summary refs log tree commit diff
diff options
context:
space:
mode:
authorTimotej Lazar <timotej.lazar@araneo.si>2022-05-23 20:54:18 +0200
committerLudovic Courtès <ludo@gnu.org>2022-05-24 17:19:02 +0200
commit3e59d41df031a86e48f6b8ee1ac7a72d3c183f69 (patch)
tree15a60bbe45b2a09e93734c24c9b18e89be23f0f6
parentba708a52fdeb062443dc7174f683665f94b4b48b (diff)
downloadguix-3e59d41df031a86e48f6b8ee1ac7a72d3c183f69.tar.gz
gnu: sssd: Update to 2.7.0.
Add support for renewing AD membership with adcli. Wrap binaries with
LDB_MODULES_PATH. Fix the sss_analyze utility to run without systemd
libraries. Add native inputs to generate man pages and run additional tests
during build.

* gnu/packages/sssd.scm (sssd): Update to 2.7.0.
[patches]: Drop patches applied upstream. Add a patch for sss_analyze.
[inputs]: Add adcli, bash-minimal, jose, keyutils, libnl, pcre2, python.
Drop augeas, pcre.
[native-inputs]: Add cmocka, doxygen, gettext-minimal, libfaketime,
libtool, openssh, po4a, softhsm.
[arguments]: Rewrite in gexp style. Fix configure checks. Remove static
library from install. Wrap binaries to set correct paths.
* gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch,
gnu/packages/patches/sssd-fix-samba-4.15.3.patch,
gnu/packages/patches/sssd-fix-samba.patch: Delete files.
* gnu/packages/patches/sssd-optional-systemd.patch: New file.
* gnu/local.mk (dist_patch_DATA): Update accordingly.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
-rw-r--r--gnu/local.mk4
-rw-r--r--gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch71
-rw-r--r--gnu/packages/patches/sssd-fix-samba-4.15.3.patch523
-rw-r--r--gnu/packages/patches/sssd-fix-samba.patch50
-rw-r--r--gnu/packages/patches/sssd-optional-systemd.patch45
-rw-r--r--gnu/packages/patches/sssd-system-directories.patch44
-rw-r--r--gnu/packages/sssd.scm207
7 files changed, 204 insertions, 740 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 2a74677509..2cadb8c42c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1614,8 +1614,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/sdl-pango-sans-serif.patch		\
   %D%/packages/patches/smalltalk-multiplication-overflow.patch	\
   %D%/packages/patches/sqlite-hurd.patch			\
-  %D%/packages/patches/sssd-collision-with-external-nss-symbol.patch	\
-  %D%/packages/patches/sssd-fix-samba-4.15.3.patch	\
   %D%/packages/patches/strace-readlink-tests.patch		\
   %D%/packages/patches/sunxi-tools-remove-sys-io.patch	\
   %D%/packages/patches/p11-kit-hurd.patch			\
@@ -1829,7 +1827,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/snappy-add-inline-for-GCC.patch		\
   %D%/packages/patches/sphinxbase-fix-doxygen.patch		\
   %D%/packages/patches/spice-vdagent-glib-2.68.patch		\
-  %D%/packages/patches/sssd-fix-samba.patch			\
+  %D%/packages/patches/sssd-optional-systemd.patch		\
   %D%/packages/patches/sssd-system-directories.patch		\
   %D%/packages/patches/steghide-fixes.patch			\
   %D%/packages/patches/suitesparse-mongoose-cmake.patch		\
diff --git a/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch b/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch
deleted file mode 100644
index 9d59ae91be..0000000000
--- a/gnu/packages/patches/sssd-collision-with-external-nss-symbol.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From fe9eeb51be06059721e873f77092b1e9ba08e6c1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
-Date: Thu, 27 Feb 2020 06:50:40 +0100
-Subject: [PATCH] nss: Collision with external nss symbol
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-One of our internal static function names started
-to collide with external nss symbol. Additional
-sss_ suffix was added to avoid the collision.
