<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/sssd-team/sssd">Debian SSSD packaging / sssd</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/3ee29f4b5873102660555223d4de1ab255142b80">3ee29f4b</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-06-13T20:51:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updating the version for the 2.2.1 release
Reviewed-by: N/A
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6839e6720a84bd4127efc15ed1b0b974794b30ae">6839e672</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-06-17T10:59:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/crypto/libcrypto: changed sss_hmac_sha1()
Changed libcrypto/sss_hmac_sha1 implementation to be FIPS140 compliant.
Resolves: https://pagure.io/SSSD/sssd/issue/4022
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0b210838e46302493e920fab080101b7f54c8b94">0b210838</a></strong>
<div>
<span>by Niranjan M.R</span>
<i>at 2019-06-17T18:37:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Test kvno correctly displays vesion numbers of principals
Multihost tests for: https://pagure.io/SSSD/sssd/issue/3757.
Signed-off-by: Niranjan M.R <mrniranjan@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1ea7e770843942046c32317706f3b64a66cfea56">1ea7e770</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-06-18T19:29:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: disable timeout
There is a bug in jenkins [1] which causes to include the time a job is
waiting for an available executor is added to the complete execution time.
As a consequence a job may time out without actually started because it
did not get the executor in time.
Therefore we disable the timeout completely. We can abort it manually if
a job hangs for some reason. The job always finished so far but many jobs
were aborted because they were waiting for an executor for a long time.
[1] https://issues.jenkins-ci.org/browse/JENKINS-46569
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2a53df35458fbc25e96e175b95ff49b511f50dae">2a53df35</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-06-18T19:31:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Install expect to drive password-change modifications
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/71ae2eda2fb82306c81cf67753d2d6c5669284af">71ae2eda</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-06-18T19:32:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Also add LDAP password when creating users
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7ad11b2898925cd65fc145955063c6669814b7d5">7ad11b28</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-06-18T19:32:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Test changing LDAP password with extended operation and modification
A test for:
https://pagure.io/SSSD/sssd/issue/1314
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6925b9cdcec42c62c65c55ee8cb23e40abfd7dde">6925b9cd</a></strong>
<div>
<span>by Yuri Chornoivan</span>
<i>at 2019-06-18T19:37:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix minor typos in docs
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/01ea70fa8cc91f05a726d1dea3c64bd776dc3517">01ea70fa</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-06-20T18:33:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: ldap_user_home_directory default missing
The default value of "ldap_user_home_directory" is "homeDirectory"
but for AD provider it is "unixHomeDirectory"
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1673443
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/dfa50c2141fe5e9c63721bba80e06251ab4b9cd6">dfa50c21</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-06-20T18:36:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: Add a multihost test for not returning / for an empty home dir
A multihost test for:
https://pagure.io/SSSD/sssd/issue/3901
Reviewed-by: Niranjan M.R <mrniranjan@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0a10d863f4186a18d4622e72065c8aa66b6bfa17">0a10d863</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-06-25T20:09:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MONITOR: Don't check for the nscd socket while regenerating configuration
https://pagure.io/SSSD/sssd/issue/4028
In setups where only sssd-kcm is used and not the rest of SSSD, seeing
the nscd warning might be irritating.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ee23b8e3a42f70b350f532f3599b00ca85ba191b">ee23b8e3</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-06-25T20:14:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/crypto/libcrypto: changed sss_hmac_sha1()
Implementation of sss_hmac_sha1() was changed (again) to support
broader range of OpenSSL versions.
Resolves: https://pagure.io/SSSD/sssd/issue/4026
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e7e212b49bbd357129aab410cbbd5c7b1b0965a2">e7e212b4</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-06-25T20:18:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">negcache: add fq-usernames of know domains to all UPN neg-caches
The previous patch for this issue did not handle user with
fully-qualified names from known domains correctly. Here the user was
only added to the negative cache of the known domain but not to the
negative UPN caches for all domains. This patch fixes this.
Related to https://pagure.io/SSSD/sssd/issue/3978
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e1b678c0cce73494d986610920b03956c1dbb62a">e1b678c0</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-06-28T14:51:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Return data in output parameter if everything is OK
The function remove_duplicate_group_members might return EOK also in the middle
of function but return parameter was not set with right data.
Processing continued in the function save_group but there was a
dereference of NULL pointer.
Introduced in: https://pagure.io/SSSD/sssd/issue/3931
Crash:
(gdb) bt
#0 0x00007fb4ce4a9ac5 in save_group (sysdb=sysdb@entry=0x55c9a0efb230, dom=dom@entry=0x55c9a0efb420, grp=grp@entry=0x55c9a0f370f0, real_name=0x55c9a0f47340 "nobody@ldap",
alias=alias@entry=0x0) at src/providers/proxy/proxy_id.c:748
#1 0x00007fb4ce4aa600 in get_gr_gid (mem_ctx=mem_ctx@entry=0x55c9a0f38be0, sysdb=sysdb@entry=0x55c9a0efb230, dom=dom@entry=0x55c9a0efb420, gid=99, now=<optimized out>,
ctx=<optimized out>) at src/providers/proxy/proxy_id.c:1160
#2 0x00007fb4ce4ac9e5 in get_initgr_groups_process (pwd=0x55c9a0f384a0, pwd=0x55c9a0f384a0, dom=0x55c9a0efb420, sysdb=0x55c9a0efb230, ctx=0x55c9a0f048e0, memctx=0x55c9a0f38be0)
at src/providers/proxy/proxy_id.c:1553
#3 get_initgr (i_name=<optimized out>, dom=0x55c9a0efb420, sysdb=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1461
