[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 135 commits: tests: convert multihost/basic/test_basic to test_kcm and test_authentication

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Thu Jan 18 10:15:38 GMT 2024



Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd


Commits:
0a429107 by Patrik Rosecky at 2023-09-08T14:41:29+02:00
tests: convert multihost/basic/test_basic to test_kcm and test_authentication

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 376534022aebf11d23ee2b70ef13d17ca3842aea)

- - - - -
f1a11708 by Jakub Vavra at 2023-09-11T10:31:26+02:00
Tests: Print krb5.conf when joining realm.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 6540a67c9dac1c4b1c313797b169a32d94702819)

- - - - -
cb1c59c7 by Jakub Vavra at 2023-09-11T10:31:26+02:00
Tests: Split package installation to different transactions.

When a package is missing/broken, dnf does not install anything;
on Fedora this prevented automation from working properly.
This way the "optional" packages are installed separately.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 8fc5aadb1fbdf3ae1fdacc9dc9855db87f521650)

- - - - -
f117da5a by Jakub Vavra at 2023-09-11T10:31:26+02:00
Tests: Handle dns with systemd resolved.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit e73efe153dd2e9ee753cf416030e135700434a67)

- - - - -
71ca2053 by Pavel Březina at 2023-09-15T10:50:01+02:00
tests: add sssd_test_framework.markers plugin

This loads additional markers defined in the sssd_test_framework.

Currently, there is only `builtwith` to check if SSSD was built with
particular feature (files-provider only at this moment).

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 233a846e864fe2a364e05d08c3ae91475b5916d1)

- - - - -
674ee267 by Dan Lavu at 2023-09-25T13:41:52+02:00
tests: adding group and importance markers

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit f05d4ec1ecdaef90f3272504dbd9ac6c2e7aa8d8)

- - - - -
ec8f0269 by Jakub Vavra at 2023-09-26T08:16:28+02:00
tests: Add missing pytest marker config.

Reviewed-by: Patrik Rosecky <prosecky at redhat.com>
(cherry picked from commit 39dde256e5e9d226e63898e910b8ffda4428f933)

- - - - -
a4de653f by Sumit Bose at 2023-09-26T16:14:26+02:00
ci: remove unused clang-analyzer from dependencies

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9474e0f4f42375b40e302da727401b9a5e28c2f5)

- - - - -
02bd1d7e by Justin Stephenson at 2023-09-26T16:15:45+02:00
Passkey: Allow kerberos preauth for "false" UV

When IPA passkey configuration sets require-user-verification=false
then the user verification value will be 0. We need to allow this
configuration within the plugin.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 57dac1e29f040a8c65ff815b15b1a8c9b70c276c)

- - - - -
a3111338 by Iker Pedrosa at 2023-09-26T16:15:45+02:00
passkey: omit user-verification

If user-verification is disabled and the key doesn't support it, then
omit it. Otherwise, the authentication will produce an error and the
user will be unable to authenticate.

I have also added a unit-test to check this condition.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit a8daf9790906b7321024fef8e636f9c1b14343ab)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2c05926ed1fa4deab74b80d9faf6e4c26f31f46f)

- - - - -
45fbcd93 by aborah at 2023-09-26T16:18:44+02:00
Tests: Enabling proxy_fast_alias shows "ldb_modify failed: [Invalid attribute syntax]" for id lookups.

Enabling proxy_fast_alias shows "ldb_modify failed: [Invalid attribute syntax]" for id lookups.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit bcbc0b3190e01895ccdce48c60b4966d204bd2f0)

- - - - -
7e45b32a by aborah at 2023-09-26T16:19:42+02:00
Tests: Port rootdse test suite to new test framework.

Port rootdse test suite to new test framework.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 5f3c82d3c9e7ef999ebc2e754be64c81194d68a4)

- - - - -
b86d301c by Alexey Tikhonov at 2023-09-26T16:40:12+02:00
SUDO service: ${DEBUG_LOGGER} was missed for 'sudo'

service in a7277fecf7a65ab6c83b36f009c558cdfbf997d2

Resolves: https://github.com/SSSD/sssd/issues/6920

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 01bee47a1557c0d21c9f35384c53758c70cf97c5)

Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
5469de2f by Justin Stephenson at 2023-09-27T19:39:23+02:00
tests: Improve read write pipe child tests

Add test for multiple reads with a large message, and
add tests for child read/write safe calls.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ae920b9ab3ddb107611f21b842bfddb6077290f1)

- - - - -
00479693 by Justin Stephenson at 2023-09-27T19:39:23+02:00
util: Realloc buffer size for atomic safe read

Realloc and increase the buffer size when safe read returns more
than CHILD_MSG_CHUNK size bytes.

This handles multiple passkey mappings returned from the krb5 child
in kerberos pre-authentication.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1f4fffdb7f57d70151741ea7d844d020250fd309)

- - - - -
0705145c by Alexey Tikhonov at 2023-10-02T09:51:25+02:00
MC: a couple of additions to 'recover from invalid memory cache size' patch

Additions to 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 :

 - handle all invalidations consistently
 - supply a valid pointer to `sss_mmap_cache_validate_or_reinit()`,
   not a pointer to a local var

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 88d8afbb115f18007dcc11f7ebac1b238c3ebd98)

- - - - -
ede391c2 by Justin Stephenson at 2023-10-03T10:50:09+02:00
Passkey: Increase conv message size for prompting

Size needs to handle the prompts for interactive, touch, pin prompt, and
kerberos pre-auth warning message which could all be displayed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 6f8f7c82b2b38220d99395d5d2732281b3cf1867)

- - - - -
583daff7 by Patrik Rosecky at 2023-10-03T10:50:35+02:00
Tests: converted alltests/test_pasword_policy.py to tests/test_ldap.py

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 64422699aed9a0024d39af00462c22dc47a8dfac)

- - - - -
6bba653c by Pavel Březina at 2023-10-03T10:51:01+02:00
ci: install latest SSSD code on IPA server

This allows us to test changes to the server mode as well.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 9dccf7ff61c6dda89300cd36c62830dfff1687ad)