-
-This is needed to unblock Fedora Rawhide's
-SSSD build.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/responder/nss/nss_cmd.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
-index 356aea1564..02706c4b94 100644
---- a/src/responder/nss/nss_cmd.c
-+++ b/src/responder/nss/nss_cmd.c
-@@ -731,11 +731,13 @@ static void nss_getent_done(struct tevent_req *subreq)
-     talloc_free(cmd_ctx);
- }
- 
--static void nss_setnetgrent_done(struct tevent_req *subreq);
-+static void sss_nss_setnetgrent_done(struct tevent_req *subreq);
- 
--static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
--                               enum cache_req_type type,
--                               nss_protocol_fill_packet_fn fill_fn)
-+/* This function's name started to collide with external nss symbol,
-+ * so it has additional sss_* prefix unlike other functions here. */
-+static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx,
-+                                   enum cache_req_type type,
-+                                   nss_protocol_fill_packet_fn fill_fn)
- {
-     struct nss_ctx *nss_ctx;
-     struct nss_state_ctx *state_ctx;
-@@ -777,7 +779,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
-         goto done;
-     }
- 
--    tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx);
-+    tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx);
- 
-     ret = EOK;
- 
-@@ -790,7 +792,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
-     return EOK;
- }
- 
--static void nss_setnetgrent_done(struct tevent_req *subreq)
-+static void sss_nss_setnetgrent_done(struct tevent_req *subreq)
- {
-     struct nss_cmd_ctx *cmd_ctx;
-     errno_t ret;
-@@ -1040,8 +1042,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx)
- 
- static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx)
- {
--    return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
--                           nss_protocol_fill_setnetgrent);
-+    return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
-+                               nss_protocol_fill_setnetgrent);
- }
- 
- static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx)
diff --git a/gnu/packages/patches/sssd-fix-samba-4.15.3.patch b/gnu/packages/patches/sssd-fix-samba-4.15.3.patch
deleted file mode 100644
index 731daa0ed9..0000000000
--- a/gnu/packages/patches/sssd-fix-samba-4.15.3.patch
+++ /dev/null
@@ -1,523 +0,0 @@
-From 3ba88c317fd64b69b000adbdf881c88383f325d1 Mon Sep 17 00:00:00 2001
-From: Noel Power <noel.power@suse.com>
-Date: Tue, 24 Mar 2020 13:37:07 +0000
-Subject: [PATCH] Use ndr_pull_steal_switch_value for modern samba versions
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit bc56b10aea999284458dcc293b54cf65288e325d attempted to
-fix the build error resulting from removal of 'ndr_pull_get_switch'
-
-This change uses the new replacement method
-'ndr_pull_steal_switch_value' however depending on the samba version
-the ndr_pull_steal_switch_value abi is different.
-
-Note: ndr_pull_steal_switch_value is used since samba 4.10 for
-      the affected methods
-
-Note: the following methods have been refreshed from samba-4.12 generated
-      code;
-
-    o ndr_pull_security_ace_object_type
-    o ndr_pull_security_ace_object_inherited_type
-    o ndr_pull_security_ace_object_ctr
-
-Signed-off-by: Noel Power <noel.power@suse.com>
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc)
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/external/samba.m4         |  9 ++++++-
- src/providers/ad/ad_gpo_ndr.c | 45 ++++++++++++++++++++---------------
- 2 files changed, 34 insertions(+), 20 deletions(-)
-
-diff --git a/src/external/samba.m4 b/src/external/samba.m4
-index 089f602a60..8e06174ead 100644
---- a/src/external/samba.m4
-+++ b/src/external/samba.m4
-@@ -132,8 +132,15 @@ int main(void)
-         AC_DEFINE_UNQUOTED(SMB_IDMAP_DOMAIN_HAS_DOM_SID, 1,
-                            [Samba's struct idmap_domain has dom_sid member])
-         AC_MSG_NOTICE([Samba's struct idmap_domain has dom_sid member])
-+        if test $samba_minor_version -ge 12 ; then
-+            AC_DEFINE_UNQUOTED(SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH, 1,
-+                               [Samba's new push/pull switch functions])
-+            AC_MSG_NOTICE([Samba has support for new ndr_push_steal_switch_value and ndr_pull_steal_switch_value functions])
-+        else
-+            AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions])
-+        fi
-     else
-         AC_MSG_NOTICE([Samba's struct idmap_domain does not have dom_sid member])
-+        AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions])
-     fi
--
- fi
-
- SAVE_CFLAGS=$CFLAGS
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index 49c49d71b2..3d389e513d 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -105,9 +105,14 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
-                                   union security_ace_object_type *r)
- {
-     uint32_t level;
--    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
-+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
-+#else
-+        level = ndr_pull_steal_switch_value(ndr, r);
-+#endif
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-         switch (level) {
-         case SEC_ACE_OBJECT_TYPE_PRESENT: {
-@@ -117,14 +122,6 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
-             break; }
-         }
-     }
--    if (ndr_flags & NDR_BUFFERS) {
--        switch (level) {
--        case SEC_ACE_OBJECT_TYPE_PRESENT:
--            break;
--        default:
--            break;
--        }
--    }
-     return NDR_ERR_SUCCESS;
- }
-
-@@ -135,9 +132,14 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
-                                             union security_ace_object_inherited_type *r)
- {
-     uint32_t level;
--    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
-+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
-+#else
-+        level = ndr_pull_steal_switch_value(ndr, r);
-+#endif
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-         switch (level) {
-         case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: {
-@@ -149,14 +151,6 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
-             break; }
-         }
-     }
--    if (ndr_flags & NDR_BUFFERS) {
--        switch (level) {
--        case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT:
--            break;
--        default:
--            break;
--        }
--    }
-     return NDR_ERR_SUCCESS;
- }
-
-@@ -198,9 +192,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
-                                  union security_ace_object_ctr *r)
- {
-     uint32_t level;
--    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
-+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
-+#else
-+        level = ndr_pull_steal_switch_value(ndr, r);
-+#endif
