<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/sssd-team/sssd">Debian SSSD packaging / sssd</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/888d37d083d454412525ab498fa070c9d7424cf2">888d37d0</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-03-09T12:49:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bumping the version to track 1.16.2 development
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/67645557dc0301e7ea66bba15c4ff3fb11f9540e">67645557</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-03-09T13:39:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA: Handle empty nisDomainName

Resolves:
https://pagure.io/SSSD/sssd/issue/3573

If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
netgroup at all. This is not in agreement with man innetgr which says "Any of
the elements in a triple can be empty, which means that anything matches. The
functions described here allow access to the netgroup databases".

This patch instead returns an empty domain as well, which eventually
produces the same output as if the netgroup was requested from the
compat tree.

To reproduce the bug:
$ ipa netgroup-add
Netgroup name: emptydom
-------------------------
Added netgroup "emptydom"
-------------------------
  Netgroup name: emptydom
  NIS domain name: ipa.test
  IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
$ ipa netgroup-add-member
Netgroup name: emptydom
[member user]: admin
[member group]:
[member host]:
[member host group]:
[member netgroup]:
  Netgroup name: emptydom
  NIS domain name: ipa.test
  Member User: admin
-------------------------
Number of members added 1
-------------------------
$ ipa netgroup-mod --nisdomain="" emptydom
----------------------------
Modified netgroup "emptydom"
----------------------------
  Netgroup name: emptydom
  Member User: admin

Then run:
    getent negroup emptydom
without the patch, the netgroup won't be resolvable. It will resolve to
a netgroup triple that looks like this after the patch:
    emptydom              (-,admin,)

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0f8add07b8257fcce9f62ad80d24e79b8013ae42">0f8add07</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-03-09T13:39:46+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">intg: enhance netgroups test

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/15989964da9740e0bdc275d1446b053b771727de">15989964</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-03-09T13:57:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CI: Add dbus into debian dependencies

There is just weak dependency (recommends) between dbus
libraries and dbus daemon. It is installed by default but we should
not rely in integration tests on weak dependency if we directly need
binary dbus-daemon.

sh# apt-cache depends libdbus-1-dev libdbus-1-3
libdbus-1-dev
  Depends: libdbus-1-3
  Depends: pkg-config
    pkgconf
libdbus-1-3
  Depends: libc6
  Depends: libsystemd0
  Breaks: dbus
  Recommends: dbus

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/19f5dd0b8dc4eff3373a0ac9ea17c2440628fd4c">19f5dd0b</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-03-09T13:57:47+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: simple CA to generate certificates for test

To avoid issue with certificate lifetimes a simple OpenSSL based CA is
used to generate certificates for tests.

To make management easy all related data is kept in
src/tests/test_CA. Since some header files will be generated the
generation of the needed files is added to BUILT_SOURCES as other
generated code.

Related to https://pagure.io/SSSD/sssd/issue/3436

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0dc7f90667df6420bc9e93ae2c8bacd6ea148f0f">0dc7f906</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-03-09T13:57:53+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: replace hardcoded certificates

Since the hardcoded certificates have a limited lifetime they are
replaces by certificates from the test CA.

Related to https://pagure.io/SSSD/sssd/issue/3436

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cbcb2dab1ba06c65d64910b733f4480b5cf5d090">cbcb2dab</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-03-09T13:57:58+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: remove NSS test databases

NSS databases with the certificates from the test CA will be
automatically generated. The static databases are not needed anymore.

Related to https://pagure.io/SSSD/sssd/issue/3436

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/da694601229b5c8c5303a91317f067a912599e89">da694601</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-03-10T20:08:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E266 pep8 issues on test_ldap.py

E266: too many leading '#' for block comment

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/16fe3a34960ff3a5c79c6412b755220545501968">16fe3a34</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:08:58+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E501 pep8 issues on test_ldap.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b4c08cb3249cd270e38e9b74a83c00c38ec16c19">b4c08cb3</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-03-10T20:09:04+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E231 pep8 issues on test_session_recording.py

E231: missing whitespace after ':'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f02b0bddd8004ddd04cd852b24d3d8a3aa3191e6">f02b0bdd</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-03-10T20:09:09+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E501 pep8 issues on test_session_recording.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b4d72adc14e7ca110a97b76caff682fdcee617be">b4d72adc</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:11+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E20[12] pep8 issues on python-test.py

E201: whitespace after '['
E202: whitespace before ']'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/018fe983c8eee68c4acb5e5fba1675f3119ded17">018fe983</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E501 pep8 issues on python-test.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/3fac321c1580f64ec5412c49a997d2a14bfe1052">3fac321c</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:15+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E251 pep8 issues on python-test.py

E251: unexpected spaces around keyword / parameter equals

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/71dc7aa5c1c838ce85372071905f045d400e6fad">71dc7aa5</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E231 pep8 issues on python-test.py

E231: missing whitespace after ','

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/01e7730dabb7971e605b72fe66f936f15a84ffa6">01e7730d</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:18+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E265 pep8 issues on python-test.py

E265: block comment should start with '# '

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e3f0de237540024cbe3b14385342c7cbf991d001">e3f0de23</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E128 pep8 issues on python-test.py

E128: continuation line under-indented for visual indent

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5e86d31f9b151a34cdb9df76349a083f9632fc10">5e86d31f</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:21+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E302 pep8 issues on python-test.py

E302: expected 2 blank lines, found 1

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0e16e020bf73022adf6b6470b95ae8ee72004036">0e16e020</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:22+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix W391 pep8 issues on python-test.py

W391: blank line at end of file

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4593a2f126c83c4d05f942da7df59b2cc656cf20">4593a2f1</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:23+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E228 pep8 issues on python-test.py

E228: missing whitespace around modulo operator

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8b53952cbc3bf0ec84804e6be0a9b1256a49c19f">8b53952c</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E261 pep8 issues on python-test.py

E261: at least two spaces before inline comment

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/629563edc4538aaf6f55c229c82bd4041d8122c7">629563ed</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E701 pep8 issues on python-test.py

E701: multiple statements on one line (colon)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f64f99dd56596ca25ee41e6e36ecbf8a6fd5b49e">f64f99dd</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E305 pep8 issues on python-test.py

E305: expected 2 blank lines after class or function definition, found 1

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7b9c3e69e5248940accc5e0c2ce08503bea87c75">7b9c3e69</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:29+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E20[12] pep8 issues on pysss_murmur-test.py

E201: whitespace after '['
E202: whitespace before ']'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9dc4c15552c396a80add39d0da865793e5643237">9dc4c155</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E211 pep8 issues on pysss_murmur-test.py

E211: whitespace before '('

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8e00bbcab18b2a33437cd430607f928e32b1fdf7">8e00bbca</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E20[12] pep8 issues on pyhbac-test.py

E201: whitespace after '['
E202: whitespace before ']'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/235917c1758a4dcaa859394325bb742048c46205">235917c1</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:32+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E261 pep8 issues on pyhbac-test.py

E261: at least two spaces before inline comment

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/87fe92e90c73c7b314e5c01fde623e87a37fc9d2">87fe92e9</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix W391 pep8 issues on pyhbac-test.py

W391: blank line at end of file

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/25e0e4b0994e59e26d4144152f564b47ec84c8ea">25e0e4b0</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:35+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E501 pep8 issues on pyhbac-test.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/01012f0d7799008e66a2d7109b7940146dcaf68d">01012f0d</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:37+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E302 pep8 issues on pyhbac-test.py

E302: expected 2 blank lines, found 1

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/00f267a32a8d1c32c817eba4223c7c6d5a9d82da">00f267a3</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:38+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E305 pep8 issues on pyhbac-test.py

E305: expected 2 blank lines after class or function definition, found 1

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4c3ddbb119c1ca0e12c49f58b914559e2510e2f1">4c3ddbb1</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:39+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E711 pep8 issues on sssd_group.py

E711: comparison to None should be 'if cond is not None:'

The issue was found on: debian_testing, fedora22, fedora23, rhel6 and
rhel7 machines.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a7acb83aa5c70547f5575cdbb13228f23e3621c0">a7acb83a</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:41+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E305 pep8 issues on sssd_netgroup.py

E305: expected 2 blank lines after class or function definition, found 1

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c13c7dd58ebe24fb07227f29008a7b6895f8d57b">c13c7dd5</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E501 pep8 issues on utils.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e27a07b94b1ec2e7d61b8fce388add6e3481f131">e27a07b9</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:43+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E305 pep8 issues on conf.py

E305: expected 2 blank lines after class or function definition

This issue was found on a debian_testing machine

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6df8895947fbd0a01df92b82d6f418c8202595b2">6df88959</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONTRIB: Fix E501 pep8 issues on sssd_gdb_plugin.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/942edc402f4acc3de4dc3ec15a89d31d9f206cf6">942edc40</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:46+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONTRIB: Fix E305 pep8 issues on sssd_gdb_plugin.py

E305: expected 2 blank lines after class or function definition, found 1

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/40fab0e80857198605b69e1010ab5e090769cc99">40fab0e8</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:47+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E302 pep8 issues on test_enumeration.py

E302: expected 2 blank lines, found 1

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1129979bf8a96e4a8389d8c997bc2437e9e7e328">1129979b</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-03-10T20:09:49+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E303 pep8 issues on test_ldap.py

E303: too many blank lines (3)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/38cec21168b3b80c312e9efcfea4eba22a9648c8">38cec211</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: FIX E501 pep8 issues on pysss_murmur-test.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a907aa07340ef0051cd74bbab9618820e1bca1b8">a907aa07</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:53+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CI: Enable pep8 check

CI can now check pep8 issues for all .py files but the ones under
src/config (for those, there's an issue already filed[0]).