- - - - -
b8b2bfaf by Patrik Rosecky at 2023-10-03T10:52:02+02:00
Tests: alltest/test_sssctl_local.py converted to system/tests/sssctl.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 620af3b3fe160199fa92f49bd03abc91a37a04d7)

- - - - -
7a53c7ac by Patrik Rosecky at 2023-10-03T10:52:44+02:00
Tests: multihost/basic/test_files converted

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ea7273b3d4e93f7cdf5bb6f5defcf1bd38659f8d)

- - - - -
df709da5 by Madhuri Upadhye at 2023-10-03T10:56:39+02:00
tests: add passkey tests for sssctl and non-kerberos authentication

1. Register a key with sssctl
2. Register a key with IPA sssctl command
3. Check authentication of user with IPA, LDAP, AD and Samba

All test cases automated with umockdev.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 66c0a2d00b872db77d59efb41bac66df0cf04c26)

- - - - -
c6ea805e by Alejandro López at 2023-10-06T11:21:19+02:00
NSS: Replace notification message by a less scary one

Replace the message "Unable to find primary gid" by another one that
sounds less scary and is a little bit clearer for users.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2c59fd211a6b35022fb2a4683918d77610f76660)

- - - - -
a9617cff by Patrik Rosecky at 2023-10-06T11:22:02+02:00
Tests:alltests/test_rfc2307.py converted to test_ldap.py

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 8ecfe20efca6696e94f64fbd2a024f6bcd7bb26d)

- - - - -
8d5752f4 by Patrik Rosecky at 2023-10-06T11:22:39+02:00
Tests: alltests/test_sss_cache.py converted to multihost/test_sssctl.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit b07a7552aac1a1bb4985c31e6005771032d9cad6)

- - - - -
129ceaed by licunlong at 2023-10-06T14:04:07+02:00
cli: calculate the wait_time in milliseconds

The timeout we pass in is 300000ms, and we sleep 1s every
time we get a EAGAIN error, so we need to multiply 1000
for sleep_time.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit a997ee7bd9d259e7faf654cb94145c0135df02f8)

- - - - -
3b939ce9 by Scott Poore at 2023-10-10T15:52:06+02:00
Tests: add follow-symlinks to sed for nsswitch

The multihost/alltests/test_automount_from_bash.py test module runs a
sed against /etc/nsswitch.conf which converts it from a link to a file.
This causes issues with authselect in later tests resulting in test
errors.  This can be fixed by adding the --follow-symlinks option.

The restore() from the fixture should return the config to its original
content.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 1082f2563f5cdc7d4f019c3a85bd0c717fc6fd16)

- - - - -
1fa72109 by Alejandro López at 2023-10-11T13:43:21+02:00
KCM: Remove the oldest expired credential if no more space.

:feature: When adding a new credential to KCM and the user has
          already reached their limit, the oldest expired credential
          will be removed to free some space.
          If no expired credential is found to be removed, the operation
          will fail as it happened in the previous versions.

Resolves: https://github.com/SSSD/sssd/issues/6667

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 93ee0159a0f467ced3412d034ec706dd3508901e)

- - - - -
834b5369 by Alejandro López at 2023-10-11T13:43:21+02:00
KCM: Display in the log the limit as set by the user

max_uid_ccaches is unconditionally incremented by 2 in ccdb_secdb_init()
to create space for some internal entries. We cannot just show this
value as it is not what the user configured.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 96d8b77ae6e7d1dd72b9add553935fc4aa6ab2c5)

- - - - -
6218b40f by Jakub Vavra at 2023-10-12T11:23:19+02:00
Tests: Skip tests unstable on other archs and tweak realm join.

Unify realm join for AD params tests to use code with timeout
to prevent suite freezing in sasl authid tests.
Set the whole suite as flaky to retry when realm join freezes.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 88a386e12a11287771d5429b11b066bf6e75e42f)

- - - - -
c799b75d by Jakub Vavra at 2023-10-16T10:23:12+02:00
Tests: Fix AD param sasl tests.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 8264cb573637c08b26c4ff8abcc44e09fd77fec0)

- - - - -
5e35a695 by Alexey Tikhonov at 2023-10-16T10:23:31+02:00
configure: use 'LDB_CFLAGS'

Also add all common *_CFLAGS to cwrap tests.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 421a818f8be269a72c1d78653885ee171ac7c5f5)

- - - - -
c99f684c by Jakub Vavra at 2023-10-16T11:19:12+02:00
Tests: adjoin in test_00015_authselect_cannot_validate_its_own_files

Switch test_00015_authselect_cannot_validate_its_own_files to use adjoin
fixture instead of joining manually.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 4a9f8ebb8032df4b2e8dffb2be80fbd6575b0e7b)

- - - - -
7d73571e by Sumit Bose at 2023-10-16T13:34:48+02:00
utils: enable talloc null tracking

With this patch talloc_enable_null_tracking() is called during
`server_setup()` to make talloc memory usage reports more useful.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 7601918757910994894b9547647602b8c2ac806c)

- - - - -
42face74 by Sumit Bose at 2023-10-16T13:35:17+02:00
proxy: add support for certificate mapping rules

To be able to do local Smartcard authentication, the backend must be able
to map a certificate to a user based on the provided mapping rules.

With this patch the proxy provider is able to handle the certificate
mapping rules and users handled by the proxy provider can be configured
for Smartcard authentication. Besides the mapping rule local Smartcard
authentication should be enabled with the 'local_auth_policy' option in
the backend and with 'pam_cert_auth' in the PAM responder.

:relnote: The proxy provider is now able to handle certificate mapping and
  matching rules and users handled by the proxy provider can be
  configured for local Smartcard authentication. Besides the mapping rule
  local Smartcard authentication should be enabled with the 'local_auth_policy'
  option in the backend and with 'pam_cert_auth' in the PAM responder.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit c38699232594b8bdd79dbeed36b7afa5ba9b0512)

- - - - -
351aab97 by Sumit Bose at 2023-10-16T13:35:17+02:00
intg: add NSS module for nss-wrapper support

The main use case of this NSS module is to run proxy provider tests with
cwrap's nss-wrapper.  The proxy provider loads the NSS modules directly
with dlopen() and is not using glibc's NSS mechanism. Since nss-wrapper
just wraps the standard glibc calls and does not provide an NSS module
on its own we have to use this workaround to make proxy provider work
with nss-wrapper.