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-         switch (level) {
-         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: {
-@@ -224,6 +223,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
-         }
-     }
-     if (ndr_flags & NDR_BUFFERS) {
-+        if (!(ndr_flags & NDR_SCALARS)) {
-+            /* We didn't get it above, and the token is not needed after this. */
-+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-+            NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
-+#else
-+            level = ndr_pull_steal_switch_value(ndr, r);
-+#endif
-+        }
-         switch (level) {
-         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
-             NDR_CHECK(ndr_pull_security_ace_object
-From 5285a1896ee19bb8f1ff752380547bc6d7a43334 Mon Sep 17 00:00:00 2001
-From: Noel Power <noel.power@suse.com>
-Date: Tue, 24 Mar 2020 18:14:34 +0000
-Subject: [PATCH] ad_gpo_ndr.c: refresh ndr_ methods from samba-4.12
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Noel Power <noel.power@suse.com>
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit c031adde4f532f39845a0efd78693600f1f8b2f4)
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/providers/ad/ad_gpo_ndr.c | 201 ++++++++++++++++++----------------
- 1 file changed, 106 insertions(+), 95 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index 3d389e513d..a64b1a0f84 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -177,8 +177,16 @@ ndr_pull_security_ace_object(struct ndr_pull *ndr,
-         NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
-     }
-     if (ndr_flags & NDR_BUFFERS) {
-+        NDR_CHECK(ndr_pull_set_switch_value
-+                  (ndr,
-+                   &r->type,
-+                   r->flags & SEC_ACE_OBJECT_TYPE_PRESENT));
-         NDR_CHECK(ndr_pull_security_ace_object_type
-                   (ndr, NDR_BUFFERS, &r->type));
-+        NDR_CHECK(ndr_pull_set_switch_value
-+                  (ndr,
-+                   &r->inherited_type,
-+                   r->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT));
-         NDR_CHECK(ndr_pull_security_ace_object_inherited_type
-                   (ndr, NDR_BUFFERS, &r->inherited_type));
-     }
-@@ -342,7 +350,7 @@ ndr_pull_security_acl(struct ndr_pull *ndr,
-                   (ndr, NDR_SCALARS, &r->revision));
-         NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
-         NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_aces));
--        if (r->num_aces > 1000) {
-+        if (r->num_aces > 2000) {
-             return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
-         }
-         size_aces_0 = r->num_aces;
-@@ -408,107 +416,110 @@ ad_gpo_ndr_pull_security_descriptor(struct ndr_pull *ndr,
-     TALLOC_CTX *_mem_save_sacl_0;
-     uint32_t _ptr_dacl;
-     TALLOC_CTX *_mem_save_dacl_0;
--    uint32_t _flags_save_STRUCT = ndr->flags;
--    uint32_t _relative_save_offset;
--
--    ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN);
--    NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
--    if (ndr_flags & NDR_SCALARS) {
--        NDR_CHECK(ndr_pull_align(ndr, 5));
--        NDR_CHECK(ndr_pull_security_descriptor_revision(ndr,
-+    {
-+        uint32_t _flags_save_STRUCT = ndr->flags;
-+        ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN);
-+        NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-+        if (ndr_flags & NDR_SCALARS) {
-+            NDR_CHECK(ndr_pull_align(ndr, 5));
-+            NDR_CHECK(ndr_pull_security_descriptor_revision(ndr,
-+                                                            NDR_SCALARS,
-+                                                            &r->revision));
-+            NDR_CHECK(ndr_pull_security_descriptor_type(ndr,
-                                                         NDR_SCALARS,
--                                                        &r->revision));
--        NDR_CHECK(ndr_pull_security_descriptor_type(ndr,
--                                                    NDR_SCALARS,
--                                                    &r->type));
--        NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid));
--        if (_ptr_owner_sid) {
--            NDR_PULL_ALLOC(ndr, r->owner_sid);
--            NDR_CHECK(ndr_pull_relative_ptr1(ndr,
--                                             r->owner_sid,
--                                             _ptr_owner_sid));
--        } else {
--            r->owner_sid = NULL;
--        }
--        NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid));
--        if (_ptr_group_sid) {
--            NDR_PULL_ALLOC(ndr, r->group_sid);
--            NDR_CHECK(ndr_pull_relative_ptr1(ndr,
--                                             r->group_sid,
--                                             _ptr_group_sid));
--        } else {
--            r->group_sid = NULL;
--        }
--        NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl));
--        if (_ptr_sacl) {
--            NDR_PULL_ALLOC(ndr, r->sacl);
--            NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, _ptr_sacl));
--        } else {
--            r->sacl = NULL;
--        }
--        NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl));
--        if (_ptr_dacl) {
--            NDR_PULL_ALLOC(ndr, r->dacl);
--            NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl));
--        } else {
--            r->dacl = NULL;
--        }
--        NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
--    }
--    if (ndr_flags & NDR_BUFFERS) {
--        if (r->owner_sid) {
--            _relative_save_offset = ndr->offset;
--            NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid));
--            _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
--            NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0);
--            NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid));
--            NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0);
--            if (ndr->offset > ndr->relative_highest_offset) {
--                ndr->relative_highest_offset = ndr->offset;
-+                                                        &r->type));
-+            NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid));
-+            if (_ptr_owner_sid) {
-+                NDR_PULL_ALLOC(ndr, r->owner_sid);
-+                NDR_CHECK(ndr_pull_relative_ptr1(ndr,
-+                                                 r->owner_sid,
-+                                                 _ptr_owner_sid));
-+            } else {
-+                r->owner_sid = NULL;
-             }
--            ndr->offset = _relative_save_offset;
--        }
--        if (r->group_sid) {
--            _relative_save_offset = ndr->offset;
--            NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid));
--            _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