[0]: https://pagure.io/SSSD/sssd/issue/3514

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/89f5332ccf59672ecafc36abe07d2351e32a05d5">89f5332c</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-10T20:09:54+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CI: Ignore E722 pep8 issues on debian machines

For now, let's ignore E722 (do not use bare except) in the
debian_testing machines that are part of our CI.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek@redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cce64caa78d088d54c40e50b777b8a8ddd1a0c0a">cce64caa</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-13T10:43:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix E501 pep8 issues on test_netgroup.py

E501: line too long (longer than 79 characters)

The issue was inserted in commit 0f8add07b8, which has been pushed just
before the pep8 patches got merged.

The whole file was changed in order to adapt to the changes proposed to
this patch.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e32e17d04c796b37bc3f4cde58106d54ffa2b6d1">e32e17d0</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2018-03-13T11:23:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: Print simple allow and deny lists

For debug purposes, print the simple allow and deny users/groups lists
when a sufficient log debug level is set.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/86c06c3b3d1cb4f590bcd951939bf3ef0001c4d3">86c06c3b</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-03-15T12:41:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_ca: add empty index.txt.attr file

Although is does not harm because 'openssl ca' creates the
index.tx.tattr file with a suitable content automatically this patch
adds the file to the test_CA directory to silence a message like:

Can't open ./index.txt.attr for reading, No such file or directory
139867607979840:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:74:fopen('./index.txt.attr','r')
139867607979840:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:81:

which is show by recent versions of OpenSSL.

Related to https://pagure.io/SSSD/sssd/issue/3436

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a0173060a404c55bb0a81135cc43e415c30dea6c">a0173060</a></strong>
<div>
<span>by Yuri Chornoivan</span>
<i>at 2018-03-16T08:42:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Fix minor typos

Reviewed-by: Lukáš Slebodník <lslebodn@fedoraproject.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/718bce1f8bad38354d7e52d6bf588e3516c0f3c6">718bce1f</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-16T16:03:52+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Remove dead code

This piece of code introduced as part of 4049b63f8c most likely by
mistake and can be removed without causing any harm.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e5c74ab068d87b598d1090c83f1c4d9e47939c83">e5c74ab0</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-26T20:55:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONFDB: Start a ldb transaction from sss_ldb_modify_permissive()

The reason why confdb_expand_app_domains() always fails is because we
try to do a ldb_request() without starting a ldb transaction.

When we're dealing with ldb_modify(), ldb_add(), ldb_delete() kind of
messages, those call ldb_autotransaction_request() which will start a
new transaction and treat it properly when doing the ldb_request(). In
our case that we're calling ldb_request() by our own, we must ensure
that the transaction is started and properly deal with it._

It's never been noticed because in the only place the function is used
its errors are ignored.

Resolves:
https://pagure.io/SSSD/sssd/issue/3660

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f405a4a3694957b5a5cb45d0f7ea2854d876cbb6">f405a4a3</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-26T20:55:30+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TOOLS: Take into consideration app domains

In order to properly show an app domain when listing domains using
sssctl domain-list we have to expand the confdb, as already done in the
monitor code.

Resolves:
https://pagure.io/SSSD/sssd/issue/3658

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a73d70f7ebe194337d7732fd644384c94c2ce0d5">a73d70f7</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-26T20:55:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Move get_call_output() to util.py

This function will be reused outside of test_sssctl.py.

Related:
https://pagure.io/SSSD/sssd/issue/3658

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/885da2c88a214eddd8c5ba16118debdf7e8f2666">885da2c8</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-26T20:55:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Make get_call_output() more flexible about the stderr log

Future tests that will be added will need the stderr redirected to the
STDOUT.

Related:
https://pagure.io/SSSD/sssd/issue/3658

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/14b485b11c31341c6874ac4183f757287fb30f64">14b485b1</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-26T20:55:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add a basic test of `sssctl domain-list`

Let's just add a test for `sssctl domain-list` in order to avoid
regressing https://pagure.io/SSSD/sssd/issue/3658.

The test has been added as part of test_infopipe.py in order to take
advantage of the machinery already provided there.

Resolves:
https://pagure.io/SSSD/sssd/issue/3658

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a40c6b4280f319efb935a9c9d3b83486a0f4d2d3">a40c6b42</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-29T20:06:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Use json_loadb() when dealing with sss_iobuf data

As sss_iobuf data is *non* NULL terminated, we have to use json_loadb()
passing the data's length instead of just using json_loads().

Due to this issue, when running sssd-kcm under valgrind and performing a
`kinit foo` a bunch of erros like the following one could be seen:
==2638== Conditional jump or move depends on uninitialised value(s)
==2638==    at 0x57DB678: stream_get.part.3 (load.c:172)
==2638==    by 0x57DB9CA: stream_get (load.c:643)
==2638==    by 0x57DB9CA: lex_get (load.c:246)
==2638==    by 0x57DB9CA: lex_scan (load.c:601)
==2638==    by 0x57DC56A: parse_json.constprop.7 (load.c:904)
==2638==    by 0x57DC6AB: json_loads (load.c:959)
==2638==    by 0x11ABEA: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x11AEF0: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x125D4A: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x12623B: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x9BCD71F: epoll_event_loop (tevent_epoll.c:728)
==2638==    by 0x9BCD71F: epoll_event_loop_once (tevent_epoll.c:930)
==2638==    by 0x9BCBBA6: std_event_loop_once (tevent_standard.c:114)
==2638==    by 0x9BC7FEC: _tevent_loop_once (tevent.c:725)
==2638==    by 0x9BC820A: tevent_common_loop_wait (tevent.c:848)

Related to:
https://pagure.io/SSSD/sssd/issue/3687

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/bfc6d9d611bfbc54b3f738084d86fb887c8769b5">bfc6d9d6</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-29T20:15:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Remove mem_ctx from kcm_new_req()

Let's remove the mem_ctx argument as we really want cctx to be the
memory context here, so that if the client disconnects the request goes
away.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2f11cf256a10ca6f6ace35a05cc2edb46689567f">2f11cf25</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-29T20:15:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Introduce kcm_input_get_payload_len()

As this piece of code will be useful for us in the future patches of
this series, let's move it to a new function.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/786c40023e1348e7613805446ae821af7030b5d3">786c4002</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-29T20:15:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Do not use 2048 as fixed size for the payload

The KCM code has the limit set as 2048 only inside #ifdef __APPLE__,
while it should be normally set as 10 * 1024 * 1024, as seen in:
https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53

Last but not least, doesn't make much sense to use a fixed value as the
first 4 bytes received are the payload size ... so let's just allocate
the needed size instead of having a fixed value.

Resolves:
https://pagure.io/SSSD/sssd/issue/3671

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b09cd3072153663bfcce902633b5e6f9134e72e0">b09cd307</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-29T20:15:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Adjust REPLY_MAX to the one used in krb5

krb5 has its MAX_REPLY_SIZE set as 10*1024*1024, as seen in:
https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53

Related:
https://pagure.io/SSSD/sssd/issue/3386

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a263309322cf8fff15d21207a4eee5f301e3ad2e">a2633093</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-03-29T20:23:07+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">intg: convert results returned as bytes to strings

With python3 comparisons between byte literals and strings will fail. To
make sure assertions will pass the search results must be converted to
(utf-8) strings first.

Resolves https://pagure.io/SSSD/sssd/issue/3666

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/96fdbb2cb7d1bd8f9b2b64acfb5dd845b0290946">96fdbb2c</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-29T21:47:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Fix typo in ccdb_sec_delete_list_done()

When deleting the ccache we want to check if sec_key_list_len is equal 0
and not if sec_key_list is 0.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e588e24c900e3f587f52533db12b87451b789a33">e588e24c</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-03-29T21:47:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Only print the number of found items after we have it

With the current code we've been always printing "Found 0 items" as
state->sec_key_list_len is only set by sec_list_parse().

In order to solve this, let's just print it *after* we have
state->sec_key_list_len set.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/250751bf8b0532d6175e762b7f2f008cc1c39a78">250751bf</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-04T10:36:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: When marking an entry as expired, also set the originalModifyTimestamp to 1

Resolves:
https://pagure.io/SSSD/sssd/issue/3684

If the cleanup task removes a user who was a fully resolved member (not a
ghost), but then the group the user was a member of is requested, unless
the group had changed, the user doesn't appear as a member of the group
again. This is because the modify timestamp would prevent the group from
updating and therefore the ghost attribute is not readded.

To mitigate this, let's also set the originalModifyTimestamp attribute
to 1, so that we never take the optimized path while updating the group.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/47ad0778be72994a2294b2e73cc5c670be6811a7">47ad0778</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2018-04-04T10:38:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo ldap: do not store rules without sudoHost attribute

Unless it is cn=defaults.

Resolves:
https://pagure.io/SSSD/sssd/issue/3558

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63">cd4590de</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2018-04-04T10:39:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb custom: completely replace old object instead of merging it

This patch is written primary for sudo use case, but it makes sure the we do
not merge two record in other parts of the code that uses sysdb_store_custom.

1) If there are two rules with the same cn (possible with multiple search bases
or organizational units) we would end up merging those two rules instead of
choosing one of them.

2) Also smart refresh would merge the diff insteand of removing the attributes
that are no longer present in ldap.

Since 1) is a rare use case and it is a misconfiguration we completely replace
the old rule with new one. It is simpler to implement and it solves both issues.