#4 proxy_account_info (domain=0x55c9a0efb420, be_ctx=<optimized out>, data=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1659
#5 proxy_account_info_handler_send (mem_ctx=<optimized out>, id_ctx=0x55c9a0f048e0, data=<optimized out>, params=0x55c9a0f39790) at src/providers/proxy/proxy_id.c:1758
#6 0x000055c99fc67677 in file_dp_request (_dp_req=<synthetic pointer>, req=0x55c9a0f39470, request_data=<optimized out>, dp_flags=1, method=DPM_ACCOUNT_HANDLER, target=DPT_ID,
name=<optimized out>, domainname=0x55c9a0f39190 "LDAP", provider=0x55c9a0efe0e0, mem_ctx=<optimized out>) at src/providers/data_provider/dp_request.c:250
#7 dp_req_send (mem_ctx=0x55c9a0f37b60, provider=provider@entry=0x55c9a0efe0e0, domain=domain@entry=0x55c9a0f39190 "LDAP", name=<optimized out>, target=target@entry=DPT_ID,
method=method@entry=DPM_ACCOUNT_HANDLER, dp_flags=dp_flags@entry=1, request_data=0x55c9a0f37c00, _request_name=0x55c9a0f37b60) at src/providers/data_provider/dp_request.c:295
#8 0x000055c99fc6a132 in dp_get_account_info_send (mem_ctx=<optimized out>, ev=0x55c9a0eddbc0, sbus_req=<optimized out>, provider=0x55c9a0efe0e0, dp_flags=1,
entry_type=<optimized out>, filter=0x55c9a0f358d0 "name=nobody@ldap", domain=0x55c9a0f39190 "LDAP", extra=0x55c9a0f354a0 "") at src/providers/data_provider/dp_target_id.c:528
#9 0x00007fb4da35265b in _sbus_sss_invoke_in_uusss_out_qus_step (ev=0x55c9a0eddbc0, te=<optimized out>, tv=..., private_data=<optimized out>) at src/sss_iface/sbus_sss_invokers.c:2847
#10 0x00007fb4d9cfb1cf in tevent_common_invoke_timer_handler () from /lib64/libtevent.so.0
#11 0x00007fb4d9cfb339 in tevent_common_loop_timer_delay () from /lib64/libtevent.so.0
#12 0x00007fb4d9cfc2f9 in epoll_event_loop_once () from /lib64/libtevent.so.0
#13 0x00007fb4d9cfa7b7 in std_event_loop_once () from /lib64/libtevent.so.0
#14 0x00007fb4d9cf5b5d in _tevent_loop_once () from /lib64/libtevent.so.0
#15 0x00007fb4d9cf5d8b in tevent_common_loop_wait () from /lib64/libtevent.so.0
#16 0x00007fb4d9cfa757 in std_event_loop_wait () from /lib64/libtevent.so.0
#17 0x00007fb4dd955ac3 in server_loop (main_ctx=0x55c9a0edf090) at src/util/server.c:724
#18 0x000055c99fc59760 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:747
(gdb) l
(gdb) bt
#0 0x00007fb4ce4a9ac5 in save_group (sysdb=sysdb@entry=0x55c9a0efb230, dom=dom@entry=0x55c9a0efb420, grp=grp@entry=0x55c9a0f370f0, real_name=0x55c9a0f47340 "nobody@ldap",
alias=alias@entry=0x0) at src/providers/proxy/proxy_id.c:748
#1 0x00007fb4ce4aa600 in get_gr_gid (mem_ctx=mem_ctx@entry=0x55c9a0f38be0, sysdb=sysdb@entry=0x55c9a0efb230, dom=dom@entry=0x55c9a0efb420, gid=99, now=<optimized out>,
ctx=<optimized out>) at src/providers/proxy/proxy_id.c:1160
#2 0x00007fb4ce4ac9e5 in get_initgr_groups_process (pwd=0x55c9a0f384a0, pwd=0x55c9a0f384a0, dom=0x55c9a0efb420, sysdb=0x55c9a0efb230, ctx=0x55c9a0f048e0, memctx=0x55c9a0f38be0)
at src/providers/proxy/proxy_id.c:1553
#3 get_initgr (i_name=<optimized out>, dom=0x55c9a0efb420, sysdb=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1461
#4 proxy_account_info (domain=0x55c9a0efb420, be_ctx=<optimized out>, data=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1659
#5 proxy_account_info_handler_send (mem_ctx=<optimized out>, id_ctx=0x55c9a0f048e0, data=<optimized out>, params=0x55c9a0f39790) at src/providers/proxy/proxy_id.c:1758
#6 0x000055c99fc67677 in file_dp_request (_dp_req=<synthetic pointer>, req=0x55c9a0f39470, request_data=<optimized out>, dp_flags=1, method=DPM_ACCOUNT_HANDLER, target=DPT_ID,
name=<optimized out>, domainname=0x55c9a0f39190 "LDAP", provider=0x55c9a0efe0e0, mem_ctx=<optimized out>) at src/providers/data_provider/dp_request.c:250
#7 dp_req_send (mem_ctx=0x55c9a0f37b60, provider=provider@entry=0x55c9a0efe0e0, domain=domain@entry=0x55c9a0f39190 "LDAP", name=<optimized out>, target=target@entry=DPT_ID,
method=method@entry=DPM_ACCOUNT_HANDLER, dp_flags=dp_flags@entry=1, request_data=0x55c9a0f37c00, _request_name=0x55c9a0f37b60) at src/providers/data_provider/dp_request.c:295
#8 0x000055c99fc6a132 in dp_get_account_info_send (mem_ctx=<optimized out>, ev=0x55c9a0eddbc0, sbus_req=<optimized out>, provider=0x55c9a0efe0e0, dp_flags=1,
entry_type=<optimized out>, filter=0x55c9a0f358d0 "name=nobody@ldap", domain=0x55c9a0f39190 "LDAP", extra=0x55c9a0f354a0 "") at src/providers/data_provider/dp_target_id.c:528
#9 0x00007fb4da35265b in _sbus_sss_invoke_in_uusss_out_qus_step (ev=0x55c9a0eddbc0, te=<optimized out>, tv=..., private_data=<optimized out>) at src/sss_iface/sbus_sss_invokers.c:2847
#10 0x00007fb4d9cfb1cf in tevent_common_invoke_timer_handler () from /lib64/libtevent.so.0
#11 0x00007fb4d9cfb339 in tevent_common_loop_timer_delay () from /lib64/libtevent.so.0
#12 0x00007fb4d9cfc2f9 in epoll_event_loop_once () from /lib64/libtevent.so.0
#13 0x00007fb4d9cfa7b7 in std_event_loop_once () from /lib64/libtevent.so.0
#14 0x00007fb4d9cf5b5d in _tevent_loop_once () from /lib64/libtevent.so.0
#15 0x00007fb4d9cf5d8b in tevent_common_loop_wait () from /lib64/libtevent.so.0
#16 0x00007fb4d9cfa757 in std_event_loop_wait () from /lib64/libtevent.so.0
#17 0x00007fb4dd955ac3 in server_loop (main_ctx=0x55c9a0edf090) at src/util/server.c:724
#18 0x000055c99fc59760 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:747
(gdb) l
733 ret = remove_duplicate_group_members(tmp_ctx, grp, &ngroup);
734 if (ret != EOK) {
735 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to remove duplicate group member s\n");
736 goto done;
737 }
738
739 DEBUG_GR_MEM(SSSDBG_TRACE_LIBS, ngroup);
740
741 ret = sysdb_transaction_start(sysdb);
742 if (ret != EOK) {
743 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
744 goto done;
745 }
746 in_transaction = true;
747
748 if (ngroup->gr_mem && ngroup->gr_mem[0]) {
749 attrs = sysdb_new_attrs(tmp_ctx);
750 if (!attrs) {
751 DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error?!\n");
752 ret = ENOMEM;
(gdb) p ngroup
$1 = (struct group *) 0x0
743 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
744 goto done;
745 }
746 in_transaction = true;
747
748 if (ngroup->gr_mem && ngroup->gr_mem[0]) {
749 attrs = sysdb_new_attrs(tmp_ctx);
750 if (!attrs) {
751 DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error?!\n");
752 ret = ENOMEM;
(gdb) p ngroup
$1 = (struct group *) 0x0
Merges: https://pagure.io/SSSD/sssd/pull-request/4036
Resolves:
https://pagure.io/SSSD/sssd/issue/4037
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2c965b04f693df4ca89eda7a4cff9d1900523837">2c965b04</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-07-03T20:10:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pcre: port to pcre2
Some distributions want to drop pcre support. Sssd should work with
pcre2. With this patch sssd tries to use pcre2 if pcre is not present.