--            NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0);
--            NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid));
--            NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0);
--            if (ndr->offset > ndr->relative_highest_offset) {
--                ndr->relative_highest_offset = ndr->offset;
-+            NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid));
-+            if (_ptr_group_sid) {
-+                NDR_PULL_ALLOC(ndr, r->group_sid);
-+                NDR_CHECK(ndr_pull_relative_ptr1(ndr,
-+                                                 r->group_sid,
-+                                                 _ptr_group_sid));
-+            } else {
-+                r->group_sid = NULL;
-             }
--            ndr->offset = _relative_save_offset;
--        }
--        if (r->sacl) {
--            _relative_save_offset = ndr->offset;
--            NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->sacl));
--            _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
--            NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0);
--            NDR_CHECK(ndr_pull_security_acl(ndr,
--                                            NDR_SCALARS|NDR_BUFFERS,
--                                            r->sacl));
--            NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0);
--            if (ndr->offset > ndr->relative_highest_offset) {
--                ndr->relative_highest_offset = ndr->offset;
-+            NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl));
-+            if (_ptr_sacl) {
-+                NDR_PULL_ALLOC(ndr, r->sacl);
-+                NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, _ptr_sacl));
-+            } else {
-+                r->sacl = NULL;
-             }
--            ndr->offset = _relative_save_offset;
-+            NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl));
-+            if (_ptr_dacl) {
-+                NDR_PULL_ALLOC(ndr, r->dacl);
-+                NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl));
-+            } else {
-+                r->dacl = NULL;
-+            }
-+            NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
-         }
--        if (r->dacl) {
--            _relative_save_offset = ndr->offset;
--            NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl));
--            _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
--            NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0);
--            NDR_CHECK(ndr_pull_security_acl(ndr,
--                                            NDR_SCALARS|NDR_BUFFERS,
--                                            r->dacl));
--            NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0);
--            if (ndr->offset > ndr->relative_highest_offset) {
--                ndr->relative_highest_offset = ndr->offset;
-+        if (ndr_flags & NDR_BUFFERS) {
-+            if (r->owner_sid) {
-+                uint32_t _relative_save_offset;
-+                _relative_save_offset = ndr->offset;
-+                NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid));
-+                _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
-+                NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0);
-+                NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid));
-+                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0);
-+                if (ndr->offset > ndr->relative_highest_offset) {
-+                    ndr->relative_highest_offset = ndr->offset;
-+                }
-+                ndr->offset = _relative_save_offset;
-+            }
-+            if (r->group_sid) {
-+                uint32_t _relative_save_offset;
-+                _relative_save_offset = ndr->offset;
-+                NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid));
-+                _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
-+                NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0);
-+                NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid));
-+                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0);
-+                if (ndr->offset > ndr->relative_highest_offset) {
-+                    ndr->relative_highest_offset = ndr->offset;
-+                }
-+                ndr->offset = _relative_save_offset;
-+            }
-+            if (r->sacl) {
-+                uint32_t _relative_save_offset;
-+                _relative_save_offset = ndr->offset;
-+                NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->sacl));
-+                _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
-+                NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0);
-+                NDR_CHECK(ndr_pull_security_acl(ndr,
-+                                                NDR_SCALARS|NDR_BUFFERS,
-+                                                r->sacl));
-+                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0);
-+                if (ndr->offset > ndr->relative_highest_offset) {
-+                    ndr->relative_highest_offset = ndr->offset;
-+                }
-+                ndr->offset = _relative_save_offset;
-+            }
-+            if (r->dacl) {
-+                uint32_t _relative_save_offset;
-+                _relative_save_offset = ndr->offset;
-+                NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl));
-+                _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
-+                NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0);
-+                NDR_CHECK(ndr_pull_security_acl(ndr,
-+                                                NDR_SCALARS|NDR_BUFFERS,
-+                                                r->dacl));
-+                NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0);
-+                if (ndr->offset > ndr->relative_highest_offset) {
-+                    ndr->relative_highest_offset = ndr->offset;
-+                }
-+                ndr->offset = _relative_save_offset;
-             }
--            ndr->offset = _relative_save_offset;
-         }
--
-         ndr->flags = _flags_save_STRUCT;
-     }
-     return NDR_ERR_SUCCESS;
-From d5809f6f41ec0dc3fd38f9e4ae917a38bf7dfa43 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 28 May 2020 15:02:43 +0200
-Subject: [PATCH] ad_gpo_ndr.c: more ndr updates
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch add another update to the ndr code which was previously
-updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and
-1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc.
-
-As missing update in ndr_pull_security_ace() cased
-a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was
-added to prevent similar issues in future.