DO NOT USE THIS IN /etc/nsswitch.conf, it will cause an infinite loop.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit ffd467430310f0671ba78fa0ef0385426f37d51f)

- - - - -
d3649143 by Sumit Bose at 2023-10-16T13:35:17+02:00
intg: replace files with proxy provider in PAM responder test

This patch replaces the deprecated files provider in the PAM responder
tests with the proxy provider. The straight-forward replacement would be
'proxy_lib_name = files' to use libnss_files.so.2 with the proxy
provider. But the tests are using nss-wrapper which wraps the plain
glibc calls. Because of this the test is using a dedicated NSS module to
work with nss-wrapper.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 54f558966aa515370ee6218793a36d4148c80a73)

- - - - -
25a913ea by Sumit Bose at 2023-10-16T13:35:17+02:00
confdb: add new option for confdb_certmap_to_sysdb()

With this new boolean option the backends calling
confdb_certmap_to_sysdb() can indicate if the certificate mapping rules
should be applied for local users or not, which currently means LDAP
based mapping with a search filter string.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 8952f6d8fea4a0e7e18eebf9e6a9f35d32de93bd)

- - - - -
7668ed6e by Sumit Bose at 2023-10-16T13:35:17+02:00
intg: use file and proxy provider in PAM responder test

All Smartcard authentication related tests are run now with the proxy
provider and the deprecated files provider. If the files provider will
be removed the tests can be removed by reverting this patch.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit f5f8030ad7bc469130ed69abec4c2563eca52e17)

- - - - -
04b6a22b by Sumit Bose at 2023-10-16T13:35:17+02:00
intg: add proxy auth with fallback test

SSSD currently assumed that PAM modules configured for the proxy auth
provider expect passwords as input. If a Smartcard is present during the
authentication, but local Smartcard authentication is not enabled, the
user should see a password prompt.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 4d475e41a5223f4bdabc1465bad4d4f87a911064)

- - - - -
793284ab by Justin Stephenson at 2023-10-18T15:29:20+02:00
man: Improve LDAP security wording

All communication, including the identity provided must be
encrypted to prevent attacks.

Resolves: https://github.com/SSSD/sssd/issues/6681

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a48c7445 by Tomas Halman at 2023-10-18T15:31:33+02:00
dyndns: PTR record updates separately

DNS server does not allow updates for different zones in one
single step. Those updates must be sent separately.

It is complicated and in some cases impossible to detect that
PTR updates do not fit into one zone because it often depends
on DNS server configuration.

With this patch PTR record updates are always sent separately.

Resolves: https://github.com/SSSD/sssd/issues/6956

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit f0bba9d5178d18e7b08aaa58375916d111dfeb59)

- - - - -
aa3616b3 by Dan Lavu at 2023-10-18T15:35:22+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit bd839b85e25701116cb8453e142014973a9c6de9)

- - - - -
c866b531 by Dan Lavu at 2023-10-18T15:35:22+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit cb72984e2d533306489c6161678443ce2fe48661)

- - - - -
3fd19c80 by Dan Lavu at 2023-10-18T15:35:22+02:00
Adding test case for bz2167728

* Cleaned up lines since the character count has increased
* Added test ids to existing tests

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 95678ad7e4f18e47cd67aabe660e0c26c07a2ffa)

- - - - -
9c4f7281 by Iker Pedrosa at 2023-10-23T13:27:56+02:00
man: clarify user credentials for `cache_credentials`

It only applies to passwords, not other authentication mechanisms like
smartcards or passkeys.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 38d334ea040e2f5b0da4a3a37618215658b2c3a8)

- - - - -
9e7a08a8 by Patrik Rosecky at 2023-10-23T13:32:53+02:00
TESTS: topology set to KnownTopologyGroup.AnyProvider

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit ce117ae0c25305a5109d0f663d677a9ccae3b68a)

- - - - -
a9498b12 by Jakub Vavra at 2023-10-25T15:07:33+02:00
Tests: Fix autofs cleanups

Autofs tests were not cleaning properly leaving behind stuck/unresponsive
mounts. This was failing other tests that were executed after these suites.
Tests were stuck when trying to create new local users or listing dirs.

Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 7a3cc7a7be5eb8215709d5074d91567f7b7b60e1)

- - - - -
2bbc8754 by Sumit Bose at 2023-10-25T15:15:27+02:00
ipa: reduce log level of some HBAC log messages

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit a7b19bcb47ddaaaa745a32571b444ee185e79b4c)

- - - - -
fa33c997 by Iker Pedrosa at 2023-10-25T15:59:27+02:00
CI: build passkey for centos-9

Also include RHEL9+ to build passkey in the spec file.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 5a211ec941acde206d52092f5547fc46737f30e5)

- - - - -
9ebaee77 by dependabot[bot] at 2023-10-26T11:34:13+02:00
build(deps): bump DamianReeves/write-file-action

Bumps [DamianReeves/write-file-action](https://github.com/damianreeves/write-file-action) from 41569a7dac64c252caacca7bceefe28b70b38db1 to 0a7fcbe1960c53fc08fe789fa4850d24885f4d84.
- [Release notes](https://github.com/damianreeves/write-file-action/releases)
- [Commits](https://github.com/damianreeves/write-file-action/compare/41569a7dac64c252caacca7bceefe28b70b38db1...0a7fcbe1960c53fc08fe789fa4850d24885f4d84)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0456ecad643428b2ac28c932cb7435c8b914529a)

- - - - -
d154f72d by dependabot[bot] at 2023-10-26T11:34:38+02:00
build(deps): bump actions/checkout from 3 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 2f5b299996ea8e4d0bdded3eb0b020ed311209f9)

- - - - -
66d115cc by dependabot[bot] at 2023-10-26T11:35:01+02:00
build(deps): bump vapier/coverity-scan-action from 1.2.0 to 1.7.0