Resolves:
https://pagure.io/SSSD/sssd/issue/3833
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d2adfcf54c3a37aeda675aec3ba3d174061fac1a">d2adfcf5</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-07-03T20:12:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE: SSSD doesn't clear cache entries
Once object is in cache it is refreshed when it is expired and
requested by the system. Object ID is not checked before refresh,
but config parameter ldap_(min|max)_id could be changed by admin.
We should check object ID and not refresh objects outside min/max
ID interval.
Resolves:
https://pagure.io/SSSD/sssd/issue/3905
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e8e0f4079e112798ff173df277413a96bd9d8866">e8e0f407</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-03T20:14:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/secrets: memory leaks are fixed
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8aa0dfdf6e36fa90855c0f35a4dfa57139ad6504">8aa0dfdf</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-03T20:15:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/crypto/nss/nss_nite: params sanitization
- `key` params made const
- added omitted sanity checks of pointer params
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d603d34a6074b7cb67828f5a8c5b18332ee78173">d603d34a</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-03T20:15:47Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">crypto/libcrypto/crypto_nite: HMAC calculation changed
Changed HMAC calculation to make it consistent with
https://pagure.io/SSSD/sssd/issue/4026
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e232a98a04554298e5517a167116f688ded8fabd">e232a98a</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-05T10:16:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/find_uid.c: fixed debug message
Fixed wrong debug message in check_if_uid_is_active()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0897be2ab9943f5ce9ae03d57a646b2b4cd724d4">0897be2a</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-05T10:16:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/find_uid.c: fixed race condition bug
It was wrong to return EOK from get_uid_from_pid() in case of failed
open() or fstat() as this leaves `uid` uninitialized and no means
for caller to detect this situation.
There was no reason to fail get_active_uid_linux() completely in case
of failed get_uid_from_pid() for one of /proc entries. Function was
changed to continue with next entry instead.
Resolves: https://pagure.io/SSSD/sssd/issue/2854
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/39686a584e1286366e0e34910074d45f88c8f4e6">39686a58</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2019-07-05T10:24:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: ldb-tools and sssd-tools are required for multihost tests
Some of the test do use ldbsearch and sssd-tools.
Resolves:
https://pagure.io/SSSD/sssd/issue/3894
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2d657dffb419640860e46ed417137b0e2cc7d9af">2d657dff</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-07-05T10:26:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: failover does not work on non-responsive ldaps
In case ldaps:// is used, then establishing the secure socket is
a sychronous operation. If there's nothing on the other end, then
the process would be stuck waiting in for the crypto library
to finish.
Here we set socket read/write timeout so the operation can finish
in reasonable time with an error. The ldap_network_timeout
option is used for this timeout.
Resolves:
https://pagure.io/SSSD/sssd/issue/2878
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/db99504a5295ae1f9bc5166133c8f21e4510c676">db99504a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add sysdb_search_with_ts_attr
Adds a new public sysdb call sysdb_search_with_ts_attr() that allows to
search on the timestamp cache attributes, but merge back persistent
cache attributes. The converse also works, when searching the persistent
cache the timestamp attributes or even entries matches only in the
timestamp cache are merged.
What does not work is AND-ed complex filter that contains both
attributes from the timestamp cache and the persistent cache because
the searches use the same filter, which doesn't match. We would need to
decompose the filter ourselves.
Because matching and merging the results can be time-consuming, two
flags are provided:
SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER that only searches the timestamp
cache, but merges back the corresponding entries from the persistent
cache
SYSDB_SEARCH_WITH_TS_ONLY_SYSDB_FILTER that only searches the
persistent cache but merges back the attributes from the timestamp
cache
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f27955297603dd7bcbab2569394853d5d9ca90ea">f2795529</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:19Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: search with sysdb_search_with_ts_attr
Previously, the background refresh code had used sysdb_search_entry()
which does not run the search on the timestamp cache. Instead, this
patch changes to using sysdb_search_with_ts_attr with the
SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER optimization because currently only
the dataExpireTimestamp attribute is included in the filter.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1a08b53defa7f921a9b0f9e839ca90f91b5f86d2">1a08b53d</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Enable refresh for multiple domains
Descend into subdomains on back end refresh and make sure to start from
users again.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/bb0bd61ac54dca429b6562e808755152d4c90ce7">bb0bd61a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:26Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Make be_refresh_ctx_init set up the periodical task, too
This is mostly a preparatory patch that rolls in setting up the ptask
into be_refresh_ctx_init. Since in later patches we will call
be_refresh_ctx_init from several different places, this will prevent
code duplication.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9d49c90ceb7388333c8682f4cbd6842ec236b9de">9d49c90c</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end
Since later patches will pass different parameters to
be_refresh_ctx_init(), let's call the init function in the provider
libraries not directly in the back end.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d1eb0a70de3c98ca9dc03a0b79287f4ce6ee4855">d1eb0a70</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME
In later patches, we will implement refreshes for AD or IPA which might
refresh objects that do not have a name yet, but always do have a different
attribute, like a SID or a uniqueID. In this case, it's better to use that
different attribute instead of name.
This patch allows the caller to tell the refresh module which attribute
to use.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/41305ef5a0ef2f4796e322190ffcc12331151643">41305ef5</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx
It is a bit odd that a caller to a be_ function would set a property of
be_ctx. IMO it is cleaner if the function has a side-effect and sets the
property internally and rather returns errno.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ac72bb4ab1a8d3d13f0d459efe5f23cf010c2790">ac72bb4a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE/LDAP: Split out a helper function from sdap_refresh for later reuse
Every refresh request will send a similar account_req. Let's split out
the function that creates the account_req into a reusable one.
Also removes the type string as it was only used in DEBUG messages and
there is already a function in the back end API that provides the same
functionality.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/2cb294e6d5782aa725a2e9d7892a9e0c62e0b3a9">2cb294e6</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:40Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Pass in filter_type when creating the refresh account request
For refreshing AD users and groups, we'll want to create a request by
SID, for all other requests we'll want to create a request by name. This
patch allows parametrizing the request creation by the caller.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7443498cc074c323e3b307f47ed49d59a5001f64">7443498c</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:42Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Send refresh requests in batches
As we extend the background refresh into larger domains, the amount of
data that SSSD refreshes on the background might be larger. And
refreshing all expired entries in a single request might block sssd_be
for a long time, either triggering the watchdog or starving other
legitimate requests.