Resolves:
https://pagure.io/SSSD/sssd/issue/3558

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/519354d079731e673244a8e3851e5c5522d1b45e">519354d0</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-04T10:44:37+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SERVER: Tone down shutdown messages for socket-activated responders

When dealing with socket-activated responders, those may be shut
themselves down after some inactivy period. And that's completely normal
and expected, thus should not be logged as an fatal error.

For the case when the responder is started by the monitor, however, it
still makes sense to keep the code as it is as the responders won't shut
themselves down in any normal scenario.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0f6b5b02afb35caae774ff4d52854a844d49f52e">0f6b5b02</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-04T14:45:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA: Qualify the externalUser sudo attribute

We broke the externalUser support with the introduction of the fully
qualified attributes, because the provider was saving the data verbatim,
but the sudo responder expects a fully qualified name.

Reproducer:
    on the server:
        ipa sudocmd-add --desc='For reading log files' /usr/bin/less
        ipa sudorule-add readfiles
        ipa sudorule-add-user --users=lcluser
        ipa sudorule-mod --hostcat=all readfiles

    then on the client:
        configure sssd with:
            id_provider = files
            sudo_provider = ipa
            ipa_domain = ipa.test

        run:
            sudo useradd lcluser
            sudo passwd lcluser
            su - lcluser
            sudo -l

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f22528922c065f37ca928f95fd86ed2ea79e0d51">f2252892</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-04T14:58:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Adjust netgroup setnetgrent cache lifetime if midpoint refresh is used

This is a minor regression compared to the state of the code before we
converted the responders to cache_req. The NSS responder keeps a has
table of netgroup objects in memory for either the lifetime of the
netgroup, or, in case midpoint refresh is used, up to the midpoint
refresh time. The case with the midpoint refresh was removed in the
cache_req enabled code, which means that even if the netgroup was
updated in the cache with the background refresh task, the object was
never read from cache, but always still returned from the in-memory
enumeration hash.

Resolves:
https://pagure.io/SSSD/sssd/issue/3550

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c1208b485924964a7a4fcf19562964acb47fc214">c1208b48</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2018-04-05T14:00:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONFDB: Add passwd_files and group_files options

Add new options to the files provider allowing an administrator to
configure the files provider to read and monitor multiple or
non-standard passwd and group file sources. These options default to
/etc/passwd and /etc/group when unset.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0d6d493f68bb83a046d351cb3035b08ef5456b50">0d6d493f</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2018-04-05T14:00:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FILES: Handle files provider sources

Setup watches on passwd and group files provided with the files provider
options passwd_files and group_files lists

Resolves:
https://pagure.io/SSSD/sssd/issue/3402

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4a9100a588ade253cecb2224b95bd8caa8136109">4a9100a5</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-05T14:00:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add a test for the multiple files feature

Adds an integration test for the new feature.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/abf377672e0011da817b5105fe581b27f2f855b7">abf37767</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2018-04-09T10:02:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Missing header in ad_access.h

ad_access.h depends on data_provider.h header but
does not include it.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7a42831b208ed8d2fcb9d8beaa12bd2214bb7dce">7a42831b</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2018-04-09T10:02:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Add ad_options to ad_gpo_process_som_state

We will need at least ad_site option from this
context available to get the AD site override
value.

Resolves:
https://pagure.io/SSSD/sssd/issue/3646

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/744e2b4d0710c1dc850bfadbd75ae1ae7faf1148">744e2b4d</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2018-04-09T10:02:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Use AD site override if set

Use AD site override if it was set in SSSD configuration.

Resolves:
https://pagure.io/SSSD/sssd/issue/3646

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/37a84285aeb497ed4909d16916bbf934af3f68b3">37a84285</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-04-10T14:43:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: initialize nss_enum_index in nss_setnetgrent()

setnetgrent() is the first call when looking up a netgroup and sets the
netgroup name for upcoming getnetgrent() and endnetgrent() calls.
Currently the state is reset by calling endnetgrent() but it would be
more robust to unconditionally reset the state in setnetgrent() as well
in case calling endnetgrent() was forgotten.

Related to https://pagure.io/SSSD/sssd/issue/3679

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/08db22b1b1a2e742edbca92e35087294d963adda">08db22b1</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-04-10T14:43:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: add a netgroup counter to struct nss_enum_index

Netgroups are not looked up with the help of a single request but by
calling setnetgrent(), getnetgrent() and endnetgrent() where
getnetgrent() might be called multiple times depending on the number of
netgroup elements. Since the caller does not provide a state the state
has to be maintained by the SSSD nss responder. Besides the netgroup
name this is mainly the number of elements already returned.

This number is used to select the next element to return and currently
it is assumed that there are not changes to the netgroup while the
client is requesting the individual elements. But if e.g. the 3 nss
calls are not used correctly or the netgroup is modified while the
client is sending getnetgrent() calls the stored number might be out of
range. To be on the safe side the stored number should be always
compared with the current number of netgroup elements.

Related to https://pagure.io/SSSD/sssd/issue/3679

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b8db8c2d83d1d75c42c1e17145d3907211b3a146">b8db8c2d</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-04-10T14:46:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sssctl: Showing help even when sssd not configured

On a clean and unconfigured system, it's not possible
to use --help.
1) dnf install sssd-tools
2) sssctl cache-remove --help
Shows:
[confdb_get_domains] (0x0010): No domains configured, fatal error!

Solution: Donot check for confdb initialization when sssctl 3rd
command line argument passed is '--help'.

Please note when we run 'sssctl --help' on unconfigured system
confdb check is not done and proper o/p is seen.

Resolves: https://pagure.io/SSSD/sssd/issue/3634

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/fe58f0fbf34de5931ce3305396e5e4467796a325">fe58f0fb</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2018-04-10T14:47:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sssctl: move check for version error to correct place

This check was added here:

284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 490) int sss_tool_main(int argc, const char **argv,
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 491)                   struct sss_route_cmd *commands,
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 492)                   void *pvt)
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 493) {
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 494)     struct sss_tool_ctx *tool_ctx;
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 495)     uid_t uid;
e98ccef2 (Pavel Březina   2016-06-09 16:13:34 +0200 496)     errno_t ret;
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 497)
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 498)     uid = getuid();
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 499)     if (uid != 0) {
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 500)         DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 501)         ERROR("%1$s must be run as root\n", argv[0]);
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 502)         return EXIT_FAILURE;
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 503)     }
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 504)
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 505)     ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 506)     if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 507)         tool_ctx->init_err = ret;
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 508)     } else if (ret != EOK) {
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 509)         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 510)         return EXIT_FAILURE;
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 511)     }

But then the initialization code was moved from sss_tool_init to tool_cmd_init which is called from sss_tool_route.

a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 328)             if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 329)                 DEBUG(SSSDBG_FATAL_FAILURE,
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 330)                       "Command %s does not handle initialization error [%d] %s\n",
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 331)                       cmdline.command, tool_ctx->init_err,
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 332)                       sss_strerror(tool_ctx->init_err));
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 333)                 return tool_ctx->init_err;
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 334)             }
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 335)
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 336)             ret = tool_cmd_init(tool_ctx, &commands[i]);
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 337)             if (ret != EOK) {
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 338)                 DEBUG(SSSDBG_FATAL_FAILURE,
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 339)                       "Command initialization failed [%d] %s\n",
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 340)                       ret, sss_strerror(ret));
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 341)                 return ret;
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 342)             }
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 343)
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 344)             return commands[i].fn(&cmdline, tool_ctx, pvt);

This rendered the original change a dead code, because sss_tool_init only returns ENOMEM or EOK.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/56839605d139573319b7df24774b56ea78ec742b">56839605</a></strong>
<div>
<span>by amitkumar50</span>
<i>at 2018-04-11T16:44:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Add sss-certmap man page regarding priority processing

PR adds following text in PRIORITY section of man sss-certmap:
The processing is stopped when a matched rule is found and no
further rules are checked.

Resolves: https://pagure.io/SSSD/sssd/issue/3469

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/adb9823dc6b6247cd477fa7b050959f264f6582b">adb9823d</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-04-18T14:30:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Remove unused parameter from sysdb_cache_connect_helper

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0b784c622c66f815c21b36148d0536aea90e3df0">0b784c62</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-04-18T14:31:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: Add gcc to build dependencies

gcc will be removed from buildroot in fedora 29
http://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/810935f67a25f130b37f72948cc9a8b37529afc1">810935f6</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-04-18T21:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">UTIL: Use alternative way for detecting PyErr_NewExceptionWithDoc

Function PyErr_NewExceptionWithDoc was added in python 2.7.0
and we use fallback implementation for older versions of python.

Previously, we used detection of PyErr_NewExceptionWithDoc at configure
time; but it does not work well in case of python2.6 and python3.x

Resolves:
https://pagure.io/SSSD/sssd/issue/3656

Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f0bcadfb033c78c78631c4430288a60aa639100f">f0bcadfb</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-04-18T21:08:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONFIGURE: drop unused check

Related to: https://pagure.io/SSSD/sssd/issue/3656

Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2d43eaf43540c375d39c5e1c2482595e919fb4df">2d43eaf4</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-18T21:11:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SDAP: Improve a DEBUG message about GC detection

It was not entirely clear what the message means. We should improve the
debug message to make it clear that all or none attributes should be
replicated to the Global Catalog.