-
-Resolves: https://github.com/SSSD/sssd/issues/5183
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit a7c755672cd277497da3df4714f6d9457b6ac5ae)
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/providers/ad/ad_gpo_ndr.c  |  1 +
- src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++
- 2 files changed, 58 insertions(+)
-
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index a64b1a0f84..9f040dfb03 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr,
-         ndr->offset += pad;
-     }
-     if (ndr_flags & NDR_BUFFERS) {
-+        NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
-         NDR_CHECK(ndr_pull_security_ace_object_ctr
-                   (ndr, NDR_BUFFERS, &r->object));
-     }
-diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c
-index 0589adcc3d..97dbe01794 100644
---- a/src/tests/cmocka/test_ad_gpo.c
-+++ b/src/tests/cmocka/test_ad_gpo.c
-@@ -329,6 +329,60 @@ void test_ad_gpo_ace_includes_client_sid_false(void **state)
-                                         ace_dom_sid, false);
- }
-
-+uint8_t test_sid_data[] = {
-+0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
-+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
-+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
-+0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
-+0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8,
-+0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55,
-+0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00,
-+0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60,
-+0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
-+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
-+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
-+0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
-+0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00,
-+0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00,
-+0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11,
-+0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
-+0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00
-+};
-+
-+void test_ad_gpo_parse_sd(void **state)
-+{
-+    int ret;
-+    struct security_descriptor *sd = NULL;
-+
-+    ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd);
-+    assert_int_equal(ret, EINVAL);
-+
-+    ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd);
-+    assert_int_equal(ret, EOK);
-+    assert_non_null(sd);
-+    assert_int_equal(sd->revision, 1);
-+    assert_int_equal(sd->type, 39940);
-+    assert_null(sd->owner_sid);
-+    assert_null(sd->group_sid);
-+    assert_null(sd->sacl);
-+    assert_non_null(sd->dacl);
-+    assert_int_equal(sd->dacl->revision, 4);
-+    assert_int_equal(sd->dacl->size, 308);
-+    assert_int_equal(sd->dacl->num_aces, 10);
-+    assert_int_equal(sd->dacl->aces[0].type, 0);
-+    assert_int_equal(sd->dacl->aces[0].flags, 0);
-+    assert_int_equal(sd->dacl->aces[0].size, 36);
-+    assert_int_equal(sd->dacl->aces[0].access_mask, 917693);
-+    /* There are more components and ACEs in the security_descriptor struct
-+     * which are not checked here. */
-+
-+    talloc_free(sd);
-+}
-+
- int main(int argc, const char *argv[])
- {
-     poptContext pc;
-@@ -364,6 +418,9 @@ int main(int argc, const char *argv[])
-         cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false,
-                                         ad_gpo_test_setup,
-                                         ad_gpo_test_teardown),
-+        cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd,
-+                                        ad_gpo_test_setup,
-+                                        ad_gpo_test_teardown),
-     };
-
-     /* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/gnu/packages/patches/sssd-fix-samba.patch b/gnu/packages/patches/sssd-fix-samba.patch
deleted file mode 100644
index 714968337a..0000000000
--- a/gnu/packages/patches/sssd-fix-samba.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Fri, 24 Jan 2020 15:17:39 +0100
-Subject: [PATCH] Fix build failure against samba 4.12.0rc1
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The ndr_pull_get_switch() function was dropped, but it was just a wrapper
-around the ndr_token_peek() function, so we can use this approach on both
-old and new versions of libndr.
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/providers/ad/ad_gpo_ndr.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index d573033494..8f405aa62b 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
-                                   union security_ace_object_type *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
-                                             union security_ace_object_inherited_type *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
-@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
-                                  union security_ace_object_ctr *r)
- {
-     uint32_t level;
--    level = ndr_pull_get_switch_value(ndr, r);
-+    level = ndr_token_peek(&ndr->switch_list, r);
-     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-     if (ndr_flags & NDR_SCALARS) {
-         NDR_CHECK(ndr_pull_union_align(ndr, 4));
diff --git a/gnu/packages/patches/sssd-optional-systemd.patch b/gnu/packages/patches/sssd-optional-systemd.patch
new file mode 100644
index 0000000000..0784fdc7aa
--- /dev/null
+++ b/gnu/packages/patches/sssd-optional-systemd.patch
@@ -0,0 +1,45 @@
+Allow running sss_analyze without Python modules for systemd.
+Upstream PR: https://github.com/SSSD/sssd/pull/6125
+
+diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
+index b96a23c05..28ac2f194 100644
+--- a/src/tools/analyzer/modules/request.py
++++ b/src/tools/analyzer/modules/request.py
+@@ -1,8 +1,6 @@
+ import re
+ import logging
+ 
+-from sssd.source_files import Files
+-from sssd.source_journald import Journald
+ from sssd.parser import SubparsersAction
+ from sssd.parser import Option
+ 
+@@ -77,8 +75,10 @@ class RequestAnalyzer:
+             Instantiated source object
+         """
+         if args.source == "journald":
++            from sssd.source_journald import Journald
+             source = Journald()
+         else:
++            from sssd.source_files import Files
+             source = Files(args.logdir)
+         return source
+ 
+@@ -143,7 +143,7 @@ class RequestAnalyzer:
+             self.consumed_logs.append(line.rstrip(line[-1]))
+         else:
+             # files source includes newline
+-            if isinstance(source, Files):
++            if type(source).__name__ == 'Files':
+                 print(line, end='')
+             else:
+                 print(line)
+@@ -225,7 +225,7 @@ class RequestAnalyzer:
+         source.set_component(component, False)
+         self.done = ""
+         for line in self.matched_line(source, patterns):
+-            if isinstance(source, Journald):
++            if type(source).__name__ == 'Journald':
+                 print(line)
+             else:
+                 self.print_formatted(line, args.verbose)
diff --git a/gnu/packages/patches/sssd-system-directories.patch b/gnu/packages/patches/sssd-system-directories.patch
index f2ab0182e1..ce0dcf5d4d 100644
--- a/gnu/packages/patches/sssd-system-directories.patch
+++ b/gnu/packages/patches/sssd-system-directories.patch
@@ -1,29 +1,29 @@
 Do not attempt to create $localstatedir and $sysconfdir (i.e., /var and /etc)
 upon "make install".