Therefore the background refresh will be done in batches of 200 entries.
The first batch of every type (up to 200 users, up to 200 groups, ...)
will be scheduled imediatelly and subsequent batches with a 0.5 second
delay.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0fbc317ac7f1fe13cd41364c67db7d7a19d7d546">0fbc317a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:46Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Extend be_ptask_create() with control when to schedule next run after success
Related: https://pagure.io/SSSD/sssd/issue/4012
be_ptask_create() used to always schedule the next periodical run
"period" seconds after the previous run started. This is great for tasks
that are short-lived like DNS updates because we know they will be
executed really with the configured period.
But the background refresh task can potentially take a very long time in
which case the next run could have been scheduled almost immediately and
as a result sssd_be would always be quite busy. It is better to have the
option to schedule the next task period seconds after the last run has
finished. This can lead to some inconsistency, but we can warn the
admin about that.
This patch so far does not change any of the existing calls to
be_ptask_create(), just adds BE_PTASK_SCHEDULE_FROM_LAST as an
additional parameter.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/576f3691a2d22322b08fb55fe74899d2ea4975d6">576f3691</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:48Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Schedule the refresh interval from the finish time of the last run
Related: https://pagure.io/SSSD/sssd/issue/4012
Changes scheduling the periodical task so that the next run is started
relative to the previous run finish time, not start time to protect
against cases where the refresh would take too long and run practically
all the time.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b72adfcc332b13489931483201bcc4c7ecf9ecb6">b72adfcc</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Implement background refresh for AD domains
Split out the actual useful functionality from the AD account handler
into a tevent request. This tevent request is then subsequently used by
a new ad_refresh module.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d76756ef472da9593c691f94186d09226bb49916">d76756ef</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:54Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA: Implement background refresh for IPA domains
Split out the actual useful functionality from the IPA account lookup
handler into a tevent request. This tevent request is then used in a new
ipa_refresh module.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1d0e75e9c5db0acf946f82705a4640063ea5aea9">1d0e75e9</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE/IPA/AD/LDAP: Add inigroups refresh support
Related: https://pagure.io/SSSD/sssd/issue/4012
In addition to refreshing users, groups and netgroups, this patch adds
the ability to also refresh initgroups. The refresh is ran for any users
that have the initgrExpireTimestamp attribute close to expiration.
This request is ran as the first one, because the initgroups operation
refreshes the user entry and can touch groups as well.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/792235097b9b63593dc717440aab48e8671fbf12">79223509</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:33:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication
Related: https://pagure.io/SSSD/sssd/issue/4012
This patch slightly increases the line count, but on the other hand the
code is now more declarative and contains less logic, which should
hopefully decrease the maintenance cost in the future.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/60c876aefe2efc5a67929f9b3890b627cea7c549">60c876ae</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:34:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
Related: https://pagure.io/SSSD/sssd/issue/4012
The per-object type refresh functions are more or less boilerplate code.
Even though macro-generated code should be used very rarely, here the
generated code does not contain any logic at all so it makese sense to
generate it with macros.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/039384b8851bb6a2513af83dba0df318432e0c63">039384b8</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:34:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Amend the documentation for the background refresh
Related: https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7a08d1dea8cb9148ba1afe13f4d4567229c9b381">7a08d1de</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:34:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function
Related: https://pagure.io/SSSD/sssd/issue/4012
Because the initgroups request can, especially in the case of IPA provider
with trusts, contain several sub-requests that run some provider-specific
initgroups internally and then run post-processing AND because at the same
time concurrent requests in the responder need to be sure that the
initgrExpireTimestamp is only increased when the initgroups request is
really done, we only set the initgrExpireTimestamp in the DP when the
request finishes.
This means, the background refresh task needs to also set the
initgrExpireTimestamp attribute on its own as well. This patch so far
splits the helper function into a reusable one so it can later be used
by the background refresh.
For examples of the bugs caused by the initgrTimestamp being set before
the whole multi-step operation finishes, please see tickets #3744
or #2634.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/cdc44a05d11ae614eb55f219f70150d241cd850f">cdc44a05</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-07-05T10:34:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request
Related: https://pagure.io/SSSD/sssd/issue/4012
Calls sysdb_set_initgr_expire_timestamp() after each successfull refresh
of initgroups data to make sure the initgrExpireTimestamp attribute is
increased.
If you're wondering why the timestamp is not set by the initgroups operation
itself, see tickets #3744 or #2634 for examples of bugs caused by setting
the initgrExpireTimestamp too soon.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8be1a0e829ba9eaf6769622adcb3be827575f551">8be1a0e8</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-15T11:52:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/crypto: removed erroneous declaration
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e839acd1fda573b11170a3d074f60eff9d654008">e839acd1</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-15T11:52:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/crypto/sss_crypto.c: cleanup of includes
Removed unneeded include of config.h and added includes for open()
and error codes according to the man page.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9f4b7d9fbec9a7746fc39d9e69054ac469c14d19">9f4b7d9f</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-15T11:52:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/crypto: generate_csprng_buffer() changed
1) generate_csprng_buffer() is renamed to sss_generate_csprng_buffer()
to make util/crypto API more consistent
2) its implementation became dependant on crypto backend being used
3) in case of libcrypto backend RAND_bytes() is used instead of
direct access to "/dev/urandom"
Relates: https://pagure.io/SSSD/sssd/issue/4024
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/93d0aba5a49fdf9df87037eba42986eee02d1d35">93d0aba5</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-15T11:52:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/crypto: added sss_rand()
Introduced `sss_rand()` wrapper to be used in project sources in every
applicable case where "raw" rand()/etc are used now.
Relates: https://pagure.io/SSSD/sssd/issue/4024
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/bfc02ea2cdc111bfb8df044f359655cce3337ccd">bfc02ea2</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-15T11:52:16Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">crypto/libcrypto/crypto_nite.c: memory leak fixed
Fixed leaking of memory in case of failure in `sss_encrypt()` function.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/548ea574645f405307b14bb1113d66f9da1abf2b">548ea574</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-15T11:52:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FIPS140 compliant usage of PRNG
Calls to `rand()`, "/dev/urandom", etc are replaced with
appropriate wrappers from `util/crypto`.
Resolves: https://pagure.io/SSSD/sssd/issue/4024
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1f528861d0e20091f90660d3df98a81cf232db99">1f528861</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-07-15T13:24:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">crypto/nss: some nss_ctx_init() params made const
This patch fixes compilation issues introduced in 8aa0dfd :
as `key` parameter of sss_encrypt() and sss_decrypt() became const,
changes in signature of nss_ctx_init() were required to follow up.
