ create mode 100644 ipaplatform/archlinux/__init__.py
+ create mode 100644 ipaplatform/archlinux/constants.py
+ create mode 100644 ipaplatform/archlinux/paths.py
+ create mode 100644 ipaplatform/archlinux/services.py
+ create mode 100644 ipaplatform/archlinux/tasks.py
+
+diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1
+index 5b60503..16ccbea 100644
+--- a/client/man/ipa-client-automount.1
++++ b/client/man/ipa-client-automount.1
+@@ -29,7 +29,7 @@ The automount configuration consists of three files:
+ .IP o
+ /etc/nsswitch.conf
+ .IP o
+-/etc/sysconfig/autofs
++/etc/conf.d/autofs
+ .IP o
+ /etc/autofs_ldap_auth.conf
+
+@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default):
+ .TP
+ Files that will be configured when using the ldap automount client:
+
+-/etc/sysconfig/autofs
++/etc/conf.d/autofs
+
+ /etc/autofs_ldap_auth.conf
+
+diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
+index 7f490d1..5f0c379 100644
+--- a/client/man/ipa-client-install.1
++++ b/client/man/ipa-client-install.1
+@@ -257,7 +257,7 @@ Files replaced if NTP is enabled:
+
+ /etc/ntp.conf
+ .br
+-/etc/sysconfig/ntpd
++/etc/conf.d/ntpd.conf
+ .br
+ /etc/ntp/step\-tickers
+ .TP
+@@ -279,7 +279,7 @@ Files updated, existing content is maintained:
+ .br
+ /etc/krb5.keytab
+ .br
+-/etc/sysconfig/network
++/etc/hostname
+ .SH "EXIT STATUS"
+ 0 if the installation was successful
+
+diff --git a/ipaplatform/archlinux/__init__.py b/ipaplatform/archlinux/__init__.py
+new file mode 100644
+index 0000000..9da42e7
+--- /dev/null
++++ b/ipaplatform/archlinux/__init__.py
+@@ -0,0 +1,3 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
+diff --git a/ipaplatform/archlinux/constants.py b/ipaplatform/archlinux/constants.py
+new file mode 100644
+index 0000000..148abd8
+--- /dev/null
++++ b/ipaplatform/archlinux/constants.py
+@@ -0,0 +1,12 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++from ipaplatform.redhat.constants import RedHatConstantsNamespace
++
++
++class ArchLinuxConstantsNamespace(RedHatConstantsNamespace):
++ pass
++
++
++constants = ArchLinuxConstantsNamespace()
+diff --git a/ipaplatform/archlinux/paths.py b/ipaplatform/archlinux/paths.py
+new file mode 100644
+index 0000000..a7b8ea7
+--- /dev/null
++++ b/ipaplatform/archlinux/paths.py
+@@ -0,0 +1,22 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++from ipaplatform.redhat.paths import RedHatPathNamespace
++
++
++class ArchLinuxPathNamespace(RedHatPathNamespace):
++ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs/autofs_ldap_auth.conf"
++ CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
++ SYSCONFIG_NFS = "/etc/conf.d/nfs-common.conf"
++ SYSCONFIG_NTPD = "/etc/conf.d/ntpd.conf"
++ SYSCONFIG_AUTOFS = "/etc/default/autofs"
++ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = (
++ "/usr/lib/certmonger/certmonger/dogtag-ipa-ca-renew-agent-submit")
++ DOGTAG_IPA_RENEW_AGENT_SUBMIT = (
++ "/usr/lib/certmonger/certmonger/dogtag-ipa-renew-agent-submit")
++ IPA_SERVER_GUARD = "/usr/lib/certmonger/certmonger/ipa-server-guard"
++ LIB64_FIREFOX = "/usr/lib/firefox"
++
++
++paths = ArchLinuxPathNamespace()
+diff --git a/ipaplatform/archlinux/services.py b/ipaplatform/archlinux/services.py
+new file mode 100644
+index 0000000..c0fb6fb
+--- /dev/null
++++ b/ipaplatform/archlinux/services.py
+@@ -0,0 +1,38 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++from ipaplatform.redhat.services import (RedHatService,
++ redhat_service_class_factory,
++ RedHatServices,
++ RedHatSSHService,
++ redhat_system_units,
++ timedate_services)
++
++archlinux_system_units = dict(redhat_system_units)
++archlinux_system_units['messagebus'] = 'dbus.service'
++archlinux_system_units['rpcgssd'] = 'rpc-gssd.service'
++archlinux_system_units['rpcidmapd'] = 'rpc-idmapd.service'
++
++
++class ArchLinuxService(RedHatService):
++ system_units = archlinux_system_units
++
++
++class ArchLinuxSSHService(ArchLinuxService, RedHatSSHService):
++ pass
++
++
++def archlinux_service_class_factory(name):
++ if name == 'sshd':
++ return ArchLinuxSSHService(name)
++ return ArchLinuxService(name)
++
++
++class ArchLinuxServices(RedHatServices):
++ def service_class_factory(self, name):
++ return archlinux_service_class_factory(name)
++
++
++service = archlinux_service_class_factory
++knownservices = ArchLinuxServices()
+diff --git a/ipaplatform/archlinux/tasks.py b/ipaplatform/archlinux/tasks.py
+new file mode 100644
+index 0000000..cae3245
+--- /dev/null
++++ b/ipaplatform/archlinux/tasks.py
+@@ -0,0 +1,16 @@
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++from ipaplatform.archlinux.paths import paths
++from ipaplatform.redhat.tasks import RedHatTaskNamespace
++
++
++class ArchLinuxTaskNamespace(RedHatTaskNamespace):
++ def restore_network_configuration(self, fstore, statestore):
++ filepath = paths.ETC_HOSTNAME
++ if fstore.has_file(filepath):
++ fstore.restore_file(filepath)
++
++
++tasks = ArchLinuxTaskNamespace()
+diff --git a/ipaplatform/setup.py.in b/ipaplatform/setup.py.in
+index 11bb757..2d355fc 100644
+--- a/ipaplatform/setup.py.in
++++ b/ipaplatform/setup.py.in
+@@ -65,6 +65,7 @@ def setup_package():
+ classifiers=[line for line in CLASSIFIERS.split('\n') if line],
+ package_dir = {'ipaplatform': ''},
+ packages = ["ipaplatform",
++ "ipaplatform.archlinux",
+ "ipaplatform.base",
+ "ipaplatform.fedora",
+ "ipaplatform.redhat",
+--
+2.7.4
+
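Review bot: In the new ipaplatform/archlinux/services.py carried by this patch, `redhat_service_class_factory` is imported but never referenced in the module, and `timedate_services` is likewise unused locally; the latter is presumably a deliberate re-export for ipaplatform.services, which is worth saying so the next reader does not delete it. I would drop the first name from the import and annotate the second, e.g. `timedate_services)  # re-exported for ipaplatform.services`. The rest of the module (the sshd special case in `archlinux_service_class_factory`, the `system_units` override) reads fine.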
diff --git a/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch b/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
new file mode 100644
index 000000000000..67f6fb8a6e9e
--- /dev/null
+++ b/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
@@ -0,0 +1,39 @@
+From 4efe2cba72d317a03abad3869532d97e1f0259a6 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 2 Aug 2016 12:56:44 +0200
+Subject: [PATCH 2/3] dogtag, vault: do not import `pki` in makeapi
+
+---
+ ipaserver/plugins/dogtag.py | 2 +-
+ ipaserver/plugins/vault.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
+index aef1e88..53c3270 100644
+--- a/ipaserver/plugins/dogtag.py
++++ b/ipaserver/plugins/dogtag.py
+@@ -253,7 +253,7 @@ import ipapython.cookie
+ from ipapython import dogtag
+ from ipapython import ipautil
+
+-if api.env.in_server:
++if not api.env.validate_api:
+ import pki
+ from pki.client import PKIConnection
+ import pki.crypto as cryptoutil
+diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
+index c9b7cb9..52cbf17 100644
+--- a/ipaserver/plugins/vault.py
++++ b/ipaserver/plugins/vault.py
+@@ -35,7 +35,7 @@ from ipalib import _, ngettext
+ from ipapython import kerberos
+ from ipapython.dn import DN
+
+-if api.env.in_server:
++if not api.env.validate_api:
+ import pki.account
+ import pki.key
+
+--
+2.7.4
+
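Review bot: The new condition in the dogtag.py hunk replaces the `api.env.in_server` guard instead of extending it, so `pki` is now imported in every context except API validation; since the old guard evidently did not skip the import under makeapi, makeapi presumably runs with in_server set, and keeping both guards — `if api.env.in_server and not api.env.validate_api:` — fixes makeapi without adding a hard `pki` dependency to any non-server context that might import this module (whether such a context exists is not visible here). The same applies to the vault.py hunk in this patch.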
diff --git a/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch b/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch
new file mode 100644
index 000000000000..3377bb665e39
--- /dev/null
+++ b/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch
@@ -0,0 +1,29 @@
+From 124251f2d4bb915d69ef9e11e61494a27ef5b370 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 2 Aug 2016 13:49:36 +0200
+Subject: [PATCH 3/3] client install: do not assume /etc/krb5.conf.d exists
+
+---
+ client/ipa-client-install | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/client/ipa-client-install b/client/ipa-client-install
+index cee202f..12c6153 100755
+--- a/client/ipa-client-install
++++ b/client/ipa-client-install
+@@ -1066,8 +1066,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
+ krbconf.setIndent((""," "," "))
+
+ opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
+- {'name':'empty', 'type':'empty'},
+- {'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '}]
++ {'name':'empty', 'type':'empty'}]
++
++ if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
++ opts.append({'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '})
+
+ # SSSD include dir
+ if options.sssd:
+--
+2.7.4
+
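Review bot: `os.path.exists(paths.COMMON_KRB5_CONF_DIR)` is also true for a regular file at that path, while krb5's `includedir` needs a directory; `os.path.isdir` states the intent exactly: `if os.path.isdir(paths.COMMON_KRB5_CONF_DIR):`. A one-line comment above the check that the includedir is skipped rather than created, so a directory added later is only picked up when the client is reconfigured, would save the next reader a question. The enclosing `configure_krb5_conf` starts and ends outside the hunk.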
diff --git a/PKGBUILD b/PKGBUILD
index 3b14b1422f30..4f79bb8c449e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,8 +2,13 @@
# Contributor: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
pkgbase=freeipa
-pkgname=(freeipa-python freeipa-client freeipa-admintools)
-pkgver=4.2.3
+pkgname=(python2-ipalib
+ python2-ipaclient
+ freeipa-common
+ freeipa-client-common
+ freeipa-client
+ freeipa-admintools)
+pkgver=4.4.0
pkgrel=1
pkgdesc='The Identity, Policy and Audit system'
arch=('i686' 'x86_64')
@@ -21,33 +26,40 @@ makedepends=('nspr'
'python2'
'python2-ldap'
'python2-setuptools'
- 'python2-krbv'
'python2-nss'
- 'python2-cryptography'
+ 'python2-cryptography>=0.9'
'python2-netaddr'
- 'python2-kerberos>=1.1'
- 'sssd>=1.13.1'
+ 'python2-gssapi>=1.1.2'
'python2-memcached'
+ 'sssd>=1.14.0'
'python2-lxml'
'python2-pyasn1>=0.0.9a'
'python2-qrcode'
'python2-dnspython>=1.11.1'
'systemd'
'libunistring'
- 'python2-yubico>=1.2.3')
+ 'python2-yubico>=1.2.3'
+ 'python2-six'
+ 'ding-libs>=0.5.0'
+ 'python2-dbus'
+ 'python2-netifaces')
source=("http://freeipa.org/downloads/src/freeipa-$pkgver.tar.gz"
- sss-auth-setup.py
- archlinux.patch)
-sha256sums=('7b0e5cb834c6ca36bfe464ec4c6a226e44ce1948edd74b7c4344f43e75d9a133'
- '012a11cdc42e0eb072eec3dd988fa910964f355ec2ae6b67ead373ad69e84e3e'
- '3e237f89fe2d806cdc2e4694233d0e01e01996aa41036dd520b99cb6dae71eed')
+ 0001-platform-add-Arch-Linux-platform.patch
+ 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
+ 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch)
+sha256sums=('5d846bbeb5bfe9121bd8e472385552a9ded5868d2d44e94cbe0ad9191a439b49'
+ 'de0de8d251fd93254518228d4aa82a01ec1bdce7741289a41de9ec694176ebe7'
+ '7cebbb95f71abe30f9f206129968341553ff688a4ce3c0bbf3ddb8219b2a799e'
+ '5bb4e6ed7aa6d28ad1e8db93fb0f0a85c366bd6be3b2346891346de6ba33baee')
prepare() {
cd "${pkgbase}-${pkgver}"
rm -rf ipaplatform/archlinux
- patch -p1 <"$srcdir"/archlinux.patch
+ patch -p1 <"$srcdir"/0001-platform-add-Arch-Linux-platform.patch
+ patch -p1 <"$srcdir"/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch
+ patch -p1 <"$srcdir"/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch
}
build() {
@@ -67,30 +79,35 @@ build() {
rm -f ipaplatform/paths.py
rm -f ipaplatform/constants.py
make version-update
- cd ipa-client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin; cd ..
+ cd client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin; cd ..
make IPA_VERSION_IS_GIT_SNAPSHOT=no client
make client-install DESTDIR="$PWD"/_install
+ # Switch shebang of /usr/bin/ipa
+ # XXX: ipa cli is not stable enough for enabling py3 support, keep it in py2
+ # in any case
+ sed -i -e'1s/python\(3\|$\)/python2/' _install/usr/bin/ipa
+
mkdir -p _install/usr/share/ipa
mkdir -p _install/etc/ipa/
mkdir -p _install/etc/ipa/nssdb
- mkdir -p _install/etc/ipa/dnssec
mkdir -p _install/var/lib/ipa-client/sysrestore
mkdir -p _install/etc/bash_completion.d
install -pm 644 contrib/completion/ipa.bash_completion _install/etc/bash_completion.d/ipa
}
-package_freeipa-python() {
+package_python2-ipalib() {
pkgdesc='Python libraries used by IPA'
- depends=('python2-kerberos>=1.1'
+ arch=('any')
+ depends=("freeipa-common=$pkgver-$pkgrel"
+ 'python2-gssapi>=1.1.2'
'gnupg'
- 'iproute2'
'keyutils'
'python2-nss>=0.16'
- 'python2-cryptography'
+ 'python2-cryptography>=0.9'
'python2-lxml'
'python2-netaddr'
'sssd'
@@ -98,9 +115,17 @@ package_freeipa-python() {
'python2-pyasn1'
'python2-dateutil'
'python2-yubico>=1.2.3'
- 'wget'
'python2-dbus'
- 'python2-setuptools')
+ 'python2-setuptools'
+ 'python2-six'
+ 'python2-ldap>=2.4.15'
+ 'python2-dnspython>=1.11.1'
+ 'python2-netifaces>=0.10.4'
+ 'python2-pyusb')
+ provides=("python2-ipapython=$pkgver-$pkgrel"
+ "python2-ipaplatform=$pkgver-$pkgrel")
+ conflicts=('freeipa-python')
+ replaces=('freeipa-python')
cd "${pkgbase}-${pkgver}"
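Review bot: The shebang rewrite `sed -i -e'1s/python\(3\|$\)/python2/' _install/usr/bin/ipa` matches only `python3` or a bare `python` at end of line, so a shebang of the form `#!/usr/bin/python -E` (interpreter followed by flags) would be left pointing at the default interpreter; whether upstream's script carries flags is not visible here. A pattern that stops at end of line or the next blank, `1s/python3\?\($\|[[:space:]]\)/python2\1/`, covers both shapes. Since `sed -i` succeeds silently when nothing matches, following it with `grep -q '^#!.*python2' _install/usr/bin/ipa` would make a future upstream shebang change fail the build instead of shipping a script that runs under the wrong Python. The `build()` function starts outside the hunk.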
@@ -108,43 +133,103 @@ package_freeipa-python() {
Contributors.txt
local _file
- for _file in _install/usr/share/locale/*/*/ipa.mo \
- _install/usr/lib/python2.*/site-packages/ipapython \
+ for _file in _install/usr/lib/python2.*/site-packages/ipapython \
_install/usr/lib/python2.*/site-packages/ipalib \
_install/usr/lib/python2.*/site-packages/ipaplatform \
- _install/usr/lib/python2.*/site-packages/default_encoding_utf8.so \
- _install/usr/lib/python2.*/site-packages/_ipap11helper.so \
_install/usr/lib/python2.*/site-packages/ipapython-*.egg-info \
- _install/usr/lib/python2.*/site-packages/freeipa-*.egg-info \
- _install/usr/lib/python2.*/site-packages/ipaplatform-*.egg-info \
- _install/usr/lib/python2.*/site-packages/python_default_encoding-*.egg-info \
- _install/usr/lib/python2.*/site-packages/_ipap11helper-*.egg-info \
- _install/etc/ipa/nssdb \
- _install/etc/ipa/dnssec
+ _install/usr/lib/python2.*/site-packages/ipalib-*.egg-info \
+ _install/usr/lib/python2.*/site-packages/ipaplatform-*.egg-info
+ do
+ _file="${_file#_install/}"
+ mkdir -p "$pkgdir"/"${_file%/*}"
+ mv _install/"$_file" "$pkgdir"/"$_file"
+ done
+}
+
+package_python2-ipaclient() {
+ pkgdesc='Python libraries used by IPA client'
+ arch=('any')
+ depends=("freeipa-client-common=$pkgver-$pkgrel"
+ "freeipa-common=$pkgver-$pkgrel"
+ "python2-ipalib=$pkgver-$pkgrel"
+ 'python2-dnspython>=1.11.1')
+
+ cd "${pkgbase}-${pkgver}"
+
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ Contributors.txt
+
+ local _file
+ for _file in _install/usr/lib/python2.*/site-packages/ipaclient \
+ _install/usr/lib/python2.*/site-packages/ipaclient-*.egg-info
+ do
+ _file="${_file#_install/}"
+ mkdir -p "$pkgdir"/"${_file%/*}"
+ mv _install/"$_file" "$pkgdir"/"$_file"
+ done
+}
+
+package_freeipa-common() {
+ pkgdesc='Common files used by IPA'
+ arch=('any')
+ conflicts=('freeipa-python')
+ replaces=('freeipa-python')
+
+ cd "${pkgbase}-${pkgver}"
+
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ Contributors.txt
+
+ local _file
+ for _file in _install/usr/share/locale/*/*/ipa.mo
+ do
+ _file="${_file#_install/}"
+ mkdir -p "$pkgdir"/"${_file%/*}"
+ mv _install/"$_file" "$pkgdir"/"$_file"
+ done
+}
+
+package_freeipa-client-common() {
+ pkgdesc='Common files used by IPA client'
+ arch=('any')
+
+ cd "${pkgbase}-${pkgver}"
+
+ install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \
+ Contributors.txt
+
+ local _file
+ for _file in _install/etc/ipa/nssdb \
+ _install/usr/share/ipa \
+ _install/var/lib/ipa-client/sysrestore \
+ _install/usr/share/man/man5/default.conf.5.gz
do
_file="${_file#_install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
mv _install/"$_file" "$pkgdir"/"$_file"
done
+
}
package_freeipa-client() {
pkgdesc='IPA authentication for use on clients'
- depends=("freeipa-python=$pkgver-$pkgrel"
+ depends=("freeipa-client-common=$pkgver-$pkgrel"
+ "freeipa-common=$pkgver-$pkgrel"
+ "python2-ipaclient=$pkgver-$pkgrel"
'python2-ldap'
'cyrus-sasl-gssapi'
'ntp'
'krb5'
+ 'authconfig'
'pam-krb5'
'curl>=7.21.7'
'xmlrpc-c>=1.27.4'
- 'sssd>=1.13.1'
+ 'sssd>=1.14.0'
'certmonger>=0.78'
'nss'
'bind-tools'
'oddjob'
- 'python2-krbv'
- 'python2-dnspython>=1.11.1'
+ 'python2-gssapi>=1.1.2'
'autofs'
'nfsidmap'
'nfs-utils')
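Review bot: The four new `package_*` functions in this hunk each repeat the same four-line move loop (`_file="${_file#_install/}"`, `mkdir -p`, `mv`), which is the kind of duplication that drifts when one copy is fixed; a small helper taking the paths as arguments keeps one copy and lets each package function list only its files. The glob arguments expand at the call site exactly as they do in the `for` lists today, so behaviour is unchanged, and the stray blank line before the closing brace of `package_freeipa-client-common` disappears with it. The `package_python2-ipalib` body at the top of the hunk starts outside it.
```shell
# Move the given build-tree paths (under _install/) into $pkgdir, creating parent dirs.
_move_to_pkgdir() {
    local _file
    for _file in "$@"; do
        _file="${_file#_install/}"
        mkdir -p "$pkgdir"/"${_file%/*}"
        mv _install/"$_file" "$pkgdir"/"$_file"
    done
}

package_python2-ipaclient() {
    # … unchanged: pkgdesc, arch, depends, cd, doc install …
    _move_to_pkgdir _install/usr/lib/python2.*/site-packages/ipaclient \
                    _install/usr/lib/python2.*/site-packages/ipaclient-*.egg-info
}
```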
@@ -162,30 +247,23 @@ package_freeipa-client() {
_install/usr/bin/ipa-getkeytab \
_install/usr/bin/ipa-rmkeytab \
_install/usr/bin/ipa-join \
- _install/usr/share/ipa \
- _install/var/lib/ipa-client/sysrestore \
- _install/usr/lib/python2.*/site-packages/ipaclient \
_install/usr/share/man/man1/ipa-getkeytab.1.gz \
_install/usr/share/man/man1/ipa-rmkeytab.1.gz \
_install/usr/share/man/man1/ipa-client-install.1.gz \
_install/usr/share/man/man1/ipa-client-automount.1.gz \
_install/usr/share/man/man1/ipa-certupdate.1.gz \
- _install/usr/share/man/man1/ipa-join.1.gz \
- _install/usr/share/man/man5/default.conf.5.gz
+ _install/usr/share/man/man1/ipa-join.1.gz
do
_file="${_file#_install/}"
mkdir -p "$pkgdir"/"${_file%/*}"
mv _install/"$_file" "$pkgdir"/"$_file"
done
-
- install -Dm755 "$srcdir"/sss-auth-setup.py "$pkgdir"/usr/bin/sss-auth-setup
}
package_freeipa-admintools() {
pkgdesc="IPA administrative tools"
- depends=("freeipa-python=$pkgver-$pkgrel"
- "freeipa-client=$pkgver-$pkgrel"
- 'python2-krbv'
+ arch=('any')
+ depends=("python2-ipaclient=$pkgver-$pkgrel"
'python2-ldap')
cd "${pkgbase}-${pkgver}"
diff --git a/archlinux.patch b/archlinux.patch
deleted file mode 100644
index 5035bf3a90c0..000000000000
--- a/archlinux.patch
+++ /dev/null
@@ -1,376 +0,0 @@
-From 4578e73df81f2edc0e2d1dc6799be54ae4ed6971 Mon Sep 17 00:00:00 2001
-From: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
-Date: Wed, 16 Apr 2014 19:31:08 -0400
-Subject: [PATCH] Add Arch Linux Platform
-
-This patch has been adapted from the patches and sss-auth-setup.py script
-provided with freeipa in AUR.
-
-Signed-off-by: Jan Cholasta <jcholast@redhat.com>
----
- ipa-client/ipa-install/ipa-client-install | 32 -------------------------------
- ipa-client/ipaclient/ipa_certupdate.py | 12 ------------
- ipa-client/ipaclient/ntpconf.py | 6 +++---
- ipa-client/man/ipa-client-automount.1 | 4 ++--
- ipa-client/man/ipa-client-install.1 | 5 ++---
- ipaplatform/archlinux/__init__.py | 3 +++
- ipaplatform/archlinux/authconfig.py | 22 +++++++++++++++++++++
- ipaplatform/archlinux/constants.py | 12 ++++++++++++
- ipaplatform/archlinux/paths.py | 21 ++++++++++++++++++++
- ipaplatform/archlinux/services.py | 29 ++++++++++++++++++++++++++++
- ipaplatform/archlinux/tasks.py | 16 ++++++++++++++++
- ipaplatform/setup.py.in | 1 +
- ipapython/certmonger.py | 12 +++---------
- 13 files changed, 114 insertions(+), 61 deletions(-)
- create mode 100644 ipaplatform/archlinux/__init__.py
- create mode 100644 ipaplatform/archlinux/authconfig.py
- create mode 100644 ipaplatform/archlinux/constants.py
- create mode 100644 ipaplatform/archlinux/paths.py
- create mode 100644 ipaplatform/archlinux/services.py
- create mode 100644 ipaplatform/archlinux/tasks.py
-
-diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
-index 789ff59..1d57245 100755
---- a/ipa-client/ipa-install/ipa-client-install
-+++ b/ipa-client/ipa-install/ipa-client-install
-@@ -536,7 +536,6 @@ def uninstall(options, env):
- hostname = socket.getfqdn()
-
- ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-
- cmonger = services.knownservices.certmonger
- if ipa_db.has_nickname('Local IPA host'):
-@@ -547,15 +546,6 @@ def uninstall(options, env):
- root_logger.error("%s failed to stop tracking certificate: %s",
- cmonger.service_name, e)
-
-- client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
-- if sys_db.has_nickname(client_nss_nickname):
-- try:
-- certmonger.stop_tracking(paths.NSS_DB_DIR,
-- nickname=client_nss_nickname)
-- except RuntimeError, e:
-- root_logger.error("%s failed to stop tracking certificate: %s",
-- cmonger.service_name, e)
--
- # Remove our host cert and CA cert
- try:
- ipa_certs = ipa_db.list_certs()
-@@ -570,15 +560,6 @@ def uninstall(options, env):
- os.path.join(ipa_db.secdir, 'pwdfile.txt')):
- remove_file(filename)
-
-- for nickname, trust_flags in ipa_certs:
-- while sys_db.has_nickname(nickname):
-- try:
-- sys_db.delete_cert(nickname)
-- except Exception, e:
-- root_logger.error("Failed to remove %s from %s: %s",
-- nickname, sys_db.secdir, e)
-- break
--
- # Remove any special principal names we added to the IPA CA helper
- certmonger.remove_principal_from_cas()
-
-@@ -2883,19 +2864,6 @@ def install(options, env, fstore, statestore):
- # Add the CA certificates to the platform-dependant systemwide CA store
- tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
-
-- # Add the CA certificates to the default NSS database
-- root_logger.debug(
-- "Attempting to add CA certificates to the default NSS database.")
-- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-- for cert, nickname, trust_flags in ca_certs_trust:
-- try:
-- sys_db.add_cert(cert, nickname, trust_flags)
-- except CalledProcessError, e:
-- root_logger.error(
-- "Failed to add %s to the default NSS database.", nickname)
-- return CLIENT_INSTALL_ERROR
-- root_logger.info("Added CA certificates to the default NSS database.")
--
- if not options.on_master:
- client_dns(cli_server[0], hostname, options)
- configure_certmonger(fstore, subject_base, cli_realm, hostname,
-diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py
-index a953067..4cb8872 100644
---- a/ipa-client/ipaclient/ipa_certupdate.py
-+++ b/ipa-client/ipaclient/ipa_certupdate.py
-@@ -94,17 +94,6 @@ class CertUpdate(admintool.AdminTool):
- self.update_file(paths.IPA_CA_CRT, certs)
-
- ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
--
-- # Remove IPA certs from /etc/pki/nssdb
-- for nickname, trust_flags in ipa_db.list_certs():
-- while sys_db.has_nickname(nickname):
-- try:
-- sys_db.delete_cert(nickname)
-- except ipautil.CalledProcessError, e:
-- self.log.error("Failed to remove %s from %s: %s",
-- nickname, sys_db.secdir, e)
-- break
-
- # Remove old IPA certs from /etc/ipa/nssdb
- for nickname in ('IPA CA', 'External CA cert'):
-@@ -117,7 +106,6 @@ class CertUpdate(admintool.AdminTool):
- break
-
- self.update_db(ipa_db.secdir, certs)
-- self.update_db(sys_db.secdir, certs)
-
- tasks.remove_ca_certs_from_systemwide_ca_store()
- tasks.insert_ca_certs_into_systemwide_ca_store(certs)
-diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
-index 9a7db65..3c26eef 100644
---- a/ipa-client/ipaclient/ntpconf.py
-+++ b/ipa-client/ipaclient/ntpconf.py
-@@ -112,9 +112,9 @@ def config_ntp(ntp_servers, fstore = None, sysstore = None):
- if os.path.exists(path_step_tickers):
- config_step_tickers = True
- ns = ipautil.template_str(ntp_step_tickers, sub_dict)
-- __backup_config(path_step_tickers, fstore)
-- __write_config(path_step_tickers, ns)
-- tasks.restore_context(path_step_tickers)
-+ #__backup_config(path_step_tickers, fstore)
-+ #__write_config(path_step_tickers, ns)
-+ #tasks.restore_context(path_step_tickers)
-
- if sysstore:
- module = 'ntp'
-diff --git a/ipa-client/man/ipa-client-automount.1 b/ipa-client/man/ipa-client-automount.1
-index 5b60503..16ccbea 100644
---- a/ipa-client/man/ipa-client-automount.1
-+++ b/ipa-client/man/ipa-client-automount.1
-@@ -29,7 +29,7 @@ The automount configuration consists of three files:
- .IP o
- /etc/nsswitch.conf
- .IP o
--/etc/sysconfig/autofs
-+/etc/conf.d/autofs
- .IP o
- /etc/autofs_ldap_auth.conf
-
-@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default):
- .TP
- Files that will be configured when using the ldap automount client:
-
--/etc/sysconfig/autofs
-+/etc/conf.d/autofs
-
- /etc/autofs_ldap_auth.conf
-
-diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
-index 0fafd8a..9ffcd05 100644
---- a/ipa-client/man/ipa-client-install.1
-+++ b/ipa-client/man/ipa-client-install.1
-@@ -235,7 +235,7 @@ Files that will be replaced if they exist and SSSD is not configured (\-\-no\-ss
- Files replaced if NTP is enabled:
-
- /etc/ntp.conf\p
--/etc/sysconfig/ntpd\p
-+/etc/conf.d/ntpd.conf\p
- /etc/ntp/step\-tickers\p
- .TP
- Files always created (replacing existing content):
-@@ -249,9 +249,8 @@ Files always created (replacing existing content):
- Files updated, existing content is maintained:
-
- /etc/nsswitch.conf\p
--/etc/pki/nssdb\p
- /etc/krb5.keytab\p
--/etc/sysconfig/network\p
-+/etc/hostname\p
- .SH "EXIT STATUS"
- 0 if the installation was successful
-
-diff --git a/ipaplatform/archlinux/__init__.py b/ipaplatform/archlinux/__init__.py
-new file mode 100644
-index 0000000..9da42e7
---- /dev/null
-+++ b/ipaplatform/archlinux/__init__.py
-@@ -0,0 +1,3 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-diff --git a/ipaplatform/archlinux/authconfig.py b/ipaplatform/archlinux/authconfig.py
-new file mode 100644
-index 0000000..620b057
---- /dev/null
-+++ b/ipaplatform/archlinux/authconfig.py
-@@ -0,0 +1,22 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.base.authconfig import AuthConfig
-+
-+
-+class ArchLinuxAuthConfig(AuthConfig):
-+ """
-+ Arch Linux implementation of the AuthConfig class.
-+
-+ The freeipa package includes a sss-auth-setup.py Python 2 script which
-+ will set up both the NSS and PAM configuration. However, this script
-+ modifies the PAM configuration files directly, so the changes need to
-+ be undone before pacman updates anything in /etc/pam.d/ and if any new
-+ configuration files are added.
-+
-+ It's probably best to have this handled manually.
-+ """
-+
-+ def execute(self):
-+ raise NotImplementedError
-diff --git a/ipaplatform/archlinux/constants.py b/ipaplatform/archlinux/constants.py
-new file mode 100644
-index 0000000..459c22c
---- /dev/null
-+++ b/ipaplatform/archlinux/constants.py
-@@ -0,0 +1,12 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.base.constants import BaseConstantsNamespace
-+
-+
-+class ArchLinuxConstantsNamespace(BaseConstantsNamespace):
-+ pass
-+
-+
-+constants = ArchLinuxConstantsNamespace()
-diff --git a/ipaplatform/archlinux/paths.py b/ipaplatform/archlinux/paths.py
-new file mode 100644
-index 0000000..d5b5da5
---- /dev/null
-+++ b/ipaplatform/archlinux/paths.py
-@@ -0,0 +1,21 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.redhat.paths import RedHatPathNamespace
-+
-+
-+class ArchLinuxPathNamespace(RedHatPathNamespace):
-+ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs/autofs_ldap_auth.conf"
-+ SYSCONFIG_NFS = "/etc/conf.d/nfs-common.conf"
-+ SYSCONFIG_NTPD = "/etc/conf.d/ntpd.conf"
-+ SYSCONFIG_AUTOFS = "/etc/default/autofs"
-+ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = (
-+ "/usr/lib/certmonger/certmonger/dogtag-ipa-ca-renew-agent-submit")
-+ DOGTAG_IPA_RENEW_AGENT_SUBMIT = (
-+ "/usr/lib/certmonger/certmonger/dogtag-ipa-renew-agent-submit")
-+ IPA_SERVER_GUARD = "/usr/lib/certmonger/certmonger/ipa-server-guard"
-+ LIB64_FIREFOX = "/usr/lib/firefox"
-+
-+
-+paths = ArchLinuxPathNamespace()
-diff --git a/ipaplatform/archlinux/services.py b/ipaplatform/archlinux/services.py
-new file mode 100644
-index 0000000..4230e62
---- /dev/null
-+++ b/ipaplatform/archlinux/services.py
-@@ -0,0 +1,29 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.redhat.services import (
-+ redhat_system_units, RedHatService, redhat_service_class_factory,
-+ RedHatServices, timedate_services)
-+
-+archlinux_system_units = dict(redhat_system_units)
-+archlinux_system_units['messagebus'] = 'dbus.service'
-+archlinux_system_units['rpcgssd'] = 'rpc-gssd.service'
-+archlinux_system_units['rpcidmapd'] = 'rpc-idmapd.service'
-+
-+
-+class ArchLinuxService(RedHatService):
-+ system_units = archlinux_system_units
-+
-+
-+def archlinux_service_class_factory(name):
-+ return ArchLinuxService(name)
-+
-+
-+class ArchLinuxServices(RedHatServices):
-+ def service_class_factory(self, name):
-+ return archlinux_service_class_factory(name)
-+
-+
-+service = archlinux_service_class_factory
-+knownservices = ArchLinuxServices()
-diff --git a/ipaplatform/archlinux/tasks.py b/ipaplatform/archlinux/tasks.py
-new file mode 100644
-index 0000000..654eb9a
---- /dev/null
-+++ b/ipaplatform/archlinux/tasks.py
-@@ -0,0 +1,16 @@
-+#
-+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipaplatform.archlinux.paths import paths
-+from ipaplatform.base.tasks import BaseTaskNamespace
-+
-+
-+class ArchLinuxTaskNamespace(BaseTaskNamespace):
-+ def restore_network_configuration(self, fstore, statestore):
-+ filepath = paths.ETC_HOSTNAME
-+ if fstore.has_file(filepath):
-+ fstore.restore_file(filepath)
-+
-+
-+tasks = ArchLinuxTaskNamespace()
-diff --git a/ipaplatform/setup.py.in b/ipaplatform/setup.py.in
-index 944e686..1fcaab0 100644
---- a/ipaplatform/setup.py.in
-+++ b/ipaplatform/setup.py.in
-@@ -66,6 +66,7 @@ def setup_package():
- classifiers=filter(None, CLASSIFIERS.split('\n')),
- package_dir = {'ipaplatform': ''},
- packages = ["ipaplatform",
-+ "ipaplatform.archlinux",
- "ipaplatform.base",
- "ipaplatform.fedora",
- "ipaplatform.redhat",
-diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
-index b376768..b22ce24 100644
---- a/ipapython/certmonger.py
-+++ b/ipapython/certmonger.py
-@@ -418,7 +418,7 @@ def add_principal_to_cas(principal):
- If the hostname we were passed to use in ipa-client-install doesn't
- match the value of gethostname() then we need to append
- -k host/HOSTNAME@REALM to the ca helper defined for
-- /usr/libexec/certmonger/ipa-submit.
-+ /usr/lib/certmonger/certmonger/ipa-submit.
-
- We also need to restore this on uninstall.
- """
-@@ -493,18 +493,12 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
- params['KEY_PIN_FILE'] = os.path.abspath(pinfile)
- if pre_command:
- if not os.path.isabs(pre_command):
-- if sys.maxsize > 2**32L:
-- libpath = 'lib64'
-- else:
-- libpath = 'lib'
-+ libpath = 'lib'
- pre_command = certmonger_cmd_template % (libpath, pre_command)
- params['cert-presave-command'] = pre_command
- if post_command:
- if not os.path.isabs(post_command):
-- if sys.maxsize > 2**32L:
-- libpath = 'lib64'
-- else:
-- libpath = 'lib'
-+ libpath = 'lib'
- post_command = certmonger_cmd_template % (libpath, post_command)
- params['cert-postsave-command'] = post_command
- if profile:
---
-2.6.4
-
diff --git a/freeipa-client.install b/freeipa-client.install
index 07a72603e788..d034848e6049 100644
--- a/freeipa-client.install
+++ b/freeipa-client.install
@@ -20,8 +20,8 @@ post_upgrade() {
fi
fi
- if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then
- python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
+ if [ $restore -ge 2 ]; then
+ python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
fi
# Has the client been configured?
diff --git a/sss-auth-setup.py b/sss-auth-setup.py
deleted file mode 100755
index 38a0d435b54a..000000000000
--- a/sss-auth-setup.py
+++ /dev/null
@@ -1,338 +0,0 @@
-#!/usr/bin/env python2
-
-# Written by: Xiao-Long Chen <chenxiaolong@cxl.epac.to>
-# License: GPLv3
-
-import base64
-import hashlib
-import os
-import re
-import shutil
-
-nss_databases = ['passwd', 'group', 'services', 'netgroup', 'automount']
-
-PAM_CONFIG_DIR = '/etc/pam.d/'
-
-def nss_enable_sss():
- if os.path.exists("/etc/nsswitch.conf.sss_tmp"):
- os.remove("/etc/nsswitch.conf.sss_tmp")
-
- # Backup /etc/nsswitch.conf
- shutil.copyfile("/etc/nsswitch.conf", "/etc/nsswitch.conf.sss_bak")
-
- nsswitch_orig = open("/etc/nsswitch.conf", 'r')
- nsswitch_new = open("/etc/nsswitch.conf.sss_tmp", 'w')
-
- while True:
- current_line = nsswitch_orig.readline()
- if not current_line:
- break
-
- if current_line != '\n' and current_line.split()[0][:-1] in nss_databases:
- if "sss" in current_line:
- print("sss is already enabled for the NSS " +
- current_line.split()[0][:-1] + " database")
- else:
- print("Enabling sss support for the NSS " +
- current_line.split()[0][:-1] + " database...")
- if current_line[-1] == '\n':
- current_line = current_line[:-1] + " sss\n"
- else:
- current_line += " sss"
-
- # Write new file
- nsswitch_new.write(current_line)
-
- nsswitch_orig.close()
- nsswitch_new.close()
-
- # Replace original /etc/nsswitch.conf
- shutil.move("/etc/nsswitch.conf.sss_tmp", "/etc/nsswitch.conf")
-
-def nss_disable_sss():
- if os.path.exists("/etc/nsswitch.conf.sss_tmp"):
- os.remove("/etc/nsswitch.conf.sss_tmp")
-
- nsswitch_orig = open("/etc/nsswitch.conf", 'r')
- nsswitch_new = open("/etc/nsswitch.conf.sss_tmp", 'w')
-
- while True:
- current_line = nsswitch_orig.readline()
- if not current_line:
- break
-
- if current_line != '\n' and current_line.split()[0][:-1] in nss_databases:
- if "sss" in current_line:
- print("Disabling sss for the NSS " +
- current_line.split()[0][:-1] + " database...")
- current_line = re.sub(r"[ \t]+sss[ \t]*", ' ', current_line)
- # Remove extra spaces
- current_line = re.sub(r"[ \t]+\n", '\n', current_line)
-
- # Write new file
- nsswitch_new.write(current_line)
-
- nsswitch_orig.close()
- nsswitch_new.close()
-
- # Replace original /etc/nsswitch.conf
- shutil.move("/etc/nsswitch.conf.sss_tmp", "/etc/nsswitch.conf")
-
-def pam_check_header(pam_config):
- pam_file = open(PAM_CONFIG_DIR + pam_config, 'r')
-
- inside_header = False
- has_header = False
- sha512sum = ''
- base64enc = ''
- returned = None
-
- while True:
- current_line = pam_file.readline()
- if not current_line:
- break
-
- if current_line == '\n' or current_line == '# \n':
- continue
-
- if current_line == '# -----BEGIN PAM BACKUP-----\n':
- inside_header = True
-
- elif current_line == '# -----END PAM BACKUP-----\n':
- if not inside_header:
- # Invalid because the begin line is missing
- returned = ('INVALID', None, None)
- break
-
- has_header = True
- break
-
- elif inside_header:
- if current_line.startswith('# Hash: '):
- sha512sum = current_line[8:-1]
- elif current_line.startswith('# Data: '):
- base64enc = current_line[8:-1]
- else:
- # Invalid because unknown data is in the header
- returned = ('INVALID', None, None)
- break
-
- pam_file.close()
-
- if has_header:
- if sha512sum == hashlib.sha512(base64.b64decode(base64enc)).hexdigest():
- returned = ('VALID', sha512sum, base64enc)
- else:
- # Invalid because the checksum of the data does not match the hash
- returned = ('INVALID', None, None)
-
- if not returned:
- returned = ('NONE', None, None)
-
- return returned
-
-def pam_config_setup(pam_config):
- pam_file_orig = open(PAM_CONFIG_DIR + pam_config, 'r')
- pam_file_new = open(PAM_CONFIG_DIR + pam_config + '.sss_tmp', 'a')
-
- while True:
- current_line = pam_file_orig.readline()
- if not current_line:
- break
-
- if current_line.startswith('#%PAM-1.0'):
- continue
-
- if current_line != '\n' and current_line[0] != '#':
- current_line_split = current_line.split()
-
- # Change 'required' to 'sufficient' for the pam_unix.so module
- if current_line_split[2] == "pam_unix.so" and current_line_split[1] == "required":
- #pam_file_new.write(current_line.replace("required", "sufficient"))
- pam_file_new.write(current_line_split[0] + "\t\tinclude\t\tsss\n")
- continue
-
- pam_file_new.write(current_line)
-
- pam_file_orig.close()
- pam_file_new.close()
-
-def pam_enable_sss():
- print('Enabling sssd support in:')
-
- rows, columns = os.popen('stty size', 'r').read().split()
- columns = int(columns) - 3
-
- for fullpath, directories, files in os.walk(PAM_CONFIG_DIR):
- files.sort()
- for pam_config in files:
- if pam_config == 'sss' or pam_config == 'sss.bak' or \
- pam_config.startswith('.') or pam_config.endswith('~'):
- continue
-
- status = pam_check_header(pam_config)[0]
- if status == 'NONE':
- status_msg = 'done'
- elif status == 'VALID':
- status_msg = 'already enabled (skipping)'
- elif status == 'INVALID':
- status_msg = 'invalid backup header (skipping)'
-
- pam_config_path = PAM_CONFIG_DIR + pam_config
-
- if status == 'NONE':
- pam_file = open(pam_config_path, 'rb')
-
- raw_content = pam_file.read()
- sha512sum = hashlib.sha512(raw_content).hexdigest()
- base64enc_raw = base64.b64encode(raw_content)
- base64enc = base64enc_raw.decode('ascii')
-
- pam_file.close()
-
- tmp_file = open(pam_config_path + '.sss_tmp', 'w')
-
- tmp_file.write('#%PAM-1.0\n')
- tmp_file.write('# -----BEGIN PAM BACKUP-----\n')
- tmp_file.write('# Hash: ' + sha512sum + '\n')
- tmp_file.write('# \n')
- tmp_file.write('# Data: ' + base64enc + '\n')
- tmp_file.write('# -----END PAM BACKUP-----\n')
- tmp_file.write('\n')
-
- tmp_file.close()
-
- pam_config_setup(pam_config)
-
- shutil.move(pam_config_path + '.sss_tmp', pam_config_path)
-
- if len(pam_config_path + status_msg) > columns:
- print(pam_config_path)
- print(('{:>%is} ' % columns + 2).format(status_msg))
- else:
- print((' {:<%is}{:>%is} ' % \
- (len(pam_config_path), columns - len(pam_config_path))). \
- format(pam_config_path, status_msg))
-
- if os.path.exists(PAM_CONFIG_DIR + 'sss'):
- print('%ssss already exists. Moving it to %ssss.bak' % \
- (PAM_CONFIG_DIR, PAM_CONFIG_DIR))
- shutil.move(PAM_CONFIG_DIR + 'sss', PAM_CONFIG_DIR + 'sss.bak')
-
- pam_sss = open(PAM_CONFIG_DIR + 'sss', 'w')
- # Auth
- pam_sss.write("auth sufficient pam_unix.so nullok try_first_pass\n")
- pam_sss.write("auth sufficient pam_sss.so use_first_pass\n")
- pam_sss.write("auth required pam_deny.so\n")
- # Account
- pam_sss.write("account required pam_unix.so\n")
- pam_sss.write("#account [default=bad success=ok user_unknown=ignore] pam_sss.so\n")
- pam_sss.write("account optional pam_sss.so\n")
- # Password
- pam_sss.write("password sufficient pam_unix.so try_first_pass nullok sha512 shadow\n")
- pam_sss.write("password sufficient pam_sss.so use_authtok\n")
- pam_sss.write("password required pam_deny.so\n")
- # Session
- pam_sss.write("session required pam_unix.so\n")
- pam_sss.write("session optional pam_sss.so\n")
- pam_sss.close()
-
-def pam_disable_sss():
- print('Disabling sssd support in:')
-
- rows, columns = os.popen('stty size', 'r').read().split()
- columns = int(columns) - 3
-
- for fullpath, directories, files in os.walk(PAM_CONFIG_DIR):
- files.sort()
- for pam_config in files:
- if pam_config == 'sss' or pam_config == 'sss.bak' or \
- pam_config.startswith('.') or pam_config.endswith('~'):
- continue
-
- status, sha512sum, base64enc = pam_check_header(pam_config)
- if status == 'NONE':
- status_msg = 'already disabled (skipping)'
- elif status == 'VALID':
- status_msg = 'done'
- elif status == 'INVALID':
- status_msg = 'invalid backup header (skipping)'
-
- pam_config_path = PAM_CONFIG_DIR + pam_config
-
- if status == 'VALID':
- pam_file = open(pam_config_path + '.sss_tmp', 'wb')
- pam_file.write(base64.b64decode(base64enc))
- pam_file.close()
- shutil.move(pam_config_path + '.sss_tmp', pam_config_path)
-
- if len(pam_config_path + status_msg) > columns:
- print(pam_config_path)
- print(('{:>%is} ' % columns + 2).format(status_msg))
- else:
- print((' {:<%is}{:>%is} ' % \
- (len(pam_config_path), columns - len(pam_config_path))). \
- format(pam_config_path, status_msg))
-
- if os.path.exists(PAM_CONFIG_DIR + 'sss'):
- os.remove(PAM_CONFIG_DIR + 'sss')
-
-def parse_arguments():
- import argparse
- import textwrap
-
- arg_parser = argparse.ArgumentParser()
- arg_parser.formatter_class = argparse.RawDescriptionHelpFormatter
- arg_parser.description = textwrap.dedent("""
- Arch Linux sssd authentication setup helper for PAM and NSS
- -----------------------------------------------------------
- """)
-
- nss_group = arg_parser.add_mutually_exclusive_group()
- nss_group.add_argument("--enable-nss",
- help="Enable support for SSSD in NSS",
- action="store_true",
- dest="nss_action",
- default=None)
- nss_group.add_argument("--disable-nss",
- help="Disable support for SSSD in NSS",
- action="store_false",
- dest="nss_action",
- default=None)
-
- pam_group = arg_parser.add_mutually_exclusive_group()
- pam_group.add_argument("--enable-pam",
- help="Enable support for SSSD in PAM",
- action="store_true",
- dest="pam_action",
- default=None)
- pam_group.add_argument("--disable-pam",
- help="Disable support for SSSD in PAM",
- action="store_false",
- dest="pam_action",
- default=None)
-
- args = arg_parser.parse_args()
-
- if args.nss_action == None and args.pam_action == None:
- print("No action given!")
- exit(1)
-
- if os.getuid() != 0:
- print("sss-auth-setup must be run as root!")
- exit(1)
-
- if args.nss_action != None:
- if args.nss_action:
- nss_enable_sss()
- else:
- nss_disable_sss()
-
- if args.pam_action != None:
- if args.pam_action:
- pam_enable_sss()
- else:
- pam_disable_sss()
-
-if __name__ == "__main__":
- parse_arguments()