Bumps [vapier/coverity-scan-action](https://github.com/vapier/coverity-scan-action) from 1.2.0 to 1.7.0.
- [Release notes](https://github.com/vapier/coverity-scan-action/releases)
- [Commits](https://github.com/vapier/coverity-scan-action/compare/v1.2.0...v1.7.0)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit ff42d88994a13c9f130741a13ee7fe4dac63a5df)

- - - - -
155584ee by dependabot[bot] at 2023-10-26T11:36:59+02:00
build(deps): bump linuxdeepin/action-cppcheck

Bumps [linuxdeepin/action-cppcheck](https://github.com/linuxdeepin/action-cppcheck) from 9ef62c4ec8cd5660952cd02c58b83fa57c16a42b to e63fb1d3f321e0467737aa9de7f691360fb1b8fb.
- [Release notes](https://github.com/linuxdeepin/action-cppcheck/releases)
- [Commits](https://github.com/linuxdeepin/action-cppcheck/compare/9ef62c4ec8cd5660952cd02c58b83fa57c16a42b...e63fb1d3f321e0467737aa9de7f691360fb1b8fb)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit cbb107314100bf2be9f55aa2b967a60d149440ca)

- - - - -
380eafa5 by Pavel Březina at 2023-10-27T13:15:33+02:00
intg: return status code for calls requiring it in fake nss module

To avoid gcc warning that a function is not returning value.

```
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_setpwent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:63:1: error: control reaches end of non-void function [-Werror=return-type]
   63 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_endpwent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:77:1: error: control reaches end of non-void function [-Werror=return-type]
   77 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_setgrent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:98:1: error: control reaches end of non-void function [-Werror=return-type]
   98 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_endgrent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:111:1: error: control reaches end of non-void function [-Werror=return-type]
  111 | }
      | ^
```

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 4f5b1a25a0bd108cbba77a63dfe50f64f2249764)

- - - - -
e217fa82 by Pavel Březina at 2023-11-02T13:59:45+01:00
ci: get frozen Fedora releases in the matrix

A Fedora release may be in a frozen state (beta freeze, final freeze),
in such case, it is not temporarily visible under "pending"
but under "frozen".

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 17cf4bbb7e7969d6cba4e1a61ef2bb7b6a879c50)

- - - - -
ef5370e9 by Alexey Tikhonov at 2023-11-03T12:07:18+01:00
SSS_CLIENT: replace `__thread` with `pthread_*specific()`

in sss_client code to properly handle OOM condition (with `__thread`
glibc terminates process in this case).

Solution relies on the fact that `sss_cli_check_socket()` is always
executed first, before touching socket.
Nonetheless, there are sanity guards in setters/getters just in case.

It's possible to move context initialization code into a separate
function and call it in every getter/setter, but probably not worth it.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Carlos O'Donell <codonell at redhat.com>
(cherry picked from commit b0212b04f109875936612a52a7b30a80e5a85ee5)

- - - - -
5a546c84 by Pavel Březina at 2023-11-09T12:23:19+01:00
ipa: do not go offline if group does not have SID

This happens during applying overrides on cached group
during initgroups of trusted user. If the group does not
have SID (its GID is outside the sidgen range), SSSD goes
offline.

Only SSSD running in server_mode is affected.

This patch ignores error in single group and rather continues
processing the remaining groups.

Resolves: https://github.com/SSSD/sssd/issues/6942

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 26047f07c0f7aa61a44543de8674ec7d0904812e)

- - - - -
3da54579 by Sumit Bose at 2023-11-10T11:38:43+01:00
PAM: fix Smartcard offline authentication

Even if a Smartcard was inserted and proper certificates were found
offline authentication with the Smartcard was not possible because the
certificate information was accidentally removed from the reply sent to
the PAM module.

Resolves: https://github.com/SSSD/sssd/issues/7009

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 962e9d0529c5ffd4e9b3c342b038daa5dbaa75e9)

- - - - -
2eae8ab4 by Weblate at 2023-11-13T11:47:40+01:00
po: update translations

(Russian) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ru/

po: update translations

(Polish) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/pl/

po: update translations

(Korean) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

po: update translations

(Georgian) currently translated at 13.2% (95 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ka/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/

po: update translations

(Polish) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/pl/

po: update translations

(Georgian) currently translated at 13.0% (93 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ka/

po: update translations

(Finnish) currently translated at 10.2% (73 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/fi/

- - - - -
d380342b by Pavel Březina at 2023-11-13T11:54:22+01:00
pot: update pot files

- - - - -
ee2e0cd9 by Pavel Březina at 2023-11-13T11:55:21+01:00
Release sssd-2.9.3

- - - - -
ba7b9938 by Iker Pedrosa at 2023-11-14T12:44:46+01:00
CI: clean configure.sh

Support for Fedora 36-, RHEL/CentOS 6 and 7 in master branch ended, so
let's remove them. In addition, Python2 support only exists in
RHEL/CentOS 8, so make only those two distributions use
`python2-bindings`. Finally, include RHEL/CentOS 10 for configurable
features.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 3edc04d17fbfa520f5522293e861227f5119e15f)

- - - - -
31617400 by Iker Pedrosa at 2023-11-14T12:44:46+01:00
CI: clean distro.sh

Support for Fedora 36- in master branch ended, so let's remove them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 39a0de22daa8b95feb280427876732bcbbb22583)

- - - - -
52acc394 by Iker Pedrosa at 2023-11-14T12:44:46+01:00
CI: clean deps.sh

Support for Fedora 36- in master branch ended, so let's remove them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 05ea3f1bec1b1b51e5248c6276ada7870cf03fdc)

- - - - -
776f6e19 by Iker Pedrosa at 2023-11-14T12:44:46+01:00
CI: upload cwrap logs

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 292ef326b4a181d061c59a15fc7819feb8118313)

- - - - -
fd414aae by Jakub Vavra at 2023-11-15T07:02:15+01:00
Tests: Add a test for bz1900973 kcm delete expired tickets

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0f1a6e350584924fd9f18aceae20d04c54bdd845)

- - - - -
f394acee by Alexey Tikhonov at 2023-11-17T14:09:30+01:00
SPEC: 'sssd-proxy' requires 'libsss_certmap.so'