For more details see https://github.com/SSSD/sssd/pull/846
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8d64e9f5229967d382c6280d89b139e024bd2c1a">8d64e9f5</a></strong>
<div>
<span>by Sam Morris</span>
<i>at 2019-07-15T19:56:45Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">build: fix detection of systemd.pc
Related: https://pagure.io/SSSD/sssd/issue/4043
A typo prevents systemd.pc from being detected, in turn this means
HAVE_SYSTEMD is never set, responders are built without socket
activation support and the monitor never notifies systemd that it is
ready.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8f22e7952a6b440a01912749eae1e60aafb90561">8f22e795</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-16T15:00:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: switch to new tooling and remove 'Read trusted files' stage
The 'Read trusted files' stage was removed because all scripts are
now being executed on client machines so there is no point to prohibit
modification.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/209edb3e19420fb84d45dfa4f5a3bda655288c1a">209edb3e</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-16T15:00:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: rebase pull request on the target branch
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/230de12b9f2f85bbed3f2655615519bc0c6e2615">230de12b</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-16T15:00:37Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: print node on which the test is being run
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6815844daa7701c76e31addbbdff74656cd30bea">6815844d</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-18T09:02:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo: use proper datetime for default modifyTimestamp value
The current default was simply "1", however OpenLDAP server was unable
to compare modifyTimestamp attribute to simple number. A proper datetime
is required by OpenLDAP.
It worked correctly on 389-ds.
Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that sudo smart refresh uses `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` filter (`1` instead of proper datetime value)
The minimum accepted value by OpenLDAP is 00000101000000Z, as both month and day can not be zero.
Resolves:
https://pagure.io/SSSD/sssd/issue/4046
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ff8284e222f2c03e6ff72d6b03390db79e0511cd">ff8284e2</a></strong>
<div>
<span>by Alex Rodin</span>
<i>at 2019-07-22T18:28:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to tevent_loop_wait()
Switching from tevent_loop_once() to tevent_loop_wait() as the bug was fixed https://bugzilla.samba.org/show_bug.cgi?id=10012
Resolves: https://pagure.io/SSSD/sssd/issue/3962
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/15cc1e404f1725d05cb6a285abba70853ae89ad1">15cc1e40</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-07-22T18:30:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONFDB: Files domain if activated without .conf
Implicit files domain gets activated when no sssd.conf present
and sssd is started. This does not respect --disable-files-domain
configure option
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1713352
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/31e08f300ff9c19e87ee9b230d8d9a5970c7dcdb">31e08f30</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-07-22T18:31:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: adapt tests to enabled default files domain
Some tests expect that SSSD is compiled with --enable-files-domain
option (test_no_sssd_conf). But having this enabled by default
breaks some other tests.
This patch adds --enable-files-domain to test build and explicitly
disables the domain in configuration of some tests (ldap, enumeration).
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1713352
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7f0a8f5060b28dc35e152d7290b583de99361d80">7f0a8f50</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-07-22T18:33:24Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: prefer better digest function if card supports it
To improve FIPS compliance and security in general p11_child now checks
which message digest functions (hashes) are support for RSA keys and
tries to use the highest bit length supported.
For EC keys sha512 is used unconditionally.
Related to https://pagure.io/SSSD/sssd/issue/4039
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/60748f69d9e21cf4cfd0655a0d7b81a715e9ae04">60748f69</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-07-22T18:33:29Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: fix a memory leak and other memory mangement issues
EVP_MD_CTX_create() was called without matching EVP_MD_CTX_destroy().
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/06479a1d724c66b2e93b232a26977b6f8009eef7">06479a1d</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2019-07-31T19:49:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: Fix command 'endservent' resetting wrong struct member
Resolves:
https://pagure.io/SSSD/sssd/issue/4050
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5b235bbdbea355923e4f2aeb745c8e514b423984">5b235bbd</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-07-31T19:52:44Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Introduce flag for be_ptask_create
The be_ptask_create has already too many parameters. Lets have flags
parameter to avoid future extending.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/1c7521898f1cb13607c536977029561f89573c7c">1c752189</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-07-31T19:52:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Convert be_ptask params to flags
The be_ptask_create call has a lot of parameters.
Some of them can be converted to flags to simplify
the declaration.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f2c69a67ad0cd9d4db94aa66e46ede0cb0790480">f2c69a67</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-07-31T19:52:52Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DYNDNS: dyndns_update is not enough
When dyndns_update is set to True and dyndns_refresh_interval is
not set or set to 0, DNS is not updated at all.
With this patch DNS is updated when sssd changes its state to
online.
If dyndns_refresh_interval is set, updates are performed as
before - i. e. when comming online and then every
dyndns_refresh_interval.
Resolves:
https://pagure.io/SSSD/sssd/issue/4047
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b1ea33eca64a0429513fcfe2ba7402ff56889b46">b1ea33ec</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-31T19:55:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">systemd: add Restart=on-failure to sssd.service
Resolves:
https://pagure.io/SSSD/sssd/issue/4040
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7b4635c8428917ced63954f2c3c70491b45d7870">7b4635c8</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-31T19:59:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: fix description of dns_resolver_op_timeout
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/3807de1d97fc87cf7c25af264a8b1bbabdef54e2">3807de1d</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-31T19:59:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: fix description of dns_resolver_timeout
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/99e2a107f01c625cb59cb88589db87294176d6c6">99e2a107</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-31T19:59:12Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">failover: add dns_resolver_server_timeout option
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e97ff0adb62c89cfc7e75858b7e592e0303720b0">e97ff0ad</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-31T19:59:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">failover: change default timeouts
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/049f3906b9ef2041b5e1df666bd570379ae60718">049f3906</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-07-31T19:59:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">config: add dns_resolver_op_timeout to option list
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/db46cd0890057be1f72173a2ca2ae040bcf46c9a">db46cd08</a></strong>
<div>
<span>by Jakub Jelen</span>
<i>at 2019-08-07T16:25:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam_sss: Add missing colon to the PIN prompt
This can be noticed in the sudo prompt, when the system is configured
to authenticate users using smart cards.
Resolves: Pagure#4049
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e9091aba9c0cbcc1f00f5f0656c200554cc485a3">e9091aba</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-07T17:07:02Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: make sure p11_child.log has the right permissions
If SSSD runs a unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8119ee216a9471ed2f01b16ed17068f5dc8b83cb">8119ee21</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-07T17:07:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ssh: make sure p11_child.log has the right permissions
If SSSD runs a unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/9339c445b4b98a28146ff834fec2af42bd3a6340">9339c445</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-07T17:07:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: make sure child log files have the right permissions
If SSSD runs a unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ca02a20c16a1249a8fcecad31e915bf64df77cc9">ca02a20c</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-07T18:54:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Get rid of sssd-secrets reference
Related:
https://pagure.io/SSSD/sssd/issue/3685
There were some stray references to the secrets responder in the
sssd-kcm manual page.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/84eca2e812f8a8684a35b4cd0c262660930e0d40">84eca2e8</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-07T18:54:57Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Document that it is enough to systemctl restart sssd-kcm.service lately
Related:
https://pagure.io/SSSD/sssd/issue/3862
We forgot to amend the man page after implementing the sssd-kcm service
reload.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f74b97860ec7c66df01ed2b719d29a138c958081">f74b9786</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-07T18:55:00Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SECRETS: Use different option names from secrets and KCM for quota options
Related:
https://pagure.io/SSSD/sssd/issue/3386
With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.