This patch can be reverted once we fix
https://pagure.io/SSSD/sssd/issue/3538 and only use the GC to look up
the entry DN, not the entry itself.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4ab8734cc45fab2d1a0e690b566da1bda63df76c">4ab8734c</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-18T21:11:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Improve docs about GC detection

Add the same note we have as part of our debug to the sssd-ad manual.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/46a4c265629d9b725c41f22849741ce7342bdd85">46a4c265</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-04-20T14:39:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss-idmap: do not set a limit

If the limit is set the needed size to return all groups cannot be
returned.

Related to https://pagure.io/SSSD/sssd/issue/3715

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b">2c4dc7a4</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-04-20T14:39:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss-idmap: use right group list pointer after sss_get_ex()

If the initial array is too small it will be reallocated during
sss_get_ex() and the pointer might change and the initial memory area
should not be used anymore.

Related to https://pagure.io/SSSD/sssd/issue/3715

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/851d31264c826d7e1bca38bb6d49e66b446707e7">851d3126</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-25T07:29:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Add InvalidateGroupById handler

There are some situations where, from the backend, the NSS responder
will have to be notified to invalidate a group.

In order to achieve this in a clean way, let's add the
InvalidateGroupById handler and make use of it later in this very same
series.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/709c42f0cabc96d0e0edf72753a0967593206ff4">709c42f0</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-25T07:30:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DP: Add dp_sbus_invalidate_group_memcache()

This function will be called from the data provider to the NSS
responder, which will invalidate a group in the memcache.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ccd349f0274217e1f0cc118e3a6045e2235ce420">ccd349f0</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-25T07:30:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ERRORS: Add ERR_GID_DUPLICATED

This new error will be returned from sysdb_add_incomplete_group()
when renaming a group which will case gid collision.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d2633d922eeed68f92be4248b9172b928c189920">d2633d92</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-25T07:30:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Augment the sdap_opts structure with a data provider pointer

In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.

Fill the pointer value for all LDAP-based providers.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a537df2ea99acb0181dc360ddf9a60b69c16faf0">a537df2e</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-25T07:31:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SDAP: Add sdap_handle_id_collision_for_incomplete_groups()

This newly added function is a helper to properly hadle group
id-collisions when renaming incomplete groups and it does:
- Deletes the group from sysdb
- Adds the new incomplete group
- Notifies the NSS responder that the entry also has to be deleted from
  the memory cache

This function will be called from
sdap_ad_save_group_membership_with_idmapping() and from
sdap_add_incomplete_groups().

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a2e743cd23e8e2033340612c77a8dbb8ef48c1e1">a2e743cd</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-25T07:31:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SDAP: Properly handle group id-collision when renaming incomplete groups

Resolves:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/514b2be089bfd0e2702d7e9ab883ab071a61b719">514b2be0</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-25T07:31:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB_OPS: Error out on id-collision when adding an incomplete group

This situation can be hit when renaming a group. For now, let's just
error this out so the caller can handle it properly on its own layer.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/35d6fb7cabd6183252fd29b29aaf66264dca9135">35d6fb7c</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-25T07:31:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add an integration test for renaming incomplete groups during initgroups

As we implemented the group renaming heuristics to rename only if we can
use another "hint" like the original DN or the SID to know the group is
the same, this patch adds two tests (positive and negative) to make sure
a group with a totally different RDN and hence different originalDN
cannot be renamed but a group whose name changed but the RDN stays the
same can be renamed.

Related:
https://pagure.io/SSSD/sssd/issue/3282

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ba2d5f7a0adefb017d3f85203d715b725ca8810f">ba2d5f7a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-25T07:31:37+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: sysdb_add_incomplete_group now returns EEXIST with a duplicate GID

Related:
https://pagure.io/SSSD/sssd/issue/2653

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/91d1e4c134b7c90abd2ff86b313175c542cd834c">91d1e4c1</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-25T07:33:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Document which principal does the AD provider use

Administrators are often confused by the difference between what
principal is used to authenticate to AD. Let's document that.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e6e5fe349aa6ed85eb9acb3273007fa90ee99450">e6e5fe34</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2018-04-27T13:42:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Fix bug with empty GPO rules

When two or more GPO rules were defined on the server
and one of them contained no SIDs (no users or groups
were specified), then SSSD failed to store such rule
and users were denied access (system error).

This patch changes the behavior so that in case
there are no SIDs in the rule a special value is
stored with the rule to indicate that the rule
was actually specified, but this value will not
match any real SID (because the rule should be
empty).

Resolves:
https://pagure.io/SSSD/sssd/issue/3680

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8655dd075dbbc1578f8d3c77209cbfb696e03809">8655dd07</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:42:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SECRETS: reset last_request_time on any activity

As all the activities are being handled by the secrets responder itself
and not by responder's common code, we have to take care of re-setting
the last_request_time by ourselves here.

Without this patch, the responder would be shot down after reaching the
idle_timeout with activities happening or not.

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cefadc6eedd0c316d3cbbfe47102791b7fbadc88">cefadc6e</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:42:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: reset last_request_time on any activity

As all the activities are being handled by the kcm responder itself and
not by responder's common code, we have to take care of re-setting the
last_request_time by ourselves here.

Without this patch, the responder would be shot down after reaching the
idle_timeout with activities happening or not.

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/26592d1aa9395c9a851d8657b4c2bb53d2cc1384">26592d1a</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:42:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESPONDER: Add sss_client_fd_handler()

Currently we have 3 functions to handle client fds:
- sec_fd_handler(): for secrets responder
- kcm_fd_handler(): for kcm responder
- client_fd_handler(): for all the others reponders

As those functions only differ by the functions used to handle sending
and receiving data to the fds, let's create a generic function that
receives the specific send_fn() and recv_fn() functions.

With this newly introduced function we'll be able to simply remove
duplicated code from those 3 handlers and just call
sss_client_fd_handler() from all of those.

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2f7006567bebe766e5c12f18fb15c3909c83a4f4">2f700656</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:42:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESPONDER: Make use of sss_client_fd_handler()

Let's make use of the sss_client_fd_handler() on client_fd_handler().

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/04c236ca801b0edaefe9e5553ca26126087c5d68">04c236ca</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:42:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SECRETS: Make use of sss_client_fd_handler()

Let's make use of the sss_client_fd_handler() on sec_fd_handler().

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/01ef93a43e1629006416f33111f6077b3e92b175">01ef93a4</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:43:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Make use of sss_client_fd_handler()

Let's make use of the sss_client_fd_handler() on kcm_fd_handler()

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1ab24b3923a5ab43d2a632bf84a7bb08113a78b7">1ab24b39</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:43:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Rename test_idle_timeout()

As this test is related to the client_idle_timeout, let's rename it
accordingly.

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ac9c3ad8228000140d80f91d4c5492d89d6e79f6">ac9c3ad8</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:43:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add test for responder_idle_timeout

Two new tests have been added in order to test the following scenarios
of responder_idle_timeout:
- responder is shutdown after n seconds;
- responder has its shutdown delayed due to some activity and then is
  shutdown after n seconds;

In order to have the tests added, a new dep has been introduced:
python-psutil

Keep in mind those newly added tests make our test suite to take a few
minutes more to finish. As it may be an inconvenience for some
developers, the tests have been explicitly marked as slow (both by the
pytest markdown and by having _slow in their names) and can be skipped
by doing:
`make intgcheck-run  make intgcheck-run \
 INTGCHECK_PYTEST_ARGS="-k test_secrets.py -m 'not slow'"`

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a30d0c95042b239557ecee3b7fc765d6d28592be">a30d0c95</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-04-27T13:44:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Fix typo in test_sysdb_domain_resolution_order_ops()

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d69e1da370fa33c5085b31eb6302a30d81817534">d69e1da3</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-27T13:45:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FILES: Do not overwrite and actually remove files_ctx.{pwd,grp}_watch

The snotify_ctx structures were unused, are completely opaque (their
only value is that if they are freed, the watches disappear which
the files provider never does).

And moreover, since the patches to support multiple files, the watches
were overwritten with subsequent assignments.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1f8bfb6975becda07ff29f557f82b6ac1eaa0be9">1f8bfb69</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-27T13:45:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FILES: Reduce code duplication

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/81f16996c980a75e98538c7dd91baf9e0e635f58">81f16996</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-27T13:45:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FILES: Reset the domain status back even on errors

The block that resets the domain status was only called on success, so
on error, the domain would have been permanently stuck in an
inconsistent state.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c1bce7da6c33b352dc708a5dd9712a4d96c63057">c1bce7da</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-27T13:45:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FILES: Skip files that are not created yet

In order to avoid complex ordering logic, even if one file is updated,
we flush all the entries. In theory, we could only flush the individual
file and all the files preceding it, but it's safer to just create a
complete mirror every time.

And this can be problematic if one of the files we try to update is not
created yet during the update. This can happen e.g. when a file is not
created during early boot.

To solve this, try to be very defensive and always flush the whole
database, ignore ENOENT errors, but abort on all other errors.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/77d63f561830c15341b2ffe915a4c86b3c0f88a3">77d63f56</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-04-27T13:45:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FILES: Only send the request for update if the files domain is inconsistent

Resolves:
https://pagure.io/SSSD/sssd/issue/3520

The code was probably commented out as a mistake..

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/65034a715e5071ad944bf37b414c6a36bf60cf29">65034a71</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-03T21:51:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DYNDNS: Move the retry logic into a separate function

Let's not repeat ourselves

Related to:
https://pagure.io/SSSD/sssd/issue/3725

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b57dfac8a047494162395422447ed5675806cfdc">b57dfac8</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-03T21:52:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DYNDNS: Retry also on timeouts

There is the dyndns_server option that is supposed to make it possible
for the admin to select a server to update DNS with if the server
detected by nsupdate does not work. The fallback works OK for the case
where nsupdate fails with a non-zero return code, but doesn't work
for the case where nsupdate times out.