Resolves following rpminspect warning:
```
Subpackage sssd-proxy carries 'Requires: libsss_certmap.so.0()(64bit)' which comes from
subpackage libsss_certmap but does not carry an explicit package version requirement.
Please add 'Requires: libsss_certmap = %{version}-%{release}' to the spec file to avoid
the need to test interoperability between various combinations of old and new subpackages.
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3eae4cc5282e4b76454b358e986da0757bb81d7f)

- - - - -
4b4564c3 by Alexey Tikhonov at 2023-11-17T14:10:35+01:00
UTIL: use proper specifier for 'DEBUG_CHAIN_ID_FMT_*'

Resolves: https://github.com/SSSD/sssd/issues/6790

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2617dcfd6376e0bb0a44cc15b11f0e6531c33960)

- - - - -
1e2af0d1 by Alexey Tikhonov at 2023-11-17T14:10:35+01:00
Don't provide 'uint64_t' as POPT_ARG_LONG.

Sizes might not match on some platforms.

Resolves: https://github.com/SSSD/sssd/issues/6790

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 098bf64a03e5e7c054bd0e40717484d45c93d031)

- - - - -
b536e4b3 by Dan Lavu at 2023-11-28T12:35:11+01:00
tests: consolidation, refactoring and organizing, renaming of some tests

- added markers to pytest.ini
- added markers to tests
- consolidated two sssctl test files into one, sssctl_config_check.py and sssctl.py
- renamed test_id.py, to test_identity.py, just to match the marker groups
- renamed the test cases in test_identity.py to be more readable
- renamed test_ldap_extra_attrs.py to test_schema.py , after looking at the tests, its testing the schema attributes
- appended test_shadow.py to test_ldap.py , tests shadowlastchange = 0 in LDAP

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 92e85f1a135c89bca17cbd8c7efe8562d2c5beca)

- - - - -
469ddcbf by Alejandro López at 2023-11-28T13:23:18+01:00
LOGROTATE: logrotate should also signal sssd_kcm

sssd_kcm is not registered with SSSD's monitor, so it is not signaled
when it must restart the log. Adding this command will directly signal
sssd_kcm (in addition to the monitor).

If sssd_kcm is also running in one or more containers, they will also
receive the signal. Because only the log files in the host were rotated,
the instances in the containers will go on using the same log files.
Nothing will happen except for the "Received SIGHUP. Rotating logfiles."
message in the log files. If we want to avoid this, we should implement
a PID file.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 230e7757a7805c7c530d0914936f353882bd504e)

- - - - -
8c832345 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Replace a hard-coded constant by a macro

The per-UID quota is internally increased by 2. This value is no
longer hard-coded but replaced by the KCM_MAX_UID_EXTRA_SECRETS macro.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit c73b7eb801ed14892e34cd8e810678220785edf5)

- - - - -
855d0465 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Fixed a wrong check

The pointer to the newly allocated iobuffer is stored into
state->op_ctx->reply but the check for NULL is done on state->reply,
which we already know is not NULL because it was checked before and
not modified after that.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3cba6d1153c102f9596335db28cc017e8338e868)

- - - - -
14e7d7c0 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Remove unused cc_be_type from struct kcm_ccdb

This field is never set and never used. Let's remove it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 126920546e38f9df6c1c1bda95f0bcd6991cb722)

- - - - -
3e740a25 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: When freeing the client, check that it is not NULL.

`cc-> client` could be NULL.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2eb67afc014878108a555fd0ac41bef954a2a962)

- - - - -
a5c96e29 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: sss_iobuf_init_empty() shall not zero memory

sss_iobuf_init_empty() and related functions zero the allocated memory
even though it is not needed. Most of the time, all the fields in the
structures will be set to non-zero values. In these cases zeroing the
memory is useless and we stop doing it.

Only in two cases, some pointers were being left unmodified, so they
are now being manually set to NULL.

Resolves: https://github.com/SSSD/sssd/issues/7014

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit edb63cde4fcfa1089e8f39c5d0b6f1e0c184ea0d)

- - - - -
78d0a97d by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Reduce the amount of memory allocated for the packages

Some packages are being allocated to their maximum size, even though all
that memory is not required. When the amount of memory needed is not known,
we reduce the amount of memory allocated to the initial size defined by
the KCM_PACKET_INITIAL_SIZE macro.

The existing KCM_REPLY_MAX was replaced by KCM_PACKET_MAX_SIZE.

Resolves: https://github.com/SSSD/sssd/issues/7014

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit fe6c35addee2cfd0c32021e4b079eec7575ca90c)

- - - - -
60fde9d5 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Do not zero memory when not needed.

A few more cases where memory is allocated and zeroed when it is not
required.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit b4f9f63bd74722c543c7d2f3695f0d2351eba4c3)

- - - - -
c5d04578 by Patrik Rosecky at 2023-11-29T08:30:56+01:00
Tests: converted alltests/test_default_debug_level

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit e9189052a46d28e6397686c28d744d5e45f1f72d)

- - - - -
ff520020 by Sumit Bose at 2023-12-01T10:35:10+01:00
ci: make valgrind suppression more relaxed for test_ipa_subdomains_server

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e9e6d80e20fbf82c8b48ca4edbe2996018f7f7cd)

- - - - -
e03921e4 by Sumit Bose at 2023-12-01T10:35:38+01:00
nssidmap: fix sss_nss_getgrouplist_timeout() with empty secondary group list

sss_nss_getgrouplist_timeout() is intended as a replacement for
getgrouplist() which only gets secondary groups from SSSD. Currently it