With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suitable
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.
For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/940002ca21abde53ad81df622d1f4dd3b5e8e014">940002ca</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-07T18:55:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SECRETS: Don't limit the global number of ccaches
Related:
https://pagure.io/SSSD/sssd/issue/3386
In the KCM context, the global number of ccaches would limit the number
of users who can store their ccaches in the KCM deamon.
In more detail, the options have the following semantics with KCM:
- DEFAULT_SEC_KCM_MAX_SECRETS - global number of secrets, would
cover both how many ccaches can a user store, but this is better
served with DEFAULT_SEC_KCM_MAX_UID_SECRETS
- DEFAULT_SEC_KCM_MAX_UID_SECRETS - how many 'principals' can a user
kinit with
- DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE - the payload size of service
tickets
With the above in mind, I think the most important limits are
max_uid_secrets to limit and the payload size to constraint how much
space can a user occupy and it doesn't make much sense to limit the
global quota.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f00db73d7bbf312e3e2a772b8b10895d5460b989">f00db73d</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-07T18:55:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Pass confdb context to the ccache db initialization
Resolves:
https://pagure.io/SSSD/sssd/issue/3386
The libsecrets back end needs to read the quota options from confdb,
therefore it needs to know the section and access the confdb handle.
These parameters are unused for other ccache back end types, but they
are harmless and IMO it makes more sense to keep the ccache back end
abstract.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f024b5e46b62ad49f0099ed8db8155e7ea475639">f024b5e4</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-07T18:55:11Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Configurable quotas for the secdb ccache back end
Related:
https://pagure.io/SSSD/sssd/issue/3386
Exposes three new options for the [kcm] responder to set the global
ccache limit, the per-uid ccache limit and the payload size.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/247aa48004ceb2efba42e917cebecc0ab74dc207">247aa480</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-07T18:55:15Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add tests for the configurable quotas
Related:
https://pagure.io/SSSD/sssd/issue/3386
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ba01db0dcd43ef1b2079d9cc209534d45a3e938d">ba01db0d</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-07T19:11:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: remove unused prototype (cert_to_ssh_key)
This is a leftover from a previous cleanup done in the context of
https://pagure.io/SSSD/sssd/issue/3489.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a97ec73e04b6347bb6aa9794f5ea9f4ca3424801">a97ec73e</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-07T19:11:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: move parse_cert_verify_opts() into separate file
parse_cert_verify_opts() is only used by p11_child, so it makes sense to
move the sources nearer together. The related test is still in
test_utils but it can be split out as well if there are more p11_child
related unit tests.
Related to https://pagure.io/SSSD/sssd/issue/4032
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/ad9dd137e2f8ad46cfb921fb7bf137fb3442692e">ad9dd137</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-07T19:11:31Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: make OCSP digest configurable
Currently sha1 is used to create the certid for an OCSP request. Since
sha1 is not recommend for new applications anymore and not FIPS
compliant this patch changes the default to sha256 and makes the digest
function configurable as well.
Related to https://pagure.io/SSSD/sssd/issue/4032
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5574de0f87e72d85547add9a48f9ac0def27f47d">5574de0f</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-14T12:09:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: fix loop in Smartcard authentication
If 'try_cert_auth' or 'require_cert_auth' options are used and a wrong
PIN is entered the PAM responder might end in an endless loop. This
patch uses a flag to avoid the loop and makes sure that during
authentication the error code causing the loop is not returned.
Related to https://pagure.io/SSSD/sssd/issue/4051
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/41da9ddfd084024ba9ca20b6d3c0b531c0473231">41da9ddf</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-14T12:11:18Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't qualify users from files domain when default_domain_suffix is set
Resolves:
https://pagure.io/SSSD/sssd/issue/4052
The files domain should always be non-qualified. The usual rules like
qualification of all domains except the one set with
default_domain_suffix should not apply.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b35d88ebf1530cccebd69dc00679cd4df8a0d344">b35d88eb</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2019-08-15T00:54:27Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update the translations for the 2.2.1 release
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4bc3422768c191fa4164df35d514f16bbba7eb15">4bc34227</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2019-08-15T10:57:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bumping the version to track the 2.2.2 development
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/820151f3813f08c704cb87a99988fe39f9f48a8d">820151f3</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-18T21:09:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8
Resolves:
https://pagure.io/SSSD/sssd/issue/3932
Reviewed-by: Tomas Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/815957cd10a82aca6742b0bd56c7e7f199596cd4">815957cd</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T15:13:20Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb
If previously enabled subdomain was disabled by removing it from ad_enabled_domains
option in sssd.conf, its cached content (including the domain object itself)
was kept in sysdb. Therefore eventhough the domain was effectively disabled in
backed its cached data was still available in responders.
Subdomains that are disabled on server side are correctly removed from sysdb in
`ad_subdomains_refresh()` so this issue is related only to the configuration
option.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7a03e99890806257df1ed8a126673d6a032fee6a">7a03e998</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T15:13:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb: add sysdb_domain_set_enabled()
This will be used in subsequent patches to disable subdomains.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6882bc5f5c8805abff3511d55c0ed60cad84faab">6882bc5f</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T15:14:01Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: set enabled=false attribute for subdomains that no longer exists
Only forest root domain needs to be disabled because it has to be available
for other tasks. All other non-root domains are removed from cache completely
so it does not make sense for them.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d278704d85fea74c229b67e6a63b650b0d776c88">d278704d</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T15:14:05Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb: read and interpret domain's enabled attribute
Disable domain if its sysdb object has enabled=false.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c7e6530d642f746982c5306cf3455608d1980d1f">c7e6530d</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T15:14:10Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb: add sysdb_list_subdomains()
To list all cached subdomains names.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d0bdaabbc95bc9ee3253e1376d849e6a8bd6c6f0">d0bdaabb</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T15:14:13Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: remove all subdomains if only master domain is enabled
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b3c3542188e50770b431942c0b603e6f2733cb33">b3c35421</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T15:14:17Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: make ad_enabled_domains case insensitive
The rest of the code that works with ad_enabled_domains options
is case insensitive so we rather should be consistent.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f19f8e6b917e77d5d2bfdedc78e5669b522ea265">f19f8e6b</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-08-23T15:40:55Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SERVER: Receving SIGSEGV process on shutdown
There is race condition when dynamic libraries are unloaded. Talloc
library calls our destructors but they still need openssl calls
which might be not available.
Solution is to free explicitely memory context and trigger
destructors before calling exit(). In this PR the SIGTERM
handler is moved from individual providers to generel
backend code.
