Hello community,

here is the log from the commit of package himmelblau for openSUSE:Factory checked in at 2026-01-17 14:53:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/himmelblau (Old)
 and      /work/SRC/openSUSE:Factory/.himmelblau.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "himmelblau" Sat Jan 17 14:53:05 2026 rev:39 rq:1327481 version:2.3.1+git0.2418ec2 Changes: -------- --- /work/SRC/openSUSE:Factory/himmelblau/himmelblau.changes 2025-11-26 17:14:51.612732474 +0100 +++ /work/SRC/openSUSE:Factory/.himmelblau.new.1928/himmelblau.changes 2026-01-17 14:53:57.609198183 +0100 
@@ -1,0 +2,36 @@ +Thu Jan 15 21:22:11 UTC 2026 - David Mulder <[email protected]> + +- Update to version 2.3.1+git0.2418ec2: + * Version 2.3.1 + * Remove references to qrcodegen (these are 3.x features) + * QR Greeter compatibility for old GNOME + * Enable QR greeter automatically + * ci: Use latest cargo-vet from git to fix CI + * Fix HSM pin migration failure on Debian/Ubuntu upgrades from v1.4.x + * Version 2.3.0 + * cargo vet + * Update make vet from main branch + * Autostart the daemons on fresh install or upgrade + * Restart sshd when installing the ssh config + * Allow tasks daemon to write krb ccache + * Do not enumerate mapped users in NSS + * deps(rust): bump the all-cargo-updates group across 1 directory with 8 updates + * Update libhimmelblau to latest version + * Fix Tumbleweed build + * cargo vet + * Version 2.2.0 + * Update libhimmelblau to 0.8.x series + * deps(rust): bump the all-cargo-updates group with 17 updates + * Only use OpenSSH bug workaround for ssh service + * Fix debug noise from removing user from sudo group + * systemd: install files to /usr/lib/, not /etc/ + * Version 2.1.0 + * Fix nightly authselect build failure + * Generate the authselect profiles for each distro + * Improve pam config handling in aad-tool + * Make `aad-tool configure-pam` detect location of pam files + * Version 2.0.5 + * /var/lib/private/himmelblaud should be owned by root + * Use tmpfiles.d to create himmelblaud private data directory + +------------------------------------------------------------------- Old: ---- himmelblau-2.0.4+git.2.5d26a19.tar.bz2 New: ---- himmelblau-2.3.1+git0.2418ec2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ himmelblau.spec ++++++ --- /var/tmp/diff_new_pack.SF65SM/_old 2026-01-17 14:53:59.077259384 +0100 +++ /var/tmp/diff_new_pack.SF65SM/_new 2026-01-17 14:53:59.077259384 +0100 
@@ -1,7 +1,7 @@ # # spec file for package himmelblau # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,7 +30,7 @@ %endif Name: himmelblau -Version: 2.0.4+git.2.5d26a19 +Version: 2.3.1+git0.2418ec2 Release: 0 Summary: Interoperability suite for Microsoft Azure Entra Id License: GPL-3.0-or-later 
@@ -39,117 +39,119 @@ Source: %{name}-%{version}.tar.bz2 Source1: vendor.tar.zst Source2: cargo_config +%if !0%{?suse_version} +BuildRequires: authselect +%endif +BuildRequires: autoconf BuildRequires: binutils +BuildRequires: ca-certificates BuildRequires: cargo BuildRequires: cargo-packaging +BuildRequires: checkpolicy +BuildRequires: clang BuildRequires: clang-devel +BuildRequires: cmake +BuildRequires: curl BuildRequires: dbus-1-devel +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: gettext +BuildRequires: git +BuildRequires: jq BuildRequires: krb5-devel BuildRequires: libcap-devel -BuildRequires: libclang13 -BuildRequires: libdhash-devel -BuildRequires: libopenssl-3-devel +BuildRequires: libtool +BuildRequires: libudev-devel BuildRequires: libunistring-devel +BuildRequires: make +BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: patchelf BuildRequires: pcre2-devel +BuildRequires: pkg-config +BuildRequires: policycoreutils +BuildRequires: policycoreutils-devel +BuildRequires: python3 +BuildRequires: systemd-rpm-macros %if 0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000 BuildRequires: selinux-policy-devel +BuildRequires: selinux-tools %endif BuildRequires: sqlite3-devel -BuildRequires: systemd-devel -BuildRequires: systemd-rpm-macros +BuildRequires: systemd-mini BuildRequires: tpm2-0-tss-devel +BuildRequires: wget ExclusiveArch: %{rust_tier1_arches} +Requires: policycoreutils Recommends: cron Recommends: krb5 Recommends: libnss_himmelblau2 Recommends: pam-himmelblau -Requires: system-user-tss -Provides: aad-cli -Provides: aad-common -Provides: authd -Provides: authd-msentraid -Suggests: himmelblau-sso -Requires: man -Requires: system-user-tss +Recommends: system-user-tss %description -Himmelblau is an interoperability suite for Microsoft Azure Entra Id, -which allows users to sign into a Linux machine using Azure +Himmelblau is an interoperability suite for Microsoft Azure Entra Id +and Intune, which allows users to sign into 
a Linux machine using Azure Entra Id credentials. %package -n pam-himmelblau Summary: Azure Entra Id authentication PAM module Requires: %{name} = %{version} -Provides: libpam-aad -Suggests: himmelblau-qr-greeter -Recommends: authselect -Recommends: (oddjob-mkhomedir if authselect) +Recommends: oddjob_mkhomedir +Suggests: authselect %description -n pam-himmelblau -Himmelblau is an interoperability suite for Microsoft Azure Entra Id, -which allows users to sign into a Linux machine using Azure +Himmelblau is an interoperability suite for Microsoft Azure Entra Id +and Intune, which allows users to sign into a Linux machine using Azure Entra Id credentials. %package -n libnss_himmelblau2 Summary: Azure Entra Id authentication NSS module +Requires: %{name} = %{version} Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig -Requires: %{name} -Provides: libnss-aad + Provides: nss-himmelblau %description -n libnss_himmelblau2 -Himmelblau is an interoperability suite for Microsoft Azure Entra Id, -which allows users to sign into a Linux machine using Azure +Himmelblau is an interoperability suite for Microsoft Azure Entra Id +and Intune, which allows users to sign into a Linux machine using Azure Entra Id credentials. %package -n himmelblau-sshd-config Summary: Azure Entra Id SSHD Configuration Requires: %{name} = %{version} -Supplements: (pam-himmelblau and openssh-server) Requires: openssh-server BuildRequires: openssh-server BuildArch: noarch %description -n himmelblau-sshd-config -Himmelblau is an interoperability suite for Microsoft Azure Entra Id, -which allows users to sign into a Linux machine using Azure +Himmelblau is an interoperability suite for Microsoft Azure Entra Id +and Intune, which allows users to sign into a Linux machine using Azure Entra Id credentials. 
%package -n himmelblau-sso Summary: Azure Entra Id Browser SSO Requires: %{name} = %{version} -Supplements: (MozillaFirefox and himmelblau) -Supplements: (chromium and himmelblau) -Supplements: (google-chrome-stable and himmelblau) -Supplements: (microsoft-edge-stable and himmelblau) -Provides: linux-entra-sso -# This is a hint, enabling users to call `zypper in intune-portal`, and receive -# the expected himmelblau+intune+sso capabilities. -Provides: intune-portal -# This is necessary to prevent users from installing Himmelblau SSO along side -# Microsoft's Broker, as these will conflict. -Provides: microsoft-identity-broker +Recommends: curl +Recommends: jq +Recommends: libfuse2 %description -n himmelblau-sso Himmelblau SSO provides Azure Entra Id browser single sign-on via Firefox, Chromium, Google Chrome, and Microsoft Edge (where installed), -using native messaging and managed browser policies. +using native messaging and managed browser policies. It also provides +web apps for common Office 365 applications (Teams, Outlook, etc). %package -n himmelblau-qr-greeter Summary: Azure Entra Id DAG URL QR code GNOME Shell extension -Requires: gnome-shell >= 45 -Supplements: (pam-himmelblau and gnome-shell) -BuildArch: noarch +Requires: gnome-shell +Recommends: systemd-container %description -n himmelblau-qr-greeter GNOME Shell extension that adds a QR code to authentication prompts when a MS DAG URL is detected. -%postun -n libnss_himmelblau2 -p /sbin/ldconfig - %prep %autosetup -a1 @@ -159,6 +161,9 @@ export HIMMELBLAU_ALLOW_MISSING_SELINUX=1 %endif %{cargo_build} --workspace --exclude himmelblau-fuzz +%if !0%{?suse_version} +make authselect +%endif %check %if !(0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000) 
@@ -168,101 +173,192 @@ %install # NSS -cp target/release/libnss_%{name}.so target/release/libnss_%{name}.so.2 install -D -d -m 0755 %{buildroot}/%{_libdir} -strip --strip-unneeded target/release/libnss_himmelblau.so.2 -patchelf --set-soname libnss_himmelblau.so.2 target/release/libnss_himmelblau.so.2 -install -m 0755 target/release/libnss_%{name}.so.2 %{buildroot}/%{_libdir} -install -Dm 0644 src/nss/src/nss-himmelblau.tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/nss-himmelblau.conf +install -D -d -m 0755 %{buildroot}/%{_tmpfilesdir} +strip --strip-unneeded target/release/libnss_himmelblau.so +patchelf --set-soname libnss_himmelblau.so.2 target/release/libnss_himmelblau.so +install -m 0755 target/release/libnss_himmelblau.so %{buildroot}/%{_libdir}/libnss_himmelblau.so.2 +install -m 0644 src/nss/src/nss-himmelblau.tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/nss-himmelblau.conf # PAM install -D -d -m 0755 %{buildroot}/%{_pam_moduledir} strip --strip-unneeded target/release/libpam_himmelblau.so -install -m 0755 target/release/libpam_%{name}.so %{buildroot}/%{_pam_moduledir}/pam_%{name}.so -install -D -d -m 0755 %{buildroot}%{_datadir}/authselect/vendor/himmelblau -install -m 644 platform/el/authselect/* %{buildroot}%{_datadir}/authselect/vendor/himmelblau/ +install -m 0755 target/release/libpam_himmelblau.so %{buildroot}/%{_pam_moduledir}/pam_himmelblau.so +%if !0%{?suse_version} +install -D -d -m 0755 %{buildroot}/%{_datadir}/authselect/vendor/himmelblau/ +install -m 0755 platform/el/authselect/* %{buildroot}/%{_datadir}/authselect/vendor/himmelblau/ +%endif -# Daemons, etc -install -D -d -m 0755 %{buildroot}/%{_sysconfdir}/himmelblau -cp src/config/himmelblau.conf.example %{buildroot}/%{_sysconfdir}/himmelblau/himmelblau.conf +# Himmelblau install -D -d -m 0755 %{buildroot}%{_sbindir} +install -D -d -m 0755 %{buildroot}%{_bindir} +install -D -d -m 0755 %{buildroot}%{_unitdir} +install -D -d -m 0755 %{buildroot}/%{_sysconfdir}/himmelblau +install -D -d -m 0755 
%{buildroot}%{_datarootdir}/dbus-1/services +install -D -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d +install -D -d -m 0755 %{buildroot}%{_sysconfdir}/krb5.conf.d +install -D -d -m 0755 %{buildroot}/%{_unitdir}/display-manager.service.d/ +install -d -m 0600 %{buildroot}%{_localstatedir}/cache/himmelblau-policies +install -D -d -m 0755 %{buildroot}%{_datadir}/doc/himmelblau/ +install -D -d -m 0755 %{buildroot}/%{_tmpfilesdir}/ +install -D -d -m 0755 %{buildroot}%{_mandir}/man1 +install -D -d -m 0755 %{buildroot}%{_mandir}/man5 +install -D -d -m 0755 %{buildroot}%{_mandir}/man8 strip --strip-unneeded target/release/himmelblaud strip --strip-unneeded target/release/himmelblaud_tasks strip --strip-unneeded target/release/broker -install -m 0755 target/release/himmelblaud %{buildroot}/%{_sbindir} -install -m 0755 target/release/himmelblaud_tasks %{buildroot}/%{_sbindir} -install -m 0755 target/release/broker %{buildroot}/%{_sbindir} +strip --strip-unneeded target/release/aad-tool +install -m 0644 src/config/himmelblau.conf.example %{buildroot}/%{_sysconfdir}/himmelblau/himmelblau.conf +install -m 0644 src/config/krb5_himmelblau.conf %{buildroot}/%{_sysconfdir}/krb5.conf.d/ +install -m 0644 src/config/gdm3_service_override.conf %{buildroot}/%{_unitdir}/display-manager.service.d/override.conf +install -m 0755 target/release/aad-tool %{buildroot}/%{_bindir}/ +install -m 0644 platform/opensuse/himmelblaud-tasks.service %{buildroot}/%{_unitdir}/ +install -m 0644 platform/opensuse/himmelblaud.service %{buildroot}/%{_unitdir}/ +install -m 0755 target/release/himmelblaud %{buildroot}/%{_sbindir}/ +install -m 0755 target/release/himmelblaud_tasks %{buildroot}/%{_sbindir}/ +install -m 0644 README.md %{buildroot}/%{_datadir}/doc/himmelblau/README +install -m 0644 src/config/himmelblau.conf.example %{buildroot}/%{_datadir}/doc/himmelblau/ +install -m 0644 man/man1/aad-tool.1 %{buildroot}/%{_mandir}/man1/ +install -m 0644 man/man5/himmelblau.conf.5 
%{buildroot}/%{_mandir}/man5/ +install -m 0644 man/man8/himmelblaud.8 %{buildroot}/%{_mandir}/man8/ +install -m 0644 man/man8/himmelblaud_tasks.8 %{buildroot}/%{_mandir}/man8/ +install -m 0644 src/daemon/src/himmelblau-policies.tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/himmelblau-policies.conf +install -m 0644 src/daemon/src/himmelblaud.tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/himmelblaud.conf +%if 0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000 +install -D -d -m 0755 %{buildroot}/%{_selinux_pkgdir} +install -D -d -m 0755 %{buildroot}/%{_selinux_docdir} +install -m 0644 target/release/himmelblaud.pp %{buildroot}/%{_selinux_pkgdir}/himmelblaud.pp +install -m 0644 src/selinux/src/himmelblaud.te %{buildroot}/%{_selinux_docdir}/himmelblaud.te +install -m 0644 src/selinux/src/himmelblaud.fc %{buildroot}/%{_selinux_docdir}/himmelblaud.fc +%endif pushd %{buildroot}%{_sbindir} ln -s himmelblaud rchimmelblaud ln -s himmelblaud_tasks rchimmelblaud_tasks ln -s broker rcbroker popd -install -D -d -m 0755 %{buildroot}%{_bindir} -strip --strip-unneeded target/release/aad-tool -install -m 0755 target/release/aad-tool %{buildroot}/%{_bindir} -install -D -d -m 0755 %{buildroot}%{_unitdir} -install -m 0644 platform/opensuse/himmelblaud.service %{buildroot}%{_unitdir}/himmelblaud.service -install -m 0644 platform/opensuse/himmelblaud-tasks.service %{buildroot}%{_unitdir}/himmelblaud-tasks.service -install -D -d -m 0755 %{buildroot}%{_datarootdir}/dbus-1/services -install -m 0644 platform/opensuse/com.microsoft.identity.broker1.service %{buildroot}%{_datarootdir}/dbus-1/services/ + +# SSHD Config install -D -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d -install -m 0644 platform/el/sshd_config %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf -install -D -d -m 0755 %{buildroot}%{_sysconfdir}/krb5.conf.d -install -m 0644 src/config/krb5_himmelblau.conf %{buildroot}%{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf -install -d -m 0600 
%{buildroot}%{_localstatedir}/cache/himmelblau-policies -install -Dm 0644 src/config/gdm3_service_override.conf %{buildroot}%{_unitdir}/display-manager.service.d/override.conf -%if 0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000 -install -Dm 0644 target/release/himmelblaud.pp %{buildroot}%{_selinux_pkgdir}/himmelblaud.pp -install -Dm 0644 src/selinux/src/himmelblaud.te %{buildroot}%{_selinux_docdir}/himmelblaud.te -install -Dm 0644 src/selinux/src/himmelblaud.fc %{buildroot}%{_selinux_docdir}/himmelblaud.fc -%endif +install -m 0644 platform/el/sshd_config %{buildroot}/%{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf # Single Sign On strip --strip-unneeded target/release/linux-entra-sso -install -m 0755 target/release/linux-entra-sso %{buildroot}/%{_bindir}/linux-entra-sso install -D -d -m 0755 %{buildroot}%{_libdir}/mozilla/native-messaging-hosts -install -m 0644 src/sso/src/firefox/linux_entra_sso.json %{buildroot}%{_libdir}/mozilla/native-messaging-hosts/ install -D -d -m 0755 %{buildroot}%{_sysconfdir}/firefox/policies -install -m 0644 src/sso/src/firefox/policies.json %{buildroot}%{_sysconfdir}/firefox/policies/ -install -D -d -m0755 %{buildroot}%{chrome_nm_dir} -install -D -d -m0755 %{buildroot}%{chromium_nm_dir} -install -D -d -m0755 %{buildroot}%{chrome_ext_dir} -install -D -d -m0755 %{buildroot}%{chrome_policy_dir} -install -D -d -m0755 %{buildroot}%{chromium_policy_dir} -install -m 0644 src/sso/src/chrome/linux_entra_sso.json %{buildroot}%{chrome_nm_dir} -install -m 0644 src/sso/src/chrome/linux_entra_sso.json %{buildroot}%{chromium_nm_dir} -install -m 0644 src/sso/src/chrome/extension.json %{buildroot}%{chrome_ext_dir}/jlnfnnolkbjieggibinobhkjdfbpcohn.json -install -m 0644 src/sso/src/chrome/policies.json %{buildroot}%{chrome_policy_dir}/himmelblau.json -install -m 0644 src/sso/src/chrome/policies.json %{buildroot}%{chromium_policy_dir}/himmelblau.json +install -D -d -m 0755 %{buildroot}%{chrome_nm_dir} +install -D -d -m 0755 
%{buildroot}%{chromium_nm_dir} +install -D -d -m 0755 %{buildroot}%{chrome_ext_dir} +install -D -d -m 0755 %{buildroot}%{chrome_policy_dir} +install -D -d -m 0755 %{buildroot}%{chromium_policy_dir} +install -D -d -m 0755 %{buildroot}%{_datadir}/applications/ +%{!?_iconsdir:%global _iconsdir %{_datadir}/icons} +install -D -d -m 0755 %{buildroot}%{_iconsdir}/hicolor/256x256/apps install -m 0755 src/o365/src/o365.sh %{buildroot}/%{_bindir}/o365 install -m 0755 src/o365/src/o365-multi.sh %{buildroot}/%{_bindir}/o365-multi install -m 0755 src/o365/src/o365-url-handler.sh %{buildroot}/%{_bindir}/o365-url-handler -install -D -d -m 0755 %{buildroot}%{_datadir}/applications/ -install -m 0644 src/o365/generated/*.desktop %{buildroot}%{_datadir}/applications/ -%{!?_iconsdir:%global _iconsdir %{_datadir}/icons} -install -D -d -m 0755 %{buildroot}%{_iconsdir}/hicolor/256x256/apps/ -install -m 0644 src/o365/src/*.png %{buildroot}%{_iconsdir}/hicolor/256x256/apps/ - -# Man pages -install -D -d -m 0755 %{buildroot}%{_mandir}/man1 -install -D -d -m 0755 %{buildroot}%{_mandir}/man5 -install -D -d -m 0755 %{buildroot}%{_mandir}/man8 -install -m 0644 man/man1/aad-tool.1 %{buildroot}%{_mandir}/man1/ -install -m 0644 man/man5/himmelblau.conf.5 %{buildroot}%{_mandir}/man5/ -install -m 0644 man/man8/himmelblaud.8 %{buildroot}%{_mandir}/man8/ -install -m 0644 man/man8/himmelblaud_tasks.8 %{buildroot}%{_mandir}/man8/ +install -m 0755 src/o365/generated/*.desktop %{buildroot}/%{_datadir}/applications/ +install -m 0755 src/o365/src/*.png %{buildroot}/%{_iconsdir}/hicolor/256x256/apps/ +install -m 0755 target/release/linux-entra-sso %{buildroot}/%{_bindir}/linux-entra-sso +install -m 0644 src/sso/src/firefox/linux_entra_sso.json %{buildroot}/%{_libdir}/mozilla/native-messaging-hosts/ +install -m 0644 src/sso/src/firefox/policies.json %{buildroot}/%{_sysconfdir}/firefox/policies/ +install -m 0644 src/sso/src/chrome/linux_entra_sso.json %{buildroot}/%{chrome_nm_dir}/ +install -m 0644 
src/sso/src/chrome/linux_entra_sso.json %{buildroot}/%{chromium_nm_dir}/ +install -m 0644 src/sso/src/chrome/extension.json %{buildroot}/%{chrome_ext_dir}/jlnfnnolkbjieggibinobhkjdfbpcohn.json +install -m 0644 src/sso/src/chrome/policies.json %{buildroot}/%{chrome_policy_dir}/himmelblau.json +install -m 0644 src/sso/src/chrome/policies.json %{buildroot}/%{chromium_policy_dir}/himmelblau.json +install -m 0644 platform/opensuse/com.microsoft.identity.broker1.service %{buildroot}/%{_datadir}/dbus-1/services/ +install -m 0755 target/release/broker %{buildroot}/%{_sbindir}/ # QR Greeter install -D -d -m 0755 %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected] -install -m 0644 src/qr-greeter/src/[email protected]/extension.js %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ -install -m 0644 src/qr-greeter/src/[email protected]/metadata.json %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ -install -m 0644 src/qr-greeter/src/[email protected]/stylesheet.css %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ -install -m 0644 src/qr-greeter/src/msdag.png %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ +install -m 0644 target/release/qr-greeter-build/[email protected]/extension.js %{buildroot}/%{_datadir}/gnome-shell/extensions/[email protected]/extension.js +install -m 0644 target/release/qr-greeter-build/[email protected]/metadata.json %{buildroot}/%{_datadir}/gnome-shell/extensions/[email protected]/metadata.json +install -m 0644 target/release/qr-greeter-build/[email protected]/stylesheet.css %{buildroot}/%{_datadir}/gnome-shell/extensions/[email protected]/stylesheet.css +install -m 0644 target/release/qr-greeter-build/[email protected]/msdag.png %{buildroot}/%{_datadir}/gnome-shell/extensions/[email protected]/msdag.png -%pre -%service_add_pre himmelblaud.service himmelblaud-tasks.service +%post -n libnss_himmelblau2 +/sbin/ldconfig + +handle_nsswitch_conf() { + conf=$1 
+ sed -i '/^passwd:/ {/himmelblau/! s/$/ himmelblau/}' $conf + sed -i '/^group:/ {/himmelblau/! s/$/ himmelblau/}' $conf + sed -i '/^shadow:/ {/himmelblau/! s/$/ himmelblau/}' $conf +} + +etc_nsswitch_conf="/etc/nsswitch.conf" +usr_etc_nsswitch_conf="/usr/etc/nsswitch.conf" +if [ -f $etc_nsswitch_conf ]; then + handle_nsswitch_conf $etc_nsswitch_conf +elif [ -f $usr_etc_nsswitch_conf ]; then + cp $usr_etc_nsswitch_conf $etc_nsswitch_conf + handle_nsswitch_conf $etc_nsswitch_conf +fi + +# Ensure cache directory is created immediately after installation, ignoring failures +systemd-tmpfiles --create /usr/lib/tmpfiles.d/nss-himmelblau.conf 2>/dev/null || systemd-tmpfiles --create /usr/lib/x86_64-linux-gnu/tmpfiles.d/nss-himmelblau.conf 2>/dev/null || true + +%postun -n libnss_himmelblau2 -p /sbin/ldconfig + +%post -n pam-himmelblau +# Only create a symlink if it doesn't already exist +if [ ! -e /lib64/security/pam_himmelblau.so ]; then + mkdir -p /lib64/security + ln -s /usr/lib64/security/pam_himmelblau.so /lib64/security/pam_himmelblau.so +fi +if command -v authselect >/dev/null 2>&1; then + feats="$(authselect current 2>/dev/null | awk '"'"'/Enabled features:/{f=1;next} f && /^-/{print $2}'"'"')" + authselect select himmelblau $feats --force >/dev/null 2>&1 || : + authselect apply-changes >/dev/null 2>&1 || : +fi + +%postun -n pam-himmelblau +# Only remove a symlink if it exists and is a symlink +if [ -L /lib64/security/pam_himmelblau.so ]; then + rm -f /lib64/security/pam_himmelblau.so +fi + +%preun -n pam-himmelblau +# $1 is set by RPM: 0=uninstall, 1=upgrade. If your packager doesn’t pass it, we default to 0. 
+if [ "${1:-0}" -ne 0 ]; then exit 0; fi # don’t switch on upgrade +if command -v authselect >/dev/null 2>&1; then + if authselect current 2>/dev/null | grep -qE "^Profile ID:\s+himmelblau$"; then + if [ -d /usr/share/authselect/default/local ]; then base=local + elif [ -d /usr/share/authselect/default/minimal ]; then base=minimal + else base=sssd; fi + feats="$(authselect current 2>/dev/null | awk '"'"'/Enabled features:/{f=1;next} f && /^-/{print $2}'"'"')" + authselect select "$base" $feats --force >/dev/null 2>&1 || : + authselect apply-changes >/dev/null 2>&1 || : + fi +fi %post +%service_add_post himmelblaud.service himmelblaud-tasks.service + +# Ensure cache directory is created with correct permissions +systemd-tmpfiles --create /usr/lib/tmpfiles.d/himmelblau-policies.conf 2>/dev/null || true + +# Ensure private data directory is created with correct permissions +systemd-tmpfiles --create /usr/lib/tmpfiles.d/himmelblaud.conf 2>/dev/null || true + +# Remove old service files from /etc/systemd/system/ that were installed by v1.4.x +# These take precedence over the new files in /usr/lib/systemd/system/ and lack +# the LoadCredentialEncrypted directive needed for HSM pin handling. +for OLD_FILE in \ + "/etc/systemd/system/himmelblaud.service" \ + "/etc/systemd/system/himmelblaud-tasks.service" \ + "/etc/systemd/system/gdm3.service.d/override.conf"; do + if [ -f "$OLD_FILE" ]; then + echo "Removing old service file: $OLD_FILE" + rm -f "$OLD_FILE" + fi +done + +# Reload systemd to pick up the new service files from /usr/lib/systemd/system/ +if command -v systemctl >/dev/null 2>&1; then + systemctl daemon-reload || true +fi + gen_pin_hex() { if command -v openssl >/dev/null 2>&1; then openssl rand -hex 24 | tr -d '\n' 
@@ -276,7 +372,32 @@ LEGACY=/var/lib/private/himmelblaud/hsm-pin CRED=/var/lib/private/himmelblaud/hsm-pin.enc - if [ ! -f $CRED ]; then + if [ -f $LEGACY ] && [ -f $CRED ]; then + # Both files exist - this can happen if a previous upgrade failed due to + # missing LoadCredentialEncrypted in the service file (issue #987). + # The daemon would have generated a new plaintext hsm-pin which is now + # the active PIN matching the machine key. Try starting the daemon first + # to see if it works, and only re-encrypt if we get an HSM pin error. + echo "Both hsm-pin and hsm-pin.enc exist, checking if recovery is needed..." + if command -v systemctl >/dev/null 2>&1; then + # Try to restart the daemon and capture the result + systemctl restart himmelblaud.service 2>/dev/null || true + sleep 2 + # Check if the daemon failed with an HSM pin error + if ! systemctl is-active --quiet himmelblaud.service; then + DAEMON_LOG=$(journalctl -u himmelblaud.service -n 50 --no-pager 2>/dev/null || true) + if echo "$DAEMON_LOG" | grep -q "Unable to load machine root key"; then + echo "Re-encrypting HSM-PIN (recovering from failed upgrade)" + HSM_PIN=$(cat $LEGACY) + printf '%s' "$HSM_PIN" | systemd-creds encrypt --name=hsm-pin --with-key=auto --tpm2-device=auto - "$CRED" && rm -f $LEGACY + fi + else + # Daemon is running fine, just clean up the legacy file + echo "Daemon running successfully, removing legacy hsm-pin file" + rm -f $LEGACY + fi + fi + elif [ ! -f $CRED ]; then # Generate a new PIN if one doesn't exist, otherwise use the existing one if [ ! -f $LEGACY ]; then HSM_PIN=$(gen_pin_hex) 
@@ -286,11 +407,34 @@ fi # Encrypt the PIN - install -d -m 755 /var/lib/private/himmelblaud printf '%s' "$HSM_PIN" | systemd-creds encrypt --name=hsm-pin --with-key=auto --tpm2-device=auto - "$CRED" && (rm -f $LEGACY || true) fi fi +# Enable and start Himmelblau daemons if systemd is available +if command -v systemctl >/dev/null 2>&1; then + echo "Enabling and starting Himmelblau services..." + systemctl daemon-reload || true + systemctl enable himmelblaud.service himmelblaud-tasks.service || true + systemctl restart himmelblaud.service himmelblaud-tasks.service || true +fi + +%postun +%service_del_postun himmelblaud.service himmelblaud-tasks.service + +if [ "$1" -eq 0 ]; then + if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then + semodule -r himmelblaud || : + fi +fi + +%pre +%service_add_pre himmelblaud.service himmelblaud-tasks.service + +%preun +%service_del_preun himmelblaud.service himmelblaud-tasks.service + +%posttrans if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then if semodule -i /usr/share/selinux/packages/himmelblaud.pp; then semanage fcontext -a -t himmelblau_var_cache_t '/var/cache/himmelblaud' 
@@ -319,146 +463,126 @@ fi fi -%service_add_post himmelblaud.service himmelblaud-tasks.service - -%post -n libnss_himmelblau2 -/sbin/ldconfig - -handle_nsswitch_conf() { - conf=$1 - sed -i '/^passwd:/ {/himmelblau/! s/$/ himmelblau/}' $conf - sed -i '/^group:/ {/himmelblau/! s/$/ himmelblau/}' $conf - sed -i '/^shadow:/ {/himmelblau/! s/$/ himmelblau/}' $conf -} - -etc_nsswitch_conf="/etc/nsswitch.conf" -usr_etc_nsswitch_conf="/usr/etc/nsswitch.conf" -if [ -f $etc_nsswitch_conf ]; then - handle_nsswitch_conf $etc_nsswitch_conf -elif [ -f $usr_etc_nsswitch_conf ]; then - cp $usr_etc_nsswitch_conf $etc_nsswitch_conf - handle_nsswitch_conf $etc_nsswitch_conf +%post -n himmelblau-sshd-config +# Comment out the `KbdInteractiveAuthentication no` line if present +CONF="/etc/ssh/sshd_config" +if [ -f "$CONF" ]; then + sed -i 's/^KbdInteractiveAuthentication[[:space:]]\+no/#KbdInteractiveAuthentication no/' "$CONF" fi -# Ensure cache directory is created immediately after installation, ignoring failures -systemd-tmpfiles --create /usr/lib/tmpfiles.d/nss-himmelblau.conf 2>/dev/null || systemd-tmpfiles --create /usr/lib/x86_64-linux-gnu/tmpfiles.d/nss-himmelblau.conf 2>/dev/null || true - -%post -n pam-himmelblau -if command -v authselect >/dev/null 2>&1; then - feats="$(authselect current 2>/dev/null | awk '"'"'/Enabled features:/{f=1;next} f && /^-/{print $2}'"'"')" - authselect select himmelblau $feats --force >/dev/null 2>&1 || : - authselect apply-changes >/dev/null 2>&1 || : +# Restart sshd if systemd is available, to make the config change take effect +if command -v systemctl >/dev/null 2>&1; then + echo "Restarting sshd service..." + systemctl restart ssh 2>/dev/null || systemctl restart sshd 2>/dev/null || true fi -%preun -%service_del_preun himmelblaud.service himmelblaud-tasks.service - -%preun -n pam-himmelblau -# $1 is set by RPM: 0=uninstall, 1=upgrade. If your packager doesn’t pass it, we default to 0. 
-if [ "${1:-0}" -ne 0 ]; then exit 0; fi # don’t switch on upgrade -if command -v authselect >/dev/null 2>&1; then - if authselect current 2>/dev/null | grep -qE "^Profile ID:\s+himmelblau$"; then - if [ -d /usr/share/authselect/default/local ]; then base=local - elif [ -d /usr/share/authselect/default/minimal ]; then base=minimal - else base=sssd; fi - feats="$(authselect current 2>/dev/null | awk '"'"'/Enabled features:/{f=1;next} f && /^-/{print $2}'"'"')" - authselect select "$base" $feats --force >/dev/null 2>&1 || : - authselect apply-changes >/dev/null 2>&1 || : - fi +%post -n himmelblau-sso +if command -v update-desktop-database >/dev/null 2>&1; then update-desktop-database -q || true; fi +if [ -d /usr/share/icons/hicolor ] && command -v gtk-update-icon-cache >/dev/null 2>&1; then gtk-update-icon-cache -q /usr/share/icons/hicolor || true; fi + +%postun -n himmelblau-sso +if command -v update-desktop-database >/dev/null 2>&1; then update-desktop-database -q || true; fi +if [ -d /usr/share/icons/hicolor ] && command -v gtk-update-icon-cache >/dev/null 2>&1; then gtk-update-icon-cache -q /usr/share/icons/hicolor || true; fi + +%post -n himmelblau-qr-greeter +if command -v machinectl >/dev/null 2>&1 && getent passwd gdm >/dev/null 2>&1; then + echo "Enabling Himmelblau QR Greeter GNOME Shell extension for GDM user..." + + # Run the gsettings command inside a non-interactive gdm shell. + machinectl --quiet shell gdm@ /bin/bash -lc \ + "gsettings set org.gnome.shell enabled-extensions \"['[email protected]']\"" \ + || echo 'Warning: unable to enable QR Greeter extension for gdm user' >&2 + echo "Himmelblau QR Greeter GNOME Shell extension enabled for GDM user. You must restart for the changes to take effect." +else + echo 'Info: machinectl or gdm user not available; skipping automatic extension enable.' 
>&2 fi -%postun -if [ "$1" -eq 0 ]; then - if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then - semodule -r himmelblaud || : - fi -fi -%service_del_postun himmelblaud.service himmelblaud-tasks.service - %files %dir %{_sysconfdir}/himmelblau %dir %{_localstatedir}/cache/himmelblau-policies +%dir %{_unitdir}/display-manager.service.d %config(noreplace) %{_sysconfdir}/himmelblau/himmelblau.conf %config %{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf -%dir %{_unitdir}/display-manager.service.d %config %{_unitdir}/display-manager.service.d/override.conf +%{_bindir}/aad-tool +%{_unitdir}/himmelblaud-tasks.service +%{_unitdir}/himmelblaud.service %{_sbindir}/himmelblaud -%{_sbindir}/rchimmelblaud %{_sbindir}/himmelblaud_tasks +%{_sbindir}/rchimmelblaud %{_sbindir}/rchimmelblaud_tasks -%{_bindir}/aad-tool -%{_unitdir}/himmelblaud.service -%{_unitdir}/himmelblaud-tasks.service +%dir %{_datadir}/doc/himmelblau +%{_datadir}/doc/himmelblau/README +%{_datadir}/doc/himmelblau/himmelblau.conf.example %{_mandir}/man1/aad-tool.1* %{_mandir}/man5/himmelblau.conf.5* %{_mandir}/man8/himmelblaud.8* %{_mandir}/man8/himmelblaud_tasks.8* +%config %{_tmpfilesdir}/himmelblau-policies.conf +%config %{_tmpfilesdir}/himmelblaud.conf %if 0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000 -%{_selinux_pkgdir}/himmelblaud.pp %dir %{_docdir}/himmelblau-selinux %dir %{_selinux_docdir} +%{_selinux_pkgdir}/himmelblaud.pp %{_selinux_docdir}/himmelblaud.te %{_selinux_docdir}/himmelblaud.fc %endif %files -n libnss_himmelblau2 -%{_libdir}/libnss_%{name}.so.* %dir %{_tmpfilesdir} -%{_tmpfilesdir}/nss-himmelblau.conf -%ghost %attr(0755,root,root) /var/cache/nss-himmelblau +%{_libdir}/libnss_himmelblau.so.2 +%config %{_tmpfilesdir}/nss-himmelblau.conf +%ghost %attr(0755,root,root) /%{_localstatedir}/cache/nss-himmelblau %files -n pam-himmelblau -%{_pam_moduledir}/pam_%{name}.so +%{_pam_moduledir}/pam_himmelblau.so +%if !0%{?suse_version} %dir %{_datadir}/authselect %dir 
%{_datadir}/authselect/vendor %dir %{_datadir}/authselect/vendor/himmelblau %{_datadir}/authselect/vendor/himmelblau/* +%endif %files -n himmelblau-sshd-config -# openssh-server doesn't own /etc/ssh/sshd_config.d before 15.5 +%config %{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf %if 0%{?sle_version} <= 150500 %dir %{_sysconfdir}/ssh/sshd_config.d %endif -%config %{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf %files -n himmelblau-sso -%{_bindir}/linux-entra-sso %dir %{_libdir}/mozilla %dir %{_libdir}/mozilla/native-messaging-hosts -%{_libdir}/mozilla/native-messaging-hosts/linux_entra_sso.json %dir %{_sysconfdir}/firefox %dir %{_sysconfdir}/firefox/policies -%config %{_sysconfdir}/firefox/policies/policies.json -%{_sbindir}/broker -%{_sbindir}/rcbroker -%{_datarootdir}/dbus-1/services/com.microsoft.identity.broker1.service %dir /etc/chromium -%dir /etc/chromium/native-messaging-hosts %dir /etc/chromium/policies -%dir /etc/chromium/policies/managed %dir /etc/opt/chrome -%dir /etc/opt/chrome/native-messaging-hosts %dir /etc/opt/chrome/policies -%dir /etc/opt/chrome/policies/managed %dir /usr/share/google-chrome %dir %{chrome_nm_dir} %dir %{chromium_nm_dir} %dir %attr(0555,root,root) %{chrome_policy_dir} %dir %attr(0555,root,root) %{chromium_policy_dir} %dir %{chrome_ext_dir} -%config %{chrome_nm_dir}/linux_entra_sso.json -%config %{chromium_nm_dir}/linux_entra_sso.json -%config %{chrome_ext_dir}/jlnfnnolkbjieggibinobhkjdfbpcohn.json -%config %{chrome_policy_dir}/himmelblau.json -%config %{chromium_policy_dir}/himmelblau.json +%dir %{_iconsdir}/hicolor +%dir %{_iconsdir}/hicolor/256x256 +%dir %{_iconsdir}/hicolor/256x256/apps %{_bindir}/o365 %{_bindir}/o365-multi %{_bindir}/o365-url-handler %{_datadir}/applications/*.desktop -%dir %{_iconsdir}/hicolor -%dir %{_iconsdir}/hicolor/256x256 -%dir %{_iconsdir}/hicolor/256x256/apps %{_iconsdir}/hicolor/256x256/apps/*.png +%{_bindir}/linux-entra-sso +%config %{_libdir}/mozilla/native-messaging-hosts/linux_entra_sso.json 
+%config %{_sysconfdir}/firefox/policies/policies.json +%config %{chrome_nm_dir}/linux_entra_sso.json +%config %{chromium_nm_dir}/linux_entra_sso.json +%config %{chrome_ext_dir}/jlnfnnolkbjieggibinobhkjdfbpcohn.json +%config %{chrome_policy_dir}/himmelblau.json +%config %{chromium_policy_dir}/himmelblau.json +%{_datadir}/dbus-1/services/com.microsoft.identity.broker1.service +%{_sbindir}/broker +%{_sbindir}/rcbroker %files -n himmelblau-qr-greeter %dir %{_datarootdir}/gnome-shell ++++++ _service ++++++ --- /var/tmp/diff_new_pack.SF65SM/_old 2026-01-17 14:53:59.117261051 +0100 +++ /var/tmp/diff_new_pack.SF65SM/_new 2026-01-17 14:53:59.125261385 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/himmelblau-idm/himmelblau.git</param> <param name="scm">git</param> <param name="revision">stable-2.x</param> - <param name="versionformat">@PARENT_TAG@+git.@TAG_OFFSET@.%h</param> + <param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param> <param name="versionrewrite-pattern">himmelblau-(.*)</param> <param name="versionrewrite-replacement">\1</param> <param name="filename">himmelblau</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.SF65SM/_old 2026-01-17 14:53:59.157262719 +0100 +++ /var/tmp/diff_new_pack.SF65SM/_new 2026-01-17 14:53:59.157262719 +0100 
@@ -3,6 +3,6 @@ <param name="url">https://github.com/openSUSE/himmelblau.git</param> <param name="changesrevision">6d2f6450ff3c0c945a884d4b35307e03a035a581</param></service><service name="tar_scm"> <param name="url">https://github.com/himmelblau-idm/himmelblau.git</param> - <param name="changesrevision">5d26a19e656f605e744e3a4ff9af48cc53eb936d</param></service></servicedata> + <param name="changesrevision">2418ec22e24a8d1410078f884a89752fa4f0e1a1</param></service></servicedata> (No newline at EOF) ++++++ himmelblau-2.0.4+git.2.5d26a19.tar.bz2 -> himmelblau-2.3.1+git0.2418ec2.tar.bz2 ++++++ ++++ 6640 lines of diff (skipped) ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/himmelblau/vendor.tar.zst /work/SRC/openSUSE:Factory/.himmelblau.new.1928/vendor.tar.zst differ: char 7, line 1
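Review bot: in the new %post -n himmelblau-qr-greeter scriptlet, the message "Himmelblau QR Greeter GNOME Shell extension enabled for GDM user. You must restart for the changes to take effect." is echoed unconditionally, so it is printed directly after the warning when the machinectl call fails. Put the call in an if/else so the success message is only reached when the command returns 0. Also, `gsettings set org.gnome.shell enabled-extensions` replaces the whole list, and the scriptlet has no `$1` check, so any other extension enabled for the gdm user is dropped on every install and upgrade. Reading the current value and appending the greeter to it, or skipping the step on upgrade, would avoid that.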
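Review bot: in %files -n libnss_himmelblau2, the new %ghost entry is written as `/%{_localstatedir}/cache/nss-himmelblau`. %{_localstatedir} already starts with a slash, so the path expands with a doubled leading slash; drop the extra `/`. The same section and the main %files list now mark files under %{_tmpfilesdir} as %config (nss-himmelblau.conf, himmelblau-policies.conf, himmelblaud.conf). Those are packaged defaults under /usr, and local overrides belong in /etc/tmpfiles.d, so the %config marker should be dropped or its reason documented in the spec.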
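Review bot: in %files -n himmelblau-sshd-config, the comment "openssh-server doesn't own /etc/ssh/sshd_config.d before 15.5" is removed while the `%if 0%{?sle_version} <= 150500` guard it explained stays. Keep the comment directly above the %if so the reason this package owns the directory on those releases remains documented.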