returns an ENOENT error if there are no secondary groups returned by
SSSD. However, as with getgrouplist(), there is the second parameter
which expects a single GID which will be added to the result. This means
that sss_nss_getgrouplist_timeout() will always return at least this GID
as a result and an ENOENT error does not make sense.

With this patch sss_nss_getgrouplist_timeout() will not return an error
anymore if there are no secondary groups but just a result with the
single GID from the second parameter.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit cffe6e09c6b4cd8afa049365bbd432ace5d2a9d9)

- - - - -
9a6ff9e7 by Sumit Bose at 2023-12-04T11:25:47+01:00
pam: fix Smartcard auth with files provider

It is expected that the files provider ignores the local_auth_policy
option and supports Smartcard authentication by default.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 5e7cd889d6b2554e822370d2c962791d00f26278)

- - - - -
a8928a9a by Madhuri Upadhye at 2023-12-05T22:10:38+01:00
tests: add passkey tests for authentication failures

Test cases are as follows:
4. Check auth deny for incorrect pin for LDAP, IPA, AD and Samba.
5. Check auth deny for incorrect passkey mapping for LDAP, IPA, AD and Samba.
6. Check auth of user when server is not resolvable for IPA, LDAP, AD and Samba.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit f4c9d6efd6492ca32679aff1897b3d2593b9455d)

- - - - -
be5399c1 by Sumit Bose at 2023-12-06T17:55:14+01:00
sssctl: do not require root for user-checks

There is no requirement for root to run the test and if the user does
not have the needed privileges to access the related services this is
good as a test result as well. Additionally at least pam_chauthtok()
behaves differently when being called as root compared to an ordinary
user.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 8ff7fdc127dafb8d4d98231e0f7d43af89f8595b)

- - - - -
e44ad324 by Jakub Vavra at 2023-12-06T17:56:06+01:00
Tests: Add a test for kcm log rotation SSSD-5687

Ticket: https://issues.redhat.com/browse/SSSD-5687

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit 38db355aa1b0b8f370e8eba2001bbdf58a9d7d77)

- - - - -
2bc72a2b by Patrik Rosecky at 2023-12-06T17:56:37+01:00
Tests: alltests/test_autoprivategroup.py converted to system/test_auto_private_groups.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit a5f636bb4c90dc6077ebe0bbc50ae166d39ecf24)

- - - - -
35bcb91b by Pavel Březina at 2023-12-06T18:50:25+01:00
ad: do not print backtrace if SSSD domain name is not the same as DNS name

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 76d3b5a45bff7a473613504414e8f913f2929800)

- - - - -
eabeb3a7 by Pavel Březina at 2023-12-06T18:50:25+01:00
ad: do not print backtrace if SOM is missing in GPO

This is expected on empty GPOs and we just skip the element.
Therefore we should not print backtrace.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3e976dc6a7a5785d5ea657dd050709eb04889748)

- - - - -
d02874be by Pavel Březina at 2023-12-07T16:15:47+01:00
tests: adapt to new firewall API

The firewall API was redesigned in order to make it more flexible and
start supporting outbound rules as well. Blocking all communication
to given host using an outbound rules is less prone to errors since
it does not depend on specific ports.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0f9611cdc6c0bef30d1762f9665a973c31b59fd3)

- - - - -
f4908728 by Justin Stephenson at 2023-12-07T16:22:32+01:00
passkey: Add krb5 preauthentication prompt support

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 60fdacfd88247ca4cd7f69e77c51749285c3e89b)

- - - - -
6959dc6a by Alexey Tikhonov at 2023-12-08T12:14:16+01:00
DP: reduce log level in case a responder asks for unknown domain

Since 9358a74d3a56c738890353aaf6bc956bfe72df99 a domain might be
skipped by 'ad_enabled_domains' option

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 39cd0baa06742b349ed763aa40ea4de366e80f1a)

- - - - -
66bd91d5 by Patrik Rosecky at 2023-12-08T13:22:39+01:00
Tests: alltests/test_ldap_extra_attrs.py converted to system/tests/test_schema.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit c2360811d5a65e0438eb4a26e4f7e8148e631a8a)

- - - - -
f6faf123 by Alexey Tikhonov at 2023-12-12T11:34:04+01:00
LOGS: added missing new line

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 97c05c4e3cf5f6af6bf080ceb70bff772db556db)

- - - - -
4d01e11d by Justin Stephenson at 2023-12-12T11:36:13+01:00
passkey: Skip processing non-passkey mapping data

In the AD case, the user altSecurityIdentities attribute can
store passkey, smartcard, or ssh public key mapping data. Check
to ensure we are handling passkey data before continuing in
PAM passkey processing.

:relnote: Fixes a crash when PAM passkey processing incorrectly
handles non-passkey data.

Resolves: https://github.com/SSSD/sssd/issues/7061

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 6ed1eff44f8cad2e1c1d07cd4d3731b3d143dd9b)

- - - - -
1cffe5bc by Jakub Vavra at 2023-12-12T15:37:13+01:00
Tests: Fix tokengroups tests.

Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit ff8f248b0a773d3d6ef1091543fa8c4342ddd410)

- - - - -
9f406d42 by Jakub Vavra at 2023-12-15T07:49:45+01:00
Tests: Retry realm join as it is flaky on multiarch setups

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit df1b74546f95ab4adb4c69a5d3e23daba1d961b3)

- - - - -
cbd479d7 by Jakub Vavra at 2023-12-15T14:58:44+01:00
Tests: Change path to keytabs to reflect whole domain in them

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit a5270f898c6d22141033b9d9e735c09d65a0a83f)

- - - - -
0ae92383 by Jakub Vavra at 2023-12-20T06:53:28+01:00
Tests: Add importance and ticket to multihost

Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 5fb0a9ddcacd85525a1a96e0611198e239f8f895)

- - - - -
854edfb0 by Jakub Vavra at 2023-12-20T13:17:33+01:00
Tests: Revert change of return type of realm_join

It looks like realm join return value was parsed in one place so I
am reverting the mishap change of the return type.