This patch extends the retry condition to also fallback to the
dyndns_server directive if nsupdate return ERR_DYNDNS_TIMEOUT.

Resolves:
https://pagure.io/SSSD/sssd/issue/3725

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/3cff2c5e563d967366d534bd3fc8c410f6467ea6">3cff2c5e</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-03T21:53:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Warn if the LDAP schema is overriden with the AD provider

Resolves:
https://pagure.io/SSSD/sssd/issue/3726

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8a8285cf515c78709e16ec03b254c89466fe3ea2">8a8285cf</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-03T21:54:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Only check non-POSIX groups for GID conflicts

When checking for a GID conflict, it doesn't make sense to check for one
when the group being added is a non-POSIX one, because then the GID will
always be 0.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/10213efaf1f9f587b47a82778a252d79863f665e">10213efa</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-03T21:56:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Do not keep allocating external groups on a long-lived context

The hash table with the external groups was never freed, so the
server_mode->ext_groups context was growing over time.

This patch keeps the new hash on the state if something failed, then
frees the previous hash and finally steals the new hash onto the server
mode.

Resolves:
https://pagure.io/SSSD/sssd/issue/3719

Signed-off-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2952de740f2ec1da9cbd682fb1d9219e5370e6a1">2952de74</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-03T22:02:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Do not fail the domain locator plugin if ID outside the domain range is looked up

A fix for upstream bug #3569 and the domain-locator feature were both
developed in the context of the same upstream version and therefore
touched the same code, but the domain locator did not account for the
ERR_ID_OUTSIDE_RANGE error code.

Therefore lookups for IDs that are outside the range for the domain
caused the whole lookup to fail instead of carrying on to the next
domain.

This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID
was not found at all. Also some whitespace errors are fixed.

Resolves:
https://pagure.io/SSSD/sssd/issue/3728

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b13cc2d1413a0d5bbe36e06e5ffd87dbf5c0cb9f">b13cc2d1</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-05-08T09:43:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: nss_clear_netgroup_hash_table() do not free data

nss_clear_netgroup_hash_table() is called during the clearEnumCache SBUS
request, which is e.g. used during 'sss_cache -E', to remove netgroup
data cached in the memory of the NSS responder.

Currently nss_clear_netgroup_hash_table() calls
'sss_ptr_hash_delete_all(nss_ctx->netgrent, true);' which not only
removes all entries in the 'netgerent' hash table but frees them as
well.

The second step is not needed because nss_setnetgrent_set_timeout()
takes care that the data is freed after a timeout. Additionally freeing
the data in nss_clear_netgroup_hash_table() can even do harm when the
request is received by the NSS responder while waiting for the backend
to acquire the netgroup data. Because if the backend is done the NSS
responder tries do use enum_ctx which might have been freed in the
meantime.

Because of this nss_clear_netgroup_hash_table() should only remove the
data from the hash table but not free it.

Related to https://pagure.io/SSSD/sssd/issue/3731

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cf4f5e031ecbdfba0b55a4f69a06175a2e718e67">cf4f5e03</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-11T17:42:02+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Properly handle name/gid override when using domain resolution order

When using name/gid override together with domain resolution order the
mpg name/gid may be returned instead of the overridden one.

In order to avoid that, let's add a check in case the domain supports
mpg so we can ensure that the originalADname and originalADgidNumber
attributes are the very same as the ones searched and then normally
proceed with the current flow in the code. In case those are not the
same, we *must* follow the code path for the non-mpg domains and then
return the proper values.

Resolves: https://pagure.io/SSSD/sssd/issue/3595

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/10a0bda924cbf230984a80a1e76a3269f2a656fa">10a0bda9</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-16T04:55:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Increase test_resp_idle_timeout* timeout

As suggested by Sumit, let's increase the timeout in the
test_resp_idle_timeout* as those are a little bit on the edge.

Related:
https://pagure.io/SSSD/sssd/issue/3633

Resolves:
https://pagure.io/SSSD/sssd/issue/3730

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/28436b57345c644ecff4234b17e7571bf8b386c2">28436b57</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-16T04:55:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">COVERITY: Add coverity support

Using travis-ci we can start doing coverity scans on every pushed code.
This is not something new as so far we have been relying on sgallagh's
internal infra to do so, unfortunatelly the infra is about to be
retired ... thus, start to use public coverity's instance is a hard
requirement for us.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Edjunior Machado <emachado@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e551413487ca2d5f8328e7b9148908613f6d48eb">e5514134</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-16T04:56:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAKE_SRPM: Add --output parameter

This parameter is being added as it makes our life easier when dealing
with automated copr builds for this project.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4568d68d51bd88571cadd4a9cbbda019f1c2bae8">4568d68d</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-16T04:56:30+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add .copr/Makefile

This will be used in order to provide automated builds to the project on
copr.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c6b99b070268c3807833e9f894d9a36304014417">c6b99b07</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-05-18T17:23:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">winbind idmap plugin: support inferface version 6

With Samba 4.7 the interface version of the idmap plugin was updated to
6. The patch adds support for this new version but can be complied with
the older version as well.

A configure option is added to select the version, if no version is
given configure tries to detect the version with the help of an internal
Samba library libidmap-samba4.so.

To make sure that always the right version is used configure will fail
if Samba is used (--with-samba, default) and no version can be
determined.

Resolves https://pagure.io/SSSD/sssd/issue/3741

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4ab4a26ea1a3777ebb0ac1d0138ec1645401fc8a">4ab4a26e</a></strong>
<div>
<span>by amitkumar50</span>
<i>at 2018-05-18T17:24:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Clarify how comments work in sssd.conf

PR changes comment description in sssd.conf from:
'A line comment starts with a hash sign...'
to
'A comment line starts with a hash sign...'

Resolves: https://pagure.io/SSSD/sssd/issue/1117

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/095bbe17b25369b967e97162d945cb001a13029e">095bbe17</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-05-18T22:13:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">winbind idmap plugin: fix detection

Currently when compiling the detection code for the idmap interface
version only SMBCLIENT_CFLAGS are used. Since libsmbclient does not use
NTSTATUS the cflags do not contain '-DHAVE_IMMEDIATE_STRUCTURES=1' which
make NTSTATUS to a struct instead of an integer. Since Samba itself
might be complied with this define (it typically is) we have to make
sure we use it as well. Otherwise the test program might crash on
platforms where this change changes the calling convention as well.

Related to https://pagure.io/SSSD/sssd/issue/3741

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/afe7060fa4fbad4a6de26419bcd20d807eb54684">afe7060f</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-23T17:47:53+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Return ENOENT for mpg with local provider

We need to return ENOENT for local provider if user have
just magic private group. Otherwise we would not be able
to detect such situation in sss_groupshow

    /* The search itself */
    ret = group_show(tctx, tctx->sysdb,
                     tctx->local, pc_recursive,
                      tctx->octx->name, &root);
    /* Also show MPGs */
    if (ret == ENOENT) {
        ret = group_show_mpg(tctx, tctx->local,
                             tctx->octx->name, &root);
    }

Resolves:
https://pagure.io/SSSD/sssd/issue/3644

Merges: https://pagure.io/SSSD/sssd/pull-request/3720

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b0aa567b00215621d5930b900985e0cf39809b84">b0aa567b</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-23T17:47:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb-tests: sysdb_search_group_by_name with local provider

ldap and local provider are handled differently
in sysdb_search_group_by_name. And we need to cover both cases to avoid
regressions.

Resolves:
https://pagure.io/SSSD/sssd/issue/3644

Merges: https://pagure.io/SSSD/sssd/pull-request/3720

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/320cc463887f5a11909ae54a7e415517bf27458c">320cc463</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-23T17:48:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Fix the title of the session recording man page

Reviewed-by: amitkumar50 <amitkuma@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/92addd7ba861103d6d7f61168abd72bbf2a6ca53">92addd7b</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-24T22:19:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux_child: Allow to query sssd

The function getpwnam_r is indirectly used ins selinux_child
on few places. (in libselinux and libsemanage)

There is not any reason why we should block nss calls with sssd.
It is a child process and loop cannot be created.
(BTW it is also allowed in krb_child and proxy_child)

  #0  _nss_sss_getpwnam_r (name=0x55c0e6471a50 "user4_2", result=0x7ffe9ab0d05,
          buffer=0x55c0e64741a0 "\200é\256\177\177", buflen=1024,
          errnop=0x7f7fafbcdb08)
          at src/sss_client/nss_passwd.c:132
  #1  0x00007f7fae7ad48f in __getpwnam_r (name=name@entry=0x55c0e6471a50 "user4_2",
          resbuf=resbuf@entry=0x7ffe9ab0d050, buffer=buffer@entry=0x55c0e64741a0 "\200é\256\177\177",
          buflen=buflen@entry=1024, result=result@entry=0x7ffe9ab0d048)
          at ../nss/getXXbyYY_r.c:316
  #2  0x00007f7faeabc9e2 in get_default_gid (name=0x55c0e6471a50 "user4_2")
          at seusers.c:105
  #3  getseuserbyname (name=0x55c0e6471a50 "user4_2", r_seuser=0x7ffe9ab0d0f0,
          r_level=0x7ffe9ab0d0f8) at seusers.c:186
  #4  0x000055c0e5126d02 in seuser_needs_update (ibuf=0x55c0e64718e0)
          at src/providers/ipa/selinux_child.c:175
  #5  main (argc=<optimized out>, argv=<optimized out>)
          at src/providers/ipa/selinux_child.c:332