 
-diff --git a/Makefile.in b/Makefile.in
-index c32cb7d..77a5c00 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -7991,7 +7991,7 @@ sssdconfdir = $(sysconfdir)/sssd
- sssddatadir = $(datadir)/sssd
+diff --git a/Makefile.am b/Makefile.am
+index 0de53a2c8..51ad57bf1 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -58,7 +58,7 @@ sssddatadir = $(datadir)/sssd
  sssdapiplugindir = $(sssddatadir)/sssd.api.d
  sssdtapscriptdir = $(sssddatadir)/systemtap
+ krb5snippetsdir = $(sssddatadir)/krb5-snippets
 -dbuspolicydir = $(sysconfdir)/dbus-1/system.d
 +dbuspolicydir = $(prefix)/etc/dbus-1/system.d
  dbusservicedir = $(datadir)/dbus-1/system-services
  sss_statedir = $(localstatedir)/lib/sss
- pamlibdir = @pammoddir@
-@@ -8000,7 +8000,7 @@ nfslibdir = @nfsidmaplibdir@
- keytabdir = $(sss_statedir)/keytabs
- pkgconfigdir = $(libdir)/pkgconfig
+ runstatedir = @runstatedir@
+@@ -85,7 +85,7 @@ pkgconfigdir = $(libdir)/pkgconfig
+ krb5rcachedir = @krb5rcachedir@
  sudolibdir = @sudolibpath@
+ polkitdir = @polkitdir@
 -pamconfdir = $(sysconfdir)/pam.d
 +pamconfdir = $(prefix)/etc/pam.d
  systemtap_tapdir = @tapset_dir@
  sssdkcmdatadir = $(datadir)/sssd-kcm
  deskprofilepath = $(sss_statedir)/deskprofile
-@@ -43733,7 +43733,6 @@ installsssddirs::
+@@ -5195,7 +5195,6 @@ installsssddirs::
      $(DESTDIR)$(bindir) \
      $(DESTDIR)$(sbindir) \
      $(DESTDIR)$(mandir) \
@@ -31,15 +31,18 @@ index c32cb7d..77a5c00 100644
      $(DESTDIR)$(pluginpath) \
      $(DESTDIR)$(libdir)/ldb \
      $(DESTDIR)$(dbuspolicydir) \
-@@ -43743,22 +43742,9 @@ installsssddirs::
+@@ -5205,24 +5204,12 @@ installsssddirs::
      $(DESTDIR)$(sssddatadir) \
      $(DESTDIR)$(sudolibdir) \
      $(DESTDIR)$(autofslibdir) \
 -    $(DESTDIR)$(pipepath)/private \
+     $(DESTDIR)$(krb5snippetsdir) \
 -    $(SSSD_USER_DIRS) \
      $(NULL);
- @SSSD_USER_TRUE@	-chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
- @SSSD_USER_TRUE@	-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
+ if SSSD_USER
+ 	-chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+ 	-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
+ endif
 -	$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
 -	    $(DESTDIR)$(keytabdir) \
 -	    $(NULL)
@@ -50,7 +53,14 @@ index c32cb7d..77a5c00 100644
 -	$(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) \
 -                          $(DESTDIR)$(sssdconfdir)/conf.d \
 -                          $(DESTDIR)$(sssdconfdir)/pki
--@BUILD_SECRETS_TRUE@	$(MKDIR_P) $(DESTDIR)$(secdbpath)
  
- @HAVE_DOXYGEN_TRUE@docs:
- @HAVE_DOXYGEN_TRUE@	$(DOXYGEN) src/doxy.config
+ if HAVE_DOXYGEN
+ docs:
+@@ -5338,7 +5325,6 @@ if BUILD_SAMBA
+ endif
+ if BUILD_KCM
+ 	$(MKDIR_P) $(DESTDIR)/$(sssdkcmdatadir)
+-	$(MKDIR_P) $(DESTDIR)$(secdbpath)
+ endif
+ 
+ uninstall-hook:
diff --git a/gnu/packages/sssd.scm b/gnu/packages/sssd.scm
index 5457991952..2b4322d6d8 100644
--- a/gnu/packages/sssd.scm
+++ b/gnu/packages/sssd.scm
@@ -24,22 +24,28 @@
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix gexp)
   #:use-module (guix git-download)
   #:use-module (guix utils)
+  #:use-module (guix build utils)
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages)
   #:use-module (gnu packages)
   #:use-module (gnu packages adns)
   #:use-module (gnu packages augeas)
   #:use-module (gnu packages autotools)
+  #:use-module (gnu packages bash)
   #:use-module (gnu packages check)
+  #:use-module (gnu packages crypto)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages cyrus-sasl)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages dns)
   #:use-module (gnu packages docbook)
   #:use-module (gnu packages documentation)
+  #:use-module (gnu packages gettext)
   #:use-module (gnu packages glib)
+  #:use-module (gnu packages jose)
   #:use-module (gnu packages kerberos)
   #:use-module (gnu packages libunistring)
   #:use-module (gnu packages linux)
@@ -49,8 +55,11 @@
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages popt)
   #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages python)
   #:use-module (gnu packages samba)
+  #:use-module (gnu packages security-token)
   #:use-module (gnu packages selinux)
+  #:use-module (gnu packages ssh)
   #:use-module (gnu packages web)
   #:use-module (gnu packages xml))
 
@@ -136,93 +145,128 @@ dynamically-growing, reference-counted array; libbasicobjects, a set of
 fundamental object types for C.")