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit b66035f3d60eea4289206d0b30c3058d18149cb4)

- - - - -
033f3db0 by Andre Boscatto at 2023-12-20T16:50:47+01:00
man: fix wrong product name

Resolves: https://github.com/SSSD/sssd/issues/7094

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 9abcaf90580346ee15ea9f08ec40ce0f5a805cd4)

- - - - -
02c18320 by Justin Stephenson at 2023-12-20T16:52:07+01:00
Passkey: Fix coverity memory overrun error

Fix for:

  CID 336599:  Memory - corruptions  (OVERRUN)
  Overrunning dynamic array "result_creds" by passing it to a
  function that accesses it at byte "creds_len".

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 1d33bde42aa747e18c4ab8f202ec1053fd9ab6a0)

- - - - -
f5e3bb39 by Justin Stephenson at 2023-12-20T16:52:07+01:00
Passkey: Fix coverity RESOURCE_LEAK

Fix for:

  CID 470374:  Resource leaks  (RESOURCE_LEAK)
  Variable "prompt_reply" going out of scope leaks the storage
  it points to.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit a134074c2ecea50d6ccee80e969b436887c5ef68)

- - - - -
51f90318 by Justin Stephenson at 2023-12-20T16:52:07+01:00
Passkey: Fix valgrind error and missing free

==367086== Conditional jump or move depends on uninitialised value(s)
==367086==    at 0x12BF1A31: string_get (load.c:894)
==367086==    by 0x12BF291D: stream_get.part.0 (load.c:158)
==367086==    by 0x12BF3182: UnknownInlinedFun (load.c:154)
==367086==    by 0x12BF3182: UnknownInlinedFun (load.c:227)
==367086==    by 0x12BF3182: lex_scan.isra.0 (load.c:573)
==367086==    by 0x12BF7F6A: parse_json (load.c:868)
==367086==    by 0x12BF80C8: json_loads (load.c:920)
==367086==    by 0x12BDDFD9: sss_passkey_message_from_reply_json (passkey_utils.c:544)
==367086==    by 0x12BDCA76: sss_passkeycl_process (passkey_clpreauth.c:321)
==367086==    by 0x4906215: UnknownInlinedFun (preauth2.c:352)
==367086==    by 0x4906215: UnknownInlinedFun (preauth2.c:679)
==367086==    by 0x4906215: k5_preauth (preauth2.c:1018)
==367086==    by 0x48F9489: UnknownInlinedFun (get_in_tkt.c:1351)
==367086==    by 0x48F9489: UnknownInlinedFun (get_in_tkt.c:1912)
==367086==    by 0x48F9489: krb5_init_creds_step (get_in_tkt.c:1868)
==367086==    by 0x48FA43A: k5_init_creds_get (get_in_tkt.c:564)
==367086==    by 0x48FB3EB: k5_get_init_creds (get_in_tkt.c:1978)
==367086==    by 0x48FB817: krb5_get_init_creds_password (gic_pwd.c:210)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 22d35690b6379a59b1bdfc5c20812b792e76af02)

- - - - -
160738ee by Alexey Tikhonov at 2023-12-21T13:51:27+01:00
SSS_CLIENT: MC: in case mem-cache file validation fails,

don't return anything but EINVAL, because `_nss_sss_*()` functions
can have a special handling for other error codes (for ERANGE in
particular).

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 958a5e25c447dc502e8f8fbecf3253e62f92b0b2)

- - - - -
a186224d by Alexey Tikhonov at 2023-12-21T13:51:27+01:00
SSS_CLIENT: check if mem-cache fd was hijacked

Real life example would be:
https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369
 - TigerVNC unconditionally overwrites fd=3

Resolves: https://github.com/SSSD/sssd/issues/6986

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 0344c41aca0d6fcaa33e081ed77297607e48ced4)

- - - - -
abb146e1 by Alexey Tikhonov at 2023-12-21T13:51:27+01:00
SSS_CLIENT: check if responder socket was hijacked

Real life example would be:
https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369
 - TigerVNC unconditionally overwrites fd=3

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2bcfb7f9238c27025e99e6445e9ba799e0bde7b8)

- - - - -
8bf25b6c by Pavel Březina at 2023-12-21T13:51:53+01:00
scripts: sign tarball with sssd project key

... also switch to gpg2.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 2e75d735e963dc1f5399648a804c9ccc89721261)

- - - - -
5c224730 by Pavel Březina at 2023-12-21T13:51:53+01:00
scripts: create checksum file for release tarball

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit c7a6e62d1a8f0c3a9424ad01555b24c0f67b4251)

- - - - -
46f4161e by Alejandro López at 2023-12-27T10:29:24+01:00
KCM: Fix a memory "leak"

When an operation is processed, a buffer is allocated for the reply
and its parent is the client context (struct cli_ctx). This buffer
is not explicitly freed but it is released when the client context is
freed. With each operation a new buffer is allocated and the
previous one gets "lost."

This is not an actual leak because the lost buffers are released by
talloc once the client context is freed, when the connection is closed.
But on long-lived connections this can consume a large amount of memory
before the connection is closed.

To solve this, the request context (struct kcm_req_ctx) is the new
parent of the buffer. The request is freed as soon as the operation is
completed and no buffer gets lost.

Resolves: https://github.com/SSSD/sssd/issues/7072

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit cbae6855320b53f3f2bdc0e11c5a9c8eb84daf87)

- - - - -
8a78c75a by Patrik Rosecky at 2023-12-27T10:31:17+01:00
Tests: multihost/test_sssctl_analyzer.py converted to system/test_sssctl_analyze.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 543eda1953652494c594ce1f4bf1ed0ca6ac1b42)

- - - - -
5a2256cb by Jakub Vavra at 2024-01-05T14:27:30+01:00
Tests: Add a plugin for a per-test logging

Add a pytest plugin to remove / duplicate test log from console
and put it into a stand-alone per-test log files.

Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 9d6caaed3a804978186338c896ce120aa258fffd)

- - - - -
852b9e0c by Patrik Rosecky at 2024-01-05T14:43:25+01:00
Tests: alltests/test_config_validation converted

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit d3a2bd0870e2267ebaaf32dab03ab5707be6483c)

- - - - -
bd9cf6f4 by Patrik Rosecky at 2024-01-05T14:47:43+01:00
Tests: alltests/test_offline.py converted

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit ea7de588dcf1272dd7284925333b08829adae806)

- - - - -