Also generic server code is changed to explicitely free
memory context when signal is received.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1672584
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c2e24df4320d46577aca8d1268f0336af443d541">c2e24df4</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-23T15:46:36Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA: Allow paging when fetching external groups
For some reason (I guess a mistake during refactoring..) the LDAP search
request that fetches the external groups does not enable the paging
control. This means that the number of external groups that SSSD can
fetch is limited to 2000.
Resolves: https://pagure.io/SSSD/sssd/issue/4058
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/c580c76a2affc377850303cc81a1519075d174f2">c580c76a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-23T16:38:32Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Use int32_t type conversion in DEBUG message for int32_t variable
The KDC offset is stored as int32_t, but a DEBUG message in KCM was using
an uint32_t. This lead to confusion as it appeared that the offset does
not work.
Resolves:
https://pagure.io/SSSD/sssd/issue/4063
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/8e1f6734a96f92749869e6c06cb8d9fbd4610e65">8e1f6734</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T16:45:28Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: use python2 version of pytest
Fedora 31 changed symlink of /usr/bin/py.test from pytest2 to pytest3.
We need to run the python2 version in order to run our tests with python2.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/498a230e58bdf9299e75d6295a52d8114f536098">498a230e</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T16:45:50Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: pep8 was renamed to pycodestyle in Fedora 31
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e989620bd2b4f7094dee3ef740ba92d0cf45d0c8">e989620b</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-23T16:51:09Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: keep pin on the PAM stack for forward_pass
Currently only the password or the long-term part of a two-factor
authentication was kept on the PM stack if pam_sss.so has the option
forward_pass. With this patch the Smartcard PIN can be forwarded to
other PAM modules as well.
Related https://pagure.io/SSSD/sssd/issue/4067
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6e759010ae43c039eeaff6a4390beb72af0d0e8e">6e759010</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-23T18:04:38Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: do not accept empty PIN
The current check for an empty PIN was incomplete and if no PIN was
given pam_sss should not send a request to SSSD's pam responder. This
would match the behavior if a user name hint should be requested as
well.
Related to: https://pagure.io/SSSD/sssd/issue/4068
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/945970088209a1a8a75a94e600a4587fb6e8f48c">94597008</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-23T18:04:59Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: user PAM return codes where expected
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5dccf76aff8ac5b4adf000c8b701a7a9fae506c2">5dccf76a</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-23T18:14:07Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: set PAM_USER properly with allow_missing_name
Currently if the allow_missing_name pam_sss option is used PAM_USER is
set to the fully-qualified name only for the files provider it is set to
the short name. This might cause issue with other components expecting
that the value of PAM_USER corresponds to the name returned by the nss
calls getpwnam() and getpwuid().
With this patch PAM_USER is set to the same user name as returned by the
NSS responder. For the communication between pam_sss and SSSD's PAM
responder the fully-qualified name is kept.
Related to https://pagure.io/SSSD/sssd/issue/4069
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7fcd0a70d6dcaab3aa8f2a84ce9dc939ec350415">7fcd0a70</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-08-23T18:19:34Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE: Invalid oprator used in condition
There is wrong binary or used in condition. We have to use & here
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1744134
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/7129979bf2d28aed38a285537dc467a3eb941163">7129979b</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-23T19:20:58Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: remove left overs from previous rebase
If previous run of a PR failed to rebase, the code was left in rebase
in progress and was not correctly overwritten by new changes in the
patches.
Reviewed-by: Tomas Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e7b7edea47ac4ca462cd01a7f52a3175f8b9cca6">e7b7edea</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-08-23T19:39:30Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "SERVER: Receving SIGSEGV process on shutdown"
This reverts commit f19f8e6b917e77d5d2bfdedc78e5669b522ea265.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a9669683de3a1c39dc4e47dd2aca0a9f99b652a9">a9669683</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-08-29T14:32:49Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SERVER: Receving SIGSEGV process on shutdown
There is race condition when dynamic libraries are unloaded. Talloc
library calls our destructors but they still need openssl calls
which might be not available.
Solution is to free explicitely memory context and trigger
destructors before calling exit(). In this PR the SIGTERM
handler is moved from individual providers to generel
backend code.
Also generic server code is changed to explicitely free
memory context when signal is received.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1672584
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f9b589a47b0bacb1dcc4efd9b5d993c4b33b367f">f9b589a4</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-08-30T10:44:56Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo: do not update last usn value on rules refresh
Refreshing specific rules may produce a higher usn value that the one
that is already remembered if the rules changed on the server. However,
there may be another rule that is not being refreshed which usn value
is higher then the current value but lower then the value of some of the
refreshed rules. If the highest usn value is updated in this case, the
rule would not be found be smart refresh.
Thus we must not update the usn value during rules refresh.
Resolves:
https://pagure.io/SSSD/sssd/issue/3996
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/6b0570022dc320a986600fdea64180de06eff690">6b057002</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-30T14:36:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Add a forgotten return
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f5f7f26a3f7726dd3a546dd3934fb4d0b5faa525">f5f7f26a</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-30T14:36:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Allow modifications of ccache's principal
Related:
https://pagure.io/SSSD/sssd/issue/4017
This patch will be useful to fix credential delegation.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0216bfe2c8d1f73a2e1b5745ff82aab4647ef730">0216bfe2</a></strong>
<div>
<span>by Jakub Hrozek</span>
<i>at 2019-08-30T14:36:41Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Fill empty cache, do not initialize a new one
Related:
https://pagure.io/SSSD/sssd/issue/4017
openssh uses this sequence of calls:
gen_new()
switch()
initialize()
What happened before was that if there was already some cache, gen_new
would create a new empty cache, then switch would set it as the default.
But then, during the initialize call, the cache that used to be the
default was deleted, another one created and used as the default. This
meant. Afterwards, KCM would store the credentials in the previous
cache, which would no longer be the default.
The logic behind was that KCM didn't anticipate the client generating
the new and setting the default on its own.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/18611d70e2916138103a099d45861252d6323366">18611d70</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-09-03T13:41:21Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ifp: let cache_req parse input name so it can fallback to upn search
UPN search expects that the input name is in its fully qualified form.
However, GetUserAttr calls cache_req with unqualified username therefore
it never fallback to UPN search.