  #0  _nss_sss_getpwnam_r (name=0x55c0e647dda0 "user3_1", result=0x7ffe9ab0cce0,
          buffer=0x55c0e6482180 "\240AG\346\300U", buflen=1024,
          errnop=0x7f7fafbcdb08) at src/sss_client/nss_passwd.c:132
  #1  0x00007f7fae7ad48f in __getpwnam_r (name=name@entry=0x55c0e647dda0 "user3_1",
          resbuf=resbuf@entry=0x7ffe9ab0cce0, buffer=buffer@entry=0x55c0e6482180 "\240AG\346\300U",
          buflen=buflen@entry=1024, result=result@entry=0x7ffe9ab0ccd8)
          at ../nss/getXXbyYY_r.c:316
  #2  0x00007f7faece29b3 in add_user (head=head@entry=0x7ffe9ab0ce28,
          user=user@entry=0x55c0e64b5930, name=name@entry=0x55c0e647dda0 "user3_1",
          sename=sename@entry=0x55c0e647bdc0 "staff_u",
          selogin=selogin@entry=0x55c0e647dda0 "user3_1",
          s=<optimized out>) at genhomedircon.c:999
  #3  0x00007f7faece334c in get_users (errors=<synthetic pointer>,
          s=0x7ffe9ab0ce70) at genhomedircon.c:1167
  #4  write_gen_home_dir_context (homedir_context_tpl=0x55c0e647d3d0,
          user_context_tpl=0x55c0e647a870, username_context_tpl=0x0,
          out=0x55c0e646fa80, s=0x7ffe9ab0ce70) at genhomedircon.c:1205
  #5  write_context_file (out=<optimized out>, s=0x7ffe9ab0ce70)
          at genhomedircon.c:1317
  #6  semanage_genhomedircon (sh=sh@entry=0x55c0e6476380, policydb=<optimized out>,
          usepasswd=<optimized out>, ignoredirs=<optimized out>)
          at genhomedircon.c:1382
  #7  0x00007f7faecdfb95 in semanage_direct_commit (sh=0x55c0e6476380)
          at direct_api.c:1575
  #8  0x00007f7faece4d6d in semanage_commit (sh=0x55c0e6476380) at handle.c:426
  #9  0x000055c0e5127cf8 in sss_set_seuser (login_name=0x55c0e6471a5 "user4_2",
          seuser_name=0x55c0e6471960 "staff_u", mls=<optimized out>)
          at src/util/sss_semanage.c:335
  #10 0x000055c0e5126eea in sc_set_seuser (mls=0x55c0e64719d0 "s0-s0:c0.c1023",
          seuser_name=0x55c0e6471960 "staff_u",
          login_name=0x55c0e6471a50 "user4_2")
          at src/providers/ipa/selinux_child.c:162
  #11 main (argc=<optimized out>, argv=<optimized out>)
          at src/providers/ipa/selinux_child.c:334

Merges: https://pagure.io/SSSD/sssd/pull-request/3732

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/51c6c483349786a988d0a64f56e09abdb71b0801">51c6c483</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-24T22:19:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux_child: Fix crash with initialized key

The semanage_seuser_key_t can be NULL in done section
in case of issues with initializing semanage handle or failure
with creating transaction.

The semanage_seuser_key_free is not NULL tolerant therefore its better
to prevent dereference of NULL pointer.

  #0  semanage_seuser_key_free_internal (key=0x0) at seuser_record.c:83
  #1  0x000055c1f8a687ed in sss_set_seuser (login_name=0x55c1f9ff8a50 "user4_1",
          seuser_name=0x55c1f9ff8960 "staff_u", mls=<optimized out>)
          at src/util/sss_semanage.c:344
  #2  0x000055c1f8a67eea in sc_set_seuser (mls=0x55c1f9ff89d0 "s0-s0:c0.c1023",
          seuser_name=0x55c1f9ff8960 "staff_u",
          login_name=0x55c1f9ff8a50 "user4_1")
          at src/providers/ipa/selinux_child.c:162
  #3  main (argc=<optimized out>, argv=<optimized out>)
          at src/providers/ipa/selinux_child.c:334

Merges: https://pagure.io/SSSD/sssd/pull-request/3732

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d5c3070c3dd8664b23999f003adc7fd170d19f20">d5c3070c</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-28T09:44:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Don't force a fqname for files provider' output

Although this do not cause any issue per si, doesn't make sense to have
the output of the files provider changing its behaviour depending on
whether we do or do not use a domain_resolution_order.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7f6ff80cf1dac5a0b663709d6f9e6ef4c7993fc9">7f6ff80c</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-28T09:44:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cache_req: Don't force a fqname for files provider output

As we're enforcing the output of files provider to be fully-qualified we
can face some weirdness when using domain_resolution_order as:
[user@implicit_files@machine]$

This is not only not coherent but also causes issues when the local
user, which is managed by the files provider, tries to do a `sudo su`.

As the most common scenario for *local* users is to have the user
(non-fully-qualified) in sudoers and, as sudo simply compares usernames,
changing the output from non fully-qualified to fully-qualified would
break this scenario, not allowing the user which has sudo access to use
sudo.

In order to avoid the issues described above, let's just not force the
output of the files provider to be fully-qualified.

Resolves:
https://pagure.io/SSSD/sssd/issue/3743

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a16d9743e466d5d19a6ea7e5dbe1484413c0e0c5">a16d9743</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-28T09:44:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: Add a test for files provider + domain resolution order

Resolves:
https://pagure.io/SSSD/sssd/issue/3743

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/74a5147228e2d92540007668d28331e2137a25b4">74a51472</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-28T09:44:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: Users managed by the files provider don't have their output fully-qualified

As the users managed by the files provider won't have their output using
fully-qualified domain names, let's make it explicity in our man pages.

Resolves:
https://pagure.io/SSSD/sssd/issue/3743

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e354ec7458d523e7bfca3237f42fd5d05bb0d767">e354ec74</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-28T09:44:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DP/LDAP: Only increase the initgrTimestamp when the full initgroups DP request finishes

An initgroups request for an AD user consists of two parts - resolving
the AD user, which internally calls an LDAP request and adding the IPA
external group memberships. For (probably?) historical reasons from the
time before we had any notion of subdomains, the initgrTimestamp
attribute is written down at the LDAP request level when it finishes --
which means the initgrTimestamp is written before the IPA external group
membership is evaluated.

When two requests for initgroups arrive semi-concurrently, it can happen
that the first request will trigger the whole machinery while the other
one would evaluate the initgrTimestamp attribute that was just bumped,
but the IPA group memberships were not yet written to the cache.

The result is that the second racing request only returns AD groups.

This fix removes writing the timestamp from the generic LDAP code and
instead writes the timestamp only when the Data Provider request fully
returns.

Resolves:
https://pagure.io/SSSD/sssd/issue/3744

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8f4b18db02185d704f68dfde576bcb0a72ae6664">8f4b18db</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-31T22:44:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "CACHE_REQ: Don't force a fqname for files provider' output"

This reverts commit d5c3070c3dd8664b23999f003adc7fd170d19f20.

The patch was pushed by mistake and should not be kept nor be part of
our tree.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f9b42e39332ad09c173b4747b9c6ff5d097d30bd">f9b42e39</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-31T22:45:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux_child: workaround fqnames when using DRO

When using domain_resolution_order the username will always be
fully-qualified, what has been causing some SELinux issues as mappings
for user 'admin' are not applied for 'admin@ipa.example'.

In order to work this around we can take advantage that selinux_child
queries SSSD since commit 92addd7ba and call getpwnam() in order to get
the username in the correct format.

seuser_needs_update() signature has been updated due to this change.

Resolves:
https://pagure.io/SSSD/sssd/issue/3740

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/50a90eb24efb0d74fcb6d0cd16ec9e8999e52be3">50a90eb2</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-31T22:46:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Do not use signal-unsafe calls in ldap_child SIGTERM handler

The DEBUG macros internally use several signal-unsafe calls so it's
better to not use any DEBUG macros at all.

man 7 signal-safety lists functions that can be used in a signal
handler.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/179c7fb36f2bc699631ea1b76a8ced474e70a88f">179c7fb3</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-31T22:47:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo_ldap: fix sudoHost=defaults -> cn=defaults in the filter

This is a typo introduced as part of 47ad0778.

Resolves:
https://pagure.io/SSSD/sssd/issue/3742

Related:
https://pagure.io/SSSD/sssd/issue/3558

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0f897b18fd1a3681776aaaccf99114a7617d1d04">0f897b18</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-31T22:47:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "sysdb custom: completely replace old object instead of merging it"

This reverts commit cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63, as the
commit introduced a regression on known_hosts.

Resolves:
https://pagure.io/SSSD/sssd/issue/3733

Related:
https://pagure.io/SSSD/sssd/issue/3558

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f9e4c93414a492e592fc862586e39f8b7a4f27b6">f9e4c934</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-05-31T22:48:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb_sudo: completely replace old object instead of merging it

Let's make sure that we do not merge two record in sysdb_sudo.

1) If there are two rules with the same cn (possible with multiple search bases
or organizational units) we would end up merging those two rules instead of
choosing one of them.

2) Also smart refresh would merge the diff insteand of removing the attributes
that are no longer present in ldap.

Since 1) is a rare use case and it is a misconfiguration we completely replace
the old rule with new one. It is simpler to implement and it solves both issues.