80d5a34f by Madhuri Upadhye at 2024-01-08T12:13:20+01:00
Tests: Add passkey test cases for following scenario

Test cases are as follows:
7.  Check offline authentication of a user with LDAP, IPA, AD and Samba
8.  Fetch user from cache for LDAP, IPA, AD and Samba server
9.  Check authentication of user when multiple keys added for same user with
    LDAP, IPA, AD and Samba server.
10. Check authentication of user when same key added for multiple user with
    LDAP, IPA, AD and Samba server.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 173f31148c1d3d0493ad620521414ab076d0623c)

- - - - -
a3393156 by Tomas Halman at 2024-01-08T14:20:27+01:00
Handle child-domain group membership

In AD, a user from a domain can be a member of a group that is
from a child of the domain.

The old code did not account for this and created a cache object
with incorrect DNs when ldap_use_tokengroups is set to False.

This patch looks up the correct domain before saving
group and membership attributes.

Resolves: https://github.com/SSSD/sssd/issues/7084

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 830a2e3d6abf337448f60541da66260d381fbe32)

- - - - -
98d8bedd by Alexey Tikhonov at 2024-01-09T17:10:24+01:00
DEBUG: added missing new line

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
(cherry picked from commit 4cdb41751c95cd88b8398fe4f86e025c4c507970)

- - - - -
936b8281 by Sumit Bose at 2024-01-09T17:13:50+01:00
LDAP: make groups_by_user_send/recv public

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9b73614c49aeb3cfc3208dba5f472354086180b5)

- - - - -
09dcc73e by Sumit Bose at 2024-01-09T17:13:50+01:00
ad: gpo evaluate host groups

With this patch the group-memberships of the client running SSSD are
included in the evaluation of the security filtering. Similar as in AD
the host object is more or less handled as a user object which allows
to skip some code dedicated to computers only.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit c02e09afe9610d872121708893db8a21fb201b12)

- - - - -
dda0f2e0 by Sumit Bose at 2024-01-09T17:13:50+01:00
sysdb: remove sysdb_computer.[ch]

The related calls are not needed anymore.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit ff23e7e2879f94a907d05b615dbdb547aaa2e542)

- - - - -
f5ce7c1d by Sumit Bose at 2024-01-09T17:13:50+01:00
sdap: add set_non_posix parameter

This patch adds a new parameter set_non_posix to the user and group
lookup calls. Currently the domain type is used to determine if the
search should be restricted to POSIX objects or not. The new option
allows to drop this restriction explicitly to look up non-POSIX objects.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 5f63d9bfc71b271844db1ee122172630be1afed0)

- - - - -
05de56d0 by Tomas Halman at 2024-01-10T09:38:11+01:00
GPO evaluation of primary group

When we are evaluating GPO the SID of user's primary
group is not returned in the list. This patch converts
the value of origPrimaryGroupGidNumber attribute back to
SID and that SID is added to the list of SIDs before
evaluating the GPO rules.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ecb0c6370dbab8fdcb3cdfa3495a38319c8e5266)

- - - - -
cb64d47b by Dan Lavu at 2024-01-12T07:07:09+01:00
tests: updating poor assertion in dyndns

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 90eca38eca804b89bf76fec443f9a2f2ac420695)

- - - - -
2b86d580 by Timo Aaltonen at 2024-01-12T11:00:20+02:00
Merge branch 'upstream'

- - - - -
8e21df9a by Timo Aaltonen at 2024-01-12T11:01:54+02:00
version bump

- - - - -
087cd54f by Timo Aaltonen at 2024-01-12T11:07:51+02:00
control: Migrate to systemd-dev. (Closes: #1060512)

- - - - -
c054fc00 by aborah at 2024-01-12T12:07:53+01:00
Tests: Fix ipa test for gating.

Error: remote username contains invalid characters

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 23087669ef9826fbba9e3e6b379f2b0bb86c9820)

- - - - -
1c5a11fc by Dan Lavu at 2024-01-12T12:08:23+01:00
tests: adding background refresh tests to the new framework

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit c6d216fb74108d798f9ef5b804c87b3654ab1c30)

- - - - -
eecd4183 by Pavel Březina at 2024-01-12T13:05:07+01:00
pot: update pot files

- - - - -
02d3f214 by Pavel Březina at 2024-01-12T13:05:40+01:00
Release sssd-2.9.4

- - - - -
6eee9908 by Timo Aaltonen at 2024-01-18T11:56:38+02:00
rules, install: Use systemdsystemunitdir.

- - - - -
a2a01dcc by Sergio Durigan Junior at 2024-01-18T12:00:58+02:00
Improve certificate/smartcard dep8 tests.

- d/t/control: Don't depend on "needs-sudo" restriction, since the
  tests don't really use "sudo" selectively but rather rely on a normal
  user being setup as a side effect of "needs-sudo".  Instead, we can
  use "needs-root".

- d/t/sssd-smart-card-pam-auth-configs-tester.sh,
  d/t/sssd-softhism2-certificates-tests.sh: Use
  "${AUTOPKGTEST_NORMAL_USER}" instead of "$SUDO_USER".

- - - - -
f4e27168 by Timo Aaltonen at 2024-01-18T12:01:27+02:00
Merge branch 'upstream'

- - - - -
4210c44b by Timo Aaltonen at 2024-01-18T12:02:10+02:00
version bump

- - - - -
0b232512 by Timo Aaltonen at 2024-01-18T12:04:43+02:00
releasing package sssd version 2.9.4-1

- - - - -


30 changed files:

- .github/workflows/analyze-target.yml
- .github/workflows/ci.yml
- .github/workflows/copr_build.yml
- .github/workflows/coverity.yml
- .github/workflows/static-code-analysis.yml
- Makefile.am
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/distro.sh
- contrib/ci/get-matrix.py
- contrib/ci/sssd.supp
- contrib/sssd.spec.in
- debian/changelog
- debian/control
- debian/rules
- debian/sssd-ad-common.install
- debian/sssd-common.install
- debian/sssd-dbus.install
- debian/sssd-kcm.install
- debian/tests/control
- debian/tests/sssd-smart-card-pam-auth-configs-tester.sh
- debian/tests/sssd-softhism2-certificates-tests.sh
- po/bg.po
- po/ca.po
- po/cs.po
- po/de.po
- po/es.po
- po/eu.po
- po/fi.po
- po/fr.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/ceec671e20343961b31cabe39c861b091cfe04ee...0b232512607aecf92a53195ec66ac57ab5ea1a5e