Steps to reproduce:
1. Configure SSSD against AD
2. Set UPN to `TestUserUPN@ad.vm`
3. Run:
```
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:TestUserUPN@ad.vm array:string:name
Error sbus.Error.NotFound: No such file or directory
```
Resolves:
https://pagure.io/SSSD/sssd/issue/4065
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/078ed8db65f53b7abf331fa9fe0e228bf5d01a19">078ed8db</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Add macro for checking python3 modules
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b262a7b874772ef5a715a2aef30de08bad63d07d">b262a7b8</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Fix typo of detecting python module for intgcheck
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/e7d1c15297e73149a14f58d8360121645bfcfa55">e7d1c152</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Move checking of python2 modules for intgcheck
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/87e97bb0b0ccde249794fca8d7e0ce862e72ff2a">87e97bb0</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Add macro for checking pytest for intgcheck
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/b0ad68609cdcf2456ed1180ed3b76d3ecaa91f3d">b0ad6860</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS
It will simplify detection in following patches
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/4378d949d947686492fb51056fc165fda8238cd5">4378d949</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Move python checks for intgcheck to macro
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/05aad03030bc27d9a5689839ac5136f8fafe31fc">05aad030</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">INTG: Do hot hardcode version of python/pytest in intgcheck
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0e1346b93fff9de97a5dfa6c480787f44638d7fd">0e1346b9</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Prefer python3 for intgcheck
Samba 4.11.0 dropped support for python2 and thus it was also
dropped from samba related libraries (ldb ...)
which is required by integration tests
Merges: https://pagure.io/SSSD/sssd/pull-request/4075
Resolves:
https://pagure.io/SSSD/sssd/issue/4074
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/5dc86be06c7acb89366af78abbb6b9399786915b">5dc86be0</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:38:04Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">intg: Install python3 dependencies for intgcheck on new distros
Samba 4.11.0 dropped support for python3 and thus it was also
dropped from samba related libraries (ldb ...)
which is required by integration tests
Merges: https://pagure.io/SSSD/sssd/pull-request/4075
Resolves:
https://pagure.io/SSSD/sssd/issue/4074
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/d625308c9a5e8e42cd2daeb3346d178222e8ae29">d625308c</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pyhbac: Fix warning Wdiscarded-qualifiers
The macro PyDoc_STRVAR changed in python 3.8
and it defined variable with const modifier
src/python/pyhbac.c: In function ‘PyInit_pyhbac’:
src/python/pyhbac.c:1948:25: warning: passing argument 2 of
‘sss_exception_with_doc’ discards ‘const’ qualifier from pointer
target type [-Wdiscarded-qualifiers]
1948 | HbacError__doc__,
| ^~~~~~~~~~~~~~~~
In file included from src/python/pyhbac.c:27:
./src/util/sss_python.h:33:1: note: expected ‘char *’ but argument
is of type ‘const char *’
33 | sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict);
| ^~~~~~~~~~~~~~~~~~~~~~
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/0610618bbf39b15dea04ce1226e65b8a75d8bd47">0610618b</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_pam_responder: Fix unicore error
Use raw strings instead; other alternative would be to escepe backslash
E File "/home/build/sssd/src/tests/intg/test_pam_responder.py", line 647
E assert err.find("pam_authenticate for user [auth_only\user1]: " +
E ^
E SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 36-37: truncated \uXXXX escape
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f10530b3dcd509f93ffbb382f086116897139206">f10530b3</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSDConfig: Add minimal test for parse method
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/be3588bd0b876ec9054c16b5ac82902753b92af2">be3588bd</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSDConfig: Fix SyntaxWarning "is not" with a literal
There is a warning with python 3.8
/usr/lib/python3.8/site-packages/SSSDConfig/ipachangeconf.py:399:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
if len(sectopts) is not 0:
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/bce896fe6f61367eed37782b443fc82320cd6f17">bce896fe</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add minimal test for pysss encrypt
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/618014f44e2a490f5631dff3b3a0010932c0d645">618014f4</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN
src/tests/pysss-test.py:73: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
val1 = obfuscator.encrypt("123", obfuscator.AES_256)
These were introduced by https://bugs.python.org/issue36381 to warn about
an upcoming Python C API change. The meaning of PY_SSIZE_T_CLEAN is described
in https://python.readthedocs.io/en/stable/c-api/arg.html#strings-and-buffers.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/a946d13416cf7d6f9c9948d6f2baf2688e1690a9">a946d134</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN
src/tests/pysss_murmur-test.py:93: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
hash_val = pysss_murmur.murmurhash3(sid_str, 0, seed)
src/tests/pysss_murmur-test.py:96: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
hash_val = pysss_murmur.murmurhash3(sid_str, len(sid_str), seed)
These were introduced by https://bugs.python.org/issue36381 to warn about
an upcoming Python C API change. The meaning of PY_SSIZE_T_CLEAN is described
in https://python.readthedocs.io/en/stable/c-api/arg.html#strings-and-buffers.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f3529bed3de167dd0fff9dad55b138ae9880e3c6">f3529bed</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_pam_responder: Fix DeprecationWarning invalid escape sequence
test_pam_responder.py:151
src/tests/intg/test_pam_responder.py:151: DeprecationWarning: invalid escape sequence \%
return unindent("""\
Merges: https://pagure.io/SSSD/sssd/pull-request/4076
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/629416d8aa44e7b40dd7f34e216d69abc165b0ed">629416d8</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2019-09-05T08:43:51Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">testlib: Fix SyntaxWarning "is" with a literal
Reviewed-by: Pavel Březina <pbrezina@redhat.com>\
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/commit/f52eadd33f828bf1d9b834a38da2317e2a9280d6">f52eadd3</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2019-09-12T12:09:23Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update the translations for the 2.2.2 release
</pre>
</li>
</ul>
<h4>13 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#0c2c5c506cef0ed2d3ad2b7e45e97980b66f5520">
Jenkinsfile
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#49d80aa598751b3e8c23a3bbb4e7e9c03aa770b6">
contrib/ci/deps.sh
</a>
</li>
<li class="file-stats">
<a href="#3ead13c99a6fdcbcc0a23d3846e2a8837cc2f3e7">
contrib/ci/run
</a>
</li>
<li class="file-stats">
<a href="#d348d65f630a357f2aeaa78fc64043f57caa4cb0">
contrib/ci/sssd.supp
</a>
</li>
<li class="file-stats">
<a href="#3d2f764ef24a4af4d2f718f6385375e433c0eeb7">
contrib/test-suite/README.md
</a>
</li>
<li class="file-stats">
<a href="#828a4acdc5cebd16badf8e6b765e91b963ef8b24">
<span class="deleted-file">
−
contrib/test-suite/run-client.sh
</span>
</a>
</li>
<li class="file-stats">
<a href="#cf3808699e58bfbc32dc1065a7eccca70ea9039d">
<span class="deleted-file">
−
contrib/test-suite/run.sh
</span>
</a>
</li>
<li class="file-stats">
<a href="#944f00a9afc281fcd148fc61fdc2cf888f624877">
<span class="new-file">
+
contrib/test-suite/test-suite.yml
</span>
</a>
</li>
<li class="file-stats">
<a href="#4e573a66c66b45b45a1e180cad791738ed22cdd2">
po/bg.po
</a>
</li>
<li class="file-stats">
<a href="#b91599a7e7dcdfc93152518865a9d894acfe41c9">
po/ca.po
</a>
</li>
<li class="file-stats">
<a href="#fccf081b8d2f9631b6347df4a24d22fac5a73474">
po/cs.po
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/sssd-team/sssd/compare/9f144b92fbc04bf7980fc682cdea3301fb14dede...f52eadd33f828bf1d9b834a38da2317e2a9280d6">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>