     (license license:lgpl3+)))
 
-;; Note: This package installs modules for ldb and nss.  For the former we
-;; need to set LDB_MODULES_PATH.  For the latter LD_PRELOAD or LD_LIBRARY_PATH
-;; is needed.
 (define-public sssd
   (package
     (name "sssd")
-    (version "1.16.5")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://releases.pagure.org/SSSD/sssd/"
-                                  "sssd-" version ".tar.gz"))
-              (sha256
-               (base32
-                "1h6hwibaf3xa2w6qpzjiiywmfj6zkgbz4r2isf3gd0xm6vq7n6if"))
-              (patches (search-patches "sssd-fix-samba.patch"
-                                       "sssd-system-directories.patch"
-                                       "sssd-collision-with-external-nss-symbol.patch"
-                                       "sssd-fix-samba-4.15.3.patch"))))
+    (version "2.7.0")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/SSSD/sssd")
+             (commit version)))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32 "05pw5lg410vc2yc3k4hqfsbyr9k4k18qb61gbh9xz7fcjpcysqv8"))
+       (patches (search-patches "sssd-optional-systemd.patch"
+                                "sssd-system-directories.patch"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags
-       (list (string-append "DOCBOOK_XSLT="
-                            (assoc-ref %build-inputs "docbook-xsl")
-                            "/xml/xsl/docbook-xsl-"
-                            ,(package-version docbook-xsl)
-                            "/manpages/docbook.xsl")
-             ;; Remove "--postvalid" option, because that requires access to
-             ;; online DTDs.
-             "XMLLINT_FLAGS = --catalogs --nonet --noent --xinclude --noout")
-       #:configure-flags
-       (list "--localstatedir=/var" ;for /var/lib/sss, /var/run/sssd.pid, etc.
-             "--sysconfdir=/etc"    ;/etc/sssd
+     (list
+      #:make-flags
+      #~(list (string-append "CFLAGS=-DRENEWAL_PROG_PATH=\\\""
+                             #$(this-package-input "adcli") "/sbin/adcli"
+                             "\\\"")
+              (string-append "DOCBOOK_XSLT="
+                             #$(this-package-native-input "docbook-xsl")
+                             "/xml/xsl/docbook-xsl-"
+                             #$(package-version (this-package-native-input "docbook-xsl"))
+                             "/manpages/docbook.xsl")
+              ;; Remove "--postvalid" option, because that requires access to
+              ;; online DTDs.
+              "XMLLINT_FLAGS = --catalogs --nonet --noent --xinclude --noout")
+      #:configure-flags
+      #~(list "--localstatedir=/var" ; for /var/lib/sss, /var/run/sssd.pid, etc.
+              "--sysconfdir=/etc"    ; /etc/sssd
 
-             "--disable-cifs-idmap-plugin"
-             "--without-nfsv4-idmapd-plugin"
-             "--without-python2-bindings"
-             "--without-python3-bindings"
-             (string-append "--with-plugin-path="
-                            (assoc-ref %outputs "out")
-                            "/lib/sssd")
-             (string-append "--with-krb5-plugin-path="
-                            (assoc-ref %outputs "out")
-                            "/lib/krb5/plugins/libkrb5")
-             (string-append "--with-cifs-plugin-path="
-                            (assoc-ref %outputs "out")
-                            "/lib/cifs-utils")
-             (string-append "--with-init-dir="
-                            (assoc-ref %outputs "out")
-                            "/etc/init.d")
-             (string-append "--with-ldb-lib-dir="
-                            (assoc-ref %outputs "out")
-                            "/lib/ldb/modules/ldb")
-             (string-append "--with-xml-catalog-path="
-                            (assoc-ref %build-inputs "docbook-xml")
-                            "/xml/dtd/docbook/catalog.xml"))
-       #:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'disable-failing-test
-           (lambda _
-             (substitute* "src/tests/responder_socket_access-tests.c"
-               (("tcase_add_test\\(tc_utils, resp_str_to_array_test\\);") ""))
-             #t))
-         (add-after 'unpack 'add-config-in
-           (lambda _
-             (let ((config.h (open-file "config.h.in" "a")))
-               (display (string-append "
-/* Missing in commits on original repo, dunno why but won't work without. */
-#undef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
-")
-                        config.h)
-               (close config.h))))
-         (add-before 'configure 'autoconf
-           (lambda _
-             (invoke "autoconf"))))))
+              "--disable-cifs-idmap-plugin"
+              "--without-nfsv4-idmapd-plugin"
+              (string-append "--with-plugin-path="
+                             #$output "/lib/sssd")
+              (string-append "--with-krb5-plugin-path="
+                             #$output "/lib/krb5/plugins/libkrb5")
+              (string-append "--with-cifs-plugin-path="
+                             #$output "/lib/cifs-utils")
+              (string-append "--with-init-dir="
+                             #$output "/etc/init.d")
+              (string-append "--with-ldb-lib-dir="
+                             #$output "/lib/ldb/modules/ldb")
+              (string-append "--with-xml-catalog-path="
+                             #$(this-package-native-input "docbook-xml")
+                             "/xml/dtd/docbook/catalog.xml"))
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'patch-source-shebangs 'patch-more-shebangs
+            (lambda _
+              (substitute* '("src/tools/analyzer/sss_analyze"
+                             "src/tools/sss_obfuscate")
+                (("#!/usr/bin/.*python")
+                 (string-append "#!" #$(this-package-input "python") "/bin/python3")))))
+          (add-before 'bootstrap 'fix-configure-macros
+            (lambda _
+              ;; A configure test for nsupdate realm support fails without this.