Resolves:
https://pagure.io/SSSD/sssd/issue/3558

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6d3632290ba00414cf0453384eb52c2bedb25352">6d363229</a></strong>
<div>
<span>by Thorsten Scherf</span>
<i>at 2018-05-31T22:48:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: Add FILES as a valid config option for 'id_provider'

The 'id_provider' config option can now also take 'files' as a valid value.
This should be mentioned in man 5 sssd.conf. With this change we are also
going to deprecate the 'id_provider = local' setting.

Resolves:
https://pagure.io/SSSD/sssd/issue/3749

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7567215ca0e180414f76469699025f281b8ac6dc">7567215c</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-05-31T22:49:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AUTOFS: remove timed event if related object is removed

autofs_map_result_timeout() is called as a timed event to free the
autofs map data is the cache lifetime is exceeded. If the data is freed
earlier the timed event should be removed as well to avoid a double
free issue.

Since talloc is used here the most easy way to achieve this is to allocate
the timed event on the map object itself.

Resolves:
https://pagure.io/SSSD/sssd/issue/3752

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1e6381c81aa656d0e2112f344dd50ed695c7d327">1e6381c8</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Remove unnecessary *flags from test_ipa_dn

sh-4.4$ grep wrap src/providers/ipa/ipa_dn.c src/tests/cmocka/test_ipa_dn.c
sh-4.4$ grep UNIT_TESTING src/providers/ipa/ipa_dn.c src/tests/cmocka/test_ipa_dn.c

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/597677993c136e44f5188d817952f6addf9ca49c">59767799</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:13+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Remove ldap libraries from SSSD_LIBS

They are not used in any responder.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/38158852c4ec80d01479347e80c3438f88b3af23">38158852</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Remove ldap libraries from TOOL_LIBS

Just backend needs to be linked with openldap libraries.
None of tools need them.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/11ff270f959f43540a9409af0dc0b5a4d8db83dd">11ff270f</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Remove pcre libs from common *_LIBS

PCRE is used just in libsss_util and krb5 provider
(+ few unit tests)

sh$ git grep pcre_free
src/providers/krb5/krb5_init.c:        pcre_free(ctx->illegal_path_re);
src/tests/krb5_child-test.c:        pcre_free(ctx->illegal_path_re);
src/tests/krb5_utils-tests.c:    pcre_free(illegal_re);
src/util/usertools.c:        pcre_free(snctx->re);
src/util/usertools.c:        pcre_free_substring(result);
src/util/usertools.c:                pcre_free_substring(result);
src/util/usertools.c:                pcre_free_substring(result);

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a63c28695b46e5abe5775b68a36b6c6a4ba53104">a63c2869</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Remove pcre from krb5_child

sh# objdump -T /usr/libexec/sssd/krb5_child | grep pcre
sh# echo $?
1

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a10cd9ec082e6f2de299e5c45de3c049f69d0eb2">a10cd9ec</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Remove libcollection form common *libs

libcollection is not used directly by sssd.

sh$ git grep " col_"
sh$ echo $?
1

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/17f5b50d833e253a729081bf7fe0f9e82bf4c51a">17f5b50d</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Reduce dependencies of sss_signal

sss_signal is tiny binary which can call only
function "sss_signal" or debug related functions

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/af9c031a9bd5b8079c5d7e14b8fd2d6fdfb7dd93">af9c031a</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Remove cares from sssd_secrets

The secrets responder does not use any name resolution functions.

sh$ objdump -T /usr/libexec/sssd/sssd_secrets | grep ares
sh$ echo $?
1

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/acc799684542134cce6b5a1843003cbef956324e">acc79968</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-05-31T22:54:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Remove libini_config from common libs

The libini_config is not directly used by responders nor tools.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a887e33fbd02bc9ef987fc1bd2a487a04aff9980">a887e33f</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-06-02T09:48:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MONITOR: Do not use two configuration databases

confdb was initialized twice in monitor. The 1st time in
load_configuration and the 2nd time in server_setup.

libldb-1.4.0 contains stricter checking of PID which created db.
    ldb_tdb: Prevent ldb_tdb reuse after a fork()

    We may relax this restriction in the future, but for now do not assume
    that the caller has done a tdb_reopen_all() at the right time.

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>

It did not cause any problem when sssd was stared in interactive mode
(used by systemd) But it causes failures in daemon mode which is used
in cwrap integration

[sssd] [ldb] (0x4000): Destroying timer event 0x5555557b1d30 "ltdb_timeout"
[sssd] [ldb] (0x4000): Ending timer event 0x5555557cbdd0 "ltdb_callback"
[sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
[sssd] [ldb] (0x0010): Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 28889 in process 28893
 / Protocol error
[sssd] [confdb_get_param] (0x0020): Failed to get [krb5_rcache_dir] from [config/sssd], error [5] (Input/output error)
[sssd] [confdb_get_string] (0x0020): Failed to get [krb5_rcache_dir] from [config/sssd], error [5] (Input/output error)

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/bc7b4a3bed39312b4157e216e9d20cf91347e709">bc7b4a3b</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-06-02T09:48:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CI: Prepare for python3 -> python

rpm-spec-builddeps is used for extracting build dependencies from spec
file to avoid duplication. But it was mostly used by python2 and
therefore we did not notice issues with python3 which has "print"
as a function and not as a statement.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5b3941612ad2aea9b197d5ece0560f34e97ff9f6">5b394161</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:10:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: move verification into separate functions

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6514c4bd802ddabd2ad8c9a8c3de1246c87dbad9">6514c4bd</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:10:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: add verification option

With the new option p11_child can be used to verify a certificate given
on the command line. This will allow the ssh responder to call p11_child
to verify a certificate instead of doing it on its own. This does not
only reduce code-duplication but makes sure that the ssh responder is
not blocked while running OCSP checks.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9971ee45e093babe164a4e260bc41e8bb27eefe0">9971ee45</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: add get_ssh_key_from_cert()

This new call only extracts the ssh key out of a certificate with the
help of NSS or OpenSSL without verifying the certificate.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f5e1aaf86bb97d6d9712a7c313536546f5d39947">f5e1aaf8</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: move p11 child paths to util.h

To allow other responders to call p11_child too, some general defines
are moved to a common place.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2f897afd62dd6e3ca4438b9f0d4d3e9ce1503985">2f897afd</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: add cert_to_ssh_key request

With this new request p11_child is used to verify the certificate before
the ssh key is extracted.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/176e4d24adfbbed57ffa8e0f978cf66547281ee3">176e4d24</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add test for cert_to_ssh_key request

This patch adds cmocka base until tests for the new cert_to_ssh_key
request

There seems to be a memory leak in bash if a called binary returns an
error code. Since p11_child is called via a libtool wrapper in the unit
tests and returns an error code if a certificate is invalid this will be
reported during the CI valgrind run. To make the CI pass here a
suppression is added.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/842daeb71baa866e6c4a9b152861b7f00261c247">842daeb7</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ssh: use cert_to_ssh_key request to verify certifcate and get keys

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4f63a1a976673bb6d28a2052008c7e0859afc8cc">4f63a1a9</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ssh: add option ssh_use_certificate_keys and enhance man page

This patch adds on option to switch the extraction of ssh keys from
X.509 certificates on and off and improves the general documentation
about this feature in the sss_ssh_authorizedkeys man page.

Related to https://pagure.io/SSSD/sssd/issue/3688

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7190e0ef5e8a675b8fcb2fe327dc8dfb14d8f4a3">7190e0ef</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: remove unused code from cert utils

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/165f58ab7fb22c7e82aca2be3eeb76377a955d2f">165f58ab</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add SSH responder tests

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b5136cd9a9146816bf0a24c0dd78bd44b2a8e739">b5136cd9</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:37+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: split common and NSS code into separate files

To avoid code duplication when adding support for OpenSSL the common
code is move into a separate file.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6d6e4a5d13449af3cf3408c1846bfbd9c7317b72">6d6e4a5d</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: add OpenSSL support

The patch adds an alternative implementation of p11_child with uses
p11-kit and OpenSSL instead of NSS.

Some certificate validation options are still missing and will be added
in upcoming patches.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4eed225be467db327bf111db2598acba8ccdf82d">4eed225b</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: make some cert auth checks order independent

Since it is not clear in which order multiple certificates are returned
by the Smartcard/PKCS#11 module/p11_child tests should not rely on the
order.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/075f2f3aba55da099fdd9ee6771d21e1b700bf1b">075f2f3a</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: allow tests to use OpenSSL version of p11_child

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ee76c686c79be7c3bb6c517403f06b0b3b29d831">ee76c686</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certmap: fix issue found by Coverity in OpenSSL version

So far Coverity was only run with the NSS build enabled, with OpenSSL
enabled an issue was found in an OpenSSL specific file.

Related to https://pagure.io/SSSD/sssd/issue/3495

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8adf6eadd2c4279865ed589934e08153898ca68e">8adf6ead</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:11:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC/CI: enable openssl build for Debian and upcoming versions

Related to https://pagure.io/SSSD/sssd/issue/3495

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8127b585a8f5f2528191a05b73fe6bd442e1b8c6">8127b585</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-05T21:12:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certmap: allow missing empty EKU in OpenSSL version

In the OpenSSL version of the certificate mapping and matching code a
missing Extended Key Usage (EKU) extension was not detected properly and
caused an error while processing the certificate.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9adc750a0862651054275c5c6a9edeef5169c001">9adc750a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-05T21:10:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESPONDERS: Enable the local negative timeout by default

Instead of letting admins opt-in to caching the local users negatively
for a long time, let's enable the negative cache by default.

