<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch master
at <a href="https://salsa.debian.org/sssd-team/sssd">Debian SSSD packaging / sssd</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b5b073c26f3a8e63d701b893e21bd83d4f87f6c3">b5b073c2</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-08T19:42:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bumping the version to track the 1.16.3 development
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/efae9509cb05648357e9b4c10a93c0d38558bed4">efae9509</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-14T18:01:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5 locator: add support for multiple addresses
Read multiple addresses from the kdcinfo files and call the provided
callback with each of them.
Related to https://pagure.io/SSSD/sssd/issue/941
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9f683246228848173c57ad02bde241bd761481ea">9f683246</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-14T18:01:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5 locator: fix IPv6 support
IPv6 addresses are added with surrounding '[' and ']' to the kdcinfo
file to be able to specify a port number properly. The Kerberos location
plugin didn't handle those entries properly.
Related to https://pagure.io/SSSD/sssd/issue/941
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c1fbc6b64ecaf51efc4379c4c8a4960de095abf0">c1fbc6b6</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-14T18:01:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5 locator: make plugin more robust
Although currently libkrb5 sets all parameters of the locator plugin
calls to suitable values we should make sure that provided pointers are
not NULL before trying to dereference them.
Related to https://pagure.io/SSSD/sssd/issue/941
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2124275fe494a0241a552538c70f40c2291f3795">2124275f</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-14T18:01:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5 locator: add unit tests
Unit test for existing and new functionality of the Kerberos locator
plugin.
Related to https://pagure.io/SSSD/sssd/issue/941
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cc7922755dac53c69558ba060b309ac48ae82783">cc792275</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-14T18:02:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD/IPA: Create kdcinfo file for sub-domains
With this patch kdcinfo files are created for sub-domains by the AD
provider and by the IPA provider on the IPA servers
(ipa_server_mode=True).
Related to https://pagure.io/SSSD/sssd/issue/3652
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d91661e295c8e878f1bbf34e6f65f61e8301bf0e">d91661e2</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-14T18:02:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5: refactor removal of krb5info files
Currently a persistent offline callback removes the krb5info files for
the configured main domain and those files were removed by a SIGTERM
signal handler as well.
This does not scale if krb5info files are created for sub-domains as
well. To remove the files automatically the removal is moved into a
talloc destructor of an offline callback which is added if the file is
created and frees itself when the system goes offline. Due to the
talloc memory hierarchy we get removal on shutdown for free.
Related to https://pagure.io/SSSD/sssd/issue/3652
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4759a482781bcecdb0ad1119e74dcefa1fe94337">4759a482</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-14T18:02:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5_common: add callback only once
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f28d995719db632130e9e063cb1ab7cb4e0fc8d8">f28d9957</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-14T18:02:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">data provider: run offline callbacks only once
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1038473e1c9775d1273809c46673fa1475e50937">1038473e</a></strong>
<div>
<span>by Amit Kumar</span>
<i>at 2018-06-14T18:02:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Responder: simplify if-else structure in sss_dp_get_account_msg()
The structure of if-else statements in sss_dp_get_account_msg
became too complex. Replacing if-else with switch initially,
will investigate more on refactoring further.
Resolves: https://pagure.io/SSSD/sssd/issue/1903
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b34fcff0f8bccd7b827686b50c53f45b7e20bb44">b34fcff0</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-06-16T08:16:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">intg: Do not hardcode nsslibdir
This change is needed in order to have make intgcheck-run properly
running on opensuse systems.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1575ec97e080656f69b3f93e641c76e74ffb8182">1575ec97</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:29:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Extend the schema with sshPublicKey attribute
This will allow to store the users with a sshPublicKey attribute
provided that they have the right objectclass as well.
Related to:
https://pagure.io/SSSD/sssd/issue/3747
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/56cda832e9f61c52e9cfde1f0864507de718ffbb">56cda832</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:29:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Allow adding sshPublicKey for users
Adds the objectclass and allows storing a list of sshPublicKey
attributes for users. Since there is no harm in adding the extra
objectclass, we can do it unconditionally.
Related to:
https://pagure.io/SSSD/sssd/issue/3747
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/804c5b538ad89a1a3897b93f39d716fa50530842">804c5b53</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:30:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add a basic SSH responder test
Adds a basic test that makes sure that a list of SSH public keys can be
retrieved. This is to make sure we don't break the SSH integration later
on.
Related:
https://pagure.io/SSSD/sssd/issue/3747
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cb138d7d060611e891d341db08477e41f9a3d17d">cb138d7d</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:30:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSH: Do not exit abruptly if SSHD closes its end of the pipe before reading all the SSH keys
Resolves:
https://pagure.io/SSSD/sssd/issue/3747
Before writing the keys to sshd, ignore SIGPIPE so that if the pipe
towards the authorizedkeys helper is closed, the sss_ssh_authorizedkeys
helper is not terminated with SIGPIPE, but instead proceeds and then the
write(2) calls would non-terminally fail with EPIPE.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/909c16edb26a3c48b10a49e7919a35d13d31c52e">909c16ed</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:30:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add a helper binary that can trigger the SIGPIPE to authorizedkeys
Adds a test tool that simulates the behaviour of OpenSSH in the sense
that it starts to read the output from the sss_ssh_authorizedkeys tool,
but then closes the pipe before reading the whole output.
Related:
https://pagure.io/SSSD/sssd/issue/3747
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4cc3c1a1b1070c12bcc4351880d8207e47b37496">4cc3c1a1</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:30:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add a regression test for SIGHUP handling in sss_ssh_authorizedkeys
A regression test for:
https://pagure.io/SSSD/sssd/issue/3747
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b0ec3875da281a9c29eda2cb19c1026510866d5b">b0ec3875</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:36:22Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "LDAP/IPA: add local email address to aliases"
This reverts commit 9a310913d696d190db14c625080678db853a33fd.
Storing the e-mail address as a nameAlias was a performance optimization
to avoid having to fall back to the UPN lookup, but had the disadvantage
of returning multiple results for cases where an e-mail address is the
same as a user's fully qualified name.
Since the e-mail lookups would still work without this optimization,
just after one more lookup, let's revert the patch.
Resolves:
https://pagure.io/SSSD/sssd/issue/3607
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/58f60a0949f5d84b1fe5d15e52adfceb84053569">58f60a09</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:36:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util: Remove the unused function is_email_from_domain
This commit pretty much reverts commit
04d4c4d45f3942a813b7f772737f801f877f4e64, it's just coded manually,
because "git revert 04d4c4d45f3942a813b7f772737f801f877f4e64"
resulted in conflicts. It's easier to just remove the single
function.
Related:
https://pagure.io/SSSD/sssd/issue/3607
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d057eb2e20a19ce975dc2202f7c0e9f204eb9510">d057eb2e</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:36:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Allow storing e-mail address for users
This would allow adding tests for by-e-mail lookups later
Related:
https://pagure.io/SSSD/sssd/issue/3607
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/76ce965fc3abfdcf3a4a9518e57545ea060033d6">76ce965f</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:36:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add regression test for looking up users with conflicting e-mail addresses
Related:
https://pagure.io/SSSD/sssd/issue/3607
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5e1641b104f159f9fa47c3008d84119dfd5ab226">5e1641b1</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:37:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD/LDAP: Do not misuse the ignore_mark_offline to check if a connection needs to be checked for POSIX attribute presence
The logic behind deciding whether to check if a server contains any
POSIX attributes used the ignore_mark_offline flag. This was OK for some
time, because this flag was only set to true for Global Catalog
connections, which are those that we need to check.
However, in recent releases, the flag was also set for any connection
towards a trusted domain. This had the unintended effect that any
lookup, LDAP or GC against a trusted domain ran the wide POSIX presence
check.
Resolves:
https://pagure.io/SSSD/sssd/issue/3754
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4c79db69cbad88ed56e87e8fe61f697f72d7408d">4c79db69</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:38:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Remove outdated notes from the re_expression description
These notes are only valid for very old pcre releases which hopefully
nobody is using anymore.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8071976af46cdd29980f1a11f8a6d6f00ab050ed">8071976a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-22T09:39:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Document the re_expression needed to support @-signs in the groupnames
In the 2.0 release we will be able to change the default regular
expression that will allow to consume @-signs in the name, but
since the 1.x branches need to stay backwards compatible, let's
only document the regex for now.
Related:
https://pagure.io/SSSD/sssd/issue/3219
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a2cc554f438c220b3cc73eb93879dd87795a86cd">a2cc554f</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-22T10:17:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: add libsss_child dependency to libsss_cert
Since the refactoring of the ssh responder to call p11_child to
validate certificates there is a dependency between libsss_cert and
libsss_child. In some environments, e.g. gentoo or the OpenSUSE build
service, this dependency must be declared explicitly even if it is
resolved otherwise while linking the binaries.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ed90a20a0f0e936eb00d268080716c0384ffb01d">ed90a20a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-25T07:18:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SUDO: Create the socket with stricter permissions
This patch switches the sudo responder from being created as a public
responder where the permissions are open and not checked by the sssd
daemon to a private socket. In this case, sssd creates the pipes with
strict permissions (see the umask in the call to create_pipe_fd() in
set_unix_socket()) and additionally checks the permissions with every read
via the tevent integrations (see accept_fd_handler()).
Resolves:
https://pagure.io/SSSD/sssd/issue/3766 (CVE-2018-10852)
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c5ef56b4f9ffb361742edae36b261a4ffd0e75ae">c5ef56b4</a></strong>
<div>
<span>by amitkumar50</span>
<i>at 2018-06-25T11:11:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Give information regarding priority of ldap lookup
This PR provides information about priority of lookup
similar to as provided by function select_principal_from_keytab().
Resolves: https://pagure.io/SSSD/sssd/issue/3475
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/29bbc8e017f2d9b98667890a9b7056128a93e572">29bbc8e0</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-29T20:16:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: expose the helper function to format the site DNS query
This function will be used later in the patchset. Instead of exposing
the format constant, expose the function that builds the DNS query for
site discovery.
Related:
https://pagure.io/SSSD/sssd/issue/3291
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6f80bccc6f8203381c387080bd0563ba10994487">6f80bccc</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-29T20:17:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESOLV: Add a resolv_hostport_list request
Adds a request that resolves a list of (host,port) tuples and returns a
list of structures that contain the resolv_hostent structure as other
resolver requests do, but also a pointer to the original request tuple.
This is done because the request skips any unresolvable inputs, so it
might be handy to know which input an output maps to.
It is expected that the request will be used in the future also for cases
where we want to e.g. try the connectivity to a server using a mechanism
such as an LDAP ping.
Related:
https://pagure.io/SSSD/sssd/issue/3291
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a9a9f39342ebd26425cb1b3baedfea2429d88b04">a9a9f393</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-29T20:17:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KRB5/IPA/AD: Add a utility function to create a krb5_service instance
Each Kerberized provider used hand-crafted copy-paste code to set up its
copy of the krb5_service structure. Instead of adding yet another copy in
this patchset in the IPA subdomains code, create a utility function instead.
Due to IPA provider first creating the krb5_service in the common setup
function, but only later reading the auth options in the auth provider
constructor, the code first uses the default true value for the use_kdcinfo
flag and then overrides it with the configured value in the auth constructor
-- it would be preferable to create the structure with the right value at
creation time, but this would require bigger refactoring. Also, the code
before this change was even less correct as the flag was initially set to
"false" due to the structure being allocated with talloc_zero(). At least
now it uses the default value.
Related:
https://pagure.io/SSSD/sssd/issue/3291
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8971399c872c21769d5c62cf753c5f9df4caf8cb">8971399c</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-29T20:17:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KRB5: Allow writing multiple addresses to the kdcinfo plugin
Turns the previous write_krb5info_file() function into a static function
that writes whatever input it receives. Adds a wrapper around it that
accepts a list of strings, turns that into a newline-separated string
which is then passed to the original function.
Related:
https://pagure.io/SSSD/sssd/issue/3291
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1cce549e0f88f4873c320577d6213dcaeb08766f">1cce549e</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-29T20:17:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA: Add the options that the IPA subdomains code will read for trusted domains on the client
With this patchset, IPA clients will read and evaluate the ad_server and
ad_site options. This patch just adds the required structures for later
usage.
Related:
https://pagure.io/SSSD/sssd/issue/3291
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/18b7f0a30b4745b7d61b3e599e5fb8cd399c23f3">18b7f0a3</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-29T20:18:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA: Populate kdcinfo files on trust clients with configured AD servers
Resolves:
https://pagure.io/SSSD/sssd/issue/3291
Adds a new request into the IPA subdomains provider. This request runs on
IPA clients only.
The request looks into the configuration for either the ad_site or ad_server
options for each subdomain. If none are found, the subdomain is skipped.
If either is found, the request resolves the server names, or first the
site and then the server names from the site and writes their addresses
to the kdcinfo files for each subdomain. This allows programs such as
kinit but also SSSD's krb5_child to use the configured servers.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/014e7d8ab6aa4cf3051764052326258230c0bc86">014e7d8a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-06-29T20:18:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Document the options available for AD trusted domains
Related:
https://pagure.io/SSSD/sssd/issue/3291
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/13c8450788a429fa49ba532b40ebfd7f3a4132e4">13c84507</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-06-29T20:18:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: consider resource_groups in PAC as well
With recent versions of Active Directory the SIDs of Domain Local groups
might be only available in the resource_groups section of the PAC, this
feature is also called SID compression. To get a complete list of groups
the user is a member of the SIDs from this section must be extracted as
well.
Resolves https://pagure.io/SSSD/sssd/issue/3767
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/72099c320a02b5ce1941947a572e210afd849d7c">72099c32</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-07-09T20:12:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: make create_ipa_preauth_indicator() public as create_preauth_indicator()
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d724ea3c21de7d29a8910a217efa88e93b329129">d724ea3c</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-07-09T20:12:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PAM: create pre-auth indicator file
If pam_cert_auth is enabled the PAM responder will automatically create
the pre-authentication indicator file to tell pam_sss to do the pre-auth
step to find out about the available authentication methods.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c8d1c1b734a1763b3e1233f060cc5c8d6db078e9">c8d1c1b7</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:23:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SDAP: Detect schemaNamingContext from the rootDSE
Whether an attribute is replicated to the Global Catalog or not can be
detected by checking the value of the isMemberOfPartialAttributeSet
attribute:
https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-ismemberofpartialattributeset
This attribute is present in all objects with the objectClass
attributeSchema in AD:
https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes
And finally, the attributeSchema objects in AD are present in a schema
naming context. The schema naming context is replicated to all DCs in the
forest even though their own naming context might be different:
https://docs.microsoft.com/en-us/windows/desktop/ad/naming-contexts-and-partitions
Where the schema naming context is located is given by the
schemaNamingContext attribute of the rootDSE.
This patch is trivial on its own and just reads schemaNamingContext from
the rootDSE and stores it in the sdap_options structure for later use.
Related:
https://pagure.io/SSSD/sssd/issue/3755
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ba96e7b839b875946f03787a3a57f259230a0fef">ba96e7b8</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:24:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Add Global Catalog usability check in subdomain code by looking at the schema
Adds a new tevent request which checks for the presence of uidNumber
and gidNumber under the schema naming context, which is typically
cn=schema,cn=configuration,$BASEDN. For both objects representing each of
the attributes, the isMemberOfPartialAttributeSet attribute is requested. If
this attribute is set to TRUE, then the attribute corresponding to this
schema object had been replicated to the Global Catalog.
Because the isMemberOfPartialAttributeSet is not replicated to the GC
itself, we use the LDAP connection for the search.
Related:
https://pagure.io/SSSD/sssd/issue/3755
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4273ac0490eeef72d2daa0c7f6cee80d65b6b34d">4273ac04</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:24:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Remove the legacy check from ad_get_account_domain_posix_check request
Previously, the POSIX attribute presence check was run as part of the ID
request, so it was necessary to also run the check as part of the
get-domain-for-ID request.
Since moving the POSIX check to being a part of the subdomain provider,
this is no longer needed as the subdomain provider disables the GC
support on its own if required. Therefore we can just remove the POSIX
check from the get-domain-for-ID request.
Related:
https://pagure.io/SSSD/sssd/issue/3755
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8d78119811e2572bb1a05da5abb7c5a2d43d1f97">8d781198</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:24:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP/AD: Remove the legacy POSIX check from user, group and enumeration searches
This code is superseded by the POSIX check in the subdomains provider.
Related:
https://pagure.io/SSSD/sssd/issue/3755
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5b2b6493dfb3c1f2cb945356e34c70d8c5d64185">5b2b6493</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:24:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Remove the legacy POSIX check itself
This code is no longer needed now.
Related:
https://pagure.io/SSSD/sssd/issue/3755
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4991e467c59cb1646c957f0037016a71c2fbc1bc">4991e467</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:33:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo testcli: Use hand-crafted JSON for output so that the test CLI is usable in tests
The sudo testcli tool can be handy in tests, but currently its output is
hard to process from a program. This patch makes the tool print a JSON
output instead, which will make it more usable.
Related:
https://pagure.io/SSSD/sssd/issue/3596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/074a9ea7b443b25bf27b4cf8e647a3e9b11363d8">074a9ea7</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:33:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Load the sudo schema in the default OpenLDAP test instance and create ou=sudoers
This will allow us to store sudo entries in our OpenLDAP test instances.
Related:
https://pagure.io/SSSD/sssd/issue/3596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b14cb238c5fe737c33e271f8ca5bef8f8c6e0238">b14cb238</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:33:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add API to add sudo rules in tests
Actually adds an API that allows the programmer to store sudoRole
objects in LDAP.
Related:
https://pagure.io/SSSD/sssd/issue/3596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5d838e13351d3062346ca449e00845750b9447da">5d838e13</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:33:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add a simple sudo LDAP test
Adds the most basic SUDO LDAP test that makes sure a user specified in
a sudo rule can execute sudo and a user not specified cannot.
Related:
https://pagure.io/SSSD/sssd/issue/3596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e75601bfe8475e4c1f821255a3f80c0a5d30f2be">e75601bf</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-10T11:33:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SUDO: Don't save duplicates when saving qualified names
The sudoUser attribute which is part of the sudo rule can contain any
name that sudo can parse on the LDAP side. Internally, however, the
attribute is always qualified with the name of the SSSD domain.
This patch makes sure that if two or more sudoUser attributes contain
the same name in both qualified and an unqualified form, the rule is
actually saved. Previously, the rule would have failed to be saved and
the sysdb sudo code would have errored out with EEXIST.
Resolves:
https://pagure.io/SSSD/sssd/issue/3596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ded46b7b7bea7ed6454adca2179e2347609a3321">ded46b7b</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-10T11:41:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">files: do not apply override_homedir to files provider
override_homedir should not be applied to files provider as the provider
should always return *only* what's in the files and nothing else.
Resolves:
https://pagure.io/SSSD/sssd/issue/3758
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/3b19518f18f59cc4fe23625ccfbede62992ef172">3b19518f</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-10T11:41:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add override_homedir tests for files provider
Resolves:
http://pagure.io/SSSD/sssd/issue/3758
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/241594613f3ef3b428851a7866905e41c967b893">24159461</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-10T11:42:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">files: do not apply override_shell to files provider
override_shell should not be applied to files provider as the provider
should always return *only* what's in the files and nothing else.
Resolves:
https://pagure.io/SSSD/sssd/issue/3758
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/fe48bc32d11743a6302d2a97d4120d787e68e37d">fe48bc32</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-10T11:42:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add override_shell tests for files provider
Resolves:
https://pagure.io/SSSD/sssd/issue/3758
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/024c1b3ae419791b2382db97c1a3d4ceca3ad3cd">024c1b3a</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-10T11:42:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util: add is_files_provider() helper
In a bunch of different places we end up checking whether the domain's
provider is the "files" provider or not.
Let's just add some helper function to standardize the checks.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2373df99b9ff166bcbdb0c69fe5e28bd32ea43bf">2373df99</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-10T11:42:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">files: make use of is_files_provider() helper
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f0b4d482e370f08521003fcf43abef5089ac27e9">f0b4d482</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-12T07:18:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cache_req: keep the files provider as the first domain to be searched
Currently we can't guarantee any order on which domain will be the first to
be searched. More than that, in case domain_resolution_order is set, we
actually enforce that the first domain searched will respect the option
set.
This behaviour is not exactly what is expected, as the implicit files domain
has to be searched first in order to avoid querying for local users in
remote domains. In order to enforce this, let's just keep the files
domain as the first to be searched, always!
Resolves:
https://pagure.io/SSSD/sssd/issue/3768
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c07469f7e204038d3b300b285c4ab3992213e02f">c07469f7</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-12T07:19:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order()
Related:
https://pagure.io/SSSD/sssd/issue/3768
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0052abe2cb5a16dd105bfcaaaf691d5c389bcb62">0052abe2</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-12T07:19:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add a test to ensure the output_fqnames is false for files provider
Related:
https://pagure.io/SSSD/sssd/issue/3743
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/90378d31a641ae2e80515724954b8660523d8aa7">90378d31</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-12T07:20:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">crypto: Silence a Coverity warning in OpenSSL version of sss_hmac_sha1()
It looks like the case where the key_len was exactly 64 was confusing
Coverity. The trace looks like this:
2. Condition key_len > 64, taking false branch.
3. cond_at_most: Checking key_len > 64UL implies that key_len may be up to 64 on the false branch.
49     if (key_len > HMAC_SHA1_BLOCKSIZE) {
50         /* keys longer than blocksize are shortened */
51         if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) {
52             ret = EIO;
53             goto done;
54         }
55
56         EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len);
57         EVP_DigestFinal_ex(ctx, ikey, &res_len);
58         memset(ikey + SSS_SHA1_LENGTH, 0, HMAC_SHA1_BLOCKSIZE - SSS_SHA1_LENGTH);
59     } else {
60         /* keys shorter than blocksize are zero-padded */
61         memcpy(ikey, key, key_len);
CID 18054 (#1 of 1): Out-of-bounds read (OVERRUN)
4. overrun-local: Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer ikey + key_len. [Note: The source code implementation of the function has been overridden by a builtin model.]
62         memset(ikey + key_len, 0, HMAC_SHA1_BLOCKSIZE - key_len);
63     }
I think this is a false positive because then HMAC_SHA1_BLOCKSIZE-key_len
will be 0, so ikey+key_len will not be dereferenced at all, but let's be
helpful to Coverity and make sure the branch is not evaluated at all if
key_len == HMAC_SHA1_BLOCKSIZE.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ad10153f537e7d8312bb2c09968317a36cf9ad03">ad10153f</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-12T07:20:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">crypto: Make one condition more defensive in NSS version of sss_hmac_sha1()
This makes the code more robust in case the if-block is moved to some
other place without the 'if (key_len > HMAC_SHA1_BLOCKSIZE)' check
before.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6ced87849aba81676eae77de05f96ab32528cd1a">6ced8784</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-13T06:53:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries
If SSSD is searching for a user using a name-based filter in an
environment that uses nested OUs or sub domains, it is expected the
search can return two or more entries. The correct entry is then matched
using the domain name.
But the error message was confusing admins, because it simply said
"Expected one entry, found %d". This patch softens this error message
and rewords the message in case the matching fails.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/efd6702e5f70bb3df0f840dd3ce9f8f9264661ba">efd6702e</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-13T06:53:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">deskprofile: don't bail if we fail to save one profile
Due to different reasons (a bug on fleet-commander, for instance?) we
may face the situation where one profile ends up stored in freeipa on a
half-broken state (with no data, for instance).
In case it happens, we should try our best to save the not broken
profiles and just skip the broken ones instead of bailing the whole
operation.
Resolves:
https://pagure.io/SSSD/sssd/issue/3773
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0648053a7c99de5148c4cffea68c47a3f660303d">0648053a</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-07-19T14:08:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa provider: always use a special keytab to talk to a trusted DC
When FreeIPA is set up to trust an Active Directory forest, we should be
using trusted domain object credentials regardless of the trust
direction. Previously, SSSD relied on FreeIPA KDC issuing a cross-realm
referral towards a trusted domain. However, this does not work
currently with Samba AD and in general we want to move away to use
TDO in all cases as it is guaranteed to have correct permissions on AD
side.
Signed-of-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/14faec9cd9437ef116ae054412d25ec2e820e409">14faec9c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-07-19T14:08:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa provider: expand search base to cover trusted domain objects
In case of a trust between FreeIPA and an Active Directory, domain
controller would use a TDO object in the trusting domain to
authenticate. Due to how trusted domain objects are used in Active
Directory, a domain controller from the trusted domain either synthesize
a Kerberos ticket without MS-PAC or would use NTLMSSP to authenticate.
On IPA master smbd process will attempt to validate successfully
authenticated TDO principal by looking at its MS-PAC structure, only to
find it is missing. As result, smbd will revert to a direct getpwnam()
to see if this user exists on the system.
Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they
couldn't be found by SSSD which uses cn=accounts,$SUFFIX by default. Add
a search base to look up cn=trusts,$SUFFIX to allow TDO objects to be
queried.
On FreeIPA side access controls are put in place so that only AD trust
agents are able to see a content of the cn=trusts,$SUFFIX subtree.
Signed-of-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ececbf9cd64f69c61ae21db571d4cd4e970ffdbf">ececbf9c</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:00:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_seed: Remove unused parameter from seed_domain_user_info
The last usage was removed in the commit
6181113ea79806a414aadc580e6e241a6b317763
Merges: https://pagure.io/SSSD/sssd/pull-request/3784
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4900b8e59bdbb89fbc1c9718969aabe26f3db34a">4900b8e5</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:22:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SUDO: Fix running in unprivileged responder
There are strict checks for private sockets which do not work with
unprivileged responder
Resolves:
https://pagure.io/SSSD/sssd/issue/3778
Merges: https://pagure.io/SSSD/sssd/pull-request/3784
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/21ea8204a0bd8ea4451f420713e909d3cfee34ef">21ea8204</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:22:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SUDO: Root should be able to read/write sssd-sudo socket
There is not any reason to require additional capabilities from root
when sssd is running as unprivileged user.
Sudo UNIX socket is not a real private socket. It just cannot
be used by others. Just owner(sssd) and root should be able to use it.
Resolves:
https://pagure.io/SSSD/sssd/issue/3778
Merges: https://pagure.io/SSSD/sssd/pull-request/3784
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7fbee7903622a625ce8bc562096e0c746a6facf2">7fbee790</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:25:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: Drop unnecessary check for minor version of el7
CentOS 7.5.1804 was released more than 2 months ago
https://blog.centos.org/2018/05/centos-7-5-1804-released/
So we can drop checks for minor versions of el7. They were used
to distinguish between released and development versions and to use
new optional features.
Merges: https://pagure.io/SSSD/sssd/pull-request/3783
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/08ae90af3f8f3fda6595d0d64518a40447d2a857">08ae90af</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:27:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_ssh_client: Do not ignore failure from read
Merges: https://pagure.io/SSSD/sssd/pull-request/3782
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7326b52dbe91f0b7d58480e1f105782db6747806">7326b52d</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:29:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: Move openssl deps away from unit tests deps
We should install openssl build dependencies even though we do not want
to run/install dependencies for unit tests
Merges: https://pagure.io/SSSD/sssd/pull-request/3781
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2a3f24955ab696270d3acc831de81bedf18afb98">2a3f2495</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:32:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PYTHON: Avoid warnings with python3.7
src/python/pysss.c: In function 'PyList_AsStringList':
src/python/pysss.c:60:17: warning: assignment discards 'const'
qualifier from pointer target type [-Wdiscarded-qualifiers]
itemstr = PyUnicode_AsUTF8AndSize(item, &itemlen);
^
src/python/pyhbac.c: In function 'str_concat_sequence':
src/python/pyhbac.c:252:14: warning: assignment discards 'const'
qualifier from pointer target type [-Wdiscarded-qualifiers]
part = PyUnicode_AsUTF8(item);
^
The result of PyUnicode_AsUTF8AndSize() and PyUnicode_AsUTF8() is now
of type const char * rather of char *. (Contributed by Serhiy
Storchaka in bpo-28769.)
https://docs.python.org/3.7/whatsnew/3.7.html
https://bugs.python.org/issue28769
Merges: https://pagure.io/SSSD/sssd/pull-request/3780
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7b25811b7f204d66c0c9f1943a84bc0b840fa266">7b25811b</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:53:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: Move secrets responder to the package sssd-kcm
The sssd secrets responder is used mainly by sssd-kcm and it is not
used by any service which is in the sub-package sssd-common.
Therefore it makes more sense to have secrets responder in the package
sssd-kcm and reduce dependencies of sssd-common package
(http-parser, jansson)
Note: libcurl is installed anyway on fedora due to other dependencies
Merges: https://pagure.io/SSSD/sssd/pull-request/3714
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/950558628b1f68df35e58e3a9f21eda185772ec7">95055862</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T20:55:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: Do not build python2 bindings on latest distros
Merges: https://pagure.io/SSSD/sssd/pull-request/3708
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7ddbcd8face721c76975cc329c7ce3a227c0b0c9">7ddbcd8f</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T21:01:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Replace also runstatedir in templates
It will be used in systemd socket files
Merges: https://pagure.io/SSSD/sssd/pull-request/3691
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f64e958725060cd4ac38526243dab13a323c088c">f64e9587</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-07-25T21:01:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSTEMD: Allow to use "/run" in ListenStream
/var/run is only symbolic link to /run on some distributions
and /run is mounted on tmpfs
sh-4.4$ ls -l /var/run
lrwxrwxrwx. 1 root root 6 Dec 12 2015 /var/run -> ../run
Previously, we used $(localstatedir)/run in ListenStream
which does not allow to use "/run" because we still need to
store some files in under $(localstatedir) (/var).
Autoconf 2.70 will add new configure time option --runstatedir
for configuring runstatedir. ATM, we use just fallback implementation
where $(runstatedir) is set to $(localstatedir)/run
Merges: https://pagure.io/SSSD/sssd/pull-request/3691
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/26db9658ba5721b3ad1172a2dfce2030dbaceb5b">26db9658</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-07-26T09:26:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESP: Terminate client connection if the permissions check on the priv pipe fails
Resolves:
https://pagure.io/SSSD/sssd/issue/3777
The responder code just returned in case the permissions check failed.
But at least with the sudo responder, this just caused an endless loop.
If the permission check fails, it's best to just abort the client.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/954bf82b60b7cfd93b865a6618f155d042b15729">954bf82b</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-26T09:27:03Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sdap: respect passwordGracelimit
Since recent changes in 389-ds two response controls are sent when
passwordGracelimit is set and about to expire:
- [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself
- [2.16.840.1.113730.3.4.4] for the PasswordExpired
Whenever the former is returned and the GraceLimit is still valid, we
shouldn't report the latter to the users.
Resolves:
https://pagure.io/SSSD/sssd/issue/3597
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6d154a07bc7f7fdede0f33dc9ec8d5accb771bcb">6d154a07</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-26T09:27:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">deskprofile: fix a typo in _get_filename_path()
There's a typo in the matrix of profiles (based in the priority set)
which ended up saving the 10th priority with a wrong name.
Resolves:
https://pagure.io/SSSD/sssd/issue/3774
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/965e1f4f34c98d12b7cb6187a394d61f24ffe7f8">965e1f4f</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-26T09:27:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: add tests for ipa_deskprofile_get_filename_path()
Related:
https://pagure.io/SSSD/sssd/issue/3774
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/dbb1abae6eaa9df24f61e3a9f855e2461a66a197">dbb1abae</a></strong>
<div>
<span>by Josef Cejka</span>
<i>at 2018-07-30T19:55:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Strip whitespaces in netgroup triple.
Strip leading and trailing whitespaces from netgroup three-tuple
strings to be compatible with nss_ldap.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/49bb452049e352655af3bcb354e58e7ee9646274">49bb4520</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-30T20:01:39Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util: introduce sss_ssh_print_pubkey()
This function will be used to print the public keys, as already done in
sss_ssh_authorizedkeys.c.
Related:
https://pagure.io/SSSD/sssd/issue/3542
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b1141e4141213a43d38d1d22a501a589a7a94956">b1141e41</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-30T20:01:43Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ssh: make use of sss_ssh_print_pubkey()
Related:
https://pagure.io/SSSD/sssd/issue/3542
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/36f2fe8f6306df3b5495f34110280d0d6133d7b0">36f2fe8f</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-07-30T20:01:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_ssh_knownhostsproxy: add option to only print the pubkey
Related:
https://pagure.io/SSSD/sssd/issue/3542
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f1c2d4139b6107ee3e9bec0cbe5bf8c2ea8428b2">f1c2d413</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-07-30T20:07:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MC: Remove check if record is in the mapped address space
There is a check in the memory cache code that checks if a record pointer
points to the mmapped region. But since some time ago, we return not
a pointer to the mmapped region itself, but a copy to avoid issues with
invalidating an entry while the same entry is being returned.
In most cases, the check is correct, simply because of how memory is laid
out on Linux, but in some cases the check was failing and causing a high
load of SSSD.
Signed-off-by: Jakub Hrozek <jhrozek@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3776
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/bb20d5160faed5e0076887ac4a83e550be15a8b2">bb20d516</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2018-07-30T20:22:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "CRYPTO: Suppress warning Wstringop-truncation"
This reverts commit 2951a9a84bd85f384213a3e071ffc167907df2d7.
The original use of stpncpy was correct. Changing it to memcpy
changed the resulting hash. This resulted in users from
local domain to not be able to authenticate (offline
authentication was also probably broken) if their hash was
created before this change.
https://pagure.io/SSSD/sssd/issue/3791
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cd28ef7c66ba393ee7c20e99064668cd8d588883">cd28ef7c</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-08-02T10:21:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "Revert "CRYPTO: Suppress warning Wstringop-truncation""
This reverts commit bb20d5160faed5e0076887ac4a83e550be15a8b2.
The patch introduced compile time warning
src/util/crypto/libcrypto/crypto_sha512crypt.c:280:10: error: 'stpncpy'
output truncated before terminating nul copying 3 bytes from a string
of the same length [-Werror=stringop-truncation]
cp = stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Merges: https://pagure.io/SSSD/sssd/pull-request/3792
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f62d2af0c270a4f6143264a6cf3ce618f4a9ba80">f62d2af0</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-08-02T10:22:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CRYPTO: Save prefix in s3crypt_sha512
Since commit 2951a9a84bd85f384213a3e071ffc167907df2d7 where we switched from
stpncpy to memcpy the salt prefix "$6$" is not stored at all.
This broke offline authentication if someone upgraded from old version
that stored the prefix to one that doesn't store it.
Resolves:
https://pagure.io/SSSD/sssd/issue/3791
Merges: https://pagure.io/SSSD/sssd/pull-request/3792
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8e1576b1ce7548530bba6efaa43b321d70707a1d">8e1576b1</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-08-02T10:22:06Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">crypto-tests: Add unit test for s3crypt_sha512
Resolves:
https://pagure.io/SSSD/sssd/issue/3791
Merges: https://pagure.io/SSSD/sssd/pull-request/3792
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a76f96ac143128c11bdb975293d667aca861cd91">a76f96ac</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2018-08-02T10:22:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSS_CERT: Close file descriptors after executing p11_child
We can call cert_to_ssh_key_step from cert_to_ssh_key_done and thus
p11_child can be executed more times. We created pipes for each call
but destructor for state->io can close just last one.
It's better to manually close pipes with macro PIPE_FD_CLOSE.
That macro sets the file descriptor to -1 and destructor will not try
to close them 2nd time. Destructor will cover just edge cases.
Merges: https://pagure.io/SSSD/sssd/pull-request/3793
Resolves:
https://pagure.io/SSSD/sssd/issue/3794
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a41367f7b6925d9fbb87b8428de4d406e5a50bd1">a41367f7</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2018-08-09T07:06:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix "test-find-uid" and "find_uid-tests" tests
Handle a "hidepid=1" mount option for procfs. One of the effects - this
option makes impermissible non own pid subdirectories on /proc.
Resolves:
https://pagure.io/SSSD/sssd/issue/3789
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1e81d040c75b2b15cab48fb7df1041138747e6c3">1e81d040</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-08-09T07:07:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELINUX: Also call is_selinux_enabled as a check for selinux child
Resolves:
https://pagure.io/SSSD/sssd/issue/3796
The SSSD selinux management routines were only checking if SELinux is
managed on the system. If it is managed, the code tries to proceed and
set the login context, otherwise an error is returned which SSSD handles
gracefully.
But this is not enough, in some cases SELinux might be disabled, but
managed and in these cases SSSD was returning strange errors, which
might have prevented login with selinux provider in effect.
We got this hint from the RH SELinux maintainer:
"""
libsemanage is for managing SELinux infrastructure. generally if there's
/etc/selinux/config where libsemanage can read SELINUXTYPE and SELinux
module store - /etc/selinux/<SELINUXTYPE>/active (or
/var/lib/selinux/<SELINUXTYPE>/active) - is available, libsemanage can
manage it even when SELinux is disabled.
I'm not sure if selinux_child does any is_selinux_enabled() checks but
it could help to avoid such situations.
"""
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4937f2c68ae2fc1bbd398aa35ad7845c896e4ff4">4937f2c6</a></strong>
<div>
<span>by Alexey Sheplyakov</span>
<i>at 2018-08-09T15:20:25Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: skip incomplete groups instead of bailing out
Suppose the user U is a member of (AD) groups D1\A, D1\B, D2\X, and no
domain controllers in the domain D2 can be reached at the moment (and
there are no cached info). As of now initgroups won't assign any groups
at all. To improve the behavior skip the incomplete groups so initgroup
assigns at least some groups (D1\A, D1\B in the above example).
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e8b417e80de6110b37f1672883cb48e03690cbdf">e8b417e8</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2018-08-10T15:26:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: remove unused label
After 4937f2c6, Sumit noticed the following warning/breakage:
make[2]: Leaving directory '/home/sbose/sssd/master_build/src/man'
Making check in .
make[2]: Entering directory '/home/sbose/sssd/master_build'
CC src/responder/nss/nss_protocol_grent.o
../src/responder/nss/nss_protocol_grent.c: In function 'nss_protocol_fill_initgr':
../src/responder/nss/nss_protocol_grent.c:409:1: error: label 'done' defined but not used [-Werror=unused-label]
done:
^~~~
cc1: all warnings being treated as errors
Makefile:17808: recipe for target 'src/responder/nss/nss_protocol_grent.o' failed
make[2]: *** [src/responder/nss/nss_protocol_grent.o] Error 1
make[2]: Leaving directory '/home/sbose/sssd/master_build'
Also, while removing the label, by moving the error treatment to the if
block just before the existing one makes the code cleaner.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7225bab5af2503f2bdb35c063cf8284fab822819">7225bab5</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-08-10T15:27:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">P11: Don't return int failure from a bool function
The functions return bool as per their prototype, but returning EINVAL
on failure meant that EINVAL (typically 22) was converted to 'true', so
a certificate that was not processable was considered valid.
Luckily this code only converts certificates into SSH public keys, so
there are no security implications.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
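<p>The bug class described in the commit message above, shown as an added example that is not SSSD's code: the function names and the DER tag check are hypothetical stand-ins, and the byte strings are constructed sample input.</p>

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for "can this certificate blob be processed?".
 * A DER-encoded X.509 certificate starts with a SEQUENCE tag (0x30);
 * only that outer tag is checked here. */

/* Buggy pattern: the prototype says bool, the failure path returns errno. */
bool cert_usable_buggy(const unsigned char *der, size_t len)
{
    if (der == NULL || len < 2 || der[0] != 0x30) {
        return EINVAL;  /* nonzero int is converted to true */
    }
    return true;
}

/* Fixed pattern: failure is reported as false, matching the prototype. */
bool cert_usable_fixed(const unsigned char *der, size_t len)
{
    if (der == NULL || len < 2 || der[0] != 0x30) {
        return false;
    }
    return true;
}

typedef bool (*cert_check_fn)(const unsigned char *, size_t);

/* Run a checker over three constructed inputs; return how many it accepts. */
size_t count_accepted(cert_check_fn check)
{
    static const unsigned char good[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };
    static const unsigned char junk[] = { 0xff, 0x00, 0x41 };
    size_t n = 0;

    n += check(good, sizeof(good)) ? 1 : 0;  /* well-formed outer tag */
    n += check(junk, sizeof(junk)) ? 1 : 0;  /* wrong tag */
    n += check(NULL, 0) ? 1 : 0;             /* no data at all */
    return n;
}

int main(void)
{
    printf("buggy accepts %zu of 3\n", count_accepted(cert_usable_buggy));
    printf("fixed accepts %zu of 3\n", count_accepted(cert_usable_fixed));
    return 0;
}
```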
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/da9e34e36a43450fc0c5eb7ace76bc716419f620">da9e34e3</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2018-08-10T15:28:08Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: fix sss_nss_idmap-tests
If sss_nss_idmap-tests is compiled with -Wl,-Bsymbolic-functions it
fails because sss_nss_make_request_timeout() is not properly wrapped but
the test expects that the replacement call it provides is picked by the
linker and not the original function.
This patch wraps the call in the corresponding test library. As a
consequence a small helper function had to be added to make dlopen-tests
pass for the test library as well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3801
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Andreas Hasenack <andreas.hasenack@canonical.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/61c515aa8484bdbcf2f4bc63c7032ade1c6ec06f">61c515aa</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2018-08-12T13:21:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updating translations for the 1.16.3 release
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9d3189a1730672e532773f41cdb55c367b62bbaf">9d3189a1</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-08-22T10:00:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">libsss-sudo: Add sss entry to nsswitch only on initial install. (Closes: #903917)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/57ce315e2e39eb39ba6dcb84f588f32632374584">57ce315e</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-08-22T10:02:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'upstream'
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4065a8b4cdb271788220e2ec9be797ff82ba5394">4065a8b4</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-08-22T10:05:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9617acb3f1ea6e4d8d0a13755c70e27fa31dde1b">9617acb3</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-08-22T10:11:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Update list address.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/bbefb69c2e585c4e048109b76b02d46085024e08">bbefb69c</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-08-22T13:33:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">disable-tests.diff: Dropped, all tests pass on a proper buildd setup which should have /etc/{hosts,networks} populated.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/725f6dd2f4cfe614ca6cfa2d254f4cbaeb7610c7">725f6dd2</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2018-08-22T13:34:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package sssd version 1.16.3-1
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#b8d57aa4a09effcbac8deeffe8aea9131499424f">
contrib/sssd.spec.in
</a>
</li>
<li class="file-stats">
<a href="#9c96da0e9f91d7d8937b69b524702c106258f0d1">
debian/changelog
</a>
</li>
<li class="file-stats">
<a href="#58ef006ab62b83b4bec5d81fe5b32c3b4c2d1cc2">
debian/control
</a>
</li>
<li class="file-stats">
<a href="#cf1958edff7d90437414d9182312325a382ceaba">
debian/libsss-sudo.postinst
</a>
</li>
<li class="file-stats">
<a href="#3c79d5a174fc206a6ec67a839971164e0d31221d">
<span class="deleted-file">
−
debian/patches/disable-tests.diff
</span>
</a>
</li>
<li class="file-stats">
<a href="#bc34014ab4b9a49dd7a27bdd8d352912607c3a96">
debian/patches/series
</a>
</li>
<li class="file-stats">
<a href="#4e573a66c66b45b45a1e180cad791738ed22cdd2">
po/bg.po
</a>
</li>
<li class="file-stats">
<a href="#b91599a7e7dcdfc93152518865a9d894acfe41c9">
po/ca.po
</a>
</li>
<li class="file-stats">
<a href="#8133f48bcd872819f4d7310d09b4ef30a26831b0">
po/de.po
</a>
</li>
<li class="file-stats">
<a href="#bf0ecd6fd82096852700283e68fd723ccfe57871">
po/es.po
</a>
</li>
<li class="file-stats">
<a href="#804f8c75d12ae05ad9351001530d8575e03a169d">
po/eu.po
</a>
</li>
<li class="file-stats">
<a href="#09aa9a4cf22de79302d7cefe7d280b7235f787c7">
po/fr.po
</a>
</li>
<li class="file-stats">
<a href="#1ea4eac30921a4a13fc7be0b323144e189daec70">
po/hu.po
</a>
</li>
<li class="file-stats">
<a href="#cbd0a16c6ab85833ae5892982bc57d68cc315864">
po/id.po
</a>
</li>
<li class="file-stats">
<a href="#327aa0bc550fa884acca79a3295e722b622f7559">
po/it.po
</a>
</li>
<li class="file-stats">
<a href="#5c873de36a1b57f9c8b16c7fb9cd64292a431fb2">
po/ja.po
</a>
</li>
<li class="file-stats">
<a href="#088da71e4e8eddb438a4704013c74671ac837fe3">
po/nb.po
</a>
</li>
<li class="file-stats">
<a href="#c54e8255699d35fd83cf0c4800a6cf1fe45533d9">
po/nl.po
</a>
</li>
<li class="file-stats">
<a href="#74adca948cd9fddf7f9644856d4988126ffe9601">
po/pl.po
</a>
</li>
<li class="file-stats">
<a href="#7a488413e07158a724225892439d611e4ba28ba0">
po/pt.po
</a>
</li>
<li class="file-stats">
<a href="#160f60c3dd59b978e505eccda1925dc3923a1d71">
po/pt_BR.po
</a>
</li>
<li class="file-stats">
<a href="#2316433971b53f8a58c69a9c3ce650787e35b3c0">
po/ru.po
</a>
</li>
<li class="file-stats">
<a href="#0d4e896bfdd3ddb2a1208357455cc9d994cf5a94">
po/sssd.pot
</a>
</li>
<li class="file-stats">
<a href="#4a5c1cf4e30bce97baf810ad306a537239e2c52e">
po/sv.po
</a>
</li>
<li class="file-stats">
<a href="#172b5ede9463bce50719ca3fba867887ecdaa56c">
po/tg.po
</a>
</li>
<li class="file-stats">
<a href="#cf4f0b0dadc52f5cd0dfbc7af6bc3ca27ba42355">
po/tr.po
</a>
</li>
<li class="file-stats">
<a href="#b51f8cbe35a8772efe6f023fc1673b635dca1f80">
po/uk.po
</a>
</li>
<li class="file-stats">
<a href="#649f57c2c27e08866163cb3bc5d7709242509a33">
po/zh_CN.po
</a>
</li>
<li class="file-stats">
<a href="#9073c7a6a45185a5d8109b9db2583c3a6ebb6fc0">
po/zh_TW.po
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/sssd-team/sssd/compare/b41c0f81c6dcc672636220c46ed3d52f3b69ba7c...725f6dd2f4cfe614ca6cfa2d254f4cbaeb7610c7">View it on GitLab</a>.
</p>
</div>
</body>
</html>