+              (substitute* "src/external/nsupdate.m4"
+                (("\\$NSUPDATE ") "$NSUPDATE -i "))
+              ;; Let tests find softhsm lib.
+              (substitute* "src/external/test_ca.m4"
+                (("/usr/lib/softhsm")
+                 (string-append #$(this-package-native-input "softhsm")
+                                "/lib/softhsm")))))
+          (add-before 'configure 'disable-failing-tests
+            (lambda _
+              ;; Disable tests that needs /etc/passwd.
+              (substitute* "Makefile.am"
+                (("pam-srv-tests") "")
+                (("test-negcache") ""))
+              ;; This test fails for unknown reason.
+              (substitute* "src/tests/responder_socket_access-tests.c"
+                (("tcase_add_test\\(tc_utils, resp_str_to_array_test\\);") ""))))
+          (add-before 'check 'set-libpython-path
+            (lambda _
+              (setenv "LD_LIBRARY_PATH"
+                      (string-append #$(this-package-input "python") "/lib"))))
+          (add-after 'install 'remove-static-libs
+            (lambda _
+              ;; Remove a static library that produces a (harmless) warning
+              ;; when starting a program that uses sssd’s LDB modules.
+              (delete-file
+               (string-append #$output "/lib/ldb/modules/ldb/memberof.la"))))
+          (add-after 'install 'wrap-binaries
+            (lambda _
+              (with-directory-excursion #$output
+                ;; Set path to LDB modules for sssd and utilities.
+                (for-each (lambda (bin)
+                            (wrap-program (string-append "sbin/" bin)
+                              `("LDB_MODULES_PATH" ":" prefix
+                                (,(string-append #$output "/lib/ldb/modules/ldb")))))
+                          '("sssd" "sssctl" "sss_cache" "sss_override" "sss_seed"))
+                ;; Set path to sssd’s site-packages for scripts.
+                (for-each (lambda (script)
+                            (wrap-program script
+                              `("GUIX_PYTHONPATH" ":" prefix
+                                (,(string-append #$output "/lib/python"
+                                                 #$(version-major+minor
+                                                    (package-version
+                                                     (this-package-input "python")))
+                                                 "/site-packages")))))
+                          '("libexec/sssd/sss_analyze" "sbin/sss_obfuscate"))))))))
     (inputs
-     (list augeas
-           `(,isc-bind "utils")
+     (list adcli
+           bash-minimal
            c-ares
-           curl
+           curl ; for OpenID Connect support
            cyrus-sasl
            dbus
            ding-libs
            glib
            gnutls
            http-parser
+           `(,isc-bind "utils")
            jansson
+           jose ; for OpenID Connect support
+           keyutils
            ldb
+           libnl
            libselinux
            libsemanage
            libunistring
@@ -231,21 +275,32 @@ fundamental object types for C.")
            nss
            openldap
            openssl
-           pcre
+           p11-kit ; for PKCS#11 support
+           pcre2
            popt
+           python
            samba
            talloc
            tdb
            tevent))
     (native-inputs
-     (list autoconf-2.69
-           check-0.14
-           docbook-xsl
+     (list autoconf
+           automake
+           check ; for tests
+           cmocka ; for tests
            docbook-xml
+           docbook-xsl
+           doxygen
+           gettext-minimal
+           libfaketime ; for tests
+           libtool
            libxml2 ; for xmllint
            libxslt
+           openssh ; for tests
            pkg-config
-           `(,util-linux "lib"))) ;for uuid.h, reqired for KCM
+           po4a
+           softhsm ; for tests
+           `(,util-linux "lib"))) ; for uuid.h, reqired for KCM
     (home-page "https://pagure.io/SSSD/sssd/")
     (synopsis "System security services daemon")
     (description "SSSD is a system daemon.  Its primary function is to provide