Resolves:
https://pagure.io/SSSD/sssd/issue/3619

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/df8e1055b8bf344d106fb476205660a7d3ccd1b3">df8e1055</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-05T21:10:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Suppress a loud debug message in case a built-in SID can't be resolved

Resolves:
https://pagure.io/SSSD/sssd/issue/3706

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6191cf81d78cfff3140975734a7e1afbcd484f30">6191cf81</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:16:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: be aware that size_t might have different size than other integers

The memory assignment for the size_t type might be larger on some
platforms than for 32bit integer values and even for value of unsigned
int type. When converting/casting size_t to those values special care
has to be taken especially when pointers to those values are used.

The patch also contains a fix for a unit test which now should detect
the issue properly.

Related to https://pagure.io/SSSD/sssd/issue/3757

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/39d37f6daeaa5f0b12de3d36c43300aaeabf1d5c">39d37f6d</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2018-06-08T13:16:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: DEBUG msg when GP to PAM mappings overlap

Improve debugging by giving hints on how to fix the issue
with overlapping PAM mappings.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f3f1bd4acc6d16d685d109d26cb654db9d9c582e">f3f1bd4a</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2018-06-08T13:16:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Debugging default PAM service mapping

It was not simple to figure out what is going on when
the users where denied in case the PAM service was
not mapped to any Group Policy rule.

Resolves:
https://pagure.io/SSSD/sssd/issue/3664

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f8025ae01699b5221079a4ee2c6111c514642ce4">f8025ae0</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-06-08T13:17:07+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tlog: only log in tcurl_write_data when SSS_KCM_LOG_PRIVATE_DATA is set to YES

As a stopgap fix for this release, let's not log the content received in
tcurl_write_data().

A proper fix has to be done on Secrets's side.

Related:
https://pagure.io/SSSD/sssd/issue/3674

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8aa56a9e8744a7611fa26a254c4f9228e919c8ed">8aa56a9e</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:17:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb: add sysdb_getgrgid_attrs()

sysdb_getgrgid() is the only MPG aware by GID request but only supports
a fixes set of attributes. The new call allows to add additional
arguments.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/032221568fe4287686d0ebb11b5c1fe51cc4735f">03222156</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:17:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa: use mpg aware group lookup in get_object_from_cache()

Since with algorithmic id-mapping SSSD automatically creates user
private groups for AD user with the help of magic private groups (mpg)
get_object_from_cache() should use mpg aware calls to make sure the
right user object is found when handling a request to look up a user
private group.

Only the lookup by gid had to be modified because
sysdb_search_group_by_name() used for lookups by name is aware of MPGs.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e66517dcf63f1d4aaf866c22371dac7740ce0a48">e66517dc</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:17:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa: allow mpg group objects in apply_subdomain_homedir()

Since with algorithmic id-mapping SSSD automatically creates user
private groups for AD user with the help of magic private groups (mpg)
apply_subdomain_homedir() should be aware the in mpg domains a group
lookup might actually return a user object. Since the related sysdb
calls are clever and replace the objectcategory so that it matches the
original request type we have to check for the group category in the mpg
case as well. apply_subdomain_homedir() checks the uidNumber later as
well to make sure the object has the needed attributes for a user.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ad6ab352879264fdade8861aff53aa035a2e2240">ad6ab352</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:17:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD/LDAP: do not fall back to mpg user lookup on GC connection

For MPG domains a group lookup might fall back to a user lookup to check
if the request is for a user private group. Since we cannot be sure that
all needed attributes for a user are replicated to the Global Catalog we
do not want to lookup the user during the fall back from the Global
Catalog.

Since we cannot skip Global Catalog lookups for groups completely due to
membership to groups with universal scope this patch adds a flag to tell
the lower level lookup calls to not fall back on connections to a Global
Catalog.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8550c06fd960f2b68d7aa67f403510415cd8fdda">8550c06f</a></strong>
<div>
<span>by Richard Sharpe</span>
<i>at 2018-06-08T13:25:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss-imap: add sss_nss_getsidbyuid() and sss_nss_getsidbygid()

Two new calls are added to allow the caller to specify if the given
POSIX ID is a UID or a GID and the expected result is a user or a group
respectively. This is needed because on POSIX a user and a group may
share numerically the same ID value but might have different SIDs
assigned.

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2571accdefe0999129910b3532be129812598857">2571accd</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:25:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cifs idmap plugin: use new sss_nss_idmap calls

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8ae68aa27d3e4d3a42ebfa3cb165dc4d9f289c61">8ae68aa2</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:25:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">winbind idmap plugin: use new sss_nss_idmap calls

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/54c040cb4ea120771954d5882b756e9300b7b673">54c040cb</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:25:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">libwbclient-sssd: use new sss_nss_idmap calls

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b8da03b4234ea5536dc08c1627c710f0b64afc64">b8da03b4</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-08T13:25:13+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pysss_nss_idmap: add python bindings for new sss_nss_idmap calls

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/23c65bd29319abe90d1ba0bfa21ef2bb5d4e6844">23c65bd2</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-08T21:20:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updating the translations for the 1.16.2 release
</pre>
</li>
</ul>
<h4>28 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#eae40b507f9c3502accc6d7f8a39c9a7d9936b6f">
<span class="new-file">
+
.copr/Makefile
</span>
</a>
</li>
<li class="file-stats">
<a href="#dea01dd89a3b602828e630677fde5d77c06441c8">
<span class="new-file">
+
.travis.yml
</span>
</a>
</li>
<li class="file-stats">
<a href="#aeaeb516c0de942f0992b9ab758429dccb04ff10">
<span class="new-file">
+
.travis/travis-docker-build.sh
</span>
</a>
</li>
<li class="file-stats">
<a href="#a2a4240313da7c534067b5ee0328e0138025e7a9">
<span class="new-file">
+
.travis/travis-tasks.sh
</span>
</a>
</li>
<li class="file-stats">
<a href="#6651ddff6eb82c840ced7c1dddee15c6e1913dd4">
<span class="new-file">
+
Dockerfile
</span>
</a>
</li>
<li class="file-stats">
<a href="#4ff59043f99301504a0b609dfae19439287cf3d6">
<span class="new-file">
+
Dockerfile.deps
</span>
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#4fd746b72d7a3976d4c1ae84db34f6173b62a1e8">
contrib/ci/configure.sh
</a>
</li>
<li class="file-stats">
<a href="#49d80aa598751b3e8c23a3bbb4e7e9c03aa770b6">
contrib/ci/deps.sh
</a>
</li>
<li class="file-stats">
<a href="#808187b33a9ee15ebc4dcb8196fbb2439e32a511">
contrib/ci/rpm-spec-builddeps
</a>
</li>
<li class="file-stats">
<a href="#3ead13c99a6fdcbcc0a23d3846e2a8837cc2f3e7">
contrib/ci/run
</a>
</li>
<li class="file-stats">
<a href="#d348d65f630a357f2aeaa78fc64043f57caa4cb0">
contrib/ci/sssd.supp
</a>
</li>
<li class="file-stats">
<a href="#76218f39b53d6aef0e4075d5e29fd61d2d9efca3">
contrib/fedora/make_srpm.sh
</a>
</li>
<li class="file-stats">
<a href="#bc724ee14b825ed782b6b01a0dc13f00ff7725d6">
contrib/gdb/sssd_gdb_plugin.py
</a>
</li>
<li class="file-stats">
<a href="#b8d57aa4a09effcbac8deeffe8aea9131499424f">
contrib/sssd.spec.in
</a>
</li>
<li class="file-stats">
<a href="#4e573a66c66b45b45a1e180cad791738ed22cdd2">
po/bg.po
</a>
</li>
<li class="file-stats">
<a href="#b91599a7e7dcdfc93152518865a9d894acfe41c9">
po/ca.po
</a>
</li>
<li class="file-stats">
<a href="#fccf081b8d2f9631b6347df4a24d22fac5a73474">
po/cs.po
</a>
</li>
<li class="file-stats">
<a href="#8133f48bcd872819f4d7310d09b4ef30a26831b0">
po/de.po
</a>
</li>
<li class="file-stats">
<a href="#bf0ecd6fd82096852700283e68fd723ccfe57871">
po/es.po
</a>
</li>
<li class="file-stats">
<a href="#804f8c75d12ae05ad9351001530d8575e03a169d">
po/eu.po
</a>
</li>
<li class="file-stats">
<a href="#09aa9a4cf22de79302d7cefe7d280b7235f787c7">
po/fr.po
</a>
</li>
<li class="file-stats">
<a href="#1ea4eac30921a4a13fc7be0b323144e189daec70">
po/hu.po
</a>
</li>
<li class="file-stats">
<a href="#cbd0a16c6ab85833ae5892982bc57d68cc315864">
po/id.po
</a>
</li>
<li class="file-stats">
<a href="#327aa0bc550fa884acca79a3295e722b622f7559">
po/it.po
</a>
</li>
<li class="file-stats">
<a href="#5c873de36a1b57f9c8b16c7fb9cd64292a431fb2">
po/ja.po
</a>
</li>
<li class="file-stats">
<a href="#088da71e4e8eddb438a4704013c74671ac837fe3">
po/nb.po
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
<a href="https://salsa.debian.org/sssd-team/sssd/compare/7465d6a1ef6e83825dba3a4dc4dda7271671aba0...23c65bd29319abe90d1ba0bfa21ef2bb5d4e6844">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.

</p>
</div>
</body>
</html>